Novell EDIRECTORY Troubleshooting Guide

Novell® eDirectory™ 8.8 SP3
Administration Guide
novdocx (en) 11 July 2008
AUTHORIZED DOCUMENTATION
www.novell.com

Novell eDirectory 8.8 Administration Guide

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.
Novell Trademarks
Client32 is a trademark of Novell, Inc.
eDirectory is a trademark of Novell, Inc.
NetWare is a registered trademark of Novell, Inc., in the United States and other countries.
NetWare Core Protocol and NCP are trademarks of Novell, Inc.
NMAS is a trademark of Novell, Inc.
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
Novell Client is a trademark of Novell, Inc.
Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
Ximian is a registered trademark of Novell, Inc., in the United States and other countries.
ZENworks is a registered trademark of Novell, Inc., in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Contents
About This Guide 17
1 Understanding Novell eDirectory 19
1.1 Ease of Management through Novell iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.1 Powerful Tree Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.2 Web-Based Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.1.3 Single Login and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2 Object Classes and Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2.1 List of Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2.2 Container Object Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.3 Leaf Object Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.3 Context and Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
1.3.1 Distinguished Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.3.2 Typeful Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.3.3 Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.4 Current Workstation Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.5 Leading Period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.6 Relative Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.7 Trailing Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.3.8 Context and Naming on Linux and UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.4 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.4.1 Schema Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
1.4.2 Schema Classes, Attributes, and Syntaxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
1.4.3 Understanding Mandatory and Optional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 50
1.4.4 Sample Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
1.4.5 Designing the Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
1.5 Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.5.1 Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.5.2 Distributing Replicas for Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
1.5.3 Partitions and WAN Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
1.6 Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
1.6.1 Replica Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
1.6.2 Filtered Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
1.7 NetWare Bindery Emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1.8 Server Synchronization in the Replica Ring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1.9 Access to Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
1.10 eDirectory Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
1.10.1 Trustee Assignments and Targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1.10.2 eDirectory Rights Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1.10.3 Default Rights for a New Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
1.10.4 Delegated Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
1.10.5 Administering Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2 Designing Your Novell eDirectory Network 73
2.1 eDirectory Design Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.1 Network Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.2 Organizational Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.3 Preparing for eDirectory SP3 Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.2 Designing the eDirectory Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.2.1 Creating a Naming Standards Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.2.2 Designing the Upper Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.2.3 Designing the Lower Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.3 Guidelines for Partitioning Your Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.3.1 Determining Partitions for the Upper Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . 80
2.3.2 Determining Partitions for the Lower Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . 81
2.3.3 Determining Partition Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.3.4 Considering Network Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.4 Guidelines for Replicating Your Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.1 Workgroup Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.2 Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.3 Determining the Number of Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.4 Replicating the Tree Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.5 Replicating for Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.6 Meeting Bindery Services Needs for NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.4.7 Managing WAN Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5 Planning the User Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5.1 Reviewing Users' Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5.2 Creating Accessibility Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.6 Designing eDirectory for e-Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.7 Understanding the Novell Certificate Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
2.7.1 Rights Required to Perform Tasks on Novell Certificate Server . . . . . . . . . . . . . . . . 86
2.7.2 Ensuring Secure eDirectory Operations on Linux, Solaris, and AIX Systems . . . . . . 87
2.8 Synchronizing Network Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.8.1 Synchronizing Time on NetWare Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.8.2 Synchronizing Time on Windows Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
2.8.3 Synchronizing Time on Linux, Solaris, or AIX Systems . . . . . . . . . . . . . . . . . . . . . . . 91
2.8.4 Verifying Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3 Managing Objects 93
3.1 General Object Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.1.1 Browsing the eDirectory Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.1.2 Creating an Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.3 Modifying an Object's Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.4 Copying Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.5 Moving Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.1.6 Deleting Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.1.7 Renaming Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.2 Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.2.1 Creating and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.2.2 Setting Up Optional Account Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
3.2.3 Setting Up Login Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
3.2.4 Login Time Restrictions for Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.2.5 Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.3 Configuring Role-Based Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.3.1 Defining RBS Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.3.2 Defining Custom RBS Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
3.4 Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.4.1 Features of Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.4.2 Normal or Replica Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
3.4.3 Priority Sync. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4 Managing the Schema 121
4.1 Extending the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.1.1 Creating a Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.1.2 Deleting a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.1.3 Creating an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.1.4 Adding an Optional Attribute to a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.1.5 Deleting an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.1.6 Creating an Auxiliary Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.1.7 Extending an Object with the Properties of an Auxiliary Class . . . . . . . . . . . . . . . . 124
4.1.8 Modifying an Object's Auxiliary Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.1.9 Deleting Auxiliary Properties from an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.2 Viewing the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.2.1 Viewing Class Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.2.2 Viewing Attribute Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.3 Manually Extending the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.3.1 Extending the Schema on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.3.2 Extending the Schema on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.3.3 Extending the Schema on Linux, Solaris, or AIX Systems . . . . . . . . . . . . . . . . . . . 127
4.4 Schema Flags Added in eDirectory 8.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.5 Using the eMBox Client to Perform Schema Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.5.1 Using the DSSchema eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.5.2 DSSchema eMTool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5 Managing Partitions and Replicas 133
5.1 Creating a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.2 Merging a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.3 Moving Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
5.4 Cancelling Create or Merge Partition Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.5 Administering Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.5.1 Adding a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.5.2 Deleting a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.5.3 Changing a Replica Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
5.6 Setting Up and Managing Filtered Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.6.1 Using the Filtered Replica Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.6.2 Defining a Partition Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.6.3 Setting Up a Server Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.7 Viewing Partitions and Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.7.1 Viewing the Partitions on a Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.7.2 Viewing a Partition’s Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.7.3 Viewing Information about a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.7.4 Viewing Partition Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.7.5 Viewing Information about a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6 Novell eDirectory Management Utilities 145
6.1 Novell Import Conversion Export Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.1.1 Using the Novell iManager Import Convert Export Wizard . . . . . . . . . . . . . . . . . . . 146
6.1.2 Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
6.1.3 Conversion Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
6.1.4 LDAP Bulk Update/Replication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
6.1.5 Migrating the Schema between LDAP Directories. . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.1.6 Improving the Speed of LDIF Imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.2 Index Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
6.2.1 Creating an Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.2.2 Deleting an Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.2.3 Taking an Index Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.2.4 Managing Indexes on Other Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes . . . . . . . . . . 184
6.3 Predicate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.3.1 Managing Predicate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.4 eDirectory Service Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.4.1 Using the eMBox Client Service Manager eMTool . . . . . . . . . . . . . . . . . . . . . . . . . 188
6.4.2 Using the Service Manager Plug-In to Novell iManager . . . . . . . . . . . . . . . . . . . . . 189
7 Offline Bulkload Utility 191
7.1 Using ldif2dib for Bulkloading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.2 Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3 Tuning ldif2dib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3.1 Tuning the Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3.2 Transaction Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3.3 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.3.4 Block Cache Percent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.3.5 Check Point Interval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.4 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.4.1 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.4.2 ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4.4 Unsupported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4.5 Simple Password LDIF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4.6 Custom Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.5 Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.1 Duplicate Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.2 No Schema Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.3 Insufficient Space on Hard-Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.4 Forced Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.5 Terminal Resizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
8 Using Novell iMonitor 2.4 197
8.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.1.1 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.1.2 eDirectory Versions That Can Be Monitored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.2 Accessing iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3 iMonitor Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3.1 Anatomy of an iMonitor Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3.2 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
8.3.3 iMonitor Features Available on Every Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
8.3.4 NetWare Remote Manager Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
8.3.5 Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
8.4 iMonitor Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
8.4.1 Viewing eDirectory Server Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
8.4.2 Viewing Partition Synchronization Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
8.4.3 Viewing Server Connection Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
8.4.4 Viewing Known Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
8.4.5 Viewing Replica Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8.4.6 Controlling and Configuring the DS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8.4.7 Configuring Trace Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
8.4.8 Viewing Process Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8.4.9 Viewing Agent Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8.4.10 Viewing Traffic Patterns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.11 Viewing Background Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.12 Viewing eDirectory Server Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.13 Viewing DSRepair Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.14 Viewing Agent Health Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
8.4.15 Browsing Objects in Your Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
8.4.16 Viewing Entries for Synchronization or Purging. . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4.17 Viewing Novell Nsure Identity Manager Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4.18 Viewing the Synchronization Status of a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4.19 Configuring and Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4.20 Viewing Schema, Class, and Attribute Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . 215
8.4.21 Searching for Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
8.4.22 Using the Stream Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
8.4.23 Clone DIB Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
8.5 Ensuring Secure iMonitor Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
9 Merging Novell eDirectory Trees 223
9.1 Merging eDirectory Trees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
9.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
9.1.2 Target Tree Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
9.1.3 Schema Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
9.1.4 Merging the Source into the Target Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
9.1.5 Partition Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
9.1.6 Preparing the Source and Target Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
9.1.7 Synchronizing Time before the Merge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
9.1.8 Merging Two Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
9.1.9 Post-Merge Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
9.2 Grafting a Single Server Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
9.2.1 Understanding Context Name Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
9.2.2 Preparing the Source and Target Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
9.2.3 Grafting the Source and Target Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.3 Renaming a Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.4 Using the eMBox Client to Merge Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
9.4.1 Using the DSMerge eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
9.4.2 DSMerge eMTool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
10 Encrypting Data In eDirectory 239
10.1 Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.1.1 Using Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
10.1.2 Managing Encrypted Attributes Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
10.1.3 Accessing the Encrypted Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
10.1.4 Viewing the Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
10.1.5 Encrypting and Decrypting Backup Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
10.1.6 Cloning the DIB Fileset Containing Encrypted Attributes . . . . . . . . . . . . . . . . . . . . 247
10.1.7 Adding eDirectory 8.8 Servers to Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
10.1.8 Backward Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
10.1.9 Migrating to Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.1.10 Replicating the Encrypted Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.2 Encrypted Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.2.1 Enabling Encrypted Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2.2 Adding a New Replica to a Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
10.2.3 Synchronization and Encrypted Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.2.4 Viewing the Encrypted Replication Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.3 Achieving Complete Security While Encrypting Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
10.3.1 Encrypting Data in an All New Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
10.3.2 Encrypting Data in an Existing Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
10.3.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
11 Repairing the Novell eDirectory Database 263
11.1 Performing Basic Repair Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
11.1.1 Performing an Unattended Full Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
11.1.2 Performing a Local Database Repair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
11.1.3 Checking External References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.1.4 Repairing a Single Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.1.5 Deleting Unknown Leaf Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.2 Viewing and Configuring the Repair Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.2.1 Opening the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.2.2 Setting Log File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.3 Performing a Repair in Novell iMonitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.4 Repairing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.4.1 Repairing All Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.4.2 Repairing Selected Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
11.4.3 Repairing Time Stamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
11.4.4 Designating This Server As the New Master Replica . . . . . . . . . . . . . . . . . . . . . . . 271
11.4.5 Destroying the Selected Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.5 Repairing Replica Rings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.5.1 Repairing All Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.5.2 Repairing the Selected Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
11.5.3 Sending All Objects to Every Server in the Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
11.5.4 Receiving All Objects from the Master to the Selected Replica. . . . . . . . . . . . . . . . 273
11.5.5 Removing This Server from the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
11.6 Maintaining the Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
11.6.1 Requesting Schema from the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
11.6.2 Resetting the Local Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
11.6.3 Performing a Post-NetWare 5 Schema Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
11.6.4 Performing Optional Schema Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
11.6.5 Importing Remote Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
11.6.6 Declaring a New Schema Epoch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
11.7 Repairing Server Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
11.7.1 Repairing All Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
11.7.2 Repairing a Server's Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
11.8 Performing Synchronization Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
11.8.1 Synchronizing the Selected Replica on This Server . . . . . . . . . . . . . . . . . . . . . . . . 279
11.8.2 Reporting the Synchronization Status on This Server . . . . . . . . . . . . . . . . . . . . . . . 279
11.8.3 Reporting the Synchronization Status on All Servers . . . . . . . . . . . . . . . . . . . . . . . 279
11.8.4 Performing a Time Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
11.8.5 Scheduling an Immediate Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.9 Advanced DSRepair Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.9.1 Running DSRepair on the eDirectory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.9.2 DSRepair Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
11.9.3 Using Advanced DSRepair Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
11.10 Using the eMBox Client to Repair a Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
11.10.1 Using the DSRepair eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
11.10.2 DSRepair eMTool Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12 WAN Traffic Manager 289
12.1 Understanding WAN Traffic Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.1.1 LAN Area Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
12.1.2 WAN Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
12.1.3 Limiting WAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
12.1.4 Assigning Cost Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
12.2 WAN Traffic Manager Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
12.2.1 1-3am.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
12.2.2 7am-6pm.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
12.2.3 Costlt20.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
12.2.4 Ipx.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
12.2.5 Ndsttyps.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
12.2.6 Onospoof.wmg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
12.2.7 Opnspoof.wmg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.2.8 Samearea.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.2.9 Tcpip.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.2.10 Timecost.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
12.3 WAN Policy Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
12.3.1 Declaration Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
12.3.2 Selector Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
12.3.3 Provider Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
12.3.4 Construction Used within Policy Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
13 Understanding LDAP Services for Novell eDirectory 321
13.1 Key Terms for LDAP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13.1.1 Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13.1.2 Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13.1.3 Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
13.2 Understanding How LDAP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
13.2.1 Connecting to eDirectory from LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
13.2.2 Class and Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
13.2.3 Enabling Nonstandard Schema Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
13.2.4 Syntax Differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
13.2.5 Supported Novell LDAP Controls and Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 332
13.3 Using LDAP Tools on Linux, Solaris, or AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
13.3.1 LDAP Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
13.4 Extensible Match Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
13.5 LDAP Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
13.5.1 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
14 Configuring LDAP Services for Novell eDirectory 349
14.1 Loading and Unloading LDAP Services for eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
14.2 Verifying That the LDAP Server Is Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
14.3 Verifying That the LDAP Server Is Running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
14.3.1 Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
14.3.2 Verifying That The LDAP Server Is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
14.3.3 Verifying That A Device Is Listening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
14.4 Configuring LDAP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
14.4.1 Configuring LDAP Server and LDAP Group Objects on Linux, Solaris, AIX Systems. . 355
14.5 Refreshing the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
14.6 Authentication and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
14.6.1 Requiring TLS for Simple Binds with Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . 361
14.6.2 Starting and Stopping TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
14.6.3 Configuring the Server for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
14.6.4 Configuring the Client for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
14.6.5 Exporting the Trusted Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
14.6.6 Authenticating with a Client Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
14.6.7 Using Certificate Authorities from Third-Party Providers . . . . . . . . . . . . . . . . . . . . . 365
14.6.8 Creating and Using LDAP Proxy Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
14.6.9 Using SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
14.7 Using the LDAP Server to Search the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
14.7.1 Setting Search Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
14.7.2 Using Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
14.7.3 Searching Filtered Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
14.8 Configuring for Superior Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
14.8.1 Scenario: Superior Referrals in a Federated Tree . . . . . . . . . . . . . . . . . . . . . . . . . . 378
14.8.2 Creating a Nonauthoritative Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
14.8.3 Specifying Reference Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
14.8.4 Updating Reference Information through LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
14.8.5 Affected Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
14.8.6 Discovering Support for Superior References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
14.9 Persistent Search: Configuring for eDirectory Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
14.9.1 Managing Persistent Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
14.9.2 Controlling Use of the Monitor Events Extended Operation . . . . . . . . . . . . . . . . . . 385
14.10 Getting Information about the LDAP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
14.11 Auditing LDAP Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
15 Implementing the Service Location Protocol 389
15.1 Understanding SLP Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
15.1.1 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
15.1.2 Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
15.1.3 Directory Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
15.1.4 SLP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
15.2 How SLP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
15.2.1 SLP with a User Agent, Service Agent, and No Directory Agent. . . . . . . . . . . . . . . 394
15.2.2 SLP with a User Agent, Service Agent, and Directory Agent . . . . . . . . . . . . . . . . . 395
15.3 Understanding Local Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
15.3.1 Central Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
15.3.2 SLP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
15.3.3 Customized Scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
15.3.4 Proxy Scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
15.3.5 Scalability and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
15.3.6 Private Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
15.3.7 Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
15.4 Understanding Directory Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
15.4.1 How SLP Works in Directory Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
15.4.2 SLP eDirectory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
15.5 Novell’s Implementation of SLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
15.5.1 Novell’s User Agents and Service Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
15.5.2 The Novell Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
15.5.3 Using the Novell Windows NT Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
15.5.4 Using the Service Location Protocol Directory Agent . . . . . . . . . . . . . . . . . . . . . . . 411
15.6 Setting Up SLP on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
15.7 Setting Up SLP on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
15.7.1 Installing the NetWare SLP Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
15.7.2 Setting Up the NetWare Directory Agent Manually . . . . . . . . . . . . . . . . . . . . . . . . . 414
15.7.3 NetWare SLP Directory Agent Console Commands . . . . . . . . . . . . . . . . . . . . . . . . 414
15.8 Setting Up SLP on Linux or Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
15.8.1 User Agents and Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
15.8.2 Starting and Stopping the Daemon Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
15.8.3 Using the SLPINFO Diagnostic Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
15.8.4 eDirectory Interoperability with OpenSLP on Linux and Solaris 8.0 SLP . . . . . . . 419
15.8.5 SLP V1 - V2 Interoperability Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
16 Backing Up and Restoring Novell eDirectory 421
16.1 Checklist for Backing Up eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
16.2 Understanding Backup and Restore Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
16.2.1 About the eDirectory Backup eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
16.2.2 What's Different about Backup and Restore in eDirectory 8.7.3? . . . . . . . . . . . . . . 426
16.2.3 Overview of How the Backup eMTool Does a Restore . . . . . . . . . . . . . . . . . . . . . . 428
16.2.4 Format of the Backup File Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
16.2.5 Format of the Backup Log File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
16.2.6 Using DSMASTER Servers as Part of Disaster Recovery Planning . . . . . . . . . . . . 434
16.2.7 Transitive Vectors and the Restore Verification Process. . . . . . . . . . . . . . . . . . . . . 435
16.2.8 Restore Verification Is Backward Compatible Only with eDirectory 8.5 or Later . . . 436
16.2.9 Preserving Rights When Restoring File System Data on NetWare . . . . . . . . . . . . . 436
16.3 Using Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
16.3.1 Issues to Be Aware of When Turning On Roll-Forward Logging . . . . . . . . . . . . . . . 438
16.3.2 Location of the Roll-Forward Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
16.3.3 Backing Up and Removing Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
16.3.4 Cautionary Note: Removing eDirectory Also Removes the Roll-Forward Logs. . . . 441
16.4 Preparing for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
16.4.1 Prerequisites for Restoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
16.4.2 Locating the Right Backup Files for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
16.5 Using Novell iManager for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
16.5.1 Backing Up Manually with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
16.5.2 Configuring Roll-Forward Logs with iManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
16.5.3 Restoring from Backup Files with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
16.6 Using the eMBox Client for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
16.6.1 Backing Up Manually with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
16.6.2 Doing Unattended Backups, Using a Batch File with the eMBox Client . . . . . . . . . 457
16.6.3 Configuring Roll-Forward Logs with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . 460
16.6.4 Restoring from Backup Files with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . 462
16.6.5 Backup and Restore Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
16.7 Using DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
16.7.1 Using nlm on NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
16.7.2 Using dsbk on Linux/AIX/Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
16.7.3 Using dsbk on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
16.8 Changes to Server-Specific Information Backup (NetWare Only) . . . . . . . . . . . . . . . . . . . . . 476
16.9 Recovering the Database If Restore Verification Fails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
16.9.1 Cleaning Up the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
16.9.2 Repairing the Failed Server and Re-adding Replicas to the Server . . . . . . . . . . . . 480
16.10 Scenarios for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
16.10.1 Scenario: Losing a Hard Drive Containing eDirectory in a Single-Server Network. 482
16.10.2 Scenario: Losing a Hard Drive Containing eDirectory in a Multiserver Environment 483
16.10.3 Scenario: Losing an Entire Server in a Multiple-Server Environment . . . . . . . . . . . 485
16.10.4 Scenario: Losing Some Servers in a Multiple-Server Environment . . . . . . . . . . . . . 486
16.10.5 Scenario: Losing All Servers in a Multiple-Server Environment. . . . . . . . . . . . . . . . 486
16.11 Backing Up and Restoring NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
16.11.1 UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
16.11.2 NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
16.11.3 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
17 SNMP Support for Novell eDirectory 493
17.1 Definitions and Terminology for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
17.2 Understanding SNMP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
17.3 eDirectory and SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
17.3.1 Benefits of SNMP Instrumentation on eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . 496
17.3.2 Understanding How SNMP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . 496
17.4 Installing and Configuring SNMP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
17.4.1 Loading and Unloading the SNMP Server Module . . . . . . . . . . . . . . . . . . . . . . . . . 499
17.4.2 Subagent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
17.4.3 Setting Up SNMP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
17.5 Monitoring eDirectory Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
17.5.1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
17.5.2 Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
17.5.3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
17.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
18 Maintaining Novell eDirectory 537
18.1 Improving eDirectory Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
18.1.1 Distributing Memory between Entry and Block Caches . . . . . . . . . . . . . . . . . . . . . . 538
18.1.2 Using the Default Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
18.1.3 Tuning LDAP for eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
18.2 Improving eDirectory Performance on Linux, Solaris, and AIX Systems . . . . . . . . . . . . . . . . 545
18.2.1 Fine-Tuning the eDirectory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
18.2.2 Optimizing eDirectory Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
18.2.3 Tuning the Solaris OS for Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
18.3 Improving eDirectory Searches and Reads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
18.4 Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
18.4.1 Improving Server-to-Server Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
18.4.2 Advantages of Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
18.4.3 Deploying ARC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
18.4.4 Enabling Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
18.4.5 Tuning Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
18.4.6 Monitoring Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
18.5 Improving Bulkload Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
18.5.1 eDirectory Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
18.5.2 LBURP Transaction Size Setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
18.5.3 Increasing the Number of Asynchronous Requests in ICE . . . . . . . . . . . . . . . . . . . 561
18.5.4 Increased Number of LDAP Writer Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
18.5.5 Disabling Schema Validation in ICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
18.5.6 Disabling ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
18.5.7 Backlinker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
18.5.8 Enabling/Disabling Inline Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
18.5.9 Increasing the LBURP Time Out Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
18.6 Countering Memory Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
18.6.1 Enabling FLAIM Memory Pre-Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
18.7 Keeping eDirectory Healthy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
18.7.1 When to Perform Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
18.7.2 Health Check Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
18.7.3 Checking eDirectory Health Using iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
18.7.4 For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
18.8 Resources for Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
18.9 Upgrading Hardware or Replacing a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
18.9.1 Planned Hardware or Storage Device Upgrade without Replacing the Server . . . . 570
18.9.2 Planned Replacement of a Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
18.9.3 Server IP Address Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
18.10 Restoring eDirectory after a Hardware Failure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
19 DHost iConsole Manager 577
19.1 What is DHost? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
19.2 Running DHost iConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
19.2.1 Running DHost iConsole on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
19.2.2 Running DHost iConsole on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
19.2.3 Running DHost iConsole on Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . . . . . . 579
19.3 Managing eDirectory Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
19.3.1 Loading or Unloading Modules on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
19.3.2 Loading or Unloading Modules on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
19.3.3 Loading or Unloading Modules on Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . 581
19.4 Querying for DHost Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
19.4.1 Viewing the Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
19.4.2 Viewing Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
19.4.3 Viewing Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
19.4.4 Viewing the Thread Pools Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
19.5 Process Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
19.6 Setting the SAdmin Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
19.6.1 Setting the SAdmin Password on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
19.6.2 Setting the SAdmin Password on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
19.6.3 Setting the SAdmin Password on Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . . 585
20 The eDirectory Management Toolbox 587
20.1 Using the eMBox Command Line Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
20.1.1 Displaying the Command Line Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
20.1.2 Running the eMBox Command Line Client in Interactive Mode . . . . . . . . . . . . . . . 588
20.1.3 Running the eMBox Command Line Client in Batch Mode . . . . . . . . . . . . . . . . . . . 592
20.1.4 eMBox Command Line Client Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
20.1.5 Establishing a Secure Connection with the eMBox Client . . . . . . . . . . . . . . . . . . . . 595
20.1.6 Finding Out eDirectory Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
20.2 Using the eMBox Logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
20.2.1 Using the eMBox Logger Command Line Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
20.2.2 Using the eMBox Logger Feature in Novell iManager . . . . . . . . . . . . . . . . . . . . . . . 598
A NMAS Considerations 601
A.1 Setting Up a Security Container As a Separate Partition. . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
A.2 Merging Trees with Multiple Security Containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
A.2.1 Product-Specific Operations to Perform prior to Tree Merge. . . . . . . . . . . . . . . . . . 602
A.2.2 Performing the Tree Merge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
A.2.3 Product-Specific Operations to Perform after the Tree Merge . . . . . . . . . . . . . . . . 605
B Novell eDirectory Linux and UNIX Commands and Usage 607
B.1 General Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
B.2 LDAP-Specific Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
C Configuring OpenSLP for eDirectory 615
C.1 Service Location Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
C.2 SLP Fundamentals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
C.2.1 Novell Service Location Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
C.2.2 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
C.2.3 Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
C.3 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
D How Novell eDirectory Works with DNS 619
E Configuring GSSAPI with eDirectory 621
E.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
E.1.1 Assumptions on Network Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
E.1.2 Installing the Kerberos Plug-in for iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
E.1.3 Adding Kerberos LDAP Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
E.1.4 Exporting the Trusted Root Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
E.2 Configuring the SASL-GSSAPI Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
E.2.1 Merging eDirectory Trees Configured with SASL-GSSAPI Method. . . . . . . . . . . . . 626
E.3 Managing the SASL-GSSAPI Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
E.3.1 Extending the Kerberos Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
E.3.2 Managing the Kerberos Realm Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
E.3.3 Managing a Service Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
E.3.4 Editing Foreign Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
E.4 Creating a Login Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
E.5 How Does LDAP Use SASL-GSSAPI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
E.6 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
F Security Considerations 633
F.1 LDAP Binds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
F.2 Nessus Scan Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

About This Guide

This guide describes how to manage and configure Novell® eDirectoryTM 8.8.
Chapter 1, “Understanding Novell eDirectory,” on page 19
Chapter 2, “Designing Your Novell eDirectory Network,” on page 73
Chapter 3, “Managing Objects,” on page 93
Chapter 4, “Managing the Schema,” on page 121
Chapter 5, “Managing Partitions and Replicas,” on page 133
Chapter 6, “Novell eDirectory Management Utilities,” on page 145
Chapter 7, “Offline Bulkload Utility,” on page 191
Chapter 8, “Using Novell iMonitor 2.4,” on page 197
Chapter 9, “Merging Novell eDirectory Trees,” on page 223
Chapter 10, “Encrypting Data In eDirectory,” on page 239
Chapter 11, “Repairing the Novell eDirectory Database,” on page 263
Chapter 12, “WAN Traffic Manager,” on page 289
Chapter 13, “Understanding LDAP Services for Novell eDirectory,” on page 321
Chapter 14, “Configuring LDAP Services for Novell eDirectory,” on page 349
Chapter 16, “Backing Up and Restoring Novell eDirectory,” on page 421
Chapter 17, “SNMP Support for Novell eDirectory,” on page 493
Chapter 18, “Maintaining Novell eDirectory,” on page 537
Chapter 19, “DHost iConsole Manager,” on page 577
Chapter 20, “The eDirectory Management Toolbox,” on page 587
Appendix A, “NMAS Considerations,” on page 601
Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 607
Appendix C, “Configuring OpenSLP for eDirectory,” on page 615
Appendix D, “How Novell eDirectory Works with DNS,” on page 619
Appendix E, “Configuring GSSAPI with eDirectory,” on page 621
Audience
The guide is intended for network administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of this guide, see Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html).
Additional Documentation
For eDirectory installation instructions, see the Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/index.html).
For documentation on the eDirectory management utility, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux and UNIX*, should use forward slashes as required by your software.

1 Understanding Novell eDirectory

In simplest terms, Novell® eDirectoryTM is a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms and is Internet-scalable and extensible.
Novell eDirectory provides centralized identity management, infrastructure, Net-wide security, and scalability to all types of applications running behind and beyond the firewall. Novell eDirectory includes Web-based and wireless management capabilities, allowing you to access and manage the directory and users, access rights, and network resources from a Web browser and a variety of handheld devices.
Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol (LDAP) 3 and provides support for TLS/SSL services based on the OpenSSL source code. For more information on the eDirectory engine, see eDirectory Process Requests (http://developer.novell.com/research/sections/netmanage/dirprimer/2002/august/p020801.htm).
Figure 1-1 shows a few of the objects as viewed in the Novell iManager management utility.
Figure 1-1 eDirectory Objects in iManager
Some object classes might not be available, depending on the actual schema configured on the eDirectory server and the operating system running eDirectory.
For more information on objects, see Section 1.2, “Object Classes and Properties,” on page 23.
If you have more than one eDirectory server on the network, the directory can be replicated on multiple servers.
This chapter includes the following information:
Section 1.1, “Ease of Management through Novell iManager,” on page 20
Section 1.2, “Object Classes and Properties,” on page 23
Section 1.3, “Context and Naming,” on page 42
Section 1.4, “Schema,” on page 45
Section 1.5, “Partitions,” on page 52
Section 1.6, “Replicas,” on page 55
Section 1.7, “NetWare Bindery Emulation,” on page 59
Section 1.8, “Server Synchronization in the Replica Ring,” on page 59
Section 1.9, “Access to Resources,” on page 60
Section 1.10, “eDirectory Rights,” on page 60

1.1 Ease of Management through Novell iManager

Novell eDirectory allows for easy, powerful, and flexible management of network resources. It also serves as a repository of user information for groupware and other applications. These applications access your directory through the industry-standard Lightweight Directory Access Protocol (LDAP).
eDirectory ease-of-management features include a powerful tree structure, an integrated management utility, and single login and authentication.
Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins to iManager give you access to basic directory management tasks, and to the eDirectory management utilities you previously had to run on the eDirectory server, such as DSRepair, DSMerge, and Backup and Restore.
For more information, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).

1.1.1 Powerful Tree Structure

Novell eDirectory organizes objects in a tree structure, beginning with the top Tree object, which bears the tree's name.
Whether your eDirectory servers are running NetWare®, Linux*, UNIX*, or Windows*, all resources can be kept in the same tree. You won’t need to access a specific server or domain to create objects, grant rights, change passwords, or manage applications.
The hierarchical structure of the tree gives you great management flexibility and power. These benefits primarily result from the following two features:
“Container Objects” on page 20
“Inheritance” on page 21
Container Objects
Container objects allow you to manage other objects in sets, rather than individually. There are three common classes of container objects, as seen in Figure 1-2:
Figure 1-2 Common Classes of Container Objects
The Tree object is the top container object in the tree. It usually contains your company’s Organization object.
Organization is normally the first container class under the Tree object. The Organization object is typically named after your company. Small companies keep management simple by having all other objects directly under the Organization object.
Organizational Unit objects can be created under the Organization to represent distinct geographical regions, network campuses, or individual departments. You can also create Organizational Units under other Organizational Units to further subdivide the tree.
Other classes of container objects are Country and Locality, which are typically used only in multinational networks.
The Domain object can be created under the Tree object or under Organization, Organizational Unit, Country, and Locality objects.
You can perform one task on the container object that applies to all objects within the container. Suppose you want to give a user named Amy complete management control over all objects in the Accounting container. (See Figure 1-3.)
Figure 1-3 Container Object
To do this, right-click the Accounting object, select Trustees of This Object, then add Amy as a trustee. Next, select the rights you want Amy to have, then click OK. Now Amy has rights to manage the Database application, the Bookkeepers group, the LaserPrinter printer, and the users Amy, Bill, and Bob.
Inheritance
Another powerful feature of eDirectory is rights inheritance. Inheritance means that rights flow down to all containers in the tree. This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4 on page 21.
Figure 1-4 Sample eDirectory Objects
You could make any of the following assignments:
If you grant a user rights to Allentown, the user can manage only objects in the Allentown container.
If you grant a user rights to East, the user can manage objects in the East, Allentown, and Yorktown containers.
If you grant a user rights to YourCo, the user can manage any objects in any of the containers shown.
For more information on assigning rights, see Section 1.10, “eDirectory Rights,” on page 60.
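The three assignments above, worked through in code. This is an added example and not code from the Novell guide: it models the containers of Figure 1-4 (YourCo, East, Allentown, Yorktown) and computes what each trustee can reach once rights flow down the tree. The right name "Manage", the user names, and the function names are assumptions made for illustration; the real eDirectory right set is described in Section 1.10.

```python
# Added example (not from the Novell guide): a minimal model of eDirectory
# rights inheritance. Rights granted on a container apply to that container
# and to everything below it, so the effective rights on an object are the
# union of the grants on the object and on each of its ancestors.

# Constructed tree from Figure 1-4: each container maps to its parent;
# the Tree object is the top and has no parent.
PARENT = {
    "Tree": None,
    "YourCo": "Tree",
    "East": "YourCo",
    "Allentown": "East",
    "Yorktown": "East",
}


def grant(assignments, container, user, rights):
    """Make user a trustee of container with the given rights.

    assignments has the shape {container: {user: set_of_rights}} and is
    returned so calls can be chained. "Manage" is an assumed right name.
    """
    assignments.setdefault(container, {}).setdefault(user, set()).update(rights)
    return assignments


def ancestors(obj):
    """Yield obj itself, then each container above it up to Tree."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def effective_rights(assignments, user, obj):
    """Inheritance: union of the rights granted on obj or on any ancestor."""
    rights = set()
    for container in ancestors(obj):
        rights |= assignments.get(container, {}).get(user, set())
    return rights


def managed_containers(assignments, user):
    """Every container the user can manage, directly or by inheritance.

    This is the view an access review needs: a single grant placed high in
    the tree (YourCo) covers every container beneath it, so grants should
    be made at the narrowest container that still serves the need.
    """
    return sorted(c for c in PARENT
                  if "Manage" in effective_rights(assignments, user, c))


if __name__ == "__main__":
    # The three assignment choices from the guide, one per (assumed) user.
    a = {}
    grant(a, "Allentown", "ann", {"Manage"})
    grant(a, "East", "ed", {"Manage"})
    grant(a, "YourCo", "yvonne", {"Manage"})
    for user in ("ann", "ed", "yvonne"):
        print(user, "manages", managed_containers(a, user))
```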

1.1.2 Web-Based Management Utility

iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
To run iManager, you will need a workstation with Microsoft* Internet Explorer 6.0 SP1 or later (recommended), Mozilla* 1.7 or later, or Mozilla Firefox* 0.9.2.
IMPORTANT: While you might be able to access iManager through a Web browser not listed, we do not guarantee full functionality.
You can use iManager to perform the following supervisory tasks:
Configure LDAP- and XML-based access to eDirectory
Create objects representing network users, devices, and resources
Define templates for creating new user accounts
Find, modify, move, and delete network objects
Define rights and roles to delegate administrative authority
Extend the eDirectory schema to allow custom object types and properties
Partition and replicate the eDirectory database across multiple servers
Run eDirectory management utilities such as DSRepair, DSMerge, and Backup and Restore
You can use iManager to perform other management functions based on plug-ins that have been loaded into iManager. The following eDirectory plug-ins are installed with iManager 2.6:
eDirectory Backup and Restore
eDirectory Log Files
eDirectory Merge
eDirectory Repair
eDirectory Service Manager
eGuide Content
iManager Base Content
Import Convert Export Wizard
Index Management
iPrint
LDAP
Universal Password Enforcement
Priority Sync
Encrypted Attributes
Encrypted Replication
NLS
NMAS
PKI/Certificate
Filtered Replica Configuration Wizard
SNMP
WAN Traffic Manager
For more information on installing, configuring, and running iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).

1.1.3 Single Login and Authentication

With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through authentication among domains.
A security feature of the directory is authentication of users. Before a user logs in, a User object must be created in the directory. The User object has certain properties, such as a name and password.
When the user logs in, eDirectory checks the password against the one stored in the directory for that user and grants access if they match.

1.2 Object Classes and Properties

The definition of each type of eDirectory object is called an object class. For instance, User and Organization are object classes. Each class of object has certain properties. A User object, for example, has First Name, Last Name, and many other properties.
The schema defines the object classes and properties, along with the rules of containment (what containers can contain which objects). eDirectory ships with a base schema that you, or the applications you use, can extend. For more information about schemas, see Section 1.4, “Schema,” on page 45.
Container objects contain other objects and are used to divide the tree into branches, while leaf objects represent network resources.

1.2.1 List of Objects

The following tables list eDirectory object classes. Added services can create new object classes in eDirectory that are not listed below.
eDirectory Container Object Classes
Container Object (Abbreviation): Description
Tree: Represents the beginning of your tree. For more information, see “Tree” on page 25.
Country (C): Designates the countries where your network resides and organizes other directory objects within the country. For more information, see “Country” on page 28.
License Container (LC): Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container.
Organization (O): Helps you organize other objects in the directory. The Organization object is a level below the Country object (if you use the Country object). For more information, see “Organization” on page 26.
Organizational Unit (OU): Helps you to further organize other objects in the directory. The Organizational Unit object is a level below the Organization object. For more information, see “Organizational Unit” on page 27.
Domain (DC): Helps you to further organize other objects in the directory. The Domain object can be created under the Tree object or under Organization, Organizational Unit, Country, and Locality objects. For more information, see “Domain” on page 28.
eDirectory Leaf Object Classes
Leaf Object: Description
AFP Server: Represents an AppleTalk* Filing Protocol server that operates as a node on your eDirectory network. It usually also acts as a NetWare router to, and the AppleTalk server for, several Macintosh* computers.
Alias: Points to the actual location of an object in the directory. Any directory object located in one place in the directory can also appear to be in another place in the directory by using an Alias. For more information, see “Alias” on page 40.
Application: Represents a network application. Application objects simplify administrative tasks such as assigning rights, customizing login scripts, and launching applications.
Computer: Represents a computer on the network.
Directory Map: Refers to a directory in the file system. For more information, see “Directory Map” on page 41.
Group: Assigns a name to a list of User objects in the directory. You can assign rights to the group instead of to each user; then the rights transfer to each user in the group. For more information, see “Group” on page 32.
License Certificate: Use with NLS technology to install product license certificates as objects in the database. License Certificate objects are added to the Licensed Product container when an NLS-aware application is installed.
Organizational Role: Defines a position or role within an organization.
Print Queue: Represents a network print queue.
Print Server: Represents a network print server.
Printer: Represents a network printing device.
Profile: Represents a login script used by a group of users who need to share common login script commands. The users don’t need to be in the same container. For more information, see “Profile” on page 42.
Server: Represents a server running any operating system. For more information, see “Server” on page 29.
Template: Represents standard User object properties that can be applied to new User objects.
Unknown: Represents an object for which iManager has no custom icon.
User: Represents the people who use your network. For more information, see “User” on page 31.
Volume: Represents a physical volume on the network. For more information, see “Volume” on page 30.

1.2.2 Container Object Classes

“Tree” on page 25
“Organization” on page 26
“Organizational Unit” on page 27
“Country” on page 28
“Domain” on page 28
Tree
The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects.
What Tree Represents
Tree represents the top of your tree.
Usage
Tree is used to make universal rights assignments. Because of inheritance, any rights assignments you make to Tree as the target apply to all objects in the tree. See Section 1.10, “eDirectory Rights,” on page 60. The [Public] trustee has the Browse right and Admin has the Supervisor right to Tree by default.
Important Properties
The Tree object has a Name property, which is the tree name you supply when installing the first server. The tree name is shown in the hierarchy of iManager.
Tree name cannot exceed 32 characters.
Organization
An Organization container object is created when you first install eDirectory on a server in your network. As the top-most container under Tree, it usually holds Organizational Unit objects and leaf objects.
The User object named Admin is created by default in your first Organization container.
What an Organization Object Represents
Normally the Organization object represents your company, although you can create additional Organization objects under Tree. This is typically done for networks with distinct geographical districts or for companies with separate eDirectory trees that have merged.
Usage
The way you use Organization objects in your tree depends on the size and structure of your network. If the network is small, you should keep all leaf objects under one Organization object.
For larger networks, you can create Organizational Unit objects under the Organization to make resources easier to locate and manage. For example, you can create Organizational Units for each department or division in your company.
For networks with multiple sites, you should create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
For easy sharing of company-wide resources such as printers, volumes, or applications, create corresponding Printer, Volume, or Application objects under the Organization.
Important Properties
The most useful properties for Organization are listed below. Only the Name property is required. For a complete list of properties, select an Organization object in iManager. To display a description for each page of properties, click Help.
Name
Typically, the Name property is the same as your company’s name. Of course, you can shorten it for simplicity. For instance, if the name of your company is Your Shoe Company, you might use YourCo.
The Organization name becomes part of the context for all objects created under it.
Login Script
The Login Script property contains commands that are executed by any User objects directly under the Organization. These commands are run when a user logs in.
An Organization name can be up to 64 characters long.
Organizational Unit
You can create Organizational Unit (OU) container objects to subdivide the tree. Organizational Units are created with iManager under an Organization, Country, or another Organizational Unit.
Organizational Units can contain other Organizational Units and leaf objects such as User and Application objects.
What an Organizational Unit Object Represents
Normally the Organizational Unit object represents a department, which holds a set of objects that commonly need access to each other. A typical example is a set of Users, along with the Printers, Volumes, and Applications that those Users need.
At the highest level of Organizational Unit objects, each Organizational Unit can represent each site (separated by WAN links) in the network.
Usage
The way you use Organizational Unit objects in your tree depends on the size and structure of your network. If the network is small, you might not need any Organizational Units.
For larger networks, you can create Organizational Unit objects under the Organization to make resources easier to locate and manage. For example, you can create Organizational Units for each department or division in your company. Remember that administration is easiest when you keep User objects together in the Organizational Unit with the resources they use most frequently.
For networks with multiple sites, you can create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
Important Properties
The most useful properties for the Organizational Unit are listed below. Only the Name property is required. For a complete list of properties, select an Organizational Unit object in iManager. To display a description for each page of properties, click Help.
Name
Typically, the Name property is the same as the department name. Of course, you can shorten it for simplicity. For instance, if the name of your department is Accounts Payable, you can shorten it to AP.
The Organizational Unit name becomes part of the context for all objects created under it. An Organizational Unit name can be up to 64 characters long.
Login Script
The Login Script property contains commands that are executed for any User object located directly under the Organizational Unit. These commands run when that user logs in.
Country
You can create Country objects directly under the Tree object using iManager. Country objects are optional and are required only for connection to certain X.500 global directories.
What a Country Object Represents
The Country object represents the political identity of its branch of the tree.
Usage
Most administrators do not create a Country object, even if the network spans countries, because the Country object only adds an unnecessary level to the tree. You can create one or many Country objects under the Tree object, depending on the multinational nature of your network. Country objects can contain Organization objects (and Domain objects, as described under Domain below); they cannot contain leaf objects directly.
If you do not create a Country object and find that you need one later, you can always modify the tree to add one.
Important Properties
The Country object has a two-letter Name property. Country objects are named with a standard ISO 3166 two-letter country code such as US or DE. The Country name cannot exceed 2 characters.
Domain
You can create Domain objects directly under the Tree object using iManager. You can also create them under Organization, Organizational Unit, Country, and Locality objects.
What a Domain Object Represents
The Domain object represents a DNS domain component. Domain objects let you use DNS service location (SRV) resource records to locate services in your tree, because a chain of DC components maps directly onto a DNS name.
Using Domain objects, a tree could look something like this:
DC=Novell.DC=Provo.DC=USA
In this example, all subcontainers are domains. You can also use Domain objects in a mixed tree, such as:
DC=Novell.O=Provo.C=US
Or
OU=Novell.DC=Provo.C=US
(The Country component in the mixed examples is written as a two-letter code, in line with the Country naming rule above.)
Usually, the topmost Domain object sits at the top of the tree, with subdomains beneath it. For example, machine1.novell.com could be represented as DC=machine1.DC=novell.DC=com in the tree. Domains give you a more generic way to set up an eDirectory tree: if all containers and subcontainers are DC objects, users do not need to remember C, O, or OU components when searching for objects.
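The typed dotted names shown above, the LDAP form of the same names, and the DNS name that a pure-DC context corresponds to are three spellings of one path. The following helper is an added example, not code from the guide or from eDirectory; it parses an eDirectory typed dotted name, enforces the length limits this guide states (Country at most 2 characters, Organizational Unit and Domain at most 64; the Organization limit of 64 is an assumption, not stated on this page), converts to an LDAP DN, and maps an all-DC context to the DNS name you would use for an SRV lookup. Escaped dots inside a component (backslash-dot) are handled, which is the eDirectory convention.

```python
"""Added example (not part of the eDirectory guide): convert between
eDirectory typed dotted names, LDAP DNs and DNS names, checking the
container name limits stated in the Administration Guide."""
import re

# Name length limits from the guide: C <= 2, OU <= 64, DC <= 64.
# O is assumed to share the 64-character limit (assumption, not stated).
MAX_LEN = {"C": 2, "O": 64, "OU": 64, "DC": 64}

# Split on dots that are not preceded by a backslash (escaped dots stay).
_SPLIT_DOT = re.compile(r"(?<!\\)\.")


def parse_dotted(name):
    """'OU=Novell.DC=Provo.C=US' -> [('OU','Novell'),('DC','Provo'),('C','US')].
    Leaf-most component first, as in an eDirectory typed name.
    Raises ValueError for untyped, unknown or over-long components."""
    rdns = []
    for part in _SPLIT_DOT.split(name):
        if "=" not in part:
            raise ValueError("untyped component: %r" % part)
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        val = val.replace("\\.", ".")          # unescape literal dots
        if typ not in MAX_LEN:
            raise ValueError("unsupported container type: %r" % typ)
        if not val or len(val) > MAX_LEN[typ]:
            raise ValueError("%s name %r is empty or longer than %d characters"
                             % (typ, val, MAX_LEN[typ]))
        rdns.append((typ, val))
    return rdns


def is_valid(name):
    """True if the typed dotted name parses and every component is within limits."""
    try:
        parse_dotted(name)
        return True
    except ValueError:
        return False


def to_dotted(rdns):
    """Inverse of parse_dotted; re-escapes dots inside component values."""
    return ".".join("%s=%s" % (t, v.replace(".", "\\.")) for t, v in rdns)


def to_ldap_dn(rdns):
    """LDAP spelling: comma separated, lower-case types, commas escaped."""
    return ",".join("%s=%s" % (t.lower(), v.replace(",", "\\,")) for t, v in rdns)


def dc_to_dns(rdns):
    """An all-DC context maps 1:1 onto a DNS name:
    DC=machine1.DC=novell.DC=com -> machine1.novell.com"""
    if any(t != "DC" for t, _ in rdns):
        raise ValueError("only an all-DC context maps to a DNS name")
    return ".".join(v for _, v in rdns)


def dns_to_dc(dns_name):
    """machine1.novell.com -> [('DC','machine1'),('DC','novell'),('DC','com')]"""
    labels = [l for l in dns_name.strip(".").split(".") if l]
    return [("DC", label) for label in labels]


def srv_query_name(service, proto, rdns):
    """DNS owner name for an SRV lookup under an all-DC context,
    e.g. _ldap._tcp.novell.com (service and protocol labels are the caller's)."""
    return "_%s._%s.%s" % (service, proto, dc_to_dns(rdns))


if __name__ == "__main__":
    ctx = parse_dotted("OU=Novell.DC=Provo.C=US")
    print(to_ldap_dn(ctx))                                   # ou=Novell,dc=Provo,c=US
    print(srv_query_name("ldap", "tcp", dns_to_dc("novell.com")))
    print(is_valid("DC=Novell.O=Provo.C=USA"))               # False: C longer than 2
```

The guide's own mixed example with C=USA fails the check, which is why the text above writes the Country component as a two-letter code; the validator makes that rule explicit rather than leaving it to the administrator's memory.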
Usage
NetWare 4 and 5 trees cannot have Domain objects at the top of the tree. With NetWare 4 and 5, the NCP Server object can be placed in an Organization, Country, Organizational Unit, or Locality container, but not in a Domain container. With NetWare 6, however, you can place Domain objects at the top of the tree, and you can place the NCP Server object in a Domain container.
For older installations of NetWare (such as NetWare 4), when you prepare the tree to install or upgrade to NetWare 5 or later, the nds500.sch file will automatically run. After the first server is installed into the tree, this file extends the schema to allow the Domain container to be created anywhere and hold most directory objects.
Domain name can be 64 characters long.

1.2.3 Leaf Object Classes

“Server” on page 29
“Volume” on page 30
“User” on page 31
“Group” on page 32
“Nested Groups” on page 36
“Alias” on page 40
“Directory Map” on page 41
“Profile” on page 42
Server
A Server object is automatically created in the tree whenever you install eDirectory on a server; it can represent any server running eDirectory.
You can also create a Server object manually to represent a NetWare 2 or NetWare 3 bindery server.
What a Server Object Represents
The Server object represents a server running eDirectory or a bindery-based (NetWare 2 or NetWare 3) server.
Usage
The Server object serves as a reference point for replication operations. A Server object that represents a bindery-based server allows you to manage the server’s volumes with iManager.
Important Properties
The Server object has a Network Address property, among others. The Network Address property displays the protocol and address number for the server, which is useful for troubleshooting at the packet level.
For a complete list of properties, select a Server object in iManager. To display a description for each page of properties, click Help.
Volume
When you create a physical volume on a server, a Volume object is automatically created in the tree. By default, the name of the Volume object is the server's name with an underscore and the physical volume's name appended (for example, YOSERVER_SYS).
Volume objects are supported only on NetWare. Linux and UNIX file system partitions cannot be managed using Volume objects.
What a Volume Object Represents
A Volume object represents a physical volume on a server, whether it is a writable disk, a CD, or other storage medium. The Volume object in eDirectory does not contain information about the files and directories on that volume, although you can access that information through iManager. File and directory information is retained in the file system itself.
Usage
In iManager, click the Volume icon to manage files and directories on that volume. iManager provides information about the volume's free disk space, directory entry space, and compression statistics.
You can also create Volume objects in the tree for NetWare 2 and NetWare 3 volumes.
Important Properties
In addition to the required Name and Host Server properties, there are other important Volume properties.
Name
This is the name of the Volume object in the tree. By default, this name is derived from the name of the physical volume, though you can change the object name.
Host Server
This is the server that the volume resides on.
Version