http://forums.novell.com/ en Sun, 22 Nov 2009 07:17:24 GMT vBulletin 60 http://forums.novell.com/images/ca_serenity/misc/rss.jpg http://forums.novell.com/ http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393509-apply-network-restrictions-ldap-proxy-user.html Sat, 21 Nov 2009 04:08:20 GMT (re-post from OES Client forum) Implemented LDAP contextless login using an LDAP Proxy user, and that is working fine. Since the LDAP Proxy... (re-post from OES Client forum)

Implemented LDAP contextless login using an LDAP Proxy user, and that is working fine.

Since the LDAP Proxy user has null password, I wish to lock it down in some way since anyone who knows or guesses the username can login to the directory (not a huge concern but still, want to be thorough).

As far as I can tell from the docs, the only thing I can really do is impose network address restrictions on it ("You can limit the locations that the user can log in from by setting address restrictions for the Proxy User object.")

However, exactly what addr restrictions can / should I impose (such as are just the server IPs of the LDAP servers enough?) and especially, will imposing the address restriction have impact on any other services? Using OES2SP1-Linux and also using NSS clustering if it matters.

Thanks
GM ]]> eDir: Linux gmarsh http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393509-apply-network-restrictions-ldap-proxy-user.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393322-pre-post_ndsd-scripts-moved.html Thu, 19 Nov 2009 19:17:01 GMT I was looking in /etc/init.d for the pre/post_ndsd_stop/start scripts and could not find them. I then searched and found they were moved to... I was looking in /etc/init.d for the pre/post_ndsd_stop/start scripts and could not find them. I then searched and found they were moved to /opt/novell/eDirectory/sbin (and appear to be working just fine). I then looked at another server and found them still in /etc/init.d. The server with the moved scripts was recently upgraded to 8.8.5 FTF1. Was this script move part of the upgrade? I looked at the docs and don't see any mention of moving the scripts but I may have missed it somewhere. Thanks. ]]> eDir: Linux cperilli http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393322-pre-post_ndsd-scripts-moved.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393130-8-8-5-ftf1-how-critical.html Wed, 18 Nov 2009 13:30:13 GMT We have a very strict procedure we need to follow on any software updates. Everything needs to go through a documented test cycle before going into... We have a very strict procedure we need to follow on any software updates. Everything needs to go through a documented test cycle before going into production. Testing has been completed for 8.8.5 but the test cycle was started before FTF1 was out. We are scheduled to do the production upgrade to 8.8.5 this weekend. We have already started testing on FTF1 but it will not complete the cycle for weeks. Is 8.8.5 "safe" to install without FTF1 or are there some critical problems in unpatched 8.8.5 that would make that a bad idea. We have had no issues with our local testing. Our eDirectory environment is all based on SLES10.2 boxes used for IDM and LDAP authentication purposes.

Also, it sure would be nice if Novell provided install scripts with FTFs. FTF1 is 17 rpms. The documentation says this is a "manual" installation. On 20+ servers?...NOT! Of course we write scripts to take care of it but it would be nice if the scripts were provided. Just a friendly suggestion if Novell is listening.

Thanks! ]]> eDir: Linux cperilli http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393130-8-8-5-ftf1-how-critical.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393090-where-download-edirectory-8-8-sp3-sles10-64bit.html Wed, 18 Nov 2009 04:11:48 GMT HI,

I need someone here to provide me the link to download "eDir_88_SP3_Linux-x86_64".

Thanks. ]]> eDir: Linux lihtian http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/393090-where-download-edirectory-8-8-sp3-sles10-64bit.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392974-ms-ad-novell-edirectory-migration.html Tue, 17 Nov 2009 12:09:26 GMT is there any migration tool available that migrates MS AD 2003 objects(ou, users, groups, computers, printers) to Novell eDirectory ? if yes, then... is there any migration tool available that migrates MS AD 2003 objects(ou, users, groups, computers, printers) to Novell eDirectory ?

if yes, then when migrating from MS AD 2003 to Novell eDirectory... does the passwords of MS AD 2003 users, also migrates to Novell eDirectory ?

e.g in MS AD, a user name 'abc' has passowrd 'abc123+', does the password remains same in Novell eDirectory ?

regards
needee ]]> eDir: Linux needee http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392974-ms-ad-novell-edirectory-migration.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392768-import-certificate-after-server-rebuild.html Mon, 16 Nov 2009 21:39:17 GMT Question about certificates (third party, specifically). If I have a third party cert loaded into a PKI Key Material object, and I then rebuild that... Question about certificates (third party, specifically). If I have a third party cert loaded into a PKI Key Material object, and I then rebuild that server (say to move from Netware 6.5 to SLES), is it possible to reimport that cert if I've exported it with the private key? Or do I have to go get another one from Verisign or wherever? I know that you can replace the cert in iManager, but I'm wondering if the key pairs will still be valid since I would have had to generate a new key pair to get the new object out there. I haven't done this before and I really don't have spare Verisign certs to test with. =) ]]> eDir: Linux infinity9999 http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392768-import-certificate-after-server-rebuild.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392751-error-1497-ddsinit-failed.html Mon, 16 Nov 2009 19:28:20 GMT I am attempting to run

ndsconfig new def -s ServerName -t mytree -n o=org -a "admin.pipsc"

and I get the above error

ERROR -1497 DDSInit failed.

eDirectory 8.8 on a suse 10 Enterprise server

I have gone through the prerequisistes and I think I have everything.

I'm not using SLP so I created a hosts.nds
I didn't install nici, I don't currently use it on any of our NetWare
servers.

Thanks for the insight
]]> eDir: Linux candaced http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392751-error-1497-ddsinit-failed.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392723-ldap-logins-best-practices.html Mon, 16 Nov 2009 16:20:02 GMT Hi all,
Got a question about how best to provision LDAP services in a network. We've got eDirectory logins configured via ldap for many Macintosh client machines throughout our county. Our county's server structure is 4 replicas physically spread around, with each school having a dedicated sles/oes2sp1 server that handles dhcp and iprint, they are not replicas.. I have configured the mac ldap clients at each school reference their own school's Linux OES2sp1 server for ldap logins - thinking this would help load balance.
What we've found sofar is that if an entire lab logs in at one time, the logins slow to a crawl - taking 2 minutes or more to fully go from login screen to a usable desktop. One fix that we've found right now is to reconfigure the clients to point directly at one of the replicas.
We're doing this for labs currently, but now my worry is at what point that will overload the replica server. Is there a best practice for this? Is there a way to speed up the logins on the non-replica school servers? Should I just point everything at that one server and feel confident that it can handle the load?
Thanks
P ]]> eDir: Linux petefuller http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392723-ldap-logins-best-practices.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392693-auxiliary-class.html Mon, 16 Nov 2009 11:52:37 GMT Guys, if I have created an Auxiliary class with some optional attributes, can I add on later with some mandatory attributes? As I try to do such... Guys, if I have created an Auxiliary class with some optional attributes, can I add on later with some mandatory attributes? As I try to do such action in iManager but can't find the way. Thx ]]> eDir: Linux kkyen http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392693-auxiliary-class.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392681-edir-885ftf1-java-crash.html Mon, 16 Nov 2009 09:17:27 GMT this morning editr on my IDM server was down and ndsd.log has the following: Nov 13 11:12:28 Repair utility for Novell eDirectory 8.8 - 8.8 SP5...
this morning editr on my IDM server was down and ndsd.log has the following:

Nov 13 11:12:28 Repair utility for Novell eDirectory 8.8 - 8.8 SP5 v20501.00 Successfully loaded
Nov 13 11:12:28 Repair utility for Novell eDirectory 8.8 - 8.8 SP5 v20501.00 Successfully unloaded
#
# An unexpected error has been detected by Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0xb09ee4cc, pid=28172, tid=2499664800
#
# Java VM: Java HotSpot(TM) Server VM (10.0-b22 mixed mode linux-x86)
# Problematic frame:
# CNov 16 09:30:34 Path of Novell eDirectory configuration file /etc/opt/novell/eDirectory/conf/nds.conf
Nov 16 09:30:36 Host process for Novell eDirectory 8.8 SP5 v20501.00 successfully started
Nov 16 09:30:36 DHLog: file size 1048576
[ -- DHost Logging STARTED Mon Nov 16 09:30:36 2009 -- ]
Nov 16 09:30:36 MASV Init called

any idea where to look for the cause? Individual driver traces don't show any error messages ,they all just end on saturday evening withing a 5 min timeframe...

Cheers, Lothar
]]> eDir: Linux lhaeger http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392681-edir-885ftf1-java-crash.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392660-certificate-chain-ad.html Sun, 15 Nov 2009 22:12:39 GMT wanting to know if it is possible to chain an eDirectory certificate server as a subordinate to an active directiry root server. I have read in the... wanting to know if it is possible to chain an eDirectory certificate server as a subordinate to an active directiry root server. I have read in the documentation that it is possible to chain with 3rd party such as verisign. I also want to know if this is possible without the need to delete the existing CA from my tree. I basically want to be able to issue certificates as subsiduary1.company.com from an eDirectory server, but have company.com remain as the active directory root certificate server. ]]> eDir: Linux pcoombs http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392660-certificate-chain-ad.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392638-edirectory-design.html Sun, 15 Nov 2009 12:11:45 GMT Hi, We are creating eDirectory design and after discussion with novell expert, we have finalized two strategy based on experince we have. I am... Hi,

We are creating eDirectory design and after discussion with novell expert, we have finalized two strategy based on experince we have. I am giving details of our network.......

Let say, our organization XYZ is speaded around the globe with having around 30,000 associates. In the organization, we have 3 countries with organization structure as 4 departments and almost 6-7 sub departments in every department and we have almost 10,000 associates accessing the eDir from geographically different locations.

Now we are working two kind of designs as described below:

Design Strategy A:
---------------------------
O=XYZ-TREE
|--C=X1
| |--OU=Dep1
| | |--OU=SubDep1
| | |--OU=Users
| | |--OU=Resources
|
|
|--C=X2
| |----
-----------------------------------
NOTE: We have hierarchy as Organization-Country-Department-Sub Department. And under each sub-department we have two containers named, Users and Resources. Users contains the all Users belongs to the particular sub-department and resources contains the shared resources for that sub-department. We found that there are multiple resources which are shared within multiple departments so we created Resources container and put all resources under that by sub-department. If any resource is being shared by any other sub-department then we create alias of the resource in that sub-department’s resources.

Benefits of this kind of structure is, we could easily partition and create the server based on geographical requirements.

Design Strategy B:
---------------------------
O=XYZ-TREE
|--OU=Users
|--OU=Resources
|
|--C=X1
| |--OU=Dep1
| | |--OU=SubDep1
|
|
|--C=X2
| |----

Note: Although the above strategy is same as explained in A with the difference is User and resources containers are placed just below to the Organization and Users and Resources are linked with the department, sub-department using attributes.

What you would suggest to opt for better eDirectory extendable structure?

Thanks in advance for your recommendation.
HeavenAlive ]]> eDir: Linux HeavenAlive http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392638-edirectory-design.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392423-re-imported-cert-not-same.html Thu, 12 Nov 2009 15:43:34 GMT We have a problem where eDirectory (8.8.1) keeps corrupting its database. The most annoying part about having to reinstall is that the server in... We have a problem where eDirectory (8.8.1) keeps corrupting its database. The most annoying part about having to reinstall is that the server in question is the CA. To avoid having to update all the LDAPS clients with a new cert, I exported the CA certificate with its private key into a .pfx file using iManager (2.6).

(Yes, these are old versions, the upgrade project is moving slowly...)

I tried deleting the CA object and recreating it with the wizard as an import, but it threw a null pointer exception and SSL operations logged errors to dstrace about not being able to access the server's KMO.

So I deleted the CA again and recreated it using default settings, but then used the Replace option on the certificates tab to replace the CA certificate with the exported .pfx file.

That seemed to work, but the cert is not the same as it was before. It has the same serial number but a different RSA modulus.

So what am I doing wrong? How do I get the same cert I had before? If I didn't do the export properly, what are the missing steps so I can at least avoid having to do this yet again? ]]> eDir: Linux markjreed http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392423-re-imported-cert-not-same.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392361-user-object-class.html Thu, 12 Nov 2009 06:50:53 GMT I am working on eDirectory from past 6months or so and found one fact to clarify. It is related to User ObjectClass. I was just browsing eDir and... I am working on eDirectory from past 6months or so and found one fact to clarify. It is related to User ObjectClass.

I was just browsing eDir and found that if i search eDir to find the User having ObjectClass=User, it result me all User object but if i look at the ObjectClass values of the serached Users, i do not see any value having "User". I am sure that it coz we search User thru LDAP API and there must be some twiking on that (correct me if I am wrong).

It is quite similar to encapsulation concept. Now my question is, how could we create Object class with same functionality?

Somthing like, I want to create object class named "A" and in search, i would be able to search the "A" objects with "B".

Thanks in advance!! ]]> eDir: Linux rajeshemailto http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392361-user-object-class.html http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392321-replicas-showing-replicas-but-not-replicating.html Wed, 11 Nov 2009 22:29:10 GMT We have a sles10 sp2 oes2 sp1 server that is in eDirectory as a replica server. However in our ds ring it is not showing up. It shows up as synched... We have a sles10 sp2 oes2 sp1 server that is in eDirectory as a replica server. However in our ds ring it is not showing up. It shows up as synched for time but it will not show up in our replica ring. Any ideas? ]]> eDir: Linux lilott8 http://forums.novell.com/novell-product-support-forums/edirectory/edir-linux/392321-replicas-showing-replicas-but-not-replicating.html