2.6 Installing eDirectory

The following sections provide information about installing NetIQ eDirectory on Linux:

2.6.1 Using SLP with eDirectory

In earlier releases of eDirectory, SLP was installed as part of the eDirectory installation. With eDirectory 8.8, you must install SLP separately before you install eDirectory.

If you plan to use SLP to resolve tree names, install and configure the protocol first, and make sure the SLP directory agents (DAs) are stable before you proceed.

  1. Install OpenSLP, if it is not already installed.

  2. Follow the on-screen instructions to complete the SLP installation.

  3. Start SLP manually as follows:

    /etc/init.d/slpd start
    

For more information, refer to Section C.0, Configuring OpenSLP for eDirectory.

Similarly, when you uninstall the SLP package, you need to stop SLP manually, as follows:

/etc/init.d/slpd stop

If you do not want to (or cannot) use SLP, you can use the flat file hosts.nds to resolve tree names to server referrals. hosts.nds also avoids SLP multicast delays when no SLP DA is present on the network.

hosts.nds is a static lookup table that eDirectory applications use to locate eDirectory partitions and servers. Each line of the file describes one tree or server and contains the following fields:

  • Tree/Server Name: Tree names end with a trailing dot (.).

  • Internet Address: This can be a DNS name or IP address.

  • Server Port: Optional, appended with a colon (:) to the Internet address.

The local server does not need an entry in this file unless it listens on a non-default NCP port.

The syntax followed in the hosts.nds file is as follows:

<[partition name.]tree name>.  <host-name/ip-addr>[:<port>]
<server name>  <dns-addr/ip-addr>[:<port>]

For example:

# This is an example of a hosts.nds file:
# Tree name             Internet address/DNS Resolvable Name
  CORPORATE.            myserver.mycompany.com
  novell.CORPORATE.     1.2.3.4:524

# Server name           Internet address
  CORPSERVER            myserver.mycompany.com

See the hosts.nds man page for more details.
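The following parser is an added example for this section; it is not part of the eDirectory product or its documentation. It implements the hosts.nds record syntax shown above (tree entries end with a dot and may carry a leading partition name, server entries do not, and the port is optional) and resolves a name to a host and port. The sample file is constructed from the example in the text. Three things are assumptions, not statements from the page: a referral without a :port suffix uses the default NCP port 524, addresses are DNS names or IPv4 literals, and a lookup for a partition-qualified tree name that has no entry of its own falls back to the plain tree entry.

```python
"""Parse and validate an eDirectory hosts.nds lookup table (added example, not eDirectory code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_NCP_PORT = 524  # assumption: used when a referral has no :port suffix

# Constructed sample file, mirroring the example in the text.
SAMPLE_HOSTS_NDS = """\
# This is an example of a hosts.nds file:
# Tree name             Internet address/DNS Resolvable Name
  CORPORATE.            myserver.mycompany.com
  novell.CORPORATE.     1.2.3.4:524

# Server name           Internet address
  CORPSERVER            myserver.mycompany.com
"""


@dataclass(frozen=True)
class Referral:
    kind: str       # "tree" (name ended with a dot) or "server"
    name: str       # tree or server name without the trailing dot
    partition: str  # leading partition name of a partition-qualified tree entry, else ""
    host: str
    port: int


def _split_host_port(addr: str) -> Tuple[str, int]:
    """Split host[:port]; the port is optional and must be 1..65535 (IPv4/DNS hosts only)."""
    if ":" not in addr:
        return addr, DEFAULT_NCP_PORT
    host, _, port_text = addr.rpartition(":")
    if not host or not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid address {addr!r}")
    return host, int(port_text)


def parse_hosts_nds(text: str) -> Dict[str, Referral]:
    """Return a table keyed by the name exactly as written ('CORPORATE.', 'CORPSERVER')."""
    table: Dict[str, Referral] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected <name> <address>, got {raw!r}")
        name, addr = fields
        if name.startswith("."):  # a name may not start with a dot
            raise ValueError(f"line {lineno}: name may not start with a dot: {name!r}")
        if name in table:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        host, port = _split_host_port(addr)
        if name.endswith("."):
            partition, _, tree = name[:-1].rpartition(".")
            table[name] = Referral("tree", tree, partition, host, port)
        else:
            table[name] = Referral("server", name, "", host, port)
    return table


def resolve(table: Dict[str, Referral], name: str) -> Tuple[str, int]:
    """Resolve a tree name (trailing dot) or a server name to (host, port).

    For a tree name, the exact (possibly partition-qualified) entry is tried first;
    then leading partition components are stripped until the plain tree entry matches.
    """
    candidate = name
    while True:
        if candidate in table:
            ref = table[candidate]
            return ref.host, ref.port
        if not candidate.endswith(".") or "." not in candidate[:-1]:
            raise KeyError(f"no referral for {name!r}")
        candidate = candidate.split(".", 1)[1]  # drop the leading partition component


if __name__ == "__main__":
    table = parse_hosts_nds(SAMPLE_HOSTS_NDS)
    for key, ref in table.items():
        print(f"{key:20} -> {ref.host}:{ref.port} ({ref.kind})")
    print("sales.CORPORATE. ->", resolve(table, "sales.CORPORATE."))
```

Run it against a real hosts.nds before deploying the file: a malformed line (a bad port, a name starting with a dot, a duplicate name) is rejected with the offending line number, which is easier to diagnose than a silent SLP fallback at tree-walk time.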

To check whether the eDirectory tree is being advertised through SLP, after eDirectory and SLP are installed, enter the following. Quote the argument so that the shell does not interpret the parentheses:

/usr/bin/slptool findattrs "services:ndap.novell///(svcname-ws==[treename or *])"

For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:

/usr/bin/slptool findattrs "services:ndap.novell///(svcname-ws==SAMPLE_TREE)"

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:

service:ndap.novell:///SAMPLE_TREE

If you do not have a service registered with its svcname-ws attribute as SAMPLE_TREE, there will be no output.

For more information, see Section C.0, Configuring OpenSLP for eDirectory.

2.6.2 Using the nds-install Utility to Install eDirectory Components

Use the nds-install utility to install eDirectory components on Linux systems. This utility is located in the Setup directory of the downloaded file for the Linux platform. The utility adds the required packages based on what components you choose to install.

  1. Enter the following command at the setup directory:

    ./nds-install
    

    If you do not provide the required parameters in the command line, the nds-install utility will prompt you for the parameters.

    The following table provides a description of the nds-install utility parameters:

    nds-install Parameter

    Description

    -h or --help

    Displays help for nds-install.

    -i

    Prevents the nds-install script from invoking the ndsconfig upgrade command if a DIB is detected at the time of the upgrade.

    -j

    Skips the health check that normally runs before eDirectory is installed. For more information about health checks, refer to Section B.0, eDirectory Health Checks.

    -m

    Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and NetIQ SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.

    -u

    Specifies the option to use in an unattended install mode.

    The installation program installs the following RPMs:

  2. If you are prompted, enter the complete path to the license file.

    You are prompted for the path only if the installation program cannot find the license file in one of the default locations: the /var directory, a mounted license diskette, or the current directory.

    If the path you entered is not valid, you will be prompted to enter the correct path.

  3. After the installation is complete, you need to update the following environment variables and export them. You can either do it manually or use a script.

    • Manually export the environment variables by entering the following commands:

      export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
      
      export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
      
      export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
      
    • Use the ndspath script to export the environment variables by performing the following steps:

      If you do not want to export the paths manually, you can use the /opt/novell/eDirectory/bin/ndspath script as follows:

      • Prefix the ndspath script to the utility and run the utility you want as follows:

        /opt/novell/eDirectory/bin/ndspath utility_name_with_parameters 
        

        NOTE:When you prefix the ndspath script to the commands with arguments, specify the arguments in double quotes.

        For example:

        /opt/novell/eDirectory/bin/ndspath ldapconfig "-s ldapTLSRequired=yes"
        
      • Export the paths in the current shell as follows:

        . /opt/novell/eDirectory/bin/ndspath
        

        After entering the above command, run the utilities as you would normally do.

      • Source the ndspath script at the end of /etc/profile, ~/.bashrc, or a similar startup script, so that the utilities are available whenever you log in or open a new shell.

You can use the ndsconfig utility to configure eDirectory Server after installation.

NetIQ Modular Authentication Service (NMAS) is installed as part of the server component. By default, ndsconfig configures NMAS. You can also use the nmasinst utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.

For more information on the ndsconfig utility, see The ndsconfig Utility.

For more information on the nmasinst utility, see Using the nmasinst Utility to Configure NMAS.

NOTE:After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see Backing Up and Restoring NetIQ eDirectory, in the NetIQ eDirectory 8.8 SP8 Administration Guide.

2.6.3 Non-root User Installing eDirectory 8.8

A non-root user can install eDirectory 8.8 using the tarball.

Prerequisites

  • If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to Installing NICI.

  • Ensure that the SNMP subagent is installed, using the command rpm -ivh --nodeps <path of snmp subagent rpm>.

  • If you want to use SLP and SNMP, ensure that they are installed by the root user.

  • Write rights to the directory where you want to install eDirectory.

    If you are a non-administrator user, ensure that you have the appropriate rights as mentioned in the Section 2.2, Prerequisites section.

Installing NICI

NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used system-wide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.

With eDirectory 8.8 SP3 or later versions, 32- and 64-bit applications can coexist on a single system. This requires installing both the 32- and 64-bit versions of NICI.

Root User Installing NICI

To install NICI, enter both of the following commands:

32-bit: rpm -ivh NICI_rpm_absolute_path/nici-2.7.7-0.02.i586.rpm

64-bit: rpm -ivh NICI_rpm_absolute_path/nici64-2.7.7-0.02.x86_64.rpm

Non-root User Installing NICI

Non-root users can use the sudo utility to install NICI. sudo (superuser do) lets root grant specific users the ability to run specific commands as root. Root grants this by adding the appropriate entries to the /etc/sudoers configuration file.

For more information, refer to the sudo Website.

WARNING:sudo gives limited root permissions to non-root users, so you must understand the security implications before proceeding. In particular, the rule below lets the user run /bin/rpm with any arguments as root, which is effectively full root access: the user can install or remove any package, including one whose install scripts run arbitrary commands. Restrict the rule to the NICI package paths (sudoers accepts command arguments, including wildcards, after the command path), and remove the entry once the installation is complete.

A root user needs to complete the following procedure to enable a non-root user (for example, john) to install NICI:

  1. Log in as root.

  2. Edit the /etc/sudoers configuration file using the visudo command.

    NOTE:There is no space between vi and sudo in the command.

    Make an entry with the following information:

    Username   hostname=(root) NOPASSWD: /bin/rpm
    

    For example, to enable user “john” to run /bin/rpm as root on the hostname “lnx-2,” type the following:

    john     lnx-2=(root) NOPASSWD: /bin/rpm
    

A non-root user (“john,” in this example) needs to do the following to install NICI:

  1. Log in as “john” and execute the following command:

    sudo rpm -ivh nici_rpm_file_name_with_path
    

    For example:

    sudo rpm -ivh /88/Linux/Linux/setup/nici-2.7.7-5.i386.rpm
    
  2. To initialize NICI, enter the following:

    ln -sf /var/opt/novell/nici /var/novell/nici
    

    To ensure that NICI is set to server mode, enter the following:

    /var/opt/novell/nici/set_server_mode
    

NICI gets installed in the server mode.

Configuring User Services on SLES 12 and RHEL 7

To support services for non-root users on these platforms, start the systemd user instance for that user as a one-time activity.

Running the service under systemd as a non-root user has the following advantages:

  • A system administrator can monitor the service.

  • The computer starts the service on reboot.

To start systemd specific to a user, run the following command:

systemctl start user@<uid>.service

where uid is the numeric user ID of the user (id -u username prints it).

For example, systemctl start user@1001.service

Installing eDirectory

  1. Go to the directory where you want to install eDirectory.

  2. Untar the tar file as follows:

    tar xvf tar_file_name_with_path
    

    The etc, opt, and var directories are created.

  3. Export the paths as follows:

    • Manually export the environment variables by entering the following commands:

      export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib64:custom_location/eDirectory/opt/novell/eDirectory/lib64/nds-modules:custom_location/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH
      
      export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
      
      export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
      
      export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
      

    • Use the ndspath script to export the environment variables. If you do not want to export the paths manually, you can use the custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath script in either of the following ways:

      • Prefix the ndspath script to the utility you want to run:

        custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters 
        
      • Export the paths in the current shell as follows:

        . custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath
        

        NOTE:Ensure that you enter the above commands from the custom_location/eDirectory/opt directory.

        After entering the above commands, run the utilities as you would normally do.

      • Source the ndspath script from your ~/.profile, ~/.bashrc, or a similar startup script, so that the utilities are available whenever you log in or open a new shell.

  4. Configure eDirectory in the usual manner.

    You can configure eDirectory in any of the following ways:

    • Use the ndsconfig utility as follows:

      ndsconfig new [-t <treename>] [-n <server_context>] [-a <admin_FDN>] [-w <admin password>] [-i] [-S <server_name>] [-d <path_for_dib>] [-m <module>] [-e] [-L <ldap_port>] [-l <SSL_port>] [-o <http_port>] [-O <https_port>] [-p <IP address:[port]>] [-c] [-b <port_to_bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]
      

      For example:

      ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
      

      The port numbers you enter must be in the range 1024 to 65535. Ports below 1024 are privileged and can be bound only by the super-user (root), so a non-root instance cannot listen on the default NCP port 524.

      This might cause the following applications to break:

      • Applications that have no option to specify the target server's port and therefore assume 524.

      • Older NCP applications that run as root and expect the server on port 524.

    • Use the ndsmanage utility to configure a new instance. For more information, refer to the Creating an Instance through ndsmanage.

    Follow the on-screen instructions to complete the configuration.

    For more information, see Section 2.6.4, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server.

NOTE:After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see Backing Up and Restoring NetIQ eDirectory, in the NetIQ eDirectory 8.8 SP8 Administration Guide.

2.6.4 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

After installing eDirectory, configure the eDirectory replica server using the ndsconfig utility. You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see The ndsconfig Utility.

Prerequisite for Configuring eDirectory in a Specific Locale

If you want to configure eDirectory in a specific locale, you need to export LC_ALL and LANG to that particular locale before eDirectory configuration. For example, to configure eDirectory in the Japanese locale, enter the following:

export LC_ALL=ja

export LANG=ja

Creating A New Tree

Use the following syntax:

ndsconfig new [-t <treename>] [-n <server context>] [-a <admin FDN>] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-p <IP address:[port]>] [-R] [-c] [-w <admin password>] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context.

There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:

  • tree_name: 32 characters

  • admin FDN: 255 characters

  • server FDN: 255 characters

If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

Or, you can also use the following syntax:

ndsconfig def [-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-c] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-D <custom_location>] [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

For example, to create a new tree, you could enter the following command:

ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

Adding a Server into an Existing Tree

Use the following syntax:

ndsconfig add [-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-e] [-P <LDAP URL(s)>][-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-S <server name>] [-d <path for dib>] [-m <module>] [-p <IP address:[port]>] [-R] [-c] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>] [-E]

A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.

LDAP and security services can also be added after eDirectory has been installed into the existing tree.

For example, to add a server into an existing tree, you could enter the following command:

ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1

You can enable encrypted replication in the server you want to add using the -E option. For more information on encrypted replication, see Encrypted Replication in the NetIQ eDirectory 8.8 SP8 Administration Guide.

Removing a Server Object And Directory Services From a Tree

Use the following syntax:

ndsconfig rm [-a <admin FDN>] [-w <admin password>] [-p <IP address:[port]>] [-c] 

eDirectory and its database are removed from the server.

NOTE:The HTML files created using iMonitor will not be removed. You must manually remove these files from /var/opt/novell/eDirectory/data/dsreports before removing eDirectory.

For example, to remove the eDirectory Server object and directory services from a tree, you could enter the following command:

ndsconfig rm -a cn=admin.o=company

ndsconfig Utility Parameters

ndsconfig Parameter

Description

new

Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

def

Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

add

Adds a server into an existing tree. Also adds LDAP and SAS services, after eDirectory has been configured in the existing tree.

rm

Removes the Server object and directory services from a tree.

NOTE:This option does not remove the key material objects. These objects must be removed manually.

upgrade

Upgrades eDirectory to a later version.

-i

While configuring a new tree, ignores checking whether a tree of the same name exists. Multiple trees of the same name can exist.

-S server name

Specifies the server name. The server name can also contain dots (for example, netiq.com). Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes.

For example, to install a new eDirectory tree on a Linux server using netiq.com as the name of the O, use the following command:

ndsconfig new -a "admin.novell\\.com" -t netiq_tree -n "OU=servers.O=netiq\\.com"

The Admin name and context and the server context parameters are enclosed in double quotes, and only the '.' in netiq.com is escaped using the '\\' (backslash) character. You can also use this format when installing a server into an existing tree.

NOTE:You cannot start a name with a dot. For example, you cannot install a server that has the name “.novell”, because it starts with a dot ('.').

-t treename

The tree name to which the server has to be added. It can have a maximum of 32 characters. If not specified, ndsconfig takes the tree name from the n4u.nds.tree-name parameter that is specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The default treename is $LOGNAME-$HOSTNAME-NDStree.

-n server context

Specifies the context of the server in which the server object is added. It can have a maximum of 64 characters. If the context is not specified, ndsconfig takes the context from the configuration parameter n4u.nds.server-context specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The server context should be specified in the typed form. The default context is org.

-d path for dib

The directory path where the database files will be stored.

-r

Forcefully adds a replica to this server, regardless of the number of servers that already hold one.

-L ldap_port

Specifies the TCP port number on the LDAP server. If the default port 389 is already in use, it prompts for a new port.

-l ssl_port

Specifies the SSL port number on the LDAP server. If the default port 636 is already in use, it prompts for a new port.

-a admin FDN

Specifies the fully distinguished name of the User object with Supervisor rights to the context in which the server object and Directory services are to be created. The admin name should be specified in the typed form. It can have a maximum of 64 characters. The default admin name is admin.org.

-e

Enables clear text passwords for LDAP objects, that is, allows LDAP simple binds to send the password without TLS. Leave this disabled unless every client connects over LDAPS or uses StartTLS; otherwise credentials cross the network in the clear.

-m modulename

Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and NetIQ SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.

NOTE:If you do not want to configure the SecretStore during eDirectory upgrade through nds-install, pass the no_ss value to this option. For example, nds-install '-m no_ss'.

-o

Specifies the HTTP clear port number.

-O

Specifies the HTTP secure port number.

-p <IP address:[port]>

This option is used for secondary server addition (add command) to a tree. It specifies the IP address of the remote host that holds a replica of the partition to which this server is being added. The default port number is 524. This helps in faster lookup of the tree since it avoids SLP lookup.

-R

By default a replica of the partition to which the server is added would be replicated to the local server. This option disallows adding replicas to the local server.

-c

This option avoids prompts during ndsconfig operation, such as yes/no to continue the operation, or prompt to re-enter port numbers when there is a conflict, etc. The user receives prompts only for entering mandatory parameters if they are not passed on command line.

-w <admin password>

This option passes the admin user password in clear text on the command line.

NOTE:A password passed this way is visible to other users in the process list (ps) and is recorded in the shell history, so this option is not recommended. Omit -w and let ndsconfig prompt for the password.

-E

Enables encrypted replication for the server you are trying to add.

-j

Skips the health check that normally runs before eDirectory is installed.

-b port to bind

Sets the default port number on which a particular instance should listen on. This sets the default port number on n4u.server.tcp-port and n4u.server.udp-port. If an NCP port is passed using the -b option, then it is assumed to be the default port and the TCP and UDP parameters are updated accordingly.

NOTE:-b and -B are mutually exclusive.

-B interface1@port1, interface2@port2,...

Specifies the port number along with the IP address or interface. For example:

-B eth0@524

or

-B 100.1.1.2@524

NOTE:-b and -B are mutually exclusive.

--config-file configuration file

Specify the absolute path and file name to store the nds.conf configuration file. For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, enter --config-file /etc/opt/novell/eDirectory/nds.conf.

-P <LDAP URL(s)>

Allows the LDAP URLs to configure the LDAP interface on the LDAP Server object.

For example: -P ldap://1.2.3.4:1389,ldaps://1.2.3.4:1636

-D path_for_data

Creates the data, dib, and log directories in the path mentioned.

set valuelist

Sets the value for the specified eDirectory configurable parameters. It is used to set the bootstrapping parameters before configuring a tree. When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. However, for some configuration parameters, ndsd need not be restarted.

These parameters are listed below:

  • n4u.nds.inactivity-synchronization-interval

  • n4u.nds.synchronization-restrictions

  • n4u.nds.janitor-interval

  • n4u.nds.backlink-interval

  • n4u.nds.drl-interval

  • n4u.nds.flatcleaning-interval

  • n4u.nds.server-state-up-threshold

  • n4u.nds.heartbeat-schema

  • n4u.nds.heartbeat-data

get help paramlist

Use to view the help strings for the specified eDirectory configurable parameters. If the parameter list is not specified, ndsconfig lists the help strings for all the eDirectory configurable parameters.

get paramlist

Use to view the current value of the specified eDirectory configurable parameters. If the parameter list is not specified, ndsconfig lists all the eDirectory configurable parameters.

2.6.5 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8

You can configure multiple instances of eDirectory 8.8 on a single host. With the multiple instances feature support in eDirectory 8.8, you can configure the following:

  • Multiple instances of eDirectory on a single host

  • Multiple trees on a single host

  • Multiple replicas of the same tree or partition on a single host

The following table lists the platforms that support multiple instances:

Feature                       Linux    Windows
Multiple instances support

The method to configure multiple instance is similar to configuring a single instance multiple times. Each instance should have unique instance identifiers, such as the following:

  • Different data and log file location

    You can use the ndsconfig --config-file, -d, and -D options to do this.

  • Unique port number for the instance to listen to

    You can use the ndsconfig -b and -B options to do this.

  • Unique server name for the instance

    You can use the ndsconfig -S server name option to do this.

    IMPORTANT:During eDirectory configuration, the default NCP server name is set as the host server name. When configuring multiple instances, you must change NCP server name. Use the ndsconfig command line option, -S <server_name> to specify a different server name.

    When configuring multiple instances, either on the same tree or on different trees, the NCP server name should be unique.

Need for Multiple Instances

Multiple instances arose from the need to:

  • Leverage high-end hardware by configuring more than one instance of eDirectory.

  • Pilot your setup on a single host before investing on the required hardware.

Sample Scenarios for Deploying Multiple Instances

Multiple instances that belong to the same or multiple trees can be used in the following scenarios effectively.

eDirectory in a Large Enterprise

  • In large enterprises, you can provide load balancing and high availability of eDirectory services.

    For example, if you have three replica servers running LDAP services on ports 1524, 2524, and 3524, respectively, you can configure a new instance of eDirectory and provide a high-availability LDAP service on a new port 636.

  • You can leverage high-end hardware across departments in an organization by configuring multiple instances on a single host.

eDirectory in an Evaluation Setup

  • Universities: Many enthusiasts (students) can evaluate eDirectory from the same host using the multiple instances.

  • Training for eDirectory administration:

    • Participants can try out administration using the multiple instances.

    • Instructors can use a single host to teach a class of students. Each student can have their own tree.

Using Multiple Instances

eDirectory 8.8 makes it very easy for you to configure multiple instances. To effectively use multiple instances, you need to plan the setup and then configure the multiple instances.

Planning the Setup

To use this feature effectively, we recommend that you plan the eDirectory instances and ensure that each instance has definite instance identifiers like the hostname, port number, server name, or the configuration file.

While configuring multiple instances, you need to ensure that you have planned for the following:

  • Location of the configuration file

  • Location of the variable data (like log files)

  • Location of the DIB

  • NCP™ interface, unique identifying port for every instance, and ports of other services (like LDAP, LDAPS, HTTP, and HTTP secure port)

  • Unique server name for every instance

Configuring Multiple Instances

You can configure multiple instances of eDirectory using the ndsconfig utility. The following table lists the ndsconfig options you need to include when configuring multiple instances.

NOTE:All the instances on a host share the same server key (NICI). Separate instances therefore do not give you separate key material; do not rely on them as a security boundary between tenants.

Option

Description

--config-file

Specifies the absolute path and filename to store the nds.conf configuration file.

For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, use --config-file /etc/opt/novell/eDirectory/nds.conf.

-b

Specifies the port number where the new instance should listen.

NOTE:-b and -B are mutually exclusive.

-B

Specifies the port number along with the IP address or interface. For example:

-B eth0@524

or

-B 100.1.1.2@524

NOTE:-b and -B are mutually exclusive.

-D

Creates the data, dib, and log directories in the path specified for the new instance.

-S

Specifies the server name.

Using the above-mentioned options, you can configure a new instance of eDirectory.
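The following planner is an added example for this section (it also covers the planning checklist under Planning the Setup); it is not eDirectory's own code or documentation. It encodes the identifiers the text requires to be unique per instance (--config-file, -d, -D, -S, and the NCP port given with -b or -B, which are mutually exclusive), applies the rule that a non-root instance may only use ports 1024 to 65535, and builds the ndsconfig command line for each instance without ever passing -w. The two instances in PLANS are constructed; the -B handling assumes two instances may reuse a port number only when bound to different named interfaces.

```python
"""Plan eDirectory instances on one host and build their ndsconfig argv (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InstancePlan:
    server_name: str                      # -S
    config_file: str                      # --config-file
    dib_path: str                         # -d
    data_path: str                        # -D
    ldap_port: int                        # -L
    ldaps_port: int                       # -l
    http_port: int                        # -o
    https_port: int                       # -O
    ncp_port: Optional[int] = None        # -b (listens on all interfaces)
    ncp_interfaces: Tuple[str, ...] = ()  # -B entries such as "eth0@524"


def _binds(plan: InstancePlan) -> List[Tuple[str, int]]:
    """Every (interface, port) the instance would listen on; '*' means all interfaces."""
    binds: List[Tuple[str, int]] = []
    if plan.ncp_port is not None:
        binds.append(("*", plan.ncp_port))
    for spec in plan.ncp_interfaces:
        iface, sep, port = spec.partition("@")
        if not sep or not port.isdigit():
            raise ValueError(f"{plan.server_name}: -B entry must be interface@port, got {spec!r}")
        binds.append((iface, int(port)))
    binds += [("*", p) for p in (plan.ldap_port, plan.ldaps_port, plan.http_port, plan.https_port)]
    return binds


def validate_plan(plans: List[InstancePlan], non_root: bool) -> List[str]:
    """Return the conflicts found; an empty list means the plan is consistent."""
    problems: List[str] = []
    uses: Dict[str, Dict[str, List[int]]] = {f: {} for f in ("-S", "--config-file", "-d", "-D")}
    taken: List[Tuple[str, int, str]] = []  # (interface, port, owning instance)
    for idx, plan in enumerate(plans):
        if (plan.ncp_port is None) == (len(plan.ncp_interfaces) == 0):
            problems.append(f"{plan.server_name}: specify exactly one of -b or -B")
        for flag, value in (("-S", plan.server_name), ("--config-file", plan.config_file),
                            ("-d", plan.dib_path), ("-D", plan.data_path)):
            uses[flag].setdefault(value, []).append(idx)
        for iface, port in _binds(plan):
            if not 1 <= port <= 65535:
                problems.append(f"{plan.server_name}: port {port} is out of range")
            elif non_root and port < 1024:
                problems.append(f"{plan.server_name}: port {port} is privileged; "
                                "a non-root instance must use 1024-65535")
            for other_iface, other_port, owner in taken:
                if port == other_port and ("*" in (iface, other_iface) or iface == other_iface):
                    problems.append(f"{plan.server_name}: port {port} on {iface} conflicts with {owner}")
            taken.append((iface, port, plan.server_name))
    for flag, values in uses.items():  # identifiers that must be unique per instance
        for value, idxs in values.items():
            if len(idxs) > 1:
                problems.append(f"{flag} {value!r} is used by instances {idxs}")
    return problems


def ndsconfig_command(plan: InstancePlan, mode: str, tree: str, context: str, admin: str) -> List[str]:
    """Build the ndsconfig argv for 'new' (create a tree) or 'add' (join an existing tree).

    -w is never emitted: a password on the command line is visible in the process list
    and the shell history, so ndsconfig is left to prompt for it.
    """
    if mode not in ("new", "add"):
        raise ValueError("mode must be 'new' or 'add'")
    argv = ["ndsconfig", mode, "-t", tree, "-n", context, "-a", admin,
            "-S", plan.server_name, "-d", plan.dib_path, "-D", plan.data_path,
            "--config-file", plan.config_file, "-L", str(plan.ldap_port),
            "-l", str(plan.ldaps_port), "-o", str(plan.http_port), "-O", str(plan.https_port)]
    if plan.ncp_port is not None:
        argv += ["-b", str(plan.ncp_port)]
    else:
        argv += ["-B", ",".join(plan.ncp_interfaces)]
    return argv


# Constructed plans for two non-root instances, one port block each.
PLANS = [
    InstancePlan("inst1", "/home/mary/inst1/nds.conf", "/home/mary/inst1/data", "/home/mary/inst1/var",
                 ldap_port=1026, ldaps_port=1027, http_port=1028, https_port=1029, ncp_port=1025),
    InstancePlan("inst2", "/home/mary/inst2/nds.conf", "/home/mary/inst2/data", "/home/mary/inst2/var",
                 ldap_port=2026, ldaps_port=2027, http_port=2028, https_port=2029,
                 ncp_interfaces=("eth0@2025",)),
]

if __name__ == "__main__":
    import shlex
    for problem in validate_plan(PLANS, non_root=True):
        print("conflict:", problem)
    print(shlex.join(ndsconfig_command(PLANS[0], "new", "mary-tree", "novell", "admin.novell")))
    print(shlex.join(ndsconfig_command(PLANS[1], "add", "mary-tree", "novell", "admin.novell")))
```

Run validate_plan over the full set of instances you intend to host before configuring the first one: a second instance that reuses a config file, a DIB path or a port is only discovered by ndsconfig at configuration time, after the first instance is already running.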

You can also configure a new instance using the ndsmanage utility. For more information, refer to Creating an Instance through ndsmanage.

Managing Multiple Instances

The ndsmanage Utility

The ndsmanage utility enables you to do the following:

Listing the Instances

The following table describes how to list the eDirectory instances.

Table 2-1 ndsmanage Usage for Listing the Instances

Syntax

Description

ndsmanage

Lists all the instances configured by you.

ndsmanage -a|--all

List instances of all the users who are using a particular installation of eDirectory.

ndsmanage username

List the instances configured by a specific user

The following fields are displayed for every instance:

  • Configuration file path

  • Server FDN and port

  • Status (whether the instance is active or inactive)

NOTE:This utility lists all the instances configured for a single binary.

Refer to Figure 2-1 for more information.

Creating an Instance through ndsmanage

To create a new instance through ndsmanage:

  1. Enter the following command:

    ndsmanage
    

    If you have two instances configured, the following screen is displayed:

    Figure 2-1 ndsmanage Utility Output Screen

  2. Enter c to create a new instance.

    You can either create a new tree or add a server to an existing tree. Follow the instructions on the screen to create a new instance.

Performing Operations for a Specific Instance

You can perform the following operations for every instance:

In addition to the operations listed below, you can also run DSTrace for a selected instance.

Starting a Specific Instance

To start an instance configured by you, do the following:

  1. Enter the following:

    ndsmanage
    
  2. Select the instance you want to start.

    The menu expands to include the options you can perform on a specific instance.

    Figure 2-2 ndsmanage Utility Output Screen with Instance Options

  3. Enter s to start the instance.

Alternatively, enter the following at the command prompt:

ndsmanage start --config-file configuration_file_of_the_instance_configured_by_you

Stopping a Specific Instance

To stop an instance configured by you, do the following:

  1. Enter the following:

    ndsmanage
    
  2. Select the instance you want to stop.

    The menu expands to include the options you can perform on a specific instance. For more information, refer to ndsmanage Utility Output Screen with Instance Options.

  3. Enter k to stop the instance.

Alternatively, enter the following at the command prompt:

ndsmanage stop --config-file configuration_file_of_the_instance_configured_by_you

Deconfiguring an Instance

To deconfigure an instance, do the following:

  1. Enter the following:

    ndsmanage
    
  2. Select the instance you want to deconfigure.

    The menu expands to include the options you can perform on a specific instance. For more information, refer to ndsmanage Utility Output Screen with Instance Options.

  3. Enter d to deconfigure the instance.

Starting and Stopping All Instances

You can start and stop all the instances configured by you.

Starting all the Instances

To start all the instances configured by you, enter the following at the command prompt:

ndsmanage startall

To start a specific instance, refer to Starting a Specific Instance.

Identifying a Specific Instance

While configuring multiple instances, you assign a hostname, port number, and a unique configuration file path to every instance. The hostname and port number, or the configuration file path, are the instance identifiers.

Most of the utilities have the -h hostname:port or --config-file configuration_file_location option that enables you to specify a particular instance. See the man pages of the utilities for more information.

Invoking a Utility for a Specific Instance

If you want to run a utility for a specific instance, you need to include the instance identifier in the utility command. The instance identifiers are the path of the configuration file, and the hostname and port number. You can use the --config-file configuration_file_location or the -h hostname:port to do so.

If you do not include the instance identifiers in the command, the utility displays the various instances you own and prompts you to select the instance you want to run the utility for.

For example, to run DSTrace for a specific instance using the --config-file option, you would enter the following:

ndstrace --config-file configuration_filename_with_location

Sample Scenario for Multiple Instances

Mary is a non-root user who wants to configure two trees on a single host machine for a single binary.

Planning the Setup

Mary specifies the following instance identifiers.

  • Instance 1:

    Port number the instance should listen on: 1524

    Configuration file path: /home/mary/inst1/nds.conf

    DIB directory: /home/mary/inst1/var

  • Instance 2:

    Port number the instance should listen on: 2524

    Configuration file path: /home/mary/inst2/nds.conf

    DIB directory: /home/mary/inst2/var

Configuring the Instances

To configure the instances based on the above-mentioned instance identifiers, Mary must enter the following commands.

  • Instance 1:

    ndsconfig new -t mytree -n o=novell -a cn=admin.o=company -b 1524 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

  • Instance 2:

    ndsconfig new -t corptree -n o=novell -a cn=admin.o=company -b 2524 -D /home/mary/inst2/var --config-file /home/mary/inst2/nds.conf
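The scenario above works because Mary's two instances differ in every identifier (NCP port, nds.conf path, DIB directory). The following is an added example, not part of the eDirectory documentation, that checks a constructed instance table for such collisions before printing the corresponding ndsconfig commands. The table format, the fixed o=novell context and the dry-run behaviour (commands are printed, never executed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the eDirectory documentation): plan several
# eDirectory instances for one user and refuse to continue if two of them
# would collide on the NCP port, the nds.conf path, or the DIB directory.
# The script only prints the ndsconfig commands; it never runs them.

# Constructed instance table, one instance per line:
#   tree   admin_fdn           port  config_file                 dib_dir
INSTANCES='
mytree   cn=admin.o=company 1524 /home/mary/inst1/nds.conf /home/mary/inst1/var
corptree cn=admin.o=company 2524 /home/mary/inst2/nds.conf /home/mary/inst2/var
'

# check_unique COLUMN: succeed if every instance has a distinct value in that
# column; otherwise name the duplicate value and fail.
check_unique() {
    printf '%s\n' "$INSTANCES" | awk -v col="$1" '
        BEGIN { bad = 0 }
        NF == 0 { next }
        seen[$col]++ { print "duplicate value: " $col; bad = 1 }
        END { exit bad }'
}

# plan_instances: validate the table, then print one "ndsconfig new" command
# per instance (-b port, -D DIB directory, --config-file nds.conf path).
plan_instances() {
    check_unique 3 || return 1   # NCP port (-b) must be unique per instance
    check_unique 4 || return 1   # --config-file path must be unique
    check_unique 5 || return 1   # -D DIB directory must be unique
    printf '%s\n' "$INSTANCES" | awk 'NF == 5 {
        printf "ndsconfig new -t %s -n o=novell -a %s -b %s -D %s --config-file %s\n",
               $1, $2, $3, $5, $4 }'
}

plan_instances
```

Run as a non-root user, this prints exactly the two commands Mary enters in the scenario; change one port or path so that it duplicates another instance, and the script reports the duplicate and exits non-zero instead of printing anything.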
    
Invoking a Utility for an Instance

If Mary wants to run the DSTrace utility for instance 1, which listens on port 1524, has its configuration file at /home/mary/inst1/nds.conf, and has its DIB located in /home/mary/inst1/var, she can run the utility as follows:

ndstrace --config-file /home/mary/inst1/nds.conf

or

ndstrace -h 164.99.146.109:1524

If Mary does not specify the instance identifiers, the utility displays all the instances owned by Mary and prompts her to select an instance.

Listing the Instances

If Mary wants to know details about the instances in the host, she can run the ndsmanage utility.

  • To display all instances owned by Mary:

    ndsmanage
    
  • To display all instances owned by John (username is john):

    ndsmanage john
    
  • To display all instances of all users that are using a particular installation of eDirectory:

    ndsmanage -a
    

2.6.6 Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers

You can use ndsconfig to install a Linux server into an eDirectory tree that has containers using dotted names (for example, novell.com).

Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on a Linux server using "O=netiq.com" as the name of the O, use the following command:

ndsconfig new -a "admin.netiq\.com" -t netiq_tree -n "OU=servers.O=netiq\.com"

The Admin name and context and the server context parameters are enclosed in double quotes, and only the dot ('.') in netiq.com is escaped using the '\' (backslash) character.

You can also use this format when installing a server into an existing tree.

NOTE: You should use this format when entering a dotted admin name and context with utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.
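Building the escaped form by hand is error-prone when several components carry dots. The following is an added example, not part of the eDirectory documentation, that escapes the dots inside each naming component and joins the components with the separator dot, then prints the double-quoted ndsconfig command. The helper names and the netiq.com values are this example's own; the command is printed, not executed.

```shell
#!/bin/sh
# Added example (not from the eDirectory documentation): build the escaped,
# double-quoted name arguments that ndsconfig and the other eDirectory
# utilities need when a container name itself contains a dot.

# escape_dots NAME: backslash-escape every dot inside one naming component
# so it is not read as a context separator.   netiq.com -> netiq\.com
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# join_context COMPONENT...: escape each component and join them with the
# separator dot.   "OU=servers" "O=netiq.com" -> OU=servers.O=netiq\.com
join_context() {
    ctx=""
    for part in "$@"; do
        part=$(escape_dots "$part")
        if [ -z "$ctx" ]; then ctx="$part"; else ctx="$ctx.$part"; fi
    done
    printf '%s' "$ctx"
}

# ndsconfig_new_cmd TREE ADMIN_CTX SERVER_CTX: print the ndsconfig command
# with both dotted contexts enclosed in double quotes. Printed, not executed.
ndsconfig_new_cmd() {
    printf 'ndsconfig new -a "%s" -t %s -n "%s"\n' "$2" "$1" "$3"
}

# Constructed input matching the documentation's netiq.com example.
admin_ctx=$(join_context admin netiq.com)
server_ctx=$(join_context OU=servers O=netiq.com)
ndsconfig_new_cmd netiq_tree "$admin_ctx" "$server_ctx"
```

Inside double quotes, bash keeps a backslash that precedes an ordinary character such as '.', so the utility receives netiq\.com exactly as printed; that is why the documentation asks for double quotes rather than leaving the arguments unquoted.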

2.6.7 Using the nmasinst Utility to Configure NMAS

By default, ndsconfig configures NMAS. You can also use nmasinst to configure NMAS.

ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.

IMPORTANT: You must configure eDirectory with ndsconfig before you install the NMAS login methods. You must also have administrative rights to the tree.

Configuring NMAS

By default, ndsconfig configures NMAS. You can also use nmasinst for the same.

To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:

nmasinst -i admin.context tree_name

nmasinst prompts you for a password.

This command creates the objects in the Security container that NMAS needs, and installs the LDAP extensions for NMAS on the LDAP Server object in eDirectory.

The first time NMAS is installed in a tree, it must be installed by a user with enough rights to create objects in the Security container. However, subsequent installs can be done by container administrators with read-only rights to the Security container. nmasinst will verify that the NMAS objects exist in the Security container before it tries to create them.

nmasinst does not extend the schema. The NMAS schema is installed as part of the base eDirectory schema.

Installing Login Methods

To install login methods using nmasinst, enter the following at the server console command line:

nmasinst -addmethod admin.context tree_name config.txt_path

The last parameter specifies the config.txt file for the login method that is to be installed. A config.txt file is provided with each login method.

Here is an example of the -addmethod command:

nmasinst -addmethod admin.netiq MY_TREE "./nmas-methods/novell/Simple Password/config.txt"

If the login method already exists, nmasinst will update it.

For more information, see “Managing Login and Post-Login Methods and Sequences” in the NetIQ Modular Authentication Services 3.3 Administration Guide.

2.6.8 Non-root user SNMP configuration

NICI and NOVLsubag should be installed as the root user.

  1. Install NICI as the root user. Refer to Root User Installing NICI.

  2. Install NOVLsubag as the root user.

    To install NOVLsubag, complete the following procedure:

    Enter the following command:

    rpm -ivh --nodeps NOVLsubag_rpm_file_name_with_path
    

    For example:

    rpm -ivh --nodeps novell-NOVLsubag-8.8.1-5.i386.rpm
    
  3. Export the paths as follows:

    Manually export the environment variables.

    export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
    export PATH=/opt/novell/eDirectory/bin:$PATH
    export MANPATH=/opt/novell/man:$MANPATH