Implementing eDirectory 8.6
Test Objectives Covered:
- Integrate eDirectory 8.6 into an existing network.
- Use the eDirectory Import/Export Wizard to manage LDIF files.
Now that you understand the fundamental architecture of the eDirectory tree, it's time to explore how it works. As you manage network objects within eDirectory, pay particular attention to its treelike structure. A well-designed tree will make resource access and management much easier. The structure of the eDirectory tree is both organizational and functional. The location of an object in the tree can affect how users access it and how network administrators manage it.
In this lesson, you will learn how to integrate eDirectory 8.6 objects in two simple steps:
Step 1: eDirectory Integration. You must complete four tasks to prepare your network for eDirectory 8.6.
Step 2: eDirectory Import/Export Wizard. You can use the eDirectory Import/Export Wizard to create large groups of eDirectory objects from existing LDAP databases.
Step 1: eDirectory Integration
When you install NetWare 6, eDirectory 8.6 is installed by default. If you upgrade to NetWare 6 from an existing network, however, you must carefully complete the following four tasks to prepare your network for eDirectory 8.6:
Apply the latest support packs.
Update the eDirectory schema.
Configure the Novell Certificate Server.
Perform an eDirectory health check.
Let's explore step 1 in more depth, starting with support packs.
Applying the Latest Support Packs
eDirectory 8.6 operates at the core of your network. Thus, you should ensure that the latest NetWare Support Packs have been installed on all of your NetWare servers before implementing eDirectory 8.6. These updates can be downloaded from the Novell Web site at http://support.Novell.com.
Updating the eDirectory Schema
eDirectory uses a mechanism called the schema to define the object naming structure for all network resources. The schema is distributed to all NetWare servers and follows specific rules. Think of the schema as the pulse of eDirectory 8.6.
Prior to installing NetWare 6 and updating your network to eDirectory 8.6, you must update your network's eDirectory schema. This is easily accomplished using NetWare Deployment Manager (which is located in the root of the NetWare 6 Operating System CD). As you recall from Chapter 2, NetWare Deployment Manager is a graphical tool that guides you through the steps required to ensure that all of your servers are using the latest version of the eDirectory schema. The good news is you only have to complete this procedure once!
Configuring the Novell Certificate Server
Prior to installing NetWare 6 and upgrading your network to eDirectory 8.6, you must configure the Novell Certificate Server.
The Novell Certificate Server allows you to mint, issue, and manage digital certificates from within eDirectory by using two key objects:
Security container object: The Security container holds security-related objects for the eDirectory tree, including the Organizational CA object. This container physically resides at the very top of the eDirectory tree. The first server installed in eDirectory creates and stores the Security container.
Organizational CA object: The Organizational CA object enables secure data transmissions. This object is stored inside the Security container and thus also resides at the very top of the eDirectory tree. Only one Organizational CA object can exist in an eDirectory tree. Once this object is created, it should not be moved to another server. Deleting and re-creating an organizational CA will invalidate any certificates associated with it.
CAUTION
Make sure that the first eDirectory server is the most reliable one in the tree. This special server will host the Organizational CA object and must be operational during the installation of all other servers into the tree.
You must be running the latest version of the Novell Certificate Server in order to implement eDirectory 8.6. To upgrade your network, follow these simple steps:
1. Identify the server that is acting as the organizational CA. Use ConsoleOne to browse to your tree's Security container. Double-click the organizational CA and select the Other tab. The server acting as the CA is listed in the Host Server field.
2. Verify that the CA server is running Novell Certificate Server 2.0 or later. Move to the server that you identified in step 1. From the server console, execute NWCONFIG. Select Product Options, then View/Configure/Remove Installed Products. Finally, look for the PKIS entry to validate the version of Novell Certificate Server you are running.
3. Verify that the necessary security-related objects exist in your Security container. Inside the Security container, you should find the following three security-related objects: a KAP container object, a W0 security object within the KAP container, and an Organizational CA object. If these objects don't exist, the first NetWare 6 server will create them. The network administrator performing the installation, however, must have Supervisor rights in the Security container, as well as at the [Root] of the eDirectory tree.
4. Establish the necessary eDirectory rights for operating the CA. To properly administer the Novell Certificate Server, you must have Supervisor eDirectory rights to the W0 object and to the host server's container. In addition, you must have Read entry rights to the NDSPKI:Private Key attribute of the organizational CA.
5. Download and install the client NICI on the ConsoleOne administrative workstation. The Client NICI can be downloaded from the Novell Web site at http://www.Novell.com/products/cryptograpy.
After you have successfully accomplished these five tasks, updated the directory schema, and applied the latest support packs, your network is ready to accommodate eDirectory 8.6. Ready, set, go!
If you use the Novell Certificate Server 2.20 ConsoleOne Snap-In (which is included with NetWare 6), you will need to ensure that Client NICI 2.02 (or later) is installed on the ConsoleOne administrative workstation.
Performing an eDirectory Health Check
After you install eDirectory 8.6 on your new network, you should run a health check on each NetWare server to ensure that the integration was successful.
TIP
Regular health checks will help keep your directory running smoothly and make upgrades and troubleshooting much easier. In fact, one of the most frequent problems encountered by Novell Technical Support engineers is caused by network administrators who fail to run a health check on their eDirectory tree after a new server has been installed.
A complete health check begins with verifying the version of eDirectory that you are using. Every NetWare server on your network should be running the same version of DS.NLM. Next, you should check time synchronization because all object and property updates rely on consistent time stamps. Then, you should check partition continuity to ensure that all replicas of a partition are in sync. Finally, you should ensure that all NDS SET parameters are operating correctly.
Following are the detailed steps for the four most important eDirectory health checks, as well as a step-by-step guide to repairing the local database if anything goes wrong.
TIP
You must perform these health check procedures for every server in the eDirectory tree. You can start by performing the steps on the server holding the Master replica for each partition (starting with the Tree partition) and working down the Directory tree.
Time Synchronization Check
Start at the NetWare server holding the Master replica for the Tree partition. At the server console, execute DSREPAIR, and then select Time Synchronization to check the version of DS.NLM on each server synchronizing with this one. Also, verify that time stamps are properly synchronized.
Server-to-Server Synchronization Check
At the server console, enter the following DSTRACE commands to check server-to-server synchronization:
SET DSTRACE=ON - Activates the trace screen for eDirectory transactions.
SET DSTRACE=+S - Permits you to view the synchronization of objects.
SET DSTRACE=*H - Initiates synchronization between servers.
Next, press Ctrl+Esc and select Directory Services from the Current Screens list to view the Directory Services Trace screen. If there are no errors, a message will appear indicating that All Processed=YES. This message should appear for each partition on this server.
Replica Check
In DSREPAIR, you can perform four different health check procedures to ensure that replicas are synchronizing correctly. Follow these simple procedures:
Replica Synchronization: Select Report Synchronization Status to view replica synchronization. A server must have a replica for this operation to work.
External References: In the Advanced Options menu, select Check External References. This option shows external references, obituaries, and the states of all servers in the backlink list for the obituaries.
Replica State: In the Advanced Options menu, select Replica and Partition Operations. Verify that the replica state is on.
Replica Ring: In the Advanced Options menu, select Replica and Partition Operations. Then choose a particular partition and select View Replica Ring. Verify that the servers holding replicas of that partition are on and correct.
NOTE
Obituaries are objects that are deleted from the tree and waiting to be purged.
Schema Check
At the server console, enter the following DSTRACE commands to check the health of your eDirectory schema:
SET DSTRACE=ON - Activates the trace screen for eDirectory transactions.
SET DSTRACE=+SCHEMA - Displays schema information.
SET DSTRACE=*SS - Initiates schema synchronization.
At the server console, press Ctrl+Esc and select Directory Services from the Current Screens list to view the Directory Services Trace screen. If there are no errors, a message will appear indicating that All Processed=YES.
Repair the Local Database
If you find errors in your eDirectory database after performing the health checks described above, you can attempt to repair the local database using DSREPAIR. This process may take a considerable amount of time and does lock the database during repair, so make sure that you perform the repair procedure after normal business hours.
In DSREPAIR,
- Select the Advanced Options menu.
- Choose Repair Local DS Database.
- Mark the options on this page as follows:
  Check Local References: Yes
  Rebuild Operational Schema: Yes
  All Other Options: No
- DSREPAIR displays a message stating that authentication cannot occur with this server when the eDirectory database is locked. Press F10 and select Yes.
- When the repair process is complete, exit DSREPAIR.
This option locks the eDirectory database.
After you have completed all of the eDirectory health checks and repaired the local database, you're done. Now you can rest easy knowing that your eDirectory database is in the best possible condition it can be. And the good news is that you are ready to begin populating your tree with users, servers, containers, and other network objects.
Let's shift our focus to step 2 of eDirectory Implementation: the eDirectory Import/Export Wizard.
After you have completed all of the health check procedures described above, you will need to enter the following commands at the server console to turn off DSTRACE:
- SET DSTRACE=nodebug - Erases all DSTRACE SET commands.
- SET DSTRACE=+min - Sets DSTRACE to minimum settings.
- SET DSTRACE=off - Turns off the DSTRACE screen.
If left running, DSTRACE uses server resources that can slow down critical procedures. So when in doubt, turn it off.
Lab Exercise 3.1: Implement Novell eDirectory 8.6
In Chapter 2, you used the NetWare 6 migration process to move data from a NetWare 5.1 (source) server across the network to a new temporary (destination) NetWare 6 server. After the migration, the temporary NetWare 6 (destination) server then assumed the identity of the source server.
In this lab exercise, you will run the following types of tests to verify that the LABS-SRV1 server is operating properly after the migration:
Part I: Verify that Time Synchronization Is Properly Configured
Part II: Run a Health Check
In this lab exercise, you will need the following servers:
LABS-SRV1 server created in Lab Exercise 2.2.
WHITE-SRV1 server created in Lab Exercise 2.2.
Part I: Verify that Time Synchronization Is Properly Configured
Complete the following tasks:
- Verify that the LABS-SRV1 server is configured as a Single Reference time provider.
At the LABS-SRV1 server prompt, enter MONITOR.
When the Available Options menu appears, select Server Parameters.
TIP
If you hesitate too long when making your selection, you'll notice that the General Information window automatically expands and, in the process, hides the Available Options menu. If this occurs, simply press Tab to gain access to the Available Options menu.
When the Select a Parameter Category menu appears, select Time.
When the Time Parameters window appears:
Verify that the TIMESYNC Type is SINGLE.
Verify that the Default Time Server Type is SINGLE.
Exit MONITOR.
Part II: Run a Health Check
Complete the following tasks:
1. Check server-to-server synchronization:
   a. At the LABS-SRV1 server console prompt, enter each of these commands:
      SET DSTRACE=ON
      SET DSTRACE=+S
      SET DSTRACE=*H
      TIP
      At the server console, you can press Alt+Esc to toggle between screens or Ctrl+Esc to display a list of active screens.
   b. Press Ctrl+Esc.
   c. When the Current Screens menu appears, select Directory Services.
   d. When the DSTRACE screen appears, review the information on the screen:
      - If no errors were found, skip to step 2.
      - If any errors were found, try reentering the following commands at the server console prompt, and then return to step 1b:
        SET DSTRACE=+S
        SET DSTRACE=*H
2. Check schema information:
   a. At the LABS-SRV1 server console prompt, enter these commands:
      SET DSTRACE=+SCHEMA
      SET DSTRACE=*SS
   b. Press Ctrl+Esc.
   c. When the Current Screens menu appears, select Directory Services.
   d. When the DSTRACE screen appears, verify that the following message is displayed: All Processed = YES.
3. Verify the DS.NLM version and check time synchronization:
   a. At the LABS-SRV1 server console prompt, enter DSREPAIR.
   b. When the Available Options menu appears, select Time Synchronization.
   c. When the View Log File (Last Entry): SYS:SYSTEM\DSREPAIR.LOG window appears:
      - Verify that the DS.NLM version is 10110.20 or later.
      - Verify that time is synchronized.
   d. Press Esc to return to the Available Options menu.
4. Check replica synchronization:
   a. When the Available Options menu appears, select Report Synchronization Status.
   b. When the View Log File (Last Entry): SYS:SYSTEM\DSREPAIR.LOG window appears, verify that the replicas on all servers are synchronized up to time for each partition.
   c. Press Esc to return to the Available Options menu.
5. Check external references:
   a. When the Available Options menu appears, select Advanced Options Menu.
   b. When the Advanced Options menu appears, select Check External References.
   c. When the View Log File (Last Entry): SYS:SYSTEM\DSREPAIR.LOG window appears, you'll notice that no external references were checked.
   d. Press Esc to return to the Advanced Options menu.
6. Check the replica state:
   a. When the Advanced Options menu appears, select Replica and Partition Operations.
   b. When the Replicas Stored on This Server window appears, verify that the Replica State is On for all partitions.
   c. Press Esc to return to the Advanced Options menu.
7. Check the replica ring:
   a. In the Advanced Options menu, select Replica and Partition Operations.
   b. When the Replicas Stored on This Server window appears, select the [Root] partition.
   c. When the Replica Options, Partition: .[Root]. menu appears, select View Replica Ring.
   d. When the Replicas of Partition .[Root]. window appears:
      - Verify that the servers holding replicas of this partition are correct.
      - Verify that the replica state of the [Root] partition is On.
   e. Press Esc three times to return to the Advanced Options menu.
8. Repair the local database:
   a. When the Advanced Options menu appears, select Repair Local DS Database.
   b. When the Repair Local Database Options window appears:
      - In the Rebuild Operational Schema field, you'll notice there is a warning indicating that you should not enable this option unless directed by Technical Support. Change the value to Yes anyway. (To do so, press Y, and then press Enter.)
      - In the Repair All Local References field, verify that Yes is displayed.
      - Leave all other parameters on the page at their default settings.
      - Press F10.
   c. When the Repair Directory menu appears:
      - Read the warning indicating that you have selected to lock the DB (DIB) database while the repair operation is running and that users will be prevented from logging in.
      - Select Yes to continue.
   d. Wait while the repair operation proceeds.
   e. When prompted that the repair is complete:
      - In the Total Errors field, note the number of errors. (It should be 0.)
      - Press Enter to continue.
   f. When the View the Current Log File menu appears, select No.
   g. When the Repair Local Database Options window appears:
      - If errors were encountered in step 8e, press F10 to repeat the repair process.
      - If no errors were encountered in step 8e, exit DSREPAIR.
   NOTE
   If errors were encountered, you may want to continue running Repair Local DS Database until no errors are displayed.
9. Turn off DSTRACE. At the server console prompt, enter these commands:
   Set DSTRACE=nodebug
   Set DSTRACE=+min
   Set DSTRACE=off
Step 2: eDirectory Import/Export Wizard
Once your network is ready to accept eDirectory 8.6 objects, you can take advantage of Novell's new eDirectory Import/Export Wizard to create large batches of objects with the touch of a single button. The wizard uses the Novell Import/Conversion Export (ICE) engine installed with ConsoleOne. This engine allows you to convert LDAP Data Interchange Format (LDIF) files into eDirectory objects.
In this second eDirectory implementation lesson, you will learn how to use the eDirectory Import/Export Wizard to manage LDIF files. But, first, let's review the basics of LDAP and LDIF.
TIP
The NetWare 6 installation program copies two versions of the Novell Import/Conversion Export engine to your server automatically: a Win32 version (ICE.EXE) and a NetWare version (ICE.NLM). On Linux, Solaris, and Tru64 UNIX systems, ICE is included in the "NDSadmut1" package.
LDAP and LDIF Basics
LDAP and LDIF combine to create the directory access file format used by the ICE engine to create large groups of eDirectory objects with the touch of a single button.
LDAP is an Internet communications protocol based on the X.500 Directory Access Protocol (DAP). Fundamentally, LDAP allows client applications to access directory information running on a NetWare server. This is accomplished using an eDirectory service called LDAP Services for eDirectory, which is provided by NLDAP.NLM.
LDIF is a standard that defines an ASCII text file format that is used to exchange data between LDAP-compliant directories. LDIF files are commonly used to initially build a directory database or to add a large number of entries to a directory all at once. In this case, we are using LDIF files with the ICE engine to add a large number of network object entries to eDirectory with the touch of a single button.
So how do they work? LDIF files consist of one or more entries separated by a blank line. Each LDIF entry has an optional entry ID, a required distinguished name, one or more object classes, and multiple attribute definitions. You can specify object classes and attributes in any order.
Table 3.2 describes the LDIF fields used in the following example. This example accomplishes two tasks: it creates an Organization object named ACME, and then it creates a user named AEinstein in the ACME container.
dn: o=ACME
changetype: add
o: ACME
objectClass: organization
objectClass: ndsLoginProperties
objectClass: ndsContainerLoginProperties
objectClass: top
ACL: 2#entry#o=ACME#loginScript
ACL: 2#entry#o=ACME#printJobConfiguration

dn: cn=aeinstein,o=ACME
changetype: add
uid: aeinstein
otherGUID:: bsaWkLmDlk+Sdcy8z17PpA==
givenName: Albert
fullName: Albert Einstein
Language: ENGLISH
Title: Chief Scientist
sn: Einstein
ou: LABS
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
ou: NORAD
cn: aeinstein
ACL: 2#subtree#cn=aeinstein,o=ACME#[All Attributes Rights]
ACL: 6#entry#cn=aeinstein,o=ACME#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=aeinstein,o=ACME#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress
Table 3.2 LDIF Field Formats
Parameter | Description
Dn | Specifies the distinguished name for the entry.
changetype | Valid changetype values are add, modify, moddn, and delete.
objectClass | Specifies an object class to use with this entry. Each object class defines the types of attributes allowed or required for the entry.
attribute type | Specifies an attribute to define for the entry.
attribute value | Specifies a value to be assigned to the attribute type.
LDAP and eDirectory share a similar naming syntax. There are, however, two important differences when specifying object names in LDAP:
- LDAP uses commas (,) as naming separators instead of periods (.).
- LDAP names always use typeful, full distinguished names.
Using the eDirectory Import/Export Wizard
The eDirectory Import/Export Wizard is a snap-in utility built into ConsoleOne. The wizard uses ICE as an import/export engine to manage a collection of handlers that read from or write to LDIF files. For example, to import LDIF data into an LDAP directory, ICE uses an LDIF source handler to read the LDIF file and an LDAP destination handler to send the data to the correct LDAP directory server.
NOTE
ICE replaces BULKLOAD and UIMPORT that were included with previous versions of eDirectory. ICE supports a command-line interface in addition to the Import/Export Wizard.
As you can see in Figure 3.3, the ConsoleOne Import/Export Wizard supports three different tasks:
Import data from LDIF files to an LDAP directory
Export data from an LDAP directory to an LDIF file
Migrate data between LDAP servers
Figure 3.3 Using the eDirectory Import/Export Wizard in ConsoleOne.
Whether you are importing, exporting, or migrating LDIF data, the steps are nearly identical. Following is a step-by-step description of all three tasks and how to accomplish them by using the eDirectory Import/Export Wizard:
1. In ConsoleOne, select Wizards, and then select NDS Import/Export.
2. In the Select Task screen shown in Figure 3.3, choose Import, Export, or Migrate, depending on the task you want to accomplish.
3. Based on the task you chose in step 2, perform one of the following:
   - Import: Enter the name of the LDIF file containing the data you want to import, select Next, and then specify the LDAP-compliant server where the data will be imported.
   - Export: Specify the LDAP-compliant server holding the entries you want to export. Enter a DNS name or IP address.
   - Migrate: Specify the LDAP-compliant server holding the entries you want to migrate. Enter a DNS name or IP address.
4. Regardless of the task you select, the wizard will ask you to fill out a form full of import/export options. Follow along in Table 3.3 as you complete the appropriate form. Select Next when you are done.
5. Based on the option you chose in step 2 above, perform the appropriate task below:
   - Import: Click Finish to begin the LDIF import.
   - Export: Specify the search criteria for the entries you want to export. These criteria include Base DN, Scope, Filter, and search Attributes. After you have specified the search criteria, select Next and enter the name of the LDIF file that will store the exported information. Finally, select Next and Finish to begin the LDIF export.
   - Migrate: Specify the search criteria for the entries you want to migrate, and then select Next and choose an LDAP server where the data will be migrated. Finally, select Next and Finish to migrate the LDIF data.
Table 3.3 eDirectory Import/Export Configuration Options
Option | Description
Server DNS Name/IP Address | Enter the DNS name or IP address of the source or destination LDAP server.
Port | Enter the integer port number of the source or destination LDAP server. By default, you can use the number "389" for clear-text or "636" for secure transmissions.
Login Method Guidelines | Select "Authenticated Login" or "Anonymous" for the entry specified in the User DN field.
User DN | If using Authenticated Login, enter the distinguished name of the entry that should be used when binding to the server.
Password | If using Authenticated Login, enter the password for the entry specified in the User DN field.
DER file | (optional) Enter the name of the DER file containing a server key used for SSL authentication. This field is required if you use Port 636 for secure communications. Of course, you can always use the default "RootCert.der" file created during installation in the SYS:\PUBLIC directory.
Using the LBURP Protocol
In addition to the standard synchronous protocol that ICE uses, you can also take advantage of the LDAP Bulk Update/Replication Protocol (LBURP). Excuse me.
LBURP allows ICE to send several update operations in a single request and to receive a response for all update operations in a single response. This asynchronous update processing guarantees that import/export requests are processed in the order specified and adds a tremendous amount of network efficiency to the overall system. LBURP lets ICE present data to the server as fast as the network connection will allow. In fact, if the network connection is fast enough, LBURP will keep the server busy processing update operations 100 percent of the time.
LBURP is enabled by default but you can disable it during an LDIF import by using the Advanced Options screen shown in Figure 3.4. To enable or disable LBURP during an LDIF import, select or deselect the Use LBURP option in Figure 3.4. You can find the Advanced Options screen by selecting the Advanced tab on the LDAP Server Selection screen.
Figure 3.4 eDirectory Import/Export Wizard Advanced Options.
TIP
Because LBURP is relatively new, eDirectory servers prior to version 8.5 and most non-eDirectory LDAP servers do not support it. If you are using the eDirectory Import/Export Wizard to import an LDIF file to one of these servers, you must disable the LBURP option in order for the import to work.
This completes our comprehensive lesson in eDirectory 8.6 implementation. In this two-step process, you learned how to integrate eDirectory 8.6 into an existing network and import large groups of eDirectory objects using the eDirectory Import/Export Wizard. In step 1, you learned there are three important preintegration tasks that you must accomplish in order to prepare your network for eDirectory 8.6. In addition, you learned how to perform a variety of eDirectory health check procedures after your network has been updated. These procedures included a time synchronization check, server-to-server synchronization check, replica check, and schema check.
Once eDirectory 8.6 was in place, we shifted our attention to the eDirectory Import/Export Wizard. This wizard uses an import/export engine called ICE to manage directory entries in LDIF format. You learned how to use the eDirectory Import/Export Wizard to import data from LDIF files to an LDAP directory, export data from an LDAP directory, and perform a data migration between two LDAP servers.
Congratulations, you are now an eDirectory 8.6 pro! Now it's time to build a comprehensive maintenance plan. At this point, your attention shifts from building it to keeping it running.
Lab Exercise 3.2: Import Users with eDirectory Import/Export Wizard
In this lab exercise, you will learn to use the ConsoleOne eDirectory Import/Export Wizard to import LDIF files that are located on the Sams Publishing web site. You will then use these files to create two Organizational Unit containers in the ACME container and to add users to these containers by using the information in Table 3.4.
In this lab exercise, you will need the following servers:
LABS-SRV1 server created in Lab Exercise 2.1.
WHITE-SRV1 server created in Lab Exercise 2.2.
Table 3.4 LDIF Import File Information
File | Related Information
First LDIF file | Organizational Unit: Administrators
First LDIF file | Log File: ADM-ICE.LOG
First LDIF file | LDIF File: ADM-LDIF.LDF
Second LDIF file | Organizational Unit: Contractors
Second LDIF file | Log File: CON-ICE.LOG
Second LDIF file | LDIF file: CON-LDIF.LDF
Complete the following tasks:
1. At the WHITE-SRV1 server console prompt, execute ConsoleOne. If necessary, authenticate as admin.
2. Import the ADM-LDIF.LDF file.
   - In ConsoleOne, browse to the ACME Organization object.
   - Select Wizards, NDS Import/Export.
   - When the Select Task dialog box appears:
     - Verify that Import LDIF File is selected.
     - Select Advanced.
   - When the Advanced Options dialog box appears:
     - In the Log File field, change the name of the log file to ADM-ICE.LOG.
     - Select Overwrite Existing Log File.
     - Select OK.
   - When the Select Task dialog box reappears, select Next.
   - When the Select Source LDIF file dialog box appears:
     - Browse to and select the ADM-LDIF.LDF file.
     - Select Advanced.
   - When the Advanced Options dialog box appears, deselect Exit on Error; then select OK.
   - When the Select Source LDIF File dialog box reappears, select Next.
   - When the Select Destination LDAP Server dialog box appears, select New.
   - When the Add Server dialog box appears:
     - In the Description field, enter ACME Import.
     - In the Server DNS Name/IP Address field, enter the IP address of your server. (If you're using the IP address listed in this book, enter 192.168.1.100.)
     - In the Port field, enter 389.
     - In the User DN field, enter cn=admin,o=ACME.
     - Select OK.
   TIP
   Make sure you use a comma (,) after cn=admin instead of a period (.) because the use of a comma is an LDAP syntax rule.
   - When the Select Destination LDAP Server screen appears:
     - Select ACME Import.
     - In the Password field, enter acme.
     - Select Advanced.
   - When the Advanced Options dialog box appears, select Allow Forward References, and then select OK.
   TIP
   When working with LDIF, you may encounter a situation where an operation to add an entry precedes an operation to add its parent. If this occurs, an error is generated because the parent does not exist. This problem can be solved through the use of forward references. Under such a scenario, when an entry is created before its parent, a forward reference is created, which allows the entry to be created. If a subsequent operation creates the parent, the forward reference is converted to a normal entry.
   - When the Select Destination LDAP Server screen reappears, select Next.
   - When the summary window appears, select Finish.
   - You see text similar to the following:
     Source Handler: ICE LDIF handler for Novell eDirectory 8.6.0 version: 10110.05
     Destination Handler: ICE LDAP handler for Novell eDirectory 8.6.0 version: 10110.05
     ICE log file: ADM-ICE.LOG
     Start time: Friday, January 25, 2001 5:40:32 am
     operation in progress .
     Total entries processed: 24
     Total number of errors: 0
     End time: Friday, January 25, 2001 5:40:33 am
     Total Time: 0:00:01.107
     Time per entry: 00:00-044
   - Select Close.
   - Refresh your tree view by selecting View, Refresh.
3. Repeat step 2 using the CON-LDIF.LDF file. Also, make the following changes to the process:
   - Log File: CON-ICE.LOG.
   - Source File: CON-LDIF.LDF.
4. After both LDIF files are imported, make sure the following Organizational Unit containers appear in the ACME container:
   - Administrators
   - Contractors
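The LDIF rules from LDAP and LDIF Basics (blank-line-separated entries, a required dn, the changetype values of Table 3.2) and the parent-before-child problem described in the forward-references TIP can both be checked before a file is handed to the wizard. The Python below is an added example, not code from the book or from ICE; it also lists ACL values granted to [Public] or [Root] so they can be reviewed before import. The function names, the ou=LABS entry in the sample, and treating a missing changetype as add are assumptions.

```python
import base64
import re

# Constructed sample: the page's ACME and aeinstein records (trimmed), plus one
# invented entry under ou=LABS, a container that this file never creates.
SAMPLE_LDIF = """\
dn: o=ACME
changetype: add
o: ACME
objectClass: organization
ACL: 2#entry#o=ACME#loginScript

dn: cn=aeinstein,o=ACME
changetype: add
otherGUID:: bsaWkLmDlk+Sdcy8z17PpA==
objectClass: inetOrgPerson
ACL: 2#subtree#cn=aeinstein,o=ACME#[All Attributes Rights]
ACL: 2#entry#[Public]#messageServer

dn: cn=mcurie,ou=LABS,o=ACME
changetype: add
objectClass: inetOrgPerson
"""

VALID_CHANGETYPES = {"add", "modify", "moddn", "delete"}  # values from Table 3.2


def parse_ldif(text):
    """Split LDIF text into entries, each a list of (attribute, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)      # unfold lines continued with a space
    entries = []
    for block in re.split(r"\n[ \t\r]*\n", text):   # a blank line ends an entry
        entry = []
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, sep, rest = line.partition(":")
            if not sep:
                raise ValueError(f"not an attribute line: {line!r}")
            # "attr:: value" carries base64 data; "attr: value" is plain text
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            entry.append((name.strip().lower(), value))
        if entry:
            entries.append(entry)
    return entries


def parent_dn(dn):
    """Return the DN minus its leftmost RDN, or None for a top-level entry."""
    match = re.search(r"(?<!\\),", dn)      # first comma not escaped as "\,"
    return dn[match.end():].strip().lower() if match else None


def check_import(entries):
    """Return (dn, problem) findings to review before running the import."""
    findings, created = [], set()
    for entry in entries:
        attrs = {}
        for name, value in entry:
            attrs.setdefault(name, []).append(value)
        dn = attrs.get("dn", [""])[0]
        if isinstance(dn, bytes):           # "dn::" form, base64 of UTF-8 text
            dn = dn.decode("utf-8", "replace")
        # Assumption: a record with no changetype is a plain content record (add).
        change = attrs.get("changetype", ["add"])[0]
        if not dn:
            findings.append(("<no dn>", "entry has no distinguished name"))
        elif change not in VALID_CHANGETYPES:
            findings.append((dn, f"unknown changetype {change!r}"))
        elif change == "add":
            parent = parent_dn(dn)
            if parent and parent not in created:
                findings.append((dn, f"parent {parent} not created earlier in file"))
            created.add(dn.strip().lower())
    return findings


def broad_acl_grants(entries, subjects=("[public]", "[root]")):
    """ACLs naming a wide subject, as (dn, number, scope, subject, attribute)."""
    grants = []
    for entry in entries:
        dn = next((v for n, v in entry if n == "dn"), None)
        for name, value in entry:
            # Field order read off the page's examples: number#scope#subject#attribute
            fields = value.split("#", 3) if name == "acl" and isinstance(value, str) else []
            if len(fields) == 4 and fields[2].lower() in subjects:
                grants.append((dn, *fields))
    return grants


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(*check_import(parsed), *broad_acl_grants(parsed), sep="\n")
```

A parent reported as missing may already exist in the tree; if it does not, reorder the file or select Allow Forward References as in step 2 of the lab.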