www.novell.com/documentation
Administration Guide
iManager 2.7.6
April 2013

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2010-2013 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.netiq.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

About This Guide

This guide describes how to administer Novell iManager 2.7, and contains the following sections:

- Chapter 1, "Overview"
- Chapter 2, "Accessing iManager"
- Chapter 3, "Navigating the iManager Interface"
- Chapter 4, "Browsing Objects"
- Chapter 5, "Roles and Tasks"
- Chapter 6, "Configuring and Customizing iManager"
- Chapter 7, "Preferences"
- Chapter 8, "Troubleshooting"
- Chapter 9, "Auditing iManager Events"
- Chapter 10, "Best Practices and Common Questions"
- Appendix A, "iManager Security Issues"
- Appendix B, "Novell Plug-in Modules"

Audience

This guide is intended for network administrators.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to Novell Documentation Feedback (http://www.netiq.com/documentation/feedback.html) and enter your comments there.

Documentation Updates

For the most current version of the Novell iManager 2.7.6 Administration Guide, see the English version of the documentation at the Novell iManager online documentation site (https://www.netiq.com/documentation/imanager27/index.html).

Additional Documentation

- Novell iManager 2.7.6 Installation Guide (https://www.netiq.com/documentation/imanager/imanager_admin/data/hk42s9ot.html)
- Novell eDirectory home (http://www.novell.com/products/edirectory)
- Novell eDirectory documentation (https://www.netiq.com/documentation/edir88/index.html)
- eDirectory Cool Solutions community (http://www.novell.com/communities/coolsolutions/edirectory)
- Novell Technical Services (http://support.novell.com)

1 Overview

Novell iManager is a Web-based administration console that provides secure, customized access to network administration utilities and content from virtually anywhere you have access to the Internet and a Web browser.

iManager provides the following:

- Single point of administration for Novell eDirectory objects, schema, partitions, and replicas
- Single point of administration for many other network resources
- Management of many other Novell products using iManager plug-ins
- Role-Based Services (RBS) for delegated administration

Because iManager is a Web-based tool, it enjoys several advantages over client-based administrative tools:

- Upgrade once, on the server, for all administrative users
- Changes to iManager look, feel, and functionality are immediately available to all administrative users
- Do not need to open additional administrative ports for remote access. iManager leverages standard HTTP ports (80/443). With iManager 2.7.6, you can pass non-standard HTTP ports.
- Not necessary to download and maintain an administrative client
- Not necessary to keep client software synchronized with changes to server software

1.1 What's New in iManager 2.7.6

The following features are newly available with Novell iManager 2.7.6:

- Tomcat and Java version support: iManager now supports Tomcat 7.0.32 and Java 1.7.0_04.
- Browser support: iManager now supports Internet Explorer 10.
- Improved Upgrade process: iManager now ensures a smooth upgrade process. During the upgrade process, the installation program replaces the existing JRE and Tomcat installations with the latest versions. This will also upgrade iManager to the latest version.

1.2 Additional Resources

For more information on topics relevant to Novell iManager, refer to the following Web sites:

- Apache Tomcat (http://tomcat.apache.org/)
- Proxy Support HOW-TO (http://tomcat.apache.org/tomcat-4.1-doc/proxy-howto.html)
- Java Web site (http://www.oracle.com/technetwork/java/index.html)
- Microsoft IIS* Web site (http://www.iis.net/)

2 Accessing iManager

You access Novell iManager via a Web browser. This section includes the following topics:

- Section 2.1, "Using a Supported Web Browser"
- Section 2.2, "Accessing iManager"
- Section 2.3, "Accessing NCP Server Objects"
- Section 2.4, "Access Modes"
- Section 2.5, "Authenticating"

2.1 Using a Supported Web Browser

For iManager access and complete use of all its features, use one of the following Web browsers. Although you might be able to access iManager via a Web browser not listed, we do not guarantee or support full functionality with any browser other than the following:

- Safari 5.0. Safari 6.0 is certified
- Google Chrome 18, 21, 22, 23, and 25 are certified
- Internet Explorer (IE) 6 SP2 on Windows XP
- IE 7
- IE 8
- IE 9
- IE 10
- Firefox 1.5.x, 2.x, 3.0, 3.5, and 3.6
- Firefox 4.0.1
- Firefox 9.0.1
- Firefox 10, 11, 12, 13, 14, 15, 16, and 19

In order for some iManager wizards and help to work, you must enable pop-up windows in your Web browser. If you use an application that blocks pop-up windows, then disable the blocking feature while working in iManager or allow pop-ups from the iManager host.

If you have configured your Web browser to not display Web site images, the iManager interface may become garbled and unusable. In Firefox v1.5.x, for example, users can disable image loading from Tools > Options > Content.

2.2 Accessing iManager

Accessing iManager varies based on the iManager version (server-based or workstation) and the platform on which iManager is running. For information on installing iManager, see the Novell iManager 2.7.6 Installation Guide.

2.2.1 Accessing Server-based iManager

To access server-based iManager:

1. Enter one of the following in the Address (URL) field of a supported Web browser.

   Because iManager 2.7 uses only Tomcat 5/5.5 for its Web server requirements, on platforms other than Novell Open Enterprise Server 2 (OES 2) you must specify the Tomcat port as part of the iManager URL. The default URL to start iManager 2.7 is as follows:

   Secure URL: https://:8443/nps/iManager.html

   iManager 2.7 on the OES 2 platform uses the following default iManager URL:

   Secure URL: https:///nps/iManager.html

   Although slightly different iManager URLs might work on some platforms, Novell recommends using these URLs for consistency.

2. Log in using your username, password and tree name.

2.2.2 Accessing iManager Workstation

To access iManager Workstation:

1. Execute the appropriate iManager Workstation startup script.

   Linux: Navigate to the imanager/bin directory and execute ./iManager.sh.

   NOTE: If you plan to run iManager Workstation as a non-root user in the future, do not run iManager as root the first time.

   Windows: Execute imanager\bin\iManager.bat.

2. Log in by using your username, password, and tree name.

2.3 Accessing NCP Server Objects

To improve the performance of the NetWare Core Protocol (NCP) server objects, the Modify Index Location option must be disabled. To disable the Modify Index Location option:

1. Open the config.xml file from /webapps/nps/WEB-INF/config.xml.
2. Add the following content to the config.xml file.
3. Save the changes and restart Tomcat. For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

NOTE: To modify the indexes of the NCP server objects, go to Roles and Tasks > eDirectory Maintenance > Indexes > NCP Server Object > Indexes > Modify Index Location.

2.4 Access Modes

When you start iManager, you are granted an access mode based on the rights you've been assigned. iManager has three access modes. The mode you are in is displayed on the iManager home page.

Unrestricted Access: This is the default mode before RBS is configured. It displays all of the roles and tasks installed. Although all roles and tasks are visible, the authenticated user still needs the necessary rights to use the tasks.

There is a setting that you can add to the config.xml file which forces Unrestricted Access, even if Role-Based Services is installed. To force Unrestricted Access for all users, add this setting to \webapps\nps\WEB-INF\config.xml, then restart Tomcat:

For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

NOTE: When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page: Notice: Some of the roles and tasks are not available. Clicking View Details might display a Not supported by current authenticators message for several of the tasks, even though the tasks work correctly. This message is misleading, and iManager removes these messages after you configure RBS.

Assigned Access: Displays only the roles and tasks assigned to the authenticated user. This mode takes full advantage of the Role-Based Services technology.

Collection Owner: Displays all of the roles and tasks installed in the collection. If you are a collection owner, though you are not assigned specific roles, it allows you to use all the roles and tasks in the collection. Role-Based Services must be installed in order to use this mode. Adding a group or user as a collection owner does not assign any RBS rights. To assign rights you must make explicit RBS role assignments or make trustee assignments.

NOTE: When collection is assigned to a group, all the members of that group get the collection ownership. The collection owner sees all roles and tasks, regardless of role membership.

2.5 Authenticating

Be aware of the following issues related to iManager authentication:

- Section 2.5.1, "Tree Name Field"
- Section 2.5.2, "Logging in to a Server without a Replica"
- Section 2.5.3, "Unsuccessful Authentication"
- Section 2.5.4, "Expired Password Information"
- Section 2.5.5, "Contextless Login Using Alternate Object Classes and/or Alternate Attributes"

NOTE: If your network has more than three servers, or one or more servers that do not host eDirectory replicas, you must have SLP properly configured for iManager to log in. For more information, see the Novell Open Enterprise Server SLP documentation (http://www.novell.com/documentation/oes/networking-protocols.html#slp).

2.5.1 Tree Name Field

If eDirectory is installed and running on another port besides the default port 524, you can use the IP address or DNS name of the eDirectory server to log in if you also specify the port (for example, 127.0.0.1:1080). If you use the tree name to log in, you do not have to specify a port.

Possible values for the Tree Name field are the tree name, the server IP address, and the server DNS name. For best results, use the IP address.

2.5.2 Logging in to a Server without a Replica

If necessary, iManager can log in to the eDirectory tree using a server that does not host an eDirectory replica. To do this, iManager maintains a connection cache with the information it needs to successfully log in.

To populate the connection cache, the first time you log in to an eDirectory tree with iManager you must log in to a server that hosts a replica. Restarting Tomcat or the iManager server clears the connection cache, so the first time iManager logs in following one of these events, you must log in to a server that hosts a replica.

2.5.3 Unsuccessful Authentication

Login failures occur for a variety of reasons. Authentication error messages are addressed in "Authentication Issues" on page 88.

For information about limiting the error messages that iManager displays upon a failed authentication attempt, see "Preventing User Name Discovery" on page 113.

2.5.4 Expired Password Information

If a password expires, the user sees a message to this effect. However, users might not be aware that grace logins can be quickly consumed, depending on certain operations such as modifying a dynamic group, simple find, and setting a simple password. These operations consume additional grace logins each time a user performs a task. We highly recommend that you encourage users to change their passwords the first time they are prompted.

2.5.5 Contextless Login Using Alternate Object Classes and/or Alternate Attributes

To enable contextless authentication using an alternate object type, do the following:

1. Open iManager and browse to Configure > iManager Server > Configure iManager > Authentication.

   If you do not see this task, you are not an authorized user. See "Authorized Users and Groups" on page 72.

2. Set Public Username and Password to a user that has rights to read the desired attributes.

3. Modify \webapps\nps\WEB-INF\config.xml to include a property that lists the attributes you want to add to the contextless search, and then restart Tomcat.

   For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

For example, the following XML adds the Alias and User objects to the contextless search:

Similarly, the following XML allows users to log in with the CN or uniqueID attribute:

IMPORTANT: In the sample code above, replace treename with the name of the appropriate directory tree in lowercase. If you save any iManager Server settings from the Configure iManager task after editing the config.xml file, verify that the tree name is still in lowercase or customized contextless login will fail.

3 Navigating the iManager Interface

This section describes how to navigate through the Novell iManager 2.7 interface.

- Section 3.1, "iManager Interface"
- Section 3.2, "Special Characters"

3.1 iManager Interface

The iManager interface comprises three main regions, or frames.

- Header Frame
- Navigation Frame
- Content Frame

Figure 3-1 iManager interface with default Roles and Tasks view

NOTE: Use only the buttons within the interface when you are navigating in iManager. Do not use the Web browser's navigation buttons (Back, Next, etc.).

To change the default view in Preferences, see "Set Initial View" on page 86.

3.1.1 Header Frame

The Header frame is a largely static frame that occupies the top of the iManager interface. It provides icons with which you can access iManager's various views. A view is a combination of Navigation and Content frames that deliver specific management functionality. For example, the default Roles and Tasks view lets you select a given task in the Navigation frame, and then perform the selected task in the Content frame.

Figure 3-2 iManager Header frame

The iManager Header frame includes the following icons:

- Home: Returns the Content frame to its default view (as in Figure 3-1).
- Exit: Logs you out of eDirectory.
- Roles and Tasks: This view displays all the tasks you are authorized to perform in the Navigation frame. This is iManager's default view. For more information, see Chapter 5, "Roles and Tasks," on page 35.
- View Objects: This view contains browsing and searching functionality to find objects, including a Tree View feature similar to that used in ConsoleOne. For more information, see Chapter 4, "Browsing Objects," on page 25.
- Configure: This view contains Role-Based Services, iManager Server, Object Creation List, Plug-in Installation, E-mail Notification, and Views, all of which you can configure as you want.
- Favorites: This view displays your most frequent tasks, selected from the Preferences > Favorites page.
- Preferences: This view sets your preferences according to your most frequent tasks, how the Object Selector displays, how your Object View displays, what view appears after logging in to iManager, and what language iManager displays in.
- Help: Displays applicable context-sensitive help information, as determined by the current Content frame.

Additionally, the Header frame identifies the currently authenticated user and the tree name to iManager in the upper left.

For information on how to change iManager's default view, see Chapter 6, "Configuring and Customizing iManager," on page 53.

3.1.2 Navigation Frame

The Navigation frame resides along the left side of the iManager UI. It displays task and functionality options related to the currently selected view. For example, the default Roles and Tasks view lists all the tasks you are authorized to perform. Tasks are organized into categories. The list of categories and tasks varies based on the installed plug-ins and the rights granted to you as an authenticated iManager user.

Figure 3-3 Contents of the Navigation frame when in the Roles and Tasks view

The ordering of tasks within each category is determined by the author of the applicable iManager plug-in. Base plug-in tasks (those that are included with iManager) typically display before tasks from other plug-ins.

3.1.3 Content Frame

The Content frame provides the specific task or object interface, based on the current selection in the Navigation frame.

Figure 3-4 The default contents of the iManager Content view

When a task is not selected, the Content frame displays the iManager home page with general information related to your iManager access rights.

3.2 Special Characters

In iManager, some characters have special significance and must be escaped with the backslash (\) character:

NDAP (eDirectory):

- Period (.)
- Equal sign (=)
- Plus sign (+)
- Backslash (\)

LDAP: Distinguished names (DNs) and

- Leading #
- Leading or trailing spaces

For LDAP, any character can be specified with \xx. See RFC 2253 (http://www.faqs.org/rfcs/rfc2253.html) for more information.

4 Browsing Objects

iManager lets you manipulate and manage directory objects. There are two paradigms for doing this. First, you can browse for and select the objects with which you want to work, and then specify the task you want to perform on those objects (object-then-task). Second, you can select the task you want to perform, and then specify the objects to which you want to apply the task (task-then-object). Either way of doing things is valid, and iManager lets you use the method with which you are most comfortable.

iManager provides the Object View for those from the object-then-task school, and the Object Selector for those from the task-then-object school. The Object Selector is used extensively in the Roles and Tasks view. For more information, see Chapter 5, "Roles and Tasks," on page 35.

This chapter includes the following sections:

- Section 4.1, "Using the Object View"
- Section 4.2, "Using the Object Selector"

NOTE: iManager 2.7 now supports browsing and selecting objects in an NCP-enabled file system. Access file system objects through Server and Volume objects in the directory tree. The ability to browse and select file system objects is available from both the Object View and the Object Selector. However, the actual tasks available for file system objects are provided by the NSS iManager plug-in, which is available separately.

Regardless of the tool you are using, remember the following guidelines when specifying object names:

If the following characters are part of a dotted eDirectory name, escape them with a backslash (\). You don't need escape characters in most values, but you do need them when the name is a distinguished name or relative distinguished name.

- Period (.)
- Equal sign (=)
- Plus sign (+)
- Backslash (\)

If the following characters are part of a name you want to specify in a search, escape them with a backslash (\):

- Asterisk (*)
- Backslash (\)

For example:

- To search for all objects containing a period, use =*.* as the search filter
- To search for all objects containing a plus, use =*+* as the search filter
- To search for all objects containing a backslash, use =*\\* as the search filter
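
The escaping guidelines above, together with the character list in Section 3.2, "Special Characters," worked through as an added example that is not part of the Novell guide. It assumes typed dotted names of the form cn=...ou=...o=..., uses hypothetical function names, and goes beyond the page by also hex-escaping the RFC 2253 special characters (, + " \ < > ;), which the guide only points to.

```python
# Added example, not Novell code. All function names are hypothetical.

NDAP_SPECIAL = ".=+\\"         # Section 3.2: escape in eDirectory dotted names
SEARCH_SPECIAL = "*\\"         # Chapter 4: escape when a search name means them literally
RFC2253_SPECIAL = ',+"\\<>;'   # taken from RFC 2253 section 2.4, not listed on this page


def escape_ndap_value(value):
    """Backslash-escape period, equal sign, plus sign and backslash in one name component."""
    return "".join("\\" + ch if ch in NDAP_SPECIAL else ch for ch in value)


def unescape_ndap_value(value):
    """Reverse escape_ndap_value: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_dotted_dn(components):
    """Join (type, value) pairs, leaf first, into a typed dotted name (assumed format)."""
    return ".".join(f"{t}={escape_ndap_value(v)}" for t, v in components)


def split_dotted_dn(dn):
    """Split on unescaped periods only, keeping escape pairs intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # escaped character is never a separator
            i += 2
            continue
        if dn[i] == ".":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dotted_dn(dn):
    """Return the (type, value) pairs that build_dotted_dn was given."""
    pairs = []
    for part in split_dotted_dn(dn):
        attr, _, raw = part.partition("=")   # first "=" separates type from value
        pairs.append((attr, unescape_ndap_value(raw)))
    return pairs


def contains_pattern(literal):
    """Name pattern matching objects whose name contains `literal`.

    Only * and \\ are escaped; the surrounding asterisks stay wildcards.
    The guide's filters show this same pattern after an equal sign.
    """
    escaped = "".join("\\" + ch if ch in SEARCH_SPECIAL else ch for ch in literal)
    return "*" + escaped + "*"


def escape_ldap_value(value):
    """Escape an LDAP DN attribute value using the \\xx hex form.

    Covers a leading '#', a leading or trailing space, and the RFC 2253 specials.
    """
    def hexpair(ch):
        return "".join(f"\\{b:02x}" for b in ch.encode("utf-8"))

    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == last and ch == " "
        out.append(hexpair(ch) if leading or trailing or ch in RFC2253_SPECIAL else ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real tree.
    sample = [("cn", "j.smith"), ("ou", "r+d=x"), ("o", "a\\b")]
    dn = build_dotted_dn(sample)
    print(dn)                       # escaped dotted name
    print(dn.split("."))            # naive split breaks cn=j\.smith in two
    print(parse_dotted_dn(dn))      # escape-aware parse recovers the input
    print(contains_pattern("a*b"))  # literal asterisk inside a wildcard pattern
    print(escape_ldap_value("#ops "))
```

Building names through the escaping helpers rather than by string concatenation keeps a user-supplied value such as `j.smith` from being read as two containers, and keeps a literal `*` in a search name from widening the match.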

4.1 Using the Object View

The Object view is designed to let you browse for and locate objects in the directory. Once you have selected the objects with which you want to work, you can then specify the tasks to perform on those objects.

Open the Object view by selecting the View Objects icon in the Header frame. The Object View includes the following tabs in the Navigation frame, each of which gives you a different way to browse for and locate directory objects:

- Tree
- Browse
- Search

4.1.1 Tree

The Tree tab lets you browse a directory tree with a look and feel similar to ConsoleOne. Tree view uses both the Navigation frame and the Content frame to provide its functionality.

Figure 4-1 The Tree Tab in iManager's Object View

Tree View Navigation Frame

In the Tree view, the Navigation frame displays the directory structure in the familiar ConsoleOne format. The Navigation frame displays Container, including Volume (file system), objects. Click on the plus and minus icons to expand and collapse the container objects and browse the directory tree. By default, Tree View displays up to 100 subordinate objects per container, but you can change this setting in the Object View Preferences.

Tree View Content Frame

Selecting one of the container objects in the Navigation frame causes the Content frame to display all the objects in that container. The Content frame is where you actually manipulate directory objects.

The Content frame includes a header from which you can select from among several available actions:

Bread Crumbs: At the very top of the Content frame, Tree view provides a bread crumb feature that lets you navigate along the containers in the current context.

Title Bar: The Content frame's title bar displays the name of the currently selected container object. Click the Pencil icon to edit the properties of this container.

Object List Header: The object list header provides access to the following:

- Menu Bar: The Content frame's menu bar provides access to the object-related actions you can perform. Options include the following:

  - New: Opens a drop-down menu of "create" tasks.
  - Edit: Opens the property book for the selected objects so you can modify their attributes. Selecting multiple objects of the same type lets you set attributes for all the objects to the same value.

    NOTE: You can also open a leaf object's property book by selecting it in the object list. Selecting a container object in the object list opens the selected container and displays all that container's subordinate objects. To edit the attributes of a container object, you must select its check box, then click Edit.

  - Delete: Deletes the selected objects. To select an object to edit, select its check box in the object list.
  - Actions: Opens a drop-down menu of supported tasks for the selected objects. To perform a task, select it from the drop-down menu and provide the required information.

    NOTE: If you have configured RBS, the Actions menu displays only those tasks in your assigned roles.

- Object Count: To the right of the menu bar, Tree view lists the number of objects in the current page and the total number of objects in the selected container.
- Select All: The check box in the header functions as a "select all" check box for the current page of objects.
- Sort: Directly above the Object list is a "Name" column heading and a sort icon. Click either of these to toggle the object sort between ascending and descending alphabetical order.
- Define Filter: At the far right of the header, under the object count, is the object filter icon. Select this icon to create a filter that limits the objects displayed in the object list. You can filter on object type and object name, as needed.

  Select Show All Containers to display container objects in the Object List regardless of the defined filter.

  Select Advanced Filter to open the Advanced Filter dialog that lets you create a filter using almost any object attribute. For more information, see "Advanced Selection" on page 36.

  NOTE: When a filter is active, the filter icon changes to a colored icon, and the filter setting is listed next to the icon. If you configure an advanced filter, iManager displays a check mark icon next to the filter icon.

Object List: The Content frame's object list displays all objects in the container currently selected in the Navigation frame. By default, the object list displays 100 objects on a page, but you can change this setting in the Object View Preferences.

To perform an action on an object, select its check box, then select the action from the Object List header. Select the (current level) object to perform an action on the container in which you are currently browsing. Select the double-period object to navigate up one level to the parent container.

IMPORTANT: Tree view does not support selecting objects across multiple pages in the object list. If you need to do this, use Object View's Browse tab to perform the multiple object action. For more information, see "Browse" on page 28.

4.1.2 Browse

The Browse tab leverages a user interface and functionality similar to the Object Selector to provide a directory browsing tool. For information on navigating the Browse user interface, see "Using the Object Selector" on page 31.

Figure 4-2 The Browse tab in iManager's Object View

The Browse tab uses only the Navigation frame to provide its functionality. It includes the following primary components:

Object Filter: Located at the top of the Navigation frame, the object filter lets you limit the objects displayed in the object list. Once defined, click Apply to use the filter.

IMPORTANT: The object filtering in the Browse tab only applies to directory objects. It does not filter file system objects, even though they might be visible in the Browse tab.

The object filter uses the following fields:

- Context: Displays only those objects in the specified context. This is identical to opening the container from the object list.
- Name: Displays only those objects that conform to the specified name filter. Use the asterisk (*) wildcard to specify a partial name. For example: ldap*, *cert, *server*.
- Type: Displays only those objects of the type specified.

  NOTE: If you select a specific object type, a plus icon [+] appears that lets you open the Advanced Selection tool, from which you can specify additional, attribute-level filter settings. For more information, see "Advanced Selection" on page 36.

- Load/Save: These two links let you load a previously defined filter definition and save the current filter so it can be re-used, respectively.

Multiple Select/Single Select: Located above the right side of the object list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task. The default option is Single Select. For more information, see "Selecting and Filtering Objects" on page 35.

Object List: Displays a list of directory objects, as defined by the criteria in the Object Filter. By default, the object list displays 100 objects on a page, but you can change this value in the Object View Preferences. Use the Previous and Next buttons to navigate between object pages.

You can navigate among the objects in the object list by doing the following:

- Select the down arrow icon next to a container object to open that container and view its objects in the object list.
- Select the up arrow icon at the top of the object list to view the contents of the current container's parent. This moves you up one level in the directory tree.
- Select an object, either container or leaf, to open a window with the available tasks for that type of object. Selecting a task opens that task's UI in the Content frame.

4.1.3 Search

The Search tab is similar to the Browse tab, but instead of displaying a tree structure in the Navigation frame, it displays only those objects resulting from the specified search.

Figure 4-3 The Search tab in iManager's Object view

The Search tab uses only the Navigation frame to provide its functionality. It includes the following primary components:

Object Search: Located at the top of the Navigation frame, the object search lets you define the search criteria. Once defined, click Search to perform the specified search operation.

IMPORTANT: The object filtering in the Search tab only applies to directory objects. It does not filter file system objects, even though they might be visible in the Search tab.

You can define your search using the following fields:

  Context: Specifies the starting container for the search operation. If you want the search to include subordinate containers, select Search sub-containers.
  Name: Defines the object name filter for this search. Use the asterisk wildcard to specify a partial name. For example: ldap*, *cert, *server*.
  Type: Defines the object type filter for this search. iManager only displays objects of the specified type.
  NOTE: If you select a specific object type, a plus icon [+] appears that lets you open the Advanced Selection tool, from which you can specify additional, attribute-level filter settings. For more information, see "Advanced Selection" on page 36.
  Load/Save: These links let you load a previously defined search definition and save the current search so it can be re-used, respectively.

Multiple Select/Single Select: Located above the right side of the results list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task. The default option is Single Select. For more information, see "Selecting and Filtering Objects" on page 35.

Results List: Displays the results of the search operation. By default, the object list displays 100 objects on a page, but you can change this value in the Object View Preferences. Use the Previous and Next buttons to navigate between results pages. Select an object, either container or leaf, to open a window with the available tasks for that type of object. Selecting a task opens that task's UI in the Content frame.

NOTE: The Search tab does not let you navigate objects, such as opening container objects, in the results list. If you want to be able to do this, use the Tree tab or the Browse tab.

4.2 Using the Object Selector

The Object Selector lets you select the objects with which you want to work in the current task. iManager provides this tool in any situation where you are selecting a task or action before specifying the objects to which the task or action is applied.

Access the Object Selector by selecting the magnifying glass icon anywhere it appears in the Content frame. The Object Selector opens in its own window on top of iManager.

Figure 4-4 iManager's Object Selector

Object Selector includes two tabs for locating target objects for the tasks you want to perform:

  Section 4.2.1, "Browse"
  Section 4.2.2, "Search"

4.2.1 Browse

The Browse tab (default) lets you navigate the directory tree to search for the desired objects. It includes the following primary components:

Object Filter: Located on the left side of the Object Selector, the object filter lets you limit the objects displayed in the Contents list. Once defined, click Apply to use the filter.

The object filter uses the following fields:

  Look in: Displays only those objects in the specified context. This is identical to opening the container from the Contents list.
  Look for objects named: Displays only those objects that conform to the specified name filter. Use the asterisk (*) wildcard to specify a partial name. For example: ldap*, *cert, *server*.
  Advanced Browsing: This link opens the Advanced Selection tool, from which you can specify additional, attribute-level filter settings. For more information, see "Advanced Selection" on page 36.
  Load Criteria/Save Criteria: These two links let you load a previously defined filter definition and save the current filter so it can be re-used, respectively.

Contents List: Displays a list of directory objects, as defined by the criteria in the object filter. By default, the object list displays 100 objects on a page, but you can change this number, if desired. Use the Previous and Next buttons to navigate between object pages.

You can navigate amongst the objects in the Contents list by doing the following:

  Select the down arrow icon next to a container object to open that container and view its objects in the Contents list.
  Select the up arrow icon at the top of the object list to view the contents of the current container's parent. This moves you up one level in the directory tree.

Selecting an object causes iManager to identify that object as one on which you want to perform the current task.

Selected Objects: This component only appears when you are selecting multiple objects for the current task. The Selected Objects field lists the objects currently selected for the task. Click OK when the list is complete. Click Clear All if you want to empty the selected objects list and start over.

For more information about selecting single or multiple objects for a task, see "Selecting and Filtering Objects" on page 35.

4.2.2 Search

The Search tab lets you specify a search operation to perform on the directory tree and display the results. It includes the following primary components:

Object Search: Located on the left side of the Object Selector, the object search lets you define the search criteria. Once defined, click Search to perform the specified search operation.

You can define your search using the following fields:

  Start search in: Specifies the starting container for the search operation. If you want the search to include subordinate containers, select Search sub-containers.
  Search for objects named: Defines the object name filter for this search. Use the asterisk wildcard to specify a partial name. For example: ldap*, *cert, *server*.
  Advanced Browsing: This link opens the Advanced Selection tool, from which you can specify additional, attribute-level search settings. For more information, see "Advanced Selection" on page 36.
  Load Criteria/Save Criteria: These two links let you load a previously defined search definition and save the current filter so it can be re-used, respectively.

Multiple Select/Single Select: Located above the right side of the results list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task. The default option is Single Select. For more information, see "Selecting and Filtering Objects" on page 35.

Results List: Displays the results of the search operation. By default, the results list displays 100 objects on a page, but you can change this number, if desired. Use the Previous and Next buttons to navigate between results pages.

NOTE: The Search tab does not let you navigate objects, such as opening container objects, in the results list. If you want to be able to do this, use Object Selector's Browse tab.

Selected Objects: This component only appears when you are selecting multiple objects for the current task. The Selected Objects field lists the objects currently selected for the task. Click OK when the list is complete. Click Clear All if you want to empty the selected objects list and start over.

For more information about selecting single or multiple objects for a task, see "Selecting and Filtering Objects" on page 35.

5 Roles and Tasks

Selecting the Roles and Tasks view in the Header frame displays all of iManager's available roles and tasks in the Navigation frame. iManager groups related roles and tasks into categories. However, you can create custom category groups and assign roles and tasks to them. For more information, see "The Category Tab" on page 64.

This section includes the following topics:

  Section 5.1, "Navigating Roles and Tasks"
  Section 5.2, "Directory Administration"
  Section 5.3, "Groups"
  Section 5.4, "Help Desk"
  Section 5.5, "Partitions and Replicas"
  Section 5.6, "Rights"
  Section 5.7, "Schema"
  Section 5.8, "Users"

The first section in this chapter introduces Roles and Tasks navigation. The remaining sections provide a detailed description of the tasks available in iManager's core set of roles and tasks. For information about the roles and tasks provided by a product-specific plug-in, consult that product's documentation.

In addition to the Roles and Tasks view, you can configure iManager's Favorites view to display your most frequently used tasks. For more information, see "Manage Favorites" on page 85.

5.1 Navigating Roles and Tasks

Navigating iManager's tasks is a straight-forward process that includes the following general steps:

1 (Navigation frame) Open the category that contains the desired task.
2 (Navigation frame) Select the desired task from the category's list of tasks.
3 (Content frame) Provide the necessary information to complete the task.
  When applicable, this includes specifying those objects to which the task is applied. For information about selecting objects to which the task will apply, see "Selecting and Filtering Objects" on page 35.
4 (Content frame) Click OK to perform the task.

5.1.1 Selecting and Filtering Objects

For those tasks that can be applied to more than one object at a time (for example, Modify User), iManager provides options, selectable in the Content frame, for locating the desired objects.

Figure 5-1 Object selection options in a task

Select a Single Object

This is the default object selection method. Select a Single Object lets you specify a single object to which the task is applied. When using the Object Selector to locate the object, selecting an object automatically closes the Object Selector and inserts the selected object in the task's object name field.

For more information about the Object Selector, see "Using the Object Selector" on page 31.

Select Multiple Objects

Select Multiple Objects modifies the task's object name field to accept a list of objects instead of only one object. The Object Selector also runs in "multiple object" mode so that you can select more than one object at a time.

For more information about the Object Selector, see "Using the Object Selector" on page 31.

Simple Selection

Simple Selection opens a basic search tool in the Content frame. With this tool, you can search for objects in the directory tree based on a specified property value.

Figure 5-2 Basic object filter in a task

The attribute list contains the attributes on which you can perform the Search operation. The operator list contains the operators that can be used for the Search operation. If you want the objects that result from the search operation to be sorted, select Sort the resulting objects.

Simple Selection includes the following limitations:

  Searches the entire directory tree
  Does not support wildcards in the search criteria
  Supports only "starts with" and "equals" filters for property values

Advanced Selection

Advanced Selection provides a more configurable environment for searching the directory for the desired objects.

Figure 5-3 iManager's Advanced Selection Interface

Advanced Selection gives you more granular control over the object filter used during the search operation. You can configure advanced selection options using the following fields:

  Object Type: Specifies the object base class for which you are searching. For example, User.
  Container: Specifies the container at which you want to start the search. To search subordinate containers, select Include sub-containers.
  Filter: Specifies a filter to apply to the search. Select the Filter icon to open a separate window from which you can define the filter. Click OK when the filter is done.

Figure 5-4 iManager's Advanced Filter dialog

The Filter interface includes the following fields:

  Aux Classes: Specifies an Auxiliary Class to include in the search.
  Attribute: Specifies an attribute (property) that you want to utilize as part of the filter.
  Operator: Specifies the logical operator to apply to the filter. Options include
  Value: Specifies the attribute value you are using as a filter. You can use the asterisk (*) as a wildcard to indicate part of a value. For example, smi*, *th, and *mit*.

Additionally, you can chain multiple attribute filters together into a filter group by using the + icon to add a second attribute to the list. When using multiple attribute filters, link them together with a logical AND or logical OR.

After you define a filter, click Preview, and click OK, the Modify Object screen is displayed. It displays the attributes defined for the objects in the container. The common attribute values are listed. For example, as per Figure 5-5 the First name, Last name, and Full name attributes have common value(s) for all the objects in the specified container. Attributes whose fields are empty do not hold a common value for all the objects. You can add values to these attributes, as well.

Figure 5-5 The Modify Object Screen

You can perform the following tasks on the attributes; all the objects in the container are updated:

  Ignore: Does not apply any changes to the objects.
  Replace: Replaces an existing attribute value in the list. To replace, double-click the value, make the changes, and press Enter. Then, click Replace.
  Add: Adds values to an attribute. You can add more than one value to an attribute. For example, you might have more than one First Name for all the objects.
  Remove: Removes attribute values.

To remove an attribute value(s):

1 If the attribute has more than one value, you must first hide the values that you do not want to remove by pressing the Delete key on your keyboard.
  This is done because the Remove option removes all the values listed. So, you must first hide the values that need not be removed. Only the values that have to be deleted are displayed in the attribute list.
2 Click Remove from the drop-down list.
  The specified values are deleted and the values that you hid are displayed in the list.

5.2 Directory Administration

Directory administration involves the management of objects in your directory tree. You can create, edit, and organize objects.

  Section 5.2.1, "Copying an Object"
  Section 5.2.2, "Creating an Object"
  Section 5.2.3, "Deleting an Object"
  Section 5.2.4, "Modifying an Object"
  Section 5.2.5, "Moving an Object"
  Section 5.2.6, "Renaming an Object"

For more information about eDirectory objects, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.2.1 Copying an Object

You can either create a new object with the same attribute values as an existing object, or copy attribute values from one object to another.

1 In Roles and Tasks, click Directory Administration > Copy Object.
2 In the Object to Copy From field, type the name and context of the object or use the Object Selector to find it.
3 Select one of the following options:
    Create New Object and Copy Attribute Values
    Copy Attribute Values to an Existing Object
  Attributes whose class is not extended by the copied object are not copied.
4 Select Copy ACL Rights if you want to copy access control list (ACL) rights to this object.
  This step might take additional processing time, depending on your system and networking environment.

NOTE: The copy object operation does not copy the following object attributes:

  ACL (unless you select Copy ACL Rights)
  CN
  DirXML-Associations
  Equivalent To Me
  Group Membership
  Member
  Security Equals
  Any naming attribute
  Any Read Only attribute
  Any RBS attribute

5.2.2 Creating an Object

1 In Roles and Tasks, click Directory Administration > Create Object.
2 Select the object class from the list that appears, then click OK.
3 Specify the requested information that appears according to the object class you selected, then click OK.
  If you are using Firefox, click the + symbol to add information instead of typing directly in the field.
4 When the confirmation message appears, click OK, Repeat Task, or Modify.

5.2.3 Deleting an Object

1 In Roles and Tasks, click Directory Administration > Delete Object.
2 Type the name and context of the object, or use the Object Selector to find it, and click OK.
  A confirmation message appears indicating the object was successfully deleted.

5.2.4 Modifying an Object

1 In Roles and Tasks, click Directory Administration > Modify Object.
2 Type the name and context of the object or use the Object Selector to find it, then click OK.
  The Modify Object page displays pages with the selected object's attributes.
3 Modify the object as desired, then click OK.
  If you are using Firefox, click the + symbol to add information instead of typing directly in the field.

5.2.5 Moving an Object

1 In Roles and Tasks, select Directory Administration > Move Object.
  Type the name and context of the object or use the Object Selector to find it, then click OK.
2 In the Move To field, select the container to which you want to move the object.
3 Select Create an Alias in Place of Moved Object to create an alias in an old location for each object being moved.
4 Click OK.
  A confirmation message appears indicating the move object operation was successful.

5.2.6 Renaming an Object

1 In Roles and Tasks, select Directory Administration > Rename Object.
2 Type the name and context of the object or use the search feature to find it.
  Type only the name of the new object. Do not include a context.
3 Select to save the old name, if you want to save it.
  This saves the old name as an additional unofficial value of the Name property. Saving the old name lets users search for the object based on that name. After renaming the object, you can view the old name in the Other Name field on the object's General Identification tab.
4 Select Create an Alias in Place of Renamed Object, if you want to create an alias for the object being renamed.
  This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to use the new object name.
5 Click OK.
  A confirmation message appears indicating that the object renaming operation was successful.

5.3 Groups

Any user who creates a group automatically becomes the owner of the group. Available group operations include the following:

  Section 5.3.1, "Creating a Group"
  Section 5.3.2, "Deleting a Group"
  Section 5.3.3, "Modifying a Group"
  Section 5.3.4, "Modifying Members of Group"
  Section 5.3.5, "Move Group"
  Section 5.3.6, "Rename Group"
  Section 5.3.7, "Viewing My Groups"

For more information about using and configuring Group objects, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.3.1 Creating a Group

1 In Roles and Tasks, select Groups > Create Group.
2 In the Create Group page, provide the required information, then click OK.
    Select Dynamic Group to make the new group a dynamic group, of the class dynamicGroup. Otherwise, the group is created as a static group, of the class Group.
    Select Set Owner to make the creator of a group object the group owner. The group's Owner attribute is set to the DN of iManager's logged-in user. Deselect Set Owner to leave the Owner attribute undefined.
    Select Nested Group to make the new group a nested group so that the group is created with auxiliary class nestedGroupAux.

NOTE: You can convert a static group to a dynamic group after the fact by using the Modifying a Group option. This extends the selected Group object to belong to the dynamicGroupAux class.

A group can be either nested or dynamic. You cannot create a group that is both nested and dynamic.

You can convert a static group to a nested group by using the Modifying a Group option. This makes the selected group object belong to the nestedGroupAux class.

5.3.2 Deleting a Group

1 In Roles and Tasks, select Groups > Delete Group.
2 In the Delete Group page, specify the name of the group object to delete, or use the Object Selector to locate it, then click OK.
  The Delete Group page lets you Select a single object, Select multiple objects, or use the Advanced Selection option to specify the object to delete.

5.3.3 Modifying a Group

1 In Roles and Tasks, select Groups > Modify Group.
2 In the Modify Group page, specify the name of a Group object, or use the Object Selector to locate it, then click OK.
3 Make the desired changes to the Group object's attributes, then click OK.

NOTE: If you modify a static group to be a dynamic group, and you are using RBS, you must enable dynamicGroupAux class support. To do this, open Configure > iManager Server > Configure iManager > RBS > Dynamic Group Search Type. Select Dynamic Group Objects & Aux Classes from the drop-down menu, then click Save.

You cannot convert a dynamic group to a nested group and vice versa.

5.3.4 Modifying Members of Group

This task lets you make simultaneous identical modifications to the attributes of all member objects of a specified group.

1 In Roles and Tasks, select Groups > Modify Members of Group.
2 In the Modify Members of Group page, specify the name of a Group object, or use the Object Selector to locate it, then click OK.
3 Make the desired changes to the member object's attributes, then click OK.

5.3.5 Move Group

This link redirects you to the Move an Object task. For more information, see "Moving an Object" on page 40.

5.3.6 Rename Group

This option is identical to the Rename an Object task. For more information, see "Renaming an Object" on page 41.

5.3.7 Viewing My Groups

This page displays the groups that you own. From it, you can create a new group, and edit or delete an existing group.

5.4 Help Desk

Help Desk provides access to a limited number of user-related tasks. The user who owns this role can do the following:

  Section 5.4.1, "Clearing a Lockout"
  Section 5.4.2, "Creating a User"
  Section 5.4.3, "Setting a Password"

For more information about User objects, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.4.1 Clearing a Lockout

A user can be locked out for entering the wrong password too many times or trying to log in with an expired password.

1 In Roles and Tasks, select Help Desk > Clear Lockout.
2 In the Clear Lockout page, specify the name of a User object, or use the Object Selector to locate it, then click OK.

5.4.2 Creating a User

To create a new user object:

1 In Roles and Tasks, select Help Desk > Create User.
  Fill out the necessary user information, as described in "Creating a User" on page 50.

5.4.3 Setting a Password

1 In Roles and Tasks, select Help Desk > Set Password.
2 In the Set Password page, specify the name of the User Object.
  Use the Object Selector to browse for the User Object or use Simple Selection to search for it.
3 Specify the new password for the selected User object (twice), then click OK.
  Select Set simple password to define a simple password, which is required for native file access for Windows* and Macintosh* users. It is not necessary when Universal Password is enabled.

5.5 Partitions and Replicas

Partition and replica operations let you manage eDirectory's physical design and distribution across your directory servers, and include the following tasks:

  Section 5.5.1, "Creating a Partition"
  Section 5.5.2, "Merging a Partition"
  Section 5.5.3, "Moving a Partition"
  Section 5.5.4, "Viewing Replica Information"
  Section 5.5.5, "Viewing Partition Information"
  Section 5.5.6, "Using the Filtered Replica Wizard"

For information about partitions and replicas, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.5.1 Creating a Partition

Partitions create logical divisions of the eDirectory tree. For example, if you choose an Organizational Unit and create it as a new partition, you split the Organizational Unit and all of its subordinate objects from its parent partition. The Organizational Unit you choose becomes the root of a new partition. The replicas of the new partition exist on the same servers as the replicas of the parent, and objects in the new partition belong to the new partition's root object.

1 In Roles and Tasks, select Partitions and Replicas > Create Partition.
2 In the Create Partition page, specify the container to use as the root of the new partition, or use the Object Selector to locate it, then click OK.
  A confirmation message appears indicating that the partition create operation was successful.

5.5.2 Merging a Partition

Merging a partition effectively recombines it with its parent partition. Creating and merging partitions is how you determine how the directory is logically divided.

1 In Roles and Tasks, select Partitions and Replicas > Merge Partition.
2 In the Merge Partition page, specify the partition to merge with its parent, or use the Object Selector to locate it, then click OK.
  To specify a partition, specify the Container object that acts as the partition root.
  A confirmation message appears indicating that the partition create operation was successful.

5.5.3 Moving a Partition

Moving a partition lets you move a subtree in your directory tree. This is also known as a prune and graft operation. You can only move partitions that have no subordinate partitions. If subordinate partitions exist, you must first merge those partitions before performing the move operation.

When you move a partition, eDirectory changes all references to the partition Root object. Although the object's common name remains unchanged, the complete name of the container (and of all its subordinates) changes.

NOTE: When you move a partition, you must follow eDirectory containment rules. For example, you cannot move an Organizational Unit directly under the root of the directory tree, because the root's containment rules permit only Locality, Country, or Organization objects, but not Organizational Unit objects.

1 In Roles and Tasks, select Partitions and Replicas > Merge Partition.
2 In the Move partition page, specify the required information, then click OK.
    The Object name field specifies the partition to move, or use the Object Selector to locate it.
    The Move to field specifies the Container object into which you want to move the specified partition.
    The Create an alias in place of moved object option creates a pointer to the partition's new location. This allows any operations that are dependent on the old location to continue uninterrupted until you can update those operations to reflect the new location. Users can continue to log in to the network and find objects in the original directory location.

WARNING: Make sure your directory tree is synchronizing correctly before you move a partition. If you have any errors in synchronization in either the partition you want to move or the destination partition, do not perform a move partition operation. First, fix the synchronization errors.

After moving the partition, if you don't want the partition to remain a partition, merge it with its parent partition.

5.5.4 Viewing Replica Information

Viewing a replica tells you about its current state. An eDirectory replica can be in various states depending on the partition or replication operations it is undergoing.

1 In Roles and Tasks, click Partitions and Replicas > Replica View.
2 In the Replica View page, specify the partition or server whose replica table you want to view, then click OK.
  A table appears listing the replica Partition, Type, Filter, and State.

For information about replica states, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.5.5 Viewing Partition Information

1 In Roles and Tasks, select Partitions and Replicas > View Partition Information.
2 In the Partition Information page, specify the partition for which you want to view information, then click OK.
  To specify a partition, specify the Container object that acts as the partition root.

5.5.6 Using the Filtered Replica Wizard

Filtered replicas maintain a filtered subset of information from an eDirectory partition (objects or object classes along with a filtered set of attributes and values for those objects). The Filtered Replica Wizard steps you through the configuration of the filtered replicas on the selected server.

1 In Roles and Tasks, select Partitions and Replicas > Filtered Replica Wizard.
2 Specify the name and context of the server on which you want to configure a filtered replica, or use the Object Selector to find it, then click Next.
3 Click Define the Filter Set to specify the classes and attributes for a filter set on the selected server, then click Next.
  The replication filter contains the set of eDirectory classes and attributes you want to host on this server's set of filtered replicas.
4 Click Finish.

For more information about filtered replicas, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.6 Rights

Rights refers to eDirectory trustee rights and trustees. When you create a tree, the default rights assignments give your network generalized access and security. iManager lets you perform the following rights-related tasks:

  Section 5.6.1, "Modifying the Inherited Rights Filter"
  Section 5.6.2, "Modifying Trustee Rights"
  Section 5.6.3, "Rights to Other Objects"
  Section 5.6.4, "Viewing Effective Rights"

For more information about eDirectory rights, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.6.1 Modifying the Inherited Rights Filter

Both eDirectory and the NetWare file system provide an Inherited Rights Filter (IRF) mechanism to block rights inheritance on individual subordinate items. One exception is that the Supervisor right can't be blocked in the NetWare file system.

For more information about Inherited Rights Filters, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

1 In Roles and Tasks, select Rights > Modify Inherited Rights Filter.
2 Specify the full name of the object whose inherited rights filter you want to modify, or use the Object Selector to find it, then click OK.
  This displays a list of the inherited rights filters that have already been set on the object.
3 On the property page, edit the list of inherited rights filters as needed, then click OK.
  To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.

5.6.2 Modifying Trustee Rights

A trustee is one object that has been granted explicit rights to another object in your directory tree. To modify the trustee list for a given object:

1 In Roles and Tasks, select Rights > Modify Trustees.
2 Specify, or use the Object Selector to find, the name of the object whose trustee list you want to view, then click OK.
  This opens a list of the object's currently assigned trustees.
3 Modify the trustee list as needed, then click OK.
    Add a trustee by clicking Add Trustee.
    Remove a trustee by selecting its check box and clicking Remove Selected.
    Modify a trustee's rights assignment by selecting the Assigned Rights link for that trustee.

5.6.3 Rights to Other Objects

This task allows you to view and modify the list of objects to which an object is a trustee.

1 In Roles and Tasks, select Rights > Rights To Other Objects.
2 In the Rights To Other Objects page, provide the required information, then click OK.
    Specify the name of the object in Trustee name.
    Specify the context in which you want to search for objects that have this trustee in Context to search from.
    Select Search entire subtree to search all containers under the specified context.
3 Modify the object list as needed, then click OK.
    Add explicit rights to another object by clicking Add Object.
    Remove explicit rights to an object by selecting its check box and clicking Remove Selected.
    Modify the explicit rights granted to an object by selecting the Assigned Rights link for that object.

5.6.4 Viewing Effective Rights

Effective rights is the combination of explicit and inherited rights that an object has at any point in the directory tree. To view an object's effective rights to another object:

1 In Roles and Tasks, select Rights > View Effective Rights.
2 Specify, or use the Object Selector to find, the name of the trustee whose rights you want to view, then click OK.
3 In the Object name field, specify the name of the object for which you want to calculate the trustee's effective rights.
  eDirectory calculates the effective rights and displays them in the Effective Rights field.
4 Click Done when finished.
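
A simplified model of how explicit trustee assignments, inheritance and Inherited Rights Filters (Sections 5.6.1 and 5.6.4) combine, with a check for subtrees that an IRF has left without any Supervisor. This is an added example, not iManager or eDirectory code. It assumes one trustee at a time, ignores security equivalence, group membership and property-level rights, and treats a lower explicit assignment as replacing what that trustee inherited; the tree and trustee names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SUPERVISOR = "Supervisor"


@dataclass
class Entry:
    """One directory object: explicit trustee assignments plus an optional IRF."""
    name: str
    parent: Optional["Entry"] = None
    # trustee name -> rights granted explicitly on this entry
    trustees: Dict[str, Set[str]] = field(default_factory=dict)
    # None means no filter; otherwise only these rights may be inherited
    irf: Optional[Set[str]] = None


def path_from_root(entry: Entry) -> List[Entry]:
    """Return the chain of entries from the tree root down to `entry`."""
    chain = []
    while entry is not None:
        chain.append(entry)
        entry = entry.parent
    return chain[::-1]


def effective_rights(trustee: str, target: Entry) -> Set[str]:
    """Walk down from the root, applying each IRF and explicit assignment."""
    rights: Set[str] = set()
    for entry in path_from_root(target):
        if entry.irf is not None:
            # The IRF only restricts what flows down from the parent.
            rights &= entry.irf
        if trustee in entry.trustees:
            # Assumption of this model: an explicit assignment replaces
            # whatever the same trustee inherited from above.
            rights = set(entry.trustees[trustee])
    return rights


def entries_without_supervisor(entries: List[Entry],
                               trustees: List[str]) -> List[str]:
    """Names of entries where none of the given trustees holds Supervisor."""
    return [
        e.name for e in entries
        if not any(SUPERVISOR in effective_rights(t, e) for t in trustees)
    ]


def build_sample_tree():
    """Constructed sample: an IRF on Payroll filters out Supervisor."""
    acme = Entry("ACME", trustees={"admin": {SUPERVISOR}})
    hr = Entry("HR", parent=acme)
    payroll = Entry(
        "Payroll", parent=hr, irf={"Browse"},
        trustees={"payadmin": {"Browse", "Create", "Delete", "Rename"}},
    )
    jsmith = Entry("jsmith", parent=payroll)
    return acme, hr, payroll, jsmith


if __name__ == "__main__":
    tree = build_sample_tree()
    for e in tree:
        for t in ("admin", "payadmin"):
            print(f"{t:9} -> {e.name:8} {sorted(effective_rights(t, e))}")
    print("No Supervisor:", entries_without_supervisor(list(tree),
                                                       ["admin", "payadmin"]))
```

Run the same check against an export of your own trustee assignments before tightening an IRF: an entry that shows up in the result has no trustee left who can edit its ACL.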

5.7 Schema

The directory schema defines the types of objects that can be created in your tree (such as Users, Printers, and Groups) and what information is required or optional at the time the object is created. iManager provides the following schema-related tasks:

  Section 5.7.1, "Adding an Attribute"
  Section 5.7.2, "Viewing Attribute Information"
  Section 5.7.3, "Viewing Class Information"
  Section 5.7.4, "Creating an Attribute"
  Section 5.7.5, "Creating a Class"
  Section 5.7.6, "Deleting an Attribute"
  Section 5.7.7, "Deleting a Class"
  Section 5.7.8, "Extending a Schema"
  Section 5.7.9, "Extending an Object"

For more information about eDirectory schema, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.7.1 Adding an Attribute

You can add optional attributes to existing classes if your organization's information needs change or if you are preparing to merge trees.

NOTE: Mandatory attributes can be defined only while creating a class. A mandatory attribute is one that must be completed when an object is being created.

To add an attribute to an existing class:

1 In Roles and Tasks, select Schema > Add Attribute.
2 Select the class you want to add an attribute to, then click OK.
3 Select the attributes you want to add, then click OK.
  Select the desired attributes from the Available Optional Attributes list, then click the Right-arrow to add these attributes to the Add These Optional Attributes list. Use the Left-arrow to remove attributes from Add These Optional Attributes.

Objects you create of this class now have the properties you added. To set values for the added properties, use the generic Other property page of the object.

5.7.2 Viewing Attribute Information

You can view an attribute's structural details such as Syntax, flags and Classes that use the attribute. To see an attribute's information:

1 In Roles and Tasks, select Schema > Attribute Information.
2 Select the attribute for which you want to see information, then click View.
  The Content frame displays information related to the selected attribute.
3 When finished, click Close.

5.7.3 Viewing Class Information

The Class Information page displays information about the selected class and lets you add attributes. During class creation, if the class is specified to inherit attributes from another class, the inherited attributes are classified as they are in the parent class. For instance, if Object Class is a mandatory attribute for the parent class, then it displays on this screen as a mandatory attribute for the selected class.

To see a Class's information:

1 In Roles and Tasks, select Schema > Class Information.
2 Select the class for which you want to see information, then click View.
  The Content frame displays information related to the selected class.
    To add an attribute to the class, select Add a new attribute.
    To view the class's parent class, select View super class.
3 When finished, click Close.

5.7.4 Creating an Attribute

You can define your own custom types of attributes and add them as optional attributes to existing object classes. However, you cannot add mandatory attributes to existing classes.

To create an attribute:

1. In Roles and Tasks, click Schema > Create Attribute.
2. Follow the steps in the Create Attribute Wizard to complete the attribute creation procedure.

5.7.5 Creating a Class

An auxiliary class is a set of properties (attributes) added to particular objects rather than to an entire class of objects. For example, an e-mail application could extend the schema of your eDirectory tree to include an E-Mail Properties auxiliary class and then extend individual objects with those properties as needed.

Using Schema Manager, you can define your own auxiliary classes. You can then extend individual objects with the properties defined in your auxiliary classes.

To create an auxiliary class:

1. In Roles and Tasks, click Schema > Create Class.
2. Follow the steps in the Create Class Wizard to define the new class.

5.7.6 Deleting an Attribute

You can delete unused attributes that aren't part of the base schema of your eDirectory tree. This might be useful after merging two directory trees, or if an attribute has become obsolete over time.

To delete an attribute:

1. In Roles and Tasks, click Schema > Delete Attribute.
2. Select the attribute you want to delete, then click Delete.
   Only attributes that you can delete are displayed.

5.7.7 Deleting a Class

You can delete unused classes that aren't part of the base schema of your eDirectory tree. iManager prevents you from deleting classes that are currently being used in locally replicated partitions.

To delete a class:

1. In Roles and Tasks, click Schema > Delete Class.
2. Select the class you want to delete, then click Delete.
   Only classes that are allowed to be deleted are shown.

5.7.8 Extending a Schema

You can extend the schema of a tree by creating a new class or attribute. To extend the schema of your eDirectory tree, you need Administrator/Supervisor right to the entire tree.

To extend the schema:

1. In Roles and Tasks, click Schema > Extend Schema.
2. Follow the ICE Wizard through the import, export, migration of data, or schema update and compare operations.

5.7.9 Extending an Object

1. In Roles and Tasks, click Schema > Object Extensions.
2. Specify the name and context of the object you want to extend, then click OK.
3. Depending on whether the auxiliary class that you want to use is already listed under Current Auxiliary Class Extensions, click one of the following:
   Yes: Quit this procedure. See "Modifying an Object's Auxiliary Properties" (http://www.novell.com/documentation/edir88/edir88/data/fbbdchgh.html#a3olrac) in the Novell eDirectory 8.8 SP7 Administration Guide, instead.
   No: Click Add, select the auxiliary class, then click OK.
4. Click Close.

You can also add or remove auxiliary classes at once for multiple objects.

1. In Roles and Tasks, click Schema > Object Extensions.
2. Click the Select Multiple Objects tab.
   2a. Select the objects that you want to extend, then click OK.
       The list of auxiliary class extensions that are common to all the selected objects is displayed.
   2b. To add an auxiliary class, click Add, select the required auxiliary class, then click OK.
   2c. To delete an existing auxiliary class, select the class, then click Remove.
3. Click Close to exit the page.

5.8 Users

Managing users and their network access is a central purpose of the directory. iManager provides the following user-related tasks:

Section 5.8.1, "Creating a User"
Section 5.8.2, "Deleting a User"
Section 5.8.3, "Disabling an Account"
Section 5.8.4, "Enabling an Account"
Section 5.8.5, "Modifying a User"
Section 5.8.6, "Moving a User"
Section 5.8.7, "Renaming a User"

For more information about user objects in the directory, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

5.8.1 Creating a User

To create a new user object:

1. In Roles and Tasks, select User > Create User.
2. In the Create User page provide, at a minimum, the required user-related information, then click OK.
   - Username
   - Last Name
   - Context
   - Password (twice)

   IMPORTANT: If you fail to enter a password, you are prompted to either allow the user to log in without a password (not recommended) or require a password for login.

   Select Set simple password to define a simple password, which is required for native file access for Windows* and Macintosh* users. It is not necessary when Universal Password is enabled.

   Select Copy from template or user object to create a user based on an existing Template or User object. When copying from a user object, iManager allows only a copy of the New Object NDS rights instead of a copy of NDS rights, to prevent users from receiving the same rights as the administrator.

   Select Create home directory to specify a location for the user's home directory, which is created when the user object is created. If you specify a path that doesn't exist, a message appears stating that the user's home directory has not been created.

5.8.2 Deleting a User

To delete a user object:

1. In Roles and Tasks, select Users > Delete User.
2. Type the name and context of the object or use the search feature to find it, then click OK.
3. Click Delete.
   A confirmation appears indicating the user object has been deleted.

5.8.3 Disabling an Account

To disable a user account, thereby preventing the user from authenticating to the directory:

NOTE: This only prevents a user from authenticating subsequent to disabling the account. If they are logged in when the account is disabled, their access continues unchanged until they log out.

1. In Roles and Tasks, select Users > Disable Account.
2. Specify, or use the Object Selector to find, the name and context of the object, then click OK.
3. Click Disable.

5.8.4 Enabling an Account

To enable a previously disabled user account:

1. In Roles and Tasks, select Users > Enable Account.
2. Specify, or use the Object Selector to find, the name and context of the object, then click OK.
3. Click Enable.

5.8.5 Modifying a User

To modify an existing user object's properties:

1. In Roles and Tasks, select Users > Modify User.
2. Specify, or use the Object Selector to find, the name and context of the object, then click OK.
   The Content frame displays the user object's property book.
3. Make your changes, then click Apply or OK to save the changes.

5.8.6 Moving a User

To move a user object:

1. In Roles and Tasks, select Users > Move User.
2. Provide the required information, as described in "Moving an Object" on page 40.

5.8.7 Renaming a User

To rename a user object:

1. In Roles and Tasks, select Users > Rename User.
2. Provide the required information, as described in "Renaming an Object" on page 41.

6 Configuring and Customizing iManager

This section describes the various features of Novell iManager configuration. You configure iManager from the Configure view. This section discusses the following topics:

Section 6.1, "Role-Based Services"
Section 6.2, "RBS Configuration"
Section 6.3, "RBS Reporting"
Section 6.4, "iManager Server"
Section 6.5, "Object Creation List"
Section 6.6, "Plug-In Module Installation"
Section 6.7, "Downloading and Installing Plug-in Modules"
Section 6.8, "E-Mail Notification"
Section 6.9, "Views"

IMPORTANT: Using Role-Based Services is optional, although we recommend setting it up for the optimal use of the iManager software. RBS must be configured in the eDirectory tree in order to use the Plug-In Studio.

Do not use Novell ConsoleOne to modify or delete any RBS objects. RBS objects should be managed using only iManager.

If desired, you can prevent non-admin and non-collection-owner users from accessing iManager's Configure view. For more information see the following topics:

- iManager Views: "Views"
- User Preferences: "Preferences"
- Authorized Users: "Authorized Users and Groups"

6.1 Role-Based Services

iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.

NOTE: Novell iManager Role-Based Services (RBS) grants rights based upon the Access Control List (ACL) capability of Novell eDirectory. The ACLs allow a trustee to be granted rights to a specific object or its subordinate objects. ACLs are not granted based upon specific object types. Each Novell iManager task defines its applicable object types and necessary ACLs. However, these ACLs allow the user to perform those operations with other object types through eDirectory APIs or other tools such as Novell ConsoleOne or NWAdmin.

Use RBS to create specific roles within your organization. The roles contain tasks that an assigned user can perform within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles but can be replaced, reassigned, or removed altogether. Furthermore, users are associated with roles in a specified scope, which is a container in the tree in which the user has the requisite permissions to perform a task. A role requires this threefold association of role, members, and scope to be complete.

An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned. A user can be assigned to a role in the following ways:

- Directly as a user
- Through group and dynamic group assignments
  If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.
- Through organizational role assignments
  If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.
- Through container assignment
  A User object has access to all of the roles that its parent container is assigned. This could also include other containers up to the root of the tree.

A user can be associated with a role multiple times, each with a different scope.

6.1.1 RBS Objects in eDirectory

The following table lists the RBS objects. iManager extends the eDirectory schema to include these objects when you install RBS. For more information, see "Installing RBS" on page 56.

Object: rbsCollection
Description: A container object that holds all RBS Role and Module objects. rbsCollection objects are the uppermost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have owners, which are users who have management rights over the collection. rbsCollection objects can be created in any of the following containers: Country, Domain, Locality, Organization, Organizational Unit.

Object: rbsRole
Description: Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform. rbsRoles are container objects that can be created only in an rbsCollection container. Role members can be Users, Groups, Organizations, Organization Roles, or Organizational Units, and role members are associated to a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

Object: rbsTask
Description: A leaf object that holds a specific function, such as resetting login passwords. rbsTask objects are located only in rbsModule containers.

Object: rbsBook (aka Property Book)
Description: A book is a leaf object that displays a group of pages that allow a user to view or modify the properties of an object or set of objects of the same type. Each page of the book has a tab that you click to view a different page. A book object resides only in rbsModule containers and can be assigned to one or more roles and to one or more object class types.

Object: rbsScope
Description: A leaf object used for ACL assignments (instead of making assignments for each User object). rbsScope objects represent the context in the tree where a role is performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object. These objects have a reference to the scope of the tree that they are associated with. The objects are dynamically created when needed, then automatically deleted when no longer needed. They are located only in rbsRole containers.
WARNING: Never change the configuration of an rbsScope object. Doing so has serious consequences and could possibly break the system.

Object: rbsModule
Description: Represents a container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance Utilities, NMAS Management, or Novell Certificate Server Access). rbsModule objects can be created only in rbsCollection containers.

Object: rbsCategory
Description: A category groups roles and tasks together which are specific to a particular function. iManager has 14 default categories: Authentication & Passwords, Collaboration, Directory, File Management, Identity Manager, Infrastructure, Install & Upgrade, Network, Novell Audit, Printing, Security, Servers, Software Licenses & Network, Usage, and Users & Groups. The All Categories selection displays all available roles and tasks. You can also create new categories and assign roles and tasks to them.

RBS objects reside in the eDirectory tree as depicted in the following figure:

Figure 6-1 Role-Based Services in eDirectory

6.1.2 Installing RBS

RBS is installed using the iManager Configuration Wizard.

1. In the Configure view, select Role Based Services > RBS Configuration.
2. Select Configure iManager.
3. Follow the on-screen instructions.

6.1.3 Removing RBS

If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection automatically cleans up all user role associations and scopes in the tree. Do not delete the RBS collection using other utilities, such as ConsoleOne.

To remove Role-Based Services:

1. In the Configure view, select Role Based Services > RBS Configuration.
2. Select the collection to be deleted.
3. Click Delete.

After the RBS collection is deleted, all users logging into iManager enter in Assigned Access mode even though there is no RBS collection object in the tree. To switch back to Unrestricted mode (the default mode):

1. In the Configure view, select iManager Server > Configure iManager.
2. Select the RBS tab.
3. Select the appropriate tree name in the RBS Tree List field, then click the minus button.
4. Click Save.

NOTE: When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page:

Notice: Some of the roles and tasks are not available.

Clicking View Details might display a Not supported by current authenticators message for several of the tasks, even though the tasks work correctly. This message is misleading, and iManager removes these messages after you configure RBS.

6.2 RBS Configuration

The RBS Configuration task provides complete control over RBS objects. It is a central place for managing and configuring RBS objects. You can list and modify RBS objects by type. The task also gives you useful information about the RBS system, such as the number of modules in a collection, how many are installed, how many are not installed, and how many are outdated.

Some tasks let you operate on multiple objects simultaneously. For example, you can associate or disassociate multiple members from a role at the same time.

From the Configure view, select Role-Based Services > RBS Configuration to open the RBS Configuration page in the Content frame. The page includes two tabs:

- iManager 2.x Collection: Displays current RBS collections.
- iManager 1.x Collections: Displays older RBS collections that you can either delete or migrate to iManager 2.x. If you select Migrate, a wizard steps you through the migration process.

iManager displays only those collections you own, and includes the following information about each collection:

- Module: Indicates the number of modules on the Web server that you are logged in to.
- Installed: Indicates the number of modules that are currently installed.
- Outdated: Indicates the number of outdated modules currently installed.
- Not-Installed: Indicates the number of modules that are available but not installed.

To work with a particular collection, select it from the list. This opens a collection-specific view, as shown in Figure 6-2.

Figure 6-2 Working with RBS collections in iManager

The remainder of this section describes the various tabs in the RBS Collection page as well as the other RBS-related tasks in the Role Based Services category.

Section 6.2.1, "The Role Tab"
Section 6.2.2, "The Task Tab"
Section 6.2.3, "The Property Book Tab"
Section 6.2.4, "The Module Tab"
Section 6.2.5, "The Category Tab"
Section 6.2.6, "Plug-In Studio"
Section 6.2.7, "Editing Member Associations"
Section 6.2.8, "Editing Owner Collections"

6.2.1 The Role Tab

The RBS Collection Role tab lets you manage the RBS roles in the collection. From this tab you can do the following:

- "Create a New Role"
- "Edit a Role"
- "Delete a Role"
- "Set a Member Association"
- "Assign a Category"
- "Add a Description to a Role"

NOTE: To select a role, select the check box to the left of the role name.

Create a New Role

To create a new role in the collection:

1. In the Role tab, select New > iManager Role.
2. Complete the steps in the iManager Role Wizard.
   The wizard steps you through naming the role, assigning tasks and categories to the role, and assigning role members and scopes to the role.

Edit a Role

To edit an existing role in the collection:

1. In the Role tab, select the role, then click Edit.
   The role's task list appears.
2. Add or remove a task from this page as needed, then click OK.

Delete a Role

To delete a role in the collection:

1. In the Role tab select the role, then click Delete.
   A message appears: This operation will delete all of the selected roles. Do you want to continue?
2. Click OK to delete the role.

Set a Member Association

To add a member to an existing role:

1. In the Role tab select the role, then select Actions > Member Associations.
2. Provide the required member information, then click Add.
   Name: Specify, or use the Object Selector to find, the desired object to be a role member.
   Scope: Specify, or use the Object Selector to find, the container that defines the scope within which this member can perform the role.
3. In the members list, specify how you want rights related to this role assigned to the member, then click OK.
   Assign Rights: Instructs eDirectory to automatically grant the member rights necessary to perform the assigned role. When not selected, the member is assigned the role but might not have rights to perform all tasks associated with the role. The member's rights assignments are handled separately.
   Inheritable: Select subtree to indicate that the member's scope includes all sub-containers in the specified context. Select base object to indicate that the member can perform the role only in the specified container.

NOTE: If a user is a collection owner, and has a member association set, then he/she can manage all the RBS objects within the defined scope. For a list of RBS objects in eDirectory and their description, see Section 6.1.1, "RBS Objects in eDirectory," on page 54.

Assign a Category

To add a category assignment to an existing role:

1. In the Role tab, select the role, then select Actions > Category Assignment.
   The Category Assignment page appears.
2. Select a category, then click the right-arrow to assign it to the role.
3. Click OK.

Add a Description to a Role

To add a description to an existing role:

1. In the Role tab, select the role and click Actions > Description.
2. Specify the description in the text box, then click OK.

6.2.2 The Task Tab

A task is a plug-in that performs a distinct management function, such as creating a user or setting a password. iManager lists the tasks by group in the navigation area on the left side of the window.

The RBS Collection Task tab lets you do the following operations:

- "Creating a New Task"
- "Deleting a Task"
- "Editing the Role Assignment of a Task"
- "Adding a Description to a Task"

Creating a New Task

To create a new task:

1. In the Task tab, select New > iManager Task.
2. Complete the steps in the Create iManager Task Wizard.
   The wizard steps you through providing the necessary detail about the new task you are creating.

For information on creating tasks in the Plug-in Studio, see "Creating a New Task from Plug-In Studio" on page 65.

Deleting a Task

To delete an existing task:

1. In the Task tab, select the task, then select Delete.
   A message appears: This operation will delete all of the selected tasks. Do you want to continue?
2. Click OK.

Editing the Role Assignment of a Task

To edit the list of roles to which a task is assigned:

1. In the Task tab, select the task, then select Actions > Role Assignment.
2. On the Edit Role Assignment page, add or remove roles from the Assigned Roles field, then click OK.

Adding a Description to a Task

To add a description to an existing task:

1. In the Task tab, select the task, then select Actions > Description.
2. Specify the description in the text box, then click OK.

6.2.3 The Property Book Tab

A property book displays the attributes of a specific object type that you can modify. These properties are of an object or set of objects of the same type. Property books can be assigned to roles and appear in the list of tasks for a role. For example, a property book that modifies the attributes of User objects might have a page that lets you specify a user's login script. Another page could let you change a user's e-mail address and telephone number.

Property book pages are similar to tasks. However, they are for displaying and modifying attributes in a single view. For a more complex, wizard-like UI, you should create a task.

The RBS Collection Property Book tab lets you perform the following operations:

- "Creating a New Property Book"
- "Deleting a Property Book"
- "Editing the Role Assignment in a Property Book"
- "Modifying the Page List for a Property Book"
- "Modifying the Object Type Assignment of a Property Book"
- "Adding/Modifying the Description of a Property Book"
- "Defining/Modifying a Preferred Object Selection Method for a Task of a Property Book"

Creating a New Property Book

To create a new property book:

1. In the Property Book tab, select New.
2. Complete the steps in the Create Property Book Wizard.
   The wizard steps you through providing the necessary detail for the property book you are creating.

IMPORTANT: In iManager, some characters have special significance and must be escaped with the backslash (\) character. For more information, see Section 3.2, "Special Characters," on page 23.

Deleting a Property Book

To delete a property book:

1. Under the Property Book tab, select the property book, then select Delete.
   A message appears: This operation will delete all of the selected property books. Do you want to continue?
2. Click OK.

Editing the Role Assignment in a Property Book

To modify the list of roles to which a property book is assigned:

1. Under the Property Book tab, select the property book, then select Actions > Role Assignment.
2. On the Edit Role Assignment page, add or remove roles from the Assigned Roles field, then click OK.

Modifying the Page List for a Property Book

To modify the attribute pages associated with a property book:

1. Under the Property Book tab, select the property book, then select Actions > Page List.
2. On the Edit Page List page, add or remove roles from the Assigned Pages field.
   To change the order of the pages, select a page and click the Move Up or Move Down buttons.

Modifying the Object Type Assignment of a Property Book

To modify the list of object types associated with a property book:

1. Under the Property Book tab, select the property book, then select Actions > Object Type.
2. On the Edit Object Type page, add or remove roles from the Assigned Object Types field, then click OK.

Adding/Modifying the Description of a Property Book

To add/modify a description to an existing task:

1. In the Property Book tab, select the property book, then select Actions > Description.
2. Specify/modify the description in the text box, then click OK.

Defining/Modifying a Preferred Object Selection Method for a Task of a Property Book

To define/modify a preferred object selection method for an existing task:

1. Under the Property Book tab, select the property book, then select Actions > Target Chooser Mode.
2. From the Mode list, select the appropriate mode: single, multiple, simple, or advanced and click OK.
   A success message is displayed. Click OK.

NOTE: For the changes to the iManager Base Content module to take effect, restart Tomcat.

6.2.4 The Module Tab

The Module page lists the RBS modules currently installed on a selected collection. Each module contains RBS property books and tasks. From this page, you can add (if you want to create a custom property book) and delete modules, and also type a description for a selected plug-in module.

The RBS Collection Module tab lets you perform the following operations:

- "Adding a New Plug-in Module"
- "Deleting an RBS Module"
- "Adding a Description"

Adding a New Plug-in Module

To add a new plug-in module:

1. In the Module tab, select New.
2. Specify the RBS module name and a destination context, then click OK.
   iManager displays a message indicating the module has been added.

Deleting an RBS Module

To delete an existing plug-in module:

1. In the Module tab, select a module to delete, then select Delete.
2. Click OK to confirm the module deletion.

Adding a Description

To add a description to an existing plug-in module:

1. In the Module tab, select a module, then select Actions > Description.
2. Specify the module description, then click OK.

6.2.5 The Category Tab

Categories group related roles and tasks together.

The RBS Collection Category tab lets you perform the following operations:

- "Adding a New Category"
- "Deleting a Category"
- "Adding a Description"

Adding a New Category

To add a new category:

1. In the Category tab, select New.
   This launches the Create Category Wizard.
2. Specify category name and description (optional), then click Next.
3. Select the roles to be associated with the new category, then click Next.
4. Review the new category summary, then click Finish.

Deleting a Category

To delete an existing category:

1. In the Category tab, select a module to delete, then select Delete.
2. Click OK to confirm the category deletion.

Adding a Description

To add or modify the description of an existing category:

1. In the Category tab, select a category, then select Actions > Description.
2. Specify the category description, then click OK.

6.2.6 Plug-In Studio

Plug-In Studio offers a quick and easy way to streamline the tasks that you do several times a day. Use Plug-in Studio to dynamically create tasks for your most frequently used operations. You can also edit and delete tasks here. For example, to modify a user, instead of selecting Modify Object, you can create a dynamic UI to edit only the attributes you have selected, such as first name or title.

Data is stored in the TOMCAT_HOME/webapps/nps/portal/modules/custom directory.

From the Plug-in Studio task, you can perform the following operations:

- "Creating a New Task from Plug-In Studio"
- "Editing a Task"
- "Deleting a Task"
- "Copying Custom Tasks"
- "Exporting Custom Tasks"
- "Importing Custom Tasks"

Creating a New Task from Plug-In Studio

To create a new task with Plug-In Studio:

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select New.
   The Task Builder appears to help you build custom tasks and property pages.
3. Specify the object type and platform information, then click Next.
   Available classes: Specify the object class associated with the new task.
   Target device: Specify the platform on which the task is used. Typically, the default selection (Default) works fine.
   Plug-in type: Specify the type of task you are creating.
   Add Auxiliary Classes: Select this option to add aux class support to the task.
4. In the Plug-in Fields screen, provide the necessary information, then click Install.
   When you click Install, iManager dynamically builds the task's .xml file, .jsp file, and the Java files that execute the task, then it installs those files into the system.
   Attributes: Select an attribute to associate with the task from the list of available attributes. Double-click the attribute to move it to the Plug-in Fields field, using the default control.
   Controls: Displays the available controls for the attribute selected in the Attributes field. Double-click a control to move the current attribute to the Plug-in Fields field, using the selected control.
   Plug-in Fields: Displays each attribute/control currently associated with the task. From this field, you can remove attributes from the task, change the control associated with an attribute, and modify the control properties for the attribute.
   Plug-in Properties: Lets you specify a Plug-in ID, assign the task to an RBS collection, and assign the task to a Role. The role you assign determines where this task appears in the Roles and Tasks Navigation frame.

Editing a Task

To edit an existing plug-in with Plug-in Studio:

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select the task, then select Edit.
3. Modify the settings described in "Creating a New Task" on page 60, then click Install.
   iManager displays a confirmation message indicating the plug-in was successfully created and installed.

Deleting a Task

To delete an existing plug-in with Plug-in Studio:

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select the plug-in from the list of installed custom plug-ins, then click Delete.
   A message appears: Are you sure you want to delete this plug-in?
3. Click OK to delete the plug-in.
   iManager displays a confirmation message indicating the plug-in was successfully deleted.

Copying Custom Tasks

To copy an existing plug-in with Plug-in Studio:

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select the plug-in from the list of installed custom plug-ins, then click Actions > Copy.
3. Specify a name for the copied plug-in, then click OK.

Exporting Custom Tasks

Use this task to export your custom tasks, making them deployable to other iManager servers.

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select the custom plug-in to export, then click Actions > Export.

Importing Custom Tasks

Use this task to deploy exported custom tasks onto multiple iManager servers.

1. In the Configure view, select Role-Based Services > Plug-in Studio.
2. Select Actions > Import.
3. Specify, or use the Object Selector to find, the RBS collection into which you want to import the custom plug-ins.
4. Specify, or browse to, the NPM file that you previously exported.
5. Click Import.

6.2.7 Editing Member Associations

There are two ways to associate members with roles:

- Select a member, then assign it to a role within a scope as described in "Set a Member Association" on page 59.
- Select a role, then assign members and a scope to it as described below.

To assign an existing role to a selected member:

1. In the Configure view, select Role Based Services > Edit Member Association.
2. Specify, or use the Object Selector to find, a member, then click OK.
   A list appears displaying the roles to which this member is assigned.
3. Specify a role and role scope to add to this member, then click OK.
   This data is saved to eDirectory. After login, the newly assigned role appears in the left column of the member who owns it.

6.2.8 Editing Owner Collections

Use this task to change the owner assigned to a collection.

1. In the Configure view, select Role Based Services > Edit Owner Collections.
2. Specify, or use the Object Selector to find, a collection owner, then click OK.
3. Add or remove collections this person can own, then click OK.

6.3 RBS Reporting

The RBS Reporting feature lets you generate reports about RBS objects in the directory and their configuration. Reports are in chart format and can be exported to other formats and printed. RBS Reporting generates the following reports:

- Role Assignments
- Role Tasks Assignments
- User Roles Assignments
- User Task Assignments
- Role Rights Assignments
- Unassigned Roles
- Unassigned Tasks
- Unassigned Categories
- Custom Roles
- Custom Tasks
- Custom Categories
- Collections

6.3.1 Creating Reports

To create an RBS Report:

1. In the Configure view, select RBS Reporting.
   Each type of report is implemented as a task.
2. Select the desired report, provide the necessary information, then click OK.
   Each report requires that you provide some initial information, such as the roles for which you want to generate a list of assigned members.

Figure 6-3 iManager Configure View Showing the Role Assignments Task

6.3.2 Using Reports

The RBS Reporting tasks generate reports that you can sort, print, and export. The following figure shows an example of an iManager report.

Figure 6-4 Members Assigned to a Role

Sorting Reports

By default, the items listed in a report are sorted alphabetically in ascending order on the first column. To indicate the column in which items are sorted, iManager displays a small icon next to the column name, and the icon indicates the sort order.

To change the column in which items are sorted, click the name of the column you want. To change the sort order, click the name of the column in which items are currently sorted.

Printing Reports

You can easily print RBS reports by clicking the Print button. This opens your browser's print dialog box, where you can select a printer and other printing options. This feature prints only the browser frame that contains the report and it prints the report as displayed in the frame, so you should make sure the items are sorted in the order you want before you click Print.

Exporting Reports

You can export report data to XML, CSV, and plain text files to use in other applications such as spreadsheets and databases. The export files contain only data and enough metadata to describe the report columns. Other information, such as the report title and date, is not exported. Items in a report are exported in the currently displayed sort order.

1. Click the Export button.
2. In the RBS Report Export window, select the format for the exported data, then click Export.
3. When your browser prompts you to open or save the file generated by iManager, select the option you prefer and proceed as required by your browser.
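
An added example, not part of the Novell guide: a CSV export of the User Roles Assignments report can be reviewed offline to list role assignments that are inheritable from the tree root and roles a user reaches indirectly through a group or container. The sample data is constructed; the spaced column names, the reading of the Assigned and Inherit columns as the Assign Rights and Inheritable settings, and the `.TREE-NAME.` form of a tree-root scope are assumptions based on the sample export in this section.

```python
import csv
import io
import re

# Constructed sample modelled on the CSV layout shown in this section.
# The last record is cut off on purpose to exercise the malformed-row path.
SAMPLE_EXPORT = '''RBS Report Query Settings
User:,"admin.example"
Date:,"Thursday, June 26, 2008 (10:33:17 AM IST)"
Types:,"User, Group, Dynamic Group, Organizational Role, Container"
RBS Report: User Roles Assignments
User,"Role Name","Role Object","Type","Member","Scope","Assigned","Inherit",
admin.example,"Directory Administration","eDirectory Administration.Role Based Service 2.example","User","admin.example",".EXAMPLE-TREE.","true","true",
admin.example,"Help Desk","Help Desk Management.Role Based Service 2.example","User","admin.example","helpdesk.example","true","false",
jdoe.example,"Schema","Schema Management.Role Based Service 2.example","Group","ops.example",".EXAMPLE-TREE.","true","true",
jdoe.example,"Rights","Rights Management.Role Based Service 2.example","User","jdoe.example",".EXAMPLE-TREE.","false","true",
jdoe.example,"Groups","Group Management.
'''

# Columns the audit needs, compared after removing spaces and lowercasing,
# so "Role Name" and "RoleName" are treated alike.
REQUIRED = {"user", "rolename", "member", "scope", "assigned", "inherit"}

# Assumption: a scope written as ".TREE-NAME." denotes the root of the tree.
TREE_ROOT = re.compile(r"^\.[^.]+\.$")


def _norm(cell):
    return re.sub(r"\s+", "", cell).lower()


def _strip_trailing(row):
    """Drop the empty cells produced by the trailing comma on each line."""
    row = list(row)
    while row and row[-1].strip() == "":
        row.pop()
    return row


def parse_rbs_export(text):
    """Return (records, malformed) from an RBS report CSV export.

    The query-settings preamble is skipped; the header is the first row that
    contains every REQUIRED column. Rows whose cell count differs from the
    header (for example a truncated final record) are returned separately.
    """
    header = None
    records, malformed = [], []
    for raw in csv.reader(io.StringIO(text, newline="")):
        row = _strip_trailing(raw)
        if not row:
            continue
        if header is None:
            names = [_norm(c) for c in row]
            if REQUIRED <= set(names):
                header = names
            continue
        if len(row) != len(header):
            malformed.append(row)
            continue
        records.append(dict(zip(header, (c.strip() for c in row))))
    if header is None:
        raise ValueError("no report header row found")
    return records, malformed


def is_true(value):
    return value.strip().lower() == "true"


def broad_assignments(records):
    """Assignments scoped at the tree root that also apply to the subtree."""
    return [r for r in records
            if TREE_ROOT.match(r["scope"]) and is_true(r["inherit"])]


def indirect_assignments(records):
    """Roles the user holds through another member (group, container, role)."""
    return [r for r in records if r["member"].lower() != r["user"].lower()]


if __name__ == "__main__":
    recs, bad = parse_rbs_export(SAMPLE_EXPORT)
    for r in broad_assignments(recs):
        rights = "rights assigned" if is_true(r["assigned"]) else "rights handled separately"
        print(f"tree-wide: {r['user']} -> {r['rolename']} ({rights})")
    for r in indirect_assignments(recs):
        print(f"indirect: {r['user']} -> {r['rolename']} via {r['type']} {r['member']}")
    print(f"{len(bad)} malformed row(s) skipped")
```

Because the export follows the displayed sort order and omits the report title and date, record when and from which tree each file was taken alongside the results.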
The following are examples of XML, CSV, and plain text files exported from the same RBS report:

XML:

admin.novell
Thursday, June 26, 2008 (10:33:17 AM IST)
User, Group, Dynamic Group, Organizational Role, Container
yes
parent sub-directory (novell)
Dynamic Group Objects
up to parent (novell)
eDirectory Administration
eDirectory Administration.Role Based Service 2.novell
User
admin.novell
.MY_TREE.
true
true
eDirectory Administration
eDirectory Administration.Role Based Service 2.novell
User
jdoe.novell
novell
true
true

CSV:

RBS Report Query Settings
User:,"admin.novell"
Date:,"Thursday, June 26, 2008 (10:33:17 AM IST)"
Types:,"User, Group, Dynamic Group, Organizational Role, Container"
Dynamic Group Search Settings:,
Search Enabled:,"yes"
Role Search:,"parent sub-directory (novell)"
Role Search:,"Dynamic Group Objects"
Container Role Search:,"up to parent (novell)"
RBS Report: User Roles Assignments
User,"Role Name","Role Object","Type","Member","Scope","Assigned","Inherit",
admin.novell,"Archive Version Management","Archive Version Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"DFS Management","DFS Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Directory Administration","eDirectory Administration.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Directory Administration","eDirectory Administration.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"eDirectory Maintenance Utilities","eDirectory Maintenance Utilities.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"File Protocols","File Protocols.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Groups","Group Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Groups","Group Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Help Desk","Help Desk Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Help Desk","Help Desk Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"IDEDemoRole","IDEDemoRole.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Novell Certificate Access","Novell Certificate Access.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Novell Certificate Server Management","Novell Certificate Server Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Partitions and Replicas","Partition and Replica Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Partitions and Replicas","Partition and Replica Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"QuickFinder Administration","QuickFinder Administration.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Rights","Rights Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Rights","Rights Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Schema","Schema Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Schema","Schema Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Storage Management","Storage Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Users","User Management.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true",
admin.novell,"Users","User Management.RBS270akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",

Plain Text:

RBS Report Query Settings
User: admin.novell
Date: Thursday, June 26, 2008 (10:33:17 AM IST)
Types: User, Group, Dynamic Group, Organizational Role, Container
Dynamic Group Search Settings:
Search Enabled: yes
Role Search: parent sub-directory (novell)
Role Search: Dynamic Group Objects
Container Role Search: up to parent (novell)
Role Name: eDirectory Administration
Role Object: eDirectory Administration.Role Based Service 2.novell
Type: User
Member: jdoe.novell
Scope: novell
Assigned: true
Inherit: true

6.4 iManager Server

If you do not see this task, you are not an authorized user. See "Authorized Users and Groups" on page 72.
This topic includes the following information:

Section 6.4.1, "Configure iManager"
Section 6.4.2, "Security"
Section 6.4.3, "Look and Feel"
Section 6.4.4, "Logging Events"
Section 6.4.5, "Redirection After Logout"
Section 6.4.6, "Authentication"
Section 6.4.7, "RBS"
Section 6.4.8, "Plug-In Download"
Section 6.4.9, "Misc"
Section 6.4.10, "Encryption"

6.4.1 Configure iManager

There are three settings in the config.xml file that control the security and the certificates used when iManager creates an LDAP SSL connection:

Security.Keystore.AutoUpdate: If the value of AutoUpdate is True, when a user successfully logs into iManager, the certificate from that eDirectory server might automatically be imported into the iManager-specific keystore. Select the setting Auto Import Tree Certificate for Secure LDAP (Configure iManager > Security).

Security.Keystore.UpdateAllowAll: When UpdateAllowAll is True, any successful user login imports/updates a certificate into the iManager certificate keystore. If the setting is false, only an authorized user login imports/updates certificates.

Security.Keystore.Priority: The priority setting contains two words that define the search order for certificates during a connection: system, and imanager. system uses the default JVM* keystore to locate certificates when creating the SSL context. If that fails, it then goes to the iManager keystore. You can change the search order of system and iManager by removing either word from the entry.

To further tighten security, do not allow AutoUpdate and use only the system keystore. If you do this, you must manually import the certificates that you want to reside in the default system keystore by using the tools that come with Java. If you disable UpdateAllowAll, then certificate imports occur only from a successful iManager authorized user login.
6.4.2 Security

These settings affect your entire Web server configuration and are saved in the config.xml file. You can either save as you go or click Save once after you have made all your changes.

Warn When Using a Nonsecure Connection

Select this option if you want users without a secure connection between the Web browser and the Web server to receive the following warning: You are using a non-secure connection.

Enable Novell Audit

Make sure you have met the Novell Audit Prerequisites. Select the Enable Novell Audit option and select specific iManager logging events, then click Save.

Auto Import Tree Certificate for Secure LDAP

Secure LDAP connections require a certificate. If you select this feature, the system automatically imports a public tree certificate for secure LDAP.

Authorized Users and Groups

Authorized users and groups are those that iManager permits to perform its various administrative tasks. Authorized user data is saved in TOMCAT_HOME\webapps\nps\WEB-INF\configiman.properties. The iManager installation process creates this file only if authorized user and group information is provided, but providing it is not required. If it is not provided, iManager allows any user to install iManager plug-ins and modify iManager server settings (not recommended long-term).

When a group or an organizational role is added to this list, all members of the group or the organizational role become authorized users. Adding a nested group supports only the first level of members. Adding a dynamic group is not supported, because it can have any type of objects as its members.

After installing iManager, you can add an authorized user, group, or organizational role by specifying it, or by using the Object or Selector icon next to the Authorized Users and Groups list. Doing this modifies the configiman.properties file. To designate all users of the tree as authorized users, type AllUsers.

NOTE: You can add and save only valid users to the Authorized Users and Groups list. If you add invalid users and click Save, an error message, which says that the object is not found, is displayed. If you add only invalid users to the list and click Save, the error message is displayed and the list of invalid users is automatically replaced by AllUsers. If you do not want all the users of the tree to be authorized users, remove AllUsers from the list, add desired valid users to the list, and click Save.

IMPORTANT: If you have installed iManager for the first time, the Authorized Users and Groups list is empty. As an Admin user, you must immediately add users and groups to the list to make them authorized, and to have rights to modify the list. Otherwise, a non-admin user might add users and groups to the list, by which he/she acquires the rights to modify the list. You (Admin) might lose the rights to modify the list.

For security-related information about the configiman.properties file, see "iManager Authorized Users and Groups" on page 113.
6.4.3 Look and Feel

The Look and Feel tab lets you customize the appearance of the iManager interface. This information is stored in TOMCAT_HOME\webapps\nps\WEB-INF\config.xml.

Title Bar Name

Specify your organization name in this text box. It then appears in the title bar of the Web browser in place of the default text (Novell iManager).

Images

The Title bar contains three images: the header background image, the header filler image, and the header branding image. Your own images must conform to the dimensions given in the interface. Store these files in nps/portal/modules/fw/images. Specify the path of each image in its respective text field.

Navigation Menu Colors

You can customize the color of the menu header and the background of the navigation menu on the left. You can type either color names or hexadecimal numbers. Entries are not case sensitive.

Click Reset to return to default colors and images, or click Save to save the settings to the config.xml file.
6.4.4 Logging Events

The Logging Events tab lets you configure iManager's logging environment. There are two logging settings:

Logging Level: Select the types of messages you want to log, from four options: No Logging, Errors only, Errors and Warnings, and Errors, Warnings and Debug Information.

Select your logging output options.

Logging Output: Select the destination for logged messages, from three options: Send Log Output to Standard Error Device, Send Log Output to Standard output Device, and Send Log Output to Debug.html File.

The log file path and log file size both appear on this page. Select View to display the current log file in HTML format. Select Clear to clear the current log file and reset the log file size to 0 (zero) bytes.
6.4.5 Redirection After Logout

The Redirection After Logout option allows you to specify the URL to be redirected to after you log out of iManager. If you have not selected this option, when you click Exit, you are logged out of iManager. By default, the Login page is displayed.

Enable: Select this option to enable the Redirection After Logout feature.

URL: Specify the URL to be redirected to after you log out of iManager.
6.4.6 Authentication

The Authentication tab configures iManager's login page. It contains the following options:

Remember login credentials: When selected, users must only enter a password to log in.

Use Secure LDAP for auto-connection: When selected, iManager performs LDAP communications using SSL. Some plug-ins, such as Dynamic Groups and NMAS, do not work if this option is not selected. This setting does not take effect until you log out of iManager.

Hide specific reason for login failure: When selected, iManager replaces authentication-related eDirectory messages with a generic error message that reads: Login Failure. Invalid Username or Password. For more information, see "Preventing User Name Discovery" on page 113.

Allow 'Tree' selection on Login page: When selected, iManager's login page displays the Tree field. If you do not select this option, you must have a default tree name specified or you cannot log in.

Contextless Login: Contextless login allows users to log in with only username and password, without knowing their entire User object context. For example, .admin.support.sales.novell.

If there are multiple users with the same username in the tree, contextless login logs the user in by using the first user account it finds with the supplied password within the container order list that the user has specified. The user can rearrange and set the container order list. If there are multiple users with the same username in the tree, to log in with a specific username, a user should provide full context when logging in, or limit the search containers that contextless login searches.

Select Search from Root to perform the user search from the root of the directory tree. Select Search Containers to specify one or more containers where User objects can be found.

By default, iManager connects with public access, requiring no specific credentials. You can specify a user with specific credentials to do the search for the contextless lookup. The iManager public user is used if you don't specify a user.

IMPORTANT: If you specify a public user, consider carefully the implications of password expiration settings. If the password is set to expire for the public user, you do not have the opportunity to change the password during login after it expires.

iManager Server Timeout Settings: If you want the iManager server to time out after a certain period, specify the number of days, hours, and minutes in the respective fields, in the Authentication page. If you never want the server to time out, select the Never Timeout option.

Redirection After Logout: In the Authentication page, you have to enable this option if you want to be redirected to a desired page after logging out of iManager. You have to specify the desired URL in the URL: field. If you do not specify any URL, when you click Exit, you are logged out of iManager. By default, the Login page is displayed.
6.4.7 RBS

Role-Based Services (RBS) assigns the rights within eDirectory to perform tasks. When you assign a role to a user, by default RBS assigns the rights necessary to perform the tasks included with that role. The RBS tab lets you configure the following settings:

Enable Dynamic Groups: When selected, RBS allows dynamic groups to be members of a role. For more information about dynamic groups, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).

Show Roles in Owned Collections: When selected, collection owners see all roles and tasks whether they are members of them or not. Deselect this option to force collection owners to see only their assigned roles.

Role Discovery Domain: Indicates where in the tree iManager is to search for roles that are assigned to a member.
  Parent, iManager searches for Dynamic Groups up to the parent container.
  Partition, iManager searches for Dynamic Groups up to the first eDirectory partition.
  Root, iManager searches for Dynamic Groups in the entire tree.

Dynamic Group Discovery Domain: Indicates where in the tree iManager is to search for Dynamic Group membership. Role membership is then checked in the Dynamic Groups found.
  Parent, iManager searches for roles in the user's parent container.
  Partition, iManager searches for roles up to the first eDirectory partition.
  Root, iManager searches for roles in the entire tree.

Dynamic Group Search Type: Selects which type of Dynamic Groups should be searched for role membership.
  Dynamic Groups only, searches for objects that are of the Dynamic Group class type.
  Dynamic Group Objects and Aux classes, searches for objects that are either of the dynamicGroup class type or have been extended with the dynamicGroupAux class. This includes group objects that were later converted to Dynamic Groups.

RBS Tree List: Auto-populated with the eDirectory tree's name when a collection owner or a role member authenticates. If RBS is removed from an eDirectory tree, remove that tree's entry in this list in order to return to Unassigned Access mode.
6.4.8 Plug-In Download

The Plug-in Download tab lets you configure the following settings:

Query Novell download site for new Novell Plug-in Modules (NPM): Indicates that the iManager Server should query the Novell Download site (http://download.novell.com/index.jsp?product_id=&search=Search&build_type=SDBuildBean&families=&date_range=&keywords=iManager&x=23&y=4) for new plug-in modules (NPMs). Two radio buttons let you configure the query for every available NPM, or query only for updates to already-installed NPMs.

Downloading Plug-In Modules from a Custom Site: You can download the plug-in modules from a custom site by specifying the URL of the custom site in the Download URL field, in the Plug-in Download page.

Downloading Plug-In Modules Through Proxy: If iManager Servers are running under the firewall proxy, the client can access the Internet through a proxy server. Only HTTP Proxy is supported. It is a Web proxy HTTP. To download the plug-ins, the user has to do the following in the Plug-in Download page:

1. Select Enable Proxy.
2. Enter in the following fields:
   Proxy Host: Specify the proxy host IP address in this field.
   Proxy Port: Specify the proxy port number in this field.
   Username: Specify the username in this field.
   Password: Specify the password in this field.
   Retype Password: Specify the password that you have specified in the Password field, in this field.

IMPORTANT: iManager 2.7 plug-ins are not compatible with previous versions of iManager. Additionally, any custom plug-ins you want to use with iManager 2.7 must be re-compiled in the iManager 2.7 environment.
6.4.9 Misc

The Misc tab lets you configure the following settings:

Enable [this]: You can safely ignore this option. Enable [this] was added to iManager to allow some internal teams to modify their own objects. [this] is an attribute in the tree that enables specific self-management functionality. If [this] is enabled, all eDirectory servers in the tree must be version 8.6.2 or later.

eGuide URL: Specifies the URL to eGuide. This is used in the eGuide launch button in the header and in the eGuide role and task management tasks. This must be a full URL, for example, https://my.dns.name/eGuide/servlet/eGuide, or the keyword EMFRAME_SERVER. Using EMFRAME_SERVER causes eMFrame to look for eGuide on the same server on which eMFrame is located. For more information on eGuide, see the Novell eGuide documentation Web site (http://www.novell.com/documentation/eguide212/index.html).
6.4.10 Encryption

You can use the Encryption tab to choose the cipher level based on your security requirement. The four cipher levels are:

1. NONE - Allows any type of cipher.
2. LOW - Allows a 56-bit or a 64-bit cipher.
3. MEDIUM - Allows a 128-bit cipher.
4. HIGH - Allows ciphers that are greater than 128-bit.

By default, the cipher level is set to NONE. The selected cipher level is activated after the Tomcat server is restarted.

IMPORTANT: By default, Firefox does not allow LOW cipher level. To enable the LOW cipher algorithms in your Firefox browser:

1. Open Firefox, type about:config in the location bar, then press Enter.
2. (Conditional) If a warning appears, click the I'll be careful, I promise! button to continue to the about:config page.
3. In the about:config page, under the Preference Name list, double-click the security.ssl3.rsa_rc4_40_md5 preference to change the value to True.

This enables the LOW cipher algorithms in your Firefox browser.

By design, the Encryption tab is not available on OES. You need to manually change the cipher levels in the vhost-ssl.conf file.

1. Go to the /etc/apache2/vhosts.d/vhost-ssl.conf file, then modify the SSLCipherSuite parameter based on your cipher level support.

For example, to configure only HIGH cipher level, modify the SSLCipherSuite parameter as follows:

SSLCipherSuite ALL:ADH:EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:+EXP:+eNULL

You can use the following prefixes to modify the cipher levels:

+ : adds ciphers to the list of ciphers and pulls them to the current location in the list.
- : removes a cipher from the list (can be added later again).
! : kills a cipher from the list completely (cannot be added later again).

For more information, see the Apache Module mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) documentation.
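What the example SSLCipherSuite value in this section resolves to, as an added example (not from the Novell guide): a small model of the cipher-list operators as the OpenSSL ciphers documentation describes them (a bare class appends, + only moves suites already in the list to the end, - removes, ! removes permanently), run over a constructed table of suite names and class tags. In this model the page's string still leaves anonymous (ADH), export and SSLv2 suites enabled; STRICT_SPEC is an assumed alternative built from the same class names.

```python
# Constructed cipher table for the example: suite name -> class tags. Strength
# tags follow the levels in this section (LOW 56/64-bit, MEDIUM 128-bit, HIGH
# above 128-bit); EXPORT is a class of its own, and ADH suites are anonymous.
CIPHERS = {
    "AES256-SHA":          {"HIGH", "RSA", "SSLv3"},
    "DHE-RSA-AES256-SHA":  {"HIGH", "RSA", "SSLv3"},
    "ADH-AES256-SHA":      {"HIGH", "ADH", "SSLv3"},
    "RC4-MD5":             {"MEDIUM", "RC4", "RSA", "SSLv3"},
    "DES-CBC-SHA":         {"LOW", "RSA", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"EXPORT", "EXPORT56", "RSA", "SSLv3"},
    "EXP-RC4-MD5":         {"EXPORT", "EXPORT40", "RC4", "RSA", "SSLv3"},
    "DES-CBC3-MD5":        {"HIGH", "RSA", "SSLv2"},
    "NULL-SHA":            {"eNULL", "RSA", "SSLv3"},
}
ALIASES = {"EXP": "EXPORT"}

# The value shown in this section, and an assumed stricter alternative.
PAGE_SPEC = "ALL:ADH:EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:+EXP:+eNULL"
STRICT_SPEC = "HIGH:!ADH:!EXP:!SSLv2:!eNULL"


def _matches(name, selector):
    """True if the suite satisfies every class joined by '+' in the selector."""
    tags = CIPHERS[name]
    for part in selector.split("+"):
        part = ALIASES.get(part, part)
        if part == "ALL":
            if "eNULL" in tags:            # ALL never includes the eNULL suites
                return False
        elif part != name and part not in tags:
            return False
    return True


def evaluate(spec):
    """Return the ordered list of suites a cipher string leaves enabled."""
    enabled, killed = [], set()
    for token in filter(None, spec.split(":")):
        op = token[0] if token[0] in "+-!" else ""
        selector = token[len(op):]
        hits = [n for n in CIPHERS if _matches(n, selector)]
        if op == "":                       # append suites not yet listed
            enabled += [n for n in hits if n not in enabled and n not in killed]
        elif op == "+":                    # reorder only: move matches to the end
            moved = [n for n in enabled if n in hits]
            enabled = [n for n in enabled if n not in hits] + moved
        else:                              # '-' removes, '!' removes for good
            if op == "!":
                killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
    return enabled


def outside_high(names):
    """Enabled suites that a HIGH-only policy should not contain."""
    bad = {"ADH", "EXPORT", "SSLv2", "eNULL", "LOW", "MEDIUM"}
    return [n for n in names if CIPHERS[n] & bad or "HIGH" not in CIPHERS[n]]


if __name__ == "__main__":
    for label, spec in (("page", PAGE_SPEC), ("strict", STRICT_SPEC)):
        enabled = evaluate(spec)
        print(label, "enabled:", enabled)
        print(label, "outside HIGH-only policy:", outside_high(enabled))
```

On the server itself, `openssl ciphers -v '<string>'` lists what the installed OpenSSL build actually enables for a given string; the result depends on the OpenSSL version.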
6.5 Object Creation List

When you create an object, a preconfigured list of object classes is registered with the Create Object task. The Object Creation List Category contains the following tasks:

Section 6.5.1, "Adding an Object Class to the Creation List"
Section 6.5.2, "Deleting an Object Class from the Creation List"

6.5.1 Adding an Object Class to the Creation List

Use this task to add more objects to the Object Creation List, which is the list of objects that can be created in iManager, using the Directory Administration > Create Object task.

1. In the Configure view, select Object Creation List > Add Object Class to Creation List.
2. Select the object to add, then click Next.
3. Review the XML definition information, then click Finish to create the .xml file.

6.5.2 Deleting an Object Class from the Creation List

Use this task to delete an object from the Object Creation List, which is the list of objects that can be created in iManager, using the Directory Administration > Create Object task.

1. In the Configure view, select Object Creation List > Delete Object Class from Creation List.
2. Select the object to delete, then click Next.
3. Review the XML definition information, then click Finish to delete the object from the Object Creation List.
6.6 Plug-In Module Installation

If you do not see this role in your iManager interface, you are probably not an authorized user. See "Authorized Users and Groups" on page 72.

There are two types of modules used in iManager:

Novell Plug-in Module (NPM): These are archives that contain the files for plug-ins to iManager. When you install an NPM using the Available Novell Plug-in Modules task, you are installing a plug-in to iManager to add to its functionality.

RBS Module: These are objects in eDirectory that contain RBS Tasks and RBS Book objects. When Role-Based Services has been configured in an eDirectory tree, click Configure > RBS Configuration to install the RBS Module after the NPM in order for the new tasks associated with the plug-in to become available for use.

Module Installation relates to NPMs only. For information about installing NPMs during the iManager installation process, see "Downloading and Installing Plug-Ins During Installation" in the Novell iManager 2.7.6 Installation Guide.

6.6.1 Available Novell Plug-in Modules

The Available Novell Plug-in Modules (NPM) page lists all the available NPMs contained in the packages directory or on the download site. For more information, see "Plug-In Download" on page 75. The name, version, and description of each module are in their respective manifest files.

You can hide the plug-ins by selecting the plug-in modules and clicking the Hide button. You can also hide all the plug-in modules so that the Home page doesn't display the New iManager NPMs are available to install notice. You can also view the list of the hidden plug-in modules by clicking the Show Hidden button. You can unhide the hidden plug-in modules if required.

6.6.2 Installed Novell Plug-in Modules

This list contains the NPMs that have been installed in iManager. Each NPM is listed by name, local version, and description found in the current manifest files.

iManager 2.7 does not include all plug-in modules as part of the base product. Most iManager 2.7 plug-ins must be downloaded separately. However, the following plug-ins are included in the base.npm module that ships with iManager 2.7:

Directory Administration
Partitions and Replicas
Help Desk
Schema
Rights
Users
Groups

For more information, see Chapter 5, "Roles and Tasks," on page 35.

IMPORTANT: To function properly, a plug-in module's version must be compatible with the version of iManager on which it is running. Refer to the specific product documentation for information about iManager version requirements for a particular plug-in module. For example, iManager 2.7 plug-ins are not compatible with previous versions of iManager. Additionally, any custom plug-ins you want to use with iManager 2.7 must be re-compiled in the iManager 2.7 environment.
6.7 Downloading and Installing Plug-in Modules

iManager 2.7 lets you download and install updates to existing and new plug-ins from within iManager. iManager automatically queries the Novell Download Web site once a week for plug-ins.

NOTE: Plug-in modules are not replicated between iManager servers. We recommend that you install the plug-in modules you want on each iManager server.

To download and install one or more plug-in modules:

1. Launch iManager and log in.
2. In the Configure view, select Plug-in Installation > Available Novell Plug-in Modules.
   The Content frame lists all the available iManager plug-ins. iManager automatically checks the Novell download site once a week for updated plug-ins. However, you can update the list at any time by clicking the Refresh link.
3. (Optional) If you have downloaded a plug-in, or have one locally that you want to install, click Add, then browse for the appropriate plug-in NPM file.
4. Click OK.
   This returns you to the Available Novell Plug-in Modules page.
5. Select the plug-in you want, then click Install.
   The file location shows whether the plug-in is from Local Directory, or Novell Download site. If you select at least one plug-in that has the File Location as Novell Downloads for installation, the Novell iManager Plug-in Modules License Agreement page is displayed. Select I Agree, then click OK to proceed with the installation.
   NOTE: Installing a plug-in from the Novell download site can take several minutes, depending on your connection speed and number of plug-ins being installed. A status bar indicates the download time.
6. After the installation is completed, restart Tomcat.
   Tomcat sometimes requires several minutes to fully initialize. Wait at least 5 minutes before trying to log in to iManager. For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.
7. Verify that the new Role appears in the Roles and Tasks page.

To add members to the new Role, use the Modify Member Association task.
6.7.1 If RBS is Configured

IMPORTANT: In order to reinstall an existing plug-in, you must first delete the rbsModule object for that plug-in from eDirectory using the Module Configuration > Delete RBS Module task.

1. From the Configure view, select Role-Based Services > RBS Configuration.
   The table on the 2.x Collections tab displays any out-of-date modules.
2. To update them, select the number in the Out-of-Date column for the Collection you want to update.
   The list of outdated modules is displayed.
3. Select the modules you want to update, then click Update at the top of the table.

6.7.2 Uninstalling a Plug-in Module

1. In the Configure view, select Plug-in Installation > Installed Novell Plug-in Modules.
2. Select the plug-in, then click Uninstall.
3. Restart Tomcat.
   For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

The steps for manually removing a plug-in module are available in TID# 7006125 (http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7006125&sliceId=1&docTypeID=DT_TID_1_1&dialogID=790607&stateId=0%200%20792657).
6.7.3 Customizing the Plug-In Download Location

You can create a plug-in download repository if a proxy server or firewall prevents iManager 2.7 from contacting the Novell download Web site. This lets you host plug-in modules on a local Web server or a common file system location.

The best way to do this is to use the XML descriptor file from the Novell download Web site (http://www.novell.com/products/consoles/imanager/iman_mod_desc.xml) as a template. For more information about the iManager descriptor file, see "Downloading and Installing Plug-Ins During Installation" in the Novell iManager 2.7.6 Installation Guide.

To set up a local plug-in repository, save the descriptor file locally, then open the file and copy the URL for each plug-in module you want to make available locally and paste it in a Web browser address bar to download the file. After downloading all desired plug-in modules, edit the local copy of the descriptor file to reflect the new URL for each downloaded plug-in module.

A plug-in module URL can be an HTTP link or a file system location. For example:

Windows File System
Linux File System
HTTP Link

Specifying a Local Descriptor File

You can specify a custom descriptor file either during the iManager 2.7 installation, or after iManager 2.7 has been installed.

During the installation process, the iManager 2.7 plug-in download URL can be redirected to a custom descriptor file. To do this, simply change the URL on the Select Plug-ins to Download and Install page to the location of the custom descriptor file and click Go.

NOTE: If the message No plug-ins found or server not available appears in the Plug-in download area, one or both of the following conditions can exist: There are no updated plug-ins available on the Novell download site, or the connection to download.novell.com from the install program was not successful. Verify your Internet connection.

When iManager 2.7 is installed, you can change the plug-in module download URL by modifying \webapps\nps\WEB-INF\config.xml. For example:

Windows File System
Linux File System
HTTP Link

IMPORTANT: If you use iManager Workstation to access a custom plug-in URL over an SSL connection (HTTPS), make sure to import the target Web server's certificate or you won't be able to set up a secure connection.
6.8 E-Mail Notification

This role enables you to select plug-in-specific tasks that users want to be notified of whenever that specific task occurs. The tasks are set up by the plug-in itself. You decide whether or not to be notified, and specify who should be notified of selected events. Your first task is to set up the mail server.

TIP: Depending on what you select, you could receive a lot of e-mail!

6.8.1 Mail Server Configuration

The mail server configuration specifies the SMTP server settings for event notification.

1. In the Configure view, select Email Notification > Mail Server Configuration.
2. Specify the mail server settings, then click OK.
   From Address: Specifies the address that appears in the From field of the iManager e-mail message.
   Primary Mail Server: Specifies an IP address or server name (for example: smtp.novell.com) of a mail server. You must also provide the username and password for iManager to use to access the SMTP server.
   Secondary Mail Server: Specifies an optional backup mail server. Provide the same information as that for the primary mail server.

6.8.2 Task Event Notification

Plug-ins whose tasks are listed in their .xml files automatically register task events on this page.

1. In the Configure view, select Email Notification > Task Event Notification.
2. In the Email Address field, specify the e-mail addresses you want to receive this notification, separated by commas.
3. Select an event.
   The Task Event Properties screen appears.
4. Specify the e-mail subject and the e-mail message in the appropriate fields.
5. In the Additional Email Addresses field, type any additional e-mail addresses (separated by commas) you want to notify.
6. Select Override Default and Notify Only These Addresses if you want the message to ignore the e-mail list in step 2 and go only to the e-mail addresses specified on this page.
6.9 Views

If you do not see this role in your iManager interface, you are probably not an authorized user. See "Authorized Users and Groups" on page 72.

iManager Views are management pages accessed from buttons in iManager's Header frame. You might want to prevent users from accessing certain views, such as View Objects or Configure. By default, all views inherit the settings of the parent set.

6.9.1 Showing and Hiding iManager Views

1. In the Configure view, select Views > iManager Views.
2. Specify, or use the Object Selector to find, a container at which you want to restrict access to Views, then click OK.
3. Specify the appropriate view settings, then click OK.
   There are three view settings from which you can choose:
   Do not set: Does not explicitly set the view state. This is the default setting.
   Hide: Hides the view.
   Show: Displays the view.
   Select Read parent containers of this object to use the settings of the object's parent container for this object. When selected, the parent settings take precedence over the object's local settings.

6.9.2 Enabling and Disabling Identity Manager view as Default view in iManager on Identity Manager Installed Servers

To enable iManager views:

1. Stop Tomcat.
2. Open the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.
3. Add the following configuration details in the xml file:
4. Start Tomcat.

NOTE: By default, "IS_IDM_VIEW_AS_DEFAULT" is set to "true".

To disable iManager views:

1. Stop Tomcat.
2. Open the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.
3. Add the following configuration details in the xml file:
4. Start Tomcat.
7 Preferences

The Preferences view lets you configure iManager settings related to the application's look and feel. It provides access to the following tasks:

Section 7.1, "Manage Favorites"
Section 7.2, "Object Selector"
Section 7.3, "Object View"
Section 7.4, "Set Initial View"
Section 7.5, "Language"

7.1 Manage Favorites

Configures the Favorites view, which displays a custom set of often-used tasks together in a special view.

1. From the Preferences view, select Manage Favorites.
2. Select the desired tasks from the Tasks field and move them to the Favorites field.
   Double-click tasks to move them, or select them and use the arrow icons to move them. Select Make favorites my initial view to use the Favorites view as your iManager "Home page".
3. Click OK.

7.2 Object Selector

Configures the Object Selector settings:

Window Size: Specify Object Selector's window width, height, and left column width, in pixels.

User-Specified Defaults: Specify Object Selector's default settings, including
  Startup Mode: Specifies whether the Browse tab or Search tab is displayed initially.
  Results per Page: Specifies the number of results to display per page.
  Starting Context: Specifies the default container to which Object Selector opens.
  Search on Startup: Specifies initial search actions when Object Selector opens to the Search tab.
  Show Subordinate Count: Enables/disables displaying the total number of objects next to each container object displayed in the Object Selector. When selected, iManager displays the subordinate object count, in parentheses, next to the container name.

NOTE: The subordinate count does not take into account your assigned rights when calculating the subordinate object count, so the number of objects you can see might differ from the count specified.

7.3 Object View

Configures the Object View settings:

Column Width: Specifies Object View's column width, in pixels.

Startup Mode: Specifies whether the Browse, Search, or Tree tab is displayed initially.

Selection Mode: Specifies Object View's initial object selection mode: single object, or multiple objects.

Navigation Pane (Left Side): Specifies the number of results to display in the Navigation frame. This setting applies to all tabs in the Object View. Valid settings include 1-500.

Tree Content Pane (Right Side): Specifies the number of results to display on one page in the Content frame. This setting applies only to the Tree tab in the Object View. Valid settings include 1-500.

Starting Context: Specifies the default directory container to which Object View opens. You can have it open to the last container used, or have it always open to the same container.

Search on Startup: Specifies initial search actions when Object View opens to the Search tab.

Show Subordinate Count: Enables/disables displaying the total number of objects next to each container object displayed in the Object Selector. When selected, iManager displays the subordinate object count, in parentheses, next to the container name. This applies to the Navigation frame in the Tree tab, and the results window in the Browse and Search tabs in the Object View.

NOTE: The subordinate count does not take into account your assigned rights when calculating the subordinate object count, so the number of objects you can see might differ from the count specified.

7.4 Set Initial View

Specifies the view that displays when you first log in to iManager. If nothing is selected, the Roles and Tasks view defaults to the initial view.
you select determines what appears after you log in to iManager.

7.5 Language

Specifies the language in which you want iManager to display. Select the check box to remember the language so that the language setting is kept between iManager sessions. To make the language setting permanent, set your preferred default language in the Web browser.

NOTE: Plug-ins cannot work properly if the first language (top position) listed in your Web browser's Language setting is not set to a supported language for iManager. To avoid problems, in your Web browser, click Tools > Options > Languages or a sequence similar to this, then set the first language preference in the list to a supported language.

8 Troubleshooting

This section provides some troubleshooting tips resulting from Novell's testing of iManager.

These tips are arranged alphabetically in the following topics:

- Section 8.1, "Authentication Issues"
- Section 8.2, "Accessing NCP Server Objects"
- Section 8.3, "Deleting and Re-creating User Accounts with the Same Name (Windows XP/2000)"
- Section 8.4, "DNS 630 Error Message Appears When Creating a Property Book with Invalid Characters in Name"
- Section 8.5, "eDirectory Maintenance Task Errors"
- Section 8.6, "Enabling Debug Messages for Install and Configure"
- Section 8.7, "History Does Not Automatically Sync Across Multiple Simultaneous User Logins"
- Section 8.8, "iManager Doesn't Work after Installing Groupwise 7.0 WebAccess (Windows Server 2000/2003)"
- Section 8.9, "Missing Attribute, Object, or Value Errors"
- Section 8.10, "Missing Roles or Tasks in the Configure View"
- Section 8.11, "Performing a System Restore from Image Software"
- Section 8.12, "Running eDirectory and iManager on the Same Machine (Windows only)"
- Section 8.13, ""Service Unavailable" Message Appears During Multiple Plug-In Installs"
- Section 8.14, "Tomcat"
- Section 8.15, ""Unable to Determine Universal Password Status" Error"
- Section 8.16, "iManager Workstation Does Not Display Information"
- Section 8.17, "Sometimes Refresh Button Does Not Function"
- Section 8.18, "iManager Plug-in Installation Hangs or Plug-ins Are Not Properly Installed"
- Section 8.19, "Login Issue with Tree IP Address Change"
- Section 8.20, "Insufficient Java Heap Size Results in Failed Login"
- Section 8.21, "Java Error Messages are Displayed After Closing the Browser of iManager Workstation"
- Section 8.22, "iManager and LDAP Use Different Date Ranges"
- Section 8.23, "iManager Installation Fails on SLES 9 and Red Hat 4 Platforms"

8.1 Authentication Issues

Authentication is a complex topic, and your existing network infrastructure can affect your ability to successfully perform an initial iManager login. The following facts can help you minimize authentication-related difficulties.
For more information about authentication-related topics, see the Novell Modular Authentication Service (NMAS) documentation (http://www.novell.com/documentation/nmas33/index.html) and Novell eDirectory documentation (http://www.novell.com/documentation/edir88/index.html).

- iManager authentication is a platform-dependent operation, meaning that it functions differently depending on the platform on which iManager is running:
  - Linux and Windows servers: When iManager runs on a Linux or Windows server, it utilizes eDirectory's legacy authentication mechanism and the regular eDirectory password. This mechanism supports eDirectory's Universal Password option but does not support the Simple Password option.
  - iManager Workstation: iManager Workstation runs on a client workstation, either Linux or Windows, and leverages the NMAS client that allows it to use Universal Password, if configured.
- iManager does not use LDAP for the initial iManager authentication process. It utilizes eDirectory's proprietary authentication protocol. However, following initial authentication, iManager can create LDAP connections to eDirectory as needed to support directory access for the installed plug-ins that require LDAP access.
- iManager does not support authenticating with eDirectory's Simple Password.

You might encounter the following error messages when authenticating to iManager. Each error message section discusses possible causes.

- Section 8.1.1, "HTTP 404 Errors"
- Section 8.1.2, "HTTP 500 Errors"
- Section 8.1.3, "601 Error Messages"
- Section 8.1.4, "622 Error Messages"
- Section 8.1.5, "632 Error Messages"
- Section 8.1.6, "634 Error Messages"
- Section 8.1.7, "669 Error Messages"

8.1.1 HTTP 404 Errors

If you receive a 404 error the first time you attempt to access iManager, you need to verify the ports that Apache is running on. Depending on how you installed iManager and whether you chose to use Apache or IIS, the configuration file locations vary. Apache uses either the httpd.conf file or the ssl.conf file. Refer to the Microsoft documentation for information on IIS port settings.

8.1.2 HTTP 500 Errors

If you receive an internal server error or servlet container error (either unavailable or being upgraded), iManager is having one of two problems with Tomcat:

- Tomcat has not fully initialized after a reboot.
- Tomcat has failed to start.

Wait a few minutes and try again to access iManager. If you still receive the same errors, verify the status of Tomcat.

Checking the Status of Tomcat

1 Restart Tomcat.
  For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.
2 Check the Tomcat logs for any errors.
  The log file is located in the $tomcat_home$/logs directory on the UNIX, Linux, and Windows platforms. On UNIX and Linux, the logs are named catalina.out or localhost_log.date.txt. On Windows, the log files are named stderr and stdout.

8.1.3 601 Error Messages

The object name entered could not be found in the context specified.

Some possible causes:

- Contextless login might be disabled.
- Your User object might not be in the configured search containers list.

Either ask your administrator to add your user location to the contextless login search containers or log in with a full context.

8.1.4 622 Error Messages

The NDS password has been disabled in the Universal Password policy. This may also manifest itself with a 222 Error Message.

You can avoid this error with iManager Workstation by installing the client, which allows iManager to utilize the Universal Password authentication mechanism rather than eDirectory's legacy authentication process.

8.1.5 632 Error Messages

This error is a system failure with several possible causes (http://www.novell.com/documentation/nwec/nwec_enu/nwec_ids_t_err_system_failure.html).

8.1.6 634 Error Messages

The target server does not have a copy of what the source server is requesting, or the source server has no objects that match the request and has no referrals on which to search for the object.

Some possible causes:

- You entered an incorrect tree or IP address. If you are using the IP address, make sure you include the port if eDirectory is installed on a nonstandard (524) port.
- iManager cannot locate your tree or IP address before timing out. If the tree name fails, use the IP address.

8.1.7 669 Error Messages

An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server's database was locked, or a problem exists with the remote ID or public key.

Some possible causes:

- You typed an incorrect password.
- There are multiple users with the same username in the tree. Contextless login tries to log in using the first user account it finds with the supplied password. In this case, provide a full context when you log in or limit the search containers that contextless login searches.

8.2 Accessing NCP Server Objects

To improve the performance of the NCP server objects, the Modify Index Location option must be disabled.

To disable the Modify Index Location option:

1 Open the config.xml file from /webapps/nps/WEB-INF/config.xml.
2 Add the following content to the config.xml file.
3 Save the changes and restart Tomcat.
  For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

NOTE: To modify the indexes of the NCP server objects, go to Roles and Tasks > eDirectory Maintenance > Indexes > NCP Server Object > Indexes > Modify Index Location.

8.3 Deleting and Re-creating User Accounts with the Same Name (Windows XP/2000)

If you have deleted one or more Windows user accounts, and then re-created them with the same name, do the following to use iManager Workstation with the re-created account:

1 Log in as a member of the Administrator group.
2 Take ownership of the \system32\novell\nici\username directory.
  The absolute path varies between Windows 2000 and Windows XP.
3 Delete the folder.

When the user next logs in, this folder is automatically recreated using Novell International Cryptographic Infrastructure (NICI) keys of the re-created user account, and the user can then run iManager Workstation.

8.4 DNS 630 Error Message Appears When Creating a Property Book with Invalid Characters in Name

If you create a Property Book and name it using special characters that are invalid, a DNS Error 603 message might be returned. For more information about naming a Property Book, see "Creating a New Property Book" on page 61.

8.5 eDirectory Maintenance Task Errors

Running eDirectory Maintenance Tasks requires that Role-Based Services (RBS) be configured through iManager for the tree that is being administered. For RBS configuration information, see Chapter 4, "Browsing Objects," on page 25.

For additional information, see "The eDirectory Management Toolbox" in the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/lg/edir88/edir88/data/agabn4a.html).

8.6 Enabling Debug Messages for Install and Configure

If installation fails, you must enable some debugging messages to help determine what is wrong.

- Linux: Export LAX_DEBUG=true in the terminal session that you start the iManager InstallAnywhere program from.
- Windows: Hold the Ctrl key down as you start the iManager InstallAnywhere program and continue holding it until the debugging screen appears.

8.7 History Does Not Automatically Sync Across Multiple Simultaneous User Logins

Using two instances of the same browser (such as two Firefox browsers but not Internet Explorer) avoids the problem. The history book is shared by the two instances.

8.8 iManager Doesn't Work after Installing Groupwise 7.0 WebAccess (Windows Server 2000/2003)

On Windows 2000 and 2003 Server with IIS 5 or 6, installing Groupwise 7.0 WebAccess to IIS automatically installs Tomcat 5.5. As the iManager installation begins, the iManager installer program detects that IIS and Tomcat are available for use. The installer reports the inability to stop the iisadmin service. Near the end of the install, the installer reports the inability to start Tomcat. After the install is completed, Groupwise WebAccess still works, but iManager does not (HTTP 404: Page not found).

Workaround: Do not install iManager and Groupwise on the same server.

8.9 Missing Attribute, Object, or Value Errors

If you have a large installation with synchronization delays, you can force iManager to communicate with the master replica. This ensures that you have access to any attributes, objects, or values that have been recently added or modified. This is not recommended for regular use of iManager, but can be helpful when you are experiencing synchronization delays.

To use this parameter when logging in to iManager, add &forceMaster=true to the end of the URL after you have loaded the login page. This setting can also be enabled in TOMCAT_HOME\webapps\nps\WEB-INF\config.xml.

For example: https://127.0.0.1/nps/servlet/webacc?taskId=fw.Startup&forceMaster=true

You must restart Tomcat after making any changes to the config.xml file. For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

8.10 Missing Roles or Tasks in the Configure View

If the following Roles or Tasks are not present on the Configure view, you need to verify that you are an authorized user. For more information, see "Authorized Users and Groups" on page 72.

8.10.1 Possible Missing Roles or Tasks

- Configure iManager task
- Object Creation List role
- Plug-in Installation role
- E-mail Notification role
- View role

8.10.2 Possible Reasons Why You Are Not an Authorized User

- You renamed your tree.
  Edit the configiman.properties file and change the tree name for each user.
- Information entered during the iManager installation for the authorized user was incorrect.
  Edit the configiman.properties file and add the correct username including the tree name.
- The configiman.properties file is corrupted for some unknown reason.
  Delete the configiman.properties file and either re-create the file with the correct information or log in to iManager and go to Configure view > iManager Server > Configure iManager. On the Security page, add the Authorized Users for the system by browsing the tree, or if you are sure of the full path to the user, you can manually enter it.
- The permissions on the configiman.properties file have been changed to prevent iManager from reading the file.
  Change the permissions on the file to match the files in the same directory.
- Your administrator has not added you as an authorized user.
  Request to be added to the Authorized Users list. For more information, see "Authorized Users and Groups" on page 72.
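
The permissions check in the list above ("match the files in the same directory") can be scripted on Linux. The following is an added example, not part of the Novell guide or of iManager: it compares the mode, owner, and group of one file with the most common values among its sibling files. The directory contents built by make_sample_dir are constructed for the demonstration; pass the real path of configiman.properties to check an installation.

```shell
#!/bin/sh
# Added example: does a file's mode/owner/group match its sibling files?

# perm_signature FILE -> "<mode string> <uid> <gid>", e.g. "-rw-r--r-- 0 0"
perm_signature() {
    # ls -ldn prints numeric owner and group. Keep only the 10 mode
    # characters so a trailing ACL/SELinux marker does not cause a mismatch.
    ls -ldn -- "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# sibling_signature FILE -> most common signature among the other regular
# files in the same directory (empty output if there are none).
sibling_signature() {
    target=$1
    dir=$(dirname -- "$target")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                      # regular files only
        [ -L "$f" ] && continue                      # ignore symlinks
        [ "$(basename -- "$f")" = "$(basename -- "$target")" ] && continue
        perm_signature "$f"
    done | sort | uniq -c | sort -rn | head -n 1 | sed 's/^ *[0-9][0-9]* //'
}

# check_against_siblings FILE
# Returns 0 if FILE matches its siblings, 1 if it differs, 2 if there is
# nothing to compare with. Prints a one-line finding in every case.
check_against_siblings() {
    have=$(perm_signature "$1")
    want=$(sibling_signature "$1")
    if [ -z "$want" ]; then
        echo "NO-BASELINE $1"
        return 2
    fi
    if [ "$have" = "$want" ]; then
        echo "OK $1 ($have)"
        return 0
    fi
    echo "MISMATCH $1 has ($have), siblings have ($want)"
    return 1
}

# Constructed sample: three sibling files with mode 644 and a
# configiman.properties that was tightened to 600.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in config.xml web.xml logging.properties; do
        : > "$d/$n"
        chmod 644 "$d/$n"
    done
    : > "$d/configiman.properties"
    chmod 600 "$d/configiman.properties"
    echo "$d"
}

demo_dir=$(make_sample_dir)
check_against_siblings "$demo_dir/configiman.properties" || true
rm -rf "$demo_dir"
```

A MISMATCH line shows both signatures, so the file can be set back to what its siblings use rather than to a broader mode.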

8.11 Performing a System Restore from Image Software

If you perform a system restore from image software such as Ghost, the sys:\tomcat5\conf\NPS-APACHE.CONF file could become truncated in the process. If this file is truncated to NPS-APACHE~1.CON or some other corrupt filename, rename the file and then stop and restart Tomcat. For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.

8.12 Running eDirectory and iManager on the Same Machine (Windows only)

If iManager was installed before eDirectory, you might experience any of the following errors when using iManager, LDAP(S), or HTTP(S) to access eDirectory.

    -340 error when trying to access encrypted attributes with iManager
    LDAP: SSL_CTX_use_KMO failed. Error stack: error:1412D0D4:SSL routines:SSL_CTX_use_KMO:read wrong packet type (err=-1418)
    HTTP: 0016 TLS operation failed, err: 1, result: -1
    --HTTP:-- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    HTTP: 0017 TLS operation failed, err: 1, result: -1
    --HTTP:-- error:1406B0BD:SSL routines:GET_CLIENT_MASTER_KEY:no private key
    HTTP: Unable to access server certificate and key, handshakes will fail
    --HTTP:-- error:1412D0D4:SSL routines:SSL_CTX_use_KMO:read wrong packet type
    Limber: Error while setting NCP Key Material Name SSL CertificateDNS to server, Err: failed, -340 (0xfffffeac)...
    Limber: Error During syncKeyMaterialInfo -340 (0xfffffeac)

It could be that eDirectory's initial system configuration has not occurred. The user who installed eDirectory and the user who is running the eDirectory server must coordinate the eDirectory configuration. Generally, eDirectory is installed as administrator and is run as SYSTEM.

You can manually correct this issue, but an understanding of eDirectory, iManager, NICI, and other currently installed products is necessary. You must determine if the following steps are safe to perform. You should also check the product's documentation and dependencies to see if any long-term encrypted data or secrets are used.

If eDirectory and iManager are installed on the same physical machine, you can manually configure eDirectory after eDirectory installation.

NOTE: You should not do this if eDirectory was installed at a previous time and has been successfully running on the current machine.

1 Log in as an administrator.
2 Stop the eDirectory server and the Tomcat service. Also stop any other service that may be using NICI.
3 Take ownership of the %systemroot%\system32\novell\NICI\SYSTEM directory.
  Do this from the file properties' Security > Advanced Options.
4 Save the contents of the SYSTEM directory in a backup directory.
5 Delete the contents of the SYSTEM directory.
6 Copy the contents of %systemroot%\system32\novell\NICI\Administrator to %systemroot%\system32\novell\NICI\SYSTEM.
7 You can reset the permissions of %systemroot%\system32\novell\NICI\SYSTEM and its contents so that only SYSTEM has access.
8 Restart the NDS Server and Tomcat services and any other service you may have stopped.

8.13 "Service Unavailable" Message Appears During Multiple Plug-In Installs

This situation occurs when you select several plug-ins to install, all at the same time. While the plug-in installation continues over several minutes, the browser page times out and returns a 503 Error. Although you probably don't need to do anything but wait, you can monitor plug-in installations through the Tomcat log files.

8.14 Tomcat

The following general Tomcat information can be useful in your troubleshooting efforts.

8.14.1 Starting and Stopping Tomcat

The following tables describe how to start and stop Tomcat on the platforms supported by iManager 2.7.6.

Table 8-1 Stopping and Starting Tomcat

    Platform              Restart Command
    Linux                 Enter /etc/init.d/novell-tomcat7 stop, then enter /etc/init.d/novell-tomcat7 start.
    iManager Workstation  Shut down and restart iManager Workstation.
    Windows               Stop and start the Tomcat service.

8.14.2 Tomcat Ports

If you experience port conflicts while upgrading to iManager 2.7.6, or need to know the ports that Tomcat is using, consult the platform-specific information in this section.

Linux

View Tomcat ports in the /var/opt/novell/tomcat7/conf/server.xml file. The non-SSL port section of the file begins with Define a non-SSL Coyote HTTP/1.1 Connector on port n, while the SSL port section begins with Define an SSL Coyote HTTP/1.1 Connector on port n.

Windows

Windows allows for relocation of all files. If you accept the defaults in the iManager installation, look for Tomcat configuration files in the rootdir\novell\tomcat7\conf\server.xml file. If you can't find a configuration file, search the Windows registry for the Tomcat settings.
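
Reading server.xml by eye makes it easy to count a connector that is commented out, or to miss whether a port is the SSL one. The following added example (not part of the Novell guide or of iManager) lists each active Connector with its port, whether it is an SSL connector, and its protocol. The sample file and its port numbers are constructed; on Linux, pass the server.xml path given in this section.

```shell
#!/bin/sh
# Added example: list the active <Connector> elements of a Tomcat server.xml.
# Output: one line per connector, "<port> <ssl|plain> <protocol>".

list_tomcat_connectors() {
    awk '
    BEGIN { RS = ">" }                 # one record per XML tag
    # attr(tag, name): value of name="..." inside the tag, or "" if absent
    function attr(tag, name,    re, s) {
        re = "[ \t\r\n]" name "[ \t\r\n]*=[ \t\r\n]*\"[^\"]*\""
        if (!match(tag, re)) return ""
        s = substr(tag, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    {
        rec = $0
        if (incomment) {               # inside a multi-tag <!-- ... --> block
            if (rec ~ /--$/) incomment = 0
            next
        }
        i = index(rec, "<!--")
        if (i > 0) {                   # comment opens here; does it also close?
            if (substr(rec, i + 4) !~ /--$/) incomment = 1
            rec = substr(rec, 1, i - 1)
        }
        if (rec !~ /<Connector[ \t\r\n]/) next
        port  = attr(rec, "port")
        proto = attr(rec, "protocol")
        if (proto == "") proto = "HTTP/1.1"     # Tomcat default protocol
        ssl = (tolower(attr(rec, "SSLEnabled")) == "true" || tolower(attr(rec, "scheme")) == "https")
        printf "%s %s %s\n", port, (ssl ? "ssl" : "plain"), proto
    }' "$1"
}

# Constructed sample: one plain connector, one SSL connector, and one
# connector that is commented out and must not be reported.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
    <!--
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>
EOF
}

sample=$(mktemp)
write_sample_server_xml "$sample"
list_tomcat_connectors "$sample"
rm -f "$sample"
```

A port reported as plain serves the iManager login page without TLS unless something in front of Tomcat terminates SSL.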

8.15 "Unable to Determine Universal Password Status" Error

If a UNIX eDirectory server is configured to use SSL for LDAP communications, you might receive the following error when you select the option in iManager to set a Simple Password:

    Unable to determine universal password status

To resolve this error, run the /usr/bin/nmasinst/nmasinst utility on the eDirectory server. This utility lets you install login methods into eDirectory from a UNIX machine and is required to run the Universal Password feature.

For more information, see the Novell Modular Authentication Services 3.3 Administration Guide (http://www.novell.com/documentation/nmas33/admin/data/a20gkue.html).

8.16 iManager Workstation Does Not Display Information

iManager Workstation might not display error messages, or load pages such as Tree View, Object Browse, Create Objects, and the page after clicking the Refresh button. This happens when the XULRunner browser cache contains old data of the previous build of iManager 2.7 workstation.

Workaround: You must manually clear the data from the browser cache.

For Windows:

1 Exit iManager.
2 Browse for C:\Users\\AppData\\Mozilla\eclipse\Cache (the path varies depending on the configuration and OS).
3 Delete all the data from the Cache directory.
4 Restart iManager.

For Linux:

1 Exit iManager.
2 Browse for one of the following:
  /root/.mozilla/eclipse/Cache (for root user)
  /$HOME/.mozilla/eclipse/Cache (for non-root user)
3 Delete all the data from the Cache directory.
4 Restart iManager.

8.17 Sometimes Refresh Button Does Not Function

Sometimes the Refresh button in various pages does not function when you click it.

Workaround:

1 Log out from iManager.
2 Clear the browser's cache.
  For Internet Explorer,
  1. Click Tools > Internet Options. The Internet Options dialog box is displayed.
  2. Under the General tab, under Browsing history, click Delete.
  For Firefox,
  1. Click Tools > Clear Private Data... The Clear Private Data dialog box is displayed.
  2. Select Cache and click Clear Private Data Now.
3 Log in to iManager.

8.18 iManager Plug-in Installation Hangs or Plug-ins Are Not Properly Installed

When you install iManager plug-ins, sometimes either the installation hangs or the plug-ins are not properly installed.

Workaround

For iManager Standalone:

1 Log out from iManager.
2 Clear the browser's cache.
  For Internet Explorer, do the following:
  1. Click Tools > Internet Options. The Internet Options dialog box is displayed.
  2. Under the General tab, under Browsing history, click Delete.
  For Firefox, do the following:
  1. Click Tools > Clear Private Data... The Clear Private Data dialog box is displayed.
  2. Select Cache and click Clear Private Data Now.
3 Log in to iManager.
4 Re-install the plug-ins.

For iManager workstation:

For Windows:

1. Exit iManager.
2. Browse for C:\Users\\AppData\\Mozilla\eclipse\Cache (the path varies depending on the configuration and OS).
3. Delete all the data from the Cache directory.
4. Restart iManager.

For Linux:

1. Exit iManager.
2. Browse for one of the following:
   /root/.mozilla/eclipse/Cache (for root user)
   /$HOME/.mozilla/eclipse/Cache (for non-root user)
3. Delete all the data from the Cache directory.
4. Restart iManager.

8.19 Login Issue with Tree IP Address Change

Consider the following scenario:

1 Your IP address is, you have configured eDirectory on it, and your tree name is.
2 You have a login cache that maps to.
3 Because of network movement, you have got a new IP address, configured eDirectory on it, and the tree name remains same ().
4 Another user has taken your previous IP address, and configured a new eDirectory tree.

Now, if you log in to iManager with tree name, you would log in to because maps to, but is currently configured with.

Workaround:

For Windows,

1. Go to ...\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\.
2. Open config.xml file.
3. In the file, search for the Cached-Tree setting and delete your TreeName value from the setting.
4. Delete the setting that starts with your tree name.

For Linux,

1. Go to /var/opt/novell/iManager/nps/WEB-INF.
2. Open config.xml file.
3. In the file, search for the Cached-Tree setting and delete your TreeName value from the setting.
4. Delete the setting that starts with your tree name.

8.20 Insufficient Java Heap Size Results in Failed Login

To increase the heap size on a Linux server running Tomcat, stop Tomcat and open a terminal window. In the terminal, run the following command, then restart Tomcat:

    export CATALINA_OPTS="-Xms128m -Xmx1024m"

To increase the heap size on a Windows server running Tomcat, stop the Tomcat service, create a new environment variable called JAVA_OPTS, and set the value of the variable to -Xms128m -Xmx1024m, then restart the Tomcat service.

For information about stopping and starting Tomcat, see "Starting and Stopping Tomcat" on page 94.

8.21 Java Error Messages are Displayed After Closing the Browser of iManager Workstation

After logging out of iManager, when you close the browser, the following Java error message is displayed.

    #
    # An unexpected error has been detected by Java Runtime Environment:
    #
    # SIGSEGV (0xb) at pc=0x8e4c6944, pid=4106, tid=3085011872
    #
    # Java VM: Java HotSpot(TM) Server VM (11.3-b02 mixed mode linux-x86)
    # Problematic frame:
    # C [libmozjs.so+0x2944] strftime+0x2944

Workaround: Ignore the error message and the hs_err_pid####.log files because they don't affect the iManager workstation.

8.22 iManager and LDAP Use Different Date Ranges

If you create an attribute in iManager using the Time syntax, populate the attribute value, and then search for that value using LDAP, LDAP returns a value different from the value populated by iManager.

iManager and LDAP both natively store date values using the first 31 bits of a 32-bit unsigned integer. However, the two applications interpret the most significant bit (MSB) in the integer differently, with iManager using the MSB to store dates earlier than 1970 and LDAP using the MSB to store dates later than 2038. Therefore, the date range used by iManager is 1903-2038, while the date range used by LDAP is 1970-2106.
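
The effect of the two MSB interpretations can be reproduced with integer arithmetic alone. The following added example (not part of the Novell guide or of either product) reads one stored 32-bit value both ways and prints the resulting UTC dates. It assumes the pre-1970 reading is ordinary two's-complement and that values count seconds from 1970; the sample values are constructed.

```shell
#!/bin/sh
# Added example: one stored 32-bit time value, read as signed and as unsigned.

# as_unsigned32 N -> the low 32 bits read as an unsigned count of seconds
as_unsigned32() {
    printf '%s\n' "$(( $1 & 4294967295 ))"
}

# as_signed32 N -> the same 32 bits read as signed (assumed two's-complement)
as_signed32() {
    v=$(( $1 & 4294967295 ))
    # Bit 31 is the most significant bit; when set, the value is negative.
    if [ "$(( v >> 31 ))" -eq 1 ]; then
        v=$(( v - 4294967296 ))
    fi
    printf '%s\n' "$v"
}

# epoch_to_utc_date SECONDS -> YYYY-MM-DD in UTC; negative values allowed.
epoch_to_utc_date() {
    secs=$1
    # Floor division, so that times before 1970 land on the correct day.
    rem=$(( ((secs % 86400) + 86400) % 86400 ))
    days=$(( (secs - rem) / 86400 ))
    # Days-to-civil conversion (Gregorian calendar, year counted from March).
    z=$(( days + 719468 ))         # positive for every 32-bit time value
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# compare_readings N -> "N signed=<date> unsigned=<date> same|DIFFERENT"
compare_readings() {
    s=$(epoch_to_utc_date "$(as_signed32 "$1")")
    u=$(epoch_to_utc_date "$(as_unsigned32 "$1")")
    if [ "$s" = "$u" ]; then verdict=same; else verdict=DIFFERENT; fi
    printf '%s signed=%s unsigned=%s %s\n' "$1" "$s" "$u" "$verdict"
}

# Constructed values: the first has the MSB clear, the second has it set.
for raw in 1000000000 4026531840; do
    compare_readings "$raw"
done
```

Values with the MSB clear read the same either way, so only dates outside the shared 1970-2038 window come back different when written through one interface and read through the other.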

8.23 iManager Installation Fails on SLES 9 and Red Hat 4 Platforms

When you try to launch iManager on platforms such as SLES 9 and Redhat 4, the installer throws the following exception. These platforms do not support Java 1.7 version. It is recommended not to install iManager on these platforms.

    Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)

    Stack Trace:
    java.lang.NoClassDefFoundError: while resolving class: ZeroGe
       at java.lang.VMClassLoader.resolveClass(java.lang.Class) (/usr/lib/libgcj.so.5.0.0)
       at java.lang.Class.initializeClass() (/usr/lib/libgcj.so.5.0.0)
       at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
       at ZeroGd.() (Unknown Source)
    Caused by: java.lang.ClassNotFoundException: com.apple.mrj.MRJOSType not found in [file:/tmp/install.dir.4728/InstallerData/, file:/tmp/install.dir.4728/InstallerData/installer.zip, file:/usr/share/java/libgcj-3.4.3.jar, file:./, core:/]
       at java.net.URLClassLoader.findClass(java.lang.String) (/usr/lib/libgcj.so.5.0.0)
       at gnu.gcj.runtime.VMClassLoader.findClass(java.lang.String) (/usr/lib/libgcj.so.5.0.0)

9 Auditing iManager Events

Use Novell Audit for auditing iManager events. For more information, see the Novell Audit 2.0 Administration Guide (http://www.novell.com/documentation/novellaudit20/index.html).

Novell Audit has the following prerequisites:

- A server (Solaris, Windows, Linux) in your directory tree with Novell Audit 2.0.x.
- Novell Audit Platform Agent installed on the iManager server or iManager Workstation desktop and configured to point to the Secure Logging Server.

Novell Audit captures data about the following events:

- Added Authorized User
- Successful Login
- Successful NPM Install
- Startup iManager
- Failed SSL Connection
- Logout
- Changed Configuration
- Successful NPM Upload
- Failed Login
- Failed NPM Install
- Shutdown iManager

The IMAN_EN.LSC file which contains this data is distributed under nps/support/audit and is installed via the Novell Audit process. It can also be installed manually by using the Novell Audit iManager plug-in as described in the following section.

9.1 Installing the IMAN_EN.LSC File in iManager

Install Novell Audit before you install the IMAN_EN.LSC file.

1 Log in to iManager.
2 Click Roles and Tasks > Auditing and Logging > Logging Server Options.
3 Browse to and select the Logging Server object, then click OK.
4 Click Log Applications > Applications.
5 Click the Applications Actions link, then click New.
6 Click OK to create a new Log Application in the container.
7 Specify a Log Application name.
8 To import the IMAN_EN.LSC file, click Browse and select the file found in the TOMCAT_HOME\webapps\nps\support\audit directory, then click OK.
  The new log application should now appear under the Applications container.

9.2 Enabling Audit in iManager

1 Log in to iManager.
2 Click Configure > iManager Server > Configure iManager.
  The Configure iManager page is displayed.
3 Click the Security tab, select Enable Novell Audit, select the events you want to record, then click Save.

9.3 Configuring Audit for iManager Instrumentation

1 If you have not installed naudit.npm, follow from Step 2. Otherwise, go to Step 7.
2 Log in to iManager.
3 Click Configure > Plug-in Installation > Available Novell Plug-in Modules.
4 Click Add.
5 Select naudit.npm from the local directory and click Install.
6 Restart Tomcat.
7 Import the Nsure Audit formatting file that allows the audit server to format logging events.
  7a Locate the IMAN_EN.lsc file from one of the following locations where iManager server is installed.
     Sys:\tomcat\5.0\webapps\nps\support\audit (for Windows)
     /var/opt/novell/tomcat5/webapps/nps/support/audit (for Linux)
  7b Copy this file to a temporary location on the local machine.
8 In iManager, click Roles and Tasks > Auditing and Logging > Logging Server Options.
9 Browse for the Logging Server object and click OK.
  The Logging Server Options: page is displayed.
10 Click the Log Applications tab.
11 Select Container Name, then under Application Actions Menu, click New.
  The New Log Application dialog box is displayed.
12 Specify a name for the Log Application Name (for example, iManagerInst).
13 Browse for the IMAN_EN.lsc file on the local machine or from the server location (see Step 7.1), then click OK to save the new Log Application object.
14 In the Logging Server Options: page, under Applications, click the Log Application Name (which you have specified in Step 12) link.
  The Modify Object: page is displayed.
15 Click Configure > Events.
16 Select iManager Events from the Not grouped list, click Apply, then click OK.
17 Restart/Reload the Audit Secure Logging Server for the changes to take effect.
18 Click Configure > iManager Server > Configure iManager.
  The Configure iManager page is displayed.
19 Select Enable Novell Audit to log any events that you select.

9.4 Configuring Audit for iManager Instrumentation with Third-Party Certificates

1 Make sure you have created a Logging Application for iManager Instrumentation in the Audit Server.
  If you have not created a Logging Application, perform from Step 8 to Step 17 in Section 9.3, "Configuring Audit for iManager Instrumentation," on page 102 to create it.
2 Type the following command to create a Logging Application Certificate for iManager Instrumentation in the Audit Server:

    audcgen -app:iManagerInst -cert:c:\cacert.pem -pkey:c:\capkey.pem -f -bits:2048 -serial:12345 -appcert:c:\imanicert.pem -apppkey:c:\imanipkey.pem

3 Copy the generated certificate files (imanicert.pem and imanipkey.pem) to the respective folders of iManager server.
  For Windows:
    c:\windows\imanicert.pem
    c:\windows\imanipkey.pem
  For Linux:
    /etc/imanicert.pem
    /etc/imanipkey.pem
4 Restart Tomcat.

10 Best Practices and Common Questions

This section contains recommendations about the following topics from some of our experts. If you find something that works well for you, please share it at Cool Solutions (http://www.novell.com/coolsolutions).

- Section 10.1, "Backup and Restore Options"
- Section 10.2, "Coexistence with previous versions of iManager 2.x and Role-Based Services"
- Section 10.3, "Collections"
- Section 10.4, "Failed Installs"
- Section 10.5, "High Availability: Running iManager in a Clustered Environment"
- Section 10.6, "Patching iManager"
- Section 10.7, "Performance Tuning"
- Section 10.8, "iManager AppArmor Profile"
- Section 10.9, "Allocating Additional Tomcat Memory in Windows"

10.1 Backup and Restore Options

There is no automatic backup and restore feature included with iManager. iManager is composed of two parts: the local files on the server and the Role-Based Services objects in eDirectory.

To make a full backup of iManager, make sure you have a valid backup of the RBS collection and all subordinate objects in the tree, either through replica redundancy or with an eDirectory backup solution.

All local iManager files on the file system are stored in the Tomcat directory. As long as you have a backup of the Tomcat directory, all iManager content is preserved. If the Tomcat directory is somehow compromised on the server, shutting down Tomcat and recopying the directory allows you to recover iManager.

If you are not using RBS, backing up the Tomcat directory is all that is needed.

10.2 Coexistence with previous versions of iManager 2.x and Role-Based Services

You should update your RBS collection to version 2.7. Otherwise, if you use iManager to access a tree that has an RBS collection from a previous version of iManager 2.x, you won't see all of the roles and tasks that should display.

1 In the Configure view, click Role Based Services > RBS Configuration.
2 Click the link in the Out-of-Date column for a module that needs updating.
3 On the Out-Of-Date Modules page, select a module, then click Update.
  A message appears that confirms a successful update. Updated plug-ins are visible in all versions of iManager 2.x.

10.3 Collections

It is important to recognize that one configuration is not ideal for all companies. We recommend multiple collections in a tree only if you use a hierarchical structure using geographical or functional organizations with different administrators in each location.

Following are the most common situations together with suggestions for managing their respective collections:

- A hierarchical tree organized to reflect a geographical organization
  Create a collection in every geographical location and have one or more iManager servers per location. Login time is faster and tree navigation is simplified. Each geographical administrator manages the collection of a specified location.
- A hierarchical tree that reflects the company's organizational structure
  Create one collection at the same level as the organization and have one or more iManager servers as company size requires. You manage only one collection.
- A flat tree in which all objects are in a unique container
  Create one collection as a sibling of the unique container and have one or more iManager servers as company size requires. You manage only one collection.

10.4 Failed Installs

To avoid failed installs, make sure that your operating system is updated to the most current version and that all system requirements are met. For more information, see "Prerequisites" in the Novell iManager 2.7.6 Installation Guide.

To recover from a failed install, assess the problem from the error message generated during installation.

- Section 10.4.1, "Windows"
- Section 10.4.2, "Linux"

10.4.1 Windows

1 If the error involves one of these components, check the specified log files for errors:
  NICI: installed directory\temp\wcniciu0.log
  Tomcat: tomcat install directory\Apache_Tomcat_InstallLog.log. For example, C:\Program Files\Novell\Tomcat\Apache_Tomcat_InstallLog.log.
2 Check the iManager install log file (servlet root\WEB_INF\log\iManager_Install_2.7_InstallLog.log) for any errors.
3 If the log file does not give sufficient information to identify the problem, rerun the install in debug mode.
  To view or capture the debug output from an installer, open and copy the console output to a text file for later review.
  3a Immediately after launching the installer, hold down the Ctrl key until a console window appears.
  3b After the install has completed, click the icon in the upper left corner of the console window and select Properties > Layout.
  3c Change the buffer size to 3000, then click OK.
  3d In the Layout window, select Edit > Select All > Edit > Copy.
  3e Open a text editor and paste the output of the debug in it.
4 Identify and correct any errors or stack traces, then rerun the install.

10.4.2 Linux

1 Check the iManager install log file (/var/log/Novell/iManager_Install_2.7_InstallLog.log) for any errors.
2 If the log file does not give sufficient information to identify the problem, rerun the install in debug mode.
  At the command line, type the following:

    export LAX_DEBUG=true

3 Identify and correct any errors or stack traces, then rerun the install.

10.5 High Availability: Running iManager in a Clustered Environment

Although iManager is a session-based tool that ships without any failover features, you can run it in a clustered environment. For more information about clustering, see the OES Clustering documentation (http://www.novell.com/documentation/oes/cluster-services.html#cluster-services).

1 Install and configure iManager on the nodes in the cluster where the virtual IP is moved to (that is, an Active/Active cluster).
  If the node running iManager fails, Novell Cluster Services detects the node failure and moves (reloads) the virtual IP address on another node in the cluster.
2 Using the Generic_IP_Service template that ships with Novell Cluster Services, create a new cluster resource called iManager.
  This cluster resource uses a virtual IP address that moves between nodes in the cluster. When creating a new cluster resource, the wizard steps you through the creation of a load script and an unload script.
3 Verify the load and unload scripts.
  The load script should contain only the following lines (any other lines should be commented out):

    . /opt/novell/ncs/lib/ncsfuncs
    exit_on_error add_secondary_ipaddress xxx.xxx.xxx.xxx
    exit 0

  The unload script should contain only the following lines (any other lines should be commented out):

    . /opt/novell/ncs/lib/ncsfuncs
    ignore_error del_secondary_ipaddress xxx.xxx.xxx.xxx
    exit 0

4 Browse to the iManager URL.

iManager services are now highly available. However, any live sessions are not failed over. If a service fails in the middle of user operations, users must reauthenticate and restart whatever operations were interrupted.

Because iManager and Tomcat are already running (Active/Active) on the other nodes, there is no load time for these applications if Novell Cluster Services has to migrate (move) the virtual IP to another node. There is little benefit in using an Active/Passive cluster because it requires much more configuration and makes you wait the entire load time for each failover.

If you really want iManager configured as an Active/Passive clustered resource, you must create a cluster resource that loads and unloads iManager and its dependencies (such as Tomcat). This identical configuration of iManager then needs to be done on all nodes where you want iManager highly available.
10.6 Patching iManager

Patching a server is as easy as installing a module. Any updates for iManager are packaged into a plug-in package (NPM) file. This file is installed like any other plug-in.

1 In the Configure view, select Plug-in Module Installation.
2 Select Available Novell Plug-in Modules.
3 Select the patch from the download list or click Add.
4 Browse to the location of the patch file, then click OK.
5 Select the patch from the list, then click Install.
  The server is patched with the latest code.
6 Restart Tomcat when the install is finished.
10.7 Performance Tuning

The following are tips for enhancing speed and efficiency.

10.7.1 Using Dynamic Groups with RBS

Disable Dynamic Group support for RBS if you are not using this feature. By default, Dynamic Group support is enabled and, when used, significantly taxes resources because of the extensive searches it conducts.

1 In the Configure view, click iManager Server > Configure iManager.
2 Select the RBS tab, then deselect Enable Dynamic Groups.

10.7.2 Role Assignments

If you have assigned more than five users to a role within the same scope, consider using Group objects to reduce the number of role assignments and make RBS administration more efficient. By doing so, you have fewer objects to update and you can manage the Group object by adding and removing members.

Also, consider using Dynamic Group objects. You can set up User objects to match a Dynamic Group search criteria.
10.8 iManager AppArmor Profile

Novell Open Enterprise Server 2—Linux includes an AppArmor profile for iManager 2.7. The profile name is etc.opt.novell.tomcat5.init.d.tomcat5 and is installed at /etc/apparmor/profiles/extras/iManager.

The iManager AppArmor profile is not enabled by default. To enable it, copy the profile into the /etc/apparmor.d folder.

For more information about AppArmor and AppArmor profiles, see the Novell AppArmor documentation (http://www.novell.com/documentation/apparmor/).
10.9 Allocating Additional Tomcat Memory in Windows

1 Go to the Tomcat/bin folder (for example, c:\Program Files\Novell\Tomcat\bin).
2 Right-click the tomcat7w.exe file.
3 Open the Tomcat7 Properties window.
4 Click the Java tab.
5 Specify the Initial & Maximum memory pool sizes.
  IMPORTANT: Ensure that the Initial & Maximum memory pool sizes that you specify are less than your physical RAM's size; otherwise it may cause more performance issues.
6 Click Apply, then click OK.
7 Restart the Tomcat service.

TIP: To verify the new settings, go to the URL of the Tomcat server and click Server Status.
A iManager Security Issues

This section provides information about potential security issues related to iManager, and includes information about the following topics:

Section A.1, "Secure LDAP Certificates"
Section A.2, "Self-Signed Certificates"
Section A.3, "iManager Authorized Users and Groups"
Section A.4, "Preventing User Name Discovery"
Section A.5, "Tomcat Settings"
Section A.6, "Encrypted Attributes"
Section A.7, "Secure Connections"

A.1 Secure LDAP Certificates

iManager can create secure LDAP connections behind the scenes without any user intervention. If the LDAP server's SSL certificate is updated for any reason (for example, new Organizational CA), iManager should automatically retrieve the new certificate using the authenticated connection and import it into its own keystore database. If this does not happen correctly, you must delete the private key store that iManager uses, in order to force iManager and Tomcat to re-create the database and reacquire the certificate:

1 Shut down Tomcat.
2 Delete the TOMCAT_HOME\webapps\nps\WEB-INF\iMKS file.
3 Restart Tomcat.
  For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.
4 Open iManager in a browser and log back in to the tree, to automatically reacquire the new certificate and re-create the database store.

Alternately, you can also manually import the required certificate into Tomcat's JVM default keystore using the keytool certificate management utility available in the JDK. When creating secure SSL connections, iManager first tries the JVM default keystore, then uses the iManager specific keystore database.

After you have an eDirectory certificate saved in DER format, you must import the trusted root certificate into the iManager keystore. To do this, you need a JDK to use keytool. If a JRE was installed with iManager, you must download a JDK to use the keytool.

NOTE: For information about creating a .der certificate file, see "Exporting a Trusted Root or Public Key Certificate" (http://www.novell.com/documentation/crt33/crtadmin/data/a2ebopb.html#a2ebopd) in the Novell Certificate Server Administration Guide. You will want to export the trusted root certificate.

1 Open a command window.
2 Change to the \bin directory where you have installed the JDK.
  For example, on a Windows system, you would enter the following command:
    cd j2sdk1.5.0_11\bin
3 Import the certificate into the keystore with the keytool, executing the following keytool commands (platform specific):
  Linux
    keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts
  Windows
    keytool -import -alias [alias_name] -file [full_path]\trustedrootcert.der -keystore [full_path]\jre\lib\security\cacerts
  Replace alias_name with a unique name for this certificate and make sure you include the full path to trustedrootcert.der and cacerts.
  The last path in the command specifies the keystore location. This varies from system to system because it is based on where iManager is installed. The following are the examples of default locations for iManager on Windows and Linux:
    On Windows: C:\Program Files\Novell\jre\lib\security\cacerts
    On Linux: //jre/lib/security/cacerts
4 Enter changeit for the keystore password.
5 Click Yes to trust this certificate.

NOTE: This process must be repeated for each eDirectory tree you will be accessing with iManager.

If LDAP has been configured to use a certificate not signed by the tree's Organizational CA, you must import that certificate's Trusted Root. This is necessary, for example, if LDAP is configured to use a VeriSign*-signed certificate.
A.2 Self-Signed Certificates

iManager includes a temporary, self-signed certificate that you use when installing iManager on a Linux or Windows platform. It has an expiration date of one year.

For more information, see "Self-Signed Certificates" in the Novell iManager 2.7.6 Installation Guide.
A.3 iManager Authorized Users and Groups

Authorized Users and Groups are those that iManager permits to perform its various administrative tasks. For more information about specifying and configuring Authorized Users and Groups, see "Authorized Users and Groups" on page 72.

Authorized Users and Groups data is stored in the configiman.properties file, which must be secured to prevent unauthorized modification. To do this, modify the access controls for configiman.properties to restrict those users authorized to manually edit the file.

NOTE: Not specifying an Authorized User or Group, which prevents the configiman.properties file from being created, or specifying an Authorized User or Group of AllUsers, allows any user to install iManager plug-ins and modify iManager server settings. This is a security risk for server-based iManager environments.
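The following added example (not part of the Novell guide or of iManager) audits a configiman.properties file on a Linux server for the conditions described above: a missing file, loose write permissions, and an AllUsers entry. The file location passed in, the `allowed_uids` parameter, the Java .properties syntax, and the sample key name are assumptions.

```python
import os
import stat

def audit_authz_file(path, allowed_uids=(0,)):
    """Return a list of findings for the Authorized Users and Groups file."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Guide's NOTE: without this file any user can install plug-ins
        # and modify iManager server settings.
        return ["missing: no Authorized User or Group is configured"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    if st.st_uid not in allowed_uids:
        findings.append("file is owned by unexpected uid %d" % st.st_uid)
    # A writable parent directory lets another account swap the file out.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory lets non-owners replace the file")
    # Assumption: Java .properties syntax (key=value, '#' or '!' comments).
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue
            value = line.split("=", 1)[1]
            if "allusers" in value.replace(" ", "").lower():
                findings.append("AllUsers is authorized: any user can administer")
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        demo = os.path.join(d, "configiman.properties")
        with open(demo, "w") as fh:
            fh.write("Example.Key=AllUsers\n")  # constructed content, hypothetical key
        os.chmod(demo, 0o666)
        for finding in audit_authz_file(demo, allowed_uids=(os.getuid(),)):
            print(finding)
```

Pass the uid of the account that runs Tomcat or of the administrator who owns the file in `allowed_uids`; on Windows, review the file's ACL instead, because these mode bits do not apply.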
A.4 Preventing User Name Discovery

In some installations, the eDirectory server is protected behind a firewall, but the iManager server is open to the outside world to allow management from home or on the road. Access to iManager is controlled with Username, Password, and Tree name fields on the login screen. In such installations, it is often desirable to tighten security to avoid revealing any information about the system.

Standard iManager configurations pass through eDirectory messages related to invalid usernames and passwords during iManager authentication. These messages can inadvertently provide too much information to potential crackers. To avoid this, iManager 2.7 includes a configuration option to hide the specific reason for login failure. When enabled, the following error messages are replaced with a generic error message that reads: Login Failure. Invalid Username or Password.

  Invalid Username (-601)
  Incorrect password (-669)
  Expired password or disabled account (-220)

To enable this setting, open the Configure view and select iManager Server > Configure iManager. On the Authentication tab, select Hide specific reason for login failure. This sets Authenticate.Form.HideLoginFailReason=true in iManager's config.xml file.

Additionally, iManager 2.7 does not support the asterisk (*) character as a wildcard in the Username field. This prevents unauthorized users from discovering valid usernames. It also prevents possible denial-of-service attacks that attempt to overload the eDirectory server by continually attempting a login using only the wildcard (*), which forces eDirectory to search for and return all matching usernames.
A.5 Tomcat Settings

Because iManager makes use of the Tomcat Servlet Container, iManager administrators should be aware of the encryption-related configuration options of those resources as part of their overall security strategy. Of particular interest are cipher suites and trusted certificates, which directly impact the quality of your wire-level encryption.

Consider the following rules when configuring your Tomcat environment:

- Do not use SSL 2.0 cipher suites, which are outdated and not guaranteed to be secure.
- Do not use the NULL cipher suite in a production environment.
- Do not use any cipher suite classified as LOW or EXPORT quality, because these are less secure.
- Regularly review the list of trusted certificates, and limit the list of accepted Certificate Authorities to only those you are actually using.

More information for Tomcat is available at the Apache Tomcat Documentation Web site (http://tomcat.apache.org/tomcat-4.1-doc/index.html).

NOTE: Because of the way that iManager interprets and uses data, there are no known risks of HTML-based attacks such as cross-site scripting.
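The following added example (not part of the Novell guide or of Tomcat) checks the SSL-enabled connectors in a Tomcat server.xml against the cipher suite rules above. It assumes a Tomcat 7 JSSE connector configured through the `SSLEnabled`, `sslEnabledProtocols` and `ciphers` attributes and classifies suites by their JSSE names; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

def classify(suite):
    """Map a JSSE cipher suite name to the classes the guide says to avoid."""
    name = suite.upper()
    classes = []
    if "_NULL" in name:
        classes.append("NULL")      # no encryption at all
    if "_EXPORT_" in name or "_40_" in name:
        classes.append("EXPORT")    # 40-bit export-grade keys
    if "_WITH_DES_CBC_" in name:
        classes.append("LOW")       # single DES (56-bit); 3DES does not match
    return classes

def split_list(value):
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_connectors(server_xml):
    """Return (port, item, class) findings for SSL-enabled connectors."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # JSSE has no SSL 2.0 suites; SSLv2Hello is the SSL 2.0-format hello.
        for proto in split_list(conn.get("sslEnabledProtocols")):
            if proto.upper().startswith("SSLV2"):
                findings.append((port, proto, "SSL2"))
        ciphers = split_list(conn.get("ciphers"))
        if not ciphers:
            # Nothing pinned: the JVM's default suite list applies.
            findings.append((port, "ciphers attribute absent", "UNPINNED"))
        for suite in ciphers:
            findings.extend((port, suite, cls) for cls in classify(suite))
    return findings

# Constructed sample; not taken from any real server.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="SSLv2Hello,TLSv1"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_NULL_SHA,
             SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE):
        print(finding)
```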
A.6 Encrypted Attributes

iManager is able to securely read eDirectory 8.8 encrypted attributes. However, because of the way it determines if an attribute is encrypted, iManager does not securely modify or delete these encrypted attributes.

The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:

- Locating all iManager servers behind the firewall
- Locating iManager servers physically near their associated eDirectory servers
- Physically securing iManager and eDirectory servers
- Requiring remote administrators to use a VPN to access iManager and eDirectory servers

A.7 Secure Connections

Although iManager leverages secure HTTP (SSL) for client communications, and secure LDAP connections between iManager and eDirectory servers, iManager does not, with the exception of reading encrypted attributes, utilize secure NCP connections for communications between iManager servers and eDirectory servers. This is also true for the NCP connection used by Mobile iManager.

The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:

- Locating all iManager servers behind the firewall
- Locating iManager servers physically near their associated eDirectory servers
- Physically securing iManager and eDirectory servers
- Requiring remote administrators to use a VPN to access iManager and eDirectory servers

NOTE: Regardless of the wire-level encryption being used, passwords are always encrypted and protected as part of the iManager authentication process.
B Novell Plug-in Modules

iManager 2.7.6 ships with the following roles as part of the base.npm plug-in. Additional plug-in modules must be downloaded separately.

- Directory Administration
- Partitions and Replicas
- Help Desk
- Schema
- Rights
- Users
- Groups

The best place to locate and download iManager plug-ins is within iManager on the Available Novell Plug-in Module page. Alternately, you can download plug-ins from the Novell download site (http://download.novell.com). Select iManager as the product in the search criteria.

Additionally, Novell occasionally releases iManager plug-in updates. These updates are available on the Novell Patches & Security download site (http://support.novell.com/patches.html).

iManager base plug-ins are only available as part of the complete iManager software download (for example, eDirectory administrative plug-ins). Unless there are specific updates to these plug-ins, they can only be downloaded and installed with the entire iManager product.

For more information about downloading iManager plug-ins, see "Downloading and Installing Plug-Ins During Installation" in the iManager 2.7.6 Installation Guide.

NOTE: By default, the plug-in modules are not replicated between iManager servers. We recommend that you install the plug-in modules you want on each iManager server.