
www.novell.com

Novell eDirectory™ Administration and Management Using iManager

Sophia K Johnson, Software Engineering Manager, Novell, Inc., [email protected]

Wayne Long, Senior Software Engineer, Novell, Inc., [email protected]

Vision: one Net. A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.

Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

Deployed Versions: Novell eDirectory™ and Novell Directory Services® (NDS)

Product Version                    Build Version           Platforms
NetWare 5.1 SP4 (NDS 7)            DS.nlm v7.57            NetWare 5.1
NetWare 5.1 SP4 (NDS 8)            DS.nlm v8.79            NetWare 5.1
eDirectory 8                       DS.nlm & DS.dlm v8.79   NetWare 5.0, Win NT/2K
eDirectory 8.5.x                   DS v85.23               NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)         DS.nlm v10110.20        NetWare 6
eDirectory 8.6.1                   DS v10210.43            NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2)   DS.nlm v10310.17        NetWare 6
eDirectory 8.6.2                   DS v103xx.xx            NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                     DS v10410.xx            NW 5.1, NW 6, Win, Solaris, Linux, AIX

Differences Between eDirectory and NDS®

[Diagram comparing NDS (NetWare 5, NetWare 6) with eDirectory]

NDS: NOS directory focused on managing NetWare® servers

eDirectory: A cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness

Agenda

• Architectural overview

• eDirectory administration using iManager
– Install
– Role-based services
– eDirectory management
– eDirectory utilities
– eGuide—self-administration

Agenda (cont.)

• Role-based services in-depth
– Schema
– Administration
– Admin provisioning
– End user provisioning
– Scope
– Administration hierarchies
– Best practices

Agenda (cont.)

• Using the Template Task Builder
– Extending the schema
– Creating a plug-in (Task, Book)
– Demonstration

Terminology

• eMFrame: Directory Management Framework (Framework)

• Plug-ins: Content that extends eMFrame

• RBS: Role-Based Services

• Scope: The container and/or sub-containers where rights are granted

• RBS Collection: The container where Roles and Tasks are stored in the directory

Terminology (cont.)

• eDAS: eDirectory Access Service

• Template: Contains the HTML UI code

• Property Object: Data returned from the directory

• Self-Administration: The ability to edit/manage your own directory attributes

Architectural Overview

eMFrame Is Client/Server Based

[Diagram: the Client sends a Request to the Server, which returns a Response]

Client/Server Model (cont.)

[Diagram: Request/Response between Client and Server. Server platforms: NetWare, NT, Win2000, Solaris, Linux. Client devices: PC, Pocket PC, Phone]

Client/Server Model (cont.)

[Diagram: Request/Response between Client and Server. Server stack: OS, Web Server, Java Servlet Gateway, iManager. Client devices: PC, Pocket PC, Phone, PDA, Other]

[Diagram: Client UI (HTML, HDML, WML, Web Clippings, Compact HTML) exchanges Request/Response with the Middleware Server (iManager, eMFrame, eMBox), which talks to eDirectory over the protocols LDAP, NDAP, SOAP]

Novell iManager Architecture

[Diagram: iManager (eMFrame) with plug-ins: LDAP, Schema Manager, ICE, DSMerge, DSRepair, Backup/Restore; eDir SDK and eMBox SDK; Web Server. eDirectory server DHost Process: LDAP; eMBox with HTTP Stack, SOAP Service, Service Manager and the Merge, Repair and Backup/Restore eMTools; eDirectory]

iManager Web Server Configuration

• iManager installs Apache and Tomcat if a web server is not present (on Windows)

• eMFrame.cfg contains all configurable settings for iManager, for example
– Default login information (tree name and context)
– Log file location, size, and duration
– Other settings necessary for iManager to run

• iManager can run with other web servers and Servlet gateways

Web Security

• Authentication is passed from the client to the middleware server
– If you are running outside a firewall, HTTPS needs to be enabled on your web server
– Temporary cookies need to be turned on in your browser to prevent hijacking
– Some LDAP plug-ins require LDAP SSL to be enabled and will not work if SSL is not on
– The LDAP SSL setting can be turned on or off in eMFrame.cfg
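As an added example (not from the deck or from Novell), the following Python check treats the requirements above as a server-side checklist and runs it against a constructed response from an iManager login page: the `outside_firewall` flag, the expectation of a Secure cookie attribute over HTTPS and the JSESSIONID cookie name are this example's assumptions.

```python
# Added example (not Novell code): offline check of the deck's web-security
# requirements against a constructed HTTP response from an iManager login.
# The outside_firewall flag and the Secure cookie attribute are assumptions.
from urllib.parse import urlsplit

def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split an HTTP/1.x response head into (status code, [(lowercase name, value)])."""
    status, *lines = raw.strip().splitlines()
    code = int(status.split()[1])
    pairs = [line.split(":", 1) for line in lines if ":" in line]
    return code, [(n.strip().lower(), v.strip()) for n, v in pairs]

def audit_web_security(url: str, raw_response: str, outside_firewall: bool) -> list[str]:
    """Return findings against the deck's requirements; an empty list means all met."""
    findings = []
    _code, headers = parse_response(raw_response)
    https = urlsplit(url).scheme == "https"
    if outside_firewall and not https:
        findings.append("reached outside the firewall over plain HTTP; enable HTTPS on the web server")
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = [p.strip().lower() for p in value.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        # The deck relies on temporary (session) cookies: no Expires / Max-Age.
        if any(a.startswith(("expires=", "max-age=")) for a in attrs[1:]):
            findings.append(f"cookie {cookie} is persistent, not temporary; hijack exposure")
        if https and "secure" not in attrs[1:]:  # assumption: Secure expected with HTTPS
            findings.append(f"cookie {cookie} lacks Secure; could be sent over plain HTTP")
    return findings

# Constructed sample: a login response that sets a persistent session cookie.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT
"""
```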

Role-Based Services

Role-Based Schema

• eMFrame uses the Role-Based Service (RBS) schema extension definitions

• The defined schema objects are
– rbsCollection
– rbsModule
– rbsBook
– rbsTask
– rbsRole
– rbsScope

Role-Based Schema Objects

rbsCollection Object

• Topmost container for all RBS objects

• There can be multiple collections in a tree

• Users are assigned as an owner of a collection to allow management of RBS

• Containment: Country, Domain, Locality, Organization, Organizational Unit

rbsRole Object

• Container object that represents a role

• Tasks and books are assigned to a role

• Members are associated to a role in a specific scope of the tree

• A member can be a User, Group, Organization or OU

• Containment: rbsCollection

rbsModule Object

• Container object that holds task and book objects

• Use the product as the name, for example NMAS, PKI, NSSO

• Containment: rbsCollection

rbsTask Object

• Leaf object that describes the behavior of a task

• Entry point to invoke the task

• Parameters string for miscellaneous data to perform the task

• List of attributes that rights are assigned to perform the task

• Back link to all roles the task is assigned to

• Containment: rbsModule

rbsBook Object

• Leaf object that describes a book

• Entry point to launch the book

• Parameters string for miscellaneous data for the book

• List of page attributes that are assigned rights for the book

rbsBook Object (cont.)

• Back link to all roles the book is assigned to

• List of pages assigned to the book

• Object class types the book supports

• Containment: rbsModule

rbsScope Object

• Inherits from Group

• Leaf object used for ACL assignments instead of making assignments for each User object

• User objects are assigned to the rbsScope object

• Has a reference to the scope it is associated with

How Administration Hierarchies Work

• The “super admin” assigns roles and tasks to different administrators, depending on their job functions

• Those administrators only see the roles and tasks they are assigned

• Benefits
– Limited UI
– Small learning curve
– Division of labor
– Cost savings

Setting Up Administration Hierarchies

• Whoever installs iManager is given the super admin role
– Assigned to all roles and tasks
– Assign the roles and tasks to various administrators, depending on their job function
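The RBS objects above and the delegation they make possible, as an added example (not Novell's code): a small Python model that resolves which rbsTasks a user sees for a given object, given role assignments whose member is a User, Group, Organization or OU and whose scope is a container with or without its sub-containers. DNs are eDirectory-style dotted typed names, and the roles, groups, users and tree name "foo" are all constructed.

```python
# Added example (not Novell code): toy model of how iManager RBS resolves the rbsTasks a user may run on an object.
from dataclasses import dataclass

def ancestors(dn: str) -> list[str]:
    """Containers above dn, nearest first: 'cn=a.ou=hd.o=foo' -> ['ou=hd.o=foo', 'o=foo']."""
    parts = dn.split(".")
    return [".".join(parts[i:]) for i in range(1, len(parts))]

@dataclass
class RoleAssignment:
    role: str      # rbsRole name
    member: str    # DN of a User, Group, Organization or OU
    scope: str     # container DN where the role's rights are granted
    subtree: bool  # True: rights also apply in every sub-container

def in_scope(a: RoleAssignment, target_dn: str) -> bool:
    """Without subtree, the scope covers only objects directly in that container."""
    chain = ancestors(target_dn)
    return a.scope in chain if a.subtree else bool(chain) and chain[0] == a.scope

@dataclass
class RbsDirectory:
    role_tasks: dict[str, set[str]]     # rbsRole -> names of its rbsTasks
    group_members: dict[str, set[str]]  # Group DN -> member User DNs
    assignments: list[RoleAssignment]

    def identities_of(self, user_dn: str) -> set[str]:
        """The user, every Group listing the user, and every O/OU containing the user."""
        ids = {user_dn, *ancestors(user_dn)}
        ids.update(g for g, m in self.group_members.items() if user_dn in m)
        return ids

    def effective_tasks(self, user_dn: str, target_dn: str) -> set[str]:
        """Tasks of every role assigned to one of the user's identities in a scope
        covering target_dn; an empty set means iManager shows this user nothing."""
        ids = self.identities_of(user_dn)
        hits = [a for a in self.assignments if a.member in ids and in_scope(a, target_dn)]
        return set().union(*(self.role_tasks.get(a.role, set()) for a in hits))

# Constructed sample "foo" tree mirroring the deck's Help Desk / eDirectory Admins / iPrint Admins hierarchy.
RBS = RbsDirectory(
    role_tasks={"Help Desk": {"Reset Password", "Modify User"},
                "eDirectory Admins": {"Create User", "Delete User", "Modify User", "Partition Management"},
                "iPrint Admins": {"Manage Printers"}},
    group_members={"cn=helpdesk.ou=groups.o=foo": {"cn=alice.ou=support.o=foo"}},
    assignments=[
        RoleAssignment("Help Desk", "cn=helpdesk.ou=groups.o=foo", "ou=sales.o=foo", subtree=True),
        RoleAssignment("eDirectory Admins", "cn=bob.ou=it.o=foo", "o=foo", subtree=True),
        RoleAssignment("iPrint Admins", "ou=printing.o=foo", "ou=printing.o=foo", subtree=False),
    ],
)
```

The last assignment shows the non-subtree case: a printer object created one OU deeper than the scope is invisible to the iPrint admins until the scope is widened.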

Flow of Administration Hierarchies

[Diagram: the “Super admin” delegates to Help desk, eDirectory admins and iPrint admins; end users perform self-administration with eGuide]

Tree View of Administration Hierarchies

[Diagram: the “Foo Tree” containing Role Based Services (Module, Book, Task, Role and Scope objects), Groups and Users; roles shown: iPrint Admins, Help Desk, eDirectory Admins, Self-Administration]

Setting Up Administration Hierarchies

Novell iManager Content

iManager—Install

• InstallAnywhere

• Cross-platform: Linux, Solaris, NetWare, Windows, AIX

• Detects the presence of a web server and servlet gateway

• On Windows, installs Apache and Tomcat 3.3a if a web server and Servlet gateway are not present

iManager Framework (eMFrame)

• eMFrame provides the following functionality for plug-ins
– Search and Browse mode for Object Selection
– Advanced Selection
– Multiple Object Operations (MOO)
– Template Task (Plug-in builder)
– Role-Based Administration
– Property Book Navigation

iManager eDirectory Administration

• eDirectory Management Plug-ins
– User management
– Group management
– LDAP Server management
– Password management
– Rights management
– Dynamic Groups management
– Auxiliary Class management
– Partition and Replication management
– Base Schema Object management

iManager eDirectory Utilities

• iManager eDirectory utilities:
– Repair
– Merge
– Backup and restore
– ICE
– WanMan

iManager/eGuide Self-Administration

• iManager manages eGuide Self-Administration

• eGuide consumes the assigned Roles and Tasks
– eGuide is an eDirectory-enabled end-user self-provisioning tool that allows users to quickly access directory information
– Corporate White Pages: with RBS, eGuide now empowers users to edit information without intimate knowledge of directories

Demonstration: iManager Content

Custom Content

iManager at Work at Mt. Sinai

• Novell Consulting Custom Development (NCCD) has built a custom browser-based console for Mt. Sinai called Web Console

• Web Console is based on Novell’s iManager—it allows administrators to add and edit users in eDirectory, while maintaining the strict control of data rules and formatting Mt. Sinai requires

DirXML™ Project Overview

To create the central user and group object repository for all synchronized directories, a new (third) NDS tree, the Workforce tree, was created. It is a flat tree, containing users, groups and template objects only.

The Workforce tree will act as the smart meta-directory that is the central source for all information consolidated from the other directories and applications. All user administration will originate from the WKF tree.

All modifications will be synchronized to the main NOS infrastructure (INF) tree.

Workforce Tree

Template Task

• What is the Template Task?
– Builds template files for developers and admins
– Supports most standard syntaxes, for example Boolean, Strings, Lists, Interval, etc.
– Can be extended by developers to handle other attributes or syntaxes
– Uses eDirectory Access for reading and writing data to the directory

Task Builder

• What is the Task Builder?
– Dynamic plug-in creation
– Supports most standard syntaxes, for example Boolean, Strings, Lists, Interval, etc.
– Uses eDirectory Access to read and write data to the directory
– Provides a step-by-step wizard
– Installs the new plug-in into the directory

Customer Scenario

• Scenario: Company Foo customizes eDirectory to fit their needs by extending the directory and adding the following objects: fooManager, fooEmployee, fooContractor, fooExec

• How are they going to manage these new objects?

Novell iManager

Create Custom Content

• Step 1: Extend the schema using Schema Manager

• Step 2: Create the object in eDirectory

• Step 3: Create a plug-in using the Template Task

• Select the object type, device and task or property book type

• Select the attributes

• Position the labels

• Preview

• Assign to a book or a role

Demonstration: Creating Custom Content

Getting More Information: BrainShare 2002

• IO116 iManager Introduction and Overview

• DCB202 Developing to Novell iManager

• IO123 eGuide Introduction and Overview

• TUT340 Expose the Power of eDirectory Using Novell eGuide: Advanced Configuration and Customization

• BUS201 Creating Custom User Management Plug-ins for iManager

• TUT231 Tips and Tricks for Using eDirectory Utilities

• TUT234 Keeping Your Business Online with eDirectory Backup and Restore