Novell Network Management: NetWare 6

Chapter 9: Manage eDirectory Upgrades, Resource Redirections, and Schema Extensions


Objectives:

This chapter concerns upgrade tasks in an existing network that uses an earlier version of eDirectory. The objectives important to this chapter are found on page 9-1:

  1. Prepare for Upgrading to eDirectory 8.6
  2. Use the eDirectory Import/Export Wizard to Manage LDIF Files
  3. Redirect Resources in the Tree
  4. Extend the eDirectory Schema
Concepts:

Prepare for Upgrading to eDirectory 8.6

A stable network will run only one version of eDirectory. Even if you do not upgrade all the servers in a network to NetWare 6, you will want to upgrade the version of eDirectory that the older servers are running to be consistent with the version on your NetWare 6 servers.

In order to prepare to upgrade eDirectory on existing servers, you must carry out several steps.

  1. Install the latest support packs to your NetWare servers. Support packs are cumulative. A new support pack will typically include everything that was in the previous support packs for the same version of NetWare.
  2. Run NetWare Deployment Manager (NWDEPLOY.EXE) from your installation CD, and update the schema of any server needing an intermediate update. This is different from previous versions: you previously could update to the current version without in-between steps.
  3. Install or update Certificate Server. eDirectory 8.6 requires Certificate Server be running, in order to provide SSL services. Secure Sockets Layer services are also required by LDAP services, web servers, and Remote Manager.
    The first NetWare 6 server installed in a new network will automatically receive the Certificate Server object and will act as the Certificate Server. The same thing happens when you upgrade to eDirectory 8.6: the first server to be upgraded gets the Certificate Server. (Make sure that the server that gets this upgrade first is the one you want to run the Certificate Server service. You do not want to move the CA object, since this will invalidate the certificates already issued.)
    To upgrade a network to eDirectory 8.6, your CA must be running Certificate Server 2.0 or later. If not, the CA must be upgraded first.

Perform a Health Check - The text lists this as a preparation step, but it follows installation of eDirectory 8.6, so it can't be preparatory. It is, however, a step to follow before you can be sure you are done.

  • If you installed eDirectory from a CD, it is possible you need to download and install patches to be current.
  • Time synchronization and replica synchronization should be checked. If either one is not working, you may have eDirectory problems.
  • Several console commands will help check the system.
    • Run DSREPAIR, and check Time Synchronization. In addition to actually checking this feature, Time Synchronization will show you the version of DS.NLM running on each server you can reach. All servers running the same version of NetWare should run the same version of DS.NLM.
    • Use DSTRACE to check two kinds of synchronization:
      SET DSTRACE=ON turns on the feature and creates a results screen on the server console.
      SET DSTRACE=+S checks for synchronization of objects.
      SET DSTRACE=*H tells the servers to synchronize.

      Other variations are used as well. Begin with the first line, then continue with these:
      SET DSTRACE=+SCHEMA reports schema information.
      SET DSTRACE=*SS starts a synchronization for the schema.

      When you are done using DSTRACE, the text recommends turning it off to save resources:
      SET DSTRACE=nodebug turns off the features currently in use.
      SET DSTRACE=+min restores the default settings.
      SET DSTRACE=off turns off the console screen for DSTRACE.
Use the eDirectory Import/Export Wizard to Manage LDIF Files

LDIF is an acronym that might have been LDAPDIF: Lightweight Directory Access Protocol Data Interchange Format. Aren't you glad they shortened it? LDAP is based on DAP (You don't need that expanded, do you?), which is based on a broader network standard called X.500.

LDIF files can be used to load information into an LDAP compliant Directory system. eDirectory is LDAP compliant. It uses NLDAP.NLM to provide LDAP service on a Novell network. LDAP service uses a different syntax than Novell services. The text makes two points about it:

  • Novell syntax uses periods as separators in names. LDAP uses commas.
  • Novell syntax can use typeful or typeless names. LDAP uses typeful distinguished names.

Some of this will be familiar to those of you who have worked on networks that used this notation.

The book offers a URL with more information about LDAP. You can't click your book, but you can click this link.

The contents of an LDIF file can be read with any text editor, since the file is stored in ASCII. The file may have several entries in it, corresponding to several objects in a database. Each object entry must include:

  • a distinguished name
  • an object class (at least one is required)
  • the required attributes for this type of object, and their values

The entry may include other attributes and values, as well as other classes for the object. It may also include an entry ID. If the file contains multiple object entries, they are separated by blank lines. Field identifiers in the file itself are followed by colons. The example in the book illustrates another concept, that of actions to be performed with the information. In the two examples in the text, there are lines that read:

      changetype: add

This means that the object is to be added to the tree. The action for changetype could be add, delete, modify, or moddn. (moddn means "modify distinguished name". This means to change the name of what a Novell admin would call a leaf. Some sources say moddn stands for "modify down", which is a move command. This is consistent with changing a distinguished name.)
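The two points just made about LDIF (the Novell-versus-LDAP name syntax, and the rules for what each entry in an LDIF file must contain) are easier to see with a small reader that applies them. The following is an added example, not code from the course text or from Novell: it converts a typeful Novell name to an LDAP distinguished name, splits an LDIF file into its blank-line-separated entries, and checks each entry for a distinguished name, an object class, a valid changetype, and the required attributes of its classes. The sample LDIF file and the required-attribute table for inetOrgPerson are constructed stand-ins for a real export and a real schema.

```python
"""Added example: check LDIF entries against the rules described in the text."""
import base64

VALID_CHANGETYPES = {"add", "delete", "modify", "moddn"}

# Constructed sample file: two entries separated by a blank line, every field
# followed by a colon, and one base64 value (the "::" form) for illustration.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=sales,o=xyz
changetype: add
objectClass: inetOrgPerson
objectClass: top
cn: jsmith
sn: Smith
description:: aGVsbG8=

dn: cn=oldprinter,ou=manufacturing,o=xyz
changetype: delete
"""

# Constructed stand-in for the schema's list of required attributes per class.
REQUIRED_BY_CLASS = {"inetOrgPerson": ["cn", "sn"]}


def novell_to_ldap_dn(name):
    """Turn a typeful Novell name (".CN=admin.OU=sales.O=xyz") into an LDAP
    distinguished name ("cn=admin,ou=sales,o=xyz").  Novell syntax separates
    components with periods; LDAP uses commas and needs typeful components, so a
    typeless name such as ".admin.sales.xyz" is rejected instead of guessed at."""
    components = [c for c in name.strip().strip(".").split(".") if c]
    converted = []
    for component in components:
        if "=" not in component:
            raise ValueError(f"typeless component {component!r}: LDAP needs a typeful name")
        attr, value = component.split("=", 1)
        converted.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(converted)


def parse_ldif(text):
    """Split LDIF text into entries (blank-line separated).  Each entry becomes a
    dict of lower-cased attribute name -> list of values.  Continuation lines
    (leading space) are folded into the previous value and "attr:: base64" values
    are decoded; comment lines starting with '#' are skipped."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if ":" not in raw:
            raise ValueError(f"malformed line (no colon after field name): {raw!r}")
        attr, value = raw.split(":", 1)
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_entry(entry, required_by_class=None):
    """Return a list of problems with one parsed entry: missing dn, unknown
    changetype, an add entry with no objectClass, or a required attribute of one
    of its classes that is absent.  An empty list means the entry is acceptable."""
    required_by_class = required_by_class if required_by_class is not None else REQUIRED_BY_CLASS
    problems = []
    if "dn" not in entry:
        problems.append("missing dn")
    changetype = entry.get("changetype", ["add"])[0]
    if changetype not in VALID_CHANGETYPES:
        problems.append(f"unknown changetype {changetype!r}")
    if changetype == "add":
        classes = entry.get("objectclass", [])
        if not classes:
            problems.append("add entry has no objectClass")
        for cls in classes:
            for attr in required_by_class.get(cls, []):
                if attr.lower() not in entry:
                    problems.append(f"class {cls} requires attribute {attr}")
    return problems


if __name__ == "__main__":
    print(novell_to_ldap_dn(".CN=admin.OU=sales.O=xyz"))
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", check_entry(entry) or "ok")
```

Running such a check over an LDIF file before handing it to ICE catches the mistakes that otherwise surface only as rejected entries during the import: an entry whose distinguished name still uses Novell period notation, an add with no object class, or a misspelled changetype.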

The utility used in NetWare 6 to import data from or export data to LDIF files is called ICE: Import/Conversion Export. (Previous versions of eDirectory used UIMPORT or BULKLOAD for these functions.) ICE can be used from a wizard in ConsoleOne, or from a command line interface.

When importing data with ICE, it is important to know the name and location of the LDIF file, and the name of a server running an eDirectory agent. It is not necessary to specify a partition or a container, since this information is included in the LDIF file. Exporting data to an LDIF file is similar.

As noted above, ICE can be used to import a number of objects at once. To do so, eDirectory 8.5 (and later) uses LDAP Bulk Update/Replication Protocol, which has the rather silly acronym LBURP. The text notes that you must disable LBURP if you are importing data to a version of eDirectory earlier than 8.5. If possible, use LBURP, to send multiple requests at one time, to process them in the order intended, and to process requests as fast as the server processor can handle them.

Redirect Resources in the Tree

This section of the chapter concerns two functions: moving objects in the tree, and creating alias objects.

The tree can be navigated in ConsoleOne. The concept will be familiar to anyone who has navigated a file system in Windows Explorer, or the older File Manager.

The navigation screen is divided into two parts. The left panel is used to drill down into containers. Objects are selected in the right panel.

As in Windows applications, you can select multiple objects. In the image on the right, the admin object in the sales container is selected. Suppose you hold a shift key down, and click the XYZ_SERVER object (shift-click). The effect would be to select the admin object, the XYZ server object, and the three objects between them in the list as well.

If you wish to select multiple objects without selecting those between them, hold down a control key and click each object (ctrl-click).

To move objects in the tree, first select them, then right-click over one of them. On the screen that appears, choose Move. You will be able to browse the tree from this screen, to select the destination container for the objects. You will also have the option to create alias objects in the original location of the objects being moved. An alias object is really a pointer that knows the new location of the moved objects. It serves as a forwarding point for requests that look for the objects in their old locations.

Alias objects can be created as noted above, to serve as pointers to objects that have been moved. Alias objects can also be created to provide easy access to objects in other parts of the tree. It is always easiest to grant a user rights to objects that are in the same container as the user's object. If, in the illustration above, a user in the sales container needed rights to an object in the manufacturing container, a simple way to do this would be to create an alias in the sales container, pointing to the specific object in the manufacturing container. In this way, a user in sales could be granted rights to the foreign object, without the possibility of being granted rights to any other object in the manufacturing container.

Extend the eDirectory Schema

The last topic in the chapter begins by defining what the schema is. (A little late for that, folks.) In short, the schema is the list of object classes that can exist in your tree. It includes the possible attributes of each object class, and specifies which attributes are required for object creation.

A schema can be extended by an administrator. Schema Manager, the tool used for this purpose, is accessed in ConsoleOne, from the Tools menu. Using Schema Manager, you can add or remove attributes from an object class, you can create a new object class based on an existing class, or create a new object class based on the needs of your tree. You can also use Schema Manager to remove object classes from the schema that you do not wish to be used. Schema Manager is not to be used for ordinary eDirectory management, but for making modifications that you believe are necessary.