Installing and Configuring LDAP Services for eDirectory

Novell LDAP Services for eDirectory is installed through the eDirectory installation. You can modify the default configuration of LDAP Services for eDirectory using ConsoleOne. For more information, see Installing and Upgrading Novell eDirectory.

Two new objects are added to your directory tree when eDirectory is installed:

  • An LDAP Server object, named LDAP Server server_name, created in the same container as the Server object.

  • An LDAP Group object, named LDAP Group server_name, created in the same container as the Server object.


Loading and Unloading LDAP Services for eDirectory

LDAP Services for eDirectory can be loaded and unloaded manually. To load LDAP Services for eDirectory, enter the following commands:


Table 100. Commands to Load LDAP Services for eDirectory

Server              Command
NetWare             At the console prompt, type LOAD NLDAP.NLM.
Windows NT/2000     In the DHOST (NDSCONS) screen, select NLDAP.DLM > click Start.
Linux or Solaris    At the Linux or Solaris prompt, type /usr/sbin/nldap -l

To unload LDAP Services for eDirectory, enter the following commands:


Table 101. Commands to Unload LDAP Services for eDirectory

Server              Command
NetWare             At the console prompt, type UNLOAD NLDAP.NLM.
Windows NT/2000     In the DHOST (NDSCONS) screen, select NLDAP.DLM > click Stop.
Linux or Solaris    At the Linux or Solaris prompt, type /usr/sbin/nldap -u


Tuning LDAP for eDirectory

The following are the optimal settings for eDirectory LDAP search and authentication on a server with two processors and 2 GB of RAM:


Table 102. Optimal Settings for eDirectory LDAP Search and Authentication

Setting                                        Value
Maximum TCP port limit                         45000
Maximum pending TCP connection requests        4096
Maximum packet receive buffers                 10000
Minimum packet receive buffers                 3000
Maximum physical receive packet sizes          2048
Maximum concurrent disk cache writes           2000
Maximum concurrent directory cache writes      500
Maximum directory cache buffers                200000
Maximum number of internal directory handles   100
Maximum number of directory handles            20
DSTRACE                                        !mxxxxxx

Replace xxxxxx with the amount of RAM in bytes to use as cache.

On NT, create a text file named _ndsdb.ini in the directory containing the eDirectory database files, then add the cache line there (see Managing the Memory below).


Managing the Memory

eDirectory uses memory for the database cache and for directory usage. These are separate allocated memory pools. The directory engine uses memory from available memory pools in the operating system as needed. The database uses a cache pool that is defined by parameters detailed below. Usually, the more database cache given to eDirectory, the better the performance. However, since eDirectory uses available system memory for its buffers, if clients are performing queries that require large data sets to be returned, the size of the database cache might need to be decreased to have enough system memory for the directory to handle building the query responses.

The database engine uses the database cache to hold the most recently accessed blocks. This cache is initially defined with a fixed size of 16 MB. The size of this cache can be changed from the command line in shipping versions of eDirectory. The following example command will set the eDirectory database cache to 80 million bytes:

set dstrace=!mb 80000000

A file named _ndsdb.ini in the SYS:\NETWARE directory on a NetWare server, or in the directory containing the eDirectory database files on the Windows, Solaris, and Linux environments (normally \novell\nds\dbfiles) can also be defined. This text file simply needs to contain a line such as the following:

cache=80000000

Do not add any white space next to the equals (=) sign.

The cache in eDirectory 8.6 can be initialized with a hard limit just as with earlier versions. In addition, the upper and lower limits can be set either as hard numbers or as a percentage of available memory. Dynamic allocation control parameters allow the cache size to grow or shrink depending on use. If the proper configuration parameters are set, the database cache dynamically grows or shrinks based on other system resource needs.

Editing the _ndsdb.ini file can manually control database memory usage. The format for INI file commands is given below:

cache=cacheBytes # Set a hard memory limit

Alternative formats are shown in Table 103.


Table 103. Alternative INI Commands

Command Description

cache=cache_options

Sets a hard limit or dynamically adjusting limit. Multiple cache options can be specified in any order, separated by commas. All are optional. They are as follows:

DYN or HARD

Dynamic or hard limit.

AVAIL or TOTAL

These only apply if a hard limit was chosen. Omit these options for a dynamic limit.

%:percentage

The percentage of available or total physical memory.

MIN:bytes

The minimum number of bytes.

MAX:bytes

The maximum number of bytes.

LEAVE:bytes

The minimum number of bytes to leave for the OS.

blockcachepercent=percentage

Splits the cache between the block and record cache.

If a hard limit is specified and the administrator wants to define the database cache to use a percentage of the memory, the administrator can select between a percentage of total memory or a percentage of available memory. Dynamic limits always refer to a percentage of available memory. The following command examples are all valid in the _ndsdb.ini file.

The following is an example of a dynamic limit of 75% of available memory, a minimum of 16 million bytes, and 32 million bytes left for the OS:

cache=DYN,%:75,MIN:16000000,LEAVE:32000000

The following is an example of a hard limit of 75% of total physical memory, a minimum of 18 million bytes, and a maximum of 512 million bytes:

cache=HARD,TOTAL,%:75,MIN:18000000,MAX:512000000

The following is an example old style hard limit of 8 million bytes:

cache=8000000

The database cache is divided between block cache and record cache. Block cache holds data and index blocks that mirror the storage on the disk. Record cache holds in-memory representations of directory objects and attributes. If the directory is mostly being updated or added to, weight the split toward the block cache; if it is mostly being read, weight it toward the record cache. Numerous sequential updates without a properly sized cache can cause thrashing in both caches. Unless specifically changed, the cache is split 50% block cache and 50% record cache. The blockcachepercent option can be included in the _ndsdb.ini file to specify the percentage of the cache allocated to caching data and index blocks (the default is 50%); the remaining cache is used for entries.

For example, to designate 60% block cache and 40% record cache, enter the following:

blockcachepercent=60

Do not select 100% of the cache for either block or record cache and starve the other cache type. In general, do not allocate more than 75% of your cache memory to one or the other type.
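The cache= syntax of Table 103 and the block/record split described above, worked through in an added Python example that is not Novell's code and not part of this manual: it parses _ndsdb.ini lines, rejects the white space and malformed option forms the text warns about, estimates the resulting cache size for given total and available memory figures, and flags a blockcachepercent value that starves one cache type. The clamping order of %, MIN, MAX and LEAVE, the defaults assumed when DYN/HARD or AVAIL/TOTAL are omitted, the handling of trailing # comments, and the sample file contents are all assumptions made for illustration.

```python
import re

# Constructed sample _ndsdb.ini contents, not taken from a real server.
SAMPLE_INI = """\
cache=DYN,%:75,MIN:16000000,LEAVE:32000000
blockcachepercent=60
"""


class IniError(ValueError):
    """A line that eDirectory would not accept according to the documentation."""


def _key_value(line: str):
    """Split 'key=value', enforcing the no-white-space-around-'=' rule."""
    line = line.split("#", 1)[0].strip()    # assumption: '#' starts a comment
    if re.search(r"\s=|=\s", line):
        raise IniError(f"white space next to '=' is not allowed: {line!r}")
    key, sep, value = line.partition("=")
    if not sep or not value:
        raise IniError(f"expected key=value: {line!r}")
    return key.lower(), value


def parse_cache_options(value: str) -> dict:
    """Turn the text after 'cache=' into a dict of the options from Table 103."""
    if value.isdigit():                      # old-style form: a bare hard byte limit
        return {"mode": "HARD", "bytes": int(value)}
    opts = {"mode": "HARD", "base": None}    # assumption: HARD when DYN is omitted
    for token in value.split(","):
        tok = token.strip().upper()
        if tok in ("DYN", "HARD"):
            opts["mode"] = tok
        elif tok in ("AVAIL", "TOTAL"):
            opts["base"] = tok
        elif m := re.fullmatch(r"%:(\d+)", tok):
            opts["percent"] = int(m.group(1))
        elif m := re.fullmatch(r"(MIN|MAX|LEAVE):(\d+)", tok):
            opts[m.group(1).lower()] = int(m.group(2))
        else:
            raise IniError(f"unknown cache option {token.strip()!r} "
                           "(options take the form NAME:bytes, e.g. LEAVE:32000000)")
    if opts["mode"] == "DYN" and opts["base"]:
        raise IniError("AVAIL/TOTAL apply only to a HARD limit; omit them for DYN")
    if opts["mode"] == "HARD" and opts["base"] is None:
        opts["base"] = "TOTAL"               # assumption: TOTAL when neither is given
    return opts


def effective_cache_bytes(opts: dict, total_mem: int, avail_mem: int) -> int:
    """Estimate the cache size in bytes for the given memory figures.

    Dynamic limits always use available memory (per the text); the clamping
    order percentage -> MIN -> MAX -> LEAVE is an assumption for illustration.
    """
    if "bytes" in opts:
        return opts["bytes"]
    base = avail_mem if opts["mode"] == "DYN" or opts["base"] == "AVAIL" else total_mem
    size = base * opts.get("percent", 0) // 100
    size = max(size, opts.get("min", 0))
    if "max" in opts:
        size = min(size, opts["max"])
    if "leave" in opts:
        size = min(size, avail_mem - opts["leave"])
    return max(size, 0)


def check_block_cache_percent(percent: int):
    """Return a warning if the split gives either cache type more than 75%."""
    if not 0 <= percent <= 100:
        raise IniError(f"blockcachepercent must be 0-100, got {percent}")
    if percent > 75 or percent < 25:
        return (f"blockcachepercent={percent} gives one cache type more than 75%; "
                "the manual advises against starving the other cache")
    return None


def audit_ini(text: str, total_mem: int, avail_mem: int) -> dict:
    """Parse a whole _ndsdb.ini and report the resulting settings and warnings."""
    report = {"cache_bytes": None, "blockcachepercent": 50, "warnings": []}
    for raw in text.splitlines():
        if not raw.split("#", 1)[0].strip():
            continue                         # blank or comment-only line
        key, value = _key_value(raw)
        if key == "cache":
            report["cache_bytes"] = effective_cache_bytes(
                parse_cache_options(value), total_mem, avail_mem)
        elif key == "blockcachepercent":
            report["blockcachepercent"] = int(value)
            warning = check_block_cache_percent(int(value))
            if warning:
                report["warnings"].append(warning)
        else:
            report["warnings"].append(f"unrecognised _ndsdb.ini key {key!r}")
    return report


if __name__ == "__main__":
    # 2 GB total and 1 GB available, matching the sizing used in this section.
    print(audit_ini(SAMPLE_INI, 2_000_000_000, 1_000_000_000))
```

Run against the sample file with 2 GB total and 1 GB available, the dynamic example resolves to 750 million bytes (75% of available memory, well above the MIN and below the LEAVE ceiling), while the hard example in the text caps at its MAX of 512 million bytes; a line such as "LEAVE 32000000" with a space instead of a colon is rejected rather than silently ignored.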

Database cache settings can also be controlled using Novell iMonitor.

Although the cache size is dynamic depending on the amount of memory available, the DSTRACE command can still be used for custom environments.


Configuring the LDAP Server Object

The LDAP Server object stores configuration data for an LDAP Services for eDirectory server. During installation, an LDAP Server object named LDAP Server server_name is created (where server_name is the name of the server LDAP Services for eDirectory is installed on). The LDAP Server object is created in the same container as the Server object.

Each LDAP Server object configures one LDAP Services for eDirectory server. Do not assign the same LDAP Server object to more than one LDAP Services for eDirectory server. If you assign the LDAP Server object to another server, it is no longer assigned to the previous server.

  1. In ConsoleOne, right-click the LDAP Server object > click Properties.

  2. Enter the configurable parameters in the property pages.

    For more information on LDAP Server parameters, see the LDAP online help.

  3. Click Apply > OK.


Configuring the LDAP Group Object

The LDAP Group object stores configuration data that can be applied to a single LDAP server or a group of LDAP servers. If you plan to implement the same configuration on multiple servers, configure one LDAP Group object and assign it to each of the LDAP Services for eDirectory servers from the LDAP Server General Page.

The LDAP Group configures the class and attribute mappings and security policies on the server. This greatly simplifies configuration changes, because one configuration change can be applied instantly to multiple LDAP servers.

During installation, an LDAP Group object named LDAP Group server_name is created in the same container as the Server object.

To configure the LDAP Group object, use ConsoleOne to complete the following steps:

  1. In ConsoleOne, right-click the LDAP Group object > click Properties.

  2. Enter the configurable parameters in the property pages.

    For more information on LDAP Group parameters, see the LDAP online help.

  3. Click Apply > OK.


Configuring LDAP Server and LDAP Group Objects on Linux or Solaris Systems

You can use the LDAP configuration utility, ldapconfig, on Linux or Solaris systems to modify, view, and refresh the attributes of LDAP Server and Group objects.

Use the following syntax to view LDAP attribute values on Linux and Solaris systems:

ldapconfig [-t tree_name | -p host_name[:port]] [-w password] [-a user_FDN] [-V] [-R] [-H] [-f] -v attribute,attribute2...

Use the following syntax to modify values of LDAP attributes on Linux and Solaris systems:

ldapconfig [-t tree_name | -p host_name[:port]] [-w password] [-a admin_FDN] -s attribute=value,...


Table 104. ldapconfig Parameters

ldapconfig Parameter   Description
-t                     Name of the eDirectory tree where the component will be installed.
-p                     Name of the host.
-w                     Password of the user having administration rights.
-a                     Fully distinguished name of the user having administration rights.
-v                     Option to view the value of the LDAP attribute.
-s                     Option to set a value for an attribute of the installed components.
-R                     Refreshes the LDAP server.
-V                     Lets you view the current LDAP configuration settings.
-H                     Lets you view the usage and help strings.
-f                     Allows operations on a filtered replica.
attribute              Configurable LDAP server or group attribute name. For more information, see LDAP Server Attributes and LDAP Group Attributes.

Table 105 provides a description of configurable LDAP Server attributes:


Table 105. LDAP Server Attributes

LDAP Server Attribute Description

LDAP Server

Fully Distinguished Name of the LDAP server object in eDirectory

LDAP Host Server

Fully Distinguished Name of the host eDirectory server that the LDAP server runs on.

LDAP Group

LDAP group object in eDirectory of which this LDAP server is a member.

LDAP Server Bind Limit

Number of clients that can simultaneously bind to the LDAP server. A value of 0 (zero) indicates no limit.

LDAP Server Idle Timeout

Period of inactivity from a client after which LDAP server will terminate connection with this client. A value of 0 (zero) indicates no limit.

LDAP Enable TCP

Indicates whether TCP (non-SSL) connections are enabled for this LDAP server. Range of values is 1 (yes) and 0 (no).

LDAP Enable SSL

Indicates whether SSL connections are enabled for this LDAP server. The range of values is 1 (yes) and 0 (no).

LDAP TCP Port

Port number on which LDAP server will listen for TCP (non SSL) connections.

LDAP SSL Port

Port number on which LDAP server will listen for SSL connections.

keyMaterialName

Name of the Certificate object in eDirectory which is associated with this LDAP server and which will be used for SSL LDAP connections.

searchSizeLimit

Maximum number of entries that the LDAP server will return to an LDAP client in response to a search. A value of 0 (zero) indicates no limit.

searchTimeLimit

Maximum number of seconds after which an LDAP search will be timed out by the LDAP server. A value of 0 (zero) indicates no limit.

extensionInfo

Extensions supported by the LDAP server.

filteredReplicaUsage

Specifies whether the LDAP server should use a filtered replica for an LDAP search. The range of values is 1 (use filtered replica) and 0 (do not use filtered replica).

sslEnableMutualAuthentication

Specifies whether SSL-based mutual authentication (certificate-based client authentication) is enabled on the LDAP server.

ldapEnablePSearch

Specifies whether the persistent search feature is enabled on the LDAP server. It takes the value true or false.

ldapMaximumPSearchOperations

An integer value that limits the number of concurrent persistent search operations possible. A value of 0 specifies unlimited search operations.

ldapIgnorePSearchLimitsForEvents

Indicates whether size and time limits should be ignored after the persistent search request has sent the initial result set. It takes the value true or false. If this is set to false, the entire persistent search operation is subject to the search limits; if either limit is reached, the search fails with the appropriate error message.

Table 106 provides a description of configurable LDAP Group attributes:


Table 106. LDAP Group Attributes

LDAP Group Attribute Description

LDAP Server List

List of LDAP servers which are members of this group.

LDAP Allow Clear Text Password

Specifies whether the LDAP server allows transmission of passwords in clear text from an LDAP client. The range of values is 0 (no) and 1 (yes).

LDAP Search Referral Usage

Specifies how the LDAP server processes LDAP referrals. The range of values includes:

  • Prefer Chaining (Chain Requests to Other NDS® Servers)

    The LDAP server will chain the request to other eDirectory servers rather than returning referrals, except when servicing a persistent search operation and an entry is not present on the local server, or when servicing any extended operation that returns referrals.

  • Prefer Referrals

    The LDAP server will traverse the tree if there is no LDAP server running on another replica server that has the relevant objects. If there is an LDAP server running on another replica server, an LDAP referral of that server will be returned.

  • Always Refer (All NDS LDAP Servers in Tree Must Support Referrals)

    The LDAP server will always return an LDAP referral. If no LDAP referral exists, an error is returned.

  • Default Referral

    Shows the location of the default referral. An LDAP referral will be returned if the LDAP server cannot contact any other replica server in the same tree or if there is no other LDAP server running on the other replica server.

LDAP Referral

An LDAP referral will be returned if the LDAP server cannot contact any other replica server in the same tree or if there is no other LDAP server running on the other replica server. This is the default.


Examples

To view the values of attributes in the attribute list:

  1. Enter the following command:

    ldapconfig [-t tree_name | -p host_name[:port]] [-w password] [-a user_FDN] -v "LDAP Allow Clear Text Password","searchTimeLimit"

To configure the LDAP TCP port number:

  1. Enter the following command:

    ldapconfig [-t tree_name | -p host_name[:port]] [-w password] [-a admin_FDN] -s "LDAP TCP Port=389","searchSizeLimit=1000"
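An added Python example, not part of this manual or of the ldapconfig tool, that ties the attribute tables to the ldapconfig syntax shown above and in these Examples: it checks a set of LDAP Server and LDAP Group attribute values against a defender's baseline (clear-text passwords off, SSL on, and the limits that Tables 105 and 106 say a value of 0 switches off set to something finite) and builds the ldapconfig -v and -s command lines needed to inspect and correct them. The current values, the tree name, the admin FDN and the specific limits chosen in the baseline are constructed assumptions; the output format of a real ldapconfig -v run is not modelled.

```python
import shlex

# Constructed values for one server, as if copied from "ldapconfig -v" output
# (assumption: the real tool's output format is not modelled here).
CURRENT = {
    "LDAP Allow Clear Text Password": "1",
    "LDAP Enable TCP": "1",
    "LDAP Enable SSL": "1",
    "LDAP TCP Port": "389",
    "LDAP SSL Port": "636",
    "LDAP Server Bind Limit": "0",
    "LDAP Server Idle Timeout": "0",
    "searchSizeLimit": "0",
    "searchTimeLimit": "0",
    "ldapMaximumPSearchOperations": "0",
    "ldapIgnorePSearchLimitsForEvents": "true",
}


def _positive_int(value: str) -> bool:
    """True if value is an integer above 0 (Tables 105/106: 0 means no limit)."""
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False


# Baseline: (attribute, check on the current value, value to set, reason).
# Attribute names come from Tables 105 and 106; the chosen limits are
# assumptions for illustration, not values recommended by the manual.
BASELINE = [
    ("LDAP Allow Clear Text Password", lambda v: v == "0", "0",
     "passwords would cross non-SSL (TCP) connections in clear text"),
    ("LDAP Enable SSL", lambda v: v == "1", "1",
     "SSL listener is off"),
    ("searchSizeLimit", _positive_int, "1000",
     "0 lets one search return an unlimited number of entries"),
    ("searchTimeLimit", _positive_int, "60",
     "0 lets a search run for an unlimited time"),
    ("LDAP Server Bind Limit", _positive_int, "1000",
     "0 allows an unlimited number of simultaneous binds"),
    ("LDAP Server Idle Timeout", _positive_int, "300",
     "0 never closes idle client connections"),
    ("ldapMaximumPSearchOperations", _positive_int, "50",
     "0 allows unlimited concurrent persistent searches"),
    ("ldapIgnorePSearchLimitsForEvents", lambda v: str(v).lower() == "false", "false",
     "true exempts persistent searches from the size and time limits"),
]


def find_deviations(current: dict) -> list:
    """Return (attribute, current value, desired value, reason) per baseline miss."""
    findings = []
    for attr, is_ok, desired, reason in BASELINE:
        value = current.get(attr)
        if value is None or not is_ok(value):
            findings.append((attr, value, desired, reason))
    return findings


def view_command(attributes, tree: str, admin_fdn: str) -> str:
    """Build the ldapconfig -v line; names with spaces are quoted as in the manual."""
    joined = ",".join(f'"{a}"' for a in attributes)
    return f"ldapconfig -t {shlex.quote(tree)} -a {shlex.quote(admin_fdn)} -v {joined}"


def set_command(deviations, tree: str, admin_fdn: str) -> str:
    """Build the ldapconfig -s line that applies every desired value."""
    joined = ",".join(f'"{attr}={desired}"' for attr, _, desired, _ in deviations)
    return f"ldapconfig -t {shlex.quote(tree)} -a {shlex.quote(admin_fdn)} -s {joined}"


if __name__ == "__main__":
    # -w is left out of the generated lines so the password does not land in
    # shell history; whether ldapconfig then prompts for it is not stated here.
    TREE, ADMIN = "CORP_TREE", "admin.novell"      # constructed names
    for attr, value, desired, reason in find_deviations(CURRENT):
        print(f"{attr}: is {value!r}, want {desired!r}: {reason}")
    print(view_command([a for a, *_ in BASELINE], TREE, ADMIN))
    print(set_command(find_deviations(CURRENT), TREE, ADMIN))
```

With the constructed values, seven of the eight baseline items deviate (only LDAP Enable SSL passes), and the generated -s line has the same shape as the second example above. Table 104 lists -R as a separate option to refresh the LDAP server after a change; whether it can be combined with -s on one line is not stated in this section, so run it as its own command.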


