Preparing for install
There are a few things to cover in getting your system ready for installing eDirectory on Linux. The certified operating systems for eDirectory are SUSE Linux Enterprise Server (SLES) 12 SP3 and later or SLES 15, and Red Hat Enterprise Linux 7.6, 7.7, 8.0, and 8.1. The installer checks the OS version and cancels the install if it is not a supported version.
On RHEL 7.x systems you will need to make sure that yum-utils and createrepo are both installed. On RHEL 8.x systems you need dnf-utils and createrepo installed. On SLES systems you need to make sure Zypper is installed.
Next make sure that SELinux is either set to permissive mode, or disabled. You will do this by editing the /etc/selinux/config file. Normally you will see it set to enforcing. Edit the config file, save it, then restart the server. You can then run getenforce to verify that SELinux is set appropriately.
You also need to make sure that the Network Time Protocol (ntp) is installed and configured on the servers. It is essential that you have a good ntp setup because synchronization conflicts are handled based on timestamp of events. So the servers have to be within +/- 2 seconds of time between each other.
Next you need to make sure that all the servers have connection to one another on the network for port 524. This is the NCP or Netware Core Protocol port. This is how the servers talk to each other for replica synchronization. On Linux I will use the netcat command to test this. You will go to the new server you are adding and run the following command against each of the other servers running eDirectory.
nc -v -w 3 myserv1 524
You then need to go to all the existing servers and do the same thing back toward the new server. One challenge though is that the new server does not have eDirectory running yet. So it won't be listening on port 524. Again netcat to the rescue. You can set netcat up to listen on 524 for the test. Run the following command on the server then go to all the other servers and test connectivity back to the new server. When you are all done you can stop netcat listening with a Ctrl-c. Easy Peesy.
nc -lk 524
Installing the binaries
Once you have your Linux server ready with the proper files the next thing is to install the binaries. This is the program code to actually run eDirectory. You need to install the binaries before creating/configuring eDirectory trees. On Linux you can install one or more trees on the same server. It is sort of like installing SQL server on your server then creating the different databases.
Download the latest eDirectory binary software package and copy it to your server. The file will be a gzipped tar file. Once you get the file on the server you will need to unzip/extract the file. You can decompress and extract it at the same time with the tar command by using the following command. This would be for eDirectory version 9.22.
tar -zxvf eDirectory_922_Linux_x86_64.tar.gz
Once this is done you will go to the subdirectory with the install program. You can extract the tar file as any user, but now you will need to change over to root to install the binaries. There is also a non-root install of eDirectory, but that is outside the scope of this page. Also, I don't recommend using that version if you can avoid it; it has a few quirks that are frustrating to deal with. Organizations will typically restrict root access to Linux admins only so that application admins don't mess up the server. But an eDirectory LDAP engineer will typically be at least as careful as the Linux admin, because if eDirectory goes down it is a much worse situation than issues with the operating system. So we eDirectory engineers are always careful about what we do on the server.
cd ./eDirectory/setup/
Inside this directory you will see a whole bunch of rpm files along with two executable files. One to install the binaries, and the other to uninstall them. The one to install them is nds-install. So you will run this file to start the install process. You will see the EULA that you have to page through then accept. After that typically you will just accept the defaults for any additional options that come up.
Once the install completes you will see a reference to adding pathing to your system. In earlier releases of eDirectory you had to add that pathing manually. With eDirectory 9 the install will now add that to the system automatically. But for the path add to take effect the easiest way to handle it is log out of the server then log back in so that the shell environment loads fresh. There is a script file that you can run to add the paths. But hey I am lazy and it is just way easier to log out and back in again.
Setting up hosts.nds
Note: This step is only done for adding more servers to a tree. Do not do it for the very first server in a new tree installation. You will get an error that the tree exists when it looks for duplicate tree names if you do.
Finally, the servers need to be able to find each other. You can use the Service Location Protocol (SLP), and I am sure some people set that up, but in the environments I have been in we have opted to use hosts.nds files on each of the servers. The hosts.nds file is similar to the /etc/hosts file in Linux for name lookup, but is used specifically for eDirectory servers to find each other. At the top of the file you will put two or three entries that are for finding the tree itself. Each of those lines is the tree name followed by a dot, then a tab, then the IP address of one of the servers in the tree. Below those entries you will have a line for each server with its IP address. So it will look roughly like the following.
ASGTREE. 192.168.10.5
ASGTREE. 192.168.10.6
myserver1 192.168.10.5
myserver2 192.168.10.6
myserver3 192.168.20.5
You will need to put this file on every server in the /etc/opt/novell/eDirectory/conf/ directory. When you get ready to add another server, edit a copy of this file and deploy it to all the existing servers and the new server as well. The only thing is you won't be able to roll this file out to the new server until you have installed the binary files there.
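Before rolling a hosts.nds file out, it is worth checking that it is internally consistent and that the new server can actually reach port 524 on every server it lists. The script below is an added example, not part of the original page: it validates the file's layout as described above (tree entries ending in a dot, each pointing at the IP of a listed server, every IP a valid dotted quad) and then probes port 524 with nc the way the connectivity test earlier on this page does. The hostnames and addresses are constructed samples.

```shell
# Added example: sanity-check a hosts.nds file, then probe NCP port 524 on each
# server it lists. Names and addresses are constructed samples, not real hosts.

# Constructed sample, modelled on the page's listing (the page separates fields
# with a tab; read splits on tabs or spaces, so either works).
SAMPLE_HOSTS_NDS='ASGTREE.   192.168.10.5
ASGTREE.   192.168.10.6
myserver1  192.168.10.5
myserver2  192.168.10.6
myserver3  192.168.20.5'

# Return 0 only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Read hosts.nds text on stdin. Tree entries (name ending in a dot) must point at
# a listed server's IP. Prints one line per problem; returns the problem count.
validate_hosts_nds() {
  problems=0; tree_count=0; tree_ips=""; server_ips=" "
  while read -r name ip rest; do
    case "$name" in ""|\#*) continue ;; esac
    if ! is_ipv4 "$ip"; then
      echo "bad IP for '$name': '$ip'"; problems=$((problems + 1)); continue
    fi
    case "$name" in
      *.) tree_ips="$tree_ips $ip"; tree_count=$((tree_count + 1)) ;;
      *)  server_ips="$server_ips$ip " ;;
    esac
  done
  [ "$tree_count" -ge 2 ] || { echo "fewer than two tree entries"; problems=$((problems + 1)); }
  for ip in $tree_ips; do
    case "$server_ips" in
      *" $ip "*) ;;
      *) echo "tree entry points at $ip, which is not a listed server"; problems=$((problems + 1)) ;;
    esac
  done
  return "$problems"
}

# Probe port 524 on every server entry (tree entries are skipped). nc -z is the
# connect-only mode, the scripted equivalent of the page's "nc -v -w 3 host 524".
check_ncp_ports() {
  while read -r name ip rest; do
    case "$name" in ""|\#*|*.) continue ;; esac
    if nc -z -w 3 "$ip" 524 </dev/null >/dev/null 2>&1; then echo "$name ($ip): port 524 reachable"
    else echo "$name ($ip): port 524 NOT reachable"; fi
  done
}

printf '%s\n' "$SAMPLE_HOSTS_NDS" | validate_hosts_nds && echo "sample hosts.nds is consistent"
```

Run it against the real file with `validate_hosts_nds < /etc/opt/novell/eDirectory/conf/hosts.nds` and, from the new server, `check_ncp_ports < /etc/opt/novell/eDirectory/conf/hosts.nds`.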
Creating/installing your tree on the server
The final step is to create the tree on the server. If this is the first server being set up for a new tree, you will run the command slightly differently than when you are adding additional servers to an existing tree. Typically you will want your eDirectory tree on at least three different servers for really good redundancy. One thing that is a little different with eDirectory commands is that they use dot notation instead of the commas people are familiar with from most LDAP tools. Also, in the example I put in o= for organization, ou= for organizational unit, and cn= for the common name of the person, but you don't technically need that.
ndsconfig new -t mytest -n ou=system.o=myorg -a cn=boss.ou=adm.o=myorg -S servername -e
The command above will create a new tree called mytest. It will put all the server objects under ou=system.o=myorg and the administrator account will be under ou=adm.o=myorg. You can use whatever structure works best for you. Often I will actually put server object stuff under o=mysystem and the admin users under o=myadmin where my is an acronym for the company or organization. Then I will put all the users and groups etc under o=myorg in some structure that makes sense for that system. This makes granting rights a bit easier because of how things are separated out. I typically will always add the -e switch to allow for clear text ldap connectivity until I get the system up, tested, and configured. Then you can turn that off in iManager in the ldap setup a little later. You can also use a -d at the end of the command to put the dib, which is the directory database files, in a different location. Below is a listing of the switches and their meaning.
-t tree name
-n context where the server object is created (ou=system.o=myorg in the example)
-a fully qualified name of the administrator account (cn=boss.ou=adm.o=myorg in the example)
-S server name
-e allow clear text LDAP connections
-d location for the dib (the directory database files)
The only difference between starting a brand new tree and adding a server to an existing tree is that you will put the word add after ndsconfig instead of new. Keep in mind that you need to have the hosts.nds file in place before you run ndsconfig so that the command can find other servers that hold a copy of the tree.
ndsconfig add -t mytest -n ou=system.o=myorg -a cn=boss.ou=adm.o=myorg -S servername -e
These are the basics of installing eDirectory. I did not cover things like trees with multiple partitions, setting up non-standard network ports, or multiple trees on the same server, but these instructions will cover the majority of installations. Use the NetIQ documentation for more complicated installations and configurations. I am listing here some additional switches for installation, with notes after them.
-R prevents a replica being added at instance creation (on trees with lots of objects you will sometimes want to schedule adding replicas as a separate step)
Copyright © 2016