Setting Up eDirectory on Linux
Novell Cool Solutions: Feature
Posted: 11 May 2005
Note: This article is adapted from BrainShare presentation TUT280: eDirectory on Linux.
eDirectory on Linux - Model and Specifications
The Linux model for eDirectory is pictured below.
Figure 1 - Linux model for eDirectory
Here are the basic specifications for running eDirectory on Linux:
- 4 GB of addressable memory for the process. This requires kernel tweaking to get to 4 GB; otherwise, memory is limited to 2.8 GB to 3.6 GB.
- It runs in the User memory space.
- It works well in multi-processor environments.
- It can run as root.
- The eDirectory admin can relocate DIBs or relocate logs.
- Most utilities are wrappers to libraries.
Components and Configuration
The components for eDirectory on Linux are found in the following locations:
- Configuration: /etc
- DIB: /var/nds/dib
- Logs: /var/nds
- Libraries: /usr/lib and /usr/lib/nds-modules
- Binaries: /usr/bin and /usr/sbin
The basic configuration files are listed below.
| File | Purpose |
|---|---|
| /etc/nds.conf | Primary configuration file for ndsd |
| /usr/lib/nds-modules/ndsmodules.conf | Configures which modules are loaded on startup and how they are loaded. To troubleshoot, comment them out and load them back one at a time. |
| /etc/ndsimon.conf and ndsimonhealth.conf | Allow customization of iMonitor |
| /etc/nici.cfg | Contains the NICI configuration: version, strength, etc. |
The Linux OES default ports are described below.
Figure 2 - Linux model for eDirectory
To locate the current httpstk ports, use: ndsconfig get | grep http
To locate the NCP ports, use: ndsconfig get | grep tcp
To locate the LDAP ports, use: ldapconfig get | grep -i port
Managing the ndsd Process
To start ndsd on both Linux and Solaris, use this service script: /etc/rc.d/init.d/ndsd start
To stop ndsd on both Linux and Solaris, use this service script: /etc/rc.d/init.d/ndsd stop
Note: It is recommended not to start and stop ndsd manually. Use the scripts as noted above.
To monitor ndsd, use the following command: # ps -eaxf | grep ndsd
Here is some sample output:
root 5067 1 0 00:54 ? 00:00:00 /usr/sbin/ndsd
root 5070 5067 0 00:54 ? 00:00:00 /usr/sbin/ndsd
root 5071 5070 0 00:54 ? 00:00:00 /usr/sbin/ndsd
root 5072 5070 0 00:54 ? 00:00:00 /usr/sbin/ndsd
root 5074 5070 0 00:54 ? 00:00:00 /usr/sbin/ndsd
root 5075 5070 0 00:54 ? 00:00:01 /usr/sbin/ndsd
These threads are Light Weight Processes (LWPs), which reduce context-switching overhead. You will see them as multiple ndsd processes running on the same machine. You can use pstree to see them as a tree (for example, pstree `cat /var/nds/ndsd.pid`, which passes the parent PID from the pid file). Use top to make sure that ndsd is not hogging system resources.
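The checks described above (one parent ndsd with its LWPs, and the port lookups from ndsconfig get) can be scripted. The following is an added example, not code from the original article or from Novell: it parses ps -eaxf and ndsconfig get output supplied on stdin, so it is shown here running against constructed sample text. The ndsconfig key names (n4u.server.interfaces, http.server.interfaces, https.server.interfaces) and the key=address@port value form are assumptions about that command's output.

```shell
#!/bin/sh
# Added example (not from the original article): check the ndsd process
# tree in `ps -eaxf` output and report the ports found in `ndsconfig get`
# output. All sample text below is constructed; the ndsconfig key names
# and the key=address@port value form are assumptions.

# Constructed `ps -eaxf` lines shaped like the article's sample output
# (UID PID PPID C STIME TTY TIME CMD). The last line is a process that
# merely mentions ndsd, to show why matching on the CMD field matters.
PS_SAMPLE='root  5067     1  0 00:54 ?  00:00:00 /usr/sbin/ndsd
root  5070  5067  0 00:54 ?  00:00:00 /usr/sbin/ndsd
root  5071  5070  0 00:54 ?  00:00:00 /usr/sbin/ndsd
root  5072  5070  0 00:54 ?  00:00:00 /usr/sbin/ndsd
root  5074  5070  0 00:54 ?  00:00:00 /usr/sbin/ndsd
root  5075  5070  0 00:54 ?  00:00:01 /usr/sbin/ndsd
root  6001     1  0 00:55 ?  00:00:00 /bin/sh /etc/rc.d/init.d/ndsd status'

# Constructed `ndsconfig get` output (key names and value form assumed).
NDSCONFIG_SAMPLE='n4u.server.interfaces=192.168.10.5@524
http.server.interfaces=192.168.10.5@8028
https.server.interfaces=192.168.10.5@8030
n4u.nds.dibdir=/var/nds/dib'

# PID of the top-level ndsd: the /usr/sbin/ndsd entry whose parent is PID 1.
# The command is taken from the last field so the "\_" tree marker that
# ps -f prints for children does not get in the way. Reads stdin.
ndsd_parent_pid() {
    awk '$3 == 1 && $NF == "/usr/sbin/ndsd" { print $2; exit }'
}

# Number of ndsd LWPs: every /usr/sbin/ndsd entry other than the parent.
ndsd_lwp_count() {
    awk '$NF == "/usr/sbin/ndsd" && $3 != 1 { n++ } END { print n + 0 }'
}

# Succeeds only when exactly one parent ndsd with at least one LWP exists:
# zero parents means ndsd is down, two means a second copy was started by
# hand, which the article advises against.
ndsd_healthy() {
    ps_text=$(cat)
    parents=$(printf '%s\n' "$ps_text" |
        awk '$3 == 1 && $NF == "/usr/sbin/ndsd" { n++ } END { print n + 0 }')
    lwps=$(printf '%s\n' "$ps_text" | ndsd_lwp_count)
    [ "$parents" -eq 1 ] && [ "$lwps" -ge 1 ]
}

# "key port" for each *.interfaces= line of ndsconfig output on stdin
# (one address@port value per key is assumed).
interface_ports() {
    awk -F'[=@]' '/\.interfaces=/ { print $1, $NF }'
}

# Port for a single key, e.g. interface_port n4u.server.interfaces
interface_port() {
    interface_ports | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Stand-alone run against the constructed samples. On a real server the
# equivalent is `ps -eaxf | ndsd_healthy` and `ndsconfig get | interface_ports`.
printf 'ndsd parent pid: %s\n' "$(printf '%s\n' "$PS_SAMPLE" | ndsd_parent_pid)"
printf 'ndsd LWPs: %s\n' "$(printf '%s\n' "$PS_SAMPLE" | ndsd_lwp_count)"
printf '%s\n' "$NDSCONFIG_SAMPLE" | interface_ports
```

The health function deliberately treats two top-level ndsd processes as a failure rather than a success, because that is exactly the state a manual start on top of the service script produces.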
Here are some issues to consider before installing eDirectory on Linux. For more details, consult the eDirectory for Linux documentation.
- Memory - 128 to 256 MB minimum. 2 GB just for eDirectory usually works best.
- Disk space for DIBs, libraries, binaries and logs - about 300 MB for a full installation, plus approximately 74 MB for every 50,000 objects.
- CPU speed - 200 MHz minimum (Intel only for Linux); 400 MHz or greater is recommended.
- File system types - Note that the file system must be on a local bus. eDirectory is not supported on an NFS mount, as DIB corruption can occur. Various file systems are supported, such as ReiserFS, ext2, and ext3. SANs are supported through a local bus.
- Platforms - eDirectory is built only for the x86 architecture. Other platforms (IBM Series 390, PowerPC, etc.) will not work.
It's important that time is synchronized on the system. If you're using NTP, run ntpdate <time_source> (only when ntpd is not running). You can use the ntpq -p command to test the NTP configuration.
You also need to configure the /etc/ntp.conf file. The syntax used is:
Server 127.127.Xtype.0 prefer
Fudge 127.127.XType.0 stratum 0
For the local hardware clock, use Server 127.127.1.0. For the remote IP NTP time source, use Server clock.via.net. Use port 123 for tcp/udp.
Communications using SLP and hosts.nds
You can use the existing SLP on your system, or the process can install Novell SLP. OpenSLP uses TCP, while Novell SLP uses UDP. The configuration is done in /etc/slp.conf, and port 427 is used for tcp/udp.
Avoid placing switches between hosts if the routers will not route to hosts. This is known as the "smart switch /stupid router" problem. See the specific switch documentation for details.
The hosts file (/etc/hosts.nds) is used to resolve tree names to server referrals. It is a static lookup table used by eDirectory applications to look up eDirectory partitions and servers. If a tree or server is not listed in the file, the lookup is performed through SLP. This can be used to avoid SLP multicast delays when an SLP Directory Agent (DA) is not present in the network.
Here is a sample /etc/hosts.nds file:
## Master of tree partition
Partition ----------- Server DNS or IP
CORP. server1.corp.com
## R/W of tree partition
CORP. server2.corp.com
## Master of novell partition
novell.CORP. server2.corp.com
## R/W of tree partition
novell.CORP. server1.corp.com
## Server name --------- Internet address
NCPserver1 server1.corp.com
NCPserver2 server2.corp.com
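The lookup order the text describes (static table first, SLP only for names the file does not list) can be reproduced with a small script. The following is an added example and not code from the original article or from eDirectory itself; it works on a constructed hosts.nds-style file in which partition names carry a trailing dot and server names do not, as in the sample above, and it only reports where a real client would fall back to SLP rather than performing SLP lookups.

```shell
#!/bin/sh
# Added example (not from the original article): consult a hosts.nds-style
# static table for a partition or server name, and report when the lookup
# would fall through to SLP. The file content is constructed for the example.

# Constructed file with the same shape as the article's sample. Comment
# lines start with "#"; "CORP." (trailing dot) is a partition, "NCPserver1"
# is a server name.
HOSTS_NDS_SAMPLE='## Master of tree partition
CORP.         server1.corp.com
## R/W of tree partition
CORP.         server2.corp.com
## Master of novell partition
novell.CORP.  server2.corp.com
## R/W of novell partition
novell.CORP.  server1.corp.com
## Server name --------- Internet address
NCPserver1    server1.corp.com
NCPserver2    server2.corp.com'

# Write the constructed sample to a temporary file and print its path.
hostsnds_sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$HOSTS_NDS_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# Print every referral recorded for NAME in FILE, in file order (the first
# entry is the one listed first, e.g. the master replica in the sample).
# Comment and blank lines are skipped; matching is exact and case-sensitive,
# so a partition "CORP." and a server "CORP" would be distinct keys.
hostsnds_lookup() {
    name=$1
    file=$2
    awk -v n="$name" '/^[[:space:]]*#/ || NF < 2 { next } $1 == n { print $2 }' "$file"
}

# Resolve NAME from FILE. Prints the referrals and returns 0 when the table
# has an entry; otherwise reports that SLP would be consulted and returns 1.
resolve_with_fallback() {
    refs=$(hostsnds_lookup "$1" "$2")
    if [ -n "$refs" ]; then
        printf '%s\n' "$refs"
        return 0
    fi
    printf 'no hosts.nds entry for %s; lookup would fall back to SLP\n' "$1" >&2
    return 1
}

# Stand-alone run against the constructed file.
sample=$(hostsnds_sample_file)
printf 'CORP. ->\n';  hostsnds_lookup CORP. "$sample"
printf 'NCPserver2 -> %s\n' "$(hostsnds_lookup NCPserver2 "$sample")"
resolve_with_fallback OTHER. "$sample" || true
rm -f "$sample"
```

Because the file is a plain static table, the same script doubles as a consistency check before installation: every partition and server name the install will need should resolve from the file when SLP is not available on the network.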
Installing eDirectory on Linux
To install eDirectory on Linux,
- Download and extract the tarball (# tar -zxvf eDir_873_linux.tgz).
- Change to the install directory (# cd ./Linux/setup).
- Install the binaries (# ./nds-install).
- Configure an instance of eDirectory (# ndsconfig add -t MyTree -n Novell -a admin.Novell ...)
If you are adding to an existing tree, test it in a lab first. Understand that nds-install does not run ndsconfig. Also, you should run a health-check on the environment after installation. For example, in iMonitor check the Maximum Ring Delta, the Health Options (green lights), and the time synchronization.
Q1. What if the installation fails to find my existing eDirectory environment (tree)?
A1. Check the SLP environment, and check that the daemon is running and configured. If you are using the /etc/hosts.nds file, be sure it is created before the installation. Run ndsconfig with the -p server_address option to specify a server that holds a partition of the tree.
Q2. What if eDirectory fails when getting schema?
A2. Verify whether a firewall is running on one of the eDirectory servers. Many Linux installations default to having a firewall. Also, check: iptables -L
Linux Authentication to eDirectory
Here are some recommendations for authenticating Linux users against eDirectory:
- Use LDAP APIs for cross-platform services that require accessing eDirectory objects and attributes.
- Use PAM-ldap for native Linux applications for Linux authentication and authorization. This is configured by default in OES.
- Use Identity Manager 2 when the applications are not directory-enabled, PAM-enabled or cannot be customized.
Figure 3 - Linux model for eDirectory
- Extend the schema in eDirectory with the rfc2307 schema.
- Create a Group Object in eDirectory that will contain the PAM-enabled users.
- Add a GID value to the gidNumber attribute in the new group.
- Add distinct uidNumber, gidNumber, loginShell and homeDirectory values for each user in eDirectory.
- Configure home directories for each user on the SUSE 9.2 or RedHat 9 workstation and assign appropriate rights so the users can access them.
- Enable PAM authentication on the Linux workstations.
- Configure the pam.conf file on the SUSE 9.2 or RedHat 9 workstation.
- Configure the ldap.conf file on the SUSE 9.2 or RedHat 9 workstation.
- Configure the nsswitch.conf file on the SUSE 9.2 or RedHat 9 workstation.
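The directory side of the steps above (a group carrying a gidNumber, and a uidNumber, gidNumber, loginShell and homeDirectory per user) amounts to a batch of LDIF modify records. The following is an added example, not code from the original article or from Novell: it generates that LDIF from a constructed user list and refuses to emit anything if two users share a uidNumber, then prints the client-side ldap.conf and nsswitch.conf lines the last three steps refer to. It assumes that the rfc2307 extension provides posixAccount and posixGroup as auxiliary classes that can be added to existing User and Group objects, uses the rfc2307 memberUid attribute for group membership, and treats the container o=Novell, the group cn=linuxusers and the host name as placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): build the LDIF that adds
# rfc2307 attributes to an eDirectory group and its users, and print the
# matching client configuration lines. DNs, host name and the user list are
# constructed placeholders; the auxiliary-class behaviour of the rfc2307
# extension is an assumption.

# Constructed user list: login uidNumber homeDirectory loginShell
USERS_SAMPLE='alice 1001 /home/alice /bin/bash
bob 1002 /home/bob /bin/bash'
USER_BASE='o=Novell'                 # placeholder container
GROUP_DN='cn=linuxusers,o=Novell'    # placeholder PAM group
GROUP_GID=1000

# Fail (exit 1, naming the offender) if any uidNumber appears twice;
# duplicate uidNumbers would map two directory users onto one Linux identity.
check_unique_uids() {
    awk 'NF >= 2 { if (seen[$2]++) { print "duplicate uidNumber " $2; exit 1 } }'
}

# LDIF modify record for the group: posixGroup class, gidNumber, and one
# memberUid per login read from stdin.
group_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: posixGroup\n-\n' "$GROUP_DN"
    printf 'add: gidNumber\ngidNumber: %s\n-\nadd: memberUid\n' "$GROUP_GID"
    awk 'NF >= 1 { printf "memberUid: %s\n", $1 }'
    printf '\n'
}

# One LDIF modify record per user on stdin: posixAccount class plus the
# four attributes the steps require, gidNumber pointing at the PAM group.
user_ldif() {
    awk -v base="$USER_BASE" -v gid="$GROUP_GID" 'NF >= 4 {
        printf "dn: cn=%s,%s\nchangetype: modify\n", $1, base
        printf "add: objectClass\nobjectClass: posixAccount\n-\n"
        printf "add: uidNumber\nuidNumber: %s\n-\n", $2
        printf "add: gidNumber\ngidNumber: %s\n-\n", gid
        printf "add: homeDirectory\nhomeDirectory: %s\n-\n", $3
        printf "add: loginShell\nloginShell: %s\n\n", $4
    }'
}

# Whole batch: validate first, then group record, then user records.
make_ldif() {
    printf '%s\n' "$1" | check_unique_uids || return 1
    printf '%s\n' "$1" | group_ldif
    printf '%s\n' "$1" | user_ldif
}

# Client-side settings for pam_ldap/nss_ldap (host and base are placeholders).
client_config_hints() {
    cat <<'EOF'
# /etc/ldap.conf (pam_ldap / nss_ldap)
host ldap.corp.example
base o=Novell
ssl start_tls
pam_password nds
# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF
}

# Stand-alone run: LDIF for the constructed users, then the client hints.
make_ldif "$USERS_SAMPLE"
client_config_hints
```

Apply the generated LDIF with the LDAP tools of your choice (for example ldapmodify over TLS, since it carries account data), then verify on the workstation with getent passwd for one of the users before enabling PAM for logins.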
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com