Novell eDirectory

From AdminWiki


Revision as of 02:23, 25 May 2006

There is no need to tune eDirectory. Period. You can tune your hardware (e.g. get better disk I/O, more RAM), but that is it: eDirectory just runs, tunes itself and stays consistent.

eDirectory (formerly known as NDS) is an X.500-compliant directory service and implements its own DAP (Directory Access Protocol) on top of NCP. Hardly anyone uses X.500 or DAP today, so you will probably want to access it over LDAP. NLDAP is the LDAP server component of eDirectory. Use LDAP over TLS rather than plain LDAP for any bind that carries a password; NLDAP supports it and by default refuses simple binds with a password over a cleartext connection.


Gotchas

User password handling is very different from other LDAP implementations.

By default, userPassword is handled by the NDS password scheme, which ties the password to the user's public/private key pair and never stores it in plain text or as a portable hash you could feed to another server. This makes it almost impossible to migrate away from eDirectory while keeping the user passwords.

Newer versions of NDS also support multiple authentication mechanisms (keyword: NMAS, Novell Modular Authentication Service), so look into them.

If you are running anything below NDS version 8.6, upgrade now. Mixing 7.x or earlier, 8.0 and 8.5+ in one tree is *NOT* a good idea (although it should work if your Master replica is 8.5).

Performance

As mentioned above, you usually don't tune eDirectory; there is no need to. Cache sizes etc. depend on your tree size and are set automatically. With a big directory tree it is easy to outperform OpenLDAP on the same hardware.

Replication

Replication relies on working time synchronization, so if you have replication problems, check timesync/NTP first. eDirectory supports read-only replicas, but there is little point in using them: every login or connect writes back to the user object (last login time, network address and the like), so a read-only replica only adds load by passing those writes on to a writable one. Better to have read/write replicas everywhere, possibly filtered (not recommended unless you know what you are doing).

Troubleshooting

NDS has a nice web tool called iMonitor. Use it. You can access logging, debugging output etc. through iMonitor or the DSTRACE command line tool (on NetWare: SET DSTRACE=ON; on other operating systems: run ndstrace or dstrace). DSTRACE understands many different flags. Usually +LDAP and some of the default flags are of interest. Use +SYNC when checking replication problems, and pay attention to the time vectors.
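The clock check recommended under Replication, and again here when reading +SYNC output and its time vectors, as an added example that is not part of the original wiki page or of Novell's tools: a small Python script that takes one clock reading per replica server and reports which servers drift from the ring's median clock by more than a tolerance, so you know whether to fix time sync before staring at DSTRACE. The server names, timestamps and the 2-second tolerance are constructed for illustration; how you collect the readings (for example ndsrepair -T on each server, or ntpq against each host) is up to you, the script only does the comparison.

```python
"""Clock-skew check for an eDirectory replica ring.

Added example, not from the AdminWiki page or from Novell. Replication
depends on the replica servers agreeing about the time, so before
chasing +SYNC errors in DSTRACE, compare the clocks of every server.
The readings below are constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timezone
from itertools import combinations
from statistics import median

# Constructed sample readings (ISO 8601, UTC), one per replica server,
# nominally all taken at the same instant. SRV3 is deliberately ~4 min off.
SAMPLE_READINGS = {
    "SRV1": "2006-05-25T02:23:00Z",
    "SRV2": "2006-05-25T02:23:01Z",
    "SRV3": "2006-05-25T02:27:12Z",
}


def parse_readings(readings: dict[str, str]) -> dict[str, datetime]:
    """Parse ISO 8601 timestamps into timezone-aware UTC datetimes."""
    parsed = {}
    for server, stamp in readings.items():
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on,
        # so normalise it to an explicit UTC offset first.
        dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        parsed[server] = dt.astimezone(timezone.utc)
    return parsed


def pairwise_skews(times: dict[str, datetime]) -> dict[tuple[str, str], float]:
    """Absolute clock difference in seconds for every pair of servers."""
    return {
        (a, b): abs((times[a] - times[b]).total_seconds())
        for a, b in combinations(sorted(times), 2)
    }


def max_skew_seconds(times: dict[str, datetime]) -> float:
    """Largest pairwise skew in the ring (0.0 for a single server)."""
    skews = pairwise_skews(times)
    return max(skews.values()) if skews else 0.0


def find_drifting_servers(times: dict[str, datetime], tolerance_s: float = 2.0) -> list[str]:
    """Servers whose clock is more than tolerance_s from the median clock.

    The median is used as the reference so that one badly skewed server
    cannot drag the reference point towards itself and hide behind it.
    """
    if not times:
        return []
    epochs = {server: t.timestamp() for server, t in times.items()}
    reference = median(epochs.values())
    return sorted(s for s, e in epochs.items() if abs(e - reference) > tolerance_s)


if __name__ == "__main__":
    times = parse_readings(SAMPLE_READINGS)
    for (a, b), skew in pairwise_skews(times).items():
        print(f"{a} vs {b}: {skew:.0f}s")
    drifting = find_drifting_servers(times)
    if drifting:
        print("fix time sync on", ", ".join(drifting), "before reading +SYNC output")
    else:
        print("clocks agree within tolerance; look elsewhere")
```

Run it on real readings by replacing SAMPLE_READINGS with whatever your monitoring collected; the 2-second default is generous for servers on a LAN with working NTP, and anything flagged is a time problem to fix before it is a replication problem to debug.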

You can fix lots of problems just by running dsrepair in automatic (unattended full repair) mode. Note that a full repair locks the local database while it runs, so schedule it for a quiet period.

Have a look here and here. Most of the older NDS documentation is still valid.

Danger: dsrepair has some command line switches named -XK3, -XK4 etc. DO NOT USE THEM. They are dangerous and can cause data loss. They are occasionally useful, but only if you a) have a backup, b) have a backup of all your replicas, and c) know what you are doing.
