Novell eDirectory 8.7 on Linux

Prepared by Pascal Chong on February 7 2003
Revision History
Revision v2.0    February 2003    Revised by Pascal Chong
Covers version 8.7
Revision v1.0    October 2002    Revised by Pascal Chong
Initial public release. Covers version 8.6x

Table of Contents
1. Introduction
1.1 Why Am I Writing This ?
1.2 Copyright, License and Important Caveats
1.3 What is Novell eDirectory ?
1.4 What is NDS ?
1.5 What is LDAP ?
1.6 How is eDirectory different from other LDAP servers ?
2. System Requirements
2.1 Hardware Requirements
2.2 Software Requirements
2.3 Pre-Install Checks
3. Installing Novell eDirectory for Linux
3.1 Downloading Novell eDirectory
3.2 Installing Novell eDirectory
4. Configuring Novell eDirectory
4.1 Setting Up The First Tree
4.2 Setting Up hosts.nds
4.3 Configuring for LDAP with ConsoleOne
4.4 Testing LDAP Operations

1. Introduction

For those of you who are curious about how - or whether - Novell products work on Linux, this document attempts to give the Linux user or administrator a quick start on Novell eDirectory.

1.1 Why Am I Writing This ?

For those who are wondering, I am NOT an employee of Novell. I used to work for a reseller, but that is not the reason why I am an advocate of Novell's eDirectory product.

My first introduction to Novell was with Netware (of course) v3.12. It was a great product, but I was not a fan of its pricing or its platform support. I thought then that if they took NDS out, made it available on the Linux platform and gave it a reasonable price tag, I would consider it. Well, with the latest version of eDirectory, Novell has done just that.

Novell eDirectory is a renaming of NDS, and everything I liked about NDS back in 1997 is still there, and it is better than before because of comprehensive LDAP support.

1.2 Copyright, License and Important Caveats

This document is free documentation; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

1.3 What is Novell eDirectory ?

Novell eDirectory is an LDAP-enabled directory server. This product originates from NDS, the Novell Directory Services, and is its present incarnation. It can be used as an LDAP server, but the LDAP schema maps to Novell's NDS schema. eDirectory is NOT Netware and does not require Netware to run on any platform. Any LDAP-compliant application can interface with eDirectory, often without needing to change the code, because eDirectory supports standard LDAP syntax.

1.4 What is NDS ?

Novell Directory Services (NDS) debuted in 1994 and was modelled on the X.500 directory standard. NDS was, and still is, primarily the facility that lets you create users and groups on a Netware network, but Novell eDirectory, its successor, can run on many platforms other than Netware, including Windows NT/2000, Linux and Solaris.

1.5 What is LDAP ?

LDAP is the Lightweight Directory Access Protocol. It was originally designed as a protocol for accessing data stored in an X.500 directory. The goal of LDAP was to standardize the way network applications access distributed directory information. The broader question of when a directory, rather than a relational database, is the right place for a given set of data is beyond the scope of this document.

1.6 How is eDirectory different from other LDAP servers ?

There are significant differences in performance, structure, and even object storage capabilities between eDirectory and other competing directory server products. All this is documented on Novell's website, as well as on other websites and newsgroups on the Internet. For me, the user/group model is the main advantage of eDirectory for system integrators and people who have to deploy and administer directories, especially in my region, Asia. LDAP requires the directory administrator to understand the structure of LDAP directories, which consists of object classes, attributes and values. Someone who is new to directory services will find the learning curve particularly steep. However, just about every administrator I know is familiar with creating users and groups. Yes, even Windows administrators. A quick glance at ConsoleOne, the administration utility for eDirectory and other Novell products, shows a familiar interface, with just a hint of LDAP complexity in the directory tree in the left pane.


2. System Requirements

The procedures in this document were tested with Probatus Spectra Linux 1.2, but they should work equally well on other rpm-based Linux systems.

2.1 Hardware Requirements

Please note that if you are going to use Novell eDirectory in a production environment with a lot of users, refer to the server sizing guide in the product documentation.

2.2 Software Requirements

2.3 Pre-Install Checks

Before beginning the installation, you will need to check certain parameters in your Linux server/workstation :

Enable multicasting. SLP, which eDirectory uses to advertise and discover trees, depends on IP multicast, so the kernel needs a route for the multicast range 224.0.0.0/4. Check the routing table for one. Log in as root and execute the following command,

# /bin/netstat -rn

Existing routes will be printed to screen. Look for an entry like the following (the columns are those of netstat -rn: destination, gateway, genmask, flags and interface)

Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
224.0.0.0       0.0.0.0         240.0.0.0       U       0 0          0 eth0

If you do not see it, you will need to add the necessary entry. Again, as the root user, execute the following command (this assumes that you have just one network card and that it is recognized by your system as eth0):

# route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0

A route added this way is not persistent: it disappears at the next reboot, so once you have confirmed that it works, also add the command to a network start-up script (for example /etc/rc.d/rc.local).

If you have more than one eDirectory server on the same network, you will need to use NTP to synchronize the time on your systems, since replica synchronization relies on timestamps. You probably should have an NTP server configured on your network if your company is fairly large. I have encountered problems starting my eDirectory server if the NTP connection is lost or unavailable. An indication that this may be the problem is when the NDS daemon fails to start at boot time.
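The checks above, together with the port conflicts that ndsconfig reports later in section 4.1, gathered into one pre-install script. This is an added example and not part of the original document or of Novell's product. It assumes netstat and ntpq are installed, that the interface is eth0 unless another is given, and that the LDAP server will want TCP 389 and 636 (the standard LDAP and LDAPS ports) in addition to the 80 and 443 that ndsconfig asks about. Each parser reads a table on standard input, so it can be exercised on saved output without touching the system.

```shell
#!/bin/sh
# Added example: pre-install checks for an eDirectory server on Linux.
# Not part of the original document or of Novell's product.
# Each parser reads a table on stdin, so it can be run against saved
# output for testing as well as against the live commands in preflight().
# Assumptions: netstat and ntpq are installed; the interface is eth0
# unless another is given; TCP 389/636 (standard LDAP/LDAPS ports) are
# checked alongside the 80/443 that ndsconfig asks about.

# Returns 0 if the routing table (netstat -rn format) already contains
# the 224.0.0.0/4 route that SLP's multicast traffic needs.
has_multicast_route() {
    awk '$1 == "224.0.0.0" && $3 == "240.0.0.0" { found = 1 }
         END { exit !found }'
}

# Returns 0 if some process is listening on TCP port $1
# (input in netstat -ltn format; column 4 is "address:port").
port_in_use() {
    awk -v port="$1" '
        $1 ~ /^tcp/ { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# Returns 0 if ntpq -pn output shows a selected sync peer (marked "*").
ntp_synced() {
    grep -q '^\*'
}

# Live checks; prints the remedy for each failure and returns the number
# of failed checks (0 means the box is ready for nds-install/ndsconfig).
preflight() {
    iface=${1:-eth0}
    failed=0
    if ! command -v netstat >/dev/null 2>&1; then
        echo "netstat not found; cannot check routes and ports"
        return 1
    fi
    if netstat -rn | has_multicast_route; then
        echo "ok: multicast route present"
    else
        echo "missing multicast route; as root, run:"
        echo "  route add -net 224.0.0.0 netmask 240.0.0.0 dev $iface"
        echo "  (not persistent: also add it to a network start-up script)"
        failed=$((failed + 1))
    fi
    for p in 80 443 389 636; do
        if netstat -ltn | port_in_use "$p"; then
            echo "port $p already in use: ndsconfig will prompt for another"
            failed=$((failed + 1))
        else
            echo "ok: port $p free"
        fi
    done
    if ntpq -pn 2>/dev/null | ntp_synced; then
        echo "ok: clock synchronised via NTP"
    else
        echo "no NTP sync peer: ndsd may refuse to start in a multi-server tree"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# The live run happens only when asked for, so the parsers can be
# sourced and tested without touching the system:
#   sh preflight.sh --live [interface]
if [ "${1:-}" = "--live" ]; then
    preflight "${2:-eth0}"
fi
```

Run it as root with --live before nds-install; a non-zero exit status means at least one check printed a remedy. The port check only sees listeners, so a web server that is installed but stopped will not be reported until it is started.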


3. Installing Novell eDirectory

The great thing (to me, anyway) about Novell eDirectory is that it doesn't take a powerful server with lots of RAM and a fast processor to run it. But you do need to ensure that the pre-installation checks are done. This will save you a lot of time and trouble later.

Installation consists of a few stages :

3.1 Downloading Novell eDirectory

At the time this Step was written, the eDirectory tarball can be downloaded from : http://www.novell.com/products/edirectory/evaluation.html. More information about eDirectory can be found at this URL : http://www.novell.com/products/edirectory/

Before you begin downloading, you will need to fill out an evaluation license request form on Novell's website. After which, the license will be emailed to the email address you have specified. You will need to save the license files, which have the extensions .nfk and .nlf. You will need them later, during the installation.

Once you have filled out the request form and submitted it, you can proceed to download the software from the evaluation page above.

If you have not already done so, you will need to create a Novell login account. You will use the username and password to login to the member section and begin downloading.

Create a directory and download the software into that directory. Then login as root and begin unpacking the software. So, supposing we created a directory /Downloads/novell,

# cd /Downloads/novell
# tar -zxvf edir*

3.2 Installing Novell eDirectory

Now we can begin installing eDirectory. Login as root and execute the following commands

# cd /Downloads/novell/Linux/setup
# ./nds-install

You will see the following message appear:

%% Welcome to the installation of Novell eDirectory 8.7.0
%% The Novell eDirectory (8.7.0) for Linux End User License Agreement will now
be displayed.
%% Please read the agreement carefully before accepting the terms.
%% Press ENTER to continue.

Press <Enter> and you will see

The following Software License and Limited Warranty is translated into several
languages. Please go to the /licenses directory at the root of this CD to
find the appropriate language for you. If You agree to the terms,
click "Accept" or select "Accept License Agreement". If You do not agree to the
terms, click "Cancel" or select "Exit".

Novell(r) eDirectory(tm) 8.7
Novell Software License Agreement

PLEASE READ THIS AGREEMENT CAREFULLY. BY INSTALLING OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH THESE TERMS, DO NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE. THE SOFTWARE MAY NOT BE SOLD, TRANSFERRED, OR FURTHER DISTRIBUTED EXCEPT AS AUTHORIZED BY NOVELL.
....

(c)1993, 2000-2002 Novell, Inc. All Rights Reserved.

Novell is a registered trademark and eDirectory and NMAS are trademarks of
Novell, Inc. in the United States and other countries.

%% Do you accept the terms of the Novell eDirectory (8.7.0) license agreement '[y/n/q] ? '

Press y and <Enter> to continue.

%% List of Novell eDirectory (8.7.0) components available to install

%% 1 Novell eDirectory Server
%% 2 Novell eDirectory Administration Utilities
%% 3 Management Console for Novell eDirectory (ConsoleOne)

%% Select the components you wish to install [?, q] :

You will need all three, so key in 1,2,3 and <Enter>.

%% Enter the path to License File (.nfk):

You will now need to specify the path to your license files, which should have come to you via email after you filled out and submitted the evaluation request form earlier. If you have not received them, or if you have lost them, simply go back to the evaluation form, fill it out and submit it again. Then check your email and save the attached .nfk and .nlf files into a directory on your local hard drive, key in the location at the above prompt, then press <Enter>. Installation will proceed.

%% Installing NICI-2.4.1
Preparing...                ########################################### [100%]
   1:nici                   ########################################### [100%]
Initializing NICI ... done.

%% License file Copied.


%% Adding packages...

Preparing...                ########################################### [100%]
   1:NDSslp                 ########################################### [100%]
Starting NDS SLP services...
Done
Preparing...                ########################################### [100%]
   1:NDSmasv                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDSbase                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NLDAPsdk               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NLDAPbase              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDScommon              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLpkis               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLpkia               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLpkit               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLsas                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:ntls                   ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDSserv                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDSrepair              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDSimon                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLsnmp               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLsubag              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLnmas               ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLembox              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLlmgnt              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLstlog              ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLxis                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NOVLice                ########################################### [100%]
Preparing...                ########################################### [100%]
   1:NDSdxevnt              ########################################### [100%]
%% Installing ConsoleOne....

You will now be asked about the languages you wish to install.

The following is a list of languages that are available to install.

1  English
2  French
3  All

Select the languages you wish to install [?,q]:

Next, you will be presented with a list of ConsoleOne extensions or Snap-Ins that you can choose to install. ConsoleOne is the administration and management tool you will use to interface with eDirectory. You can choose to install all the Snap-Ins or just the ones that you will be using. At a minimum, you will need 1,2,3,4,6. For my deployment, I wanted everything except the WAN Manager because I am deploying eDirectory on a small SoHo LAN.

The following are all the available snapins you can choose to install

0 NONE
1 ICE Snapin
2 Index Manager Snapin
3 LDAP Snapin
4 SLP Snapin
5 WAN Manager Snapin
6 PKI Snapin
7 Filtered Replica Snapin
8 All

Select the snapin(s) you wish to install [?,q]: 1,2,3,4,6,7

ConsoleOne is a Java application, and the installer will next ask if you wish to install the Java Runtime Environment (JRE) that comes with the product. This is the IBM JRE, an excellent choice because of its speed and support, in my opinion (see my StepByStep on IBM's Java). I strongly recommend that you install it, even if you currently have Java installed on your system. It installs into /opt/IBM-Java2-13 directory, so you might want to check if you are already using IBM's Java.

Do you wish to install Java Runtime Environment [y,n,q] ?

Key in y and installation will proceed.

%% Adding package IBMJava2-JRE ...
Preparing...                ########################################### [100%]
   1:IBMJava2-JRE           ########################################### [100%]

%% Adding package NOVLc1 ...
Preparing...                ########################################### [100%]
   1:NOVLc1                 ########################################### [100%]
%% Adding package NDSsice ...
Preparing...                ########################################### [100%]
   1:NDSsice                ########################################### [100%]
%% Adding package NDSsimgr ...
Preparing...                ########################################### [100%]
   1:NDSsimgr               ########################################### [100%]
%% Adding package NDSsldap ...
Preparing...                ########################################### [100%]
   1:NDSsldap               ########################################### [100%]
%% Adding package NDSsslp ...
Preparing...                ########################################### [100%]
   1:NDSsslp                ########################################### [100%]
%% Adding package NDSspki ...
Preparing...                ########################################### [100%]
   1:NDSspki                ########################################### [100%]
%% Adding package NDSsfrep ...
Preparing...                ########################################### [100%]
   1:NDSsfrep               ########################################### [100%]

%% Java Runtime Environment Successfully Installed.
%% ConsoleOne Successfully Installed.
%% Execute /usr/ConsoleOne/bin/ConsoleOne to run ConsoleOne
%% Snapins Successfully Installed.


%% Novell eDirectory Server packages successfully installed.

%% Novell eDirectory Administration Utilities packages successfully installed.

%% Use "ndsconfig" to configure Novell eDirectory Server.

%% Please update following environment variables to use LDAP tools from Novell -
PATH=/usr/ldaptools/bin:$PATH
MANPATH=/usr/ldaptools/man:$MANPATH

%% Please go through ../readme.txt carefully before using the product.

After installation completes, edit /etc/profile and add (and export) the PATH and MANPATH settings shown in the installer's closing message, so that the Novell LDAP tools in /usr/ldaptools/bin and their man pages are found.

After making and saving the changes, you might want to reboot the system, both to get your changes to take effect, as well as to test that your installation succeeded, and that your system is still ok after the installation. Novell eDirectory adds two daemons to your startup configuration : ndsd which is the eDirectory (or NDS) daemon, and uasaslp which is the Service Location Protocol (SLP) daemon.


4. Configuring Novell eDirectory

4.1 Setting Up The First Tree

After your system has rebooted, it is time to setup the first directory tree for your network. You will need to login as root for this operation.

Designing directory trees is beyond the scope of this Step (although I am planning one Step on this in the near future), so we shall not cover it for now. Suppose we want to create a tree for a company called Virago: organization name o=Virago, tree name Virago, with the Distinguished Name (DN) of the Administrator as cn=ViragoAdmin.o=Virago (ndsconfig uses NDS dot notation here; LDAP clients will later refer to the same object as cn=ViragoAdmin,o=Virago). Then we can create the tree with the following command inside a terminal window. Note that ndsconfig prompts for the administrator password, so it does not end up in your shell history; choose a strong one, as this account has full rights over the tree:

[root@localhost root]# ndsconfig new -t Virago -n o=Virago -a cn=ViragoAdmin.o=Virago
Enter the password for cn=ViragoAdmin.o=Virago:
Re-enter the password for cn=ViragoAdmin.o=Virago:
HTTP Port 80 already in use...
Please enter another HTTP port: 81
HTTPS Port 443 already in use...
Please enter another HTTPS port: 444
Configuring eDirectory with following parameters
        Admin name      = cn=ViragoAdmin.o=Virago
        Tree name       = Virago
        Server Context  = o=Virago
        dibdir path     = /var/nds/dib

Searching for Duplicate Tree Name in the network.  Please wait...
Installing Novell eDirectory Server ...

Novell eDirectory Server successfully installed on this system.
Extending schema...
For more details view schema extension logfile: /var/nds/schema.log
Schema extended successfully.
Configuring SAS service ...
Successfully configured SAS service
Configuring LDAP Server with default SSL CertificateDNS certificate
Done
Restarting ndsd to load the tree key
Stopping the service 'ndsd'... Done.
Starting the service 'ndsd'... Done.

You will need to take note of some of the information here because you will need it later. When you first login to ConsoleOne, you will need the following information: Admin username and password, Tree name, Server Context. From the messages that the ndsconfig command generates, you can see the values that it will use for these settings. In our example, the settings and values are:

        Admin name      = cn=ViragoAdmin.o=Virago (login name ViragoAdmin, context o=Virago)
        Admin password  = the password you entered at the prompt
        Tree name       = Virago
        Server Context  = o=Virago

Also note that in our example HTTP port 81 and HTTPS port 444 are used. These are the ports of eDirectory's own HTTP server, on which web-based tools such as iMonitor (installed above as the NDSimon package) are reached. By default ndsconfig tries ports 80 and 443; if it sees a web server already running on these ports, it prompts the administrator for a different port number. The HTTP port is unencrypted and the interface behind it is administrative, so do not expose it beyond your management network.

4.2 Setting Up hosts.nds

If you are installing eDirectory on a pristine Red Hat system, you may have default firewall rules that block the Service Location Protocol (SLP). SLP functions like the "Network Neighbourhood" of Microsoft Windows, in that it advertises available services on the network and enables applications like ConsoleOne to "know" what services are available. If SLP is blocked, you will not be able to "browse" for the eDirectory server.

I did not have this problem with TurboLinux, but with Spectra Linux, this issue surfaced.

In any case, one way to do without SLP, or to avoid waiting for ConsoleOne to browse for the eDirectory server, is to create a file named hosts.nds in the /etc directory. This file is very similar to the hosts file that network engineers are so familiar with: it maps a tree name to the address of a server holding that tree, so the client does not have to rely on multicast service advertisements, which any host on the LAN can send. The contents of our hosts.nds file are shown below:

# hosts.nds file for Virago
# Tree name		Internet Address
Virago.			localhost

Note the trailing period "." after the Tree name. This is not a typo -- you need to specify it as a fully qualified tree name. If your server has a static IP address, you can specify it under "Internet Address". The only reason why I specified "localhost" is because I am installing eDirectory on the only system in my network (i.e. my home computer).

4.3 Configuring for LDAP With ConsoleOne

One of the things I like so much about Novell eDirectory is ConsoleOne, the graphical administrator. For "casual" LDAP administrators, or people coming into LDAP or Linux for the first time, a graphical tool like this can help ease the learning curve considerably.

What we are going to do here is to use ConsoleOne to set up Novell eDirectory for LDAP operations. By default, Novell eDirectory's LDAP server is configured conservatively: it requires TLS for simple binds that carry a password, so a password is never sent over the network in the clear. Some applications do not support SSL/TLS connections to LDAP servers, and so we will configure the server to accept unencrypted, plain-text authentication. Note that this is NOT recommended for production servers: anyone who can capture traffic on the path to TCP port 389 can then read the passwords, including the administrator's!

You can launch ConsoleOne as a "mortal" user, that is any user other than root. The application is found in /usr/ConsoleOne/bin directory. To start it, simply execute the following command :

[chongym@localhost chongym]$ cd /usr/ConsoleOne/bin
[chongym@localhost bin]$ ./ConsoleOne

ConsoleOne will launch and begin loading all the snap-ins that it can find, and then its main window appears.

You will now need to authenticate to the eDirectory server. Click on the NDS object in the left pane and click the Tree icon in the toolbar to authenticate. Key in the settings and values that you noted down earlier: for our example, login name ViragoAdmin, the password you chose, tree Virago and context o=Virago.

After authenticating successfully, expand all the objects in the left pane and take a look around. Click on the organization object in the left pane and you should see all the objects that were created for it in the right pane.

Locate the LDAP Server object and the LDAP Group object. You are going to make some changes to the properties of these objects. Right-click the LDAP Server object and select "Properties". You will see the General Settings of your LDAP server.

Click on the SSL/TLS Configuration tab. Ensure that the checkbox for "Require TLS for All Operations" is cleared. Click Apply then Close.

Next, locate the LDAP Group object. Right click it and select "Properties". You will see the LDAP Group General Settings. Ensure that the checkbox for "Require TLS for simple binds with password" is cleared. Click Apply then Close.

4.4 Testing LDAP Operations

Now we are ready to begin testing several LDAP operations against eDirectory. We will be using eDirectory's text commands, which are very similar to those of OpenLDAP, and we will look at debugging information from DSTRACE, a very useful troubleshooting tool for eDirectory.

First, we need to login as root, because we cannot execute ndstrace as a normal user. We open a terminal window and execute the following command :

# ndstrace

ndstrace opens a full-screen trace console with an NDSTrace: prompt at the bottom of the window; your commands are typed there. Type "set dstrace=nodebug" (without the quotes) to clear the DSTRACE settings, then type "set dstrace=+ldap" to turn on LDAP debugging. When you run any LDAP commands against this eDirectory server, informational and error messages will be displayed in this DSTRACE window. For production deployments, you will want to turn off LDAP debugging because it takes up CPU cycles and writes every LDAP request to the trace.

Now we are ready to begin testing. Open another terminal and type the following command:

# ldapsearch -h localhost -b "" -s one "objectclass=*"

The filter is quoted so that the shell does not try to expand the asterisk. This is an anonymous search with scope "one level" below the root of the directory, so it returns the top-level container of the tree, o=Virago in our example, in LDIF form. In the DSTRACE window you will see the connection being accepted (reported as a cleartext connection, because no TLS was negotiated), followed by the bind and the search.

At this point, your eDirectory server accepts unencrypted connections and, with the LDAP Group setting cleared, unencrypted password binds (or "logons"), and it will spew out debugging messages in the DSTRACE screen. The search above was anonymous, so it does not by itself prove that password binds work; bind as a real user to test that. If you are going to be using LDAP in your applications, check whether your application supports SSL/TLS connections and binds to eDirectory. If it does, re-enable the TLS requirements in your eDirectory server, so that passwords never cross the network in the clear. If it does not, leave the server in its present state, but treat the network between the application and the server as carrying plain-text passwords. You should also disable LDAP debugging for production servers.
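The checks a practitioner wants after the steps above, as an added example that is not part of the original document or of Novell's product: it parses the server's rootDSE to confirm which partitions it holds and whether Start TLS is offered on port 389, and then attempts exactly what section 4.3 made possible, a password bind in the clear, reporting success as a finding. It assumes that Novell's ldapsearch accepts the -D and -w options as well as the ones used above, that the bind password is supplied through an LDAP_PW environment variable (a name chosen here), and it uses the Virago tree from section 4.1 written in LDAP comma notation. The LDIF parsing is done by the script itself so the functions can be run on a captured response.

```shell
#!/bin/sh
# Added example: checks of the LDAP side of a freshly configured
# eDirectory server, driven by ldapsearch output. Not part of the
# original document or of Novell's product. The LDIF parsers read stdin
# so they can be tested on a captured response; only run_checks() talks
# to a server. Assumptions: Novell's ldapsearch (/usr/ldaptools/bin) is
# on PATH and takes -h/-b/-s/-D/-w like the one used above; the tree
# from section 4.1 (o=Virago, admin cn=ViragoAdmin,o=Virago) is used;
# the bind password comes from the LDAP_PW environment variable.

# Unfold LDIF (a line starting with a space continues the previous one)
# and print every value of attribute $1, one per line. Base64 values
# ("attr:: ...") are passed through undecoded.
ldif_values() {
    awk -v want="$1" '
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
        function flush(   i, name, val) {
            if (buf == "") return
            i = index(buf, ":")
            if (i > 0) {
                name = substr(buf, 1, i - 1)
                if (tolower(name) == tolower(want)) {
                    val = substr(buf, i + 1); sub(/^ */, "", val); print val
                }
            }
            buf = ""
        }'
}

# 0 if the rootDSE advertises the Start TLS extended operation
# (OID 1.3.6.1.4.1.1466.20037), i.e. TLS can be negotiated on port 389.
supports_starttls() {
    ldif_values supportedExtension | grep -qxF '1.3.6.1.4.1.1466.20037'
}

# The partitions (tree roots, e.g. o=Virago) this server holds.
naming_contexts() {
    ldif_values namingContexts
}

# Live checks against host $1, binding as LDAP DN $2. Note the comma form
# of the DN: LDAP uses commas where ndsconfig and ConsoleOne use dots.
run_checks() {
    host=${1:-localhost}; binddn=${2:-cn=ViragoAdmin,o=Virago}
    rootdse=$(ldapsearch -h "$host" -b "" -s base "objectclass=*" \
                  supportedExtension namingContexts vendorVersion)
    echo "vendor: $(printf '%s\n' "$rootdse" | ldif_values vendorVersion)"
    echo "naming contexts:"; printf '%s\n' "$rootdse" | naming_contexts
    if printf '%s\n' "$rootdse" | supports_starttls; then
        echo "Start TLS offered on 389: clients that can should use it"
    fi
    # An empty password makes LDAP treat the bind as anonymous, which
    # would "succeed" and give a false alarm, so insist on a real one.
    if [ -z "${LDAP_PW:-}" ]; then
        echo "set LDAP_PW to test a password bind"; return 0
    fi
    # A password bind over plain TCP 389 succeeds only while "Require TLS
    # for simple binds with password" is cleared (the state section 4.3
    # leaves the server in); on a hardened server it must be refused.
    if ldapsearch -h "$host" -D "$binddn" -w "$LDAP_PW" -b "" -s base \
            "objectclass=*" vendorVersion >/dev/null 2>&1; then
        echo "WARNING: cleartext password bind accepted on port 389"
    else
        echo "cleartext bind refused (TLS enforced, or wrong password: check DSTRACE)"
    fi
}

#   LDAP_PW=secret sh ldapcheck.sh --live [host] [binddn]
if [ "${1:-}" = "--live" ]; then
    run_checks "${2:-localhost}" "${3:-cn=ViragoAdmin,o=Virago}"
fi
```

With LDAP debugging still switched on, each live call shows up in the DSTRACE window, which is the quickest way to tell a refused cleartext bind from a mistyped password. Run it again after re-enabling the TLS requirement in ConsoleOne: the WARNING line should disappear.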

This document should help you get started, but barely scrapes the surface of many issues that you will need to deal with, if and when you decide to use LDAP. You will need to decide :

Novell has excellent documentation on their website, including a set of Java classes (the LDAP Classes for Java) that you can use to interface with any LDAP-compliant server. I've tried it successfully myself interfacing with an OpenLDAP server, which shows how portable the classes are.



Footnote

If you are using a kernel version before 2.4.18, my advice is to upgrade to 2.4.18 or better. With the 2.4.9 kernel, I experienced lock-ups on my Dell system, caused by the CDROM drive. This bug seems to be hardware-specific, because my other system, an IBM Netfinity 1000, does not have this problem. The bug manifests itself when you attempt to mount the CDROM drive: the operation hangs. No, you cannot kill it, and the only option is to reboot. The bug was finally fixed in kernel 2.4.18.

You can use glibc 2.1.x, but my advice is to upgrade. Hey, since you already have a 2.4.x kernel, why not use the latest glibc ?


