Novell eDirectory 8.7.1 for HP-UX
October 28, 2003

Table of Contents

1.0 Getting Started
  1.1 What is Novell eDirectory?
  1.2 eDirectory Utilities
  1.3 iManager
2.0 Installation
  2.1 Prerequisites
  2.2 OpenSLP for HP-UX
  2.3 Installing eDirectory
  2.4 Configuring eDirectory
  2.5 Installing/Uninstalling iManager
  2.6 Installing eDirectory 8.7.1 With More Than One Network Card Enabled
  2.7 Uninstalling eDirectory
3.0 Known Issues
  3.1 Bulkloading to eDirectory
  3.2 During Installation, gettext Displays Errors if libiconv is Not Present in the Default Location
  3.3 OpenSLP on HP-UX Does Not Interoperate with Novell SLP
  3.4 While Adding a Secondary Server to a Tree with HP-UX as the Master Server, SLP for Service Location Fails
  3.5 Using Non-English Characters in Passwords
  3.6 NMAS Issues
  3.7 Error While Starting ndsd with Locale Other Than English
  3.8 SNMP Issues
4.0 Documentation
  4.1 eDirectory 8.7.1 Administration Guide
  4.2 Additional Readme Information
5.0 Legal Notices

1.0 Getting Started

1.1 What is Novell eDirectory?

Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms and is Internet-scalable and extensible.

For more information on eDirectory and its concepts, refer to Chapter 2, "Understanding Novell eDirectory," in the Novell eDirectory 8.7.1 Administration Guide at http://www.novell.com/documentation/lg/edir871/index.html.

1.2 eDirectory Utilities

- nds-install: Installs eDirectory. This utility installs the depots comprising the eDirectory components on your system.
- ndsconfig: Configures eDirectory. With this utility you can configure a new tree, upgrade your existing tree, add a server to your existing tree, or remove a tree.
- ndsbackup: Creates a backup of the eDirectory tree or restores one.
  You can back up or restore specific objects, the full tree, or part of the tree.
- ndsmerge: Combines two eDirectory trees. You can also use this utility to rename a tree.
- ndstrace: Displays messages giving an internal view of eDirectory activity and traces eDirectory events.
- ndsrepair: Repairs and corrects problems with the eDirectory database, such as records, schema, bindery objects, and external references.
- ndssch: Extends your eDirectory schema.
- ICE (Import Convert Export Utility): Imports data into and exports data from LDAP directories. It also converts files from one format to another.
- ndsimonitor: Monitors your servers from any location on your network where a supported Web browser is available.
- eMBox Client: Lets you access all of the eDirectory back-end utilities remotely as well as on the server. You access the eDirectory Management Toolbox (eMBox) through its Java command line client.
- nmasinst: Installs NMAS and configures NMAS methods.

1.3 iManager

iManager is a Web-based management tool that uses Roles to delegate eDirectory administration, management, and services tasks. Novell iManager consists of two pieces, the Novell eDirectory Management Framework (eMFrame) and the Novell eDirectory Management Toolbox (eMBox). iManager lets you manage IP printers, DNS and DHCP servers, and server licenses, as well as create users, groups, or organizational units. It is a flexible, lightweight browser-based tool for quick management tasks that require access to eDirectory.

2.0 Installation

2.1 Prerequisites

2.1.1 Hardware Requirements

- PA-RISC 2.0 processor
- HP-UX 11i operating system
- 256 MB RAM minimum
- 300 MB hard disk space

2.1.2 Software Requirements

- Ensure that the OS is updated with patch PHSS_26560. Download and install it from http://www.itrc.hp.com > maintenance and support for hp products.
  Note: If you have installed patch PHSS_28436, we recommend that you uninstall it and then install patch PHSS_26560.
- Ensure that the HP-UX 11i Quality Pack (GOLDQPK11i) is installed. Download and install it from http://www.software.hp.com/SUPPORT_PLUS/qpk.html#N0.110.
- Ensure that gettext is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Gnu/.
- Ensure that libiconv is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Development/Libraries/.

Kernel Prerequisites for Scaling eDirectory

Change the following kernel parameters before performing memory-intensive operations:

1. maxdsiz and maxdsiz_64: 4 GB, or the maximum value the system allows
2. maxssiz: a minimum of 256 MB
3. max_thread_proc: a minimum of 64
4. maxusers: a minimum of 256 (if your eDirectory server will handle multiple client connections simultaneously)

To set these kernel parameters:

1. Run sam from the command line.
2. Select Kernel Configuration > Configurable Parameters > Kernel Tunable.
3. Select Actions > Modify Configurable Parameter. Type the new value in Formula/Value, then click OK.
4. Select Actions > Process New Kernel.
5. Reboot the system when prompted.

2.2 OpenSLP for HP-UX

You can use OpenSLP for dynamic tree lookup. If OpenSLP is not installed on your machine, you can locate a tree across the network with the static file /etc/hosts.nds instead. Entries in /etc/hosts.nds are of the following format: .TREE_NAME. For more information on hosts.nds, refer to the hosts.nds man page.
For more information on OpenSLP on HP-UX, refer to the following URL: http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5969-4323/5969-4323_top.html&con=/hpux/onlinedocs/5969-4323/00/00/4-con.html&toc=/hpux/onlinedocs/5969-4323/00/00/4-toc.html&searchterms=SLP&queryid=20030626-225812

2.2.1 Installing OpenSLP

Download and install OpenSLP for HP-UX from http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXSLP.

2.2.2 Configuring OpenSLP

1. The SLP daemon can be configured to function either as a Directory Agent (DA) or as a Service Agent (SA). In either case, make the following changes in the SLP configuration file, /etc/slp.conf, before starting the SLP daemon:
   - When configuring the SLP daemon as a DA, uncomment the following lines:
       net.slp.DAAddresses =
       net.slp.isDA = true
   - When configuring the SLP daemon as a Service Agent, uncomment the following line:
       net.slp.isDA = false
   - When a DA is already configured on the network, uncomment the following line (it holds the list of DA addresses):
       net.slp.DAAddresses =
2. If no DA is configured, ensure that the system is configured for multicast routing. To check whether the host has a multicast route, enter:
       /usr/bin/netstat -nr
   and ensure that the routing table contains an entry for 224.0.0.0. If it does not, log in as root and add one:
       route add 224.0.0.0
3. On the other eDirectory servers in the replica ring that run Solaris, Linux, or AIX and also have Native SLP installed, make sure eDirectory uses OpenSLP by exporting NDS_SLP_VERSION with the value 2:
       export NDS_SLP_VERSION=2
4. Restart the SLP daemon:
       /usr/bin/slpdc restart

2.3 Installing eDirectory

If you are installing eDirectory from the CD, run the nds-install command in the setup directory:

  ./nds-install

If you download Novell eDirectory 8.7.1 from http://download.novell.com, use gunzip to convert the downloaded file to a tar file, then use tar xvf to extract the eDirectory installation and uninstallation scripts.

While installing eDirectory, you are prompted for the path of the license file. You can download this license file from http://www.novell.com/products/edirectory/customer_license.htm.

For more information on installing eDirectory, refer to Chapter 1, "Installing and Upgrading Novell eDirectory," in the eDirectory 8.7.1 Administration Guide.

2.4 Configuring eDirectory

Use the ndsconfig utility to configure a new eDirectory tree or to add a replica server to an existing tree.

Creating a New Tree

Enter the following syntax to create a new tree:

  ndsconfig new -t -n -a [-i] [-S ] [-d ] [-m ] [-e] [-L ] [-l ] [-o ] [-O ]

For example, to create a new tree with the name corp-tree, you could enter:

  ndsconfig new -t corp-tree -n o=org -a cn=admin.o=org

Note: If OpenSLP is not installed on your system, use the -i option to disable the use of SLP to broadcast the creation of the new tree.
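If OpenSLP is installed and you intend to let ndsconfig register the tree over SLP, the kernel tunables from 2.1 and the slp.conf edits and multicast-route check from 2.2.2 can be verified before the install. The script below is an added example for this readme, not part of the Novell readme or the eDirectory distribution. It assumes the current tunable values have been dumped to a file of "name value" lines (the dump command, for instance kmtune on HP-UX 11i v1, is an assumption), that /etc/slp.conf uses OpenSLP's ';' comment prefix, and that the routing table is the text printed by /usr/bin/netstat -nr. The slp.conf excerpt, tunable snapshot and netstat output it runs against are constructed samples.

```shell
#!/bin/sh
# Added pre-flight example (not from the Novell readme or the eDirectory
# distribution) for the 2.1 kernel tunables and the 2.2.2 OpenSLP settings.
# Assumptions: tunable values arrive as "name value" lines (dump them with
# the kernel tunable tool of your HP-UX release, e.g. kmtune on 11i v1);
# /etc/slp.conf uses OpenSLP's ';' comment prefix; the routing table is the
# text printed by /usr/bin/netstat -nr. All inputs below are constructed.

# Minimums from 2.1, in bytes for the size parameters.
MIN_maxdsiz=4294967296          # 4 GB
MIN_maxdsiz_64=4294967296       # 4 GB
MIN_maxssiz=268435456           # 256 MB
MIN_max_thread_proc=64
MIN_maxusers=256

# check_tunables FILE: report every tunable missing from FILE or below its
# minimum; values may be decimal or 0x-prefixed hex. Returns 1 on any problem.
check_tunables() {
    rc=0
    for name in maxdsiz maxdsiz_64 maxssiz max_thread_proc maxusers; do
        eval "min=\$MIN_$name"
        value=$(awk -v n="$name" '$1 == n { print $2; exit }' "$1")
        if [ -z "$value" ]; then
            echo "$name: not present in $1"; rc=1; continue
        fi
        if [ "$(( $value ))" -lt "$min" ]; then
            echo "$name=$value is below the minimum of $min"; rc=1
        fi
    done
    return $rc
}

# configure_slp FILE MODE [DA_ADDR]: apply the 2.2.2 edits to FILE (a copy of
# /etc/slp.conf). MODE is "da" (this host is a Directory Agent) or "sa"
# (Service Agent). DA_ADDR, when given, is the DA list for net.slp.DAAddresses.
# Every ;-commented or previously written copy of the two keys is removed
# first, so each key ends up active exactly once and reruns are safe.
configure_slp() {
    file=$1; mode=$2; da=$3
    case $mode in
        da) isda=true ;;
        sa) isda=false ;;
        *)  echo "mode must be da or sa" >&2; return 2 ;;
    esac
    grep -v -E '^[;#]?[[:space:]]*net\.slp\.(isDA|DAAddresses)[[:space:]]*=' \
        "$file" > "$file.tmp" || :
    echo "net.slp.isDA = $isda" >> "$file.tmp"
    if [ -n "$da" ]; then
        echo "net.slp.DAAddresses = $da" >> "$file.tmp"
    elif [ "$mode" = da ]; then
        echo "net.slp.DAAddresses =" >> "$file.tmp"   # 2.2.2 uncomments it on a DA
    fi
    mv "$file.tmp" "$file"
}

# slp_setting FILE KEY: print the active (uncommented) value of KEY.
slp_setting() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3 }' "$1"
}

# has_multicast_route FILE: FILE holds "netstat -nr" output; succeed when a
# 224.0.0.0 destination is present (required when no DA is configured).
has_multicast_route() {
    awk '$1 ~ /^224\.0\.0\.0/ { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# write_sample_inputs DIR: constructed inputs for a stand-alone run.
write_sample_inputs() {
    printf '%s\n' 'maxdsiz 0x100000000' 'maxdsiz_64 0x100000000' \
        'maxssiz 0x8000000' 'max_thread_proc 256' 'maxusers 256' > "$1/tunables.bad"
    sed 's/^maxssiz .*/maxssiz 0x10000000/' "$1/tunables.bad" > "$1/tunables.good"
    printf '%s\n' '; constructed excerpt of an OpenSLP slp.conf' \
        ';net.slp.isDA = true' ';net.slp.DAAddresses = myDa1,myDa2,myDa3' \
        ';net.slp.useScopes = DEFAULT' > "$1/slp.conf"
    printf '%s\n' 'Routing tables' \
        'Destination   Gateway    Flags Refs Interface Pmtu' \
        '127.0.0.1     127.0.0.1  UH    0    lo0       4136' \
        '10.0.0.0      10.0.0.7   U     2    lan0      1500' \
        '224.0.0.0     10.0.0.7   U     0    lan0      1500' > "$1/netstat.with"
    grep -v '^224' "$1/netstat.with" > "$1/netstat.without"
}

# Stand-alone run over the constructed inputs.
preflight_demo() {
    d=$(mktemp -d)
    write_sample_inputs "$d"
    check_tunables "$d/tunables.bad" || echo "tunables.bad: fix before installing"
    check_tunables "$d/tunables.good" && echo "tunables.good: ok"
    configure_slp "$d/slp.conf" sa 10.0.0.5
    echo "isDA=$(slp_setting "$d/slp.conf" net.slp.isDA)" \
         "DA=$(slp_setting "$d/slp.conf" net.slp.DAAddresses)"
    has_multicast_route "$d/netstat.without" || echo "no 224.0.0.0 route: add one or configure a DA"
    rm -rf "$d"
}
preflight_demo
```

SLPv2 multicast discovery carries no authentication by default, so any host on the segment can answer as a DA or advertise a service; where the topology allows, point net.slp.DAAddresses at known DAs (or use the static hosts.nds file from 2.2) rather than relying on open multicast discovery, and use the -i option in 2.4 when SLP is not wanted at all.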
For example, to create a new tree with the name corp-tree without using SLP, you could enter:

  ndsconfig new -t corp-tree -n o=org -a cn=admin.o=org -i

Adding a Server to an Existing Tree

Enter the following syntax to add a server to an existing tree:

  ndsconfig add -t -n -a [-e] [-L ] [-l ] [-o ] [-O ] [-S ] [-d ] [-p ] [-m ]

For example, to add a server to an existing tree, you could enter:

  ndsconfig add -t corp-tree -n o=org -a cn=admin.o=org

2.5 Installing/Uninstalling iManager

For information on installing and uninstalling iManager, refer to the iManager Administration Guide at http://www.novell.com/documentation/lg/imanager20/.

2.6 Installing eDirectory 8.7.1 With More Than One Network Card Enabled

Installing eDirectory 8.7.1 on an HP-UX machine with more than one network card enabled causes an LDAP SSL error during the initial configuration. There are two workarounds:

1. Have only one NIC enabled when performing the initial install with ndsconfig.
2. If more than one NIC is enabled when running ndsconfig and you receive the following error:

     "Unable to configure LDAP Server with default SSL CertificateDNS certificate. Use ConsoleOne/ldapconfig to associate SSL CertificateDNS certificate with LDAP Server."

   run ldapconfig afterwards to associate the certificate with the LDAP server. For example:

     ldapconfig -t TREENAME -p hostname:port -w passwd -a admin.org -s "LDAP:keyMaterialName= SSL CertificateDNS"

   Note that -w passes the admin password on the command line, where it is visible to other local users in ps output and is recorded in the shell history. Run the command from a root shell with history disabled, and do not leave the password in scripts.

2.7 Uninstalling eDirectory

To uninstall eDirectory, first deconfigure the tree setup on the server.

2.7.1 Deconfiguring eDirectory

To deconfigure eDirectory from the system, enter:

  ndsconfig rm -a

For example:

  ndsconfig rm -a cn=admin.o=org

2.7.2 Uninstalling eDirectory

Do the following to uninstall eDirectory from the system:

1. Enter the following command:
     nds-uninstall
2. Select the eDirectory components that you want to uninstall from the list that is displayed.

Note: The nds-uninstall command does not uninstall the Novell security component NOVLniu0.depot from the system, because other products might be using it. You can remove the depot manually.

3.0 Known Issues

3.1 Bulkloading to eDirectory

Bulkloading objects into an eDirectory server through ICE may produce LBURP timeout errors. You can avoid this by setting the eDirectory cache tunable parameters maxdirtycache and lowdirtycache. More information on these settings is available in the eDirectory 8.7.1 Tuning Guide at http://www.novell.com/products/edirectory/whitepapers.html.

3.2 During Installation, gettext Displays Errors if libiconv is Not Present in the Default Location

During installation, eDirectory looks for libiconv in the default /usr/local/lib directory. If libiconv is not present there, gettext does not work. To resolve this, copy libiconv.sl to /usr/local/lib and proceed with the installation.

3.3 OpenSLP on HP-UX Does Not Interoperate with Novell SLP

OpenSLP on HP-UX does not interoperate with Novell SLP (version 1) on eDirectory servers on Windows, NetWare, Linux, Solaris, and AIX. For eDirectory on HP-UX to interoperate with eDirectory on other platforms, those platforms need the following setup:

- Windows and NetWare: NDSslp
- Linux: OpenSLP
- Solaris: Native SLP
- AIX: hosts.nds

3.4 While Adding a Secondary Server to a Tree with HP-UX as the Master Server, SLP for Service Location Fails

When you configure a tree with HP-UX as the master server and then try to add a secondary server to it, SLP-based service location fails. Use the static file hosts.nds instead of SLP for service location in this case.
3.5 Using Non-English Characters in Passwords

Before entering a password that contains non-English characters, enter the following command so that the terminal passes 8-bit characters through without stripping the high bit:

  stty cs8 -istrip

3.6 NMAS Issues

3.6.1 Adding an HP-UX eDirectory Server to a non-HP-UX Tree

If you add an HP-UX eDirectory server to an eDirectory 8.7.1 tree, you must use nmasinst to configure the HP-UX eDirectory server for NMAS and to update any login methods installed with non-HP-UX eDirectory 8.7.1. See Chapter 1, "Installing and Upgrading Novell eDirectory," in the eDirectory 8.7.1 Administration Guide for information on how to install and configure NMAS using the nmasinst utility.

3.6.2 Error While Using NMAS ConsoleOne Snap-ins to Install a Login Method

When using the NMAS ConsoleOne snap-ins to install a login method into eDirectory running on a UNIX server, you might encounter the error, "Unknown meaning for error number -1; Please call a Novell support provider. Unable to create the object due to the above error." To resolve this, do the following:

1. Delete the object created when the error occurred. This object is incomplete.
2. Do one of the following:
   - Install the method by running ConsoleOne from a workstation that is using Novell Client version 4.83 (SP1).
   - Install the method from the server console using the nmasinst utility.

3.6.3 eDirectory Utilities Do Not Work with NMAS Simple Passwords

eDirectory utilities such as ndsbackup, ndsrepair, and ndsmerge authenticate with the NDS password only; they do not work with NMAS Simple Passwords. The account you run them as must therefore have an NDS password, not only a Simple Password.

3.7 Error While Starting ndsd with Locale Other Than English

Starting the ndsd service with a locale other than English displays the error "Could not load Unicode tables." To bring up an eDirectory server in a non-English locale, add /usr/local/lib to the shared library search path before starting ndsd:

  export SHLIB_PATH=/usr/local/lib:$SHLIB_PATH

3.8 SNMP Issues

3.8.1 Multiple Trap Issue

For each trap generated, the previously generated trap is sent again as well.
For example, if you have generated trap 50 and later generate trap 43, you receive trap 50 again along with trap 43. This problem is observed only on low-end servers (with a hardware configuration of 1 CPU, 256 MB RAM, 400 MHz); traps work as expected on high-end servers (with a hardware configuration of 2 CPUs, 1 GB RAM, 650 MHz).

3.8.2 Extra VarBind Issue

Two extra varbinds are added to each trap generated, along with the list of eDirectory-specific trap variables. These two varbinds are sysUpTime.0 and trapOID.0 (snmpTrapOID.0). They are the two variable bindings that every SNMPv2 trap PDU carries, so a standards-conforming trap receiver expects them; you can ignore them when reading the eDirectory-specific variables.

4.0 Documentation

4.1 eDirectory 8.7.1 Administration Guide

The Novell eDirectory 8.7.1 Administration Guide is located in the following directory on the Novell eDirectory 8.7.1 for HP-UX CD:

  /documentation/english/edir871/edir871.pdf

For the latest copy of the Novell eDirectory 8.7.1 Administration Guide, see http://www.novell.com/documentation/lg/edir871/index.html.

4.2 Additional Readme Information

For information on additional eDirectory issues for this release, refer to Solution #10073723, "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.

Novell, NetWare, ConsoleOne, and Novell Directory Services and NDS are registered trademarks of Novell, Inc. in the United States and other countries. eDirectory is a trademark of Novell, Inc. All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Refer to /documentation/english/license/license.txt on the eDirectory CD for additional information and license terms.