NetIQ eDirectory allows for easy, powerful, and flexible management of network resources. It also serves as a repository of user information for groupware and other applications. These applications access your directory through the industry-standard Lightweight Directory Access Protocol (LDAP).
eDirectory ease-of-management features include a powerful tree structure, an integrated management utility, and single login and authentication.
NetIQ iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins to iManager give you access to basic directory management tasks, and to the eDirectory management utilities you previously had to run on the eDirectory server, such as DSRepair, DSMerge, and Backup and Restore.
For more information, see the NetIQ iManager 2.7 Administration Guide.
NetIQ eDirectory organizes objects in a tree structure, beginning with the top Tree object, which bears the tree's name.
Whether your eDirectory servers are running Linux or Windows, all resources can be kept in the same tree. You won’t need to access a specific server or domain to create objects, grant rights, change passwords, or manage applications.
The hierarchical structure of the tree gives you great management flexibility and power. These benefits primarily result from the following two features:
Container objects allow you to manage other objects in sets, rather than individually. There are three common classes of container objects, as seen in Figure 1-2:
Figure 1-2 Common Classes of Container Objects
The Tree object is the top container object in the tree. It usually contains your company’s Organization object.
Organization is normally the first container class under the Tree object. The Organization object is typically named after your company. Small companies keep management simple by having all other objects directly under the Organization object.
Organizational Unit objects can be created under the Organization to represent distinct geographical regions, network campuses, or individual departments. You can also create Organizational Units under other Organizational Units to further subdivide the tree.
Other classes of container objects are Country and Locality, which are typically used only in multinational networks.
The Domain object can be created under the Tree object or under Organization, Organizational Unit, Country, and Locality objects.
You can perform one task on the container object that applies to all objects within the container. Suppose you want to give a user named Amy complete management control over all objects in the Accounting container, which contains the Database application, the Bookkeepers group, the LaserPrinter printer, and the users Amy, Bill, and Bob.
To do this, navigate to the View Objects tab in iManager and select the parent tree of the Accounting object in the left pane. In the right pane, select Accounting and then click Actions > Modify Trustees. Click Add Trustee and add Amy as a trustee. Next, click Assigned Rights and select the rights you want Amy to have. Now Amy has rights to manage the Database application, the Bookkeepers group, the LaserPrinter printer, and the users Bill and Bob, in addition to herself.
Another powerful feature of eDirectory is rights inheritance. Inheritance means that rights flow down to all containers in the tree. This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-3.
Figure 1-3 Sample eDirectory Objects
You could make any of the following assignments:
If you grant a user rights to Allentown, the user can manage only objects in the Allentown container.
If you grant a user rights to East, the user can manage objects in the East, Allentown, and Yorktown containers.
If you grant a user rights to YourCo, the user can manage any objects in any of the containers shown.
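The three assignments above follow one rule: a trustee assignment on a container is inherited by every container beneath it. The following added example (not code from the NetIQ guide) models that rule in Python using the container names from Figure 1-3; it assumes a constructed sibling container "West" under YourCo to show that a grant on East does not reach containers outside the East subtree, and it deliberately does not model Inherited Rights Filters or explicit per-object overrides.

```python
"""Simplified model of eDirectory rights inheritance (added example, not the
guide's own code). Assumption: a grant on a container applies to that container
and everything beneath it; no Inherited Rights Filters are modelled."""
from typing import Dict, List, Optional, Set

# Parent links for the containers named in Figure 1-3.
# "West" is a constructed sibling of East, added only to show that
# rights granted on East do not reach containers outside that subtree.
PARENT: Dict[str, Optional[str]] = {
    "YourCo": None,
    "East": "YourCo",
    "West": "YourCo",
    "Allentown": "East",
    "Yorktown": "East",
}

# Trustee assignments: container -> set of users granted management rights there.
Grants = Dict[str, Set[str]]


def ancestors(container: str) -> List[str]:
    """Return the container itself followed by every container above it."""
    chain: List[str] = []
    node: Optional[str] = container
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def can_manage(grants: Grants, user: str, container: str) -> bool:
    """True if the user holds a grant on the container or on any container above it."""
    return any(user in grants.get(c, set()) for c in ancestors(container))


def manageable_containers(grants: Grants, user: str) -> Set[str]:
    """Every container the user can manage once inheritance is applied."""
    return {c for c in PARENT if can_manage(grants, user, c)}


if __name__ == "__main__":
    # Constructed assignments mirroring the three cases in the text.
    grants: Grants = {"Allentown": {"amy"}, "East": {"bill"}, "YourCo": {"admin"}}
    for user in ("amy", "bill", "admin"):
        print(user, sorted(manageable_containers(grants, user)))
```

Reviewing which containers each trustee can actually reach is a quick least-privilege check: a grant placed one level too high silently covers every sibling subtree as well.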
For more information on assigning rights, see eDirectory Rights.
iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
To run iManager, you will need a workstation with Microsoft Internet Explorer 6.0 SP1 or later (recommended), Mozilla 1.7 or later, or Mozilla Firefox 0.9.2 or later.
IMPORTANT: While you might be able to access iManager through a Web browser not listed, we do not guarantee full functionality.
You can use iManager to perform the following supervisory tasks:
Configure LDAP- and XML-based access to eDirectory
Create objects representing network users, devices, and resources
Define templates for creating new user accounts
Find, modify, move, and delete network objects
Define rights and roles to delegate administrative authority
Extend the eDirectory schema to allow custom object types and properties
Partition and replicate the eDirectory database across multiple servers
Run eDirectory management utilities such as DSRepair, DSMerge, and Backup and Restore
You can use iManager to perform other management functions based on plug-ins that have been loaded into iManager. The following eDirectory plug-ins are bundled with iManager 2.7:
eDirectory Backup and Restore
eDirectory Log Files
eDirectory Merge
eDirectory Repair
eDirectory Service Manager
eGuide Content
iManager Base Content
Import Convert Export Wizard
Index Management
iPrint
LDAP
Universal Password Enforcement
Priority Sync
Encrypted Attributes
Encrypted Replication
NetIQ Licensing Services (NLS)
NetIQ Modular Authentication Service (NMAS)
PKI/Certificate
Filtered Replica Configuration Wizard
SNMP
WAN Traffic Manager
For more information on installing, configuring, and running iManager, see the NetIQ iManager 2.7 Administration Guide.
With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through authentication among domains.
A security feature of the directory is authentication of users. Before a user logs in, a User object must be created in the directory. The User object has certain properties, such as a name and password.
When the user logs in, eDirectory checks the password against the one stored in the directory for that user and grants access if they match.