How to backup and restore eDirectory 8.8 SP1, NICI 2.7 and iManager 2.6 to another Linux server.

  • 3295479
  • 23-Jul-2007
  • 25-Mar-2013


Novell eDirectory 8.8 for Linux
Novell iManager 2.6
Novell Modular Authentication Service (NMAS) version 3.1.1
Novell Transport Layer Security (NTLS) 2.0
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10
Novell eDirectory 8.8 for Linux
Novell iManager 2.6
Novell NICI 2.7
Novell Modular Authentication Service (NMAS) version 3.1.1


There are times when a server's identity (the eDirectory database, NICI server and tree keys, etc.) must be moved from one server to another. The purpose in doing so may include server maintenance, backup for disaster recovery, internal testing or sending these files to Novell's Technical Support for troubleshooting.
With eDirectory 8.8.x it is no longer adequate to simply stop the ndsd daemon then tarball the dib directory. Nor is it enough to use eMBox or DSBK to backup the database files alone.
Along with eDirectory 8.8.x's ability to provide encrypted attributes\replication as well as preserving NMAS password information comes a dependence on having the server's NICI files preserved along with the database. These keys (found on the file system) may be required even to open the database on another server. Another consideration is that without these keys all information in the eDirectory database that has been encrypted with them may be lost in a disaster recovery scenario where all copies of other replicas have been lost. They are also required to run the database on another server for the reasons mentioned above.
NOTE: Restoration of an eDirectory database on a server requires very serious consideration. If performed improperly, the entire tree can be damaged beyond repair. Novell recommends that customers consult with Novell Technical Support before restoring an eDirectory database.


Below are the steps to move an 8.8.1 eDirectory database (with NMAS passwords and encrypted attributes), the NICI 2.7 files and iManager 2.6 from one server running SLES 10 to another SLES 10 server. Prior to performing these steps both the original (source) server and the second server (target server) have had SLES 10 installed as well as eDirectory 8.8.1 and iManager 2.6 using only the tomcat web server. Tomcat is running the default certificates. No Apache is installed. The installations both used only the default locations with a root install. The target server was installed into a temporary tree and both servers are running only a single instance.
1. In order to find the file locations for the eDirectory database and conf files run " ndsconfig get " from a terminal.
Note the following information from the returned data.
- Config File=Instance at: /etc/opt/novell/eDirectory/conf/nds.conf
This is the eDirectory conf file.
- eDirectory Database files=n4u.nds.dibdir /var/opt/novell/eDirectory/data/dib
This is the eDirectory database directory.

2. Shutdown NDSD and iManager services.
/etc/init.d/ndsd stop
/etc/init.d/novell-tomcat4 stop
NOTE: Once the database has been loaded on the target server the source server must never be active again or seen on the wire by any of the other servers in the tree.

3. Copy the database files from the source server. Location: /var/opt/novell/eDirectory/data/dib.
In this example we will tarball the directory. To tarball the database run the following commands:
cd /var/opt/novell/eDirectory/data
tar -zcvf dibbak.tgz dib
Then copy the resulting tgz file to the target server.
4. Copy over the nds.conf file.

5. Copy over the NDSD script.

1. Copy the NICI Configuration file

2. Copy the NICI Keys
To tarball:
cd /var/opt/novell
tar -zcvf nici.tgz nici

3. These servers will be running identical versions of eDirectory and NICI. However, if this were not the case the NICI Library file should also be backed up /opt/novell/lib/
NOTE: This file may end in a different version depending on the version of NICI installed.

4. Backup the iManager configuration files:
1. Stop eDirectory and Tomcat Services:
/etc/init.d/ndsd stop
/etc/init.d/novell-tomcat4 stop
2. Backup then copy over the eDirectory conf file.
mv /etc/opt/novell/eDirectory/conf/nds.conf /etc/opt/novell/eDirectory/conf/nds.conf.bak
cp nds.conf /etc/opt/novell/eDirectory/conf/nds.conf
3. Edit the nds.conf file to reflect the ip address of this server.
4. Backup then copy over the ndsd script
mv /etc/init.d/ndsd /etc/init.d/ndsd.bak
cp ndsd /etc/init.d/ndsd
5. Ensure permissions are set correctly on the restored script file so it will execute.
chmod 755 /etc/init.d/ndsd
6. Backup then copy the source server's eDirectory database.
mv /var/opt/novell/eDirectory/data/dib /var/opt/novell/eDirectory/data/dib.bak
cd /var/opt/novell/eDirectory/data
tar -zxvf dibbak.tgz
NOTE: Novell does not support the use of symlinks to specify the location of the eDirectory database or its roll forward logs (RFLs).  One must modify the nds.conf file to specify the database location, if it is not in the default location.
1. Backup then copy the NICI Configuration file.
mv /etc/opt/novell/nici.cfg /etc/opt/novell/nici.cfg.bak
cp nici.cfg /etc/opt/novell/nici.cfg
2. Backup then copy the NICI keys.
mv /var/opt/novell/nici /var/opt/novell/nici.bak
cd /var/opt/novell
tar -zxvf nici.tgz
mv /var/opt/novell/iManager/nps/WEB-INF/config.xml /var/opt/novell/iManager/nps/WEB-INF/config.xml.bak
cp config.xml /var/opt/novell/iManager/nps/WEB-INF/config.xml
mv /var/opt/novell/iManager/nps/WEB-INF/ /var/opt/novell/iManager/nps/WEB-INF/

/etc/init.d/ndsd start
/etc/init.d/novell-tomcat4 start
If all went well the server should report the following:
Executing customized settings before starting the Novell eDirectory server...
Starting Novell eDirectory server... done
Executing customized settings after starting the Novell eDirectory server...
Novell eDirectory LDAP Server is listening on the TCP port.
Novell eDirectory LDAP Server is listening on the TLS port.

NETSTAT should now show the server listening on ports 524, 636, 8030 and 8443.
1. -626 errors on login.
Stop tomcat: /etc/init.d/novell-tomcat4 stop
Edit the /var/opt/novell/iManager/nps/WEB-INF/config.xml file. The following sections should match the target server's ipaddress and the restored tree name.

< setting>

Restart Tomcat: /etc/init.d/novell-tomcat4 start
2. -111 errors when logging into iManager. The config.xml file may be bad. Copy and edit the config.xml from another working server.
3. Unable to see the task to configure iManager or detect new plugins.
The authorized user needs to be changed for the restored database.
Stop tomcat: /etc/init.d/novell-tomcat4 stop
Edit the /var/opt/novell/iManager/nps/WEB-INF/ file to reflect the restored tree's authorized user's username, context and tree name.
IE., admin.emg.HINESLABTREE=eDirectory
Restart tomcat: /etc/init.d/novell-tomcat4 start
4. -625 errors logging in to iManager
Usually not enough time was allowed between restarting tomcat and authenticating to iManager. Wait several minutes for the tomcat connectors to initialize.

Additional Information

To provide the ability to restore eDirectory in case of a disaster, AT A MINUMUM, the following directories and files should be backed up. The NICI and iManager files need only be backed up again when new versions are installed.
Additional information that may be required:
Symbolic Links:
/etc/nici.cfg --> /etc/opt/novell/nici.cfg
/var/novell/nici --> /var/opt/novell/nici
/usr/lib/ --> /opt/novell/lib/
/opt/novell/lib/ --> /opt/novell/lib/
/etc/init.d/ndsd Permissions=0755 Owner=root group=sys
/var/opt/novell/eDirectory/data/dib Permissions=0744 Owner and group=root
/var/opt/novell/nici Permissions=0711 Owner and group=root
/var/opt/novell/nici/0 Permissions=0700 Owner and group=root
/var/opt/novell/nici/103 Permissions=0700 Owner and group=novlwww
NOTE: The two directories under nici must match the UID of root and novlwww. In this example root=0 and novlwww=103
Tree key=/var/opt/novell/nici/0/nicisdi.key Permissions=0644 Owner and group=root
NetWare information can be found in the following TIDs: 3290174 and 3303779.