Understanding Novell eDirectory

Novell eDirectory is a directory of objects that represent network resources,
such as network users, servers, printers, print queues, and applications.

It can store and manage millions of objects.

Novell eDirectory is a highly scalable, high-performing, secure directory
service.


A Brief History of NDS/eDirectory and Its Versioning

The meaning of the acronym NDS has changed a number of times since it
was first introduced with NetWare 4.0. When Novell initially introduced NDS
as a component of NetWare 4.0 in 1993, NDS stood for NetWare Directory
Service because at that time NDS was available only on NetWare. Working
with third-party vendors such as IBM, Hewlett-Packard (HP), Microsoft, and
Sun, in 1999 Novell made NDS available for a number of different platforms:

• NDS for Windows NT
• NetWare Services for UnixWare 7
• NDS for Solaris
• NetWare 4.1 Services for HP 9000
• Novell Network Services for AIX
• Novell Network Services for OS/390


Novell eDirectory offers a secure identity management solution that runs
across multiple platforms and is both Internet-scalable and extensible.

Supported platforms:

• SUSE Linux Enterprise Server
• Red Hat Enterprise Linux
• Solaris
• AIX
• Windows

Novell eDirectory Architecture

eDirectory Features

• LDAP support
  LDAP v3 support, including SSL; OpenLDAP SDK.
• Cross-platform support
  Already runs on NetWare, NT 4, Linux, Windows and Solaris; other UNIX and
  mainframe platforms (e.g. AIX) are being looked at.
• Improved administration tools
  Monitoring and repair tools; the ICE (Import/Convert/Export) utility; the
  iMonitor utility.
• Filtered replica
  A new replica type that enables flexible control of what is replicated,
  down to the attribute level.
• DirXML support
  Provides the foundation for integrating network information from any
  system, application, device, etc.
Administration Consoles

NWAdmin
• A graphical utility that runs on Windows and is used to perform
  administrative tasks.

iManager
• A Web-based tool that gives you the ability to manage your NetWare
  server from a Web browser.

ConsoleOne
• A Java-based NetWare utility, available for both server and workstation,
  that can be used to perform administrative tasks.
• Preferred tool for working with eDirectory.
• Newer product.

Novell iManager lets you
manage the directory and
users, and access rights
and network resources
within the directory, from a
Web browser and a variety
of handheld devices.

Ease of Management through Novell iManager
The eDirectory plug-ins to iManager
give you access to basic directory
management tasks, and to the
eDirectory management utilities you
previously had to run on the
eDirectory server, such as DSRepair,
DSMerge, and Backup and Restore.

Plug-ins in Novell iManager

Powerful Tree Structure


Novell eDirectory organizes
objects in a tree structure,
beginning with the top Tree
object, which bears the tree's
name.
Whether your eDirectory servers
are running Linux, UNIX, or
Windows, all resources can be
kept in the same tree.
Single Login and Authentication



With eDirectory, users log in to a
global directory, so you don’t need
to manage multiple server or
domain accounts for each user,
and you don’t need to manage
trust relationships or pass-through
authentication among domains.

Object Classes and Properties



The definition of each type of
eDirectory object is called an object
class. For instance, User and
Organization are object classes.
Each class of object has certain
properties.

Schema


The schema defines the object classes and properties, along with the rules
of containment (which classes may be created under which).

The Schema role in Novell iManager lets users who have Supervisor rights to
a tree customize the schema of that tree. Because schema changes apply to the
whole tree, Supervisor rights at the tree root should be limited to the few
accounts that genuinely need them.
List of Objects
Installation
System Requirements

On Linux, eDirectory supports both 32-bit and 64-bit (x86_64) installation.

Hardware requirements:

• A minimum of 512 MB RAM for eDirectory

• 162 MB of disk space for the eDirectory server

• 30 MB of disk space for the eDirectory administration utilities

• 50 MB of disk space for every 50,000 users

Software requirements:

• Network server time synchronized
  Use the Network Time Protocol (NTP) daemon, xntpd, to synchronize time
  across all network servers. eDirectory orders replica updates by
  timestamp, so servers whose clocks disagree will not synchronize cleanly.

• compat-libstdc++ RPM
  If the compat-libstdc++ RPM is not present on the host, install it. This
  RPM provides libstdc++-libc6.1-1.so.2.

• Static IP address
  A static IP address must be configured on the server for eDirectory to
  operate reliably. Configuring eDirectory on a server with a DHCP-assigned
  address can lead to unpredictable results.

Installation
Run the following command from the directory into which the installation
package was extracted:

./nds-install
The ndsconfig Utility
You can use the ndsconfig utility to configure eDirectory. It is used to
create a new tree, to add a server (holding a replica) to an existing tree,
and to remove eDirectory from a server.

Creating a New Tree
Use the following syntax:

ndsconfig new [-t <treename>] [-n <server context>] [-a <admin FDN>] [-i]
    [-S <server name>] [-d <path for dib>] [-m <module>] [-e]
    [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>]
    [-p <IP address:[port]>] [-R] [-c] [-w <admin password>] [-b <port to bind>]
    [-B <interface1@port1>,<interface2@port2>,...] [-D <custom_location>]
    [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context. Prefer to
omit -w and let ndsconfig prompt for the admin password: anything passed on
the command line is visible to other local users in the process list and is
recorded in the shell history. The -e option enables clear-text passwords
for LDAP objects and should stay off unless a client genuinely requires it.
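Putting the requirements above and the new-tree command together, the following is an added example of a POSIX shell pre-flight script; it is my own illustration, not code from the page or from Novell. It reads an ifcfg-style interface file and refuses a DHCP-configured interface, checks for the compat-libstdc++ RPM and a running xntpd/ntpd, and then assembles the ndsconfig new command line. The tree name corp-tree, context o=company, admin FDN cn=admin.o=company, server name srv01, address 192.0.2.10, the port numbers and the two sample ifcfg files are all illustrative values chosen for the example. The admin password is deliberately not passed with -w, so that ndsconfig prompts for it instead of exposing it in the process list and shell history.

```shell
#!/bin/sh
# Added example (not part of the original page or of Novell's tooling):
# pre-flight checks for an eDirectory install, then the ndsconfig new command.
# All names, addresses and ports below are illustrative assumptions.

# Read BOOTPROTO from an ifcfg-style file ($1). Returns 0 when the interface
# is statically addressed (anything other than dhcp/bootp), 1 when it uses DHCP.
bootproto_is_static() {
    proto=$(sed -n 's/^BOOTPROTO=//p' "$1" | tr -d "\"'" | tail -n 1)
    case "$proto" in
        dhcp|bootp) return 1 ;;
        *)          return 0 ;;
    esac
}

# Returns 0 when the compat-libstdc++ RPM (which provides
# libstdc++-libc6.1-1.so.2) is installed. Assumes an RPM-based host.
has_compat_libstdcpp() {
    rpm -q compat-libstdc++ >/dev/null 2>&1
}

# Returns 0 when an NTP daemon is running (xntpd on older hosts, ntpd on newer).
ntp_running() {
    pgrep -x xntpd >/dev/null 2>&1 || pgrep -x ntpd >/dev/null 2>&1
}

# Assemble the ndsconfig new command line. The admin password is NOT passed
# with -w: argv is visible to every local user via ps and lands in shell
# history, so ndsconfig is left to prompt for it. -e (clear-text LDAP
# passwords) is also left out. Port numbers are example choices.
build_ndsconfig_new() {
    tree=$1 ctx=$2 admin=$3 server=$4 addr=$5
    printf 'ndsconfig new -t %s -n %s -a %s -S %s -p %s -L 389 -l 636 -o 8028 -O 8030\n' \
        "$tree" "$ctx" "$admin" "$server" "$addr"
}

# Run every check against the given ifcfg file; report each result and
# return non-zero if any check fails. Gate the real install on this.
preflight() {
    rc=0
    if bootproto_is_static "$1"; then echo "ok   static IP ($1)"; else echo "FAIL $1 uses DHCP"; rc=1; fi
    if has_compat_libstdcpp; then echo "ok   compat-libstdc++ present"; else echo "FAIL compat-libstdc++ missing"; rc=1; fi
    if ntp_running; then echo "ok   NTP daemon running"; else echo "FAIL no xntpd/ntpd process"; rc=1; fi
    return $rc
}

# Constructed sample ifcfg files so both outcomes can be exercised offline.
tmp=${TMPDIR:-/tmp}/edir-preflight.$$
mkdir -p "$tmp"
printf 'DEVICE=eth0\nBOOTPROTO=static\nIPADDR=192.0.2.10\n' > "$tmp/ifcfg-static"
printf 'DEVICE=eth1\nBOOTPROTO="dhcp"\n'                   > "$tmp/ifcfg-dhcp"

preflight "$tmp/ifcfg-dhcp" || echo "-- pre-flight failed; do not run ndsconfig on this host"
echo "-- command that would be run on a host that passes:"
build_ndsconfig_new corp-tree o=company cn=admin.o=company srv01 192.0.2.10
```

Run it as root on the target host before ./nds-install, pointing preflight at the real interface file; the constructed ifcfg-dhcp file makes the DHCP failure visible even on a machine with no eDirectory packages installed.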
Adding a Server into an Existing Tree
Use the following syntax:

ndsconfig add [-t <treename>] [-n <server context>] [-a <admin FDN>]
    [-w <admin password>] [-e] [-P <LDAP URL(s)>] [-L <ldap port>] [-l <SSL port>]
    [-o <http port>] [-O <https port>] [-S <server name>] [-d <path for dib>]
    [-m <module>] [-p <IP address:[port]>] [-R] [-c] [-b <port to bind>]
    [-B <interface1@port1>,<interface2@port2>,...] [-D <custom_location>]
    [--config-file <configuration_file>] [-E]

A server is added to an existing tree in the specified context. If the
context in which the user wants to place the Server object does not exist,
ndsconfig creates the context and then adds the server.

Removing a Server Object and Directory Services from a Tree
Use the following syntax:

ndsconfig rm [-a <admin FDN>] [-w <admin password>] [-p <IP address:[port]>] [-c]

eDirectory and its database are removed from the server.
eDirectory vs Active Directory

Feature: Multi-platform Support
  eDirectory: Runs on Windows, NetWare, SUSE Linux, Red Hat, Solaris and AIX.
  Active Directory: Runs only on Windows.
  eDirectory advantage: Better for heterogeneous server environments.

Feature: Multi-platform Access
  eDirectory: Full support for Windows desktop, Windows Server, Macintosh,
  Linux, UNIX and AIX clients.
  Active Directory: Full feature support only for Windows.
  eDirectory advantage: Better for heterogeneous client environments.

Feature: Open Standards Support
  eDirectory: Supports LDAP, JNDI, ODBC, JDBC, ADSI, XML, EJB, RADIUS, DNS,
  DHCP, C/C++, ActiveX and Visual Basic libraries, so developers can write to
  open standards rather than to vendor-specific APIs.
  Active Directory: Requires applications written to ADSI, or customized
  integration with Win32 platforms.
  eDirectory advantage: Integrates more easily with other open-standard
  applications and configurations.

Feature: Directory Synchronization
  eDirectory: With eDirectory and Novell DirXML, any other directory can be
  synchronized bi-directionally with eDirectory; an event engine synchronizes
  changes as they occur.
  Active Directory: Provides only one-way synchronization with other
  directories. Changes must be searched for (dredged), an inefficient method
  that produces latent updates.
  eDirectory advantage: Changes made in any directory are automatically
  propagated to all the others.

Feature: Tree Architecture
  eDirectory: A single tree spanning all connected environments can contain
  all objects and resources, and everything is centrally managed from a
  single interface.
  Active Directory: Because of the constraints of the domain model, it is
  organized into separate trees contained within a forest. Rights flow only
  within trees (not across the forest), and each tree is administered
  separately, which adds a layer of manual management.
  eDirectory advantage: Unified, centralized management of all resources,
  not just those in one domain or location.

Feature: Replication
  eDirectory: Directory partitions can be defined at any point in the tree,
  and replicas of those partitions can be placed on any server in the tree.
  This lets administrators optimize for authentication efficiency, bandwidth
  utilization and fault tolerance.
  Active Directory: Partitioning must be done in whole domains, and only one
  domain can exist on any server.
  eDirectory advantage: Higher authentication performance and lower
  bandwidth requirements, because the data is available where and when it
  is needed.

Feature: Directory Maintenance
  eDirectory: Includes a comprehensive set of management tools for managing
  the directory and monitoring tree, replica and partition status. Its
  cross-platform repair tools allow live repair of any portion of the
  directory, from the whole tree down to a single object.
  Active Directory: Must be taken offline to reclaim lost directory space
  and perform advanced repairs. There is no ability to remotely repair a
  database, rename domains, or merge and split domains.
  eDirectory advantage: Simpler and more powerful directory management,
  with better monitoring and more precise tools for directory operations.

Feature: Database Size
  eDirectory: A base instance requires 1 MB of disk space, growing to 75 MB
  for 50,000 objects. When access rights are assigned they are calculated
  dynamically, with little effect on database size.
  Active Directory: Requires a 44 MB base, growing to 280 MB with 50,000
  objects. When access rights are assigned they are written to each object,
  causing the database to balloon even larger.
  eDirectory advantage: Many more resources can be managed with a much
  smaller database; a smaller database gives higher performance and
  distribution efficiency, and therefore better overall scalability.

Feature: Integrated Authentication
  eDirectory: Uses PKI, the most widely used form of public-key
  authentication, licensed from RSA Security. Supported authentication
  methods include digital certificates, biometrics, smart cards and tokens.
  Active Directory: Uses a Microsoft-altered version of Kerberos, a
  secret-key authentication method.
  eDirectory advantage: Greater flexibility in integrating different types
  of security solutions.