After installing the Identity Vault, you can use the ndsconfig utility to configure the Identity Vault. You must have Administrator rights to use the ndsconfig utility. When you use this utility with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If you use the utility without arguments, ndsconfig displays a description of the utility and available options.
You can also use this utility to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see Section 12.0, Configuring the Identity Vault after Installation.
When you use the ndsconfig utility, the following conditions apply:
The maximum number of characters allowed for the treename, admin_FDN, and server_FDN variables is as follows:
treename: 32 characters
admin_FDN: 255 characters
server_FDN: 255 characters
When you add a server to an existing tree and the context that you specify does not exist in the Server object, the ndsconfig utility creates the context while adding the server.
You can add LDAP and security services to the existing tree after installing the Identity Vault.
To enable encrypted replication in the server, include the -E option in the commands for adding a server to an existing tree. For more information about encrypted replication, see “Encrypted Replication” in the NetIQ eDirectory Administration Guide.
For more information about using the ndsconfig utility to modify eDirectory, see the NetIQ eDirectory Administration Guide.
The ndsconfig utility supports the following parameters:
new: Creates a new tree. If you do not specify the parameters in the command line, the utility prompts you to enter the values for each of the missing parameters.
def: Creates a new tree. If you do not specify the parameters in the command line, ndsconfig applies the default value for each of the missing parameters.
add: Adds a server to an existing tree. Also adds LDAP and SAS services after you configure the Identity Vault in the existing tree.
rm: Removes the Server object and directory services from a tree.
NOTE: This option does not remove the key material objects. You must remove these objects manually.
upgrade: Upgrades eDirectory to a later version.
-i: Instructs the utility to skip the check for an existing tree of the same name when you configure a new tree. Multiple trees of the same name can exist.
-S server_name: Specifies the server name. The server name can contain periods (for example, netiq.com). However, you must include an escape character before each period. For more information about using escape characters, see Using Escape Characters when a Container Name Includes a Period (“.”).
-t treename: Specifies the name of the tree to which you want to add the server. It can have a maximum of 32 characters. If not specified, ndsconfig takes the tree name from the n4u.nds.treename parameter in the /etc/opt/novell/eDirectory/conf/nds.conf file. The default treename is $LOGNAME-$HOSTNAME-NDStree.
-n server_context: Specifies the context in which the Server object is added. It can have a maximum of 64 characters. If the context is not specified, ndsconfig takes the context from the n4u.nds.server-context parameter in the /etc/opt/novell/eDirectory/conf/nds.conf file. The server context must be specified in the typed form. The default context is org.
-d path_for_dib: Specifies the directory path where the database files will be stored.
-r: Forcefully adds the replica of the server regardless of the number of servers already added to the server.
-L ldap_port: Specifies the TCP port number on the LDAP server. If the default port 389 is already in use, the utility prompts you to specify a new port.
-l SSL_port: Specifies the SSL port number on the LDAP server. If the default port 636 is already in use, the utility prompts you to specify a new port.
-a admin_FDN: Specifies the fully distinguished name of the User object with Supervisor rights to the context in which the Server object and Directory services are to be created. The admin name must be specified in the typed form. It can have a maximum of 64 characters. The default value is admin.org.
-e: Enables clear text passwords for LDAP objects.
-m module: Specifies the name of the module that you want to install or configure. If you are configuring a new tree, you can specify the ds module only. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and NetIQ SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
NOTE: If you do not want to configure the SecretStore during an upgrade of eDirectory through the nds-install command, pass the no_ss value to this option. For example, enter nds-install '-m no_ss'.
-o http_port: Specifies the HTTP clear port number.
-O https_port: Specifies the HTTP secure port number.
-p IP_address:[port]: Specifies the IP address of the remote host that holds a replica of the partition to which this server is being added. Use this option when adding a secondary server (add command) to a tree. The default port number is 524. This speeds up locating the tree because it avoids an SLP lookup.
-R: Replicates to the local server the partition to which the server is added. This option disallows adding replicas to the local server.
-c: Prevents prompts during the ndsconfig operation, such as the yes/no prompt to continue the operation or the prompt to re-enter a port number when there is a conflict. The utility still prompts you for mandatory parameters if they are not passed on the command line.
-w admin_password: Allows passing the admin user password in clear text.
NOTE: NetIQ does not recommend using this option in an environment concerned about password security.
-E: Enables encrypted replication for the server you are trying to add.
-j: Instructs the utility to skip or override the health check before installing the Identity Vault.
-b port_to_bind: Specifies the default port number on which a particular instance should listen. This sets the default port number in n4u.server.tcp-port and n4u.server.udp-port. If you use the -b option to specify an NCP port, the utility assumes that port is the default port and updates the TCP and UDP parameters accordingly.
NOTE: The -b and -B options are mutually exclusive parameters.
-B interface1@port1,interface2@port2,...: Specifies the port number along with the IP address or interface. For example, -B eth0@524, -B 100.1.1.2@524, -B [2015::3]@524.
NOTE:
The -b and -B options are mutually exclusive parameters.
To specify an IPv6 address, you must enclose the address in square brackets ([ ]).
--config-file configuration_file: Specifies the absolute path and file name in which to store the nds.conf configuration file. For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, enter the following option:
--config-file /etc/opt/novell/eDirectory/nds.conf
-P: Specifies the LDAP URLs used to configure the LDAP interface on the LDAP Server object. Use commas to separate multiple URLs. For example:
-P ldap://1.2.3.4:389,ldaps://1.2.3.4:636,ldap://[2015::3]:389
NOTE:
To specify an IPv6 address, you must enclose the address in square brackets ([ ]). For example, ldap://[2015::3]:389.
If you do not specify the LDAP URLs during the initial configuration, you can add them in the ldapInterfaces attribute using the ldapconfig command or in iManager after the initial configuration. For more information, see Adding LDAP URLS for IPV6 on the LDAP Server Object.
-D custom_location: Creates the data, dib, and log directories in the specified path.
set: Sets the value for the configurable parameters that you specify for the Identity Vault. Use this option to set the bootstrapping parameters before configuring a tree.
When you change configuration parameters, you must restart ndsd for the new value to take effect. You do not need to restart ndsd for the following configuration parameters:
n4u.nds.inactivity-synchronization-interval
n4u.nds.synchronization-restrictions
n4u.nds.janitor-interval
n4u.nds.backlink-interval
n4u.nds.drl-interval
n4u.nds.flatcleaning-interval
n4u.nds.server-state-up-threshold
n4u.nds.heartbeat-schema
n4u.nds.heartbeat-data
get: Displays the help strings for the configurable parameters that you specify for the Identity Vault. If you do not specify a parameter list, the utility lists the help strings for all of the configurable parameters.
You must extend the Identity Vault schema to support SecretStore functionality. The identity applications need SecretStore to connect to the vault.
To extend the schema for the Identity Vault, enter the following command:
For x64bit:
ice -S SCH -f /opt/novell/eDirectory/lib64/nds-schema/sssv3.sch -D LDAP -s serverIP -d adminDN
For x32bit:
ice -S SCH -f /var/opt/novell/eDirectory/lib/nds-schema/sssv3.sch -D LDAP -s serverIP -d adminDN
For example (x32bit):
ice -S SCH -f /var/opt/novell/eDirectory/lib/nds-schema/sssv3.sch -D LDAP -s 192.0.2.1 -d cn=admin,o=administrators
(Conditional) To configure SecretStore on a Linux server, complete the following steps:
1. Navigate to the conf directory, by default /etc/opt/novell/eDirectory/conf.
2. To run the configuration utility, enter ssscfg -c.
3. Specify the configuration settings for SecretStore, then close the utility.
4. In a text editor, open ndsmodules.conf.
5. Add the following entry to the file:
ssncp
This entry loads the SecretStore module when eDirectory starts.
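Editing ndsmodules.conf by hand is easy to get wrong when the procedure is repeated (a second ssncp line, or an entry glued onto a last line that has no newline). As an added example that is not part of the NetIQ guide, the following POSIX shell function makes the step idempotent: it appends the entry only if an identical line is not already there, keeps a backup, and can be tried on a scratch copy because the file path is a parameter. The function names ensure_module and count_module are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: adds the "ssncp" entry to
# ndsmodules.conf only when it is not already present, so repeating the
# SecretStore setup never leaves duplicate module lines. The file path is a
# parameter so the function can be tried on a scratch copy first.

# ensure_module <conf_file> <module>
# Appends <module> on its own line unless an identical line already exists.
# The match is exact, so a commented-out "#ssncp" does not count as present.
ensure_module() {
    conf=$1 mod=$2
    [ -f "$conf" ] || { echo "error: $conf not found" >&2; return 1; }
    if grep -qx "$mod" "$conf"; then
        echo "$mod already listed in $conf"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1          # keep a backup first
    # if the last byte is not a newline, add one so the entry gets its own line
    [ -z "$(tail -c 1 "$conf")" ] || printf '\n' >> "$conf"
    printf '%s\n' "$mod" >> "$conf"
    echo "added $mod to $conf"
}

# count_module <conf_file> <module>: how many lines are exactly <module>
count_module() {
    grep -cx "$2" "$1" || true
}

# Typical use on the real file (run as root on the eDirectory host):
#   ensure_module /etc/opt/novell/eDirectory/conf/ndsmodules.conf ssncp
```

Run it against a copy of ndsmodules.conf first; the second invocation reports that the module is already listed and changes nothing, which is the property you want from a step that may be re-run during troubleshooting.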
(Conditional) To configure SecretStore on a Windows server, complete the following steps:
1. Navigate to the conf directory, by default Program Files/novell/eDirectory/conf.
2. Enter the following command:
ssscfg.exe -c
3. Specify the configuration settings for SecretStore, then close the utility.
4. Run NDSCons.exe.
5. In the utility, specify auto for the ssncp.dlm module.
6. Close the utility.
For more information, see “SecretStore Configuration for eDirectory Server” in the NetIQ eDirectory Administration Guide.
To configure the Identity Vault in a specific locale, you must export LC_ALL and LANG to that particular locale before performing the configuration. For example, enter the following commands in the shell before running the ndsconfig utility:
export LC_ALL=ja
export LANG=ja
When you create a new tree in the Identity Vault, the ndsconfig utility can walk you through the configuration or you can enter a single command to specify all the parameter values. You can specify an IPv6 address for the new tree, if your Identity Vault server already supports IPv6 addresses.
(Conditional) To have the ndsconfig utility prompt you for the parameters for a new tree in the Identity Vault, enter the following command:
ndsconfig new [-t tree_name] [-n server_context] [-a admin_FDN]
For example:
ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company
(Conditional) To create a new tree in the Identity Vault by specifying all the parameters in the command line, enter the following text:
ndsconfig new [-t treename] [-n server_context] [-a admin_FDN] [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-p IP_address:[port]] [-R] [-c] [-w admin_password] [-b port_to_bind] [-B interface1@port1,interface2@port2,..] [-D custom_location] [--config-file configuration_file]
or
ndsconfig def [-t treename] [-n server_context] [-a admin_FDN] [-w admin_password] [-c] [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-D custom_location] [--config-file configuration_file]
To add a server to an existing tree, enter the following command:
ndsconfig add [-t treename] [-n server_context] [-a admin_FDN] [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-p IP_address:[port]] [-R] [-c] [-w admin_password] [-b port_to_bind] [-B interface1@port1,interface2@port2,..] [-D custom_location] [--config-file configuration_file]
For example:
ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1
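ndsconfig validates its arguments only once it is run with Administrator rights, so mistakes such as an over-long tree name, an untyped admin FDN, an IPv6 address without brackets, or -b combined with -B are discovered late. As an added example that is not part of the NetIQ guide, the following POSIX shell script applies the limits stated on this page as pre-flight checks and prints the resulting new or add command for review instead of running it. The function names (within_limit, is_typed_form, ipv6_is_bracketed, build_ndsconfig_cmd) and the sample values are assumptions for this example. The admin password is deliberately left for ndsconfig to prompt for rather than passed with -w, since -w places it in clear text on the command line, where process listings and shell history can expose it.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: pre-flight checks for an
# "ndsconfig new" or "ndsconfig add" command line, using the limits the guide
# states (treename <= 32, server context <= 64, admin FDN <= 255 characters,
# typed-form names, -b and -B mutually exclusive, IPv6 literals in [ ]).
# The command is printed for review, never executed.

# within_limit <label> <value> <max>: exit status 0 if the value fits.
within_limit() {
    if [ "${#2}" -gt "$3" ]; then
        echo "error: $1 is ${#2} characters, maximum is $3" >&2
        return 1
    fi
    return 0
}

# is_typed_form <name>: every component must be type=value, separated by
# periods, e.g. cn=admin.o=company (the form ndsconfig expects for -a and -n).
is_typed_form() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z]+=[^.=]+(\.[A-Za-z]+=[^.=]+)*$'
}

# ipv6_is_bracketed <interface@port | address:port>: an IPv6 literal (two or
# more colons once a trailing @port is removed) must be wrapped in [ ].
ipv6_is_bracketed() {
    addr=${1%@*}
    case "$addr" in
        *:*:*) case "$addr" in "["*"]"*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;   # IPv4 address or interface name: nothing to check
    esac
}

# build_ndsconfig_cmd <new|add> <treename> <server_context> <admin_FDN>
#                     <server_name> [<"-b port" | "-B iface@port,...">]
# Prints the validated command. The admin password is deliberately not passed
# with -w: that puts it in clear text in process listings and shell history,
# so ndsconfig is left to prompt for it.
build_ndsconfig_cmd() {
    op=$1 tree=$2 ctx=$3 admin=$4 server=$5 bind=$6
    case "$op" in new|add) ;; *) echo "error: operation must be new or add" >&2; return 1 ;; esac
    within_limit treename "$tree" 32 || return 1
    within_limit server_context "$ctx" 64 || return 1
    within_limit admin_FDN "$admin" 255 || return 1
    is_typed_form "$ctx" || { echo "error: server context must be typed, e.g. o=company" >&2; return 1; }
    is_typed_form "$admin" || { echo "error: admin FDN must be typed, e.g. cn=admin.o=company" >&2; return 1; }
    cmd="ndsconfig $op -t $tree -n $ctx -a $admin -S $server"
    if [ -n "$bind" ]; then
        case "$bind" in
            *-b*-B*|*-B*-b*) echo "error: -b and -B are mutually exclusive" >&2; return 1 ;;
            "-b "*) case "${bind#-b }" in
                        *[!0-9]*|"") echo "error: -b takes a single port number" >&2; return 1 ;;
                    esac ;;
            "-B "*) set -f                       # no globbing of [2015::3]@524
                    old_ifs=$IFS; IFS=,
                    for entry in ${bind#-B }; do
                        if ! ipv6_is_bracketed "$entry"; then
                            IFS=$old_ifs; set +f
                            echo "error: IPv6 address must be in [ ]: $entry" >&2
                            return 1
                        fi
                    done
                    IFS=$old_ifs; set +f ;;
            *) echo "error: bind spec must start with -b or -B" >&2; return 1 ;;
        esac
        cmd="$cmd $bind"
    fi
    printf '%s\n' "$cmd"
}

# Example use with the values from the page:
#   build_ndsconfig_cmd new corp-tree o=company cn=admin.o=company srv1
```

The printed command can then be pasted into a root shell, where ndsconfig prompts for the admin password itself. If you do need non-interactive runs (-c with -w), keep the invocation out of shell history and out of world-readable scripts, as the note on -w above warns.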
To remove the Server object and directory services from a tree, complete the following steps:
1. Navigate to the dsreports directory, located by default in /var/opt/novell/eDirectory/data/.
2. Delete the HTML files that you previously created using iMonitor.
3. Using the ndsconfig utility, enter the following command:
ndsconfig rm [-a admin_FDN] [-w admin_password] [-p IP_address:[port]] [-c]
For example:
ndsconfig rm -a Admin_FDN
You can configure multiple instances of the Identity Vault on a single host. Configuring multiple instances with the ndsconfig utility is similar to configuring a single instance multiple times. Each instance must have unique instance identifiers, such as the following:
Different data and log file locations. Use the --config-file, -d, and -D options.
A unique port number for the instance to listen on. Use the -b and -B options.
A unique server name for the instance. Use the -S server_name option.
For more information, see “Using ndsconfig to Configure Multiple Instances of eDirectory” in the NetIQ eDirectory Installation Guide.
NOTE:
During configuration of the Identity Vault, the default NCP server name is set to the host server name. When configuring multiple instances, you must change the NCP server name. Use the -S server_name command line option of ndsconfig to specify a different server name. When configuring multiple instances, either on the same tree or on different trees, the NCP server name must be unique.
All the instances share the same server key (NICI).
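Two instances that share a configuration file, DIB path, listen port or NCP server name fail in ways that are slow to diagnose (one instance silently overwriting the other's data, or failing to bind). As an added example that is not part of the NetIQ guide, the following POSIX shell and awk snippet checks a planned set of instances against the uniqueness rules listed above before any ndsconfig command is run. The plan format (one "server|config_file|dib|data_dir|port" line per instance), the SAMPLE_PLAN paths and the function names check_instance_plan and plan_ok are constructed for this example; the first instance uses the default paths named on this page and the second uses made-up ones.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: checks a plan for several
# ndsconfig instances on one host for the uniqueness the guide requires:
# distinct server name (-S), configuration file (--config-file), DIB path (-d),
# data/log location (-D) and listen port (-b). Fields are '|' separated; the
# sample plan below is constructed for this example.

# check_instance_plan: reads "server|config_file|dib|data_dir|port" lines from
# stdin, prints "duplicate <field>: <value>" for every clash (or "ok"), and
# returns 1 if anything is wrong.
check_instance_plan() {
    awk -F'|' '
        BEGIN { split("server config_file dib data_dir port", field, " ") }
        NF != 5 { print "malformed line " NR ": " $0; bad = 1; next }
        {
            for (i = 1; i <= 5; i++) {
                key = i SUBSEP $i            # value namespace per column
                if (key in seen) { print "duplicate " field[i] ": " $i; bad = 1 }
                seen[key] = 1
            }
        }
        END { if (!bad) print "ok"; exit bad }
    '
}

# plan_ok "<plan text>": convenience wrapper for a plan held in a string.
plan_ok() {
    printf '%s\n' "$1" | check_instance_plan
}

# Constructed sample: instance 1 on the default paths and NCP port 524,
# instance 2 on its own paths and port 1524 (paths for instance 2 are made up).
SAMPLE_PLAN='srv1|/etc/opt/novell/eDirectory/conf/nds.conf|/var/opt/novell/eDirectory/data/dib|/var/opt/novell/eDirectory|524
srv2|/home/inst2/nds.conf|/home/inst2/dib|/home/inst2|1524'

# Typical use:  plan_ok "$SAMPLE_PLAN" && echo "plan is consistent"
```

Each field is checked within its own column, so the same value appearing as a server name in one row and as a path in another is not reported. The check says nothing about NICI, which the note above says is shared by all instances, so a key shared between instances is expected and not a conflict.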