Building an IDM 3 Test Environment using eDirectory 8.8 Multi-Instances
Novell Cool Solutions: AppNote
By Akos Szechy
Digg This -
Posted: 20 Sep 2006
eDirectory 8.8 introduced some great features. One of them is the multi-instances support that allows you to run multiple copies of eDirectory trees on one box. This is also a cool feature; you can test how the eDirectory-eDirectory driver works, and all you need is one server. You can test all the other drivers as well on the box - it's just a question of resources.
In this AppNote I will show you how can you build a test environment using one SLES 9 (SP3) box with eDirectory 8.8 (SP1), running the following drivers:
- LDAP driver
- Delimited file driver
Basically you will create 3 eDirectory instances. Two will host the eDirectory drivers, while one will operate as an LDAP directory so you can run the LDAP Driver against it.
Warning: This configuration should run fine in production as well, but I don't suggest you bet your life on one single box.
eDirectory 8.8 SP1 Installation
After you install the SLES9 box - which we won't cover here - you have to install eDirectory 8.8.1. You can get a copy at http://download.novell.com
1. Choose the installation path and run the nds-install script.
2. Accept the terms.
3. Choose 1 - eDirectory server components.
4. Add the following lines to /root/.bashrc file, so it will find the utilities and the related stuff. If .bashrc does not exist, you can copy it from the /etc/skel directory to /root.
export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale
eDirectory is now installed, so you can go ahead and configure your eDirectory instances to be used by IDM.
Note: Please be sure 'openldap' is not installed! If it's installed, you have to stop it or move the default LDAP port to a different port, as port 389 is already used.
Configuring eDirectory Instances
You can configure the instances with ndsconfig or ndsmanage. We'll use ndsconfig, as it can specify with one command how to create your tree.
1. Create the first instance:
ndsconfig new -t IDM3_TREE -n o=novell -S SLES91 -a admin.novell -d /var/opt/novell/eDirectory/IDM3_TREE/dib -D /var/opt/novell/eDirectory/IDM3_TREE/data -L 389 -l 636 -o 8008 -O 8009
Sample parameters and descriptions to create a new tree:-t - the name of the tree: IDM3_TREE
-n - the context of the server: o=novell
-S - the name of the server: SLES91
-a - the name of the admin user: admin.novell
-d - the path for the dib: /var/opt/novell/eDirectory/IDM3_TREE/dib
-D - the path for the data files: /var/opt/novell/eDirectory/IDM3_TREE/data
-L - the port for clear text LDAP: 389
-l - the port for LDAP SSL: 636
-o - Remote Manager over HTTP: 8008
-O - Remote Manager over HTTPS: 8009
2. The installation will ask for an Admin password; provide it now.
3. Create the second instance:
ndsconfig new -t IDM3_TREE2 -n o=novell -S SLES92 -a admin.novell -d /var/opt/novell/eDirectory/IDM3_TREE2/dib -D /var/opt/novell/eDirectory/IDM3_TREE2/data -L 1389 -l 1636 -o 18008 -O 18009 -b 1524 ?-config-file /var/opt/novell/eDirectory/IDM3_TREE2/conf
Sample parameters and descriptions to create a second tree:
-t - the name of the tree: IDM3_TREE2
-n - the context of the server: o=novell
-S - the name of the server: SLES92
-a - the name of the admin user: admin.novell
-d - the path for the dib: /var/opt/novell/eDirectory/IDM3_TREE2/dib
-D - the path for the data files: /var/opt/novell/eDirectory/IDM3_TREE2/data
-L - the port for clear text LDAP: 1389
-l - the port for LDAP SSL: 1636
-o - Remote Manager over HTTP: 18008
-O - Remote Manager over HTTPS: 18009
-b - the NCP port where eDirectory will listen on : 1524
--config-file - the configuration file for this instance: /var/opt/novell/eDirectory/IDM3_TREE2/conf
4. The installation will ask for an Admin password; provide it now.
5. As a summary, check the following table to verify the most important values of your trees:
|Value||Tree1 (IDM3_TREE)||Tree2 (IDM3_TREE)|
|IP address of your server||172.16.63.130||172.16.63.130|
|LDAP clear text port||389||1389|
|LDAP SSL port||636||1636|
6. Just to be on the safe side, check if you can log in using ndslogin:
ndslogin -t IDM3_TREE -h 172.16.63.130:524 admin.novell ndslogin -t IDM3_TREE2 -h 172.16.63.130:1524 admin.novell
Both logins should succeed before you continue.
Identity Manager Installation
To install IDM, you need the IDM 3.01 ISO available (you can get a copy from http://download.novell.com). Once you have it, follow these instructions:
1. Install IDM3 by starting the dirxml_setup.bin file from the /linux/setup directory.
2. Accept the License agreement.
3. Choose "1 - Metadirectory Server".
4. Choose the eDirectory instance where you would like to install IDM. In your case this is the first instance with IDM3_TREE.
5. Specify the username: cn=admin,o=novell (NOTE the LDAP format!)
6. Specify the password and accept the offered drivers, so the installation can continue.
7. Repeat the steps for the second instance, but at point 4 choose the second instance.
AdministrationFor administering the system, you use Mobile iManager 2.6 and installed the IDM 3.01 iManager Plug-ins from http://download.novell.com.
I prefer Mobile iManager; if something goes wrong, you just unzip it again, and it runs fine.
Configuring the eDirectory-eDirectory Driver
Now you need to configure the drivers.
1. Log in to the first tree using Mobile iManager.
Figure 1 - Mobile iManager login
2. Create a new container called "dirxml" under [Root], using iManager or any administrative tools. You will synchronize this container with the second trees dirxml container. Using iManager you can create it with the Create Object task under the Directory Administration role.
3. Go to the Identity Manager Overview page of the Identity Manager role.
Figure 2 - IDM Overview page
4. Click Search and then start the Create New DriverSet wizard to create your Driverset.
5. Create a new driverset called DSet under "novell" and associate with the server object.
Figure 3 - Creating the DSet driverset
6. Import the eDirectory.xml file from the /nw/dirxml/drivers directory on the CD.
Figure 4 - Importing eDirectory.xml
7. Enter the necessary parameters:
- Driver name: eDirectory1 (I suggest you don't put any spaces in the name)
- Remote tree address: 172.16.63.130
- Remote tree port: put 2222 here, you will see this later
- Base container: dirxml
- Password sync version: 2.0
- Remote container: dirxml
- Define admin.novell as security equivalent
Note: Unless you specify this lots of operation will not work as the IDM engine will not have rights to perform.
You don't have to modify/specify the remaining fields. You can click on Finish, so the driver should be imported, and you should see something like this:
Figure 5 - Finishing the driver import
Now, lets go to the Second tree and do the same ...
8. Exit from iManager.
9. At the login prompt, specify the second tree by placing 172.16.63.130:1524 in the Tree field.
10. Once you log in, do the same as you did with the first tree, but name the driver "eDirectory2".
11. Once you are done with the second tree, generate the Key material objects used to allow the two drivers to talk to each other. If no PKI snapins are installed, you'll get an error message while trying to generate the certificates that NPKIT cannot be initialized.
12. Select the NDS-to-NDS Driver Certificates task from the Identity manager Utilities role and fill in with the details as follows for the first tree:
Figure 6 - NDS2NDS Driver Certificates, first tree
13. Do the same for the second tree:
Figure 7 - NDS2NDS Driver Certificates, second tree
The summary should be something like this:
Figure 8 - Driver Certificates Summary
13. Click Finish to create the certificates.
As you might realize, you set both drivers on port 2222. Of course, this is not possible - only one application can use a TCP port. However, you only have one network card...so, what is the solution? You have to specify for both drivers two ports: one where it listens, and a second one where it can find the remote driver. Basically you will set your first driver to listen on port 1234 and the second driver to listen on 4321.
Let's do it:
1. Log in to the first tree.
2. Now you need to open the Driver.
3. Access the Identity Manager role / Identity Manager Overview.
4. Search for the driver and click on the driver icon to select it. In the Authentication context box you should see: 172.16.63.130:2222.
5. Modify it to 172.16.63.130:1234:4321. This will let the driver know that it listens on port 1234 and it can find the other tree on port 4321.
6. You may want to set the Startup option to Manual instead of Auto.
7. Click Apply.
8. Switch to the Misc tab and specify a trace level of 3, to see what's going on in NDSTRACE.
9. Click Apply and then OK.
10. Repeat the above steps for the second tree, but in this case specify 172.16.63.130:4321:1234 in the Authentication Context. It should look like this:
Figure 9 - Setting the Authentication Context
Preparing for the Startup
It's a good idea to enable NDSTRACE on the server, so you can track what's going on. You can use these NDSTRACE commands all the time to track IDM:
ndstrace Select the appropriate instance set dstrace = nodebug ndstrace dxml dvrs
Starting the Drivers
1. Log in to the first tree.
2. Open the Driver (Identity Manager role, Identity Manager overview, Search).
3. Select the stop sign and from the dropdown box and click Start.
The driver should start and the status should change to a little Yin-Yang sign like this:
Figure 10 - Driver startup
4. Once, its done, repeat it for the second tree.
Once the drivers start up, you can create a user under the dirxml organization in any tree, and that should sync to the other tree. Also, in ndstrace you should see something like this:
eDirectory2 ST: DirXML Log Event ------------------- Driver: \IDM3_TREE2\novell\DSet\eDirectory2 Channel: Subscriber Object: \IDM3_TREE2\dirxml\user1 Status: Success Message: <application>DirXML</application> <module>eDirectory1 <object-dn>\IDM3_TREE2\dirxml\user1 (dirxml\user1)</object-dn> <component>Publisher</component>
So now you have a working eDirectory-eDirectory driver. You can add one more eDirectory instance, so it can serve as an LDAP directory for your LDAP Driver.
First, you have to create one more eDirectory instance in the well known way:
ndsconfig new -t LDAP_TREE -n o=novell -S SLES93 -a admin.novell -d /var/opt/novell/eDirectory/LDAP_TREE/dib -D /var/opt/novell/eDirectory/LDAP_TREE/data -L 2389 -l 2636 -o 28008 -O 28009 -b 2524 ?-config-file /var/opt/novell/eDirectory/LDAP_TREE/conf
After you create the tree,
1. Try to log into it with iManager. Remember, this time you have your tree on port 172.16.63.130:2524.
2. Create an Organization called dirxml. That's what you will use in this tree as well for synchronization.
3. For testing, disable "Require TLS for Simple Binds with Password" by the following command on the server:
ldapconfig set "Require TLS for Simple Binds with Password=no"
4. Select the 3rd instance and log in.
5. It's a good idea to test if LDAP really works in cleartext mode. If you don't get an error but see a lot of data after executing this command, you should be fine:
ldapsearch -h localhost -p 2389 -x -D cn=admin,o=novell -w novell
Creating the LDAP driver
1. Open iManager to the first tree.
2. Go to the Identity Manager Overview and click Add Driver.
3. Add the driver to the existing driverset.
4. Browse for the LDAP.XML file.
5. Specify the following parameters:
- eDirectory container: dirxml
- LDAP Container: o=dirxml
- LDAP Server: 172.16.63.130 port: 2389
- LDAP Authentication DN: cn=admin,o=novell (NOTE: LDAP format is used!)
- LDAP Authentication Password: novell
- Polling interval in seconds: 5
- Publication method: LDAP Search
The other parameters should be fine. Note: Don't forget to set Admin.novell as the Security equivalent!
6. Specify a trace level 3 as you did in the previous steps (on the Drivers MISC tab).
7. Start the driver.
8. Verify that creating a user in any tree under the dirxml organization creates the user in the other two trees.
The Delimited Text file driver is a bit different to the others, but still interesting to have it on this box.
It's easy to set up - just follow these steps:
1. Create three directories: /var/idm, /var/idm/in, /var/idm/out
2. Login with iManager to the first server and create a new driver based on the DelimitedTextCSVSample.xml
3. Specify the following parameters:
- Output File Path: /var/idm/out
- Input File Path:/var/idm/in
- New User container: dirxml
4. By now, you should remember that you need to include the Security Equivalent, set the trace level and check to see if the driver is on Manual startup.
5. Start the driver.
6. See if any files are generated in /var/idm/out when you create users in any trees under dirxml.
You should see a file in the out directory with a content like this:
aszechy-sles9:/var/idm/out # ll total 4 drwxr-xr-x 2 root root 88 Sep 12 06:14 . drwxr-xr-x 4 root root 96 Sep 12 06:09 .. -rw-rw-rw- 1 root root 13 Sep 12 06:14 1158066840178.csv aszechy-sles9:/var/idm/out # cat 1158066840178.csv user5,,,,,,,
At this point, the most common error you'll see in DSTrace is -672, because you haven't specified the Security equivalent user.
So as you can see, you set up basically a four-system IDM environment quite easily on one box. Now you can play with eDirectory, LDAP or with the Delim driver.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com