How to backup and restore eDirectory 8.8 SP1, NICI 2.7 and iManager 2.6 to another Linux server.

  • 3295479
  • 23-Jul-2007
  • 25-Mar-2013

Environment

Novell eDirectory 8.8 for Linux
Novell iManager 2.6
Novell NICI 2.7
Novell Modular Authentication Service (NMAS) version 3.1.1
Novell Transport Layer Security (NTLS) 2.0
Novell SUSE Linux Enterprise Server 10

Situation

There are times when a server's identity (the eDirectory database, NICI server and tree keys, etc.) must be moved from one server to another. The purpose in doing so may include server maintenance, backup for disaster recovery, internal testing or sending these files to Novell's Technical Support for troubleshooting.
 
With eDirectory 8.8.x it is no longer adequate to simply stop the ndsd daemon then tarball the dib directory. Nor is it enough to use eMBox or DSBK to backup the database files alone.
 
Along with eDirectory 8.8.x's ability to provide encrypted attributes/replication as well as preserving NMAS password information comes a dependence on having the server's NICI files preserved along with the database. These keys (found on the file system) may be required even to open the database on another server. Another consideration is that without these keys all information in the eDirectory database that has been encrypted with them may be lost in a disaster recovery scenario where all copies of other replicas have been lost. They are also required to run the database on another server for the reasons mentioned above.
 
NOTE: Restoration of an eDirectory database on a server requires very serious consideration. If performed improperly, the entire tree can be damaged beyond repair. Novell recommends that customers consult with Novell Technical Support before restoring an eDirectory database.

Resolution

Below are the steps to move an 8.8.1 eDirectory database (with NMAS passwords and encrypted attributes), the NICI 2.7 files and iManager 2.6 from one server running SLES 10 to another SLES 10 server. Prior to performing these steps both the original (source) server and the second server (target server) have had SLES 10 installed as well as eDirectory 8.8.1 and iManager 2.6 using only the tomcat web server. Tomcat is running the default certificates. No Apache is installed. The installations both used only the default locations with a root install. The target server was installed into a temporary tree and both servers are running only a single instance.
BACKUP EDIRECTORY AND NICI ON THE SOURCE SERVER
1. In order to find the file locations for the eDirectory database and conf files, run "ndsconfig get" from a terminal.
Note the following information from the returned data.
- Config File=Instance at: /etc/opt/novell/eDirectory/conf/nds.conf
This is the eDirectory conf file.
- eDirectory Database files=n4u.nds.dibdir /var/opt/novell/eDirectory/data/dib
This is the eDirectory database directory.

2. Shut down the NDSD and iManager services.
/etc/init.d/ndsd stop
/etc/init.d/novell-tomcat4 stop
NOTE: Once the database has been loaded on the target server the source server must never be active again or seen on the wire by any of the other servers in the tree.

3. Copy the database files from the source server. Location: /var/opt/novell/eDirectory/data/dib.
In this example we will tarball the directory. To tarball the database run the following commands:
cd /var/opt/novell/eDirectory/data
tar -zcvf dibbak.tgz dib
Then copy the resulting tgz file to the target server.
4. Copy over the nds.conf file.
/etc/opt/novell/eDirectory/conf/nds.conf

5. Copy over the NDSD script.
/etc/init.d/ndsd
BACKUP NICI KEYS AND CONFIG FILES

1. Copy the NICI Configuration file
/etc/opt/novell/nici.cfg

2. Copy the NICI Keys
/var/opt/novell/nici
To tarball:
cd /var/opt/novell
tar -zcvf nici.tgz nici

3. These servers will be running identical versions of eDirectory and NICI. However, if this were not the case, the NICI library file should also be backed up: /opt/novell/lib/libccs2.so.2.7.0
NOTE: This file may end in a different version number depending on the version of NICI installed.
BACKUP IMANAGER FILES

1. Backup the iManager configuration files:
/var/opt/novell/iManager/nps/WEB-INF/config.xml
/var/opt/novell/iManager/nps/WEB-INF/configiman.properties
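The backup steps above copy each file by hand. As an added example (not commands from the TID), the two functions below bundle the same identity files into one archive together with a sha256 manifest, so that the target server can prove the copy is intact before anything is moved into place. They assume GNU tar and coreutils sha256sum as shipped with SLES; the PREFIX argument is an assumption added so the functions can be exercised against a scratch tree instead of a live server.

```shell
#!/bin/sh
# Added example; not the TID's own commands. Bundles the identity files the TID
# lists into one archive plus a sha256 manifest, so the target can prove the
# copy is intact before anything is moved into place. Stop ndsd and tomcat
# first (step 2 above). Assumes GNU tar and coreutils sha256sum, as on SLES.
#
#   backup_identity OUTDIR [PREFIX]   -> prints the archive path
#   verify_identity MANIFEST [PREFIX] -> exit 0 if every file still matches
#
# PREFIX defaults to "" (the live root) and exists so the functions can be
# exercised against a scratch tree without touching a real server.
backup_identity() {
    outdir=$1; prefix=${2:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    archive=$outdir/edir-identity-$stamp.tgz
    manifest=$outdir/edir-identity-$stamp.sha256
    # The TID's minimum backup set plus the NICI library, relative to PREFIX
    set -- var/opt/novell/eDirectory/data/dib \
           etc/opt/novell/eDirectory/conf/nds.conf \
           etc/init.d/ndsd \
           etc/opt/novell/nici.cfg \
           var/opt/novell/nici \
           opt/novell/lib/libccs2.so.2.7.0 \
           var/opt/novell/iManager/nps/WEB-INF/config.xml \
           var/opt/novell/iManager/nps/WEB-INF/configiman.properties
    for p in "$@"; do
        [ -e "$prefix/$p" ] || { echo "missing: $prefix/$p" >&2; return 1; }
    done
    mkdir -p "$outdir"
    # Relative paths (-C) so the archive unpacks under any root on the target;
    # GNU tar records owner, group and mode of every entry for tar -xp.
    tar -C "${prefix:-/}" -czf "$archive" "$@"
    # Per-file checksums of the originals, re-checked on the target after extraction
    ( cd "${prefix:-/}" && find "$@" -type f -exec sha256sum {} + ) > "$manifest"
    chmod 600 "$archive" "$manifest"   # tree key and NICI key material are inside
    echo "$archive"
}

verify_identity() {
    manifest=$1; prefix=${2:-}
    # sha256sum -c runs relative to PREFIX, so the manifest path must be absolute
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    ( cd "${prefix:-/}" && sha256sum -c "$manifest" >/dev/null )
}
```

On the target, after the services are stopped and the old directories have been moved aside as in the restore steps, `tar -C / -xpzf edir-identity-DATE.tgz` followed by `verify_identity /path/to/edir-identity-DATE.sha256` confirms that every file, the tree key included, arrived byte for byte before ndsd is started.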
 
RESTORING EDIRECTORY SERVICES TO THE TARGET SERVER
1. Stop eDirectory and Tomcat Services:
/etc/init.d/ndsd stop
/etc/init.d/novell-tomcat4 stop
2. Backup then copy over the eDirectory conf file.
mv /etc/opt/novell/eDirectory/conf/nds.conf /etc/opt/novell/eDirectory/conf/nds.conf.bak
cp nds.conf /etc/opt/novell/eDirectory/conf/nds.conf
3. Edit the nds.conf file to reflect the IP address of this server.
4. Backup then copy over the ndsd script.
mv /etc/init.d/ndsd /etc/init.d/ndsd.bak
cp ndsd /etc/init.d/ndsd
5. Ensure permissions are set correctly on the restored script file so it will execute.
chmod 755 /etc/init.d/ndsd
6. Backup then copy the source server's eDirectory database.
mv /var/opt/novell/eDirectory/data/dib /var/opt/novell/eDirectory/data/dib.bak
cd /var/opt/novell/eDirectory/data
tar -zxvf dibbak.tgz
 
NOTE: Novell does not support the use of symlinks to specify the location of the eDirectory database or its roll forward logs (RFLs). One must modify the nds.conf file to specify the database location, if it is not in the default location.
 
RESTORE NICI:
1. Backup then copy the NICI Configuration file.
mv /etc/opt/novell/nici.cfg /etc/opt/novell/nici.cfg.bak
cp nici.cfg /etc/opt/novell/nici.cfg
2. Backup then copy the NICI keys.
mv /var/opt/novell/nici /var/opt/novell/nici.bak
cd /var/opt/novell
tar -zxvf nici.tgz
RESTORE IMANAGER FILES
mv /var/opt/novell/iManager/nps/WEB-INF/config.xml /var/opt/novell/iManager/nps/WEB-INF/config.xml.bak
cp config.xml /var/opt/novell/iManager/nps/WEB-INF/config.xml
mv /var/opt/novell/iManager/nps/WEB-INF/configiman.properties /var/opt/novell/iManager/nps/WEB-INF/configiman.properties.bak

cp configiman.properties /var/opt/novell/iManager/nps/WEB-INF/configiman.properties
RESTART SERVICES
/etc/init.d/ndsd start
/etc/init.d/novell-tomcat4 start
If all went well the server should report the following:
Executing customized settings before starting the Novell eDirectory server...
Starting Novell eDirectory server... done
Executing customized settings after starting the Novell eDirectory server...
Novell eDirectory LDAP Server is listening on the TCP port.
Novell eDirectory LDAP Server is listening on the TLS port.

netstat should now show the server listening on ports 524, 636, 8030 and 8443.
COMMON FIXES IF IMANAGER IS NOT WORKING OR THE IMANAGER FILES WERE NOT COPIED:
1. -626 errors on login.
Stop tomcat: /etc/init.d/novell-tomcat4 stop
Edit the /var/opt/novell/iManager/nps/WEB-INF/config.xml file. The following sections should match the target server's IP address and the restored tree name.

<setting>
Restart Tomcat: /etc/init.d/novell-tomcat4 start
2. -111 errors when logging into iManager. The config.xml file may be bad. Copy and edit the config.xml from another working server.
3. Unable to see the task to configure iManager or detect new plugins.
The authorized user needs to be changed for the restored database.
Stop tomcat: /etc/init.d/novell-tomcat4 stop
Edit the /var/opt/novell/iManager/nps/WEB-INF/configiman.properties file to reflect the restored tree's authorized user's username, context and tree name.
e.g., admin.emg.HINESLABTREE=eDirectory
Restart tomcat: /etc/init.d/novell-tomcat4 start
4. -625 errors logging in to iManager
Usually not enough time was allowed between restarting tomcat and authenticating to iManager. Wait several minutes for the tomcat connectors to initialize.

Additional Information

Overview
To provide the ability to restore eDirectory in case of a disaster, AT A MINIMUM, the following directories and files should be backed up. The NICI and iManager files need only be backed up again when new versions are installed.
/var/opt/novell/eDirectory/data/dib
/etc/opt/novell/eDirectory/conf/nds.conf
/etc/init.d/ndsd
/etc/opt/novell/nici.cfg
/var/opt/novell/nici
/opt/novell/lib/libccs2.so.2.7.0
/var/opt/novell/iManager/nps/WEB-INF/config.xml
/var/opt/novell/iManager/nps/WEB-INF/configiman.properties
Additional information that may be required:
Symbolic Links:
/etc/nici.cfg --> /etc/opt/novell/nici.cfg
/var/novell/nici --> /var/opt/novell/nici
/usr/lib/libccs2.so --> /opt/novell/lib/libccs2.so.2.7.0
/opt/novell/lib/libccs2.so --> /opt/novell/lib/libccs2.so.2.7.0
Permissions:
/etc/init.d/ndsd Permissions=0755 Owner=root Group=sys
/var/opt/novell/eDirectory/data/dib Permissions=0744 Owner and group=root
/var/opt/novell/nici Permissions=0711 Owner and group=root
/var/opt/novell/nici/0 Permissions=0700 Owner and group=root
/var/opt/novell/nici/103 Permissions=0700 Owner and group=novlwww
NOTE: The two directories under nici must match the UIDs of root and novlwww. In this example root=0 and novlwww=103.
Tree key=/var/opt/novell/nici/0/nicisdi.key Permissions=0644 Owner and group=root
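The permissions, ownership and symlink list above is what is usually wrong after a hand-copied restore. As an added example (not part of the TID), the function below checks a server against that list: the modes and owners of the eDirectory and NICI paths, the four symlinks, and the rule that the directories under /var/opt/novell/nici are named after the UIDs of root and novlwww. It assumes GNU stat and coreutils as shipped with SLES; the PREFIX and user-name arguments are assumptions added so the check can be exercised on a scratch tree by an unprivileged user. The group of /etc/init.d/ndsd (sys in the TID) is printed for review rather than enforced.

```shell
#!/bin/sh
# Added example; not from the TID. Checks a restored server against the
# "Additional Information" table above: modes, owners, the four symlinks and
# the rule that the directories under /var/opt/novell/nici are named after the
# UIDs of root and novlwww. Assumes GNU stat and coreutils (as on SLES).
#
#   check_identity_files [PREFIX] [ROOT_USER] [WWW_USER]
#
# PREFIX defaults to "" (the live root); the user arguments default to root and
# novlwww and exist only so the check can be exercised on a scratch tree by an
# unprivileged user. Prints one line per problem; returns the problem count.
check_identity_files() {
    prefix=${1:-}; ruser=${2:-root}; wuser=${3:-novlwww}
    problems=0
    ruid=$(id -u "$ruser") || return 99
    wuid=$(id -u "$wuser") || return 99
    rgrp=$(id -gn "$ruser"); wgrp=$(id -gn "$wuser")

    # path:mode:owner:group  ("-" = not checked; the TID lists group sys for ndsd)
    for entry in \
        "/etc/init.d/ndsd:755:$ruser:-" \
        "/var/opt/novell/eDirectory/data/dib:744:$ruser:$rgrp" \
        "/var/opt/novell/nici:711:$ruser:$rgrp" \
        "/var/opt/novell/nici/$ruid:700:$ruser:$rgrp" \
        "/var/opt/novell/nici/$wuid:700:$wuser:$wgrp" \
        "/var/opt/novell/nici/$ruid/nicisdi.key:644:$ruser:$rgrp"
    do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        path=$prefix$1; mode=$2; owner=$3; group=$4
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; problems=$((problems + 1)); continue
        fi
        set -- $(stat -c '%a %U %G' "$path")
        [ "$1" = "$mode" ]  || { echo "MODE  $path is $1, want $mode";  problems=$((problems + 1)); }
        [ "$2" = "$owner" ] || { echo "OWNER $path is $2, want $owner"; problems=$((problems + 1)); }
        [ "$group" = "-" ] || [ "$3" = "$group" ] || \
            { echo "GROUP $path is $3, want $group"; problems=$((problems + 1)); }
    done

    # link:target, from the TID's "Symbolic Links" list (a PREFIXed target is accepted)
    for entry in \
        "/etc/nici.cfg:/etc/opt/novell/nici.cfg" \
        "/var/novell/nici:/var/opt/novell/nici" \
        "/usr/lib/libccs2.so:/opt/novell/lib/libccs2.so.2.7.0" \
        "/opt/novell/lib/libccs2.so:/opt/novell/lib/libccs2.so.2.7.0"
    do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        link=$prefix$1; want=$2
        if [ ! -L "$link" ]; then
            echo "NOLINK $link"; problems=$((problems + 1)); continue
        fi
        target=$(readlink "$link")
        [ "$target" = "$want" ] || [ "$target" = "$prefix$want" ] || \
            { echo "LINK $link -> $target, want $want"; problems=$((problems + 1)); }
    done
    return $problems
}
```

Run `check_identity_files` as root on the target after the restore and before starting ndsd; a non-zero return lists exactly which entries differ from the table, and the nici/UID lines catch the case where novlwww has a different UID on the target than on the source.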
NetWare information can be found in the following TIDs: 3290174 and 3303779.