6.1 Using namconfig

The namconfig utility lets you add or remove Linux User Management from a specified eDirectory context, as well as retrieve or set Linux User Management configuration parameters.

6.1.1 namconfig Command Line Parameters

Table 6-1 Command Line Parameters for namconfig

Parameter / Description

add
    Configures Linux User Management against the specified Workstation object context in eDirectory.

rm
    Removes configuration from Linux User Management.

upgrade
    Upgrades from an earlier version of Linux User Management.

set valuelist
    Sets the value for the specified Linux User Management configuration parameters. For a complete list of configurable parameters, refer to Table 6-2.

get paramlist
    Retrieves the value for the specified Linux User Management configuration parameters. For a complete list of configurable parameters, refer to Table 6-2.

-k
    Specifies that the SSL certificate file is to be imported into the local machine.

help paramlist
    Lets you view the help strings for the Linux User Management configurable parameters. For a complete list of configurable parameters, refer to Table 6-2.

-w workstation_context
    Specifies, in LDAP format, the context where the Workstation object will be created.

-a adminFDN
    Specifies, in LDAP format, the administrator's name.

-S servername
    Specifies the preferred eDirectory server. The server can be specified in terms of its IP address or host name.
    This is a mandatory parameter.

-r base_context
    Specifies, in LDAP format, the base context of the UNIX/Linux Config object that contains the list of workstation contexts.

-o
    Specifies that the existing LUM configuration is to be overwritten. Be aware that this removes the associated Workstation object and creates it again.

port
    Specifies the non-SSL port.

-l sslport
    Specifies the SSL port.

cache_refresh
    Specifies how frequently user and group entries stored in the persistent cache are to be refreshed from eDirectory.
    A larger value results in less network traffic and less load on the server, but the cache might reflect stale information if the eDirectory database is modified. The value can range from 1 to 2147483647 seconds.

-R alternative-ldap-server-list
    Specifies a comma-separated list of alternative LDAP replica servers. The server can be specified by IP address or host name.
    NOTE: You must ensure that the alternate LDAP server list does not contain any separator other than a comma. Ensure that the comma separator is not followed by a space, as this could lead to unfavorable results.

6.1.2 Configuring a Failover Mechanism

LUM fails if the LDAP server against which LUM is configured is unavailable. To avoid failure, populate the alternative-ldap-servers in /etc/nam.conf with a list of LDAP servers where LUM can fall back when the primary LDAP server is down.

Ensure that the LDAP servers are replica servers. Otherwise, the persistent-search feature does not work.

6.1.3 Configuring a Workstation with Linux User Management

To configure a specified workstation with Linux User Management, use the following syntax:

namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername[:port] [-l sslport] [-R server[:port],server[:port],...]

Example:

namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389

Example (secure LDAP):

namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636

NOTE: At a minimum, you must supply the adminFDN, workstation_context, base_context, and servername parameters.

For a description of the command line parameters, refer to Table 6-1.

After the configuration, you need to change the /etc/nsswitch.conf and PAM configuration files to start the product.

6.1.4 Configuring Linux User Management with LDAP SSL

To configure Linux User Management with SSL, use the following command:

namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636

where the administrator FDN, base context, workstation context, server name, and SSL port match your eDirectory containers and server.

Configuring Linux User Management to use secure LDAP ensures that the information exchanged between the OES server and eDirectory is securely encrypted.

If you configure Linux User Management for secure LDAP, the configuration utility adds two parameters to the /etc/nam.conf file: type-of-authentication=2 and ldap-ssl-port.

During the configuration, the server certificate is created in the /var/lib/novell-lum directory as a hidden file with a .der extension.

All PAM authentication requests are then handled by using secure LDAP.

To get user profile information from eDirectory, nss_nam uses a regular LDAP connection.

If the server's SSL certificate expires, it can be re-created by using the namconfig utility with the -k option. The same certificate file can be used by other applications that want to use secure LDAP for communicating with eDirectory.
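The following shell script is an added example and is not part of the Linux User Management documentation or of namconfig. It audits a nam.conf-style file for the two settings this section says secure LDAP configuration writes (type-of-authentication=2 and ldap-ssl-port) and checks that a hidden .der certificate file exists in the certificate directory, which is a useful post-configuration check and a quick way to spot a server whose PAM traffic is still going over plain LDAP. The function names, the sample configuration file, and the temporary directories are constructed for this example; only the key names come from the page.

```shell
#!/bin/sh
# Added example (not from the OES documentation): verify that a LUM
# configuration actually uses secure LDAP for PAM authentication.

# nam_conf_get FILE KEY
# Prints the value of KEY in FILE (last occurrence wins); prints nothing if
# the key is absent. Tolerates whitespace around '='.
nam_conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# lum_ssl_configured FILE
# Returns 0 when FILE carries type-of-authentication=2 and a numeric
# ldap-ssl-port, i.e. the parameters the page says namconfig writes for
# secure LDAP. Returns 1 otherwise.
lum_ssl_configured() {
    file=$1
    auth=$(nam_conf_get "$file" type-of-authentication)
    port=$(nam_conf_get "$file" ldap-ssl-port)
    [ "$auth" = 2 ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# lum_cert_present [DIR]
# Returns 0 when DIR (default /var/lib/novell-lum, per the page) holds at
# least one hidden file with a .der extension.
lum_cert_present() {
    dir=${1:-/var/lib/novell-lum}
    for f in "$dir"/.*.der; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# make_sample_conf
# Writes a constructed nam.conf-style file to a temp path and prints the path.
# This is sample data for the example, not a real /etc/nam.conf.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/nam.conf
alternative-ldap-servers=ldap2.example.com:389,ldap3.example.com:389
type-of-authentication=2
ldap-ssl-port = 636
EOF
    printf '%s\n' "$f"
}

# Demonstration against the constructed sample (cleaned up afterwards).
sample=$(make_sample_conf)
if lum_ssl_configured "$sample"; then
    echo "secure LDAP configured on port $(nam_conf_get "$sample" ldap-ssl-port)"
else
    echo "WARNING: PAM authentication is not configured for secure LDAP" >&2
fi
rm -f "$sample"
```

Point lum_ssl_configured at /etc/nam.conf and lum_cert_present at the real certificate directory to audit a live server; if the certificate check fails after the SSL settings are present, re-import it with namconfig -k as described above.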

6.1.5 Removing Linux User Management Configuration

To remove the Linux User Management configuration, use the following syntax:

namconfig rm -a adminFDN

Example:

namconfig rm -a cn=admin,o=novell

For a description of the command line parameters, refer to Table 6-1.

NOTE: If you delete or change the name of the container originally passed to namconfig, you need to delete nam.conf and rerun namconfig.

6.1.6 Setting or Getting Linux User Management Configuration Parameters

The namconfig utility lets you set values for specific Linux User Management configuration parameters or retrieve these values on the command line. To do so, use the following syntax:

namconfig {set valuelist | get paramlist | help paramlist}

Example:

namconfig set servername=namserver

This specifies that the server named namserver is to be used as the preferred eDirectory server.

namconfig get base-name

This displays the current eDirectory context in which Linux User Management is installed.

For a description of the command line parameters, refer to Table 6-1.

The following parameters cannot be set:

  • base-name

  • schema

  • certificate-file-type

After Linux User Management is configured under a base name, it should not be moved or renamed. If moving or renaming is required, you must manually edit the /etc/nam.conf file.

The type of the eDirectory schema is determined during configuration.

6.1.7 Using namconfig to Import an SSL Certificate

To import an SSL certificate into the local machine, use the following syntax:

namconfig -k

For a description of the command line parameters, refer to Table 6-1.