4.3 Installing Identity Manager Engine as a Non-root User

You can install Identity Manager engine as a non-root user to enhance the security of your Linux server. You cannot install Identity Manager engine as a non-root user if you installed the Identity Vault as root. You need to perform the following steps if you want to install the engine as a non-root user:

  1. Ensure that NICI is installed. For more information, see Installing NICI.

  2. Perform a non-root installation of Identity Vault. For more information, see Performing a Non-root Installation of Identity Vault.

  3. Perform a non-root installation of Identity Manager Engine. For more information, see Performing a Non-root Installation of Engine.

4.3.1 Installing NICI

You must install NICI before you proceed with the Identity Vault installation. Because the required NICI packages are used system-wide, it is recommended that you install them as the root user. However, if necessary, you can delegate access to a different account by using sudo and use that account to install the NICI packages.

  1. From the ISO that you have mounted, navigate to the /IDVault/setup/ directory.

  2. Run the following command:

    rpm -ivh nici64-3.1.0-1.00.x86_64.rpm

  3. Verify that NICI is set to server mode. Enter the following command:

    /var/opt/novell/nici/set_server_mode64

    This is a mandatory step to ensure that the Identity Vault configuration process does not fail.

4.3.2 Performing a Non-root Installation of Identity Vault

This section describes how to use the tarball to install the Identity Vault. When you extract the file, the system creates the etc, opt, and var directories.

  1. Log in as a sudo user with the appropriate rights to the computer where you want to install the Identity Vault.

    NOTE: You can also log in as the root user when you want to specify a custom installation path.

  2. From the ISO that you have mounted, navigate to the /IDVault/ directory.

  3. Create a new directory and copy the eDir_NonRoot.tar.gz file to that directory. For example, /home/user/install/eDirectory.

  4. Use the following command to extract the file:

    tar -zxvf eDir_NonRoot.tar.gz

  5. To manually export the paths for environment variables, enter the following command:

    export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib64:custom_location/eDirectory/opt/novell/eDirectory/lib64/ndsmodules:custom_location/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH

    export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH

    export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH

    export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

  6. To use the ndspath script to export the paths for environment variables, you must prefix the ndspath script to the utility. Complete the following steps:

    1. From the custom_location/eDirectory/opt directory, run the utility with the following command:

      custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

    2. Export the paths in the current shell with the following command:

      . custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath

    3. Run the utilities as normal.

    4. Add the instructions for exporting the paths to the end of /etc/profile, ~/.bashrc, or a similar script.

      This step allows you to start the utilities directly whenever you log in or open a new shell.

  7. Configure Identity Vault by using one of the following methods:

    • Use the ndsconfig utility

      ndsconfig new [-t <treename>] [-n <server_context>] [-a <admin_FDN>] [-w <admin password>] [-i] [-S <server_name>] [-d <path_for_dib>] [-m <module>] [-e] [-L <ldap_port>] [-l <SSL_port>] [-o <http_port>] [-O <https_port>] [-p <IP address:[port]>] [-c] [-b <port_to_bind>] [-B <interface1@port1>,<interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>] [--configure-eba-now <yes/no>]

      where:

      -t denotes the name of the tree to which the server is added.

      -n denotes the context in which the server object is added.

      -a denotes the fully distinguished name of the User object with Supervisor rights to the context in which the server object and Directory services are to be created.

      -S denotes the server name.

      -d denotes the directory path where the database files are stored.

      -m denotes the module name.

      You must specify the same values that you specified during the configuration process.

      For example:

      ndsconfig new -t novell-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/inst1/var --config-file /home/inst1/nds.conf --configure-eba-now yes

      The port numbers you enter must be in the range 1024 to 65535. Port numbers lower than 1024 are normally reserved for the super-user and standard applications. Therefore, you cannot use the default port 524 for any eDirectory applications.

      This might cause the following applications to break:

      • Applications that have no option to specify the target server port.

      • Older NCP-based applications that run as root and expect port 524.

    • Use the ndsmanage utility to configure a new instance. For more information, see the Creating an Instance through ndsmanage in the NetIQ eDirectory Installation Guide.
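The manual exports in step 5 can be wrapped in a small shell function so that the base directory is typed once. The function below is an added example; it is not the guide's ndspath script or any NetIQ code, and the base directory /home/user/install/eDirectory in the usage comment is the guide's example value, not a real path. It differs from the guide's exports in one respect: a variable that is currently unset is not appended. The form "...:$LD_LIBRARY_PATH" leaves a trailing ":" when that variable is empty, and the dynamic loader treats an empty entry as the current working directory, so a utility started from any writable directory would also search that directory for shared objects.

```shell
#!/bin/sh
# Added example (not the guide's ndspath script): export the environment for a
# non-root Identity Vault extracted under BASE, which is the guide's
# custom_location/eDirectory, without ever producing an empty path entry.

# join_path NEW EXISTING -> prints NEW, or NEW:EXISTING when EXISTING is non-empty
join_path() {
    if [ -n "$2" ]; then
        printf '%s:%s\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# idv_env BASE -> exports LD_LIBRARY_PATH, PATH, MANPATH and TEXTDOMAINDIR for
# the Identity Vault under BASE; returns 1 if BASE holds no eDirectory tree.
idv_env() {
    base=$1
    edir="$base/opt/novell/eDirectory"
    if [ ! -d "$edir/lib64" ]; then
        echo "idv_env: $edir/lib64 not found; is BASE the extracted tarball?" >&2
        return 1
    fi
    # Same entries, in the same order, as the guide's step 5 exports.
    LD_LIBRARY_PATH=$(join_path "$edir/lib64:$edir/lib64/ndsmodules:$base/opt/novell/lib64" "$LD_LIBRARY_PATH")
    PATH=$(join_path "$edir/bin:$edir/sbin:/opt/novell/eDirectory/bin" "$PATH")
    MANPATH=$(join_path "$base/opt/novell/man:$edir/man" "$MANPATH")
    TEXTDOMAINDIR=$(join_path "$edir/share/locale" "$TEXTDOMAINDIR")
    export LD_LIBRARY_PATH PATH MANPATH TEXTDOMAINDIR
}

# Usage from the login shell of the non-root install user (the base directory
# below is the guide's example value, assumed for illustration):
#   . ./idv_env.sh
#   idv_env /home/user/install/eDirectory
```

Source the file from ~/.bashrc and call idv_env with the real base directory to get the effect of step 6.4; because the function checks for lib64 before touching the environment, a mistyped base directory leaves the shell unchanged instead of silently prepending non-existent paths.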

4.3.3 Performing a Non-root Installation of Engine

When you use this method, you cannot install the following components:

  • Remote Loader: To install the Remote Loader as a non-root user, use the Java Remote Loader. For more information, see Installing Java Remote Loader.

  • Linux Account Driver: Requires root privileges to function.

NOTE: When you install Identity Manager engine as a non-root user, the installation files are located under the non-root user's directory, for example /home/user, where user is the non-root account. The installation files are not required to run Identity Manager. You can delete the files after installation.

To install the Identity Manager engine as a non-root user:

  1. Log in as the non-root user that you used to install the Identity Vault.

    The user account must have write access to the directories and files of the non-root Identity Vault installation.

  2. Navigate to the location where you have mounted the Identity_Manager_4.8_Linux.iso.

  3. From the mount location, navigate to the /IDM directory.

  4. Execute the following command:

    ./idm-nonroot-install.sh

  5. Use the following information to complete the installation:

    Base Directory for the non-root eDirectory Installation

    Specify the directory where the non-root eDirectory installation is. For example, /home/user/install/eDirectory.

    Extend eDirectory Schema

    If this is the first Identity Manager server installed in this instance of eDirectory, enter Y to extend the schema. If the schema is not extended, Identity Manager cannot function.

    You are prompted to extend the schema for each instance of eDirectory owned by the non-root user that is hosted by the non-root eDirectory installation.

    If you select to extend the schema, specify the full distinguished name (DN) of the eDirectory user who has rights to extend the schema. The user must have the Supervisor right to the entire tree to extend the schema. For more information about extending the schema as a non-root user, see the schema.log file that is placed in the data directory for each instance of eDirectory.

    Run the /opt/novell/eDirectory/bin/idm-install-schema program to extend the schema on additional eDirectory instances after the installation is complete.

  6. To complete the installation process, continue to Completing a Non-root Installation.
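The requirements scattered across this chapter (NICI present from 4.3.1, ports in the range 1024 to 65535 for ndsconfig in 4.3.2, and a non-root account with write access to the Identity Vault directory in step 1 above) can be checked before ndsconfig or idm-nonroot-install.sh is run. The script below is an added example and not part of the NetIQ installer; the function names, the package name nici64 queried with rpm -q, and the port values in the usage comment are assumptions taken from the commands and example shown earlier in this section.

```shell
#!/bin/sh
# Added example (not NetIQ code): pre-flight checks for a non-root Identity
# Vault and engine installation, encoding the rules stated in this chapter.

# port_in_range PORT -> 0 if PORT is an integer in 1024..65535, else 1
port_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# validate_ports PORT... -> 0 if every port is in range and no two are equal;
# one diagnostic per problem goes to stderr.
validate_ports() {
    rc=0
    seen=" "
    for p in "$@"; do
        if ! port_in_range "$p"; then
            echo "port $p is outside 1024-65535 (privileged or invalid)" >&2
            rc=1
        fi
        case "$seen" in
            *" $p "*) echo "port $p is listed twice" >&2; rc=1 ;;
        esac
        seen="$seen$p "
    done
    return $rc
}

# running_as_nonroot -> 0 unless the effective uid is 0
running_as_nonroot() {
    [ "$(id -u)" -ne 0 ]
}

# base_writable DIR -> 0 if DIR exists and the current user can write to it
base_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# nici_installed -> 0 if the system-wide NICI package from 4.3.1 is present
# (package name assumed from the rpm command in that section)
nici_installed() {
    rpm -q nici64 >/dev/null 2>&1
}

# preflight BASE PORT... -> runs every check; returns non-zero if any fails
preflight() {
    base=$1; shift
    ok=0
    running_as_nonroot || { echo "run this as the non-root install user, not root" >&2; ok=1; }
    nici_installed || { echo "NICI package nici64 is not installed (see 4.3.1)" >&2; ok=1; }
    base_writable "$base" || { echo "$base is missing or not writable by $(id -un)" >&2; ok=1; }
    validate_ports "$@" || ok=1
    return $ok
}

# Usage (base directory and ports are the guide's example values; the -b, -L,
# -l, -o and -O ports from the ndsconfig example are passed in that order):
#   preflight /home/user/install/eDirectory 1025 1026 1027 1028 1029
```

A non-zero exit from preflight prints every failed rule at once, which is more useful than the single error ndsconfig reports when, for instance, a port below 1024 is refused to a non-root process.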