Converting an eDirectory root-based instance into a non-root instance

  • 7016537
  • 26-May-2015
  • 22-Jun-2015

Environment

NetIQ eDirectory 8.8 SP8
SLES 11
SLES 10

Situation

There are advantages to both root and non-root based installations of eDirectory.  Root based installations make the actual installation process and subsequent patching easier.  Non-root based installations are often specified because of perceived security advantages or auditing requirements: the NDSD process then runs without root privileges, so a compromise of the directory service does not by itself hand an attacker root on the host.
 
The following describes the use case covered by this TID.  A root-based installation of eDirectory has been in place for some time using the standard locations.  The admin is now tasked with ensuring that the NDSD process no longer runs as root while preserving all the data in the dib.  Below is the supported way to achieve this.  After completing the steps below the root-installed binaries remain in place but now support a non-root instance running the same database as before.

Resolution

Assumptions:
- At the conclusion there will be only one instance of eDirectory on this server.
- That instance will be the original instance that was on this server but will now run as a non-root user.
- Communication with the other servers in the tree is working, so that they can be made aware of the port changes.
 
Note: SLES 12 is not currently supported for this conversion.
 
Pre-installation notes:
- Create the non-root user if it does not already exist. 
- The instructions below indicate whether each step should be done as root or as the non-root user.  The non-root ports are simply the root ports with a "1" prefixed.  (Examples: NCP 524 --> 1524, LDAPS 636 --> 1636.)  In the commands below the non-root user is hvuser; substitute the actual user name.
 
Summary of Steps:
- Create a dummy tree
- Change the source tree's ports to match the dummy tree.
- Change the source's dib ownership.
- Swap the dummy tree's dib for the source's dib.
- Modify non-root's nds.conf file.
- Swap and change ownership of the source tree's NICI files.
 
Optional (but recommended): back up the current database and NICI files.  A quick method as ROOT is:
- stop NDSD: " /etc/init.d/ndsd stop "
- " cd /var/opt/novell/eDirectory/data "  " tar -cvzf ndsbackup.tgz dib "
- " cd /var/opt/novell "  " tar -cvzf nici.tgz nici "
- start NDSD again: " /etc/init.d/ndsd start "
Keep both archives where only root can read them: together they contain the database and the keys that protect its encrypted items.
 
 
Begin Conversion:
 
NONROOT
1. Create the dummy tree.
 
A. As the non-root user create the dummy tree in a custom location under that user's home directory.
"ndsconfig new -t dummy-tree -n novell -a admin.novell -w n -i -S srv2 --config-file /home/hvuser/inst1/nds.conf"
(The tree, server and admin names are throwaway values used only for the dummy instance; its nds.conf and data directory are created under /home/hvuser.)
 
Once complete there should be two instances of eDirectory running: the root instance and the just-created non-root instance.  Confirm this with ndsmanage before continuing.
 
 
 
B. Stop the non-root instance using ndsmanage.
Run ndsmanage, select Instance 1, choose [k] (Stop the instance), then "q" to quit.
 
 
ROOT 
2. Change the root instance's ports and dib ownership.
 
A. Change the LDAP ports to those used by the non-root instance.  The LDAP ports are held on the LDAP Server object, so they are changed with ldapconfig rather than in nds.conf:
ldapconfig set "ldapInterfaces=ldap://151.155.213.137:1389,ldaps://151.155.213.137:1636"
(151.155.213.137 is the example server's own address; substitute the address of the server being converted.)
Note: though unspecified addresses (0.0.0.0) can be used, it is recommended that the addresses be explicitly stated, as some iManager plugins can have problems otherwise.
 
B. Change the NCP, HTTP and HTTPS ports to those used by the non-root instance.
- Edit the /etc/opt/novell/eDirectory/conf/nds.conf file to reflect this (the n4u.server.interfaces, http.server.interfaces and https.server.interfaces parameters).  The dummy tree's /home/hvuser/inst1/nds.conf shows the exact values the non-root instance was created with.
 
- Restart NDSD for the port changes to take effect.
 
 
C. Change the ownership of the source (root) instance's dib directory to the non-root user.
 - Stop the root instance
/etc/init.d/ndsd stop
 
- Run the chown command (recursively, so every file under dib is covered)
"chown -R hvuser /var/opt/novell/eDirectory/data/dib"
 
 
3. Move the dib from the root instance to the non-root instance.  (Both instances must be stopped at this point.)
A. Change to the non-root instance's data directory
"cd /home/hvuser/var/opt/novell/eDirectory/data"
 
B. Rename the dummy tree's dib directory 
"mv dib dib-dummy"
 
C. Move the source tree's (root-based) dib to the non-root location.
"mv /var/opt/novell/eDirectory/data/dib ."
Note: if /home is on a different filesystem from /var, mv copies the whole dib and then deletes the original, so make sure there is enough free space there first.
 
 
4. Make final changes to the /home/hvuser/inst1/nds.conf file.  Change the following parameters to the values in the root instance's nds.conf:
n4u.nds.server-name=
n4u.base.tree-name=
n4u.nds.preferred-server=
n4u.nds.server-context=
The original can still be referenced at /etc/opt/novell/eDirectory/conf/nds.conf.  Leave the port and path parameters as the dummy instance set them; they point at the non-root ports and locations.
 
 
 
 
ROOT
5. Move or Copy NICI files and start NDSD.
 
A. Match NICI directories with the users.  The original database is wrapped with root's NICI keys.  These need to be copied or moved to the non-root user's NICI directory in order for the non-root user to open the database and unwrap encrypted items.  First the directories under /var/opt/novell/nici need to be identified.  They are named after the UID of the user that owns them; as one instance runs as root and the other as the non-root user, the following commands give the users' UIDs:
 
"id -u root"  (Though root is usually 0 it is best to be sure.)
0 is returned.
"id -u hvuser" 
1002 is returned.
 
 
 
From this information it is determined that /var/opt/novell/nici/0 holds root's keys and /var/opt/novell/nici/1002 is the non-root's NICI directory.  (The number of the non-root's directory will vary with the associated UID.  Root's is normally 0.)
 
At this point a decision needs to be made on how the NICI files are to be transferred: whether to Move or Copy them.  Either choice will work for this exercise, but they have different security implications.
 
Moving: recommended.  Moving the files is best from a security standpoint.  In this way the keys remain assigned to, and accessible by, only one user.  However, eDirectory is not the only application that can call into NICI to create secrets.  Anything that was wrapped using the non-root user's original keys (those created with the dummy tree) will be lost.  In this TID's use case the dummy tree was used only temporarily and the end result is only the one original instance of eDirectory running.  If this is so, then this should not be a concern.
 
Copying: copying the files results in both the root user and non-root user sharing the same NICI keys.  This means that root can decrypt the non-root user's data and the non-root user can decrypt root's data.  The benefit is that there is less chance of affecting any applications that may have called into NICI to wrap secrets while both sets of keys were available.  Again, for this use case, it should not be a concern.
 
If Copying the NICI files skip to step C.
 
 

MOVING
 
ROOT
B. If Moving the NICI files
 
1. Move the non-root user's NICI directory to a backup location.
"mv /var/opt/novell/nici/1002  /var/opt/novell/nici/1002-dummy"
 
2. Move the root user's NICI directory to the non-root location.
"mv /var/opt/novell/nici/0  /var/opt/novell/nici/1002"
 
3. Change the ownership of the moved NICI directory, its files and subdirectories from root to the non-root user.
"chown -R hvuser /var/opt/novell/nici/1002"
 
4. Verify that the top level directory, 0, was correctly renamed to 1002 and is now owned by the non-root user.
"ls -l /var/opt/novell/nici"

 
NONROOT
5. Start the instance using 'ndsmanage startall'
6. Verify that eDirectory is running fine: ndsstat should report the original tree and server name, and "ps -u hvuser | grep ndsd" should show the ndsd process running as the non-root user.
 

ROOT
7. Optional: as the root user clean up the root instance's data directory, /var/opt/novell/eDirectory/data (its dib was already moved in step 3).

COPYING
 
ROOT
C. If Copying the NICI files
 
1. Move the non-root user's NICI directory to a backup location.
"mv /var/opt/novell/nici/1002  /var/opt/novell/nici/1002-dummy"
 
2. Copy the root user's NICI directory to the non-root location.
"cp -rfp /var/opt/novell/nici/0 /var/opt/novell/nici/1002"
(Step 1 must have been done first: if /var/opt/novell/nici/1002 still exists, cp creates /var/opt/novell/nici/1002/0 instead of replacing it.)
 
3. Change the ownership of the copied NICI directory, its files and subdirectories from root to the non-root user.
"chown -R hvuser /var/opt/novell/nici/1002"
 
4. Verify that the files and directories were correctly copied and are the same.  There are multiple methods for doing so.  The simplest is a recursive diff, which prints nothing when both trees are identical:
- "diff -r /var/opt/novell/nici/0 /var/opt/novell/nici/1002"
Another is to compare checksums of every file under each directory, with paths relative to the directory so the listings line up:
- "(cd /var/opt/novell/nici/0 && find . -type f -exec md5sum {} + | sort -k2) > /tmp/nici-0.md5"
- "(cd /var/opt/novell/nici/1002 && find . -type f -exec md5sum {} + | sort -k2) > /tmp/nici-1002.md5"
- "diff /tmp/nici-0.md5 /tmp/nici-1002.md5"
Both methods check that the directory structure and file contents came over; all checksums should be identical.  Ownership is not compared, and after step 3 it is expected to differ.  Remove the /tmp listings afterwards.
 

NONROOT
5. Start the instance using 'ndsmanage startall'
6. Verify that eDirectory is running fine: ndsstat should report the original tree and server name, and "ps -u hvuser | grep ndsd" should show the ndsd process running as the non-root user.
 

ROOT
7. Optional: as the root user clean up the root instance's data directory, /var/opt/novell/eDirectory/data (its dib was already moved in step 3).
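The nds.conf edits in steps 2B and 4 and the copy check in step 5.C.4 are easy to get subtly wrong by hand (a typo in a tree name, a forgotten https line, a checksum run from the wrong directory).  The following shell script is an added example written for this TID, not a NetIQ-supplied tool.  It assumes the paths and user name used above (/etc/opt/novell/eDirectory/conf/nds.conf, /home/hvuser/inst1/nds.conf, hvuser with UID 1002) and that the NCP/HTTP/HTTPS listeners live in the n4u.server.interfaces, http.server.interfaces and https.server.interfaces parameters of nds.conf.  The LDAP ports are not in nds.conf and still need ldapconfig (step 2A).

```sh
#!/bin/sh
# Added helper for the eDirectory root-to-non-root conversion described in this TID.
# Not part of eDirectory; paths, user name and parameter names are assumptions
# taken from the TID's example server. Run as root with both instances stopped.
set -eu

ROOT_CONF=${ROOT_CONF:-/etc/opt/novell/eDirectory/conf/nds.conf}
NONROOT_CONF=${NONROOT_CONF:-/home/hvuser/inst1/nds.conf}

# Step 4: parameters that identify the instance; copied root -> non-root.
IDENTITY_KEYS="n4u.nds.server-name n4u.base.tree-name n4u.nds.preferred-server n4u.nds.server-context"
# Step 2B: listener parameters; copied from the dummy tree's conf into the root conf
# so the root instance moves to the non-root ports (assumed parameter names).
PORT_KEYS="n4u.server.interfaces http.server.interfaces https.server.interfaces"

# conf_get FILE KEY: print the value of the first "KEY=value" line (empty if absent).
conf_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# conf_set FILE KEY VALUE: replace "KEY=..." in place, appending the line if the key is absent.
# Writes through to the existing file so nds.conf keeps its owner and mode.
conf_set() {
    f=$1 k=$2 v=$3
    tmp=$(mktemp)
    awk -v k="$k" -v v="$v" '
        index($0, k "=") == 1 { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }' "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# copy_keys SRC DST "KEY ...": copy each listed key's value from SRC into DST.
# Keys missing from SRC are left untouched in DST. Prints how many keys were copied.
copy_keys() {
    src=$1 dst=$2 n=0
    for k in $3; do
        v=$(conf_get "$src" "$k")
        [ -n "$v" ] || continue
        conf_set "$dst" "$k" "$v"
        n=$((n + 1))
    done
    echo "$n"
}

# nici_same DIR_A DIR_B: succeed if both trees contain the same relative paths with the
# same contents (md5sum per file). Ownership is deliberately not compared: after the
# chown in step 5.C.3 it is supposed to differ.
nici_same() {
    a=$(cd "$1" && find . -type f -exec md5sum {} + | sort -k2)
    b=$(cd "$2" && find . -type f -exec md5sum {} + | sort -k2)
    [ "$a" = "$b" ]
}

# Example invocation on the real server (commented out so the script is safe to source):
#   copy_keys "$NONROOT_CONF" "$ROOT_CONF" "$PORT_KEYS"       # step 2B, then restart ndsd
#   copy_keys "$ROOT_CONF" "$NONROOT_CONF" "$IDENTITY_KEYS"   # step 4
#   nici_same /var/opt/novell/nici/0 /var/opt/novell/nici/1002 && echo "NICI copy verified"
```

Source the script and call the three functions in the order of the TID: the port copy before the ndsd restart in step 2B, the identity copy in step 4, and nici_same after the cp and chown in step 5.C.  copy_keys returns the number of parameters it actually found in the source file, so a result lower than expected means a parameter name in the source nds.conf differs from the assumed one and should be checked by hand.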

Additional Information

Note: once the instance is converted to a non-root instance it will no longer auto start on reboot.  As a workaround please see: How to enable non-root instances of eDirectory to start at server boot: KB 3048495.  Check as well that the old root instance is not still configured to start at boot through /etc/init.d/ndsd; its nds.conf now points at a dib that has been moved.  An enhancement has been entered to allow ndsd to start as root and then drop to the non-root user, so that this process becomes easier and the lower (standard) ports can be used.