2.5 Preparing eDirectory for OES 11 SP3

2.5.1 If Your Directory Tree Is Earlier than eDirectory 8.6

If you are installing an OES 11 SP3 server into an eDirectory tree that is earlier than eDirectory 8.6, do the following before installing your first OES server in an existing NetWare tree:

  1. Extend the schema by using Deployment Manager. See Schema Update in the NW65 SP8: Installation Guide.

  2. Ensure that the schema is synchronized throughout the tree from root:

    1. Enter the following commands at the System Console prompt of the NetWare server with the Master of root:

      • set DSTRACE=on
      • set DSTRACE=nodebug
      • set DSTRACE=+Schema
      • set DSTRACE=*SSD
      • set DSTRACE=*SSA
    2. Toggle to the Directory Services screen and look for the message All Processed = YES.

    3. On each server that holds a Master of a partition, enter the following commands at the System Console prompt:

      • set DSTRACE=off
      • set DSTRACE=nodebug
      • set DSTRACE=+Schema
      • set DSTRACE=*SS
    4. Toggle to the Directory Services screen and look for the message All Processed = YES.

2.5.2 If Your LDAP Server Is Running NetWare 6.5 SP2 or Earlier

If you are installing into an eDirectory tree that is using a NetWare server to supply LDAP, you should upgrade the LDAP server that the OES installation will communicate with to NetWare 6.5 SP3 or later. A server running NetWare 6.5 SP2 or earlier will probably abend.

2.5.3 If Your Tree Has Ever Contained an OES 1 Linux Server with LUM and NSS Installed

Having NSS volumes on OES servers requires certain system-level modifications, most of which are automatic. For more information, see System User and Group Management in OES 11 SP3 in the OES 11 SP3: Planning and Implementation Guide.

NetStorage, X-Tier, and Their System Users

By default, certain OES services, such as NetStorage, rely on a background Novell service named X-Tier.

To run on an OES server, X-Tier requires two system-created users (named novlxsrvd and novlxregd) and one system-created group that the users belong to (named novlxtier).

An NSS Complication

The two X-Tier users mentioned above, and their group, are created on the local system when X-Tier is installed. For example, they are created when you install NetStorage, and their respective UIDs and GID are used to establish ownership of the service’s directories and files.

For NetStorage to run, these X-Tier users and group must be able to read data on all volume types that exist on the OES server.

As long as the server has only Linux traditional file systems, such as Ext3 and Reiser, NetStorage runs well.

However, if the server has NSS volumes, an additional requirement is introduced. NSS data can only be accessed by eDirectory users. Consequently, the local X-Tier users can’t access NSS data, and NetStorage can’t run properly.

eDirectory Solves the Basic Problem

When NSS volumes are created on the server, the two X-Tier system users and their group are moved to eDirectory and enabled for Linux User Management (LUM). See Linux User Management: Access to Linux for eDirectory Users in the OES 11 SP3: Planning and Implementation Guide.

After the move to eDirectory, they can function as both eDirectory and POSIX users, and they no longer exist on the local system.

The OES 2 Solution: Standardizing the UIDs on all OES servers

If your eDirectory tree has ever contained an OES 1 Linux server with NSS and LUM installed, do the following on each server (including OES 2) that has NSS and LUM installed:

  1. Log in as root and open a terminal prompt. Then enter the following commands:

    id novlxregd

    id novlxsrvd

    The standardized X-Tier IDs are UID 81 for novlxregd, UID 82 for novlxsrvd, and GID 81 for novlxtier.

  2. If you see the following ID information, the X-Tier IDs are standardized and you can move to the next server:

    uid=81(novlxregd) gid=81(novlxtier) groups=81(novlxtier)
    uid=82(novlxsrvd) gid=81(novlxtier) groups=81(novlxtier),8(www)
    

    If you see different IDs than those listed above, such as 101, 102, 103, etc., record the numbers for both X-Tier users and the novlxtier group. You need these IDs to standardize the IDs on the server.

  3. Download the following script file:

  4. Customize the template file by replacing the variables in angle brackets (<>) as follows:

    • <server_name>: The name of the server object in eDirectory.

      Replace this variable with the server name.

      For example, if the server name is myserver, replace <server_name> with myserver so that the line in the settings section of the script reads

      server=myserver

    • <context>: The context of the X-Tier user and group objects.

      Replace this variable with the fully distinguished name of the context where the objects reside.

      For example, if the objects are an Organizational Unit object named servers, replace ou=servers,o=company.

    • <admin fdn>: The full context of an eDirectory admin user, such as the Tree Admin, who has rights to modify the X-Tier user and group objects.

      Replace this variable with the admin name and context, specified with comma-delimited syntax.

      For example, if the tree admin is in an Organization container named company, the full context is cn=admin,o=company and the line in the settings section of the script reads

      admin_fdn="cn=admin,o=company"

    • <novlxregd_uid>: The UID that the system assigned to the local novlxregd user. It might or might not be the same on each server, depending on whether the nssid.sh script ran successfully.

      Replace this variable with the UID reported for the novlxregd user on this server as listed when you ran the commands in Step 1.

      In the example script, the original UID is 101. It is changed to 81 in the third line of the script. The sixth line changes the UID on all of the files and directories on the server that are owned by the novlxregd user from 101 to 81.

    • <novlxsrvd_uid>: The UID that the system assigned to the local novlxsrvd user. It might not be the same on each server, depending on whether the nssid.sh script ran successfully.

      Replace this variable with the UID reported for the novlxsrvd user on this server as listed when you ran the commands in Step 1.

      In the example script, the original UID is 103. It is changed to 82 in the fourth line of the script. The seventh line changes the UID on all of the files and directories on the server that are owned by the novlxsrvd user from 103 to 82.

    • <novlxtier_gid>: The GID that the system assigned to the local novlxtier group. It might not be the same on each server, depending on whether the nssid.sh script ran successfully.

      Replace this variable with the GID reported for the novlxtier group on this server as listed when you ran the commands in Step 1.

      In the example script, the original GID is 101. It is changed to 81 in the second line of the script. The sixth and seventh lines change the GID from 101 to 81 for all of the files and directories on the server that are owned by the novlxtier group.

  5. Make the script executable and run it on the server.

    IMPORTANT:Changes to the X-Tier files are not reported on the terminal.

    Error messages are reported, but you can safely ignore them. The script scans the entire file system, and some files are locked because the system is running.

  6. Repeat from Step 1 for each of the other servers in the same context.

2.5.4 Extending the Schema

An eDirectory tree must have its schema extended to accommodate OES 11 servers and services as explained in the following sections:

Who Can Extend the Schema?

Only an administrator with the Supervisor right at the root of an eDirectory tree can extend the tree’s schema.

Which OES 11 SP3 Services Require a Schema Extension?

The following service schema extensions are included with OES 11 SP3.

A single asterisk (*) indicates a service that is either required for OES 11 SP3 servers or for the default services that are installed on every OES 11 SP3 server.

Unmarked extensions are implemented the first time their respective services are installed, unless the schema was previously extended using another method, such as the YaST plug-in (see Using the YaST Plug-In to Extend the Schema).

Extending the Schema While Installing OES 11 SP3

The simplest way to extend the schema for OES 11 SP3 servers is to have a tree admin install the first OES 11 SP3 server and the first instance of each OES 11 SP3 service that you plan to run on your network.

After this initial installation, you can assign subcontainer admins with the required rights to install additional servers and services. For more information on the required rights for the various OES services, see Rights Required for Subcontainer Administrators.

Using the YaST Plug-In to Extend the Schema

If you want a subcontainer admin to install the first OES 11 SP3 server or the first instance of an OES 11 SP3 service in an existing tree, and you don’t want to grant that admin the Supervisor right to the root of the tree, someone with the Supervisor right to root can extend the schema by using YaST from any of the following locations:

  • An OES 11 SP3 server running in another tree

  • Install a fully patched SLES 11 SP4 server, then install OES 11 SP3 without installing any of the services, followed by the yast2 novell-schema tool installation.

To run the Novell Schema Tool:

  1. On the server’s desktop, click Computer and open the YaST Control Center.

  2. Click Open Enterprise Server > Novell Schema Tool.

  3. Depending on the installation method you used, you might be required to insert your OES 11 SP3 installation media.

  4. On the NetIQ eDirectory Extension Utility page, specify the information for an eDirectory server with a Read/Write replica of the Root partition.

    Be sure to provide the correct information to authenticate as an admin user with the Supervisor right at the root of the target tree. Otherwise, the schema extension fails.

  5. Select all of the other services you plan to run on any of the OES 11 SP3 servers in the tree.

  6. Click Next.

    The schema is extended.

    The YaST2 novell-schematool utility writes the schema event messages to the /var/opt/novell/eDirectory/log/oes_schema.log file on the server where the utility is running.

Extending the Schema for Novell Cluster Services

If you want a subcontainer administrator to install the first instance of Novell Cluster Services in a tree, you can extend the schema by following the instructions in Installing, Configuring, and Repairing Novell Cluster Services in the OES 11 SP3: Novell Cluster Services for Linux Administration Guide.