Novell®
www.novell.com
Administration Guide
novdocx (en) 22 June 2009
AUTHORIZED DOCUMENTATION
eDirectory
8.8 SP5
December 02, 2009
TM
Novell eDirectory 8.8 Administration Guide
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no
responsibility for your failure to obtain any necessary export approvals.
Copyright © 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
novdocx (en) 22 June 2009
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get
updates, see www.novell.com/documentation.
Novell Trademarks
Client32 is a trademark of Novell, Inc.
eDirectory is a trademark of Novell, Inc.
NetWare is a registered trademark of Novell, Inc., in the United States and other countries.
NetWare Core Protocol and NCP are trademarks of Novell, Inc.
NMAS is a trademark of Novell, Inc.
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
Novell Client is a trademark of Novell, Inc.
Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other
countries.
Ximiam is a registerd trademark of Novell, Inc., in the United States and other countries.
ZENworks is a registered trademark of Novell, Inc., in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://
www.openssl.org).
novdocx (en) 22 June 2009
novdocx (en) 22 June 2009
4 Novell eDirectory 8.8 Administration Guide
Contents
About This Guide 17
1 Understanding Novell eDirectory 19
1.1 Ease of Management through Novell iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.1 Powerful Tree Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.2 Web-Based Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.1.3 Single Login and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2 Object Classes and Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2.1 List of Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2.2 Container Object Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.3 Leaf Object Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.3 Context and Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
1.3.1 Distinguished Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.3.2 Typeful Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.3.3 Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.3.4 Current Workstation Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.5 Leading Period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.6 Relative Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.7 Trailing Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.3.8 Context and Naming on Linux and UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.4 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.4.1 Schema Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
1.4.2 Schema Classes, Attributes, and Syntaxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
1.4.3 Understanding Mandatory and Optional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 50
1.4.4 Sample Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
1.4.5 Designing the Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
1.5 Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
1.5.1 Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.5.2 Distributing Replicas for Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
1.5.3 Partitions and WAN Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
1.6 Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
1.6.1 Replica Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
1.6.2 Filtered Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
1.7 NetWare Bindery Emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1.8 Server Synchronization in the Replica Ring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1.9 Access to Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
1.10 eDirectory Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
1.10.1 Trustee Assignments and Targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1.10.2 eDirectory Rights Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1.10.3 Default Rights for a New Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
1.10.4 Delegated Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
1.10.5 Administering Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
novdocx (en) 22 June 2009
2 Designing Your Novell eDirectory Network 73
2.1 eDirectory Design Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.1 Network Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.2 Organizational Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.1.3 Preparing for eDirectory Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.2 Designing the eDirectory Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Contents 5
2.2.1 Creating a Naming Standards Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.2.2 Designing the Upper Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.2.3 Designing the Lower Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.3 Guidelines for Partitioning Your Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.3.1 Determining Partitions for the Upper Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . 80
2.3.2 Determining Partitions for the Lower Layers of the Tree . . . . . . . . . . . . . . . . . . . . . . 81
2.3.3 Determining Partition Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.3.4 Considering Network Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.4 Guidelines for Replicating Your Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.1 Workgroup Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.2 Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.3 Determining the Number of Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.4 Replicating the Tree Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.5 Replicating for Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.4.6 Meeting Bindery Services Needs for NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.4.7 Managing WAN Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5 Planning the User Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5.1 Reviewing Users' Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5.2 Creating Accessibility Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.6 Designing eDirectory for e-Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.7 Understanding the Novell Certificate Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
2.7.1 Rights Required to Perform Tasks on Novell Certificate Server . . . . . . . . . . . . . . . . 86
2.7.2 Ensuring Secure eDirectory Operations on Linux, Solaris, and AIX Systems . . . . . . 87
2.8 Synchronizing Network Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.8.1 Synchronizing Time on NetWare Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.8.2 Synchronizing Time on Windows Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
2.8.3 Synchronizing Time on Linux, Solaris, or AIX Systems . . . . . . . . . . . . . . . . . . . . . . . 91
2.8.4 Verifying Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
novdocx (en) 22 June 2009
3 Managing Objects 93
3.1 General Object Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.1.1 Browsing the eDirectory Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.1.2 Creating an Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.3 Modifying an Object's Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.4 Copying Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.5 Moving Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.1.6 Deleting Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.1.7 Renaming Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.2 Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.2.1 Creating and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.2.2 Setting Up Optional Account Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
3.2.3 Setting Up Login Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
3.2.4 Login Time Restrictions for Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.2.5 Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.3 Configuring Role-Based Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.3.1 Defining RBS Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
3.3.2 Defining Custom RBS Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.4 Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
3.4.1 Features of Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.4.2 Normal or Replica Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.4.3 Priority Sync. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4 Managing the Schema 119
4.1 Extending the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.1.1 Creating a Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
6 Novell eDirectory 8.8 Administration Guide
4.1.2 Deleting a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.1.3 Creating an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.1.4 Adding an Optional Attribute to a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.1.5 Deleting an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.1.6 Creating an Auxiliary Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.1.7 Extending an Object with the Properties of an Auxiliary Class . . . . . . . . . . . . . . . . 122
4.1.8 Modifying an Object's Auxiliary Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.1.9 Deleting Auxiliary Properties from an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.2 Viewing the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.2.1 Viewing Class Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.2.2 Viewing Attribute Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3 Manually Extending the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3.1 Extending the Schema on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3.2 Extending the Schema on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3.3 Extending the Schema on Linux, Solaris, or AIX Systems . . . . . . . . . . . . . . . . . . . 125
4.4 Schema Flags Added in eDirectory 8.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.5 Using the Client to Perform Schema Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.5.1 Using the DSSchema eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.5.2 DSSchema eMTool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5 Managing Partitions and Replicas 131
novdocx (en) 22 June 2009
5.1 Creating a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
5.2 Merging a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
5.3 Moving Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
5.4 Cancelling Create or Merge Partition Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
5.5 Administering Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
5.5.1 Adding a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
5.5.2 Deleting a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.5.3 Changing a Replica Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.6 Setting Up and Managing Filtered Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.6.1 Using the Filtered Replica Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.6.2 Defining a Partition Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
5.6.3 Setting Up a Server Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.7 Viewing Partitions and Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.7.1 Viewing the Partitions on a Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.7.2 Viewing a Partition’s Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.7.3 Viewing Information about a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.7.4 Viewing Partition Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.7.5 Viewing Information about a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6 Novell eDirectory Management Utilities 143
6.1 Novell Import Conversion Export Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6.1.1 Using the Novell iManager Import Convert Export Wizard . . . . . . . . . . . . . . . . . . . 144
6.1.2 Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.1.3 Conversion Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6.1.4 LDAP Bulk Update/Replication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
6.1.5 Migrating the Schema between LDAP Directories. . . . . . . . . . . . . . . . . . . . . . . . . . 178
6.1.6 Improving the Speed of LDIF Imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
6.2 Index Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.2.1 Creating an Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.2.2 Deleting an Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.2.3 Taking an Index Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
6.2.4 Managing Indexes on Other Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes . . . . . . . . . . 182
Contents 7
6.3 Predicate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.3.1 Managing Predicate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.4 eDirectory Service Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.4.1 Using the Client Service Manager eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
6.4.2 Using the Service Manager Plug-In to Novell iManager . . . . . . . . . . . . . . . . . . . . . 187
7 Offline Bulkload Utility 189
7.1 Using ldif2dib for Bulkloading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
7.2 Multiple Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.3 Tuning ldif2dib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.3.1 Tuning the Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.3.2 Transaction Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.3.3 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.3.4 Block Cache Percent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.3.5 Check Point Interval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.4 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.4.1 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.4.2 ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.4.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.4.4 Unsupported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.4.5 Simple Password LDIF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.4.6 Custom Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.5 Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.5.1 Duplicate Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.5.2 No Schema Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.5.3 Insufficient Space on Hard-Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.5.4 Forced Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.5.5 Terminal Resizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
novdocx (en) 22 June 2009
8 Using Novell iMonitor 2.4 195
8.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
8.1.1 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
8.1.2 eDirectory Versions That Can Be Monitored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
8.2 Accessing iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
8.3 iMonitor Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
8.3.1 Anatomy of an iMonitor Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.3.2 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3.3 iMonitor Features Available on Every Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
8.3.4 NetWare Remote Manager Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
8.3.5 Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
8.4 iMonitor Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
8.4.1 Viewing eDirectory Server Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
8.4.2 Viewing Partition Synchronization Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
8.4.3 Viewing Server Connection Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
8.4.4 Viewing Known Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
8.4.5 Viewing Replica Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
8.4.6 Controlling and Configuring the DS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
8.4.7 Configuring Trace Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
8.4.8 Viewing Process Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8.4.9 Viewing Agent Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8.4.10 Viewing Traffic Patterns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
8.4.11 Viewing Background Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
8.4.12 Viewing eDirectory Server Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
8.4.13 Viewing DSRepair Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
8.4.14 Viewing Agent Health Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8 Novell eDirectory 8.8 Administration Guide
8.4.15 Browsing Objects in Your Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8.4.16 Viewing Entries for Synchronization or Purging. . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.17 Viewing Novell Nsure Identity Manager Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.18 Viewing the Synchronization Status of a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8.4.19 Configuring and Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
8.4.20 Viewing Schema, Class, and Attribute Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4.21 Searching for Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.4.22 Using the Stream Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.4.23 Clone DIB Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
8.5 Ensuring Secure iMonitor Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
8.6 Configuring HTTP Server Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
8.7 Setting HTTP Stack Parameters Using ndsconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
9 SecretStore Configuration for eDirectory Server 223
9.1 UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
9.2 Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
9.3 NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
10 Merging Novell eDirectory Trees 225
novdocx (en) 22 June 2009
10.1 Merging eDirectory Trees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
10.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
10.1.2 Target Tree Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
10.1.3 Schema Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
10.1.4 Merging the Source into the Target Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
10.1.5 Partition Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
10.1.6 Preparing the Source and Target Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
10.1.7 Synchronizing Time before the Merge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
10.1.8 Merging Two Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
10.1.9 Post-Merge Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
10.2 Grafting a Single Server Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
10.2.1 Understanding Context Name Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
10.2.2 Preparing the Source and Target Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
10.2.3 Grafting the Source and Target Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
10.3 Renaming a Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
10.4 Using the Client to Merge Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
10.4.1 Using the DSMerge eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
10.4.2 DSMerge eMTool Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
11 Encrypting Data In eDirectory 241
11.1 Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
11.1.1 Using Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
11.1.2 Managing Encrypted Attributes Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
11.1.3 Accessing the Encrypted Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
11.1.4 Viewing the Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
11.1.5 Encrypting and Decrypting Backup Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.1.6 Cloning the DIB Fileset Containing Encrypted Attributes . . . . . . . . . . . . . . . . . . . . 249
11.1.7 Adding eDirectory 8.8 Servers to Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.1.8 Backward Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.1.9 Migrating to Encrypted Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.1.10 Replicating the Encrypted Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.2 Encrypted Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.2.1 Enabling Encrypted Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
11.2.2 Adding a New Replica to a Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Contents 9
11.2.3 Synchronization and Encrypted Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
11.2.4 Viewing the Encrypted Replication Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
11.3 Achieving Complete Security While Encrypting Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
11.3.1 Encrypting Data in an All New Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
11.3.2 Encrypting Data in an Existing Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
11.3.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
12 Repairing the Novell eDirectory Database 265
12.1 Performing Basic Repair Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
12.1.1 Performing an Unattended Full Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
12.1.2 Performing a Local Database Repair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
12.1.3 Checking External References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.1.4 Repairing a Single Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.1.5 Deleting Unknown Leaf Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.2 Viewing and Configuring the Repair Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
12.2.1 Opening the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
12.2.2 Setting Log File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
12.3 Performing a Repair in Novell iMonitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
12.4 Repairing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
12.4.1 Repairing All Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
12.4.2 Repairing Selected Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
12.4.3 Repairing Time Stamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
12.4.4 Designating This Server As the New Master Replica . . . . . . . . . . . . . . . . . . . . . . . 273
12.4.5 Destroying the Selected Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
12.5 Repairing Replica Rings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
12.5.1 Repairing All Replica Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
12.5.2 Repairing the Selected Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
12.5.3 Sending All Objects to Every Server in the Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
12.5.4 Receiving All Objects from the Master to the Selected Replica. . . . . . . . . . . . . . . . 275
12.5.5 Removing This Server from the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
12.6 Maintaining the Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
12.6.1 Requesting Schema from the Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12.6.2 Resetting the Local Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12.6.3 Performing a Post-NetWare 5 Schema Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12.6.4 Performing Optional Schema Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.6.5 Importing Remote Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.6.6 Declaring a New Schema Epoch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
12.7 Repairing Server Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
12.7.1 Repairing All Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
12.7.2 Repairing a Server's Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12.8 Performing Synchronization Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12.8.1 Synchronizing the Selected Replica on This Server . . . . . . . . . . . . . . . . . . . . . . . . 281
12.8.2 Reporting the Synchronization Status on This Server . . . . . . . . . . . . . . . . . . . . . . . 281
12.8.3 Reporting the Synchronization Status on All Servers . . . . . . . . . . . . . . . . . . . . . . . 281
12.8.4 Performing a Time Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
12.8.5 Scheduling an Immediate Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.9 Advanced DSRepair Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.9.1 Running DSRepair on the eDirectory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.9.2 DSRepair Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
12.9.3 Using Advanced DSRepair Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.10 Using the Client to Repair a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
12.10.1 Using the DSRepair eMTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
12.10.2 DSRepair eMTool Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
novdocx (en) 22 June 2009
10 Novell eDirectory 8.8 Administration Guide
13 WAN Traffic Manager 291
13.1 Understanding WAN Traffic Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
13.1.1 LAN Area Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
13.1.2 WAN Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
13.1.3 Limiting WAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
13.1.4 Assigning Cost Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
13.2 WAN Traffic Manager Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
13.2.1 1-3am.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
13.2.2 7am-6pm.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
13.2.3 Costlt20.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
13.2.4 Ipx.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
13.2.5 Ndsttyps.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
13.2.6 Onospoof.wmg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
13.2.7 Opnspoof.wmg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
13.2.8 Samearea.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
13.2.9 Tcpip.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
13.2.10 Timecost.wmg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
13.3 WAN Policy Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
13.3.1 Declaration Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
13.3.2 Selector Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
13.3.3 Provider Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
13.3.4 Construction Used within Policy Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
novdocx (en) 22 June 2009
14 Understanding LDAP Services for Novell eDirectory 323
14.1 Key Terms for LDAP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
14.1.1 Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
14.1.2 Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
14.1.3 Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
14.2 Understanding How LDAP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
14.2.1 Connecting to eDirectory from LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
14.2.2 Class and Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
14.2.3 Enabling Nonstandard Schema Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
14.2.4 Syntax Differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
14.2.5 Supported Novell LDAP Controls and Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 334
14.3 Using LDAP Tools on Linux, Solaris, or AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
14.3.1 LDAP Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
14.4 Extensible Match Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
14.5 LDAP Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
14.5.1 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
15 Configuring LDAP Services for Novell eDirectory 349
15.1 Loading and Unloading LDAP Services for eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
15.2 Verifying That the LDAP Server Is Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
15.3 Verifying That the LDAP Server Is Running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
15.3.1 Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
15.3.2 Verifying That The LDAP Server Is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
15.3.3 Verifying That A Device Is Listening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
15.4 Configuring LDAP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
15.4.1 Configuring LDAP Server and LDAP Group Objects on Linux, Solaris, AIX
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
15.5 Refreshing the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
15.6 Authentication and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
15.6.1 Requiring TLS for Simple Binds with Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.2 Starting and Stopping TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Contents 11
15.6.3 Configuring the Server for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
15.6.4 Configuring the Client for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
15.6.5 Exporting the Trusted Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
15.6.6 Authenticating with a Client Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
15.6.7 Using Certificate Authorities from Third-Party Providers . . . . . . . . . . . . . . . . . . . . . 366
15.6.8 Creating and Using LDAP Proxy Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
15.6.9 Using SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
15.7 Using the LDAP Server to Search the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
15.7.1 Setting Search Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
15.7.2 Using Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
15.7.3 Searching Filtered Replicas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
15.8 Configuring for Superior Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
15.8.1 Scenario: Superior Referrals in a Federated Tree . . . . . . . . . . . . . . . . . . . . . . . . . . 379
15.8.2 Creating a Nonauthoritative Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
15.8.3 Specifying Reference Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
15.8.4 Updating Reference Information through LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
15.8.5 Affected Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
15.8.6 Discovering Support for Superior References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
15.9 Persistent Search: Configuring for eDirectory Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
15.9.1 Managing Persistent Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
15.9.2 Controlling Use of the Monitor Events Extended Operation . . . . . . . . . . . . . . . . . . 385
15.10 Getting Information about the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
15.11 Auditing LDAP Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
novdocx (en) 22 June 2009
16 Implementing the Service Location Protocol 389
16.1 Understanding SLP Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
16.1.1 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
16.1.2 Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
16.1.3 Directory Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
16.1.4 SLP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
16.2 How SLP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
16.2.1 SLP with a User Agent, Service Agent, and No Directory Agent. . . . . . . . . . . . . . . 394
16.2.2 SLP with a User Agent, Service Agent, and Directory Agent . . . . . . . . . . . . . . . . . 395
16.3 Understanding Local Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
16.3.1 Central Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
16.3.2 SLP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
16.3.3 Customized Scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
16.3.4 Proxy Scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
16.3.5 Scalability and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
16.3.6 Private Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
16.3.7 Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
16.4 Understanding Directory Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
16.4.1 How SLP Works in Directory Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
16.4.2 SLP eDirectory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
16.5 Novell’s Implementation of SLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
16.5.1 Novell’s User Agents and Service Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
16.5.2 The Novell Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
16.5.3 Using the Novell Windows NT Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
16.5.4 Using the Service Location Protocol Directory Agent . . . . . . . . . . . . . . . . . . . . . . . 411
16.6 Setting Up SLP on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
16.7 Setting Up SLP on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
16.7.1 Installing the NetWare SLP Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
16.7.2 Setting Up the NetWare Directory Agent Manually . . . . . . . . . . . . . . . . . . . . . . . . . 414
16.7.3 NetWare SLP Directory Agent Console Commands . . . . . . . . . . . . . . . . . . . . . . . . 414
16.8 Setting Up SLP on Linux or Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
16.8.1 User Agents and Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
12 Novell eDirectory 8.8 Administration Guide
16.8.2 Starting and Stopping the Daemon Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
16.8.3 Using the SLPINFO Diagnostic Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
16.8.4 eDirectory Interoperatability with OpenSLP on Linux and Solaris 8.0 SLP . . . . . . . 419
16.8.5 SLP V1- V2 Interoperatibility Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
17 Backing Up and Restoring Novell eDirectory 421
17.1 Checklist for Backing Up eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
17.2 Understanding Backup and Restore Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
17.2.1 About the eDirectory Backup Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
17.2.2 What's Different between Backup and Restore in DSBK and TSA for NDS Backup 426
17.2.3 Overview of How the Backup Tool Does a Restore. . . . . . . . . . . . . . . . . . . . . . . . . 427
17.2.4 Format of the Backup File Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
17.2.5 Format of the Backup Log File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
17.2.6 Using DSMASTER Servers as Part of Disaster Recovery Planning . . . . . . . . . . . . 433
17.2.7 Transitive Vectors and the Restore Verification Process. . . . . . . . . . . . . . . . . . . . . 434
17.2.8 Preserving Rights When Restoring File System Data on NetWare . . . . . . . . . . . . . 434
17.3 Using Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
17.3.1 Issues to Be Aware of When Turning On Roll-Forward Logging . . . . . . . . . . . . . . . 437
17.3.2 Location of the Roll-Forward Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
17.3.3 Backing Up and Removing Roll-Forward Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
17.3.4 Cautionary Note: Removing eDirectory Also Removes the Roll-Forward Logs. . . . 440
17.4 Preparing for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
17.4.1 Prerequisites for Restoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
17.4.2 Locating the Right Backup Files for a Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
17.5 Backing Up and Restoring NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
17.5.1 Backing Up NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
17.5.2 Restoring NICI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
17.6 Using DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
17.6.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
17.6.2 Using DSBK on Various Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
17.6.3 Backing Up Manually with DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
17.6.4 Configuring Roll-Forward Logs with DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
17.6.5 Restoring from Backup Files with DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
17.6.6 Backup and Restore Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
17.7 Recovering the Database If Restore Verification Fails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
17.7.1 Cleaning Up the Replica Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
17.7.2 Repair the Failed Server and Readd Replicas to the Server . . . . . . . . . . . . . . . . . . 462
17.8 Scenarios for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
17.8.1 Scenario: Losing a Hard Drive Containing eDirectory in a Single-Server NetWork. 463
17.8.2 Scenario: Losing a Hard Drive Containing eDirectory in a Multiserver Environment 464
17.8.3 Scenario: Losing an Entire Server in a Multiple-Server Environment . . . . . . . . . . . 466
17.8.4 Scenario: Losing Some Servers in a Multiple-Server Environment . . . . . . . . . . . . . 467
17.8.5 Scenario: Losing All Servers in a Multiple-Server Environment. . . . . . . . . . . . . . . . 467
17.9 Disaster Recovery Plan using DSBK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
17.9.1 Disaster Recovery Plan on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
novdocx (en) 22 June 2009
18 SNMP Support for Novell eDirectory 471
18.1 Definitions and Terminology for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
18.2 Understanding SNMP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
18.3 eDirectory and SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
18.3.1 Benefits of SNMP Instrumentation on eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . 474
18.3.2 Understanding How SNMP Works with eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . 474
18.4 Installing and Configuring SNMP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
18.4.1 Loading and Unloading the SNMP Server Module . . . . . . . . . . . . . . . . . . . . . . . . . 477
Contents 13
18.4.2 Subagent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
18.4.3 Setting Up SNMP Services for eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
18.5 Monitoring eDirectory Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
18.5.1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
18.5.2 Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
18.5.3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
18.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
19 Maintaining Novell eDirectory 515
19.1 Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
19.1.1 Improving Server-to-Server Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
19.1.2 Advantages of Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
19.1.3 Deploying ARC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
19.1.4 Enabling Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
19.1.5 Tuning Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
19.1.6 Monitoring Advanced Referral Costing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
19.2 Improving Bulkload Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
19.2.1 eDirectory Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
19.2.2 LBURP Transaction Size Setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
19.2.3 Increasing the Number of Asynchronous Requests in ICE . . . . . . . . . . . . . . . . . . . 525
19.2.4 Increased Number of LDAP Writer Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
19.2.5 Disabling ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
19.2.6 Disabling Schema Validation in ICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
19.2.7 Disabling ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
19.2.8 Backlinker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
19.2.9 Enabling/Disabling Inline Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
19.2.10 Increasing the LBURP Time Out Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
19.3 Keeping eDirectory Healthy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
19.3.1 When to Perform Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
19.3.2 Health Check Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
19.3.3 Checking eDirectory Health Using iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
19.3.4 For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
19.4 Resources for Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
19.5 Upgrading Hardware or Replacing a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
19.5.1 Planned Hardware or Storage Device Upgrade without Replacing the Server . . . . 532
19.5.2 Planned Replacement of a Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
19.5.3 Server IP Address Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
19.6 Restoring eDirectory after a Hardware Failure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
novdocx (en) 22 June 2009
20 DHost iConsole Manager 541
20.1 What is DHost? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
20.2 Running DHost iConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
20.2.1 Running DHost iConsole on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
20.2.2 Running DHost iConsole on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
20.2.3 Running DHost iConsole on Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . . . . . . 543
20.3 Managing eDirectory Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
20.3.1 Loading or Unloading Modules on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
20.3.2 Loading or Unloading Modules on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
20.3.3 Loading or Unloading Modules on Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . 545
20.4 Querying for DHost Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
20.4.1 Viewing the Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
20.4.2 Viewing Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
20.4.3 Viewing Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
20.4.4 Viewing the Thread Pools Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
20.5 Process Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
14 Novell eDirectory 8.8 Administration Guide
21 Setting the SAdmin Password 549
21.1 Setting the SAdmin Password on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
21.2 Setting the SAdmin Password on Windows, Linux, Solaris, and AIX . . . . . . . . . . . . . . . . . . . 549
22 The eDirectory Management Toolbox 551
22.1 Using the Command Line Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
22.1.1 Displaying the Command Line Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
22.1.2 Running the Command Line Client in Interactive Mode . . . . . . . . . . . . . . . . . . . . . 552
22.1.3 Running the Command Line Client in Batch Mode . . . . . . . . . . . . . . . . . . . . . . . . . 556
22.1.4 eMBox Command Line Client Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
22.1.5 Establishing a Secure Connection with the Client . . . . . . . . . . . . . . . . . . . . . . . . . 559
22.1.6 Finding Out eDirectory Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
22.2 Using the Logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
22.2.1 Using the Logger Command Line Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
22.2.2 Using the Logger Feature in Novell iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
22.3 Using the eMBox Client for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
22.3.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
22.3.2 Backing Up Manually with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
22.3.3 Doing Unattended Backups, Using a Batch File with the eMBox Client . . . . . . . . . 565
22.3.4 Configuring Roll-Forward Logs with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . 568
22.3.5 Restoring from Backup Files with the eMBox Client . . . . . . . . . . . . . . . . . . . . . . . . 569
22.4 Using Novell iManager for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
22.4.1 Backing Up Manually with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
22.4.2 Configuring Roll-Forward Logs with iManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
22.4.3 Restoring from Backup Files with iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
novdocx (en) 22 June 2009
A NMAS Considerations 579
A.1 Setting Up a Security Container As a Separate Partition. . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
A.2 Merging Trees with Multiple Security Containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
A.2.1 Product-Specific Operations to Perform prior to Tree Merge. . . . . . . . . . . . . . . . . . 580
A.2.2 Performing the Tree Merge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
A.2.3 Product-Specific Operations to Perform after the Tree Merge . . . . . . . . . . . . . . . . 583
B Novell eDirectory Linux and UNIX Commands and Usage 585
B.1 General Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
B.2 LDAP-Specific Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
C Configuring OpenSLP for eDirectory 593
C.1 Service Location Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
C.2 SLP Fundamentals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
C.2.1 Novell Service Location Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
C.2.2 User Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
C.2.3 Service Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
C.3 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
D How Novell eDirectory Works with DNS 597
E Configuring GSSAPI with eDirectory 599
E.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Contents 15
E.1.1 Assumptions on Network Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
E.1.2 Installing the Kerberos Plug-in for iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
E.1.3 Adding Kerberos LDAP Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
E.1.4 Exporting the Trusted Root Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
E.2 Configuring the SASL-GSSAPI Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
E.2.1 Merging eDirectory Trees Configured with SASL-GSSAPI Method. . . . . . . . . . . . . 604
E.3 Managing the SASL-GSSAPI Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
E.3.1 Extending the Kerberos Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
E.3.2 Managing the Kerberos Realm Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
E.3.3 Managing a Service Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
E.3.4 Editing Foreign Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
E.3.5 Configuring SASL GSSAPI Authentication if MIT Kerberos KDC Uses eDirectory as
Backend. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
E.4 Creating a Login Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
E.5 How Does LDAP Use SASL-GSSAPI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
E.6 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
F Security Considerations 613
F.1 LDAP Binds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
F.2 Nessus Scan Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
novdocx (en) 22 June 2009
G Documentation Updates 615
G.1 December 02, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
G.2 June 05, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
16 Novell eDirectory 8.8 Administration Guide
About This Guide
This guide describes how to manage and configure Novell® eDirectoryTM 8.8.
Chapter 1, “Understanding Novell eDirectory,” on page 19
Section 2.2, “Designing the eDirectory Tree,” on page 74
Chapter 3, “Managing Objects,” on page 93
Chapter 4, “Managing the Schema,” on page 119
Chapter 5, “Managing Partitions and Replicas,” on page 131
Chapter 6, “Novell eDirectory Management Utilities,” on page 143
Chapter 7, “Offline Bulkload Utility,” on page 189
Chapter 8, “Using Novell iMonitor 2.4,” on page 195
Chapter 10, “Merging Novell eDirectory Trees,” on page 225
Chapter 11, “Encrypting Data In eDirectory,” on page 241
Chapter 12, “Repairing the Novell eDirectory Database,” on page 265
novdocx (en) 22 June 2009
Chapter 13, “WAN Traffic Manager,” on page 291
Chapter 14, “Understanding LDAP Services for Novell eDirectory,” on page 323
Chapter 15, “Configuring LDAP Services for Novell eDirectory,” on page 349
Chapter 17, “Backing Up and Restoring Novell eDirectory,” on page 421
Chapter 18, “SNMP Support for Novell eDirectory,” on page 471
Chapter 19, “Maintaining Novell eDirectory,” on page 515
Chapter 20, “DHost iConsole Manager,” on page 541
Chapter 21, “Setting the SAdmin Password,” on page 549
Chapter 22, “The eDirectory Management Toolbox,” on page 551
Appendix A, “NMAS Considerations,” on page 579
Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 585
Appendix C, “Configuring OpenSLP for eDirectory,” on page 593
Appendix D, “How Novell eDirectory Works with DNS,” on page 597
Appendix E, “Configuring GSSAPI with eDirectory,” on page 599
Audience
The guide is intended for network administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
About This Guide 17
Documentation Updates
For the most recent version of this guide, see Novell eDirectory 8.8 Administration Guide (http://
www.novell.com/documentation/edir88/index.html).
Additional Documentation
For eDirectory installation instructions, see the Novell eDirectory 8.8 Installation Guide (http://
www.novell.com/documentation/edir88/index.html).
For documentation on the eDirectory management utility, see the Novell iManager 2.6
Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
®
A trademark symbol (
, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
novdocx (en) 22 June 2009
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux and UNIX*, should use forward slashes as required by your software.
18 Novell eDirectory 8.8 Administration Guide
1
Understanding Novell eDirectory
In simplest terms, Novell® eDirectoryTM is a list of objects that represent network resources, such as
network users, servers, printers, print queues, and applications. Novell eDirectory is a highly
scalable, high-performing, secure directory service. It can store and manage millions of objects,
such as users, applications, network devices, and data. Novell eDirectory offers a secure identity
management solution that runs across multiple platforms, is internet-scalable, and extensible.
Novell eDirectory provides centralized identity management, infrastructure, Net-wide security, and
scalability to all types of applications running behind and beyond the firewall. Novell eDirectory
includes Web-based and wireless management capabilities, allowing you to access and manage the
directory and users, access rights, and network resources from a Web browser and a variety of
handheld devices.
Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol
(LDAP) 3 and provides support for TLS/SSL services based on the OpenSSL source code. For more
information on the eDirectory engine, see eDirectory Process Requests (http://developer.novell.com/
research/sections/netmanage/dirprimer/2002/august/p020801.htm).
novdocx (en) 22 June 2009
1
Figure 1-1 shows a few of the objects as viewed in the Novell iManager management utility.
Figure 1-1 eDirectory Objects in iManager
Some object classes might not be available, depending on the actual schema configured on the
eDirectory server and the operating system running eDirectory.
For more information on objects, see Section 1.2, “Object Classes and Properties,” on page 23.
If you have more than one eDirectory server on the network, the directory can be replicated on
multiple servers.
This chapter includes the following information:
Section 1.1, “Ease of Management through Novell iManager,” on page 20
Section 1.2, “Object Classes and Properties,” on page 23
Section 1.3, “Context and Naming,” on page 42
Section 1.4, “Schema,” on page 45
Section 1.5, “Partitions,” on page 51
Understanding Novell eDirectory
19
Section 1.6, “Replicas,” on page 54
Section 1.7, “NetWare Bindery Emulation,” on page 59
Section 1.8, “Server Synchronization in the Replica Ring,” on page 59
Section 1.9, “Access to Resources,” on page 60
Section 1.10, “eDirectory Rights,” on page 60
1.1 Ease of Management through Novell
iManager
Novell eDirectory allows for easy, powerful, and flexible management of network resources. It also
serves as a repository of user information for groupware and other applications. These applications
access your directory through the industry-standard Lightweight Directory Access Protocol
(LDAP).
eDirectory ease-of-management features include a powerful tree structure, an integrated
management utility, and single login and authentication.
Novell iManager lets you manage the directory and users, and access rights and network resources
within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins
to iManager give you access to basic directory management tasks, and to the eDirectory
management utilities you previously had to run on the eDirectory server, such as DSRepair,
DSMerge, and Backup and Restore.
novdocx (en) 22 June 2009
For more information, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/
documentation/imanager26/index.html).
1.1.1 Powerful Tree Structure
Novell eDirectory organizes objects in a tree structure, beginning with the top Tree object, which
bears the tree's name.
®
Whether your eDirectory servers are running NetWare
resources can be kept in the same tree. You won’t need to access a specific server or domain to
create objects, grant rights, change passwords, or manage applications.
The hierarchical structure of the tree gives you great management flexibility and power. These
benefits primarily result from the following two features:
“Container Objects” on page 20
“Inheritance” on page 21
Container Objects
Container objects allow you to manage other objects in sets, rather than individually. There are three
common classes of container objects, as seen in Figure 1-2:
Figure 1-2 Common Classes of Container Objects
, Linux*, UNIX*, or Windows*, all
20 Novell eDirectory 8.8 Administration Guide
The Tree object is the top container object in the tree. It usually contains your company’s
Organization object.
Organization is normally the first container class under the Tree object. The Organization object
is typically named after your company. Small companies keep management simple by having all
other objects directly under the Organization object.
Organizational Unit objects can be created under the Organization to represent distinct
geographical regions, network campuses, or individual departments. You can also create
Organizational Units under other Organizational Units to further subdivide the tree.
Other classes of container objects are Country and Locality, which are typically used only in
multinational networks.
The Domain object can be created under the Tree object or under Organization, Organizational
Unit, Country, and Locality objects.
You can perform one task on the container object that applies to all objects within the container.
Suppose you want to give a user named Amy complete management control over all objects in the
Accounting container. (See Figure 1-3.)
novdocx (en) 22 June 2009
Figure 1-3 Container Object
To do this, right-click the Accounting object, select Trustees of This Object, then add Amy as a
trustee. Next, select the rights you want Amy to have, then click OK. Now Amy has rights to
manage the Database application, the Bookkeepers group, the LaserPrinter printer, and the users
Amy, Bill, and Bob.
Inheritance
Another powerful feature of eDirectory is rights inheritance. Inheritance means that rights flow
down to all containers in the tree. This allows you to grant rights with very few rights assignments.
For example, suppose you want to grant management rights to the objects shown in Figure 1-4 on
page 21.
Figure 1-4 Sample eDirectory Objects
Understanding Novell eDirectory 21
You could make any of the following assignments:
If you grant a user rights to Allentown, the user can manage only objects in the Allentown
container.
If you grant a user rights to East, the user can manage objects in the East, Allentown, and
Yorktown c o n t a iners.
If you grant a user rights to YourCo, the user can manage any objects in any of the containers
shown.
For more information on assigning rights, see Section 1.10, “eDirectory Rights,” on page 60.
1.1.2 Web-Based Management Utility
iManager is a browser-based tool used for administering, managing, and configuring eDirectory
objects. iManager gives you the ability to assign specific tasks or responsibilities to users and to
present the user with only the tools (with the accompanying rights) necessary to perform those sets
of tasks.
To run iManager, you will need a workstation with Microsoft* Internet Explorer 6.0 SP1 or later
(recommended), Mozilla* 1.7 or later, or Mozilla Firefox* 0.9.2.
novdocx (en) 22 June 2009
IMPORTANT: While you might be able to access iManager through a Web browser not listed, we
do not guarantee full functionality.
You can use iManager to perform the following supervisory tasks:
Configure LDAP- and XML-based access to eDirectory
Create objects representing network users, devices, and resources
Define templates for creating new user accounts
Find, modify, move, and delete network objects
Define rights and roles to delegate administrative authority
Extend the eDirectory schema to allow custom object types and properties
Partition and replicate the eDirectory database across multiple servers
Run eDirectory management utilities such as DSRepair, DSMerge, and Backup and Restore
You can use iManager to perform other management functions based on plug-ins that have been
loaded into iManager. The following eDirectory plug-ins are installed with iManager 2.6:
eDirectory Backup and Restore
eDirectory Log Files
eDirectory Merge
eDirectory Repair
eDirectory Service Manager
eGuide Content
iManager Base Content
Import Convert Export Wizard
Index Management
22 Novell eDirectory 8.8 Administration Guide
iPrint
LDAP
Universal Password Enforcement
Priority Sync
Encrypted Attributes
Encrypted Replication
NLS
NMAS
PKI/Certificate
Filtered Replica Configuration Wizard
SNMP
WAN Traffic Manager
For more information on installing, configuring, and running iManager, Novell iManager 2.6
Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
novdocx (en) 22 June 2009
1.1.3 Single Login and Authentication
With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or
domain accounts for each user, and you don’t need to manage trust relationships or pass-through
authentication among domains.
A security feature of the directory is authentication of users. Before a user logs in, a User object
must be created in the directory. The User object has certain properties, such as a name and
password.
When the user logs in, eDirectory checks the password against the one stored in the directory for
that user and grants access if they match.
1.2 Object Classes and Properties
The definition of each type of eDirectory object is called an object class. For instance, User and
Organization are object classes. Each class of object has certain properties. A User object, for
example, has First Name, Last Name, and many other properties.
The schema defines the object classes and properties, along with the rules of containment (what
containers can contain which objects). eDirectory ships with a base schema that you, or the
applications you use, can extend. For more information about schemas, see Section 1.4, “Schema,”
on page 45.
Container objects contain other objects and are used to divide the tree into branches, while leaf
objects represent network resources.
1.2.1 List of Objects
The following tables list eDirectory object classes. Added services can create new object classes in
eDirectory that are not listed below.
Understanding Novell eDirectory 23
eDirectory Container Object Classes
novdocx (en) 22 June 2009
iManager Icon
Container Object
(Abbreviation)
Description
Tree Represents the beginning of your tree. For more
information, see “Tree” on page 25.
Country (C) Designates the countries where your network resides and
organizes other directory objects within the country. For
more information, see “Country” on page 28.
License Container (LC) Created automatically when you install a license certificate
or create a metering certificate using Novell Licensing
Services (NLS) technology. When an NLS-enabled
application is installed, it adds a License Container
container object to the tree and a License Certificate leaf
object to that container.
Organization (O) Helps you organize other objects in the directory. The
Organization object is a level below the Country object (if
you use the Country object). For more information, see
“Organization” on page 26.
Organizational Unit (OU) Helps you to further organize other objects in the directory.
The Organizational Unit object is a level below the
Organization object. For more information, see
“Organizational Unit” on page 27.
Domain (DC) Helps you to further organize other objects in the directory.
The Domain object can be created under the Tree object or
under Organization, Organizational Unit, Country, and
Locality objects. For more information, see “Domain” on
page 28.
eDirectory Leaf Object Classes
iManager Icon Leaf Object Description
AFP Server Represents an AppleTalk* Filing Protocol server that operates as a
node on your eDirectory network. It usually also acts as a NetWare
router to, and the AppleTalk server for, several Macintosh*
computers.
Alias Points to the actual location of an object in the directory. Any
directory object located in one place in the directory can also
appear to be in another place in the directory by using an Alias. For
more information, see “Alias” on page 40.
Application Represents a network application. Application objects simplify
administrative tasks such as assigning rights, customizing login
scripts, and launching applications.
Computer Represents a computer on the network.
Directory Map Refers to a directory in the file system. For more information, see
“Directory Map” on page 41.
24 Novell eDirectory 8.8 Administration Guide
iManager Icon Leaf Object Description
Group Assigns a name to a list of User objects in the directory. You can
assign rights to the group instead of to each user; then the rights
transfer to each user in the group. For more information, see
“Group” on page 32.
License Certificate Use with NLS technology to install product license certificates as
objects in the database. License Certificate objects are added to the
Licensed Product container when an NLS-aware application is
installed.
Organizational Role Defines a position or role within an organization.
Print Queue Represents a network print queue.
Print Server Represents a network print server.
Printer Represents a network printing device.
Profile Represents a login script used by a group of users who need to
share common login script commands. The users don’t need to be
in the same container. For more information, see “Profile” on
page 42.
novdocx (en) 22 June 2009
Server Represents a server running any operating system. For more
information, see “Server” on page 29.
Template Represents standard User object properties that can be applied to
new User objects.
Unknown Represents an object for which iManager has no custom icon.
User Represents the people who use your network. For more
information, see “User” on page 31.
Volume Represents a physical volume on the network. For more
information, see “Volume” on page 30.
1.2.2 Container Object Classes
“Tree” on page 25
“Organization” on page 26
“Organizational Unit” on page 27
“Country” on page 28
“Domain” on page 28
Tree
The Tree container, formerly [Root], is created when you first install eDirectory on a server in
your network. As the top-most container, it usually holds Organization objects, Country objects, or
Alias objects.
What Tree Represents
Tree represents the top of your tree.
Understanding Novell eDirectory 25
Usage
Tree is used to make universal rights assignments. Because of inheritance, any rights assignments
you make to Tree as the target apply to all objects in the tree. See Section 1.10, “eDirectory Rights,”
on page 60. The [Public] trustee has the Browse right and Admin has the Supervisor right to Tree by
default.
Important Properties
The Tree object has a Name property, which is the tree name you supply when installing the
first server. The tree name is shown in the hierarchy of iManager.
Tree name cannot exceed 32 characters.
Organization
An Organization container object is created when you first install eDirectory on a server in your
network. As the top-most container under Tree, it usually holds Organizational Unit objects and leaf
objects.
The User object named Admin is created by default in your first Organization container.
novdocx (en) 22 June 2009
What an Organization Object Represents
Normally the Organization object represents your company, although you can create additional
Organization objects under Tree. This is typically done for networks with distinct geographical
districts or for companies with separate eDirectory trees that have merged.
Usage
The way you use Organization objects in your tree depends on the size and structure of your
network. If the network is small, you should keep all leaf objects under one Organization object.
For larger networks, you can create Organizational Unit objects under the Organization to make
resources easier to locate and manage. For example, you can create Organizational Units for each
department or division in your company.
For networks with multiple sites, you should create an Organizational Unit for each site under the
Organization object. That way, if you have (or plan to have) enough servers to partition the
directory, you can do so logically along site boundaries.
For easy sharing of company-wide resources such as printers, volumes, or applications, create
corresponding Printer, Volume, or Application objects under the Organization.
26 Novell eDirectory 8.8 Administration Guide
Important Properties
The most useful properties for Organization are listed below. Only the Name property is required.
For a complete list of properties, select an Organization object in iManager. To display a description
for each page of properties, click Help.
Name
Typically, the Name property is the same as your company’s name. Of course, you can shorten
it for simplicity. For instance, if the name of your company is Your Shoe Company, you might
use YourCo.
The Organization name becomes part of the context for all objects created under it.
Login Script
The Login Script property contains commands that are executed by any User objects directly
under the Organization. These commands are run when a user logs in.
Organization name can be 64 characters long.
Organizational Unit
novdocx (en) 22 June 2009
You can create Organizational Unit (OU) container objects to subdivide the tree. Organizational
Units are created with iManager under an Organization, Country, or another Organizational Unit.
Organizational Units can contain other Organizational Units and leaf objects such as User and
Application objects.
What an Organizational Unit Object Represents
Normally the Organizational Unit object represents a department, which holds a set of objects that
commonly need access to each other. A typical example is a set of Users, along with the Printers,
Volumes, and Applications that those Users need.
At the highest level of Organizational Unit objects, each Organizational Unit can represent each site
(separated by WAN links) in the network.
Usage
The way you use Organizational Unit objects in your tree depends on the size and structure of your
network. If the network is small, you might not need any Organizational Units.
For larger networks, you can create Organizational Unit objects under the Organization to make
resources easier to locate and manage. For example, you can create Organizational Units for each
department or division in your company. Remember that administration is easiest when you keep
User objects together in the Organizational Unit with the resources they use most frequently.
For networks with multiple sites, you can create an Organizational Unit for each site under the
Organization object. That way, if you have (or plan to have) enough servers to partition the
directory, you can do so logically along site boundaries.
Understanding Novell eDirectory 27
Important Properties
The most useful properties for the Organizational Unit are listed below. Only the Name property is
required. For a complete list of properties, select an Organizational Unit object in iManager. To
display a description for each page of properties, click Help.
Name
Typically, the Name property is the same as the department name. Of course, you can shorten it
for simplicity. For instance, if the name of your department is Accounts Payable, you can
shorten it to AP.
The Organizational Unit name becomes part of the context for all objects created under it.
Login Script
The Login Script property contains commands that are executed by any User objects directly
under the Organizational Unit. These commands are run when a user logs in.
Organizational Unit name can be 64 characters long.
Country
novdocx (en) 22 June 2009
You can create Country objects directly under the Tree object using iManager. Country objects
are optional and required only for connection to certain X.500 global directories.
What a Country Object Represents
The Country object represents the political identity of its branch of the tree.
Usage
Most administrators do not create a Country object, even if the network spans countries, since the
Country object only adds an unnecessary level to the tree. You can create one or many Country
objects under the Tree object, depending on the multinational nature of your network. Country
objects can contain only Organization objects.
If you do not create a Country object and find that you need one later, you can always modify the
tree to add one.
Important Properties
The Country object has a two-letter Name property. Country objects are named with a standard
two-letter code such as US, UK, or DE.
Country name cannot exceed 2 characters.
Domain
You can create Domain objects directly under the Tree object using iManager. You can also
create them under Organization, Organization Unit, Country, and Location objects.
What a Domain Object Represents
The Domain object represent DNS domain components. Domain objects let you use your Domain
Name System location of services resource records (DNS SRV) to locate services in your tree.
Using Domain objects, a tree could look something like this:
28 Novell eDirectory 8.8 Administration Guide
DS=Novell.DC=Provo.DC=USA
In this example, all subcontainers are domains. You can also use Domain objects in a mixed tree,
such as:
DC=Novell.O=Provo.C=USA
Or
novdocx (en) 22 June 2009
OU=Novell.DC=Provo.C=USA
Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example,
machine1.novell.com could be represented by
DC=machine1.DC=novell.DC=com
in a tree
representation. Domains give you a more generic way to set up an eDirectory tree. If all containers
and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for
objects.
Usage
NetWare 4 and 5 trees cannot have Domain objects at the top of the tree. With NetWare 4 and 5, the
NCP Server object can be placed in an Organization, Country, Organizational Unit, or Locality
container, but not in a Domain container. With NetWare 6, however, you can place Domain objects
at the top of the tree, and you can place the NCP Server object in a Domain container.
For older installations of NetWare (such as NetWare 4), when you prepare the tree to install or
upgrade to NetWare 5 or later, the nds500.sch file will automatically run. After the first server is
installed into the tree, this file extends the schema to allow the Domain container to be created
anywhere and hold most directory objects.
Domain name can be 64 characters long.
1.2.3 Leaf Object Classes
“Server” on page 29
“Volume” on page 30
“User” on page 31
“Group” on page 32
“Nested Groups” on page 36
“Alias” on page 40
“Directory Map” on page 41
“Profile” on page 42
Server
A Server object is automatically created in the tree whenever you install eDirectory on a server.
The object class can be any server running eDirectory.
You can also create a Server object to represent a NetWare 2 or NetWare 3 bindery server.
Understanding Novell eDirectory 29
What a Server Object Represents
The Server object represents a server running eDirectory or a bindery-based (NetWare 2 or NetWare
3) server.
Usage
The Server object serves as a reference point for replication operations. A Server object that
represents a bindery-based server allows you to manage the server’s volumes with iManager.
Important Properties
The Server object has a Network Address property, among others. The Network Address property
displays the protocol and address number for the server. This is useful for troubleshooting at the
packet level
For a complete list of properties, select a Server object in iManager. To display a description for
each page of properties, click Help.
Volume
novdocx (en) 22 June 2009
When you create a physical volume on a server, a Volume object is automatically created in the
tree. By default, the name of the Volume object is the server’s name with an underscore and the
physical volume’s name appended (for example, YOSERVER_SYS).
Volume objects are supported only on NetWare. Linux and UNIX file system partitions cannot be
managed using Volume objects.
What a Volume Object Represents
A Volume object represents a physical volume on a server, whether it is a writable disk, a CD, or
other storage medium. The Volume object in eDirectory does not contain information about the files
and directories on that volume, although you can access that information through iManager. File and
directory information is retained in the file system itself.
Usage
In iManager, click the Vo lu m e icon to manage files and directories on that volume. iManager
provides information about the volume’s free disk space, directory entry space, and compression
statistics.
You can also create Volume objects in the tree for NetWare 2 and NetWare 3 volumes.
Important Properties
In addition to the required Name and Host Server properties, there are other important Volume
properties.
Name
This is the name of the Volume object in the tree. By default, this name is derived from the
name of the physical volume, though you can change the object name.
Host Server
This is the server that the volume resides on.
30 Novell eDirectory 8.8 Administration Guide
Loading...