
Getting started with the enhanced XDAS features found in eDirectory 88 SP7 Patch 3

This document (7012483) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory
NetIQ iManager
Novell eDirectory 8.8 SP7 Patch 3 for Linux
Novell iManager 2.7 SP6 Patch 1

Situation

What's New?

Additional XDAS functionality is enabled with eDirectory 8.8 SP7 Patch 3 and a new XDAS plugin for iManager.  Among the new features are:
- new configuration attribute
- new interface for the iManager plugin
- feature parity with eDirectory Instrumentation
- ability to filter replicated events
- object class and attribute filtering
- Select all / Deselect all events option
    
Enabling this functionality on eDirectory 8.8 SP7 Patch 3 requires some manual steps, whether this is a first-time setup or an existing one.  If eDirectory 8.8 SP8 is installed, the schema extension and the XDAS configuration update steps can be skipped.
 
New configuration attribute
- The latest edirxdas.sch file, laid down by applying eDirectory 8.8 SP7 Patch 3, is used to extend the schema.

New iManager interface
- Available after installing the latest 'eDirectory88 Plugins' from the iManager plugin update service.  (Note: do not select the 'eDirectory Instrumentation' plugin from the list.  The instrumentation plugin is part of the eDirectory88 Plugins and will be installed with them.)
- If there is an existing configuration, it must be migrated to the new configuration attribute using the new migration option within the iManager XDAS plugin.

Resolution

Non-OES Linux Quick Start Example

A. Configuring XDAS

1. Patch the server to eDirectory 8.8 SP7 Patch 3 or later.  8.8 SP7 Patch 3 for Linux can be found here:
eDirectory 8.8 SP7 Patch 3 for Linux & Unix.  (Note: the latest version of iManager can be found on http://dl.netiq.com.)

The installed version can be verified by running ndsstat at the command line.

2. Extend the schema for XDAS using the edirxdas.sch file laid down by the eDirectory 8.8 SP7 Patch 3 installer:
ndssch -t MY_TREE admin.myorg /opt/novell/eDirectory/lib64/nds-schema/edirxdas.sch

Alternately, the schema files can be taken from the edir887_patch3_schema.zip file found in this patch.
  NOTE: If eDirectory 8.8 SP8 is installed the schema has already been extended and Step 2 can be skipped.

3. Patch iManager to 2761 HF1.  iManager patches can be found at http://download.novell.com/patch/finder/ by selecting the appropriate drop-down.

4. Download and install the new 'eDirectory88 Plugins' plugin for iManager.  At the time this TID was written the latest is:
- eDirectory88 Plugins 2.7.20130214
To check the installed version of the plugin, within iManager go to: Configure - Plug-in Installation - Available Plugins.

(NOTE: The eDirectory88 Plugins install the latest Instrumentation Plugin.  Do not install the older standalone eDirectory Instrumentation plugin; doing so will prevent the new plugin's UI from being displayed.  If the standalone plugin was installed, uninstall both plugins and then re-install the latest eDirectory88 Plugins.)

5. Restart Tomcat:
/etc/init.d/novell-tomcatx restart       (where x is the version of Tomcat on the server)

6. Update RBS, if configured.
The eDirectory Auditing role will not show up if this step is skipped.

7. Restart Tomcat again if RBS was updated in Step 6:
/etc/init.d/novell-tomcatx restart       (where x is the version of Tomcat on the server)

8. Modify the XDAS configuration file
Edit /etc/opt/novell/eDirectory/conf/xdasconfig.properties and uncomment/modify the following lines for the Rolling File Appender:
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/opt/novell/eDirectory/log/xdas-events.log
log4j.appender.R.MaxFileSize=100MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n

9. Modify the ndsmodules.conf file to autoload the xdas module
Uncomment the xdasauditds line in the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file.  If it is not listed, add the following to the end of the file:
   - xdasauditds       auto      #XDASauditds

10. Load the xdas module
- ndstrace -c "load xdasauditds"

11. Verify it is running
- A tail of /var/opt/novell/eDirectory/log/ndsd.log should show 'NetIQ eDirectory XDASv2 Instrumentation module started'
- Running 'ndstrace -c modules |grep xdasauditds' should return
xdasauditds     Running

12. Configure XDAS auditing in iManager.  Role: eDirectory Auditing - Audit Configuration - select the server, then the auditing options.
The new UI is in use if the Global option Do Not Send Replicated Events is seen under the XDAS Events tab.

NEW: [screenshot of the new UI]

OLD: [screenshot of the old UI]

If the old UI is still displayed (the Global option is not seen) and the Upgrade XDAS Configuration option is displayed, select this Upgrade link and refresh the browser when instructed.  The auditing options (object classes, attributes, events, etc.) can now be configured.  (See Section B below.)

13. Once the auditing configuration is complete, wait 3 minutes for the new configuration to load or type the following commands to restart the XDAS module:
ndstrace -c "unload xdasauditds"
ndstrace -c "load xdasauditds"

The events will be collected in the log file specified in the previously modified /etc/opt/novell/eDirectory/conf/xdasconfig.properties file.  The default for the Rolling File Appender is /var/opt/novell/eDirectory/log/xdas-events.log.

* To view the server's current event configuration the following LDAP command can be used:
/opt/novell/eDirectory/bin/ldapsearch -x -h x.x.x.x -D cn=admin,o=novell -w novell cn=SERVERNAME xdasConfiguration


B. Configuring Event Filters

In this example the customer is only concerned with tracking changes to the Telephone Number attribute value of his users.  To do this, the correct class (set of events) and then the event itself must be selected.  The XDASv2 Administration Guide lists these in Appendix A, with a description of each in Section 3.4.1.  The event classes or sets available to the administrator are:

Account Management Events
Session Management Events
Data Item and Resource Element Management Events
Service or Application Management Events
Service or Application Utilization Events
Peer Association Management Events
Data Item or Resource Element Content Access Events
Work Flow Management Events
Role Management Events
Exceptional Events
Audit Service Management Events
Authentication Event
 
Selecting the Create Role and Delete Role events under the Role Management class will log all changes to an attribute (deletes and adds).  This information can be found in the XDAS Admin guide as well as in the XDAS user guides found here:
http://openxdas.sourceforge.net/documentation.html.  The following steps show how to configure the filter using the XDAS iManager plugin.

1. Log into iManager and navigate to the eDirectory Auditing - Audit Configuration task.  Select the server and click OK.

2. Ensure the XDAS Events tab is selected at the top of the screen.  Scroll down the event sets under the XDAS Events Configuration section until the Role Management set is seen.  The attribute to be logged can be selected by clicking on the Role Management Events link.

3. On the next screen, XDAS Roles Configuration Filtering, scroll through the Available Attribute(s) until Telephone Number is seen.  Highlight the attribute, add it to the Selected Attribute(s) and click OK. *

4. Once back at the Role Management Events class, select both Create Role and Delete Role.  Select both DS and LDAP type events, then click OK. **

5. Once the audit filter configuration is complete, wait 3 minutes for the new configuration to load or type the following commands to restart the XDAS module:
ndstrace -c "unload xdasauditds"
ndstrace -c "load xdasauditds"

The LDAP search output from '/opt/novell/eDirectory/bin/ldapsearch -x -h x.x.x.x -D cn=admin,o=novell -w novell cn=SERVERNAME xdasConfiguration' should show the following audit attributes on the NCP server object:
xdasConfiguration: loglargevalues=false
xdasConfiguration: DSNoReplicatedEvents=1
xdasConfiguration: dsaccount=
xdasConfiguration: ldapaccount=
xdasConfiguration: xdasEvents=CREATE_ROLE$DS$LDAP$$DELETE_ROLE$DS$LDAP
xdasConfiguration: dsrole=$$Telephone Number
xdasConfiguration: ldaprole=$$telephoneNumber
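The following Python check is an added example, not part of this TID: it decodes the xdasConfiguration values returned by the ldapsearch above and reports where a server's live configuration differs from the filter configured in this section.  The reading of the '$' and '$$' separators and the MODIFY_ROLE event name are inferred from the sample values on this page and are assumptions.

```python
# Decodes the xdasConfiguration values from the ldapsearch output and checks them against the intended filter.
# Assumption, read from the page's sample values: events in xdasEvents are separated by "$$" and each is
# name$channel$channel...; in dsrole/ldaprole the text after "$$" is the selected attribute.
def parse_xdas_configuration(ldif_lines):
    """Map each 'xdasConfiguration: key=value' line of the ldapsearch output to key -> value."""
    conf = {}
    for line in ldif_lines:
        line = line.strip()
        if not line.startswith("xdasConfiguration:"):
            continue  # dn:, blank and result lines are not configuration values
        key, _, value = line[len("xdasConfiguration:"):].strip().partition("=")
        conf[key] = value
    return conf

def parse_events(xdas_events):
    """'CREATE_ROLE$DS$LDAP$$DELETE_ROLE$DS$LDAP' -> {'CREATE_ROLE': {'DS', 'LDAP'}, 'DELETE_ROLE': {...}}"""
    events = {}
    for item in filter(None, xdas_events.split("$$")):
        name, *channels = item.split("$")
        events[name] = set(channels)
    return events

def check_filter(conf, attribute, expected_events=("CREATE_ROLE", "DELETE_ROLE")):
    """Return findings where the server's configuration differs from the single-attribute filter."""
    findings = []
    events = parse_events(conf.get("xdasEvents", ""))
    for name in expected_events:
        if name not in events:
            findings.append(f"{name} is not enabled")
        elif events[name] != {"DS", "LDAP"}:
            findings.append(f"{name} is only enabled for {sorted(events[name])}, expected DS and LDAP")
    if "MODIFY_ROLE" in events:  # event name assumed from the page's naming; see note ** on Modify Role
        findings.append("MODIFY_ROLE is enabled; this adds the unwanted modifiersname logging described under Notes")
    if conf.get("DSNoReplicatedEvents") != "1":
        findings.append("Do Not Send Replicated Events is off; changes replicated in from other servers are logged too")
    ds_attr = conf.get("dsrole", "").split("$$")[-1]
    if ds_attr != attribute:
        findings.append(f"dsrole filters on {ds_attr!r}, expected {attribute!r}")
    return findings

# Constructed copy of the ldapsearch output shown on this page.
SAMPLE_LDIF = """
xdasConfiguration: loglargevalues=false
xdasConfiguration: DSNoReplicatedEvents=1
xdasConfiguration: dsaccount=
xdasConfiguration: ldapaccount=
xdasConfiguration: xdasEvents=CREATE_ROLE$DS$LDAP$$DELETE_ROLE$DS$LDAP
xdasConfiguration: dsrole=$$Telephone Number
xdasConfiguration: ldaprole=$$telephoneNumber
""".splitlines()
```

Feeding the output of the ldapsearch into parse_xdas_configuration and then check_filter gives an empty list when the server carries exactly the configuration shown above.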
 
 
The event written to the XDAS event log when a Telephone Number value of 777-7777 is added to the user object testuser1.novell:

Jan 06 16:52:11 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "HV_888TREE_8","Name" : "CN=SLES11SP2-SVR1,O=novell"},"Entity" : {"SysAddr" : "192.168.1.1","SysName" : "mysvr8"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32806"},"Entity" : {"SysAddr" : "192.168.1.1:3457"}},"Target" : {"Data" : {"Attribute Name" : "Telephone Number","Attribute Value" : "777-7777","ClassName" : "User","Name" : "CN=testuser1,O=novell","Syntax" : "10"}},"Action" : {"Event" : {"Id" : "0.0.8.0","Name" : "CREATE_ROLE","CorrelationID" : "eDirectory#20#26dc4b35-011e-4e48-4b95-354bdc261e01","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389052331},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
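As an added example (not part of this TID), the Python below parses xdas-events.log lines in the layout produced by the ConversionPattern from step 8 and pulls out who changed which attribute on which object, which is what a reviewer of this audit trail needs from each record.  The sample lines are constructed from the event above, and the JSON field paths follow that event.

```python
import json
import re

# One xdas-events.log line as laid out by the page's log4j pattern "%d{MMM dd HH:mm:ss} %c : %p%m%n".
LOG_LINE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<logger>\S+) : (?P<level>[A-Z]+) ?(?P<body>\{.*\})$")

def parse_xdas_line(line):
    """Return {'ts', 'level', 'event'} for a JSON event line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"], "level": m["level"], "event": json.loads(m["body"])}
    except json.JSONDecodeError:
        return None

def attribute_changes(lines, attribute):
    """Summarise each CREATE_ROLE/DELETE_ROLE event that touched `attribute` (the slice the page's filter targets)."""
    hits = []
    for line in lines:
        rec = parse_xdas_line(line)
        if rec is None:
            continue
        ev = rec["event"]
        act = ev.get("Action", {}).get("Event", {})
        data = ev.get("Target", {}).get("Data", {})
        if act.get("Name") in ("CREATE_ROLE", "DELETE_ROLE") and data.get("Attribute Name") == attribute:
            hits.append({"time": rec["ts"],
                         "who": ev.get("Initiator", {}).get("Account", {}).get("Name"),
                         "from": ev.get("Initiator", {}).get("Entity", {}).get("SysAddr"),
                         "target": data.get("Name"),
                         "op": act.get("SubEvent"),  # DSE_ADD_VALUE on an add, DSE_DELETE_VALUE on a delete
                         "value": data.get("Attribute Value")})
    return hits

def _line(ts, event):
    # Constructed sample in the page's layout: logger "eDirectory", level INFO, then the JSON body.
    return f"{ts} eDirectory : INFO {json.dumps(event)}"

# Constructed samples: the page's event (admin adds 777-7777 to testuser1), a DELETE_ROLE on another
# attribute that the filter must skip, and a non-JSON module message that the parser must tolerate.
SAMPLE_LINES = [
    _line("Jan 06 16:52:11", {"Source": "eDirectory#DS",
          "Initiator": {"Account": {"Name": "CN=admin,O=novell", "Id": "32806"}, "Entity": {"SysAddr": "192.168.1.1:3457"}},
          "Target": {"Data": {"Attribute Name": "Telephone Number", "Attribute Value": "777-7777",
                              "ClassName": "User", "Name": "CN=testuser1,O=novell", "Syntax": "10"}},
          "Action": {"Event": {"Id": "0.0.8.0", "Name": "CREATE_ROLE", "SubEvent": "DSE_ADD_VALUE"}, "Outcome": "0"}}),
    _line("Jan 06 16:53:02", {"Target": {"Data": {"Attribute Name": "Description", "Name": "CN=testuser1,O=novell"}},
          "Action": {"Event": {"Name": "DELETE_ROLE", "SubEvent": "DSE_DELETE_VALUE"}}}),
    "Jan 06 16:53:05 eDirectory : INFO xdasauditds loaded",
]
```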
 
 

 
Notes:

* Currently, in the XDAS Roles Configuration Filtering screen, either an attribute or an object class can be selected.  In the version that ships with eDirectory 8.8 SP8, selecting both is not supported.
** While on the XDAS Events Configuration section - Role Management, if Modify Role is selected, additional (and unwanted) logging of modifiersname is added to the log.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7012483
  • Creation Date:24-MAY-13
  • Modified Date:15-JAN-14