17.1 Enabling EBA

This section describes how to enable EBA on eDirectory. Depending on the type of installation, follow the instructions in one of the following sections:

17.1.1 Enabling EBA on an eDirectory Tree

Enabling EBA on a New eDirectory Tree

To enable EBA on a new tree, perform one of the following actions depending on your platform:

  • Linux: To enable EBA while configuring a new eDirectory tree, run the ndsconfig new command with the --configure-eba-now argument at the command line.

    For example: ndsconfig new --configure-eba-now yes

    If this argument is not passed to the command, you are prompted to enable EBA. Enter yes or no at the prompt.

  • Windows: The installation program provides the option of enabling EBA during eDirectory configuration. To enable EBA, select the Enable EBA option during configuration.

    NOTE: eDirectory does not allow you to configure the ebaext.dlm and ebassl_srv.dlm modules for auto-startup on an EBA-enabled server, because the DS module loads them automatically when EBA is enabled on the server.

    If you load the ebaext.dlm and ebassl_srv.dlm modules on a server that is not EBA-enabled, the modules might load successfully, but EBA functionality will not work.

Enabling EBA on an Existing Tree

To enable EBA on an existing eDirectory tree, perform one of the following actions depending on your platform:

  • Linux: Run the ndsconfig upgrade command with the --configure-eba-now argument on one of the servers that holds a writable replica of the tree-root partition.

    For example: ndsconfig upgrade --configure-eba-now yes

  • Windows: Run setup.exe from the eDirectory 9.0 installation folder on one of the servers that holds a writable replica of the tree-root partition, and select the Enable EBA option during eDirectory configuration.

17.1.2 Enabling EBA on an eDirectory Server

When you enable EBA on an eDirectory server, a Certificate Signing Request (CSR) is sent to the EBA CA. The EBA CA validates the CSR, performs access control checks, and then issues the NCP CA certificate to the server. Before enabling EBA on a server, ensure that:

  • (Mandatory) A writable replica of the partition containing the administrator DN is present on an EBA-enabled server in the tree.

  • (Optional) A writable replica of the partition containing the server object is present on an EBA-enabled server in the tree. If this condition is not met, the EBA CA stores the CSR as pending and does not issue the NCP CA certificate, so eDirectory configuration fails until an administrator approves the CSR using the EBA plug-in of iManager. For more information, see Managing the EBA CA by Using iManager. After the CSR is approved, complete the EBA configuration by running the ndsconfig upgrade command. For example: ndsconfig upgrade --configure-eba-now yes

Enabling EBA When a New Server is Added

To enable EBA when a new server is added to a tree, perform one of the following actions depending on your platform:

  • Linux: Run the ndsconfig add command with the --configure-eba-now yes argument.

    For example: ndsconfig add --configure-eba-now yes

  • Windows: Run setup.exe from the eDirectory 9.0 installation folder and select the Enable EBA option during the eDirectory configuration.

Enabling EBA on a Configured Server

To enable EBA on a configured server, perform one of the following actions depending on your platform:

  • Linux: Run the ndsconfig upgrade command with the --configure-eba-now yes argument.

    For example: ndsconfig upgrade --configure-eba-now yes

  • Windows: Run setup.exe from the eDirectory 9.0 installation folder and select the Enable EBA option during the eDirectory configuration.

IMPORTANT: In addition to the server acting as the EBA CA, NetIQ recommends that you have at least one more EBA-enabled server that holds a Read/Write replica of the tree-root partition. If the server acting as the EBA CA goes down, that other EBA-enabled server can be configured to take over the EBA CA role. For more information, see Moving the EBA CA Role to a New Server.

17.1.3 Disabling EBA on an eDirectory Server

To disable EBA on a configured server, perform one of the following actions depending on your platform:

  • Linux:

    • Run the following commands to restart the eDirectory server with EBA disabled:

      ndsmanage stopall
      export DISABLE_EBA=true
      ndsmanage startall
    • Run the following commands to restart the eDirectory server with EBA enabled:

      ndsmanage stopall
      unset DISABLE_EBA
      ndsmanage startall

    NOTE: On RHEL 7.x and SLES 12.x, the eDirectory service is started by systemd and does not inherit variables exported in your shell session, so you must add all environment variables required by the eDirectory service (including DISABLE_EBA) to the env file located in the /etc/opt/novell/eDirectory/conf directory.

  • Windows: Go to Control Panel > System > Advanced System Settings > Environment Variables > System Variables > New. Add a new variable called DISABLE_EBA with value 1 and restart the server.

IMPORTANT: Disable EBA only for troubleshooting purposes. If EBA stays disabled for 7 days or more on the server that acts as the EBA CA, EBA functionality on the whole eDirectory tree breaks. For more information, see TID 7017232.
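The Linux procedure above toggles EBA through the DISABLE_EBA environment variable, and on the systemd platforms named in the NOTE the setting only takes effect if it lives in the eDirectory env file rather than in an interactive shell. The following script is an added example written for this page, not a NetIQ tool: it rewrites the env file idempotently (exactly one DISABLE_EBA=true line when disabling, none when re-enabling, other lines preserved) and then runs the documented ndsmanage stopall/startall sequence. The env file path is the one from the NOTE; the function names, the EBA_ENV_FILE and EBA_ACTION variables, and the skip-when-ndsmanage-is-missing behaviour are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling): persist the DISABLE_EBA setting in the
# eDirectory env file instead of relying on an exported shell variable, which a
# systemd-started ndsd on RHEL 7.x / SLES 12.x never sees.
# Assumptions: the env file path and KEY=VALUE line format come from the
# documentation note; EBA_ENV_FILE, EBA_ACTION and the helper names are hypothetical.

EBA_ENV_FILE="${EBA_ENV_FILE:-/etc/opt/novell/eDirectory/conf/env}"

# set_eba_disabled FILE true|false
# Rewrites FILE so it contains exactly one "DISABLE_EBA=true" line when
# disabling, and no DISABLE_EBA line at all when re-enabling. Every other
# line in the file is kept unchanged.
set_eba_disabled() {
    file="$1"; disable="$2"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # drop any existing DISABLE_EBA line, whether or not it was written with "export"
    grep -v '^\(export \)\{0,1\}DISABLE_EBA=' "$file" > "$tmp" || true
    if [ "$disable" = "true" ]; then
        echo "DISABLE_EBA=true" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# eba_disabled_in FILE
# Prints "true" if FILE currently disables EBA, otherwise "false".
eba_disabled_in() {
    if grep -q '^\(export \)\{0,1\}DISABLE_EBA=true$' "$1"; then
        echo true
    else
        echo false
    fi
}

# restart_edirectory
# The restart sequence from the documentation. When ndsmanage is not on PATH
# (for example when dry-running the script on a workstation) the restart is
# skipped and a message is written to stderr.
restart_edirectory() {
    if command -v ndsmanage >/dev/null 2>&1; then
        ndsmanage stopall
        ndsmanage startall
    else
        echo "ndsmanage not found; skipping eDirectory restart" >&2
    fi
}

# eba_toggle disable|enable
# Updates the env file and restarts eDirectory so the change takes effect.
eba_toggle() {
    case "$1" in
        disable) set_eba_disabled "$EBA_ENV_FILE" true ;;
        enable)  set_eba_disabled "$EBA_ENV_FILE" false ;;
        *) echo "usage: eba_toggle disable|enable" >&2; return 2 ;;
    esac
    restart_edirectory
}

# Run the toggle only when explicitly requested, e.g.
#   EBA_ACTION=disable sh eba_toggle.sh      (troubleshooting)
#   EBA_ACTION=enable  sh eba_toggle.sh      (restore EBA afterwards)
case "${EBA_ACTION:-}" in
    disable|enable) eba_toggle "$EBA_ACTION" ;;
esac
```

Keep the re-enable step in the same change window: the IMPORTANT note above applies regardless of how the variable was set, and a DISABLE_EBA line left in the env file survives reboots, so a forgotten troubleshooting toggle on the EBA CA server will cross the 7-day limit unnoticed.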