Installing Novell eDirectory on Linux or Solaris

This section will help you install and get started using Novell eDirectory on a Linux or Solaris system. For more information on the Linux or Solaris packages for Novell eDirectory, see Linux and Solaris Packages for Novell eDirectory.

The following installation instructions will help you install and get started using Novell eDirectory on Linux or Solaris:


System Requirements


Linux


Solaris


Prerequisites

eDirectory must be installed on all servers that you want to place an eDirectory replica on.


Upgrading eDirectory

The following sections explain how to upgrade eDirectory from previous versions of NDS or eDirectory:


Upgrading From NDS eDirectory 8.5

Upgrading from NDS eDirectory 8.5 or NDS eDirectory 8.5.1 to Novell eDirectory 8.6.1 disables the security objects created in this version, such as the Certificate Authority (CA), User, and Server Certificate objects.

Before upgrading, run the NICI migration utility for migrating security objects from NICI 1.5 to NICI 2.3. More information about this utility is available at the Novell Support and Downloads Web site.

After running the NICI migration utility, do the following to upgrade to eDirectory 8.6.1:

  1. Use nds-install to upgrade the directory.

  2. Use ndsconfig upgrade to upgrade the schema.

Upgrade ConsoleOne to 1.3.3 if an older version is installed on the system.


Upgrading From Previous Versions of NDS or eDirectory

Before upgrading to Novell eDirectory 8.6.1 from versions of NDS or eDirectory prior to NDS eDirectory 8.5, first upgrade your directory to NDS eDirectory 8.5. Then upgrade to Novell eDirectory 8.6.1 as mentioned in Upgrading From NDS eDirectory 8.5.

Contact Novell Support for more information.


Installing eDirectory

The following sections provide information about installing and uninstalling Novell eDirectory on Linux or Solaris systems:


SLP Usage with eDirectory

If you plan to use SLP to resolve tree names, SLP should be properly configured and the SLP DAs should be stable. If you don't want to (or cannot) use SLP, you can use a flat file to resolve tree names to server referrals. Refer to the host.nds man page for details.


Using the nds-install Utility to Install eDirectory Components

Use the nds-install utility to install eDirectory components on Linux and Solaris systems. This utility is located in the Setup directory on the CD for the respective platforms. The utility adds the required packages based on what components you choose to install.

To install eDirectory components:

  1. Log in as root on the host.

  2. Enter the following command from the setup directory:

    nds-install

  3. When prompted, accept the license agreement.

    The installation program displays a list of eDirectory components that you can install.

  4. Specify the option for the component you want to install.

    Based on the component you choose to install, the installation program adds the appropriate RPMs or packages to the Linux or Solaris system. Table 5 lists the packages installed for each eDirectory component.


    Table 5. eDirectory Component Packages

    eDirectory Server
      Packages installed: NDSbase, NDScommon, NDSsecur, NDSsecutl, NDSmasv, NDSserv, NDSimon, NDSrepair, NDSslp, NDSdexvnt
      Description: The eDirectory replica server will be installed on the specified server.

    Administration Utilities
      Packages installed: NDSadmutl, NDSbase, NDSsecutl, NLDAPbase
      Description: The Novell Import Conversion Export and LDAP Tools administration utilities will be installed on the specified workstation.

    Management Console for eDirectory
      Packages installed: NDSbase, NDSslp, NOVLC1, C1JRE, NDS set of packages
      Description: The management console for eDirectory will be installed on the specified workstation.

    NMAS (Novell Modular Authentication Service) server
      Packages installed: NDSnmas
      Description: The NMAS server components and the configuration utilities will be installed on the specified server.

    NSAdexvnt
      Packages installed: NDSdexvnt
      Description: This package contains the library that manages events generated in Novell eDirectory to other database.

  5. If you are prompted, enter the complete path to the NICI Foundation Key file.

    You will be prompted to enter the complete path to the NICI Foundation Key only if the installation program cannot locate the file in the default location (/var, the mounted license diskette, or the current directory).

    If the path you entered is not valid, you will be prompted to enter the correct path.

    You can use the ndsconfig utility to configure eDirectory Server after installation. However, to do so, you need to ensure that the .nfk file has been copied to the /var directory.

    If you have selected Novell Modular Authentication Service (NMAS) as one of the components to be installed, you can use the nmasconfig utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.

    For more information on the ndsconfig utility, see ndsconfig Utility.

    For more information on the nmasconfig utility, see Using the nmasconfig Utility to Configure NMAS Server.

IMPORTANT:  Before you begin to use eDirectory, you must ensure that SLP has been installed for the eDirectory tree to be advertised correctly. To determine if the eDirectory tree is advertised, type the following:

/usr/bin/slpinfo -s "ndap.novell//(svcname-ws==*tree_name.)/"

To install eDirectory components, use the following syntax:

nds-install -c component1 [[-c component2]...] [-h] [-n path_to_.nfk]

If you do not provide the required parameters in the command line, the nds-install utility will prompt for the parameters.

Table 6 provides a description of the parameters of the nds-install utility:


Table 6. The nds-install Utility Parameters

nds-install Parameter Description

-c

Specifies the component to be installed based on the packages available. You can install more than one component by using the -c option multiple times.

-h

Specifies the option to display help.

-n

Specifies the path to the file that contains the Novell Foundation Key (.nfk).


Example

To install eDirectory Server packages, enter the following command:

nds-install -c server -n /var


Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see ndsconfig Utility.

To create a new tree:

  1. Use the following syntax:

    ndsconfig new [-m <modulename>] [-i] [-s <servername>] [-t <tree_name>] [-n <context>] [-d path_for_DIB] [-L <ldap_port>] [-l <ssl_port>] [-c <caname>[:<casize>]] [-k <kmoname>[:<kmosize>]] [-e] -a admin_name

    A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

    Or, you can also use the following syntax:

    ndsconfig def [-m <modulename>] [-i] [-s <servername>] [-t <tree_name>] [-n <context>] [-d path_for_DIB] [-L <ldap_port>] [-l <ssl_port>] [-c <caname>[:<casize>]] [-k <kmoname>[:<kmosize>]] [-e] -a admin_name

    A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

To add a server into an existing tree:

  1. Use the following syntax:

    ndsconfig add [-m <modulename>] [-s <servername>] [-p IP_address] [-t tree_name] [-n context] [-d path_for_DIB] [-L <ldap_port>] [-l <ssl_port>] [-e] -a admin_name

    A server is added to an existing tree in the specified context. If the context to which the user wants to add the Server object does not exist, ndsconfig creates the context and adds the server.

    LDAP and security services can also be added after eDirectory has been installed into the existing tree.

To remove a Server object and directory services from a tree:

  1. Use the following syntax:

    ndsconfig rm -a admin_name

    eDirectory and its database are removed from the server.


Table 7. The ndsconfig Utility Parameters

ndsconfig Parameter Description

new

Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

def

Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

add

Adds a server into an existing tree.

rm

Removes the Server object and directory services from a tree.

-i

Ignores a tree of the same name, while installing a new tree. This option is generally not recommended for use.

-s

Specifies the server name.

-t

The tree name to which the server has to be added. If not specified, ndsconfig uses the tree name from the n4u.base.tree-name parameter specified in the /etc/nds.conf file. For more information, see n4u.base.tree-name.

-n

The context of the server into which the Server object is added. If not specified, ndsconfig uses the context from the n4u.nds.server-context parameter specified in the /etc/nds.conf file. For more information, see n4u.nds.server-context.

-d

The directory path where the database files will be stored.

-L

The TCP port number on the LDAP server.

-l

The SSL port number on the LDAP server.

-c

The name and size of the organizational CA.

-k

The name and size of the Key Material Object.

-a

Distinguished name of the User object that has Supervisor rights to the context in which the Server object and directory services will be created.

-e

Enables clear text password for LDAP objects.

-p

Installs eDirectory Server into an existing tree by specifying the IP address of a server hosting the tree. If this option is used, SLP is not used for tree lookup.

-m

Specifies the module name to install. While installing a new tree, you can install only the ds module. After installing the ds module, you can add the LDAP and SAS services using the add command. If the module name is not specified, all three modules are installed.

set

Sets the value for the specified eDirectory configurable parameters.

get

Lets you view the current value of the eDirectory configurable parameters.

get help

Lets you view the help strings for the eDirectory configurable parameters.


Examples

To create a new tree, enter the following command:

ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

To add a server into an existing tree, enter the following command:

ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company

To remove the eDirectory Server object and directory services from a tree, enter the following command:

ndsconfig rm -a cn=admin.o=company


Using the nmasconfig Utility to Configure NMAS Server

This section discusses the following topics:

To use the nmasconfig utility for server configuration, ensure that you have administrative rights to the Security container.


About the nmasconfig Utility

Use this utility for login sequence management, login method management, and Simple Password management, apart from configuring and unconfiguring the NMAS server.

When this utility is used with arguments, it validates them and prompts for the password of the user who has administrative rights.

If the utility is used without arguments, nmasconfig displays a description of the utility and available options.

NOTE:  Do not install the current release of NMAS on UNIX on the servers that are part of the tree and have NMAS Enterprise Edition installed and configured on them.

Four modes of operation are available:

  1. config
  2. method
  3. sequence
  4. passwd

Only one of the modes of operation can be selected.

For more information on the parameters of nmasconfig utility, see the nmasconfig manpage, nmasconfig.1m.


Table 8. The nmasconfig Utility General Parameters

nmasconfig Parameter Description

-t

Refers to the name of the eDirectory tree on which NMAS has to be configured. This is an optional parameter. By default, this is taken from the tree name of the current server, read from nds.conf file.

-h hostname[:port]

Refers to the hostname and, optionally, the eDirectory port. By default, this is taken from the hostname of the current server and the default eDirectory port.


Configuring the NMAS Server

The nmasconfig utility lets you configure the NMAS server or remove the configuration of the NMAS server. To configure the server, you must have Administrator rights to the Security container.


Table 9. The nmasconfig Utility Configure Parameters

Configure Parameter Description

-c

Configures NMAS.

-d

Removes NMAS configuration.

-a

Refers to the fully distinguished name of the eDirectory administrator with supervisor rights to the security container.

The fully distinguished name of the administrator should be specified in the typeless, dot-delimited, form without the tree name. This parameter is required.


To Configure the NMAS Server

To configure the NMAS server, enter the following command:

nmasconfig config [-t treename] [-h hostname[:port]] -c -a adminname


Example:

To configure NMAS in the tree ACME running on the same host, enter the following command.

nmasconfig config -t acme -c -a admin.company

NOTE:   When configuring a remote server, it is recommended to enter the tree and the server name as command line parameters to nmasconfig.


To Remove the NMAS Configuration

To remove the NMAS server configuration, enter the following command:

nmasconfig config [-t treename] [-h hostname[:port]] -d -a adminname


Example:

To remove the configuration of NMAS in the tree ACME, enter the following command:

nmasconfig config -t acme -d -a admin.company

NOTE:  Removing the NMAS configuration using the -d option does not remove any objects in the Security container. It specifically removes the server-specific configuration.

For NMAS configuration or unconfiguration to take effect, restart the Novell eDirectory server.


Login Method Management

Use the method mode of the nmasconfig utility to install a new login method or upgrade an existing login method to the tree. It can also be used to remove an existing login method.

IMPORTANT:  The method binaries for all the platforms can be found in the NMAS directory nmasmethods, located on the eDirectory CD. The methods for all platforms can be installed together from ConsoleOne (Windows) or nmasconfig (UNIX).


Installing a New Login Method

To install a new login method or upgrade an existing login method to the tree, enter the following command:

nmasconfig method [general options] -i | -U -f path-to-config.txt -a admin_name


Table 10. The nmasconfig Utility Method Parameters

Method Parameter Description

-i

Installs a new method.

This also creates a login sequence which contains only this login method.

-U

Upgrades NMAS configuration.

-r

Removes an existing method from the tree.

This also removes the sequence with only this login method, created during this method install.

-a

Refers to the fully distinguished name of the eDirectory administrator with supervisor rights for the context in which the server object and Directory services are to be created.

The fully distinguished name of the administrator should be specified in the typeless, dot-delimited, form without the tree name. This parameter is required.

-f

Refers to the absolute or relative path, including the filename, to the config.txt file for the method that needs to be installed. This text file is located in the NMAS methods directory on the install CD. This is a required parameter if either the -i or -U options are specified.

-m

Refers to the name of the NMAS method object that needs to be removed from the tree. If there are spaces or special characters in the method object name, the name should be entered in quotes (" "). This is a required parameter if the -r option is specified.


Example:

To install a new method on the tree running on the current server, enter the following command:

nmasconfig method -i -f ./SimplePassword/config.txt -a admin.company


Removing an Existing Login Method

To remove an existing login method, enter the following command:

nmasconfig method [general options] -r -m methodname -a admin_name

To remove an existing login method from the tree running on the current server, enter the following command:

nmasconfig method -t ACME -r -m "X.509 Certificate" -a admin.company

IMPORTANT:  You only need to specify one of these options: -i, -U, or -r.


Login Sequence Management

Use the sequence mode of the nmasconfig utility to manage the login sequence.

To manage the login sequence, enter the following command:

nmasconfig sequence [general options] -D user_name -a admin_name


Table 11. The nmasconfig Utility Sequence Parameters

Sequence Parameter Description

-D

Refers to the distinguished name of the user object for which sequence management is to be done. The user's distinguished name should be specified in the typeless, dot-delimited form without the tree name. This is a required parameter.

-a

Refers to the distinguished name of the user object with supervisor rights to the context in which the previously specified user object is to be modified. The admin DN should be specified in the typeless, dot-delimited form without the tree name. This is a required parameter.

Example: To manage the authorized and default sequences of the user named user1 in tree ACME, enter the following command:

nmasconfig sequence -t ACME -D user1.finance.company -a admin.company

The sequence management option generates a menu of options.


Table 12. The Sequence Management Menu Options

Sequence Management Options Description

(a) Authorize a method

Authorizes a sequence present in the Available Login Sequences list.

(b) Remove an authorized method

Removes an existing authorized login sequence from the Authorized Login Sequences list.

(c) Change default login sequence

Sets the default login sequence for the user from the Authorized Login Sequences list.

(d) Commit current changes and exit

Commits the changes to eDirectory and exits the sequence management menu.

(e) Quit without saving

Quits the sequence management menu without saving the changes.

IMPORTANT:  The nmasconfig utility does not have the functionality to create, delete, or modify sequences. The sequence mode supports only the operations which are performed for a user, such as setting the Authorized or default sequences. For other sequence operations, use ConsoleOne on a Windows workstation.


Managing Simple Passwords

Use the passwd mode of the nmasconfig utility to set simple passwords.

To set the simple password for a specified user in the tree, enter the following command:

nmasconfig passwd [general options] [-H hash_type] [-a admin_name] -D user_name


Table 13. The nmasconfig Utility Password Parameters

Password Parameter Description

-H

Refers to the hashing format in which the simple password for the user needs to be stored in eDirectory. The valid values are "sha," "md5," or "clear." By default, the simple password hash type is "clear."

-a

Refers to the distinguished name of the user object with supervisor rights to the context where the specified User object's simple password is to be modified.

The administrator's fully distinguished name should be specified in the typeless, dot-delimited form without the tree name.

-D

Refers to the distinguished name of the user object for which simple password change is to be done. The user DN should be specified in the typeless, dot-delimited form without the tree name. This is a required parameter.

Example 1: If you are an admin and are changing another user's simple password, enter the following command:

nmasconfig passwd -a admin.company -D user1.finance.company

Example 2: If you are modifying your own simple password, enter the following command:

nmasconfig passwd -D user1.finance.company
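
The parameter tables above describe two settings that leave credentials unprotected: ndsconfig -e (clear text passwords for LDAP objects) and the nmasconfig passwd hash type, which is "clear" whenever -H is omitted. The following script is an added example, not part of the Novell documentation or tools; it lints a provisioning script for those options and for -i, and its function names, finding labels and sample input are constructed for illustration. Treating any -H value other than sha as a finding is this example's policy, not a rule stated on this page.

```shell
#!/bin/sh
# Added example: lint eDirectory provisioning commands for options that the
# parameter tables on this page describe as weakening security.

# Print one finding per risky option in a single command line ($1).
# Runs in a subshell so that set -f and the variables stay local.
audit_command() (
    set -f                 # no glob expansion during word splitting
    set -- $1              # whitespace split only; shell quoting is not parsed
    [ $# -ge 2 ] || exit 0
    tool=${1##*/}          # accept a path-qualified command name
    mode=$2
    shift 2
    prev="" hash="" seen_hash=0

    case "$tool:$mode" in
    ndsconfig:new|ndsconfig:def|ndsconfig:add)
        for word in "$@"; do
            # Skip the value that follows an option taking an argument.
            case "$prev" in
            -m|-s|-t|-n|-d|-L|-l|-c|-k|-a|-p) prev=""; continue ;;
            esac
            case "$word" in
            -e) echo "LDAP_CLEARTEXT: -e enables clear text passwords for LDAP objects" ;;
            -i) echo "IGNORE_TREE: -i ignores an existing tree of the same name" ;;
            esac
            prev=$word
        done
        ;;
    nmasconfig:passwd)
        for word in "$@"; do
            if [ "$prev" = "-H" ]; then hash=$word; seen_hash=1; fi
            prev=$word
        done
        if [ "$seen_hash" -eq 0 ]; then
            echo "SIMPLE_PW_CLEAR: no -H given, so the hash type defaults to clear"
        elif [ "$hash" != "sha" ]; then
            echo "SIMPLE_PW_WEAK: -H $hash (example policy: require sha)"
        fi
        ;;
    esac
)

# Read a script on stdin and prefix each finding with its line number.
audit_stream() (
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        audit_command "$line" | sed "s/^/line $n: /"
    done
)

# Constructed sample input, not taken from a real deployment.
sample_runbook() {
    cat <<'EOF'
# provision corp-tree
ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company
ndsconfig def -i -t corp-tree -n o=company -e -a cn=admin.o=company
ndsconfig add -t corp-tree -n o=company -L 389 -l 636 -a cn=admin.o=company
nmasconfig passwd -a admin.company -D user1.finance.company
nmasconfig passwd -H md5 -D user1.finance.company
nmasconfig passwd -H sha -a admin.company -D user1.finance.company
EOF
}

sample_runbook | audit_stream
```

To check a real provisioning script, pipe it to audit_stream on standard input in place of sample_runbook.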


Linux and Solaris Packages for Novell eDirectory

Novell eDirectory includes a Linux or Solaris package system, which is a collection of tools that simplify the installation and uninstallation of various eDirectory components. Packages contain makefiles that describe the requirements to build a certain component of eDirectory. Packages also include configuration files, utilities, libraries, daemons, and manual pages that use the standard Linux or Solaris tools installed with the OS.

Table 14 provides information about the Linux and Solaris packages that are included with Novell eDirectory.


Table 14. Linux and Solaris Packages for Novell eDirectory

Package Description

NDSadmutl

Contains the Novell Import Conversion Export utility and is dependent on the NDSbase package.

NDSbase

Represents the Directory User Agent. This package is dependent on the NDSslp package.

The NDSbase package contains the following:

  • An authentication toolbox containing the RSA authentication needed for eDirectory
  • A platform-independent system abstraction library, a library containing all the defined Directory User Agent functions, and the schema extension library
  • A combined configuration utility and the Directory User Agent test utility
  • The eDirectory configuration file and manual pages

NDScommon

Contains the man pages for the eDirectory configuration file, install, and uninstall utilities.

NDSsecur

Contains the server-side security components eDirectory Server uses, including the following:

  • SAS SDK, and PKI Server
  • Java Wrapper over SAS SDK
  • Pure Java SSL

NDSsecutl

Contains the client-side security utilities, including the following:

  • PKI Client and configuration utility

NDSmasv

Contains the libraries required for mandatory access control (MASV).

NDSserv

Contains all the binaries and libraries needed by the eDirectory Server. It also contains the utilities to manage the eDirectory Server on the system. This package is dependent on the NDSbase and NDSsecur packages.

The NDSserv package contains the following:

  • An NDS install library, FLAIM library, trace library, NDS library, LDAP server library, LDAP install library, index editor library, DNS library, merge library, and LDAP extension library for LDAP SDK
  • eDirectory Server daemon
  • A binary for DNS and a binary to load or unload LDAP
  • The utility needed to create the MAC address, the utility to trace the server and change some of the global variables of the server, the utility to back up and restore eDirectory, and the utility to merge eDirectory trees
  • Startup scripts for DNS, NDSD, and NLDAP
  • Manual pages

NDSimon

Contains the runtime libraries and utilities used to search and retrieve data from eDirectory services. This package is dependent on the NDSbase package.

NDSrepair

Contains the runtime libraries and utility which corrects problems in the eDirectory database. This package is dependent on the NDSbase package.

NDSslp

The NDSslp package contains the following:

  • The SLP User Agent/Service Agent daemon and the SLP libraries to access SLP
  • The transport library, utility library, and configuration library that the SLP daemon uses
  • The Unicode library that the SLP daemon and API library use

NLDAPbase

Contains LDAP libraries, extensions to LDAP libraries, and the following LDAP tools:

  • ldapdelete
  • ldapmodify
  • ldapmodrdn
  • ldapsearch

  • ndsindex

NDS set of packages

Contains a set of ConsoleOne snap-ins.

NOVLC1

Contains the Linux or Solaris package for the ConsoleOne management utility.

C1JRE

Contains the Java runtime files and libraries that are required to run ConsoleOne on Linux or Solaris systems.

NDSnmas

Contains all the NMAS libraries and nmasconfig binaries needed for the NMAS server.

NDSdexvnt

This package contains the library that manages events generated in Novell eDirectory to other database.


