Novell EDIRECTORY 8.8 SP1 Installation Manual

Novell eDirectory 8.8 Installation Guide

Novell

novdocx (en) 6 April 2007

eDirectory

8.8 SP1

INSTALLATION GUIDE

May 25, 2007

TM

www.novell.com

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2003-2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

novdocx (en) 6 April 2007

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get

updates, see www.novell.com/documentation.

Novell Trademarks

Client32 is a trademark of Novell, Inc.

eDirectory is a trademark of Novell, Inc.

NetWare is a registered trademark of Novell, Inc., in the United States and other countries.

NetWare Core Protocol and NCP are trademarks of Novell, Inc.

NMAS is a trademark of Novell, Inc.

Novell is a registered trademark of Novell, Inc., in the United States and other countries.

Novell Client is a trademark of Novell, Inc.

Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other

countries.

Ximiam is a registerd trademark of Novell, Inc., in the United States and other countries.

ZENworks is a registered trademark of Novell, Inc., in the United States and other countries.

Third-Party Materials

All third-party trademarks are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://

www.openssl.org).

novdocx (en) 6 April 2007

Contents

About This Book 9

1 Installing or Upgrading Novell eDirectory on NetWare 11

1.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.1.1 Upgrade to eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.1.2 Upgrade to eDirectory 8.8 SP2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.4 Forcing the Backlink Process to Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.5 Updating the eDirectory Schema for NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.6 Disk Space Check on Upgrading to eDirectory SP2 or later . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.7 Installing or Upgrading Novell eDirectory on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.7.1 Installing or Upgrading Novell eDirectory 8.8 on NetWare . . . . . . . . . . . . . . . . . . . . 15

1.7.2 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.7.3 Installing NMAS Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.7.4 Installing NMAS Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

1.7.5 Installing into a Tree with Dotted Name Containers . . . . . . . . . . . . . . . . . . . . . . . . . 17

1.7.6 Unattended Upgrade to eDirectory 8.8 SP2 on Netware . . . . . . . . . . . . . . . . . . . . . 18

1.7.7 Remote Installation or Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

novdocx (en) 6 April 2007

2 Installing or Upgrading Novell eDirectory on Windows 23

2.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.4 Forcing the Backlink Process to Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.5 Updating the eDirectory Schema for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.6 Disk Space Check on Upgrading to eDirectory SP2 or later . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.7 Installing Novell eDirectory on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.7.1 Installing or Updating Novell eDirectory 8.8 on Windows 2000 or Server 2003 . . . . 27

2.7.2 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.7.3 Communicating with eDirectory through LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

2.7.4 Installing NMAS Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.7.5 Installing NMAS Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.7.6 Installing into a Tree with Dotted Name Containers . . . . . . . . . . . . . . . . . . . . . . . . . 32

3 Installing or Upgrading Novell eDirectory on Linux 35

3.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.4 Forcing the Backlink Process to Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.5 Upgrading eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.5.1 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.5.2 Upgrading on Linux Servers Other Than OES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.5.3 Upgrading Through ZENworks Linux Management on OES Linux SP2 . . . . . . . . . . 39

3.5.4 Upgrading the Tarball Deployment of eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . 44

3.5.5 Upgrading Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

3.5.6 Disk Space Check on Upgrading to eDirectory SP2 or later . . . . . . . . . . . . . . . . . . . 45

Contents 5

3.6 Installing eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

3.6.1 Using SLP with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

3.6.2 Installing NICI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3.6.3 Using the nds-install Utility to Install eDirectory Components . . . . . . . . . . . . . . . . . . 49

3.6.4 Installing Through ZENworks Linux Management on OES Linux SP2 . . . . . . . . . . . 51

3.6.5 Nonroot User Installing eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

3.6.6 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server . . . . . . 57

3.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8 . . . . . . . . . . . . . . 61

3.6.8 Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers . 66

3.6.9 Using the nmasinst Utility to Configure NMAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

3.6.10 nonroot user SNMP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

4 Installing or Upgrading Novell eDirectory on Solaris 69

4.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4.2 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4.3 Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.4 Forcing the Backlink Process to Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.5 Upgrading eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.5.1 Upgrading Multiple Instances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

4.5.2 Upgrading the Tarball Deployment of eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . 72

4.6 Installing eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

4.6.1 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

4.6.2 Using SLP with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

4.6.3 Installing NICI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

4.6.4 Using the Nds-install Utility to Install eDirectory Components . . . . . . . . . . . . . . . . . . 75

4.6.5 Nonroot User Installing eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

4.6.6 Using the Ndsconfig Utility to Add or Remove the eDirectory Replica Server . . . . . . 79

4.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8 . . . . . . . . . . . . . . 81

4.6.8 Using Ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers . 81

4.6.9 Using the Nmasinst Utility to Configure NMAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

4.6.10 nonroot user SNMP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

novdocx (en) 6 April 2007

5 Installing or Upgrading Novell eDirectory on AIX 83

5.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

5.2 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

5.3 Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

5.4 Forcing the Backlink Process to Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

5.5 Upgrading eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

5.5.1 Upgrading Multiple Instances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.5.2 Upgrading the Tarball Deployment of eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.6 Installing eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.6.1 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.6.2 Using SLP with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5.6.3 Installing NICI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5.6.4 Using the Nds-install Utility to Install eDirectory Components . . . . . . . . . . . . . . . . . . 89

5.6.5 Nonroot User Installing eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

5.6.6 Using the Ndsconfig Utility to Add or Remove the eDirectory Replica Server . . . . . . 93

5.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8 . . . . . . . . . . . . . . 95

5.6.8 Using Ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers . 95

5.6.9 Using the Nmasinst Utility to Configure NMAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

5.6.10 nonroot user SNMP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

6 Novell eDirectory 8.8 Installation Guide

6 Installing or Upgrading Novell eDirectory on HP-UX 97

6.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.4 Forcing the Backlink Process to Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.5 Upgrading eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.5.1 Upgrading Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

6.5.2 Upgrading the Tarball Deployment of eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . 100

6.6 Installing eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

6.6.1 Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

6.6.2 Using OpenSLP for HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

6.6.3 Installing NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

6.6.4 Installing eDirectory Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

6.6.5 Nonroot User Installing eDirectory 8.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

6.6.6 Using the Ndsconfig Utility to Add or Remove the eDirectory Replica Server. . . . . 107

6.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8 . . . . . . . . . . . . . 109

6.6.8 Using Ndsconfig to Install an HP-UX Server into a Tree with Dotted Name Containers 109

6.6.9 Using the Nmasinst Utility to Configure NMAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

novdocx (en) 6 April 2007

7 Relocating the DIB 113

7.1 Linux and UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

7.2 NetWare and Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

8 Upgrade Requirements of eDirectory 8.8 115

8.1 Reference Changes in 8.8 SP2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

8.2 Upgrade Process in 8.8 SP2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

8.3 Performing a Dry Run before Upgrading eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

8.3.1 Common Problems Encountered during the Upgrade Process. . . . . . . . . . . . . . . . 119

9 Configuring Novell eDirectory on Linux, Solaris, AIX, or HP-UX Systems 121

9.1 Configuration Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

9.1.1 The ndsconfig Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

9.1.2 Using the ldapconfig Utility to Configure the LDAP Server and LDAP Group Objects . 121

9.1.3 Using the nmasinst Utility to Configure Novell Modular Authentication Service . . . 122

9.2 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

9.3 Security Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

10 Migrating to eDirectory 8.8 SP2 129

10.1 Migrating to eDirectory 8.8 SP2 While Upgrading the Operating System . . . . . . . . . . . . . . . 129

10.2 Migrating to eDirectory 8.8 SP2 Without Upgrading the Operating System . . . . . . . . . . . . . 131

11 Uninstalling Novell eDirectory 133

11.1 Uninstalling eDirectory on NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

11.1.1 Reinstalling eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

11.2 Uninstalling eDirectory on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

11.2.1 Uninstalling eDirectory, ConsoleOne, and SLP DA. . . . . . . . . . . . . . . . . . . . . . . . . 134

11.2.2 Uninstalling NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Contents 7

11.3 Uninstalling eDirectory on Linux, Solaris, or AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

11.4 Uninstalling eDirectory on HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

A Linux, Solaris, AIX, and HP-UX Packages for Novell eDirectory 137

A.1 Package Name Specifications for HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

B Server Health Checks 141

B.1 Need for Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

B.2 Performing Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

B.2.1 With the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

B.2.2 As a Standalone Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

B.3 Types of Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

B.3.1 Basic Server Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

B.3.2 Partitions and Replica Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

B.4 Categorization of Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

B.4.1 Normal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

B.4.2 Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

B.4.3 Critical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

B.5 Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

novdocx (en) 6 April 2007

C Configuring OpenSLP for eDirectory 147

C.1 Service Location Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

C.2 SLP Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

C.2.1 Novell Service Location Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

C.2.2 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

C.2.3 Service Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

C.3 Configuration Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

8 Novell eDirectory 8.8 Installation Guide

About This Book

This Installation Guide describes how to install Novell® eDirectoryTM 8.8. It is intended for network administrators, and contains the following sections:

 Chapter 1, “Installing or Upgrading Novell eDirectory on NetWare,” on page 11

 Chapter 2, “Installing or Upgrading Novell eDirectory on Windows,” on page 23

 Chapter 3, “Installing or Upgrading Novell eDirectory on Linux,” on page 35

 Chapter 4, “Installing or Upgrading Novell eDirectory on Solaris,” on page 69

 Chapter 5, “Installing or Upgrading Novell eDirectory on AIX,” on page 83

 Chapter 6, “Installing or Upgrading Novell eDirectory on HP-UX,” on page 97

 Chapter 7, “Relocating the DIB,” on page 113

 Chapter 8, “Upgrade Requirements of eDirectory 8.8,” on page 115

 Chapter 9, “Configuring Novell eDirectory on Linux, Solaris, AIX, or HP-UX Systems,” on

page 121

novdocx (en) 6 April 2007

 Chapter 10, “Migrating to eDirectory 8.8 SP2,” on page 129

 Chapter 11, “Uninstalling Novell eDirectory,” on page 133

 Appendix A, “Linux, Solaris, AIX, and HP-UX Packages for Novell eDirectory,” on page 137

 Appendix B, “Server Health Checks,” on page 141

 Appendix C, “Configuring OpenSLP for eDirectory,” on page 147

Audience

The guide is intended for network administrators.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.

Documentation Updates

For the most recent version of the Novell eDirectory 8.8 Installation Guide, see the Novell

eDirectory 8.8 Documentation (http://www.novell.com/documentation/edir88/index.html) Web s i t e.

Additional Documentation

For documentation on managing and administering eDirectory, see the Novell eDirectory 8.8

Administration Guide (http://www.novell.com/documentation/edir88/index.html).

About This Book

9

Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.

®

A trademark symbol (

, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party

trademark.

When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* and UNIX*, should use forward slashes as required by your software.

novdocx (en) 6 April 2007

10 Novell eDirectory 8.8 Installation Guide

1

Installing or Upgrading Novell

novdocx (en) 6 April 2007

eDirectory on NetWare

Use the following information to install or upgrade Novell® eDirectoryTM 8.8 on a NetWare® server:

 Section 1.1, “System Requirements,” on page 11

 Section 1.2, “Prerequisites,” on page 11

 Section 1.3, “Hardware Requirements,” on page 12

 Section 1.4, “Forcing the Backlink Process to Run,” on page 13

 Section 1.5, “Updating the eDirectory Schema for NetWare,” on page 13

 Section 1.6, “Disk Space Check on Upgrading to eDirectory SP2 or later,” on page 15

 Section 1.7, “Installing or Upgrading Novell eDirectory on NetWare,” on page 15

1.1 System Requirements

System requirements vary depending on the version to which eDirectory is upgraded. The following sections contain the system requirements for upgrading to eDirectory 8.8 and eDirectory 8.8 SP2.

1.1.1 Upgrade to eDirectory 8.8

1

 You can upgrade to eDirectory 8.8 on the following version of NetWare:

 NetWare 6.5 with Support Pack 3 or later (http://support.novell.com/filefinder/18197/

index.html)

 Administrative rights to the eDirectory tree so you can modify the schema.

1.1.2 Upgrade to eDirectory 8.8 SP2

 You can upgrade to eDirectory 8.8 SP2 on the following version of NetWare:

 NetWare 6.5 with Support Pack 4 or later (http://support.novell.com/filefinder/18197/

index.html)

 Administrative rights to the eDirectory tree so you can modify the schema.

For information on hardware requirements, see Section 1.3, “Hardware Requirements,” on page 12.

1.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What Novell products are supported with

Installing or Upgrading Novell eDirectory on NetWare

11

Novell eDirectory 8.8? (http://support.novell.com/cgi-bin/search/searchtid.cgi?10099872.htm) It is

also highly recommended to backup eDirectory prior to any upgrades.

 If you are installing into an eDirectory tree that has NetWare and Windows servers, each

NetWare server must be running:

 NetWare 5.1 with Support Pack 8 (http://support.novell.com/filefinder/9331/index.html)

or later

 NetWare 6.0 with Support Pack 5 (http://support.novell.com/filefinder/13659/index.html)

or later

 NetWare 6.5 with Support Pack 3 (http://support.novell.com/filefinder/18197/index.html)

or later

Each Windows server must be running eDirectory 8.7.3 or later.

 (Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use

a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change; it will be 2 KB. The only way to create a 4 KB key size is recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

novdocx (en) 6 April 2007

 (Conditional) If you are upgrading a NetWare server as a nonadministrator user, ensure that you

have met the following prerequisites:

 A NetWare server in the eDirectory 8.8 tree installed as the tree admin

Ensure that you have the following rights:

 Supervisor rights to the container the server is being installed into.

 All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

 Entry rights: browse rights over Security container object.

 All Attributes rights: read and compare rights over Security container object.

As a nonadministrator user, you can only upgrade a NetWare server.

 (Conditional) If you are installing a secondary server into an existing tree as a nonadministrator

user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

Configuring Static IP Address

Static IP address must be configured on the server for the eDirectory to perform efficiently. Configuring eDirectory on the servers with DHCP address can lead to unpredictable results.

1.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory.

For example, a base installation of eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in

12 Novell eDirectory 8.8 Installation Guide

every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.

Two factors increase performance: more cache memory and faster processors.

For best results, cache as much of the DIB Set as the hardware allows.

eDirectory scales well on a single processor. However, Novell eDirectory 8.7 took advantage of multiple processors. Adding processors improves performance in some areas—for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for eDirectory for NetWare:

Objects Processor Memory Hard Disk

100,000 Pentium* III 450-700 MHz (single) 384 MB 144 MB

1 million Pentium III 450-700 MHz (dual) 2 GB 1.5 GB

10 million Pentium III 450-700 MHz (2 to 4) 2+ GB 15 GB

novdocx (en) 6 April 2007

Requirements for processors might be greater than the table indicates, depending upon additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

Of course, faster processors improve performance. Additional memory also improves performance because eDirectory can then cache more of the directory into memory.

1.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to Novell eDirectory, the backlink process must update backlinked objects for them to be consistent.

Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).

After migrating to eDirectory, we recommend that you force the backlink to run by issuing the following commands from the server console. Running the backlink process is especially important on servers that do not contain a replica.

1 At the server console, enter set dstrace=on.

2 Enter set dstrace=+blink.

3 Enter set dstrace=*b.

4 When the process is complete, enter set dstrace=off.

1.5 Updating the eDirectory Schema for NetWare

When upgrading a NetWare server to eDirectory 8.8, you might need to update the eDirectory schema by running DSRepair on the server that has the master replica of the root partition.

Installing or Upgrading Novell eDirectory on NetWare 13

IMPORTANT: If the master replica of the root partition resides on a Windows server, follow the instructions in Section 2.5, “Updating the eDirectory Schema for Windows,” on page 26.

For an upgrade that needs a platform upgrate also, refer to Chapter 10, “Migrating to eDirectory 8.8

SP2,” on page 129.

To update the schema:

1 Copy the appropriate dsrepair.nlm file from the product CD (or downloaded and

expanded file) to the sys:\system directory of the server that contains the master replica of the Tree partition.

2 At the server console of the master replica of the root partition, load dsrepair.nlm.

3 Select Advanced Options Menu > Global Schema Operations.

4 Enter the Administrator's name (for example, Admin.VMP) and password.

NOTE: In eDirectory 8.8 and later, you can have case sensitive passwords for all the utilities. Refer to Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/

edir88/index.html) for more information.

novdocx (en) 6 April 2007

5 Select Post NetWare 5 Schema Update > Yes .

dsrepair.nlm updates the schema and posts the results to the dsrepair.log file.

Ignore errors associated with adding object classes. dsrepair.nlm is simply applying the Post NetWare 5 Schema Update changes to each object.

6 Copy the appropriate patch version of dsrepair.nlm to each NetWare server in the

eDirectory tree.

Use the table in Step 1 as a reference. Having a correct version on each server ensures that the schema needed for eDirectory is properly maintained when dsrepair.nlm is run in the future.

If you use an earlier version of dsrepair.nlm and select Rebuild Operational Schema, schema enhancements made by the Post NetWare 5 Schema Update will be lost. To resolve lost schema enhancements, run dsrepair.nlm according to the following table.

If You Are Running dsrepair.nlm From Here

A server that holds a writable replica of the root partition

From any other server Select Advanced Options > Global Schema

Then

Reapply the Post NetWare 5 Schema Update to your eDirectory tree.

Operations > Request Schema from Tree.

This action resynchronizes the schema from the root of the tree.

7 Close dsrepair.nlm before installing eDirectory on the server.

If dsrepair.nlm is loaded, the server might not restart.

14 Novell eDirectory 8.8 Installation Guide

1.6 Disk Space Check on Upgrading to eDirectory SP2 or later

When eDirectory server is upgraded from previous versions to eDirectory 8.8 SP2 or later, the disk space check for the DIB upgrade would be performed. The free disk space necessary in the file system, where the DIB resides would be equal to that of the DIB size. The messages of the disk space check would be updated in the sys:\system\dscheck.log.

NOTE: The disk space check is required only during the DIB upgrade process. For more information, refer to Chapter 8, “Upgrade Requirements of eDirectory 8.8,” on page 115.

1.7 Installing or Upgrading Novell eDirectory on NetWare

This section contains the following information:

 “Installing or Upgrading Novell eDirectory 8.8 on NetWare” on page 15

 “Server Health Checks” on page 16

novdocx (en) 6 April 2007

 “Installing NMAS Server Software” on page 16

 “Installing NMAS Client Software” on page 17

 “Installing into a Tree with Dotted Name Containers” on page 17

 “Unattended Upgrade to eDirectory 8.8 SP2 on Netware” on page 18

 “Remote Installation or Upgrade” on page 21

NOTE: Unattended Upgrade feature is supported only for SP2 release.

1.7.1 Installing or Upgrading Novell eDirectory 8.8 on NetWare

1 At the server console, enter nwconfig.nlm.

2 Select Product Options > Install a Product Not Listed.

3 Press F3 and specify the path to the NW directory where the installation program can find the

nds8.ips file.

 If you downloaded eDirectory from the Web, enter the path to the NW directory you

extracted from the downloaded file (for example, sys:\edir\nw).

 If you are installing from a CD, mount the CD as a volume and enter volume_name:NW

(for example, edir_88:NW).

For information on mounting a CD as a volume, see “CD-ROMs as Logical Volumes”

(http://www.novell.com/documentation/lg/nw6p/nss_enu/data/htxx7fd6.html) in the

Novell Storage Services Administration Guide.

4 Follow the on-screen prompts concerning license agreements, the Readme file, and tips.

5 Enter the administrator's login name (for example, Admin.VMP) and password.

Installing or Upgrading Novell eDirectory on NetWare 15

IMPORTANT: This window might close before you enter this information. If it does, toggle (Alt+Esc) to the screen and enter the information. Otherwise, the installation will not be complete.

NOTE: In eDirectory 8.8 and later, you can have case sensitive passwords for all the utilities. Refer to Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/

edir88/index.html) for more information.

6 In the LDAP Configuration screen, specify which LDAP ports to use, then click Next.

For more information, see “Communicating with eDirectory through LDAP” on page 29.

7 Select the NMAS

TM

login method you want to install, then click Next.

See “Installing NMAS Server Software” on page 16 and “Installing NMAS Client Software”

on page 17 for more information.

8 Click Finish to start the eDirectory installation.

9 To complete the installation, remove any diskettes or CDs when prompted, then click Yes to

restart the server.

novdocx (en) 6 April 2007

1.7.2 Server Health Checks

With eDirectory 8.8, when you upgrade eDirectory, a server health check is conducted by default to ensure that the server is safe for the upgrade:

 Section B.3.2, “Partitions and Replica Health,” on page 143

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:

 If all the health checks are successful, the upgrade will continue.

 If there are minor errors, the upgrade will prompt you to continue or exit.

 If there are critical errors, the upgrade will exit.

See Appendix B, “Server Health Checks,” on page 141 for a list of minor and critical error conditions.

Skipping Server Health Checks

To skip server health checks, enter No when you are prompted to perform the health check.

For more information, see Appendix B, “Server Health Checks,” on page 141.

1.7.3 Installing NMAS Server Software

Novell Modular Authentication ServiceTM (NMAS) server components are installed automatically when you run the eDirectory installation program. You will need to select the login methods you want to install.

Select the login methods that you want to install into eDirectory by checking the appropriate check boxes. When you select a login method, a description of the component appears in the Description box. For more information on login methods, see “Managing Login and Post-Login Methods and

16 Novell eDirectory 8.8 Installation Guide

Sequences” (http://www.novell.com/documentation/lg/nmas23/admin/data/a53vj9a.html) in the

Novell Modular Authentication Service Administration Guide.

Click Select All if you want to install all the login methods into eDirectory. Click Clear All if you want to clear all selections.

The NDS login method is installed by default.

1.7.4 Installing NMAS Client Software

The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods.

1 At a Windows client workstation, insert the Novell eDirectory 8.8 CD.

2 From the NMAS directory, run nmasinstall.exe.

3 Select the NMAS Client Components checkbox.

Optionally, you can select the NICI checkbox if you want to install this component.

4 Click OK and follow the on-screen instructions.

5 Reboot the client workstation after the installation completes.

novdocx (en) 6 April 2007

1.7.5 Installing into a Tree with Dotted Name Containers

You can install a NetWare server into an eDirectory tree that has containers with dots in the names (for example, O=novell.com or C=u.s.a). Using containers with dotted names requires that those dots be escaped with the backslash character. To escape a dot, simply put a backslash in front of any dot in a container name. For example:

O=novell\.com

You cannot start a name with a dot. For example, you cannot create a container named “.novell” because it starts with a dot (‘.’).

IMPORTANT: If your tree has containers with dotted names, you must escape those names when logging into utilities such as iMonitor, iManager, and DHost iConsole. For example, if your tree has “novell.com” as the name of the O, enter username.novell\.com in the Username field when logging in to iMonitor (see Figure 1-1).

Figure 1-1 iMonitor Login Screen

Installing or Upgrading Novell eDirectory on NetWare 17

1.7.6 Unattended Upgrade to eDirectory 8.8 SP2 on Netware

The SPK for eDirectory 8.8 upgrade is provided with the Netware installation package. SPK has to be inserted into the ConsoleOne “Server Software Packages” snap-in for customizing into local environments. Once the Server Software Package ConsoleOne snap-in is installed, you can insert this SPK in the ConsoleOne.

NOTE: Pre upgrade health check is not run during unattended upgrade, ensure you run dscheck.nlm manually before starting the upgrade.

To perform this,

1 Import the applicable SPK into ConsoleOne.

2 To do this, right click on the Server Software Packages name space and select Insert New

Package (see Figure 1-2).

Figure 1-2 Adding the package into ConsoleOne

novdocx (en) 6 April 2007

An SPK has components and properties. To see the components, click on the SPK's expand box. The properties include a description, requirements, and variables. The Support Pack SPKs use variables, which is the only place where each site will need to make specific modifications.

18 Novell eDirectory 8.8 Installation Guide

All of the SPK's components may use the SPK's variables. To see the variables, right click on the SPK and select Properties (see Figure 1-3).

Figure 1-3 Editing the package properties

novdocx (en) 6 April 2007

3 Click on the Va ri ab le s tab to make the site-specific changes needed by the installation process

(see Figure 1-4).

Figure 1-4 Modifying the package variables

Edit and change the values of the two variables “user_id” and “pwd”.

 user_id

administrator name that the install program will use to extend the tree.

 pwd

password for the above username

These are the only two fields that need to be edited. Leave the values of rest of the variables as defined.

WARNING: The installation source folders will be partially removed for security reasons. You need to copy the installation source again in case you restart the installation on failures, e.g, Disk Space unavailability errors.

Installing or Upgrading Novell eDirectory on NetWare 19

Adding Upgrade Source to the SPK

The automated upgrade for eDirectory on Netware for ZFS environment is delivered as SPK along with the source. The compiled CPK is not provided since the user is expected to provide values for the variables containing administrator credentials. This SPK needs to be compiled to a CPK in the customer site after providing values to these variables.

As mentioned earlier, the source is delivered along with the SPK and the source has to be attached to the SPK before compiling the CPK. Steps for attaching the source to the SPK is given below:

1 Copy the source to the local machine and name the folder as “eDir88”. There are references to

this folder name inside the SPK and hence please use this suggested name.

2 Right click on the “Copying files” component and select Properties and browse to the Copy

File Tab.

3 Remove the file set (if given as a sample) by right clicking on the file group and choosing

Remove. Choose “Add File” by right clicking on the File Group as given below:

Figure 1-5 Adding the source to the SPK

novdocx (en) 6 April 2007

4 Then select the “eDir88” folder that contains the source files that are delivered along with the

SPK as given below:

Figure 1-6 Selecting the upgrade source

20 Novell eDirectory 8.8 Installation Guide

Fully Automated Standalone Upgrade

Once the above changes are performed, compile the SPK to make a CPK using the right-click menu option in the main component to compile (see Figure 1-7).

Figure 1-7 Compiling the SPK

novdocx (en) 6 April 2007

This CPK is ready to be imported into the Policy distributor to be used in the upgrade at all customer sites.

IMPORTANT: This script contains the admin username and password in clear text in a temporary file until the server is automatically restarted and used to start nwconfig again. Soon after the script is called, this temporary file <NDS8.NCF> and the script files are deleted permanently from the system.

1.7.7 Remote Installation or Upgrade

During Install or Upgrade, the Installer provides the following message and prompts for user input:

"Are you installing remotely through rconsole?"

"No-Local"

"Yes-Remote"

After prompting this message, the Installation typically continues in the XServer Console displaying options to choose the NMAS methods to be installed, followed by configuration progress.

If you are performing the installation or upgrade from a remote terminal, you will not be able to access the XServer Console to choose the NMAS methods to be installed. In this case, you could choose "Yes-Remote", which by default installs all NMAS methods without any further indications in the System Console.

NOTE: The Installer will restart the server once the installation is complete.

Installing or Upgrading Novell eDirectory on NetWare 21

novdocx (en) 6 April 2007

22 Novell eDirectory 8.8 Installation Guide

2

Installing or Upgrading Novell

novdocx (en) 6 April 2007

eDirectory on Windows

Use the following information to install or upgrade Novell® eDirectoryTM 8.8 on a Windows* 2000 or Windows Server 2003:

 Section 2.1, “System Requirements,” on page 23

 Section 2.2, “Prerequisites,” on page 23

 Section 2.3, “Hardware Requirements,” on page 25

 Section 2.4, “Forcing the Backlink Process to Run,” on page 25

 Section 2.5, “Updating the eDirectory Schema for Windows,” on page 26

 Section 2.6, “Disk Space Check on Upgrading to eDirectory SP2 or later,” on page 26

 Section 2.7, “Installing Novell eDirectory on Windows,” on page 27

IMPORTANT: Novell eDirectory 8.8 lets you install eDirectory for Windows without the Novell

TM

Client will use the existing Client. For more information, see “Installing or Updating Novell eDirectory 8.8

on Windows 2000 or Server 2003” on page 27.

2.1 System Requirements

. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory

2

 One of the following:

 Windows 2000 Server with Service Pack 4 or later, Windows 2000 Advanced Server with

Service Pack 4 or later

 Windows Server 2003

IMPORTANT: Windows XP is not a supported Novell eDirectory 8.8 platform.

 An assigned IP address.

 A Pentium 200 with a minimum of 64 MB RAM (128 MB recommended) and a monitor color

palette set to a number higher than 16.

 (Optional) One or more workstations running one of the following:

 Novell Client for Windows 95/98 version 3.4

 Novell Client for Windows 2000/XP version 4.9

 Administrative rights to the Windows server and to all portions of the eDirectory tree that

contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.

2.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find

Installing or Upgrading Novell eDirectory on Windows

23

out the current status for Novell products in the TID - What Novell products are supported with

Novell eDirectory 8.8? (http://support.novell.com/cgi-bin/search/searchtid.cgi?10099872.htm) It is

also highly recommended to backup eDirectory prior to any upgrades.

 Because NTFS provides a safer transaction process than a FAT file system provides, you can

install eDirectory only on an NTFS partition. Therefore, if you have only FAT file systems, do one of the following:

 Create a new partition and format it as NTFS.

Use Disk Administrator. Refer to Windows Server User Guide for more information.

 Convert an existing FAT file system to NTFS, using the CONVERT command.

Refer to Windows Server User Guide for more information.

If your server only has a FAT file system and you forget or overlook this process, the installation program prompts you to provide an NTFS partition.

 (Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use

a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

novdocx (en) 6 April 2007

When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change; it will be 2 KB. The only way to create a 4 KB key size is recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

 If you are upgrading to eDirectory 8.8, make sure you have the latest NDS and eDirectory

patches installed on all non-eDirectory 8.8 servers in the tree. You can get NDS and eDirectory patches from the Novell Support (http://support.novell.com) Web site.

 Make sure you have the latest Windows 2000 or 2003 Server Service Packs installed. The latest

updated Windows Service Pack needs to be installed after the installation of the Windows SNMP service.

 If you are upgrading from a previous version of eDirectory, it must be eDirectory 8.7 or later.

 (Conditional) If you are installing a secondary server into an existing tree as a nonadministrator

user, ensure that you have the following rights:

 Supervisor rights to the container the server is being installed into.

 Supervisor rights to the partition where you want to add the server.

NOTE: This is required for adding the replica when the replica count is less than 3.

 All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

 Entry rights: browse rights over Security container object.

 All Attributes rights: read and compare rights over Security container object.

 (Conditional) If you are installing a secondary server into an existing tree as a nonadministrator

user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

24 Novell eDirectory 8.8 Installation Guide

Configuring Static IP Address

Refer to “Configuring Static IP Address” on page 12 for more information on configuring static IP addresses.

2.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory.

For example, a base installation of eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.

Two factors increase performance: more cache memory and faster processors.

For best results, cache as much of the DIB Set as the hardware allows.

eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas—for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.

novdocx (en) 6 April 2007

The following table illustrates typical system requirements for Novell eDirectory for Windows 2000:

Objects Processor Memory Hard Disk

10,000 Pentium III 450-700 MHz (single) 384 MB 144 MB

1 million Pentium III 450-700 MHz (dual) 2 GB 1.5 GB

10 million Pentium III 450-700 MHz (2 to 4) 2+ GB 15 GB

Requirements for processors might be greater than the table indicates, depending upon additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

2.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to eDirectory, the backlink process must update backlinked objects for them to be consistent.

Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).

After migrating to eDirectory, we recommend that you force the backlink to run by completing the following procedure. Running the backlink process is especially important on servers that do not contain a replica.

1 Click Start > Settings > Control Panel > Novell eDirectory Services

Installing or Upgrading Novell eDirectory on Windows 25

2 In the Services tab, select ds.dlm.

3 Click Configure.

4 In the Trigger tab, click Backlinker.

For more information about the backlink process, refer to the Novell eDirectory 8.8 Administration

Guide (http://www.novell.com/documentation/edir88/edir88/data/h0000005.html).

2.5 Updating the eDirectory Schema for Windows

To install eDirectory 8.8 into an existing tree, you might need to update the eDirectory schema by running DSRepair on the server that contains the master replica of the root partition.

IMPORTANT: If the master replica of the root partition resides on a NetWare server, follow the instructions in Section 1.5, “Updating the eDirectory Schema for NetWare,” on page 13.

For an upgrade that needs a platform upgrate also, refer to Chapter 10, “Migrating to eDirectory 8.8

SP2,” on page 129.

novdocx (en) 6 April 2007

The eDirectory installation program checks the existing schema's version. If the schema has not been upgraded, the installation program instructs you to run DSRepair and then discontinues.

1 Copy patches\dsrepair\ntnds8\dsrepair.dll from the product CD to the

directory where you installed eDirectory (for example, c:\novell\nds).

2 Click Start > Settings > Control Panel > Novell eDirectory Services.

3 Select dsrepair.dlm in the Service list.

4 Enter -ins in the Startup Parameters field, then click Start.

After the schema has been updated, the Status field next to the dsrepair.dlm service will be blank.

5 To see the results of the schema update, select dsrepair.dlm, then click Start.

6 Click File > Open Log File > Open.

The last entry in the log file will contain the results of the schema update.

2.6 Disk Space Check on Upgrading to eDirectory SP2 or later

When eDirectory server is upgraded from previous versions to eDirectory 8.8 SP2 or later, the disk space check for the DIB upgrade would be performed. The free disk space necessary in the file system, where the DIB resides would be equal to that of the DIB size. The messages of the disk space check would be updated in the ni.log and <Install Path>/novell/nds/ ndscheck.log.

NOTE: The disk space check is required only during the DIB upgrade process. For more information, refer to Chapter 8, “Upgrade Requirements of eDirectory 8.8,” on page 115.

26 Novell eDirectory 8.8 Installation Guide

2.7 Installing Novell eDirectory on Windows

This section contains the following information:

 “Installing or Updating Novell eDirectory 8.8 on Windows 2000 or Server 2003” on page 27

 “Server Health Checks” on page 28

 “Communicating with eDirectory through LDAP” on page 29

 “Installing NMAS Server Software” on page 32

 “Installing NMAS Client Software” on page 32

 “Installing into a Tree with Dotted Name Containers” on page 32

2.7.1 Installing or Updating Novell eDirectory 8.8 on Windows 2000 or Server 2003

You can install eDirectory 8.8 for Windows without the Novell Client. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory will use the existing Client, or update it if it is not the latest version.

novdocx (en) 6 April 2007

1 At the Windows server, log in as Administrator or as a user with administrative privileges.

2 To resolve tree names, make sure that SLP is correctly configured on your network and that

SLP DAs are stable.

For more information, see one of the following:

 Appendix C, “Configuring OpenSLP for eDirectory,” on page 147

 DHCP Options for Service Location Protocol (http://www.openslp.org/doc/rfc/

rfc2610.txt)

 OpenSLP Documentation (http://www.openslp.org/#Documentation)

3 If you have Autorun turned off, run setup.bat from the Novell eDirectory 8.8 SP2 CD or

from the downloaded file.

The installation program checks for the following components before it installs eDirectory. If a component is missing or is an incorrect version, the installation program automatically launches an installation for that component.

 NICI 2.7

For more information on the Novell International Cryptographic Infrastructure (NICI), see the NICI 2.7 Administration Guide (http://www.novell.com/documentation/nici27x/

index.html).

You might have to reboot the server after the NICI installation. The eDirectory installation will continue after the reboot.

 Novell Client for Windows.

IMPORTANT: The Novell Client is updated automatically if you have an older version of the Client already installed on the machine. For more information on the Client, see the

Novell Client for Windows (http://www.novell.com/documentation/lg/noclienu/ index.html) online documentation.

4 View the license agreement, then click I Accept.

5 Select a language for the installation, then click Next.

Installing or Upgrading Novell eDirectory on Windows 27

6 Specify or confirm the installation path, then click Next.

7 Specify or confirm the DIB path, then click Next.

8 (New installations only) Select an eDirectory installation type, then click Next.

 Install eDirectory into an Existing Tree incorporates this server into your eDirectory

network. The server can be installed into any level of your tree.

 Create a New eDirectory Tree creates a new tree. Use this option if this is the first server

to go into the tree or if this server requires a separate tree. The resources available on the new tree will not be available to users logged in to a different tree.

9 Provide information in the eDirectory Installation screen, then click Next.

 If you are installing a new eDirectory server, specify a Tree name, Server object context,

and Admin name and password for the new tree.

 If you are installing into an existing tree, specify the Tree name, Server object context, and

Admin name and password of the existing tree.

 If you are upgrading an eDirectory server, specify the Admin password.

NOTE: In eDirectory 8.8 and later, you can have case sensitive passwords for all the utilities. Refer to Novell eDirectory 8.8 What's New Guide (http://www.novell.com/

documentation/edir88/index.html) for more information.

novdocx (en) 6 April 2007

For information on using dots in container names, see “Installing into a Tree with Dotted Name

Containers” on page 32.

10 (New installations only) In the HTTP Server Port Configuration page, specify the ports to use

for the eDirectory administrative HTTP server, then click Next.

IMPORTANT: Make sure that the HTTP stack ports you set during the eDirectory installation are different than the HTTP stack ports you have used or will use for Novell iManager. For more information, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/

documentation/imanager25/index.html).

11 (New installations only) In the LDAP Configuration page, specify which LDAP ports to use,

then click Next.

For more information, see “Communicating with eDirectory through LDAP” on page 29.

12 Select the NMAS

TM

login methods you want to install, then click Next.

See “Installing NMAS Server Software” on page 32 and “Installing NMAS Client Software”

on page 32 for more information.

13 Click Finish to complete the eDirectory installation.

2.7.2 Server Health Checks

With eDirectory 8.8, when you upgrade eDirectory, a server health check is conducted by default to ensure that the server is safe for the upgrade.

 Section B.3.2, “Partitions and Replica Health,” on page 143

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:

 If all the health checks are successful, the upgrade will continue.

28 Novell eDirectory 8.8 Installation Guide

 If there are minor errors, the upgrade will prompt you to continue or exit.

 If there are critical errors, the upgrade will exit.

See Appendix B, “Server Health Checks,” on page 141 for a list of minor and critical error conditions.

Skipping Server Health Checks

To skip server health checks, disable server health checks when prompted in the installation wizard

For more information, see Appendix B, “Server Health Checks,” on page 141.

2.7.3 Communicating with eDirectory through LDAP

When you install eDirectory, you must select a port that the LDAP server monitors so that it can service LDAP requests. The following table lists options for various installations:

Installation Option Result

novdocx (en) 6 April 2007

eDirectory 8.8 Clear text (port 389) Selects port 389.

eDirectory 8.8 Encrypted (port 636) Selects port 636.

eDirectory 8.8 Require TLS for simple bind Keeps (on the LDAP Group object) a

parameter asked about during installation.

Port 389, the Industry-Standard LDAP Clear-Text Port

The connection through port 389 is not encrypted. All data sent on a connection made to this port is clear. Therefore, a security risk exists. For example, LDAP passwords can be viewed on a simple bind request.

An LDAP Simple Bind requires only a DN and a password. The password is in clear text. If you use port 389, the entire packet is in clear text. By default, this option is disabled during the eDirectory installation.

Because port 389 allows clear text, the LDAP server services Read and Write requests to the Directory through this port. This openness is adequate for environments of trust, where spoofing doesn't occur and no one inappropriately captures packets.

To disallow clear passwords and other data, select the Require TLS for Simple Bind with Password option during installation.

As the following figure illustrates, the page gives defaults of 389, 636, and Require TLS for Simple Bind with Password.

Installing or Upgrading Novell eDirectory on Windows 29

Figure 2-1 Defaults for the LDAP Configuration Screen

novdocx (en) 6 April 2007

Scenario: Require TLS for Simple Bind with Password Is Enabled: Olga is using a client that asks for a password. After Olga enters a password, the client connects to the server. However, the LDAP server does not allow the connection to bind to the server over the clear-text port. Everyone is able to view Olga's password, but Olga is unable to get a bound connection.

The Require TLS for Simple Bind with Password discourages users from sending observable passwords. If this setting is disabled (that is, not checked), users are unaware that others can observe their passwords. This option, which does not allow the connection, only applies to the clear-text port.

If you make a secure connection to port 636 and have a simple bind, the connection is already encrypted. No one can view passwords, data packets, or bind requests.

Port 636, the Industry-Standard Secure Port

The connection through port 636 is encrypted. TLS (formerly SSL) manages the encryption. By default, the eDirectory installation selects this port.

The following figure illustrates the selected port.

30 Novell eDirectory 8.8 Installation Guide

Figure 2-2 LDAP Server Connections Page in iManager

novdocx (en) 6 April 2007

A connection to port 636 automatically instantiates a handshake. If the handshake fails, the connection is denied.

IMPORTANT: This default selection might cause a problem for your LDAP server. If a service already loaded on the host server (before eDirectory was installed) uses port 636, you must specify another port.

Installations earlier than eDirectory 8.7 treated this conflict as a fatal error and unloaded nldap.nlm. The eDirectory 8.7.3 onwards installation loads nldap.nlm, places an error message in the dstrace.log file, and runs without the secure port.

Scenario: Port 636 Is Already Used: Your server is running Active Directory*. Active Directory is running an LDAP program, which uses port 636. You install eDirectory. The installation program detects that port 636 is already used and doesn't assign a port number for the Novell LDAP server. The LDAP server loads and appears to run. However, because the LDAP server does not duplicate or use a port that is already open, the LDAP server does not service requests on any duplicated port.

If you are not certain that port 389 or 636 is assigned to the Novell LDAP server, run the ICE utility. If the Vendor Version field does not specify Novell, you must reconfigure LDAP Server for eDirectory and select a different port.See “Verifying That The LDAP Server Is Running” in the Novell eDirectory 8.8 Administration Guide for more information.

Scenario: Active Directory Is Running: Active Directory is running. Clear-text port 389 is open. You run the ICE command to port 389 and ask for the vendor version. The report displays Microsoft*. You then reconfigure the Novell LDAP server by selecting another port, so that the eDirectory LDAP server can service LDAP requests.

Novell iMonitor can also report that port 389 or 636 is already open. If the LDAP server isn't working, use Novell iMonitor to identify details. See “Verifying That The LDAP Server Is Running” in the Novell eDirectory 8.8 Administration Guide for more information.

Installing or Upgrading Novell eDirectory on Windows 31

2.7.4 Installing NMAS Server Software

Novell Modular Authentication ServiceTM (NMAS) server components are installed automatically when you run the eDirectory installation program. You will need to select the login methods you want to install.

Select the login methods that you want to install into eDirectory by checking the appropriate check boxes. When you select a login method, a description of the component appears in the Description box. For more information on login methods, see “Managing Login and Post-Login Methods and

Sequences” (http://www.novell.com/documentation/beta/nmas30/admin/data/a53vj9a.html) in the

Novell Modular Authentication Service Administration Guide.

Click Select All if you want to install all the login methods into eDirectory. Click Clear All if you want to clear all selections.

The NDS login method is installed by default.

2.7.5 Installing NMAS Client Software

The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods.

novdocx (en) 6 April 2007

1 At a Windows client workstation, insert the Novell eDirectory 8.8 CD.

2 From the NMAS directory, run nmasinstall.exe.

3 Select the NMAS Client Components check box.

Optionally, you can select the NICI check box if you want to install this component.

4 Click OK, then follow the on-screen instructions.

5 Reboot the client workstation after the installation completes.

2.7.6 Installing into a Tree with Dotted Name Containers

You can install a Windows server into an eDirectory tree that has containers with dots in the names (for example, O=novell.com or C=u.s.a). Using containers with dotted names requires that those dots be escaped with the backslash character. To escape a dot, simply put a backslash in front of any dot in a container name. See Figure 2-3 for an example.

You cannot start a name with a dot. For example, you cannot create a container named “.novell” because it starts with a dot (‘.’).

32 Novell eDirectory 8.8 Installation Guide

Figure 2-3 eDirectory Installation Information Screen

novdocx (en) 6 April 2007

IMPORTANT: If your tree has containers with dotted names, you must escape those names when logging into utilities such as iMonitor, iManager, and DHost iConsole. For example, if your tree has “novell.com” as the name of the O, enter username.novell\.com in the Username field when logging in to iMonitor (see Figure 2-4).

Figure 2-4 iMonitor Login Screen

Installing or Upgrading Novell eDirectory on Windows 33

novdocx (en) 6 April 2007

34 Novell eDirectory 8.8 Installation Guide

3

Installing or Upgrading Novell

novdocx (en) 6 April 2007

eDirectory on Linux

Use the following information to install or upgrade Novell® eDirectoryTM 8.8 on a Linux* server:

 Section 3.1, “System Requirements,” on page 35

 Section 3.2, “Prerequisites,” on page 36

 Section 3.3, “Hardware Requirements,” on page 37

 Section 3.4, “Forcing the Backlink Process to Run,” on page 38

 Section 3.5, “Upgrading eDirectory,” on page 38

 Section 3.6, “Installing eDirectory,” on page 46

3.1 System Requirements

 One of the following:

 OES Linux SP2 32 bit

 SUSE Linux Enterprise Server 8.x 32 bit

 SUSE Linux Enterprise Server 9 32 bit (SP1, SP2 & SP3) and 64 bit (SP3) or later

 SUSE Linux Enterprise Server 10 32 bit and 64 bit

3

NOTE: eDirectory 8.8 SP2 is supported on SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The following updates are available at https://update.novell.com

(https://update.novell.com).

SUSE-Linux-Enterprise-Server-X86_64-10-0-20061011-020434

SLES10-Updates

For registering and updating SUSE Linux Enterprise 10, refer to Registering SUSE Linux

Enterprise 10 with the Novell Customer Center (http://support.novell.com/techcenter/ articles/RegandUpdate_SLE10.html). After installating the latest update, ensure that the

minimum patch level of the installed update is 3.0.2_09763-0.8.

To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.

 Red Hat Enterprise Linux ES & AS 3.0 32 bit

Ensure that the latest glibc patches are applied from Red Hat Errata (http://rhn.redhat.com/

errata) on Red Hat systems. The minimum required version of the glibc library is version

2.1.

 Red Hat Enterprise Linux AS 4.0 32 and 64-bit

 256 MB RAM minimum

 90 MB of disk space for the eDirectory server

 25 MB of disk space for the eDirectory administration utilities

 74 MB of disk space for every 50,000 users

 Ensure that gettext is installed

Installing or Upgrading Novell eDirectory on Linux

35

NOTE: By default, gettext is not installed on the base install of SLES9, but is included in the SLES9 install CD's. Ensure you install it before you run nds-install, or you will get messages about it missing.

3.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What Novell products are supported with

Novell eDirectory 8.8? (http://support.novell.com/cgi-bin/search/searchtid.cgi?10099872.htm). We

also highly recommend you to back up eDirectory before any upgrades.

 (Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use

a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change; it will be 2 KB. The only way to create a 4 KB key size is recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

novdocx (en) 6 April 2007

For more information, refer to Section 3.6.2, “Installing NICI,” on page 47.

 SLP installed and configured

With eDirectory 8.8, SLP does not get installed as part of the eDirectory installation.

Only a root user can install SLP.

For more information on installing SLP, refer to “Using SLP with eDirectory” on page 46.

 The Linux host enabled for multicast routing

To check if the host is enabled for multicast routing, enter the following command:

/bin/netstat -nr

The following entry should be present in the routing table:

224.0.0.0 0.0.0.0

If the entry is not present, log in as root and enter the following command to enable multicast routing:

route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

The interface could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.

 Network server time synchronized

Use Network Time Protocol's (NTP) xntpd to synchronize time across all network servers. If you want to synchronize time on Linux, Solaris, AIX, or HP-UX systems with NetWare servers, use timesync.nlm 5.09 or later.

 compat-libstdc++ RPM

®

If the compat-libstdc++ RPM is not present on your host machine, install it. This RPM contains libstdc++-libc6.1-1.so.2.

 compat

36 Novell eDirectory 8.8 Installation Guide

If the compat RPM is not present on your machine, install it. This RPM contains libncurses.so.4.

 For YaST based installation:

 Install the java2 jre package. This contains libjava.so and libjvm.so.

 (Conditional) If you are installing a secondary server, all the replicas in the partition that you

install the product on should be in the On state.