
Installing iChain Services Software

To install a basic iChain infrastructure, complete the procedures in the sections that follow.


Installing the iChain Proxy Services Software

The iChain Proxy Server should only be installed on compatible hardware (see iChain Proxy Server Requirements). To install the proxy server software:

  1. Insert the iChain 2.1 Proxy Server CD in the CD drive of the appliance or machine.

  2. At the license screen, type YES and press Enter.

    The disk image is copied. When the copy is complete, the system reboots itself.

  3. Make sure the LAN adapter IP address is configured correctly.

    After installation, the first LAN adapter on the iChain Proxy Server is preconfigured with the IP address 10.1.1.1 and subnet mask 255.255.255.0. To administer the server using the browser-based administration utility, you need either a client workstation with an IP address on the same subnet (such as 10.1.1.2) or the command line interface to set the IP address on the iChain Proxy Server.

    The following commands from the iChain proxy server console will configure the first LAN adapter with an IP address of 123.45.67.89 and a subnet mask of 255.255.252.0:

    >unlock

    At the Password prompt, press Enter (no password exists yet).

    >set eth0 address = 123.45.67.89/255.255.252.0
    >apply

    You will need to restart the server after resetting the eth0 address.

    If you are going to configure the iChain Proxy Server from a different segment than the one the iChain Proxy Server is on, you will also need to use the following commands to configure the gateway:

    >set gateway nexthop = 123.45.69.254
    >apply

NOTE:  After installation, your iChain Proxy Server will require some basic setup to support your iChain implementation. The basic steps are detailed in Setting Up the iChain Proxy Server.

If you will be using the iChain Wizard to assist with configuration, you will need to enable FTP on at least one IP address for your proxy server. Once you have configured a LAN adapter as described above, enable the FTP server with the following commands:

>set miniftpserver address = 123.45.67.89
>apply

NOTE:  Because FTP is an insecure protocol, enabling FTP can be a security risk on your network. We recommend that you enable the FTP server on an IP address which is only accessible from a private network such as an isolated hub or crossover cable. See Using the iChain Wizard to Create a Basic Configuration for details on using the iChain Wizard.


Installing iChain Services Schema Extensions on the iChain Authorization Server

The iChain Authorization Server is the access point that the iChain Proxy Services uses to retrieve authentication, access privileges, user, and group information for your iChain implementation from the eDirectory database. To turn your NDS eDirectory server platform into an iChain Authorization Server, you only need to install the iChain schema extensions onto the NDS tree for that server.

To install iChain schema extensions on the iChain Authorization Server:

  1. If you have not already done so, install NDS eDirectory 8.5 on the machine that will be your iChain Authorization Server.

  2. Insert the iChain authorization CD into the CD drive of a Windows client machine with IP connectivity to the iChain Authorization Server.

    If this is a Windows 2000 or Windows NT machine, you will need administrator-level access to the client. The installation program launches automatically.

  3. Click Install iChain Schema.

  4. At the Welcome screen, click Next.

  5. Read the license agreement. If you accept the terms of the agreement, click Yes.

  6. Enter the administrator user name in comma-delimited LDAP format (for example, cn=admin, o=novell).

  7. Enter the administrator password.

  8. Enter the IP address (and port, if necessary) for the server where you want to extend the schema.

  9. Click Next.

The installation program will notify you whether the schema extension was successful. If an error occurs, you should look at the log file to determine what LDAP errors occurred. If a bind error occurs, the installation was not able to log in to the LDAP server.


Common Bind Errors

Some of the most common bind errors are:

ldap_simple_bind failed: 49(Invalid credentials), dn: cn=admin,o=novell: Usually denotes an incorrect password. Check the password and try again.

ldap_simple_bind failed: 32(No such object), dn: cn=adm,o=novell: The administrator specified does not exist. Verify the username and try again.

ldap_simple_bind_failed: 13(Confidentiality required), dn: cn=admin,o=novell: You need to enable the Allow Clear Text Passwords option on the LDAP Group object. Open the LDAP Group object in ConsoleOne and make sure the check box labeled Allow Clear Text Passwords is selected.

ldap_simple_bind failed 81(Can't contact LDAP server), dn: cn=admin,o=novell: Either the IP address/port combination is incorrect or the LDAP server is not running. Verify the IP address and LDAP port, make sure the server is running, and try again.

NOTE:  Contact Novell Technical Support if you are unable to resolve an error or if you have trouble creating or modifying iChain objects after extending the schema.


Common Log File Errors

Sometimes the LDAP bind will succeed but there are other errors in the log file. In these cases, there are usually multiple instances of the same error. Some common non-bind related errors are:

The LBURP extension is not available on the server. Using standard LDAP calls: This generally means the LDAP server is out of date. You should verify that the latest LDAP server (included with NDS eDirectory 8.5 or later) is installed on the server to ensure that the schema is completely extended.

Record1: LBURP operation failed: 50(Insufficent access), dn:cn=schema: This error means that the administrator specified does not have sufficient rights to extend the schema.

Record1: LBURP operation failed: 20(Type or value exists), dn:cn=schema: This error is expected if the server has already been extended with a previous version of iChain. The new iChain 2.1 schema attributes will still be added.

NOTE:  Contact Novell Technical Support if you are unable to resolve an error or if you have trouble creating or modifying iChain objects after extending the schema.
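
The two error lists above can be applied mechanically to the schema installer's log. The following Python triage function is an added example, not Novell's code: it matches the message formats quoted on this page, groups repeated errors, and attaches the remediation listed above. The names `triage`, `ADVICE` and `SAMPLE_LOG`, and the sample log itself, are constructed for illustration.

```python
import re
from collections import Counter

# Remediation text paraphrased from the "Common Bind Errors" and
# "Common Log File Errors" lists, keyed by (operation, LDAP result code).
ADVICE = {
    ("bind", 49): "Incorrect password: check the password and try again.",
    ("bind", 32): "Administrator DN does not exist: verify the user name.",
    ("bind", 13): "Allow Clear Text Passwords is not enabled on the LDAP Group object.",
    ("bind", 81): "Wrong IP address/port, or the LDAP server is not running.",
    ("lburp", 50): "Administrator lacks rights to extend the schema.",
    ("lburp", 20): "Schema was extended by an earlier iChain; 2.1 attributes are still added.",
}

# Tolerates the variants quoted on this page: "_failed:", " failed:", " failed 81(".
LINE_RE = re.compile(
    r"(?P<op>ldap_simple_bind|LBURP operation)[ _]failed:?\s*"
    r"(?P<code>\d+)\((?P<text>[^)]*)\),\s*dn:\s*(?P<dn>.+?)\s*$"
)

def triage(log_text):
    """Return one finding per distinct (operation, code, dn), with a repeat count."""
    counts, texts = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # informational lines (e.g. the LBURP fallback notice)
        op = "bind" if m["op"] == "ldap_simple_bind" else "lburp"
        key = (op, int(m["code"]), m["dn"])
        counts[key] += 1
        texts[key] = m["text"]
    return [
        {"op": op, "code": code, "dn": dn, "text": texts[(op, code, dn)], "count": n,
         "advice": ADVICE.get((op, code), "Not listed on this page."),
         "expected": (op, code) == ("lburp", 20)}  # the one error the page calls expected
        for (op, code, dn), n in counts.items()
    ]

# Constructed sample log; line formats copied from the messages quoted above.
SAMPLE_LOG = """\
The LBURP extension is not available on the server. Using standard LDAP calls
Record1: LBURP operation failed: 20(Type or value exists), dn:cn=schema
Record2: LBURP operation failed: 20(Type or value exists), dn:cn=schema
ldap_simple_bind_failed: 13(Confidentiality required), dn: cn=admin,o=novell
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['count']}x {f['op']} {f['code']} ({f['text']}) {f['dn']}: {f['advice']}")
```

Result 13 is worth singling out when reviewing the output: the fix listed above permits simple binds over an unencrypted connection, so the administrator password entered in the installer crosses the network in clear text.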


Installing the iChain ConsoleOne Snap-ins

You must install the iChain ConsoleOne snap-in files in order to administer the iChain eDirectory objects such as the iChain Service Object. You can install the snap-in files to be used with ConsoleOne running from the iChain Authorization Server, another server in the tree, or from an administrator workstation.

NOTE:  iChain 2.1 requires ConsoleOne 1.3.2 or later for all of the snap-ins to function correctly.

To install the iChain ConsoleOne snap-ins to a server or an administrator workstation:

  1. If the server or workstation does not already have ConsoleOne installed, install ConsoleOne.

    NOTE:  After ConsoleOne is installed, make sure you close it before starting to install the snap-ins.

  2. Insert the iChain authorization CD into the CD drive of the server or the administrator workstation.

    The installation program launches automatically.

  3. Click Install ConsoleOne Snapins for iChain.

  4. At the Welcome screen, click Next.

  5. Read the license agreement. If you accept the terms of the agreement, click Yes.

  6. Select the target drive where you want to copy the snap-in files.

  7. Click Next to start copying the files.

  8. Click Finish.

After completing the full installation, you will need to use ConsoleOne to create the iChain service group object, along with the access control list (ACL) rule objects, and make any other configuration adjustments. See Setting Up a Basic Configuration for more details.


