Administering eDirectory on Linux


Test Objectives Covered:

5. Perform eDirectory administration tasks.

There are three main tools you will use to administer eDirectory on Linux:

  • Command-line utilities

  • iManager

  • iMonitor

In this section, we will discuss the basics of each. We will also relate how to perform an eDirectory health check.

Command-line Utilities

On the Linux platform, eDirectory includes several utilities that can be used from the command line to manage your eDirectory database. A detailed discussion of each utility is beyond the scope of this book. We will use iManager and iMonitor as the primary administration tools, wherever possible.

The command-line eDirectory utilities included in NNLS are listed in Table 5.3.

Table 5.3. eDirectory Command-Line Utilities

| UTILITY | DESCRIPTION |
| --- | --- |
| /etc/init.d/ndsd | The ndsd init script is used to start and stop the eDirectory service on your server. It is used like other init scripts, with start or stop modifiers. For example, to stop the service, you would enter /etc/init.d/ndsd stop. To start the service, you would enter /etc/init.d/ndsd start. |
| ldapconfig | The ldapconfig utility can be used to configure your LDAP Server and LDAP Group objects in your tree. Enter man ldapconfig at your shell prompt to see the various parameters used with this utility. |
| ndsbackup | The ndsbackup utility is used to save the logical structure of the eDirectory tree to a file. If something should happen to the objects in the tree, you can use this utility to restore them from the backup file previously created. |
| ndsconfig | The ndsconfig utility is used to configure the eDirectory tree itself. It can be used to create a new tree, modify an existing tree, add a server to an existing tree, or remove a server from the tree. Enter man ndsconfig at your shell prompt to see the various parameters used with this utility. |
| ndslogin | The ndslogin utility is used to check whether eDirectory authentication is working correctly. When it's run, you provide a username as a modifier (for example, ndslogin cgrayson.if.cle). The utility then prompts you for the user's password. The utility then tests, authenticates, and reports the results. |
| ndsmerge | This utility can be used to combine two separate eDirectory trees into a single tree. This can be a delicate operation. Before attempting this, enter man ndsmerge at the shell prompt and read the instructions for preparing the trees and servers. |
| ndsrepair | Because of the replicated, distributed nature of eDirectory, it's possible for errors to creep into the database due to failed communication links and other issues. The ndsrepair utility can be used to check the local eDirectory database for errors and repair them. To run a full, unattended repair, enter ndsrepair -U at the shell prompt. To see all the options available with this utility, enter man ndsrepair at the shell prompt. |
| ndsstat | The ndsstat utility is used to display information about the local eDirectory server. It displays the tree name, the server distinguished name, and the version of eDirectory installed. To use this utility, simply enter ndsstat at the shell prompt. |
| ndstrace | This utility can be used to trace internal eDirectory activity. This utility has many options and parameters. View the ndstrace man page for more information about how to use this utility. |


One thing you need to keep in mind when using these utilities is that they are server centric. That is, they only configure the eDirectory service on the local server.

If your eDirectory tree is large and has many servers, this may prove to be cumbersome. In this case, you should use iManager and iMonitor. In fact, on your CLE exam, you should do everything you can with iMonitor and iManager first. Only if you can't perform a task with these two utilities should you consider using the command-line utilities.

Using iManager

Novell's iManager is a web-based utility that is used to manage your eDirectory tree. We've already used iManager several times in the exercises in this book. iManager is accessed by opening a web browser and accessing http://your_server_address/nps/iManager.html.

When you do, the iManager authentication page is displayed, as shown in Figure 5.38.

Figure 5.38. The iManager authentication page.



iManager uses eDirectory to control access. The tasks you can perform in iManager are dependent upon the credentials you supply in this page.

You should be aware that iManager uses LDAP to authenticate. If the user you are authenticating as exists in the same context as your server object and your LDAP Server and LDAP Group objects, you can simply provide the typeless username.

In the preceding exercises, you simply entered admin and were able to authenticate. If you want to use a different user, you must supply the typeful distinguished name of the user using LDAP syntax. For example, if I were Christopher Grayson and wanted to authenticate to the CLE-TREE we just installed, I would enter cn=cgrayson,ou=IF,o=CLE in the Username field.

After authenticating, the iManager home page appears, shown in Figure 5.39.

Figure 5.39. The iManager home page.



Notice that a frame labeled Roles and Tasks is displayed on the left side of the screen. By default, iManager displays all the roles and tasks it has been configured with.

The roles are superordinate headings displayed in black text. These are groupings of individual tasks.

The tasks are specific jobs you can perform with iManager. They are displayed as links beneath the role headings.

If your credentials have insufficient rights in the eDirectory tree to perform a task, a message will be displayed in the right frame when you try to complete it. If you do have the appropriate level of rights, the interface required to complete the task you selected is displayed in the right frame.

One of the cool features of iManager is the ability to configure Role-Based Services (RBS). By default, RBS is not configured, hence the reason iManager displays all roles and tasks for all users. If you configure RBS, you can associate specific roles and tasks with specific users. When you do this, the users automatically receive all the rights they will need to accomplish the associated tasks in the eDirectory tree.

For example, you can associate a user with the Help Desk role, shown in Figure 5.40.

Figure 5.40. The Help Desk role.



When the user authenticates to iManager, he or she only sees the Help Desk role in the left frame. The user automatically receives the rights needed to clear intruder lockouts, create users, and set user passwords within the area of the tree you specify.

Let's now turn our attention to the last eDirectory management tool we're going to cover in this chapter: iMonitor.

Using iMonitor

iMonitor has a different purpose than iManager. iManager is primarily designed to manage the tree, performing day-to-day tasks such as adding users, creating groups, and assigning rights.

iMonitor, on the other hand, is designed specifically to monitor and troubleshoot the eDirectory database on the servers in your tree. You can view current eDirectory operations based on servers, partitions, or replicas.

iMonitor operates in two different modes: direct mode and proxy mode. Simply speaking, iMonitor is running in direct mode when you are using it to work on the eDirectory database and service on the same server where you are accessing iMonitor.

In proxy mode, you access iMonitor on one server in the eDirectory tree and then use it to manage the eDirectory database and service on a different server in the tree. This is a really useful feature of iMonitor. If you were to install your NNLS server into an existing eDirectory tree where servers are installed running older versions of eDirectory or NDS, you can use proxy mode to manage them as well as your NNLS server.

To access iMonitor, run a web browser and open https://your_server_IP_address:8010/nds. When you do, iMonitor displays an authentication screen, as shown in Figure 5.41.

Figure 5.41. Authenticating to iMonitor.



Unlike in iManager, you authenticate to iMonitor using standard eDirectory naming conventions. For example, if you want to authenticate as the admin user in the tree you installed previously, enter admin.IF.CLE in the Username field.
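The two login forms described above (LDAP syntax for iManager, dotted eDirectory syntax for iMonitor and ndslogin) can be converted mechanically. The following is an added example, not code from the book or from Novell; the function names are hypothetical, and the typing of typeless names (first name CN, last name O, everything between OU) is an assumption that matches the CLE-TREE layout used in this chapter.

```python
import re

LDAP_SPECIAL = set(',+"\\<>;=')   # must be backslash-escaped in an LDAP DN value

def _split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters inside their component."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    return parts + [cur]

def _unescape(value):
    # Single-character escapes only; LDAP hex-pair escapes (\2C) are not handled.
    return re.sub(r"\\(.)", r"\1", value)

def _ldap_escape(value):
    out = "".join("\\" + c if c in LDAP_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out

def dotted_to_ldap(name):
    """admin.IF.CLE or .cn=admin.ou=IF.o=CLE -> cn=admin,ou=IF,o=CLE"""
    raw = _split_unescaped(name.strip().lstrip("."), ".")
    if any(not part for part in raw):
        raise ValueError("empty component in %r" % name)
    rdns = []
    for idx, comp in enumerate(raw):
        typed = re.match(r"([A-Za-z]+)=(.+)$", comp, re.S)
        if typed:                          # typeful component: keep its type
            attr, value = typed.group(1).lower(), typed.group(2)
        elif idx == len(raw) - 1:          # assumed default: last name is the O
            attr, value = "o", comp
        else:                              # assumed default: leaf CN, others OU
            attr, value = ("cn" if idx == 0 else "ou"), comp
        rdns.append(attr + "=" + _ldap_escape(_unescape(value)))
    return ",".join(rdns)

def ldap_to_dotted(dn):
    """cn=admin,ou=IF,o=CLE -> admin.IF.CLE (typeless, single-valued RDNs only)"""
    names = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, value = rdn.lstrip().partition("=")
        if not attr or not value:
            raise ValueError("malformed RDN %r" % rdn)
        names.append(re.sub(r"([\\.=+])", r"\\\1", _unescape(value)))
    return ".".join(names)
```

A name containing a literal dot or comma is the case that breaks naive string replacement: `j\.smith.IF.CLE` becomes `cn=j.smith,ou=IF,o=CLE`, and a comma in a CN is escaped on the LDAP side.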

As with iManager, the tasks you can perform within iMonitor are controlled by the rights assigned to the user object you used to authenticate to the tree.

Most tasks in iMonitor require that the user object you use have the Supervisor right to the server object. This can be either your tree admin user or another user whom you have granted rights to the server object.

After authentication, the iMonitor home page is displayed, as shown in Figure 5.42.

Figure 5.42. The iMonitor home page.



The iMonitor home page displays a summary of the eDirectory agents on your server. You can quickly view the synchronization status of the replicas in the replica ring as well as the status of the various eDirectory processes running on the server.

One of the key roles of iMonitor is to check the health of your eDirectory tree. Let's talk now about how this is done.

Performing an eDirectory Health Check with iMonitor

As mentioned earlier, eDirectory uses a distributed, replicated database. The service, as well as the database data, is distributed among the various servers in the tree. For the most part, eDirectory functions flawlessly. Directory information is synchronized around the various replica rings, and eDirectory processes occur on schedule.

Certain situations can arise, however, that interfere with the proper functioning of the directory. Any of the following can cause errors to appear in the eDirectory database:

  • Dropped network links between servers

  • Lost time synchronization

  • Failed hardware

  • Corrupted eDirectory files

This is only a partial list of the network issues that can cause errors to be introduced into the tree. Fortunately, Novell provides several tools that can be used to fix these errors, with iMonitor being key among them. In this section, we're going to talk about how to use iMonitor to perform an eDirectory health check.

You need to understand just how important these health checks are. A majority of eDirectory problems actually fix themselves if left alone long enough. Experienced eDirectory administrators call this "letting the tree settle down." The phrase "time heals all wounds" is very applicable.

Over the years, I've observed many eDirectory administrators jump right in and start trying to manually repair problems in their tree. However, the majority of these problems will fix themselves over time.

There are times, however, when manual intervention is necessary. If left alone too long, some eDirectory issues will propagate throughout the tree, causing horrendous problems.

What should you do? Run regular eDirectory health checks to make sure everything is functioning as it should. If you have a relatively static eDirectory tree (meaning changes occur in the tree only rarely), you should run a full health check about once or twice a month.

If you have a very dynamic tree where changes are made on a frequent basis, you should run health checks much more often, as much as once or twice a week.

You should also run a health check before you perform any major tree operations, such as creating partitions, adding replicas, or adding servers to the tree.

Using iMonitor, you do the following to perform a basic eDirectory health check:

  • Check the eDirectory version on all the servers in the tree.

  • Verify that time is synchronized on all servers in the tree.

  • Check partition continuity. This involves making sure all replicas of each partition in the tree are able to communicate with each other.

You can also perform an advanced eDirectory health check. We're not going to cover this process here because it isn't required to pass the CLE exam and because it requires more eDirectory knowledge and experience than you have at this time.

In summary, an advanced health check includes the preceding items and adds the following processes:

  • Check to see that the eDirectory schema is synchronized on all servers in the tree.

  • Check for stuck obituaries. Obituaries occur in the eDirectory tree whenever you modify, move, or delete an object. The original information is saved for a time to preserve a history of the object until the change has been synchronized to all replicas in the ring. When the change has been fully synchronized, the obituary is flagged as purgeable and is removed from the system. If an obituary is stuck, it indicates a synchronization problem somewhere in the replica ring that must be rectified.

  • Check external references. An external reference is created when you access information in the tree that isn't actually stored in a replica on the local server. eDirectory creates a shortcut to the actual data residing on a different server in the tree called an external reference.

  • Check the status of the limber processes. Whenever you make a change to a server in the tree, such as changing the server's name or IP address, eDirectory employs a process called limber that propagates the new information around to the other servers in the tree. Without the limber process, changing a server's IP address, for example, would completely destroy the replica ring it participated in. This part of the health check ensures that this process is working properly.

To run a basic health check with iMonitor, complete the following steps:

  1. Open a web browser and navigate to https://your_server_IP_address:8010/nds.

  2. Authenticate as your admin user.

  3. In the left frame, select Agent Configuration. The page shown in Figure 5.43 appears.

    Figure 5.43. The iMonitor Agent Configuration page.



  4. Scroll down the list and note the version of eDirectory installed.

  5. Scroll down and verify that time is synchronized.

  6. In the left frame, scroll down to the Links heading and select Agent Synchronization. The page shown in Figure 5.44 appears.

    Figure 5.44. The iMonitor Agent Synchronization page.



    Note

    Note that there is an Agent Synchronization link under the Agent Configuration heading as well. Be sure to select the link located under Links.

  7. Check the Errors and Last Successful Sync fields. The Errors field should be . The Last Successful Sync field displays how long it has been since the entire ring was last successfully synchronized. It should have occurred fairly recently.

  8. You'll notice that each partition has its own row of information. At the right end of each row is a collection of links. For each partition, select its Continuity link.

  9. Verify that the Errors field for each partition is and that the Last Successful Sync happened recently.

  10. Under Links, select Agent Process Status. The page shown in Figure 5.45 appears.

    Figure 5.45. The iMonitor Agent Process Status page.



  11. Identify any error codes displayed for schema sync status, obituary status, external reference status, or limber status.

  12. Run a full unattended repair process on your server by completing the following:

    1. In the iMonitor toolbar, select the Repair icon. The page shown in Figure 5.46 appears.

      Figure 5.46. The iMonitor Repair page.



    2. Mark Run in Unattended Mode.

    3. Select Start Repair.

    4. Wait while the repair process is completed.

That's it! If you perform this procedure on a regular basis with your eDirectory tree, you can help ensure that it continues to operate properly.



Novell Certified Linux Engineer (CLE) Study Guide
Novell Certified Linux Engineer (Novell CLE) Study Guide (Novell Press)
ISBN: 0789732033
EAN: 2147483647
Year: 2004
Pages: 128
Authors: Robb H. Tracy
