
Setting Up eDirectory on Linux

Novell Cool Solutions: Feature


Posted: 11 May 2005

Note: This article is adapted from BrainShare presentation TUT280: eDirectory on Linux.

eDirectory on Linux - Model and Specifications

The Linux model for eDirectory is pictured below.

Figure 1 - Linux model for eDirectory

Here are the basic specifications for running eDirectory on Linux:

  • 4 GB of addressable memory for the process. This requires kernel tweaking to get to 4 GB; otherwise, memory is limited to 2.8 GB to 3.6 GB.
  • It runs in user memory space.
  • It works well in multi-processor environments.
  • It can run as root.
  • The eDirectory admin can relocate DIBs or relocate logs.
  • Most utilities are wrappers to libraries.

Components and Configuration

The components for eDirectory on Linux are found in the following locations:

  • Configuration: /etc
  • DIB: /var/nds/dib
  • Logs: /var/nds
  • Libraries: /usr/lib and /usr/lib/nds-modules
  • Binaries: /usr/bin and /usr/sbin

The basic configuration files are listed below.

File                                         Description
/etc/nds.conf                                Primary configuration file for ndsd
/usr/lib/nds-modules/ndsmodules.conf         Configures which modules are loaded on startup and how they are loaded. To troubleshoot, comment them out and load them back in one at a time.
/etc/ndsimon.conf, /etc/ndsimonhealth.conf   Allow customization of iMonitor
/etc/nici.cfg                                Contains the NICI configuration: version, strength, etc.

The Linux OES default ports are described below.

Figure 2 - Linux model for eDirectory

To locate the current httpstk ports, use: ndsconfig get | grep http
To locate the NCP ports, use: ndsconfig get | grep tcp
To locate the LDAP ports, use: ldapconfig get | grep -i port

Managing the ndsd Process

To start ndsd on both Linux and Solaris, use this service script: /etc/rc.d/init.d/ndsd start

To stop ndsd on both Linux and Solaris, use this service script: /etc/rc.d/init.d/ndsd stop

Note: It is recommended not to start and stop ndsd manually. Use the scripts as noted above.

To monitor ndsd, use the following command: # ps -eaxf |grep ndsd

Here is some sample output:

root      5067     1  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5070  5067  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5071  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5072  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5074  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5075  5070  0 00:54 ?        00:00:01 /usr/sbin/ndsd

These threads are lightweight processes (LWPs), which reduce context-switching overhead. You will see them as multiple ndsd processes running on the same machine. You can use pstree to view them as a tree (for example, pstree `cat /var/nds/`). Use top to make sure that ndsd is not hogging system resources.
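As an added example (not from the original article), here is a small shell helper that parses a ps -eaxf listing like the one above (embedded as a constructed sample) and reports how many independent ndsd process trees exist and how many LWPs each has; more than one top-level ndsd after a stop/start is the condition worth spotting before trusting the server.

```shell
#!/bin/sh
# Added example (not from the article): summarise a "ps -eaxf | grep ndsd"
# listing. Fields as printed above: USER PID PPID C STIME TTY TIME CMD.
# The sample is constructed from the article's output.
NDSD_PS_SAMPLE='root      5067     1  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5070  5067  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5071  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5072  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5074  5070  0 00:54 ?        00:00:00 /usr/sbin/ndsd
root      5075  5070  0 00:54 ?        00:00:01 /usr/sbin/ndsd'

# ndsd_roots: PIDs of ndsd processes whose parent is not itself ndsd, i.e.
# separate daemon instances. Matching ".../ndsd" at the end of the line
# skips the "grep ndsd" line that a live listing contains. Reads stdin.
ndsd_roots() {
    awk '$NF ~ /\/ndsd$/ { pid[$2] = 1; ppid[$2] = $3 }
         END { for (p in pid) if (!(ppid[p] in pid)) print p }' | sort -n
}

# ndsd_lwp_count ROOT_PID: number of ndsd entries descending from ROOT_PID
# (its LWPs). Reads stdin.
ndsd_lwp_count() {
    awk -v root="$1" '
        $NF ~ /\/ndsd$/ { ppid[$2] = $3 }
        END {
            n = 0
            for (p in ppid) {
                q = p
                while (q in ppid) {
                    q = ppid[q]
                    if (q == root) { n++; break }
                }
            }
            print n
        }'
}

# ndsd_instance_count: how many independent ndsd trees are running; anything
# other than 1 after a stop/start deserves a look before using the server.
ndsd_instance_count() { ndsd_roots | wc -l | tr -d ' '; }

# Stand-alone run on the sample (on a live server: ps -eaxf | ndsd_roots).
for r in $(printf '%s\n' "$NDSD_PS_SAMPLE" | ndsd_roots); do
    lwps=$(printf '%s\n' "$NDSD_PS_SAMPLE" | ndsd_lwp_count "$r")
    echo "ndsd instance $r has $lwps LWPs"
done
```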

Installation Considerations

Here are some issues to consider before installing eDirectory on Linux. For more details, consult the eDirectory for Linux documentation.

  • Memory - 128 to 256 MB minimum; 2 GB just for eDirectory usually works best.
  • Disk space (for DIBs, libraries, binaries and logs) - about 300 MB for a full installation, plus approximately 74 MB for every 50,000 objects.
  • CPU speed - 200 MHz minimum (Intel only for Linux); 400 MHz or greater is recommended.
  • File system types - the file system must be on a local bus. eDirectory is not supported on an NFS mount, as DIB corruption can occur. Various file systems are supported, such as ReiserFS, ext2 and ext3. SANs are supported through a local bus.
  • Platforms - eDirectory is built only for the x86 architecture. Other platforms (IBM Series 390, PowerPC, etc.) will not work.

Time Synchronization

It's important that time is synchronized on the system. If you're using NTP, run ntpdate <time_source> (when ntpd is not running). You can use the ntpq -p command to test the NTP configuration.

You also need to configure the /etc/ntp.conf file. The syntax used is:

Server 127.127.Xtype.0 prefer
Fudge 127.127.Xtype.0 stratum 0

Use a Server line for the local hardware clock, or a Server line giving the IP address of the remote NTP time source. NTP uses port 123 for tcp/udp.

Communications using SLP and hosts.nds

You can use the existing SLP on your system, or the process can install Novell SLP. OpenSLP uses TCP, while Novell SLP uses UDP. The configuration is done in /etc/slp.conf, and port 427 is used for tcp/udp.

Avoid placing switches between hosts if the routers will not route to hosts. This is known as the "smart switch /stupid router" problem. See the specific switch documentation for details.

The hosts file (/etc/hosts.nds) is used to resolve tree names to server referrals. It is a static lookup table used by eDirectory applications to look up eDirectory partitions and servers. If a tree or server is not listed in the file, the lookup is performed through SLP. This can be used to avoid SLP multicast delays when no SLP Directory Agent (DA) is present in the network.

Here is a sample /etc/hosts.nds file:

## Master of tree partition  
Partition ----------- Server DNS or IP
## R/W of tree partition  

## Master of novell partition  
## R/W of tree partition  

## Server name --------- Internet address

Installing eDirectory on Linux

To install eDirectory on Linux,

  1. Download and extract the tarball (# tar -zxvf eDir_873_linux.tgz).
  2. Change to the install directory (# cd ./Linux/setup).
  3. Install the binaries (# ./nds-install).
  4. Configure an instance of eDirectory (# ndsconfig add -t MyTree -n Novell -a admin.Novell ...)

If you are adding to an existing tree, test it in a lab first. Understand that nds-install does not run ndsconfig. Also, you should run a health-check on the environment after installation. For example, in iMonitor check the Maximum Ring Delta, the Health Options (green lights), and the time synchronization.

Installation FAQs

Q1. What if the installation fails to find my existing eDirectory environment (tree)?

A1. Check the SLP environment: make sure the daemon is running and configured. If you are using the /etc/hosts.nds file, be sure it is created before the installation. Run ndsconfig with -p server_address to specify a server that holds a partition of the tree.

Q2. What if eDirectory fails when getting schema?

A2. Verify whether a firewall is running on one of the eDirectory servers. Many Linux installations default to having a firewall. Also, check: iptables -L

Linux Authentication to eDirectory

Here are some recommendations for authenticating Linux users against eDirectory:

  • Use LDAP APIs for cross-platform services that require accessing eDirectory objects and attributes.
  • Use PAM-ldap for native Linux applications that need Linux authentication and authorization. This is configured by default in OES.
  • Use Identity Manager 2 when the applications are not directory-enabled, PAM-enabled or cannot be customized.

Figure 3 - Linux model for eDirectory

Authentication Procedure

  1. Extend the schema in eDirectory with the rfc2307 schema.
  2. Create a Group Object in eDirectory that will contain the PAM-enabled users.
  3. Add a GID value to the gidNumber attribute in the new group.
  4. Add distinctive uidNumber, gidNumber, loginShell and homeDirectory values for each user in eDirectory.
  5. Configure home directories for each user on the SUSE 9.2 or RedHat 9 workstation and assign appropriate rights so the users can access them.
  6. Enable PAM authentication on the Linux workstations.
  7. Configure the pam.conf file on the SUSE 9.2 or RedHat 9 workstation.
  8. Configure the ldap.conf file on the SUSE 9.2 or RedHat 9 workstation.
  9. Configure the nsswitch.conf file on the SUSE 9.2 or RedHat 9 workstation.
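As an added example (not from the original article), here is a shell pre-flight check for steps 3 and 4 above: it reads LDIF (for instance ldapsearch output) and reports any posixAccount missing uidNumber, gidNumber, loginShell or homeDirectory, duplicate uidNumbers, and gidNumbers that match no posixGroup, all of which cause PAM-ldap logins to fail or land in the wrong group. The sample LDIF is constructed; the container o=Novell, the group cn=linuxusers and the users alice and bob are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check of the rfc2307
# attributes steps 3 and 4 require. The sample LDIF is constructed; o=Novell,
# cn=linuxusers, alice and bob are assumed names.
SAMPLE_LDIF='dn: cn=linuxusers,o=Novell
objectClass: posixGroup
gidNumber: 1000

dn: cn=alice,o=Novell
objectClass: posixAccount
uidNumber: 1001
gidNumber: 1000
loginShell: /bin/bash
homeDirectory: /home/alice

dn: cn=bob,o=Novell
objectClass: posixAccount
uidNumber: 1002
gidNumber: 2000
homeDirectory: /home/bob'

# rfc2307_check: read LDIF on stdin and print one problem per line (nothing
# when every posixAccount carries uidNumber, gidNumber, loginShell and
# homeDirectory, uidNumbers are unique, and each gidNumber names a posixGroup).
rfc2307_check() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^objectClass: posixGroup$/   { isgroup[dn] = 1 }
        /^objectClass: posixAccount$/ { isuser[dn] = 1 }
        /^(uidNumber|gidNumber|loginShell|homeDirectory): / {
            split($0, kv, ": "); attr[dn, kv[1]] = kv[2]
        }
        END {
            split("uidNumber gidNumber loginShell homeDirectory", need, " ")
            for (g in isgroup) gid[attr[g, "gidNumber"]] = g
            for (u in isuser) {
                for (i in need) if (!((u, need[i]) in attr)) print u ": missing " need[i]
                uid = attr[u, "uidNumber"]
                if (uid != "" && uid in seen) print u ": uidNumber " uid " duplicates " seen[uid]
                else if (uid != "") seen[uid] = u
                g = attr[u, "gidNumber"]
                if (g != "" && !(g in gid)) print u ": gidNumber " g " matches no posixGroup"
            }
        }'
}

# rfc2307_problem_count: number of problems; 0 means the users are ready for PAM-ldap.
rfc2307_problem_count() { rfc2307_check | awk 'END { print NR }'; }

printf '%s\n' "$SAMPLE_LDIF" | rfc2307_check
```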
