The following sections provide information about installing Novell eDirectory on AIX:
Section 3.6.3, Using the nds-install Utility to Install eDirectory Components
Section 3.6.5, Using the Ndsconfig Utility to Add or Remove the eDirectory Replica Server
Section 3.6.6, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
Section 3.6.7, Using Ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers
With eDirectory 8.8, when you upgrade or install eDirectory, two server health checks are conducted by default to ensure that the server is safe for the upgrade.
Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:
If all the health checks are successful, the upgrade will continue.
If there are minor errors, the upgrade will prompt you to continue or exit.
If there are critical errors, the upgrade will exit.
See Section B.0, eDirectory Health Checks for a list of minor and critical error conditions.
To skip server health checks, use nds-install -j or ndsconfig upgrade -j.
For more information, see Section B.0, eDirectory Health Checks.
In earlier releases of eDirectory, SLP was installed during the eDirectory install. But with eDirectory 8.8, you need to separately install SLP before proceeding with the eDirectory install.
If you plan to use SLP to resolve tree names, it should have been properly configured and SLP DAs should be stable.
Install SLP using the following command:
installp -acgXd absolute_path_of_NDSslp_fileset NDS.NDSslp
The SLP fileset is present in the setup directory in the build. For example, if you have the build in the /home/build directory, enter the following command:
installp -acgXd /home/build/Aix/Aix/setup/NDS.NDSslp
Follow the onscreen instructions to complete the SLP installation.
Start SLP.
If you don't want to (or cannot) use SLP, you can use the flat file hosts.nds to resolve tree names to server referrals. The hosts.nds file can be used to avoid SLP multicast delays when an SLP DA is not present in the network.
hosts.nds is a static lookup table used by eDirectory applications to search for eDirectory partitions and servers. The hosts.nds file should be created in /etc/opt/novell/eDirectory/conf/hosts.nds or <custom_location>/etc/opt/novell/eDirectory/conf/hosts.nds. For more information on hosts.nds, refer to Using SLP with eDirectory and the hosts.nds manpage.
If you use SLP to resolve tree names, you can check whether the eDirectory tree is advertised. After eDirectory and SLP are installed, enter the following:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==[treename or *])/"
For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==SAMPLE_TREE)/"
If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:
service:ndap.novell:///SAMPLE_TREE
If you do not have a service registered with its svcname-ws attribute as SAMPLE_TREE, there will be no output.
For more information, see Section C.0, Configuring OpenSLP for eDirectory.
Use the nds-install utility to install eDirectory components on AIX systems. This utility is located in the Setup directory on the CD for the AIX platform. The utility adds the required packages based on what components you choose to install.
Enter the following command from the setup directory:
./nds-install
To install eDirectory components, use the following syntax:
nds-install [-h] [-i] [-j] [-u]
If you do not provide the required parameters in the command line, the nds-install utility will prompt you for the parameters.
The following table provides a description of the nds-install utility parameters:
| nds-install Parameter | Description |
|---|---|
| -h | Displays help for nds-install. |
| -i | Prevents the nds-install script from invoking ndsconfig upgrade if a DIB is detected at the time of the upgrade. |
| -j | Jumps or overrides the health check option before installing eDirectory. For more information about health checks, refer to Section B.0, eDirectory Health Checks. |
| -m | Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed. |
| -u | Specifies the option to use an unattended install mode. |
The installation program installs the following depots:
| eDirectory Component | Packages Installed | Description |
|---|---|---|
| eDirectory Server | NDSbase NDScommon NDSmasv NDSserv NDSimon NDSrepair NDSdexvnt NOVLsubag NOVLsnmp NOVLpkit NOVLpkis NOVLpkia NOVLembox NOVLlmgnt NOVLxis NLDAPsdk NLDAPbase NOVLsas NOVLntls NOVLnmas NOVLldif2dib NOVLncp | The eDirectory replica server is installed on the specified server. |
| Administration Utilities | NOVLice NDSbase NLDAPbase NLDAPsdk NOVLpkia NOVLxis NOVLlmgnt | The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation. |
If you are prompted, enter the complete path to the license file.
You will be prompted to enter the complete path to the license file only if the installation program cannot locate the file in the default location (/var, the mounted license diskette, or the current directory).
If the path you entered is not valid, you will be prompted to enter the correct path.
You can use the ndsconfig utility to configure eDirectory Server after installation.
Novell Modular Authentication Service (NMAS) is installed as part of the server component. By default ndsconfig configures NMAS. You can also use the nmasinst utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.
For more information on the ndsconfig utility, see The ndsconfig Utility.
For more information on the nmasinst utility, see Using the Nmasinst Utility to Configure NMAS.
After the installation is complete, you need to update the following environment variables and export them as follows:
Manually export the environment variables
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
Use the ndspath script to export the environment variables
If you do not want to export the paths manually, you can use the /opt/novell/eDirectory/bin/ndspath script as follows:
Prefix the ndspath script to the utility and run the utility you want as follows:
/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters
Export the paths in the current shell as follows:
. /opt/novell/eDirectory/bin/ndspath
After entering the above command, run the utilities as you would normally do.
Call the script from your profile, bashrc, or similar scripts so that whenever you log in or open a new shell, you can start using the utilities directly.
A nonroot user can install eDirectory 8.8 using the tarball.
Ensure that NICI is installed.
For information on installing NICI, refer to Installing NICI.
If you want to use SLP and SNMP, ensure that they are installed by the root user.
Ensure that you have write rights to the directory where you want to install eDirectory.
If you are a nonadministrator user, ensure that you have the appropriate rights as mentioned in Section 3.2, Prerequisites.
NICI should be installed before you proceed with the eDirectory installation. Both root and nonroot users can install NICI, though the procedure to do so is different.
To install NICI, complete the following procedure:
Enter the following command:
installp -acgXd absolute_path_of_the_NICI_fileset NOVLniu0
For example:
installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0
Execute the following script:
/var/opt/novell/nici/set_server_mode
Nonroot users can make use of the sudo utility to install NICI. Sudo (superuser do) allows a root user to give certain users the ability to run some commands as root. A root user can do this by editing the /etc/sudoers configuration file and adding appropriate entries in it.
For more information, refer to the sudo Website.
WARNING: sudo enables you to give limited root permissions to nonroot users. Therefore, you must understand the security implications before proceeding.
A root user needs to complete the following procedure to enable a nonroot user (for example, john) to install NICI:
Log in as root.
Edit the /etc/sudoers configuration file using the visudo command.
NOTE: There is no space between vi and sudo in the command.
Make an entry with the following information:
Username hostname=(root) NOPASSWD: /usr/sbin/installp
For example, to enable john to run /usr/sbin/installp as root on the hostname aix-2, type the following:
john aix-2=(root) NOPASSWD: /usr/sbin/installp
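One way for root to confirm that the new rule is as narrow as intended, as an added example that is not part of the Novell documentation: the script lists every NOPASSWD rule and marks any rule other than the john, aix-2, installp entry above for review. The sample sudoers text is constructed, the function names are hypothetical, and the parser assumes one simple rule per line with no aliases or continuations.

```sh
#!/bin/sh
# Added example, not Novell code. Audits sudoers text for NOPASSWD rules.
# Assumes one "user host=(runas) NOPASSWD: command" rule per line,
# with no aliases, line continuations or include directives.

# Constructed sample; not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
john aix-2=(root) NOPASSWD: /usr/sbin/installp
mary ALL=(ALL) NOPASSWD: ALL
%staff aix-2=(root) /usr/bin/lslpp
EOF
}

# Read sudoers text on stdin; print "user|host|runas|command" per NOPASSWD rule.
nopasswd_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /NOPASSWD:/ {
        split($2, hr, "=")                 # $2 looks like host=(runas)
        runas = hr[2]
        gsub(/[()]/, "", runas)
        cmd = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmd)
        print $1 "|" hr[1] "|" runas "|" cmd
    }'
}

# Mark each NOPASSWD rule as "expected" (exact user, host, root, installp)
# or "review" (any other rule that skips the password prompt).
audit_nopasswd() {   # usage: audit_nopasswd user host < sudoers_file
    nopasswd_rules | awk -F'|' -v u="$1" -v h="$2" '
    $1 == u && $2 == h && $3 == "root" && $4 == "/usr/sbin/installp" {
        print "expected: " $0; next
    }
    { print "review:   " $0 }'
}

# Run the audit over the constructed sample.
sample_sudoers | audit_nopasswd john aix-2
```

On a live system, `visudo -c` checks the file's syntax and `sudo -l -U john` lists what john is allowed to run.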
A nonroot user (john in the example) needs to do the following to install NICI:
Log in as john and execute the following command:
sudo installp -acgXd absolute_path_of_the_NICI_fileset NOVLniu0
For example:
sudo installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0
Execute the following script:
sudo /var/opt/novell/nici/set_server_mode
NICI gets installed in the server mode.
Go to the directory where you want to install eDirectory.
Untar the tar file as follows:
tar xvfp /tar_file_name
Export the paths as follows:
Manually export the environment variables
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
Use the ndspath script to export the environment variables
If you do not want to export the paths manually, you can use the custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath script as follows:
Prefix the ndspath script to the utility and run the utility you want as follows:
custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters
Go to the custom_location/eDirectory/opt/novell/eDirectory/bin/ directory and export the paths in the current shell as follows:
. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath
NOTE: Ensure that you enter the above command from the custom_location/eDirectory/opt directory.
After entering the above command, run the utilities as you would normally do.
Call the script from your profile, bashrc, or similar scripts so that whenever you log in or open a new shell, you can start using the utilities directly.
Configure eDirectory in the usual manner.
You can configure eDirectory in any of the following ways:
Use the ndsconfig utility as follows:
ndsconfig new -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-b port_to_bind] [-B interface1@port1, interface2@port2,..] [-D custom_location] [--config-file configuration_file]
For example:
ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
The port numbers you enter need to be in the range 1024 to 65535. Port numbers lower than 1024 are normally reserved for the super-user and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications.
This might cause the following applications to break:
The applications that don't have an option to specify the target server port.
The older applications that use NCP and are run as root for port 524.
Use the ndsmanage utility to configure a new instance. For more information, refer to Creating an Instance through ndsmanage.
Follow the onscreen instructions to complete the configuration.
For more information, see Section 3.6.5, Using the Ndsconfig Utility to Add or Remove the eDirectory Replica Server.
You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see The ndsconfig Utility.
If you want to configure eDirectory in a specific locale, you need to export LC_ALL and LANG to that particular locale before eDirectory configuration. For example, to configure eDirectory in the Japanese locale, enter the following:
export LC_ALL=ja
export LANG=ja
Use the following syntax:
ndsconfig new -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for dib] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port]
A new tree is installed with the specified tree name and context.
There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
tree_name: 32 characters
admin FDN: 256 characters
server FDN: 256 characters
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
Or, you can also use the following syntax:
ndsconfig def -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for dib] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port]
A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.
For example, to create a new tree, you could enter the following command:
ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company
Use the following syntax:
ndsconfig add -t treename -n server context -a admin FDN [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port] [-S server name] [-d path for dib] [-p IP address:port] [-m module] [-E]
A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.
LDAP and security services can also be added after eDirectory has been installed into the existing tree.
For example, to add a server into an existing tree, you could enter the following command:
ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1
You can enable encrypted replication in the server you want to add using the -E option. For more information on encrypted replication, refer to Novell eDirectory 8.8 Administration Guide.
Use the following syntax:
ndsconfig rm -a admin FDN
eDirectory and its database are removed from the server.
NOTE: The HTML files created using iMonitor will not be removed. You must manually remove these files from /var/opt/novell/eDirectory/data/dsreports before removing eDirectory.
For example, to remove the eDirectory Server object and directory services from a tree, you could enter the following command:
ndsconfig rm -a cn=admin.o=company
Refer to ndsconfig Utility Parameters for more information.
You can configure multiple instances of eDirectory 8.8 on a single host. For information on multiple instances, refer to Section 1.6.5, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8 in the Linux chapter.
You can use ndsconfig to install an AIX server into an eDirectory tree that has containers using dotted names (for example, novell.com).
Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on an AIX server using "O=novell.com" as the name of the O, use the following command:
ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"
The admin name and context and the server context parameters are enclosed in double quotes, and only the dot ('.') in novell.com is escaped using the '\' (backslash) character.
You can also use this format when installing a server into an existing tree.
NOTE: You should use this format when entering dotted admin name and context while using utilities such as ndsrepair, ndsbackup, ndsmerge, ndslogin, and ldapconfig.
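This section's dotted-name escaping, together with the name length limits and the nonroot port range given earlier, can be checked before ndsconfig is run. The following is an added example, not part of the Novell documentation; the function names are hypothetical, and rejecting a port that is listed twice is this example's own check rather than a documented rule.

```sh
#!/bin/sh
# Added example, not Novell code. Function names are hypothetical.

# Escape the dots inside one name component: novell.com -> novell\.com
nds_escape() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Join components with unescaped dots, escaping dots inside each component:
#   nds_join OU=servers O=novell.com  ->  OU=servers.O=novell\.com
nds_join() {
    joined=''
    for part in "$@"; do
        joined="${joined:+$joined.}$(nds_escape "$part")"
    done
    printf '%s\n' "$joined"
}

# Documented limits: tree_name 32 characters, admin FDN and server FDN 256.
# The page does not say whether escape backslashes count toward the limit;
# this function checks the string it is given.
nds_len_ok() {       # usage: nds_len_ok max_chars value
    [ -n "$2" ] && [ "${#2}" -le "$1" ]
}

# Ports for a nonroot instance must be numeric and within 1024..65535.
# Rejecting a port listed twice is this example's own check: two listeners
# cannot share one port on the same interface.
nds_ports_ok() {
    seen=' '
    for port in "$@"; do
        case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
        [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
        case $seen in *" $port "*) return 1 ;; esac
        seen="$seen$port "
    done
}

# Rebuild the command from this section and print it without running it.
tree=novell_tree
admin=$(nds_join admin novell.com)
ctx=$(nds_join OU=servers O=novell.com)
if nds_len_ok 32 "$tree" && nds_len_ok 256 "$admin"; then
    printf 'ndsconfig new -a "%s" -t %s -n "%s"\n' "$admin" "$tree" "$ctx"
fi
```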
For eDirectory 8.8, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux, Solaris, and AIX systems to configure NMAS.
Ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.
IMPORTANT: You must configure eDirectory with ndsconfig before you install the NMAS login methods. You must also have administrative rights to the tree.
By default, ndsconfig configures NMAS. You can also use nmasinst for the same.
To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name
nmasinst will prompt you for a password.
This command creates the objects in the Security container that NMAS needs, and installs the LDAP extensions for NMAS on the LDAP Server object in eDirectory.
The first time NMAS is installed in a tree, it must be installed by a user with enough rights to create objects in the Security container. However, subsequent installs can be done by container administrators with the Read-only right to the Security container. nmasinst will verify that the NMAS objects exist in the Security container before it tries to create them.
nmasinst does not extend the schema. The NMAS schema is installed as part of the base eDirectory schema.
To install login methods using nmasinst, enter the following at the server console command line:
nmasinst -addmethod admin.context tree_name config.txt_path
The last parameter specifies the config.txt file for the login method that is to be installed. A config.txt file is provided with each login method.
Here is an example of the -addmethod command:
nmasinst -addmethod admin.novell MY_TREE "./nmas-methods/novell/Simple Password/config.txt"
If the login method already exists, nmasinst will update it.
For more information, see “Managing Login and Post-Login Methods and Sequences” in the Novell Modular Authentication Service Administration Guide.
NICI and NOVLsubag should be installed as root user.
Install NICI as root. Refer to Root User Installing NICI.
Install NOVLsubag as root.
Export the paths as follows:
Manually export the environment variables.
export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export PATH=/opt/novell/eDirectory/bin:$PATH
export MANPATH=/opt/novell/:$MANPATH