Novell EDIRECTORY 8.8 - ADMINISTRATION User Manual

Novell eDirectory 8.8 Administration Guide
novdocx (ENU) 01 February 2006
February 3, 2006
www.novell.com
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.
Novell Trademarks
Client32 is a trademark of Novell, Inc.
eDirectory is a trademark of Novell, Inc.
NetWare is a registered trademark of Novell, Inc., in the United States and other countries.
NetWare Core Protocol and NCP are trademarks of Novell, Inc.
NMAS is a trademark of Novell, Inc.
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
Novell Client is a trademark of Novell, Inc.
Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
Ximian is a registered trademark of Novell, Inc., in the United States and other countries.
ZENworks is a registered trademark of Novell, Inc., in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Contents
About This Guide
1 Understanding Novell eDirectory
1.1 Ease of Management through Novell iManager
1.1.1 Powerful Tree Structure
1.1.2 Web-Based Management Utility
1.1.3 Single Login and Authentication
1.2 Object Classes and Properties
1.2.1 List of Objects
1.2.2 Container Object Classes
1.2.3 Leaf Object Classes
1.3 Context and Naming
1.3.1 Distinguished Name
1.3.2 Typeful Name
1.3.3 Name Resolution
1.3.4 Current Workstation Context
1.3.5 Leading Period
1.3.6 Relative Naming
1.3.7 Trailing Periods
1.3.8 Context and Naming on Linux and UNIX
1.4 Schema
1.4.1 Schema Management
1.4.2 Schema Classes, Attributes, and Syntaxes
1.4.3 Understanding Mandatory and Optional Attributes
1.4.4 Sample Schema
1.4.5 Designing the Schema
1.5 Partitions
1.5.1 Partitions
1.5.2 Distributing Replicas for Performance
1.5.3 Partitions and WAN Links
1.6 Replicas
1.6.1 Replica Types
1.6.2 Filtered Replicas
1.7 NetWare Bindery Emulation
1.8 Server Synchronization in the Replica Ring
1.9 Access to Resources
1.10 eDirectory Rights
1.10.1 Trustee Assignments and Targets
1.10.2 eDirectory Rights Concepts
1.10.3 Default Rights for a New Server
1.10.4 Delegated Administration
1.10.5 Administering Rights
2 Designing Your Novell eDirectory Network
2.1 eDirectory Design Basics
2.1.1 Network Layout
2.1.2 Organizational Structure
2.1.3 Preparing for eDirectory Design
2.2 Designing the eDirectory Tree
2.2.1 Creating a Naming Standards Document
2.2.2 Designing the Upper Layers of the Tree
2.2.3 Designing the Lower Layers of the Tree
2.3 Guidelines for Partitioning Your Tree
2.3.1 Determining Partitions for the Upper Layers of the Tree
2.3.2 Determining Partitions for the Lower Layers of the Tree
2.3.3 Determining Partition Size
2.3.4 Considering Network Variables
2.4 Guidelines for Replicating Your Tree
2.4.1 Workgroup Needs
2.4.2 Fault Tolerance
2.4.3 Determining the Number of Replicas
2.4.4 Replicating the Tree Partition
2.4.5 Replicating for Administration
2.4.6 Meeting Bindery Services Needs for NetWare
2.4.7 Managing WAN Traffic
2.5 Planning the User Environment
2.5.1 Reviewing Users' Needs
2.5.2 Creating Accessibility Guidelines
2.6 Designing eDirectory for e-Business
2.7 Understanding the Novell Certificate Server
2.7.1 Rights Required to Perform Tasks on Novell Certificate Server
2.7.2 Ensuring Secure eDirectory Operations on Linux, Solaris, AIX, and HP-UX Systems
2.8 Synchronizing Network Time
2.8.1 Synchronizing Time on NetWare Servers
2.8.2 Synchronizing Time on Windows Servers
2.8.3 Synchronizing Time on Linux, Solaris, AIX, or HP-UX Systems
2.8.4 Verifying Time Synchronization
2.9 Security Considerations
3 Managing Objects
3.1 General Object Tasks
3.1.1 Browsing the eDirectory Tree
3.1.2 Creating an Object
3.1.3 Modifying an Object's Properties
3.1.4 Copying Objects
3.1.5 Moving Objects
3.1.6 Deleting Objects
3.1.7 Renaming Objects
3.2 Managing User Accounts
3.2.1 Creating and Modifying User Accounts
3.2.2 Setting Up Optional Account Features
3.2.3 Setting Up Login Scripts
3.2.4 Login Time Restrictions for Remote Users
3.2.5 Deleting User Accounts
3.3 Configuring Role-Based Services
3.3.1 Defining RBS Roles
3.3.2 Defining Custom RBS Tasks
3.4 Synchronization
3.4.1 Features of Synchronization
3.4.2 Normal or Replica Synchronization
3.4.3 Priority Sync
4 Managing the Schema
4.1 Extending the Schema
4.1.1 Creating a Class
4.1.2 Deleting a Class
4.1.3 Creating an Attribute
4.1.4 Adding an Optional Attribute to a Class
4.1.5 Deleting an Attribute
4.1.6 Creating an Auxiliary Class
4.1.7 Extending an Object with the Properties of an Auxiliary Class
4.1.8 Modifying an Object's Auxiliary Properties
4.1.9 Deleting Auxiliary Properties from an Object
4.2 Viewing the Schema
4.2.1 Viewing Class Information
4.2.2 Viewing Attribute Information
4.3 Manually Extending the Schema
4.3.1 Extending the Schema on NetWare
4.3.2 Extending the Schema on Windows
4.3.3 Extending the Schema on Linux, Solaris, AIX, or HP-UX Systems
4.4 Schema Flags Added in eDirectory 8.7
4.5 Using the eMBox Client to Perform Schema Operations
4.5.1 Using the DSSchema eMTool
4.5.2 DSSchema eMTool Options
5 Managing Partitions and Replicas
5.1 Creating a Partition
5.2 Merging a Partition
5.3 Moving Partitions
5.4 Cancelling Create or Merge Partition Operations
5.5 Administering Replicas
5.5.1 Adding a Replica
5.5.2 Deleting a Replica
5.5.3 Changing a Replica Type
5.6 Setting Up and Managing Filtered Replicas
5.6.1 Using the Filtered Replica Wizard
5.6.2 Defining a Partition Scope
5.6.3 Setting Up a Server Filter
5.7 Viewing Partitions and Replicas
5.7.1 Viewing the Partitions on a Server
5.7.2 Viewing a Partition’s Replicas
5.7.3 Viewing Information about a Partition
5.7.4 Viewing Partition Hierarchy
5.7.5 Viewing Information about a Replica
6 Novell eDirectory Management Utilities
6.1 Novell Import Conversion Export Utility
6.1.1 Using the Novell iManager Import Convert Export Wizard
6.1.2 Using the Command Line Interface
6.1.3 Conversion Rules
6.1.4 LDAP Bulk Update/Replication Protocol
6.1.5 Migrating the Schema between LDAP Directories
6.1.6 Improving the Speed of LDIF Imports
6.2 Index Manager
6.2.1 Creating an Index
6.2.2 Deleting an Index
6.2.3 Taking an Index Offline
6.2.4 Managing Indexes on Other Servers
6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes
6.3 Predicate Data
6.3.1 Managing Predicate Data
6.4 eDirectory Service Manager
6.4.1 Using the eMBox Client Service Manager eMTool
6.4.2 Using the Service Manager Plug-In to Novell iManager
7 Using Novell iMonitor 2.1
7.1 System Requirements
7.1.1 Platforms
7.1.2 eDirectory Versions That Can Be Monitored
7.2 Accessing iMonitor
7.3 iMonitor Architecture
7.3.1 Anatomy of an iMonitor Page
7.3.2 Modes of Operation
7.3.3 iMonitor Features Available on Every Page
7.3.4 NetWare Remote Manager Integration
7.3.5 Configuration Files
7.4 iMonitor Features
7.4.1 Viewing eDirectory Server Health
7.4.2 Viewing Partition Synchronization Status
7.4.3 Viewing Server Connection Information
7.4.4 Viewing Known Servers
7.4.5 Viewing Replica Information
7.4.6 Controlling and Configuring the DS Agent
7.4.7 Configuring Trace Settings
7.4.8 Viewing Process Status Information
7.4.9 Viewing Agent Activity
7.4.10 Viewing Traffic Patterns
7.4.11 Viewing Background Processes
7.4.12 Viewing eDirectory Server Errors
7.4.13 Viewing DSRepair Information
7.4.14 Viewing Agent Health Information
7.4.15 Browsing Objects in Your Tree
7.4.16 Viewing Entries for Synchronization or Purging
7.4.17 Viewing Novell Nsure Identity Manager Details
7.4.18 Viewing the Synchronization Status of a Replica
7.4.19 Configuring and Viewing Reports
7.4.20 Viewing Schema, Class, and Attribute Definitions
7.4.21 Searching for Objects
7.4.22 Using the Stream Viewer
7.4.23 Clone DIB Set
7.5 Ensuring Secure iMonitor Operations
8 Merging Novell eDirectory Trees
8.1 Merging eDirectory Trees
8.1.1 Prerequisites
8.1.2 Target Tree Requirements
8.1.3 Schema Requirements
8.1.4 Merging the Source into the Target Tree
8.1.5 Partition Changes
8.1.6 Preparing the Source and Target Trees
8.1.7 Synchronizing Time before the Merge
8.1.8 Merging Two Trees
8.1.9 Post-Merge Tasks
8.2 Grafting a Single Server Tree
8.2.1 Understanding Context Name Changes
8.2.2 Preparing the Source and Target Trees
8.2.3 Grafting the Source and Target Tree
8.3 Renaming a Tree
8.4 Using the eMBox Client to Merge Trees
8.4.1 Using the DSMerge eMTool
8.4.2 DSMerge eMTool Options
9 Encrypting Data In eDirectory
9.1 Encrypted Attributes
9.1.1 Using Encryption Schemes
9.1.2 Managing Encrypted Attributes Policies
9.1.3 Accessing the Encrypted Attributes
9.1.4 Viewing the Encrypted Attributes
9.1.5 Encrypting and Decrypting Backup Data
9.1.6 Cloning the DIB Fileset Containing Encrypted Attributes
9.1.7 Adding eDirectory 8.8 Servers to Replica Rings
9.1.8 Backward Compatibility
9.1.9 Migrating to Encrypted Attributes
9.1.10 Replicating the Encrypted Attributes
9.2 Encrypted Replication
9.2.1 Enabling Encrypted Replication
9.2.2 Adding a New Replica to a Replica Ring
9.2.3 Synchronization and Encrypted Replication
9.2.4 Viewing the Encrypted Replication Status
9.3 Achieving Complete Security While Encrypting Data
9.3.1 Encrypting Data in an All New Setup
9.3.2 Encrypting Data in an Existing Setup
9.3.3 Conclusion
10 Repairing the Novell eDirectory Database 251
10.1 Performing Basic Repair Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
10.1.1 Performing an Unattended Full Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
10.1.2 Performing a Local Database Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
10.1.3 Checking External References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
10.1.4 Repairing a Single Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
10.1.5 Deleting Unknown Leaf Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
10.2 Viewing and Configuring the Repair Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
10.2.1 Opening the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
10.2.2 Setting Log File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
10.3 Performing a Repair in Novell iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
10.4 Repairing Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
10.4.1 Repairing All Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.4.2 Repairing Selected Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.4.3 Repairing Time Stamps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.4.4 Designating This Server As the New Master Replica . . . . . . . . . . . . . . . . . . . . . . . 259
10.4.5 Destroying the Selected Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
10.5 Repairing Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
10.5.1 Repairing All Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
10.5.2 Repairing the Selected Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
10.5.3 Sending All Objects to Every Server in the Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
10.5.4 Receiving All Objects from the Master to the Selected Replica . . . . . . . . . . . . . . . . 262
10.5.5 Removing This Server from the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
10.6 Maintaining the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
10.6.1 Requesting Schema from the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
10.6.2 Resetting the Local Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
10.6.3 Performing a Post-NetWare 5 Schema Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
10.6.4 Performing Optional Schema Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
10.6.5 Importing Remote Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
10.6.6 Declaring a New Schema Epoch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
10.7 Repairing Server Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
10.7.1 Repairing All Network Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.7.2 Repairing a Server's Network Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.8 Performing Synchronization Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
10.8.1 Synchronizing the Selected Replica on This Server . . . . . . . . . . . . . . . . . . . . . . . . 267
10.8.2 Reporting the Synchronization Status on This Server . . . . . . . . . . . . . . . . . . . . . . . 267
10.8.3 Reporting the Synchronization Status on All Servers . . . . . . . . . . . . . . . . . . . . . . . 268
10.8.4 Performing a Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
10.8.5 Scheduling an Immediate Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.9 Advanced DSRepair Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.9.1 Running DSRepair on the eDirectory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.9.2 DSRepair Command Line Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
10.9.3 Using Advanced DSRepair Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10.10 Using the eMBox Client to Repair a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
10.10.1 Using the DSRepair eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
10.10.2 DSRepair eMTool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
11 WAN Traffic Manager 277
11.1 Understanding WAN Traffic Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
11.1.1 LAN Area Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
11.1.2 WAN Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
11.1.3 Limiting WAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
11.1.4 Assigning Cost Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
11.2 WAN Traffic Manager Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
11.2.1 1-3am.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
11.2.2 7am-6pm.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
11.2.3 Costlt20.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
11.2.4 Ipx.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
11.2.5 Ndsttyps.wmg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
11.2.6 Onospoof.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
11.2.7 Opnspoof.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
11.2.8 Samearea.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
11.2.9 Tcpip.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
11.2.10 Timecost.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
11.3 WAN Policy Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
11.3.1 Declaration Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
11.3.2 Selector Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
11.3.3 Provider Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
11.3.4 Construction Used within Policy Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
12 Understanding LDAP Services for Novell eDirectory 309
12.1 Key Terms for LDAP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
12.1.1 Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
12.1.2 Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
12.1.3 Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
12.2 Understanding How LDAP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
12.2.1 Connecting to eDirectory from LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
12.2.2 Class and Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
12.2.3 Enabling Nonstandard Schema Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
12.2.4 Syntax Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
12.2.5 Supported Novell LDAP Controls and Extensions . . . . . . . . . . . . . . . . . . . . . . . . . 320
12.3 Using LDAP Tools on Linux, Solaris, AIX, or HP-UX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
12.3.1 LDAP Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
12.4 Extensible Match Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
13 Configuring LDAP Services for Novell eDirectory 335
13.1 Loading and Unloading LDAP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
13.2 Verifying That the LDAP Server Is Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
13.3 Verifying That the LDAP Server Is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
13.3.1 Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
13.3.2 Verifying That The LDAP Server Is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
13.3.3 Verifying That A Device Is Listening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
13.4 Configuring LDAP Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
13.4.1 Configuring LDAP Server and LDAP Group Objects on Linux, Solaris, AIX, or HP-UX Systems . . . . . . . . . . 341
13.5 Refreshing the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
13.6 Authentication and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
13.6.1 Requiring TLS for Simple Binds with Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . 346
13.6.2 Starting and Stopping TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
13.6.3 Configuring the Server for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
13.6.4 Configuring the Client for TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
13.6.5 Exporting the Trusted Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
13.6.6 Authenticating with a Client Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
13.6.7 Using Certificate Authorities from Third-Party Providers . . . . . . . . . . . . . . . . . . . . . 349
13.6.8 Creating and Using LDAP Proxy Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
13.6.9 Using SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
13.7 Using the LDAP Server to Search the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
13.7.1 Setting Search Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
13.7.2 Using Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
13.7.3 Searching Filtered Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
13.8 Using LDAP Referral Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
13.8.1 Need for LDAP Referral Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
13.8.2 Using LDAP Referral Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
13.8.3 Format for Specifying LDAP Referral Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
13.8.4 Example Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
13.8.5 Invalid Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
13.8.6 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
13.9 Configuring for Superior Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
13.9.1 Scenario: Superior Referrals in a Federated Tree . . . . . . . . . . . . . . . . . . . . . . . . . 363
13.9.2 Creating a Nonauthoritative Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
13.9.3 Specifying Reference Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
13.9.4 Updating Reference Information through LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
13.9.5 Affected Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
13.9.6 Discovering Support for Superior References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
13.10 Persistent Search: Configuring for eDirectory Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
13.10.1 Managing Persistent Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
13.10.2 Controlling Use of the Monitor Events Extended Operation. . . . . . . . . . . . . . . . . . . 369
13.11 Getting Information about the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
14 Backing Up and Restoring Novell eDirectory 373
14.1 Checklist for Backing Up eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
14.2 Understanding Backup and Restore Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
14.2.1 About the eDirectory Backup eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
14.2.2 What's Different about Backup and Restore in eDirectory 8.7.3? . . . . . . . . . . . . . . 378
14.2.3 Overview of How the Backup eMTool Does a Restore . . . . . . . . . . . . . . . . . . . . . . 380
14.2.4 Format of the Backup File Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
14.2.5 Format of the Backup Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
14.2.6 Using DSMASTER Servers as Part of Disaster Recovery Planning . . . . . . . . . . . . 386
14.2.7 Transitive Vectors and the Restore Verification Process . . . . . . . . . . . . . . . . . . . . . 387
14.2.8 Restore Verification Is Backward Compatible Only with eDirectory 8.5 or Later . . . 388
14.2.9 Preserving Rights When Restoring File System Data on NetWare . . . . . . . . . . . . . 388
14.3 Using Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
14.3.1 Issues to Be Aware of When Turning On Roll-Forward Logging . . . . . . . . . . . . . . . 390
14.3.2 Location of the Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
14.3.3 Backing Up and Removing Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
14.3.4 Cautionary Note: Removing eDirectory Also Removes the Roll-Forward Logs . . . . 393
14.4 Preparing for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
14.4.1 Prerequisites for Restoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
14.4.2 Locating the Right Backup Files for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
14.5 Using Novell iManager for Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
14.5.1 Backing Up Manually with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
14.5.2 Configuring Roll-Forward Logs with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
14.5.3 Restoring from Backup Files with iManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
14.6 Using the eMBox Client for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
14.6.1 Backing Up Manually with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
14.6.2 Doing Unattended Backups, Using a Batch File with the eMBox Client . . . . . . . . . 407
14.6.3 Configuring Roll-Forward Logs with the eMBox Client. . . . . . . . . . . . . . . . . . . . . . . 410
14.6.4 Restoring from Backup Files with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . 412
14.6.5 Backup and Restore Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
14.7 Using DSBK.NLM on NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
14.8 Changes to Server-Specific Information Backup (NetWare Only) . . . . . . . . . . . . . . . . . . . . . 423
14.9 Recovering the Database If Restore Verification Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
14.9.1 Cleaning Up the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
14.9.2 Repair the Failed Server and Readd Replicas to the Server . . . . . . . . . . . . . . . . . . 427
14.10 Scenarios for Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
14.10.1 Scenario: Losing a Hard Drive Containing eDirectory in a Single-Server Network . 429
14.10.2 Scenario: Losing a Hard Drive Containing eDirectory in a Multiserver Environment 430
14.10.3 Scenario: Losing an Entire Server in a Multiple-Server Environment . . . . . . . . . . . 432
14.10.4 Scenario: Losing Some Servers in a Multiple-Server Environment . . . . . . . . . . . . . 433
14.10.5 Scenario: Losing All Servers in a Multiple-Server Environment. . . . . . . . . . . . . . . . 433
14.11 Backing Up and Restoring NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
14.11.1 UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
14.11.2 NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
14.11.3 Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
15 SNMP Support for Novell eDirectory 441
15.1 Definitions and Terminology for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
15.2 Understanding SNMP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
15.3 eDirectory and SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
15.3.1 Benefits of SNMP Instrumentation on eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . 444
15.3.2 Understanding How SNMP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . 444
15.4 Installing and Configuring SNMP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
15.4.1 Loading and Unloading the SNMP Server Module . . . . . . . . . . . . . . . . . . . . . . . . . 447
15.4.2 Subagent Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
15.4.3 Setting Up SNMP Services for eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
15.5 Monitoring eDirectory Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
15.5.1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
15.5.2 Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
15.5.3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
15.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
16 Maintaining Novell eDirectory 491
16.1 Improving eDirectory Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
16.1.1 Distributing Memory between Entry and Block Caches. . . . . . . . . . . . . . . . . . . . . . 492
16.1.2 Using the Default Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
16.1.3 Tuning LDAP for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
16.2 Improving eDirectory Performance on Linux, Solaris, AIX, and HP-UX Systems . . . . . . . . . 498
16.2.1 Fine-Tuning the eDirectory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
16.2.2 Optimizing eDirectory Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
16.2.3 Tuning the Solaris OS for Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
16.3 Improving Bulkload Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
16.3.1 eDirectory Cache Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
16.3.2 LBURP Transaction Size Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
16.3.3 Increasing the Number of Asynchronous Requests in ICE . . . . . . . . . . . . . . . . . . . 505
16.3.4 Increased Number of LDAP Writer Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
16.3.5 Disabling Schema Validation in ICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
16.3.6 Disabling ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
16.3.7 Backlinker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
16.3.8 Enabling/Disabling Inline Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
16.3.9 Increasing the LBURP Time Out Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
16.4 Keeping eDirectory Healthy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
16.4.1 When to Perform Health Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
16.4.2 Health Check Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
16.4.3 Checking eDirectory Health Using iMonitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
16.4.4 For More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
16.5 Resources for Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
16.6 Upgrading Hardware or Replacing a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
16.6.1 Planned Hardware or Storage Device Upgrade without Replacing the Server . . . . 512
16.6.2 Planned Replacement of a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
16.7 Restoring eDirectory after a Hardware Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
17 DHost iConsole Manager 521
17.1 What is DHost? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
17.2 Running DHost iConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
17.2.1 Running DHost iConsole on NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
17.2.2 Running DHost iConsole on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
17.2.3 Running DHost iConsole on Linux, Solaris, AIX, and HP-UX . . . . . . . . . . . . . . . . . 523
17.3 Managing eDirectory Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
17.3.1 Loading or Unloading Modules on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
17.3.2 Loading or Unloading Modules on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
17.3.3 Loading or Unloading Modules on Linux, Solaris, AIX, and HP-UX . . . . . . . . . . . . 525
17.4 Querying for DHost Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
17.4.1 Viewing the Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
17.4.2 Viewing Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
17.4.3 Viewing Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
17.4.4 Viewing the Thread Pools Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
17.5 Process Stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
17.6 Setting the SAdmin Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
17.6.1 Setting the SAdmin Password on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
17.6.2 Setting the SAdmin Password on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
17.6.3 Setting the SAdmin Password on Linux, Solaris, AIX, and HP-UX . . . . . . . . . . . . . 529
18 The eDirectory Management Toolbox 531
18.1 Using the eMBox Command Line Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
18.1.1 Displaying the Command Line Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
18.1.2 Running the eMBox Command Line Client in Interactive Mode. . . . . . . . . . . . . . . . 532
18.1.3 Running the eMBox Command Line Client in Batch Mode . . . . . . . . . . . . . . . . . . . 536
18.1.4 eMBox Command Line Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
18.1.5 Establishing a Secure Connection with the eMBox Client . . . . . . . . . . . . . . . . . . . . 539
18.1.6 Finding Out eDirectory Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
18.2 Using the eMBox Logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
18.2.1 Using the eMBox Logger Command Line Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
18.2.2 Using the eMBox Logger Feature in Novell iManager . . . . . . . . . . . . . . . . . . . . . . . 542
A NMAS Considerations 543
A.1 Setting Up a Security Container As a Separate Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
A.2 Merging Trees with Multiple Security Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
A.2.1 Product-Specific Operations to Perform prior to Tree Merge. . . . . . . . . . . . . . . . . . 544
A.2.2 Performing the Tree Merge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
A.2.3 Product-Specific Operations to Perform after the Tree Merge . . . . . . . . . . . . . . . . . 547
B Novell eDirectory Linux and UNIX Commands and Usage 549
B.1 General Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
B.2 LDAP-Specific Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
C Configuring OpenSLP for eDirectory 557
C.1 Service Location Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
C.2 SLP Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
C.2.1 Novell Service Location Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
C.2.2 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
C.2.3 Service Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
C.3 Configuration Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
D How Novell eDirectory Works with DNS 561
E Configuring GSSAPI with eDirectory 563
E.1 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
E.1.1 Assumptions on Network Characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
E.1.2 Installing the Kerberos Plug-in for iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
E.1.3 Adding Kerberos LDAP Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
E.1.4 Exporting the Trusted Root Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
E.2 Configuring the SASL-GSSAPI Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
E.2.1 Merging eDirectory Trees Configured with SASL-GSSAPI Method . . . . . . . . . . . . . 568
E.3 Managing the SASL-GSSAPI Method
E.3.1 Extending the Kerberos Schema
E.3.2 Managing the Kerberos Realm Object
E.3.3 Managing a Service Principal
E.3.4 Editing Foreign Principals
E.4 Creating a Login Sequence
E.5 How Does LDAP Use SASL-GSSAPI?
E.6 Error Messages
About This Guide
This guide describes how to manage and configure Novell® eDirectory™ 8.8.
Chapter 1, “Understanding Novell eDirectory,” on page 19
Chapter 2, “Designing Your Novell eDirectory Network,” on page 69
Chapter 3, “Managing Objects,” on page 91
Chapter 4, “Managing the Schema,” on page 117
Chapter 5, “Managing Partitions and Replicas,” on page 129
Chapter 6, “Novell eDirectory Management Utilities,” on page 141
Chapter 7, “Using Novell iMonitor 2.1,” on page 185
Chapter 8, “Merging Novell eDirectory Trees,” on page 211
Chapter 9, “Encrypting Data In eDirectory,” on page 227
Chapter 10, “Repairing the Novell eDirectory Database,” on page 251
Chapter 11, “WAN Traffic Manager,” on page 277
Chapter 12, “Understanding LDAP Services for Novell eDirectory,” on page 309
Chapter 13, “Configuring LDAP Services for Novell eDirectory,” on page 335
Chapter 14, “Backing Up and Restoring Novell eDirectory,” on page 373
Chapter 15, “SNMP Support for Novell eDirectory,” on page 441
Chapter 16, “Maintaining Novell eDirectory,” on page 491
Chapter 17, “DHost iConsole Manager,” on page 521
Chapter 18, “The eDirectory Management Toolbox,” on page 531
Appendix A, “NMAS Considerations,” on page 543
Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 549
Appendix C, “Configuring OpenSLP for eDirectory,” on page 557
Appendix D, “How Novell eDirectory Works with DNS,” on page 561
Appendix E, “Configuring GSSAPI with eDirectory,” on page 563
Audience
The guide is intended for network administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of this guide, see Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html).
Additional Documentation
For eDirectory installation instructions, see the Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/index.html).
For documentation on the eDirectory management utility, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux and UNIX*, should use forward slashes as required by your software.
1 Understanding Novell eDirectory
In simplest terms, Novell® eDirectory™ is a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms, is internet-scalable, and extensible.
Novell eDirectory provides centralized identity management, infrastructure, Net-wide security, and scalability to all types of applications running behind and beyond the firewall. Novell eDirectory includes Web-based and wireless management capabilities, allowing you to access and manage the directory and users, access rights, and network resources from a Web browser and a variety of handheld devices.
Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol (LDAP) 3 and provides support for TLS/SSL services based on the OpenSSL source code. For more information on the eDirectory engine, see eDirectory Process Requests (http://developer.novell.com/research/sections/netmanage/dirprimer/2002/august/p020801.htm).
Figure 1-1 shows a few of the objects as viewed in the Novell iManager management utility.
Figure 1-1 eDirectory Objects in iManager
Some object classes might not be available, depending on the actual schema configured on the eDirectory server and the operating system running eDirectory.
For more information on objects, see Section 1.2, “Object Classes and Properties,” on page 23.
If you have more than one eDirectory server on the network, the directory can be replicated on multiple servers.
This chapter includes the following information:
Section 1.1, “Ease of Management through Novell iManager,” on page 20
Section 1.2, “Object Classes and Properties,” on page 23
Section 1.3, “Context and Naming,” on page 38
Section 1.4, “Schema,” on page 41
Section 1.5, “Partitions,” on page 47
Section 1.6, “Replicas,” on page 50
Section 1.7, “NetWare Bindery Emulation,” on page 55
Section 1.8, “Server Synchronization in the Replica Ring,” on page 55
Section 1.9, “Access to Resources,” on page 55
Section 1.10, “eDirectory Rights,” on page 56
1.1 Ease of Management through Novell iManager
Novell eDirectory allows for easy, powerful, and flexible management of network resources. It also serves as a repository of user information for groupware and other applications. These applications access your directory through the industry-standard Lightweight Directory Access Protocol (LDAP).
eDirectory ease-of-management features include a powerful tree structure, an integrated management utility, and single login and authentication.
Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins to iManager give you access to basic directory management tasks, and to the eDirectory management utilities you previously had to run on the eDirectory server, such as DSRepair, DSMerge, and Backup and Restore.
For more information, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
1.1.1 Powerful Tree Structure
Novell eDirectory organizes objects in a tree structure, beginning with the top Tree object, which bears the tree's name.
Whether your eDirectory servers are running NetWare®, Linux*, UNIX*, or Windows*, all resources can be kept in the same tree. You won’t need to access a specific server or domain to create objects, grant rights, change passwords, or manage applications.
The hierarchical structure of the tree gives you great management flexibility and power. These benefits primarily result from the following two features:
“Container Objects” on page 20
“Inheritance” on page 21
Container Objects
Container objects allow you to manage other objects in sets, rather than individually. There are three common classes of container objects, as seen in Figure 1-2:
Figure 1-2 Common Classes of Container Objects
• The Tree object is the top container object in the tree. It usually contains your company’s Organization object.
• Organization is normally the first container class under the Tree object. The Organization object is typically named after your company. Small companies keep management simple by having all other objects directly under the Organization object.
• Organizational Unit objects can be created under the Organization to represent distinct geographical regions, network campuses, or individual departments. You can also create Organizational Units under other Organizational Units to further subdivide the tree.
Other classes of container objects are Country and Locality, which are typically used only in multinational networks.
The Domain object can be created under the Tree object or under Organization, Organizational Unit, Country, and Locality objects.
You can perform one task on the container object that applies to all objects within the container. Suppose you want to give a user named Amy complete management control over all objects in the Accounting container. (See Figure 1-3.)
Figure 1-3 Container Object
To do this, right-click the Accounting object, select Trustees of This Object, then add Amy as a trustee. Next, select the rights you want Amy to have, then click OK. Now Amy has rights to manage the Database application, the Bookkeepers group, the LaserPrinter printer, and the users Amy, Bill, and Bob.
Inheritance
Another powerful feature of eDirectory is rights inheritance. Inheritance means that rights flow down to all containers in the tree. This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4 on page 21.
Figure 1-4 Sample eDirectory Objects
You could make any of the following assignments:
• If you grant a user rights to Allentown, the user can manage only objects in the Allentown container.
• If you grant a user rights to East, the user can manage objects in the East, Allentown, and Yorktown containers.
• If you grant a user rights to YourCo, the user can manage any objects in any of the containers shown.
For more information on assigning rights, see Section 1.10, “eDirectory Rights,” on page 56.
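The inheritance rule above, as an added Python example (not Novell code): it computes which containers each trustee assignment reaches and lists the assignments that depend on inheritance, as an aid when reviewing delegated rights. The tree layout (YourCo > East > Allentown, Yorktown) is assumed from the text because Figure 1-4 is not reproduced here, and the trustee names and assignments are constructed.

```python
"""Added example: effective scope of trustee assignments under rights inheritance."""
from collections import defaultdict

# Constructed tree, child -> parent, using the container names from the text.
# The layout of Figure 1-4 is assumed: YourCo > East > Allentown, Yorktown.
PARENT = {
    "YourCo": None,
    "East": "YourCo",
    "Allentown": "East",
    "Yorktown": "East",
}

# Constructed trustee assignments: (trustee, container the rights were granted on).
ASSIGNMENTS = [
    ("amy", "Allentown"),
    ("bill", "East"),
    ("bob", "YourCo"),
]


def children_index(parent):
    """Invert the child -> parent map into parent -> sorted children."""
    kids = defaultdict(list)
    for child, par in parent.items():
        if par is not None:
            if par not in parent:
                raise ValueError(f"{child!r} has unknown parent {par!r}")
            kids[par].append(child)
    return {p: sorted(c) for p, c in kids.items()}


def inherited_scope(container, parent=PARENT):
    """Return every container reached by rights granted on `container`.

    Rights flow down, so the scope is the container plus all descendants.
    """
    if container not in parent:
        raise KeyError(f"unknown container {container!r}")
    kids = children_index(parent)
    scope, stack = [], [container]
    while stack:
        node = stack.pop()
        scope.append(node)
        stack.extend(reversed(kids.get(node, [])))
    return scope


def effective_scopes(assignments, parent=PARENT):
    """Union the inherited scope of each assignment per trustee."""
    result = defaultdict(set)
    for trustee, container in assignments:
        result[trustee].update(inherited_scope(container, parent))
    return {t: sorted(s) for t, s in result.items()}


def broad_assignments(assignments, parent=PARENT, max_containers=1):
    """List assignments whose inherited scope exceeds `max_containers`.

    A review aid: these are the grants that rely on inheritance and
    should be checked against what the trustee actually needs.
    """
    flagged = []
    for trustee, container in assignments:
        size = len(inherited_scope(container, parent))
        if size > max_containers:
            flagged.append((trustee, container, size))
    return sorted(flagged, key=lambda item: -item[2])


if __name__ == "__main__":
    for trustee, scope in effective_scopes(ASSIGNMENTS).items():
        print(f"{trustee}: {', '.join(scope)}")
    for trustee, container, size in broad_assignments(ASSIGNMENTS):
        print(f"review: {trustee} on {container} reaches {size} containers")
```

The model covers only the downward flow of rights described in this section; it does not represent any other part of the eDirectory rights system.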
1.1.2 Web-Based Management Utility
iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
To run iManager, you will need a workstation with Microsoft* Internet Explorer 6.0 SP1 or later (recommended), Mozilla* 1.7 or later, or Mozilla Firefox* 0.9.2.
IMPORTANT: While you might be able to access iManager through a Web browser not listed, we do not guarantee full functionality.
You can use iManager to perform the following supervisory tasks:
• Configure LDAP- and XML-based access to eDirectory
• Create objects representing network users, devices, and resources
• Define templates for creating new user accounts
• Find, modify, move, and delete network objects
• Define rights and roles to delegate administrative authority
• Extend the eDirectory schema to allow custom object types and properties
• Partition and replicate the eDirectory database across multiple servers
• Run eDirectory management utilities such as DSRepair, DSMerge, and Backup and Restore
You can use iManager to perform other management functions based on plug-ins that have been loaded into iManager. The following eDirectory plug-ins are installed with iManager 2.5:
• eDirectory Backup and Restore
• eDirectory Log Files
• eDirectory Merge
• eDirectory Repair
• eDirectory Service Manager
• eGuide Content
• iManager Base Content
• Import Convert Export Wizard
• Index Management
• iPrint
• LDAP
• Universal Password Enforcement
• Priority Sync
• Encrypted Attributes
• Encrypted Replication
• NLS
• NMAS
• PKI/Certificate
• Filtered Replica Configuration Wizard
• SNMP
• WAN Traffic Manager
For more information on installing, configuring, and running iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
1.1.3 Single Login and Authentication
With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through authentication among domains.
A security feature of the directory is authentication of users. Before a user logs in, a User object must be created in the directory. The User object has certain properties, such as a name and password.
When the user logs in, eDirectory checks the password against the one stored in the directory for that user and grants access if they match.
1.2 Object Classes and Properties
The definition of each type of eDirectory object is called an object class. For instance, User and Organization are object classes. Each class of object has certain properties. A User object, for example, has First Name, Last Name, and many other properties.
The schema defines the object classes and properties, along with the rules of containment (what containers can contain which objects). eDirectory ships with a base schema that you, or the applications you use, can extend. For more information about schemas, see Section 1.4, “Schema,” on page 41.
Container objects contain other objects and are used to divide the tree into branches, while leaf objects represent network resources.
1.2.1 List of Objects
The following tables list eDirectory object classes. Added services can create new object classes in eDirectory that are not listed below.
eDirectory Container Object Classes
| Container Object (Abbreviation) | Description |
|---|---|
| Tree | Represents the beginning of your tree. For more information, see “Tree” on page 25. |
| Country (C) | Designates the countries where your network resides and organizes other directory objects within the country. For more information, see “Country” on page 28. |
| License Container (LC) | Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container. |
| Organization (O) | Helps you organize other objects in the directory. The Organization object is a level below the Country object (if you use the Country object). For more information, see “Organization” on page 26. |
| Organizational Unit (OU) | Helps you to further organize other objects in the directory. The Organizational Unit object is a level below the Organization object. For more information, see “Organizational Unit” on page 27. |
| Domain (DC) | Helps you to further organize other objects in the directory. The Domain object can be created under the Tree object or under Organization, Organizational Unit, Country, and Locality objects. For more information, see “Domain” on page 28. |
eDirectory Leaf Object Classes
| Leaf Object | Description |
|---|---|
| AFP Server | Represents an AppleTalk* Filing Protocol server that operates as a node on your eDirectory network. It usually also acts as a NetWare router to, and the AppleTalk server for, several Macintosh* computers. |
| Alias | Points to the actual location of an object in the directory. Any directory object located in one place in the directory can also appear to be in another place in the directory by using an Alias. For more information, see “Alias” on page 36. |
| Application | Represents a network application. Application objects simplify administrative tasks such as assigning rights, customizing login scripts, and launching applications. |
| Computer | Represents a computer on the network. |
| Directory Map | Refers to a directory in the file system. For more information, see “Directory Map” on page 37. |
| Group | Assigns a name to a list of User objects in the directory. You can assign rights to the group instead of to each user; then the rights transfer to each user in the group. For more information, see “Group” on page 32. |
| License Certificate | Use with NLS technology to install product license certificates as objects in the database. License Certificate objects are added to the Licensed Product container when an NLS-aware application is installed. |
| Organizational Role | Defines a position or role within an organization. |
| Print Queue | Represents a network print queue. |
| Print Server | Represents a network print server. |
| Printer | Represents a network printing device. |
| Profile | Represents a login script used by a group of users who need to share common login script commands. The users don’t need to be in the same container. For more information, see “Profile” on page 38. |
| Server | Represents a server running any operating system. For more information, see “Server” on page 29. |
| Template | Represents standard User object properties that can be applied to new User objects. |
| Unknown | Represents an object for which iManager has no custom icon. |
| User | Represents the people who use your network. For more information, see “User” on page 30. |
| Volume | Represents a physical volume on the network. For more information, see “Volume” on page 29. |
1.2.2 Container Object Classes
“Tree” on page 25
“Organization” on page 26
“Organizational Unit” on page 27
“Country” on page 28
“Domain” on page 28
Tree
The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects.
What Tree Represents
Tree represents the top of your tree.
Usage
Tree is used to make universal rights assignments. Because of inheritance, any rights assignments you make to Tree as the target apply to all objects in the tree. See Section 1.10, “eDirectory Rights,” on page 56. The [Public] trustee has the Browse right and Admin has the Supervisor right to Tree by default.
Important Properties
The Tree object has a Name property, which is the tree name you supply when installing the first server. The tree name is shown in the hierarchy of iManager.
Organization
An Organization container object is created when you first install eDirectory on a server in your network. As the top-most container under Tree, it usually holds Organizational Unit objects and leaf objects.
The User object named Admin is created by default in your first Organization container.
What an Organization Object Represents
Normally the Organization object represents your company, although you can create additional Organization objects under Tree. This is typically done for networks with distinct geographical districts or for companies with separate eDirectory trees that have merged.
Usage
The way you use Organization objects in your tree depends on the size and structure of your network. If the network is small, you should keep all leaf objects under one Organization object.
For larger networks, you can create Organizational Unit objects under the Organization to make resources easier to locate and manage. For example, you can create Organizational Units for each department or division in your company.
For networks with multiple sites, you should create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
For easy sharing of company-wide resources such as printers, volumes, or applications, create corresponding Printer, Volume, or Application objects under the Organization.
Important Properties
The most useful properties for Organization are listed below. Only the Name property is required. For a complete list of properties, select an Organization object in iManager. To display a description for each page of properties, click Help.
• Name
Typically, the Name property is the same as your company’s name. Of course, you can shorten it for simplicity. For instance, if the name of your company is Your Shoe Company, you might use YourCo.
The Organization name becomes part of the context for all objects created under it.
• Login Script
The Login Script property contains commands that are executed by any User objects directly under the Organization. These commands are run when a user logs in.
Organizational Unit
You can create Organizational Unit (OU) container objects to subdivide the tree. Organizational Units are created with iManager under an Organization, Country, or another Organizational Unit.
Organizational Units can contain other Organizational Units and leaf objects such as User and Application objects.
What an Organizational Unit Object Represents
Normally the Organizational Unit object represents a department, which holds a set of objects that commonly need access to each other. A typical example is a set of Users, along with the Printers, Volumes, and Applications that those Users need.
At the highest level of Organizational Unit objects, each Organizational Unit can represent each site (separated by WAN links) in the network.
Usage
The way you use Organizational Unit objects in your tree depends on the size and structure of your network. If the network is small, you might not need any Organizational Units.
For larger networks, you can create Organizational Unit objects under the Organization to make resources easier to locate and manage. For example, you can create Organizational Units for each department or division in your company. Remember that administration is easiest when you keep User objects together in the Organizational Unit with the resources they use most frequently.
For networks with multiple sites, you can create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
Important Properties
The most useful properties for the Organizational Unit are listed below. Only the Name property is required. For a complete list of properties, select an Organizational Unit object in iManager. To display a description for each page of properties, click Help.
• Name
Typically, the Name property is the same as the department name. Of course, you can shorten it for simplicity. For instance, if the name of your department is Accounts Payable, you can shorten it to AP.
The Organizational Unit name becomes part of the context for all objects created under it.
• Login Script
The Login Script property contains commands that are executed by any User objects directly under the Organizational Unit. These commands are run when a user logs in.
Country
You can create Country objects directly under the Tree object using iManager. Country objects are optional and required only for connection to certain X.500 global directories.
What a Country Object Represents
The Country object represents the political identity of its branch of the tree.
Usage
Most administrators do not create a Country object, even if the network spans countries, since the Country object only adds an unnecessary level to the tree. You can create one or many Country objects under the Tree object, depending on the multinational nature of your network. Country objects can contain only Organization objects.
If you do not create a Country object and find that you need one later, you can always modify the tree to add one.
Important Properties
The Country object has a two-letter Name property. Country objects are named with a standard two-letter code such as US, UK, or DE.
Domain
You can create Domain objects directly under the Tree object using iManager. You can also create them under Organization, Organizational Unit, Country, and Locality objects.
What a Domain Object Represents
The Domain object represents DNS domain components. Domain objects let you use your Domain Name System location of services resource records (DNS SRV) to locate services in your tree.
Using Domain objects, a tree could look something like this:
DC=Novell.DC=Provo.DC=USA
In this example, all subcontainers are domains. You can also use Domain objects in a mixed tree, such as:
DC=Novell.O=Provo.C=USA
Or
OU=Novell.DC=Provo.C=USA
Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example, machine1.novell.com could be represented by DC=machine1.DC=novell.DC=com in a tree representation. Domains give you a more generic way to set up an eDirectory tree. If all containers and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for objects.
Usage
NetWare 4 and 5 trees cannot have Domain objects at the top of the tree. With NetWare 4 and 5, the NCP Server object can be placed in an Organization, Country, Organizational Unit, or Locality container, but not in a Domain container. With NetWare 6, however, you can place Domain objects at the top of the tree, and you can place the NCP Server object in a Domain container.
For older installations of NetWare (such as NetWare 4), when you prepare the tree to install or upgrade to NetWare 5 or later, the nds500.sch file will automatically run. After the first server is installed into the tree, this file extends the schema to allow the Domain container to be created anywhere and hold most directory objects.
1.2.3 Leaf Object Classes
“Server” on page 29
“Volume” on page 29
“User” on page 30
“Group” on page 32
“Alias” on page 36
“Directory Map” on page 37
“Profile” on page 38
Server
A Server object is automatically created in the tree whenever you install eDirectory on a server. The object class can be any server running eDirectory.
You can also create a Server object to represent a NetWare 2 or NetWare 3 bindery server.
What a Server Object Represents
The Server object represents a server running eDirectory or a bindery-based (NetWare 2 or NetWare 3) server.
Usage
The Server object serves as a reference point for replication operations. A Server object that represents a bindery-based server allows you to manage the server’s volumes with iManager.
Important Properties
The Server object has a Network Address property, among others. The Network Address property displays the protocol and address number for the server. This is useful for troubleshooting at the packet level.
For a complete list of properties, select a Server object in iManager. To display a description for each page of properties, click Help.
Volume
When you create a physical volume on a server, a Volume object is automatically created in the tree. By default, the name of the Volume object is the server’s name with an underscore and the physical volume’s name appended (for example, YOSERVER_SYS).
Volume objects are supported only on NetWare. Linux and UNIX file system partitions cannot be managed using Volume objects.
What a Volume Object Represents
A Volume object represents a physical volume on a server, whether it is a writable disk, a CD, or other storage medium. The Volume object in eDirectory does not contain information about the files and directories on that volume, although you can access that information through iManager. File and directory information is retained in the file system itself.
Usage
In iManager, click the Volume icon to manage files and directories on that volume. iManager provides information about the volume’s free disk space, directory entry space, and compression statistics.
You can also create Volume objects in the tree for NetWare 2 and NetWare 3 volumes.
Important Properties
In addition to the required Name and Host Server properties, there are other important Volume properties.
• Name
This is the name of the Volume object in the tree. By default, this name is derived from the name of the physical volume, though you can change the object name.
• Host Server
This is the server that the volume resides on.
• Version
This is the NetWare or eDirectory version of the server hosting the volume.
User
A User object is required for logging in. When you install the first server into a tree, a User object named Admin is created. Log in as Admin the first time.
You can use the following methods to create or import User objects:
• iManager
For more information on iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
• Batches from database files
For more information on using batch files, see Section 2.2, “Designing the eDirectory Tree,” on page 70.
• NetWare upgrade utilities
For more information on upgrade utilities, including importing users from existing bindery servers, see Section 2.2, “Designing the eDirectory Tree,” on page 70.
What a User Object Represents
A User object represents a person who uses the network.