Novell Open Enterprise Server 2 Best Practices Migration Guide - eDirectory Installation & Migration
- 1 eDirectory Installation & Migration
- 1.1 Choosing an eDirectory Version
- 1.2 Analyzing eDirectory Design
- 1.3 Choosing an eDirectory Installation or Migration Strategy
- 1.4 Installation Prerequisites
- 1.5 Installing eDirectory 8.8 on OES 2 (Linux)
- 1.5.1 Installing eDirectory during the OES 2 Linux (SLES 10) Installation
- 1.5.2 Installing the eDirectory Server in a New eDirectory Tree
- 1.5.3 Installing an eDirectory Server into an Existing Tree
- 1.5.4 Adding LDAP Authentication Through eDirectory
- 1.5.5 Additional Information
- 1.5.6 Using ndsconfig to Install eDirectory
- 1.6 Configuring eDirectory on OES 2
- 1.7 eDirectory Migration
- 1.8 Remove Directory Services from NetWare
- 1.9 Accessing eDirectory Management Tools
- 1.10 Additional eDirectory Resources
eDirectory Installation & Migration
This section provides an overview of eDirectory installation and migration practices. Other documents, particularly OES 2 product documentation, including the following should be used as the authoritative sources for information:
- OES 2: Linux Installation Guide
- Novell eDirectory 8.8 Installation Guide
- Novell eDirectory 8.8 Administration Guide
- OES 2: Planning and Implementation Guide
Copious cross-references to these documents, as well as others, where applicable, are included.
Some of the information in this section has been compiled from early-adopter consulting engagements. We thank our customers and our experts, particularly Michael Saunders and Gilson Melo for their contributions to this section.
Choosing an eDirectory Version
Novell currently supports two series of eDirectory: 8.7.3.x and 8.8.x. While they have somewhat different feature sets, these two series are tested and certified to inter-operate within the same tree. Note, too, that eDirectory needs to be hosted on a current fully-supported OS. At this time, the only version of NetWare that is under full support is NetWare 6.5.
OES 2 Linux utilizes eDirectory 8.8.2. It is preferable, but not required, to upgrade existing servers to either eDirectory 188.8.131.52 or 8.8.2 before or during the process of introducing OES 2 Linux into the environment.
- eDirectory is 8.8.2 is only supported on current AIX, Linux, Windows, and NetWare 6.5 platforms.
- eDirectory 184.108.40.206 is supported on all the same platforms as well as all NetWare 5.1 and above.
Note: If you are using NetWare 5.1 with NDS8, the latest NDS8 and eDirectory 8.7 schema extensions must be applied.
- NDS 6.x on NetWare 4.11 is not upgradeable and not certified compatible with current eDirectory versions. All NetWare 4.11 servers should be upgraded to current NetWare or removed from the tree.
The Novell Planning and Implementation Guide includes a table that lists the operating systems and eDirectory versions that OES 2 Linux has been tested with and found to be compatible.
Novell also publishes a matrix (refer to TID:10099872) that documents the tested and certified compatibility between current and older releases of eDirectory. In some cases, interoperability between versions outside the matrix will work but have not been fully tested. However, there are known issues that will cause stability, performance, and functionality problems. This is also the case with older versions of NetWare that are no longer supported, even if they are running current versions of eDirectory.
In an ideal situation, Novell recommends that all servers in a tree be of the same fully-supported eDirectory and OS versions. This, however, may not be practical in some environments. If you are using several versions of eDirectory or NetWare in different segments of your tree, Novell recommends that these servers not hold partition replicas.
Do the following to ensure eDirectory compatibility throughout the tree:
- Upgrade all servers to a currently supported version of the OS (NetWare 6.5, SLES, RH or AIX).
- Upgrade all servers to eDirectory 220.127.116.11.
- Retire and remove all NetWare 4.11/NDS 6.x servers from the tree.
- Introduce eDirectory 8.8.x into the tree as required.
As you become familiar with some of the added features in eDirectory 8.8.2, it is likely that further implementations of 8.8.2 will be undertaken. Many of these features will be available if just the dedicated DS Master servers are upgraded. This can be done in-place without the need for a full OS upgrade to these existing servers.
There are valid cases for both eDirectory 8.7.3 and eDirectory 8.8. ItÃ¢â‚¬â„¢s not a problem if you migrate to OES 2 Linux and decide to stay with version 8.7.3, but there are some advantages to moving to eDirectory 8.8 (v8.8 SP2 is included with OES 2 Linux).
If you are already using 8.7.3 in your organization and are comfortable with it, you don't necessarily need to upgrade:
- Has been in the market for 3 years
- Ships as part of OES 1 and NetWare 6.5
- Is fully inter-operable with 8.8
- Is the newest directory from Novell and is the core directory for OES 2.
- Supports newer advances in Novell Identity Manager and Novell Access Manager
- Includes enhanced features and scalability
- Has a longer support cycle than 8.7
If youÃ¢â‚¬â„¢re planning to take advantage of Domain Services for Windows in Novell Open Enterprise Server 2 when it ships with SP1, youÃ¢â‚¬â„¢ll need to deploy eDirectory 8.8 somewhere in your organization. This service enables Linux servers to integrate with Active Directory so users can authenticate from Windows to Linux servers without the need for a Novell client on the desktop.
New Linux Features with eDirectory 8.8
New features of eDirectory v8.8 make it a compelling option on Linux:
- Multiple instances of eDirectory, trees, and replicas of the same tree or partition on a single host (eDirectory 8.8 only) and a utility, ndsmanage, to track instances
- Universal password enforcement
- Priority sync to synchronize modified, critical data immediately (passwords, for example) between two or more eDirectory 8.8 servers hosting the same partition
- Data encryption stored on the disk or transmitted between two or more eDirectory 8.8 servers
- Enhancements to increase bulk load performance
- Command line options for the Import Conversion Export (ICE) utility corresponding to those in iManager
- LDAP-based backups for attributes and attribute values one object at a time
- Enhanced error logging to indicate message severity levels, configuration errors, and iMonitor and SAL message filtering
- Deployment via ZENworks Linux Management 7.2
- Installation and configuration via YaST
- Custom locations for applications, data, and configuration files
- FHS and LSB compliance
- Server health check utility
- Non-root installation
- SecretStore Integration
For complete information, refer to the Novell eDirectory 8.8 What's New Guide available at www.novell.com/documentation/edir88.
Novell Products Supported with eDir 8.8
For a list of products supported by eDirectory 8.8, refer to TID:10099872.
Analyzing eDirectory Design
Installing eDirectory on OES 2 Linux provides an excellent opportunity to review current directory structure to make sure existing directory strategies still meet your organization's needs and growth patterns.
If you decide to redesign your system, you need to determine whether to keep services in their original tree or move them to a new tree. As part of this process, youÃ¢â‚¬â„¢ll probably also want to remove any objects that are no longer being used.
It is important that any eDirectory tree that caters primarily to file and print be designed first and foremost around the WAN configuration, particularly if your organization includes several remote facilities. In most cases, you'll want to provide a partition for each remote location, even when they are single-server sites.
If, for example, you have five NetWare 6.5 servers in place that are primarily dedicated to providing eDirectory replica services, all of the Master replicas could be contained on one of these servers along with multiple replicas of the higher levels of the tree. Each remote server should include a R/W replica of its local partition. Make sure you have three writable replicas in place to provide adequate redundancy.
Evaluate whether changes are necessary to better accommodate each of the following:
- Type of tree: Does a Traditional (pyramid-shaped, single tree environment) or specialized tree (flat tree designed for a specific situation (identity vault or LDAP authentication, for example)) make better sense in your environment? Many Novell customers are opting for a flat tree so LDAP can walk the tree more efficiently to find a user object.
- Physical network layout (location-based and designed around WAN links): Analyze the number of offices; where they are located; how many users are at each site; how sites communicate with each other; whether offices share the same data; how is data routed among the sites.
- Organizational structure (function-based design): Is your organization static or dynamic? What growth patterns do you anticipate?
- Security: How secure does your data need to be; does some data need enhanced security?
- Server configuration: What types of servers are on your network; do they need to interact; where are they located; what applications and services does each host; are they managed locally or centrally?
- User accessibility needs: Which applications and services are needed by which users; do users need to read data or modify it; which rights need to flow from the root; how many users need remote access; where will remote users access data from?
- Application needs: Which offices use the same applications; how many users per application; are applications installed locally or centrally?
- Administrative strategies: Do you intend to manage eDirectory centrally or from many dispersed locations?
- Naming standards for eDirectory objects: What naming standards are in force? Do any of them need to be changed or updated?
- Scalability and interoperability: How important are these on your network? Are you willing to compromise scalability and/or performance for other worthwhile goals?
- Speed and efficiency: How important are these on your network? Are you willing to compromise speed and efficiency for other worthwhile goals?
- Fault tolerance: What steps have you taken to provide fault tolerance? Do additional options need to be implemented?
If you decide to re-engineer your tree, itÃ¢â‚¬â„¢s a good idea to create the new tree in a lab to make sure you understand its structure and that itÃ¢â‚¬â„¢s actually going to work the way you want before you put it into production.
For additional eDirectory design information, refer to Section 2.0, "Designing Your Novell eDirectory Network" in the Novell eDirectory 8.8 Administration Guide. This section provides information about the following:
- Section 2.1, eDirectory Design Basics
- Section 2.2, Designing the eDirectory Tree
- Section 2.3, Guidelines for Partitioning Your Tree
- Section 2.4, Guidelines for Replicating Your Tree
- Section 2.5, Planning the User Environment
- Section 2.6, Designing eDirectory for e-Business
- Section 2.7, Understanding the Novell Certificate Server
- Section 2.8, Synchronizing Network Time
- Section 2.9, Security Considerations
Choosing an eDirectory Installation or Migration Strategy
There are several basic strategies for setting up eDirectory on OES 2 Linux or migrating to the OES 2 Linux platform:
Installing eDirectory fresh on Linux. Customers who have adopted this strategy are usually unhappy with their existing tree (the tree hasn't kept up with organizational changes and growth). Moving to Linux provides an opportunity to update the tree by starting from scratch. These customers also tend to consolidate more services when they add new Linux servers. And they often incorporate specialty trees such as an Identity vault on SUSE rather than OES 2 Linux.
In cases where eDirectory or the operating system and services are outdated, it sometimes makes sense to just redo the whole environment (new tree design, partitioning, replication strategies, newer utilities/services) rather than port the existing structure.
The single biggest issue in many organizations is that NetWare and eDirectory haven't been patched, so starting fresh is the easier option. This is true of file and print as well. Most customers who use this strategy are moving to OES Linux from NetWare 5 and NDS 6 (which is limited to 1500 users).
Adding a branch to an existing tree. These customers migrate objects to a new OES 2 Linux branch and then gradually retire the older NetWare branch. By adding a branch, it's easier to drag and drop users and login scripts, certificates, and PKI so they don't have to be recreated.
Migrating with the migedir utility. You can install eDirectory fresh on OES 2 Linux and then run the migedir utility to migrate from NetWare eDirectory 8.7.3 IR5 or higher (the only supported source system). The migedir utility is designed to be used when you want to migrate eDirectory and server identity alone?not with other migration services.
Important: Even though eDirectory migration using migedir is tested and certified by Novell test labs, it's not a complete solution for migrating from NetWare to Linux. The migedir utility is intended as a standalone migration utility and can't be used in concert with any of the other OES Migration Tools. Once the migedir utility is used, the services on the source server (NetWare 6.5) are no longer available. Compatibility issues with other utilities are scheduled to be addressed in OES 2 SP1, but until then you must choose between using migedir and using the OES Migration Tools.
Using migedir, both eDirectory data and server identity are migrated to provide seamless accessibility after migration. The migedir migration utility also performs many pre-migration tasks, health validations, server backups, server migration, and post-migration tasks for you. The eDirectory database is upgraded to a new format when SP2 is installed. The appropriate upgrade utility is called after the packages are upgraded to eDirectory 8.8.
The strategy you choose must also be conditioned by the following:
- Workstation implementation. The workstation environment has a direct affect on the backend infrastructure. Many customers are retiring Novell Client 32 and doing a desktop refresh using a mix, depending on their needs, of native Windows, CIFS, Samba, Kerberos, and SUSE Linux Enterprise Desktop (SLED)Ã¢â‚¬â€œall managed with ZEN. In fact, approximately 50% of our customers use multiple protocols on the desktop. The backend has to accommodate all of them. It usually takes customers a year or more to complete a desktop migration.
- 32 vs 64 bit. Almost all hardware is now 64-bit, but many Novell applications and services, including eDirectory, are 32-bit. Even though most of the 32-bit applications run on 64-bit hardware (a few don't), the power of the hardware is wasted. It's possible to take advantage of 64-bit hardware by running eDirectory on the 32-bit portion and using the rest for other processing; this, of course, increases performance. There's not as much advantage with other applications and services as there is with eDirectory.
Upgrading eDirectory prior to migrating. In many cases, you'll need to upgrade existing eDirectory versions before installing OES 2 Linux or migrating from NetWare. See Section 3.5, "Upgrading eDirectory" in the Novell eDirectory 8.8 Installation Guide.
Installing eDirectory on OES 2 Linux. Refer to Section 3, "Installing or Upgrading Novell eDirectory on Linux" in the Novell eDirectory 8.8 Installation Guide. Instructions for installing eDirectory as a pattern install when you install OES 2 Linux are found in the OES 2 Linux Installation Guide.
Migrating eDirectory from NetWare to OES 2 Linux. For information on the migedir utility, refer to Section 11, "Migrating eDirectory from NetWare to OES 2 Linux" in the Novell eDirectory 8.8 Installation Guide.
Migrating to eDirectory with or without upgrading the operation system. See sections 10.1 and 10.2 in the Novell eDirectory 8.8 Installation Guide.
Check Existing Directory Health
Execute a directory health check BEFORE doing anything. Problems with eDirectory can derail a roll out very quickly. Make sure there are no significant health issues before you begin the migration. The primary goal of this evaluation is to determine whether the prerequisites have been met for introducing OES 2 Linux and eDirectory 8.8 into an existing tree or migrating eDirectory from NetWare to Linux.
Note: When you upgrade to eDirectory 8.8 or use the migedir utility to migrate eDirectory from NetWare to Linux, a server health check is conducted by default to ensure that the server is safe for the upgrade or migration.
Whichever option you choose, make sure each of the following is checked:
- eDirectory Version. Running different versions of NDS or eDirectory on the same version of NetWare can cause synchronization problems. All NDS versions should be at the latest version on their respective operating system platforms. If your version of NDS or eDirectory is outdated, download the latest software patch from Novell Directory Services Patches and Files.
- Time Synchronization. NDS communication uses timestamps to uniquely identify objects and the object's modification time for synchronization purposes. Time stamps are assigned to each object and property to ensure the correct order for object and property updates. If servers in the tree are not synchronized to the correct local time (or more importantly, to each other) replica synchronization will not be reliable and severe object corruption and data loss can be experienced. To avoid these problems, time needs to be in sync across all servers in the network.
- Server-to-Server Synchronization. NDS servers communicate changes made to objects and partition boundaries. This step verifies that no errors exist when NDS performs synchronization processes.
- Replica Ring Synchronization. This operation reads the Synchronization Status attribute from the replica object on each server that holds replicas of the partitions. It displays the time of the last successful synchronization to all servers as well as any errors that have occurred since.
- Synchronization Tolerances. This operation indicates the time periods since a server has synced with inbound and outbound data changes, how much data is outstanding, etc.
- Background Processes. These processes perform a variety of tasks including replication of changes and maintenance of system information.
- External References. Check External References to determine if a replica containing the object can be located.
- Hung Obituaries. These are object delete and move operations that have not completed successfully because mixed versions of DS have been used. Significant overhead is expended by the replica servers in retrying the obituary process constantly without success. Check the Flag States of the obituaries on all servers in the backlink lists for the obituaries.
- Collision and Unknown Objects. In most cases, these objects can be deleted, but each should be investigated for origin and references first.
- Replica States. Check the partitions and states of the replicas stored in the server's NDS database files.
- eDirectory Schema Synchronization. Each NDS server has schema definitions that are used for creating and maintaining objects. Verify that schema synchronization between servers is working correctly.
Health Check Tools
Depending on your preference, you can perform an eDirectory server health check several ways:
- Use migedir Diagnostic Tools. If you are using migedir to migrate eDirectory from NetWare to Linux, the built-in diagnostic tool is probably sufficient.
- 'Use the new command-line health check utility with eDirectory 8.8. Novell eDirectory 8.8 provides a diagnostic tool to help you determine whether your server is safe before upgrading. These health checks run by default with every upgrade and they occur before the actual package upgrade. However, you can run the diagnostic tool, ndscheck (or dscheck on NetWare), to complete a health check at anytime. Versions are available for the following:
- Linux and UNIX. Health checks are run by default before an upgrade operation starts (to skip the default health checks, use the -j option with nds-install).
- NetWare and Windows. Server health checks happen as part of the installation wizard.
Basic server health and partition and replica health are checked and the results displayed on the screen and logged in the ndscheck.log. If the health checks are done as part of the upgrade and critical errors are found, the upgrade is aborted.
In earlier releases of eDirectory, the upgrade did not check the health of the server before proceeding with the upgrade. As a result, the upgrade operation sometimes failed, leaving eDirectory in an inconsistent state. In some cases, it was impossible to roll back to the pre-upgrade settings. This new health check tool resolves this, helping you make sure your server is ready to upgrade.
For additional information, including command parameters for each operating system, refer to Appendix B, "Server Health Checks," in the Novell eDirectory 8.8 Installation Guide.
- Use iMonitor. You can use either of two methods (manual and automated) in iMonitor, a web-based diagnostic tool:
- Use the Navigator Frame (iMonitor > Navigator > Reports).
- Use the Assistant Frame (iMonitor > Assistant > Agent Health).
Even with a large number of servers, this procedure tends to run very quickly (less than 5 minutes for 15-20 servers if all of the servers are healthy). The process is the same for all operating systems. Be aware that if you use the automated process, the report will run without authentication (that is, it will run as [Public]); however, this should be fine for a health check report. Health check reports can also be scheduled.
An excellent discussion of this method is available via a Cool Solutions article. See http://www.novell.com/coolsolutions/feature/15336.html.
- Follow the instructions in "NDS / eDirectory Health Check Procedures - Cross Platform" (TID 10060600). This Novell Technical Information Document (TID), though somewhat "dated," describes the health-check process in detail but requires using both DSREPAIR and DSTRACE, the operation of which varies from platform to platform (instructions for each platform are included in the TID). Background processes are verified using a rather invasive method of forcing the process to run. To run this check on all servers in the environment, you need to connect to each server remotely to execute the commands, a time-consuming process if you have a large number of servers.
You can view a tutorial or access a text version of the TID at http://support.novell.com/additional/tutorials/index.html
Training on the tools and techniques used to keep eDirectory healthy is available in course 3007: eDirectory Tools and Diagnostics (eDirectory 8.7.3). In this course you learn how to
- Perform eDirectory health checks
- Perform eDirectory operations properly
- Properly diagnose, troubleshoot, and resolve eDirectory issues
- Use eDirectory troubleshooting tools and utilities
Other eDirectory courses are available and recommended:
- Fundamentals of Novell eDirectory, Course 3017 (eDirectory 8.7.3)
- Novell eDirectory 8.8 Design and Implementation, Course 3067 (eDirectory 8.8)
To learn more about these courses, visit the Novell Training Services site (index) and select eDirectory.
Check Requirements and Prerequisites
System requirements and prerequisites are summarized below. Refer to sections 3.1 and 3.2 of the http://www.novell.com/documentation/edir88/index.html?page=/documentation/edir88/edirin88/data/bqs8nru.html Novell eDirectory 8.8 Installation Guide for a complete listing and explanation].
eDirectory System Requirements
Note: To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.
|RAM||256 MB RAM minimum (in addition to that required by the Linux OS)|
|Rights||Administrative rights to the existing eDirectory tree so that you can modify the schema.|
Check currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find the current status for Novell products in TID 10099872 What Novell products are supported with Novell eDirectory 8.8?
If a product is not supported, you should not install eDirectory 8.8 on the same server as that product. In addition, that product should not be configured to search an eDirectory 8.8 server. As long as these conditions are met, you can still install eDirectory 8.8 on some servers and run with a mixed tree.
eDirectory Hardware Requirements
Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the DIB set as the hardware allows.
eDirectory scales well on a single processor, but takes advantage of multiple processors. Adding processors improves performance in some areasÃ¢â‚¬â€œfor example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.
The following table illustrates typical system requirements for eDirectory on Linux:
|100,000||Pentium III 450-700 MHz (single)||384 MB||144 MB|
|1 million||Pentium III 450-700 MHz (dual)||2 GB||1.5 GB|
|10 million||Pentium III 450-700 MHz (2 to 4)||2+ GB||15 GB|
Requirements for processors might be greater than the table indicates, depending on the services hosted by the computer as well as the number of authentications, reads, and writes the computer handles. Processes such as encryption and indexing can be processor intensive.
- Back up eDirectory before any upgrades, installations, or migrations.
- (Conditional) If you need to upgrade to eDir 8.7.3 IR5, consider the following:
- The root of the production tree needs to be eDir 8.7.3 IR5 or later.
- The Certificate Authority server needs to be the most recent. (i.e. NW 6.5 SP7 or OES 2).
- Any older (NDS product) servers should not hold any replicas of the tree.
For additional upgrade information see the Novell eDirectory 8.8 Installation Guide.
- (Conditional) Make sure gettext is installed if you will be using the nds-install utility to perform the installation.
To check, run the following command:
rpm -q gettext
This displays the package and the version (if it is installed).
If you need to install gettext, see http://www.gnu.org/software/gettext/.
- Enable the Linux host for multicast routing.
To determine whether the host is so enabled, enter the following command:
The following entry should be present in the routing table:
If the entry is not present, log in as root and enter the following command to enable multicast routing: The -interface could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.
- Make sure NICI is installed. Instructions differ depending on whether a root or nonroot user is doing the installation.
NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size (2 KB) does not change. The only way to create a 4 KB key size is to recreate the CA on an eDirectory 8.8 server and change the default key size from 2 KB to 4 KB during the CA creation.
See Section 3.6.2, "Installing NICI" in the Novell eDirectory 8.8 Installation Guide.
eDirectory prompts for the installation of NICI during installation if it is not already installed.
Warning: Novell strongly encourages using the NICI install program provided on each platform to install and configure NICI. NICI installed by other means can cause irreparable damage. It might be necessary to remove NICI, perhaps remove other items such as certificates that you have purchased, and reinstall NICI properly.
- For secure Novell eDirectory operations, download the NICI Foundation Key file.
You can obtain an evaluation file from the Novell eDirectory Eval License Download Web site. You'll need the NICI Foundation Key in order to create Certificate Authority and Key Material objects.
- Make sure SLP is installed and configured.
With eDirectory 8.8, SLP is not installed as part of the eDirectory installation. If you plan to use SLP to resolve tree names, it needs to be installed and configured before proceeding with the eDirectory installation. SLP DAs also need to be stable. Only a root user can install SLP.
See Section 3.6.1, "Using SLP with eDirectory" in the Novell eDirectory 8.8 Installation Guide for information.
Enter the following command:
rpm -ivh SLP_rpm_file_name_with path
where path is the setup directory in the build (for example, /home/build/Linux/Linux/setup/novell-NDSslp-8.8-20i386.rpm directory)
- Synchronize the time on all network servers in the tree.
Use Network Time Protocol's (NTP) xntpd to synchronize time. To synchronize time on Linux with NetWare servers, use timesync.nlm 5.09 or later. You are prompted to synchronize time during the eDirectory configuration process if you are installing eDirectory as an add-on to the OES 2 Linux installation.
- Make sure the compat-libstdc++RPM is present on your host machine.
- (Conditional) For YaST based installations, install the java 1_4_2 jre package. This contains libjava.so and libjvm.so.
- If you are installing a secondary server, make sure all replicas in the partition that you install the product on are in the On state.
You will need Supervisor rights to the container the server is being installed into and to the partition where you want to add the server and Browse and Read and Compare rights to the Security container object.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. If the secondary being added is of a later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.
- If you will be installing ConsoleOne, make sure the file system supports symbolic links
- Force the Backlink process to Run.
Because the internal eDirectory identifiers change when upgrading, the backlink process must update backlinked objects for them to be consistent.
Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open, and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).
After migrating to eDirectory, start the ndstrace process by issuing the ndstrace -l>log& command, which runs the process in the background. You can force the backlink to run by issuing the ndstrace -c set ndstrace=*B command from the ndstrace command prompt. Then you can unload the ndstrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.
Installing eDirectory 8.8 on OES 2 (Linux)
Several different installation options are possible:
- Installing eDirectory along with the OES 2 Linux operating system (OES 2 Linux installation) using a pattern eDirectory install.
- This service selects and installs these companion services:
- Novell Backup/Storage Management Services (SMS)
- Novell Linux User Management (LUM)
- Novell Remote Manager (NRM)
- To install eDirectory (and other add-on services) when you install OES 2 Linux, select the pattern during the initial server installation or install them later.
- Using the nds-install utility. This utility is found in the Setup directory of the downloaded file for the Linux platform.
- Using ZENworks Linux Management (both command line and GUI).
- Using ndsconfig (adding and removing replicas, configuring multiple instances, or installing into a tree with dotted name containers).
The eDirectory pattern install is documented in OES 2: Linux Installation Guide. See "Customizing the Software Selections" and "Installing or Configuring OES 2 Services on an Existing OES 2 Linux or SLES 10 SP1 Server."
Instructions for using nds-install, ndsconfig, and ZENworks are included in the Novell eDirectory 8.8 Installation Guide. See section 3.0, "Installing or Upgrading Novell eDirectory on Linux."
Installing eDirectory during the OES 2 Linux (SLES 10) Installation
To install any of the OES 2 patterns (eDirectory among them) when you install the operating system, you need to customize the software selections; otherwise, only the base SLES 10 and base OES packages are installed.
None of the OES Services is selected by default. This lets you fully customize your OES server. Some services require eDirectory to be installed on the local server. Where this is the case, you will be prompted to install eDirectory if it isn't already installed. If you want OES components to use a local eDirectory database, we recommend that you install eDirectory before installing any other OES components.
Note: You will be asked whether to configure Linux User Management (LUM) when you install eDirectory. LUM needs to be enabled for all NSS users and will be needed when you migrate files from NetWare NSS volumes to OES Linux NSS volumes to prevent file ownership problems. You will also need LUM if your eDirectory users will log in to Linux. Setting up LUM on SLES v10 is described in TID 3994289.
Complete the following steps to install eDirectory"
- On the installation program's Installation Settings page, click Software and select eDirectory (see the screen shot below).
Important: If you deselect a pattern after selecting it, the installation program won't install the pattern or any of the dependent patterns. Rather than deselecting a pattern, click Cancel, and then click the Software heading again to choose your selections again.
Selecting a pattern automatically selects the other patterns that it depends on.
- When the software components you want to install have been selected, click Accept.
- (Conditional) If the prompt for Automatic Changes displays, click Continue.
- (Conditional) If prompted, resolve any dependency conflicts.
- Continue with the OES 2 Linux (SLES 10) installation, and, when finished, reboot the server.
- Review the selected installation settings. When they are correct, click Accept.
- On the Confirm Installation page, click Install.
The base installation settings are applied and the packages are installed.
After the server reboots, you can configure services as needed, eDirectory among them (see "Configuring eDirectory on OES 2").
You can also install and configure any of the patterns later. See Section 4.1, "Installing or Configuring OES 2 Services on an Existing OES 2 Linux or SLES 10 SP1 Server" in the OES 2 Linux Installation Guide.
Installing the eDirectory Server in a New eDirectory Tree
If you are creating a new eDirectory tree on your network, note that the first server is important for two reasons:
- Basic eDirectory tree structure is created during the first installation.
- The first server permanently hosts the Certificate Authority for your organization.
- In the OES 2 Linux installation program's eDirectory Configuration - New or Existing Tree page, select New Tree and specify a name for the eDirectory tree you want to create.
- Select the Use eDirectory Certificates for HTTPS Services check box to replace the existing YaST server certificate and key files with eDirectory server certificate and key files (default).
Important: Selecting the Use eDirectory Certificates for HTTPS Services check box overwrites existing certificate configuration files. On an existing SLES 10 server that already has certificates installed and configured, leave this option deselected to preserve the existing certificate configuration.
Most OES services that provide HTTPS connectivity are configured by default to use the self-signed common server certificate created by YaST. Self-signed certificates provide minimal security and limited trust, so consider using eDirectory certificates instead.
If you select this option, eDirectory automatically backs up the currently installed certificate and key files and replaces them with files created by the eDirectory Organizational CA (or Tree CA).
The default YaST server certificate and key files are:
- Key file: /etc/ssl/servercerts/serverkey.pem
- Certificate file: /etc/ssl/servercerts/servercert.pem
The eDirectory server certificate and key files are:
- Key file: /etc/ssl/servercerts/eDirkey.pem
- Certificate file: /etc/ssl/servercerts/eDircert.pem
For more information, see "Certificate Management in the OES 2: Planning and Implementation Guide.
- Click Next and from the New Tree Information page, specify the information requested (FDN and password).
- Click Next and from the eDirectory Configuration - Local Server Configuration page, specify the information requested:
*The context for the server object in the eDirectory tree.
*A location for the eDirectory database. The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect the number of objects in your tree to be large and the current file system does not have sufficient space.
- The ports to use for servicing LDAP requests. The default ports are 389 unsecure and 636 secure.
- The ports to use for providing access to iMonitor. The default ports are 8028 unsecure and 8030 secure.
- When the configuration is complete, click Next.
- Specify options for synchronizing server time. On the eDirectory Configuration - NTP & SLP page, select the Network Time Protocol NTP server field to specify the time source all servers in the tree will use.
- Specify SLP configuration options. On the eDirectory Configuration - NTP & SLP page, specify the SLP options you need.
- Select the Novell Modular Authentication Services (NMAS) login method. On the Novell Modular Authentication Services page, select all the login methods you want to install.
- Configure any other server services you have selected.
- 1After selecting and resolving all product configuration options, click Next to configure all of the components and finish the installation.
Installing an eDirectory Server into an Existing Tree
Consider the following before installing into an existing tree:
- Check DNS and SLP. If you will be installing an eDirectory server into an existing tree, make sure DNS and SLP are working well. If you still have problems, consider using DNS entries in the /etc/hosts file and adding a DNS entry for the Treename.
- Check eDirectory versions. Make sure the eDirectory versions in the tree are compatible with eDirectory 8.8.2. Novell's Linux impact team suggests that every server in the tree be at 8.7.3.x for an 8.8 install because of schema extension issues. If you are running a currently supported OS (NW 6.5, SLES 9/10 or OES) and currently supported eDirectory (8.7.3 or 8.8) you should have no problems. If you are running anything earlier (OS or eDir), eDirectory may or may not work depending on which functions you are using. You would also be on your own if you call Support because earlier versions are no longer supported in the life cycle matrix.
- Update Master replicas. If you are installing OES 2 Linux servers into a tree containing NetWare 6.5 servers, be sure that all of the NetWare eDirectory master and replica servers have been updated to SP6 or later prior to installing OES 2 Linux and eDirectory.
See also Choosing an eDirectory Version on page 17 for additional recommendations.
- Verify eDirectory Health. Novell Support has reported a significant number of installation incidents related to eDirectory health and time synchronization. To avoid such problems, do the following prior to installing:
- Understand coexistence and migration issues
- Make sure eDirectory is healthy
- Check Time Synchronization (Existing Tree)
OES 2 Linux and NetWare servers can receive network time from either an existing eDirectory server or from an NTP time source. The critical point is that the entire tree must be synchronized to the same time sources. For example, do not set your new OES 2 server to receive time from an NTP source unless the whole tree is synchronized to the same NTP source.
If you are installing into an existing tree, the OES 2 Linux install proposes to use the IP address of the eDirectory server (either NetWare or Linux) as the NTP time source. This default should be sufficient unless one of the following is true:
- The server referenced is a NetWare 5.0 or earlier server, in which case you need to identify and specify the address of another server in the tree that is running either a later version of NetWare or OES 2 Linux.
- You will have more than 30 servers in your tree. In this case, you'll need to configure the server to fit in your planned time synchronization hierarchy. For more information, see "Planning a Time Synchronization Hierarchy before Installing OES" in the OES 2: Planning and Implementation Guide.
The OES 2 Linux install activates the xntp daemon and configures it to synchronize server time with the specified NTP time source. After the install completes, you can configure the daemon to work with additional time sources to ensure fault tolerance. For more information, see Changing Time Synchronization Settings on a SLES 10 Server in the OES 2: Planning and Implementation Guide.
Also refer to Section 12.3, "Time Synchronization" in the OES 2: Planning and Implementation Guide for additional information and cross references.
To install eDirectory
- In the OES 2 Linux installation program's eDirectory Configuration - New or Existing Tree screen, select Existing Tree and specify a name for the eDirectory tree you want to join.
- Select the Use eDirectory Certificates for HTTPS Services check box to replace the existing YaST server certificate and key files with eDirectory server certificate and key files (default). Refer to Step 2 above relative to HTTPS Services.
- At the eDirectory Configuration - Existing Tree Information dialog, specify the required information:
- The IP address of an existing eDirectory server with a replica
- The NCP port on the existing server
- The LDAP and secure LDAP port on the existing server
- The fully distinguished name and context for the user Admin on the existing server
- The password for user Admin on the existing server
- When the configuration is complete, click Next.
- In the eDirectory Configuration - Local Server Configuration dialog, specify the following information:
- The context for the server object in the eDirectory tree.
- A location for the eDirectory database. The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect the number of objects in your tree to be large and the current file system does not have sufficient space.
- The ports to use for servicing LDAP requests. The default ports are 389 unsecure and 636 secure.
- The ports to use for providing access to iMonitor. The default ports are 8028 unsecure and 8030 secure.
- After selecting the services to be installed, click Accept.
- Change the default configuration information as needed:
- Specify options for synchronizing server time On the eDirectory Configuration - NTP & SLP page, select the Network Time Protocol NTP server field to specify the time source all servers in the tree will use.
- Specify SLP configuration options. On the eDirectory Configuration - NTP & SLP page, specify the SLP options you need.
- Select the Novell Modular Authentication Services (NMAS) login method. On the Novell Modular Authentication Services page, select all the login methods you want to install.
- Configure any other server services you have selected.
- After selecting and resolving all product configuration options, click Next to configure all of the components and finish the installation.
Adding LDAP Authentication Through eDirectory
This section was originally published as part of a Cool Solutions AppNote: "Complete NetWare to OES Linux Migration Guide" written by Mike Faris, Sr. Network Engineer at Aviall. It is reprinted here with permission.
Managing and maintaining password files can be a hassle. To make this easier, especially if you have a number of OES 2 Linux servers, configure local authentication to use LDAP and eDirectory, and then simply add designated users and administrators, to the LUM group; this gives them local access. Root and other predefined local accounts are not affected. Follow the steps below.
- Type yast at the command line.
- Select the Network/Advanced section and then > LDAP client.
- Select Use LDAP.
- Add the LDAP server in the server field and the search base where users are located.
Base DN: o=[org]
Addresses of LDAP Servers: my-edir-serv.mydomain.com
- Select LDAP TLS/SSL.
- Select Advanced Configuration and specify the following:
User Map: o=[org]
Password Map: o=[org]
Group Map: dc=[org]
Password Change Protocol: nds
Group member Attribute: member
- Select Administration Settings from the top of the box.
Configuration Base DN: o=[org]
Administration DN: o=[org]
- Select Accept and save your changes by clicking Finish.
- Edit the /etc/nsswitch.conf file by modifying the following lines:
passwd: compat nam
group: compat nam
passwd_compat: ldap files
group_compat: ldap files
There are two primary sources for eDirectory installation and configuration information. You'll want to check both the OES 2 Linux Installation Guide and the Novell eDirectory 8.8 Installation Guide as indicated below:
Instructions for completing eDirectory installation and configuration steps are included in the following sections of the OES 2 Linux Installation Guide:
- Section 3.0, "Installing Open Enterprise Server 2 Linux," particularly Section 3.3, "Installing OES 2 Linux As a New Installation"
- Section 4.0, "Installing or Configuring OES 2 Services on an Existing OES 2 Linux or SLES 10 SP1 Server "
Other installation-specific options are documented in the following sections of the Novell eDirectory 8.8 Installation Guide:
- Section 3.6.1, Ã¢â‚¬Å“Using SLP with eDirectoryÃ¢â‚¬Â
- Section 3.6.2, Ã¢â‚¬Å“Installing NICIÃ¢â‚¬Â
- Section 3.6.3, Ã¢â‚¬Å“Using the nds-install Utility to Install eDirectory ComponentsÃ¢â‚¬Â
- Section 3.6.4, Ã¢â‚¬Å“Installing Through ZENworks Linux Management on OES Linux SP2Ã¢â‚¬Â
- Section 3.6.5, Ã¢â‚¬Å“Nonroot User Installing eDirectory 8.8Ã¢â‚¬Â
- Section 3.6.6, Ã¢â‚¬Å“Using the ndsconfig Utility to Add or Remove the eDirectory Replica ServerÃ¢â‚¬Â
- Section 3.6.7, Ã¢â‚¬Å“Using ndsconfig to Configure Multiple Instances of eDirectory 8.8Ã¢â‚¬Â
- Section 3.6.8, Ã¢â‚¬Å“Using ndsconfig to Install a Linux Server into a Tree with Dotted Name
- Section 3.6.9, Ã¢â‚¬Å“Using the nmasinst Utility to Configure NMASÃ¢â‚¬Â
- Section 3.6.10, Ã¢â‚¬Å“nonroot user SNMP configurationÃ¢â‚¬Â
Using ndsconfig to Install eDirectory
You can use the ndsconfig utility to add an eDirectory replica server to an existing tree or add an eDirectory server to an existing tree.
This utility is located in the Setup directory of the downloaded file for the Linux platform. The utility adds the required packages based on the components you choose to install.
Administrator rights are required.
- 1.Enter the following command at the Setup directory:
- 2.To install eDirectory components, use the following syntax:
nds-install [-c <component1> [-c <component2>]...] [-h] [--help] [-i] [-j] [-u]
|-c|| Specifies the component to be installed based on the packages available. You can install more than one component by using the -c option multiple times.
There are two components you can install: the eDirectory server and the eDirectory administration utilities.
For example, to install Novell eDirectory Server packages, enter the following command: ./nds-install -c server
|-h or --help||Displays help for nds-install.|
|-i||Prevents the nds-install script from invoking the ndsconfig upgrade if a DIB is detected at the time of the upgrade.|
|-j||Jumps or overrides the health check option before installing eDirectory. For more information about health checks, refer to Section B.0, "eDirectory Health Checks (in the Novell eDirectory 8.8 Installation Guide)|
|-u|| Specifies the option to use in an unattended install mode.
For the unattended install to proceed, you need to enter at least the -c option at the command line, or else the install will abort
Create a New Tree
To create a new tree, enter
You can specify the following parameters:
[-t <treename>] [-n <server context>] [-a <admin FDN>] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-p <IP address:[port]>] [-R] [-c] [-w <admin password>] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,...] [-D <custom_location>] [--config-file <configuration_file>]
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
A new tree is installed with the specified tree name.
Add a Server to an Existing Tree
To add a server to an existing tree, use the following syntax:
For example, to add a server into an existing tree, you could enter the following command:
ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1F
The following parameters can be specified:
[-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-e] [-P <LDAP URL(s)>] [-L <ldap port>] [-l <SSL port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-S <server name>] [-d <path for dib>] [-m <module>] [-p <IP address:[port]>] [-R] [-c] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>] [-E]
A server is added to an existing tree in the specified context. If the needed context does not exist, ndsconfig creates the context and adds the server.
LDAP and security services can also be added after eDirectory has been installed into the existing tree.
An explanation of ndsconfig parameters is included in Section 3.6.6, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server" in the Novell eDirectory 8.8 Installation Guide.
Note: You can also use ndsmanage to create a new tree or add eDirectory to an existing tree. See Section 3.6.7, "Using ndsconfig to Configure Multiple Instances of eDirectory 8.8."
Configuring eDirectory on OES 2
If you install eDirectory as part of the OES 2 Linux installation, you can set or change default configuration parameters during the installation process. Also included are options to create a new tree and install the server in that new tree or install the server into an existing tree (see Installing eDirectory 8.8 on OES 2 (Linux on page 28).
If you need to reconfigure eDirectory after installation, use iMonitor or iManager rather than YaST. The configuration provided in YaST is intended for the initial eDirectory installation and configuration only.
Other Linux Configuration Utilities
Novell eDirectory takes advantage of several other configuration utilities to simplify the configuration of various eDirectory components on Linux systems. If you use any of the utilities listed below, follow the instructions provided.
- ndsconfig - Add an eDirectory Replica Server to an existing tree or create a new tree and configure existing servers. See Section 4.6.6 and Section 9.1.1 in the Novell eDirectory 8.8 Installation Guide.
- ndsmanage - Add eDirectory instances to an existing tree or create a new tree and configure eDirectory.
- ldapconfig - Modify, view, and refresh the attributes of LDAP servers and LDAP group objects. See also "Using the ladapconfig Utility on Linux and UNIX" in the Novell eDirectory 8.8 Administration Guide.
- nmasinst - Configure Novell Modular Authentication Service. See Section 3.6.9, "Using the nmasinst Utility to Configure NMAS." You can also configure NMAS with ndsconfig. See Section 3.6.9 "Using the nmasinst Utility to Configure NMAS" in the Novell eDirectory 8.8 Installation Guide.
See Section 3.5.3, "Configuring eDirectory 8.8 Through YaST After Upgrade" and Section 9.0, "Configuring Novell eDirectory on Linux, Solaris, AIX, or HP-UX Systems" in the Novell eDirectory 8.8 Installation Guide. Configuration parameters are explained in Section 9.2.
OES 2 (with eDirectory 8.8) includes a migration tool, migedir, that works well if you intend to migrate only eDirectory. The eDirectory migration utility handles the scenario in which the entire server identity is migrated to the target server. This means that eDirectory no longer exists on the source and, hence, other OES Migration Tools will not work against this NetWare server.
If you intend to migrate other services from NetWare to OES 2 Linux, the migedir utility can't be used; you can however, move eDirectory using a process that takes advantage of replicas.
In this scenario, you copy the existing eDirectory information from a NetWare server to a new OES 2 Linux server, without the Linux server assuming the NetWare server's identity. You can then migrate objects to the new OES Linux branch and then gradually retire the older NetWare branch. Once you've added a branch, it's easy to drag and drop users and login scripts, certificates, and PKI so they don't have to be recreated.
Both processes are explained in this section.
Migration Process Using Replicas
- Create a new OES 2 server and create a new eDirectory 8.8 tree on Linux.
- Create an eDirectory replica on the target Linux server by attaching it to the same replica ring as the source NetWare server.
This creates two instances of eDirectory in the environment. The OES Migration Tools do a non-destructive migration of all services; hence, they need both servers with their respective directories up and running.
- Allow the Linux directory to synchronize.
If necessary, you can rework the layout of your tree structure, remap the location of all user objects in your new tree, and delete any user objects that are no longer needed.
- Once eDirectory synchronization of the replica is complete, run the required service migrations with the OES Migration Tools.
- Retire the older NetWare server.
Except where dependencies exist, there is no required order for migrating services in the same tree. An example of a dependency would be that the Archive and Versioning service depends on the file system.
Migration Process Using migedir
eDirectory migration from NetWare requires both the migration of eDirectory data and the server identity to provide seamless accessibility after the migration. The eDirectory migration utility provided with eDirectory 8.8 SP2 (the migedir command line utility) performs many pre-migration tasks, health validations, server backups, server migration, and post-migration tasks for you. All eDirectory objects, including user objects, are moved.
The eDirectory database is upgraded to a new format when SP2 is installed. The appropriate upgrade utility is called after the packages are upgraded to eDirectory 8.8.
eDirectory migration is performed independent of the OES migration framework. The complete migration task is performed by invoking the migedir command line utility.
This section provides basic information. Refer to the eDirectory installation, upgrade, and migration sections in the Novell eDirectory 8.8 Installation Guide for complete information.
Important: Even though eDirectory migration using migedir is tested and certified by Novell test labs, it is not a complete solution for migrating from NetWare to Linux. The migedir utility is intended as a standalone migration utility to be used when you want to migrate eDirectory alone and can't be used in concert with any of the other OES Migration Tools. Once the migedir utility is used, the services on the source server (NetWare 6.5) are no longer available. Compatibility issues with other utilities are scheduled to be addressed in OES 2 SP1, but until then you must choose between using migedir and using other OES Migration Tools.
The migedir migration utility handles the following:
Pre-migration. The utility performs the following checks:
- The health and state of the replicas in the ring are verified.
- Configuration information for the server being migrated is collected and written to a configuration file to be used by other operations during the migration.
- Time synchronization is verified between the source and target servers.
- The target server is checked for any existing eDirectory instances.
- If an instance exists, the user is prompted and the existing instance removed before proceeding with the migration.
- If the instance doesnÃ¢â‚¬â„¢t exist, a new instance is configured and used.
Migration. The utility migrates the eDirectory instance based on the collected configuration information. This involves backing up the source server data, locking the eDirectory instance on the source server, migrating data (all eDirectory objects) to the target server, and restoring the eDirectory instance on the target server. Dependent NICI files are also migrated.
The utility also configures the local instance on the target server with the source server details obtained during the previous checks.
Post-migration. After migration, the following tasks are performed by the utility:
- The nds.conf configuration file is modified with the source server eDirectory instance information, such as tree name and server name.
- The eDirectory instance on the target server is restarted so it can use the new data.
- Network address repair is performed to start the synchronization of the new IP address in the replica ring.
Source NetWare Server
The source NetWare server should be running and should not be part of any partition operation at the time of the migration.
The source has to be eDirectory 8.7.3 IR5.
Linux Target Server
- The target server must be running OES 2 Linux.
- eDirectory 8.8 SP2 RPMs should already be installed. You can install and configure eDirectory through YaST.
- The default eDirectory 8.8 SP2 instance must already be configured and be active (this instance will be overwritten during the migration).
- The target Linux server must be able to access the NetWare server remotely. (The eDirectory migration utility runs only on the target server.)
The eDirectory migration utility is designed to run only on OES 2 Linux, which is the target platform for migration. Hardware and supported platform requirements are the same as those for OES 2 Linux.
- IP address and DNS migrations are not performed by the eDirectory migration utility.
- Only the eDirectory instance will be migrated. Applications depending on eDirectory will not.
- Only the target server will be available after the migration. The source server will be locked.
Note: You should not use this migration methodology if both servers need to be available during the migration operation.
- Run the migedir utility by entering the following command on the target server:
migedir -s <IP address> [-A <log directory name>] [-t] [-v] [-h]
The utility takes the following command line options:
Option Description -s <IP address> Specifies the IP address of the source server containing the eDirectory instance to be migrated. This is a mandatory parameter. -A directory name Enables auditing. Directory name specifies the directory in which log files should be created. -t Tests the validity of the input parameters.
This option verifies the IP address; however, it does not perform the actual migration.
-v Enables the verbose mode. -h Prints help about using this utility.
- Follow the on-screen display as the utility performs the migration.
During migration, the database on the source server is locked to avoid running multiple copies of the instance on the source and target servers at the same time. Running multiple instances can lead to data inconsistency. If the process fails, and if you intend to bring up the source server again, you need to perform the following tasks:
- Remove the partially migrated eDirectory instance on the target server.
Refer to "Removing a Server Object and Directory Services from a Tree" in the Novell eDirectory 8.8 Administration Guide for more information.
- Restore and unlock the database in the source server. The database backup is saved in the sys:ni/data folder.
Refer to Section 15.0, "Backing Up and Restoring Novell eDirectory" in the Novell eDirectory 8.8 Administration Guide for more information.
Post Migration Procedures
After migration, the target eDirectory instance listens on the IP address of the target server and not on the source serverÃ¢â‚¬â„¢s address. Allow additional time after migration for the eDirectory instance to synchronize the new IP address in the replica ring. Successful eDirectory migration can be verified by performing eDirectory operations on the new IP address.
Important: If you want to use the existing security certificates, you must change the IP address of the target server to that of the source server. If you donÃ¢â‚¬â„¢t want to do this, you must issue new certificates.
If you change the IP address of the target server after migration, you must modify the nds.conf file, restart the eDirectory instance, and repair the network address and partitions replica manually. For more information on repairing eDirectory instances, refer to Section 11.9, "Advanced DSRepair Options" in the Novell eDirectory 8.8 Administration Guide.
Move, Create, or Import Users
If you have opted to create a new tree and don't use the migedir utility to migrate eDirectory from NetWare to Linux, you'll need to decide how to move user objects from one tree to another. Several options are available:
Use Novell Identity Manager. One method is setting up a Novell Identity Manager connection between your old tree and your new one. This will allow you to easily synchronize user objects to the new tree. You can also use Identity Manager to remap the location of all user objects in your new tree.
Create and Import an LDIF file. Create an LDIF file containing user objects and use iManager to import it. Configure the LDIF file so it creates a Users' organization container and then places an object for each user in it.
Note: See the Cool Solutions AppNote: "Moving User Home Directories the sed Way" written by Jim Pye for another way to use ICE tools to modify the LDIF file before importing users and other objects into the new tree. Modifying LDIF files with sed can be helpful if you need to automate mass changes.
- Create an LDIF file containing user objects.
- Use iManager to import the file (eDirectory Maintenance > Import Convert Export Wizard)
- Add the User Objects to the tree (in the 0=Users container).
- Create the containers you need (iManager > Roles and Tasks > eDirectory Administration > Create Object).
- Once the user objects have been imported and the lower level container created, move users from the Users container to the appropriate containers (iManager > Roles and Tasks > eDirectory Administration > Move Object).
Remove Directory Services from NetWare
At some point, you may want to remove directory services from NetWare. Follow the instructions below:
Important: Removing eDirectory from a NetWare server makes the NetWare volumes and file system inaccessible. Removing eDirectory also removes the roll-forward log directory and all existing logs. If you anticipate needing the logs to restore eDirectory on this server in the future, first copy the roll-forward logs to another location before removing eDirectory. For information about roll-forward logs, see "Using Roll-Forward Logs" in the Novell eDirectory 8.8 Administration Guide.
- At the NetWare server console, run NWCONFIG.
- Select Directory Options > Remove Directory Services from This Server.
- Follow the online instructions.
Accessing eDirectory Management Tools
Several tools, many of them Web-based, can be used to manage aspects of eDirectory. Primary tools are listed here.
ConsoleOne. Is not supported to perform administration tasks against an OES2 Linux server. If you have a service that requires ConsoleOne (such as Novell GroupWise), it is supported for administration of those applications.
iManager 2.7. This utility manages both NetWare and Linux servers from any server or workstation running Internet Explorer 5.5 SP2 or later or Netscape 6.2 or later. Use iManager to set up and manage your Novell eDirectory tree, to manage eDirectory objects, schema, partitions, and replicas, and to create and manage users, groups, and other objects.
iMonitor. Novell iMonitor provides cross-platform monitoring and diagnostic capability for all servers in an eDirectory tree. Servers can be monitored from any location on the network where a Web browser is available. For information, see Section 8.0, "Using Novell iMonitor 2.4" in the Novell eDirectory 8.8 Administration Guide.
Novell Remote Manager (NRM) for Linux. This browser-based utility can be used to manage Linux servers from a remote location. Use it to monitor server health, change the server configuration, or perform diagnostic and debugging tasks. It does not require a special client, provides a graphical interface, and provides added functionality that is not available in other management utilities. For information, see the OES 2: Novell Remote Manager Administration Guide for Linux.
Novell Import Conversion Export Utility (ICE). The Novell Import Conversion Export utility lets you
- Import data from LDIF files to an LDAP directory
- Export data from the LDAP directory to an LDIF file
- Migrate data between LDAP servers
- Perform a schema compare and update
- Load information into eDirectory using a template
- Import schema from SCH files to an LDAP directory
You can run the Novell Import Conversion Export client utility from the command line, from a snap-in to ConsoleOne, or from the Import Convert Export Wizard in Novell iManager. The comma-delimited data handler, however, is available only in the command line utility and Novell iManager.
Refer to Section 6.1, "Novell Import Conversion Export Utility" in the Novell eDirectory 8.8 Administration Guide.
eDirectory Management Toolbox (eMBox). This tool lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.
eMBox must be loaded and running on the eDirectory server and Role Based Services must be configured through iManager to the tree that is to be administered in order for eMBox tools to run.
Note: For additional information, refer to Section 20.0, "The eDirectory Management Toolbox" in the Novell eDirectory 8.8 Administration Guide.
Commandline Configuration Tools. The following commandline tools, specific to eDirectory, are also available:
- ndsconfig Utility. Use this utility to configure eDirectory, to add the eDirectory replica server to an existing tree, or to create a new tree.
See Section 9.2 in the Novell eDirectory 8.8 Installation Guide for configuration parameters and Section 3.6.6 for instructions for adding or removing replica servers.
- ldapconfig Utility. Use this utility to configure the LDAP Server and LDAP Group Objects. For more information, see Ã¢â‚¬Å“Using the ldapconfig Utility on Linux and UNIXÃ¢â‚¬Â in the Novell eDirectory 8.8 Administration Guide.
- nmasinst Utility. Use this utility to configure Novell Modular Authentication Service. From eDirectory 8.7.3 onwards, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux to configure NMAS. ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you need to use nmasinst after you have configured eDirectory with ndsconfig. See Section 3.6.9 in the Novell eDirectory 8.8 Installation Guide.
- General Utilities. Refer to Section B.1, "General Utilities" in the Novell eDirectory 8.8 Administration Guide for a list and description of commandline tools along with syntax and to Section B.2 for LDAP-specific commands.
Information about these and other utilities is also included in the OES 2: Utilities Reference.
Additional eDirectory Resources
- eDirectory 8.8 Documentation
- eDirectory Cool Solutions
- eDirectory Health Check - Online Training
- eDirectory Health Check - Cool Solutions
- Bridging from NW to OES
- eDirectory Training Courses
Refer to the chart below:
|Class||Level||Duration||Delivery Method||Product Association|
|3007||Novell eDirectory Tools and Diagnostics||3 - Advanced||5 Days||Classroom, Self-Study Kit||eDirectory 8.7.3|
|3017||Fundamentals of Novell eDirectory||2 - Intermediate||5 Days||Classroom, Self-Study Kit||eDirectory 8.7.3|
|3067||Novell eDirectory Design and Implementation: eDirectory 8.8||2 - Intermediate||3 Days||Classroom, Self-Study Kit||eDirectory 8.8|
|Advanced Technical Training, Novell eDirectory 8.8||4 - Expert||3 Days||Classroom||eDirectory 8.8|