Posted: 2 Mar 2005

The Deployment team at Novell has begun creating a series of papers explaining exactly how they have deployed Open Enterprise Server in some very specific scenarios. Here's how they did it in a NetWare 5.1 tree.

Preparation Steps

Preparation 1

NetWare 5.1 must be running Support Pack 7 or later, with NDS 8 or later.

Preparation 2

If running NDS 8 (earlier, non-eDirectory version), you must run the "Prepare for New eDirectory" wizard from Deployment Manager located on the NetWare 6.5 CD, or from the Installation task located in iManager 2.02 or above.

Best Practice Tip - To help ensure a successful OES for Linux installation into the existing NetWare tree, it is recommended that you apply the OES for Linux schema to the production tree and let the schema synchronize throughout the tree before installing your first OES for Linux server.

This can be done by installing one OES for Linux server into a test tree with all the products that will eventually be deployed in the production tree. Then follow TID 10066604 by importing the schema from this Linux test tree into the Production tree.

Note: It is especially important to have the Linux User Management Schema extended before inserting the first OES for Linux server into a 5.1 NDS 8 tree.

Preparation 3

If using 51sp7, please apply the latest SAS.NLM. See TID 2970116.

Preparation 4

If using 51sp7, for better SLP compatibility between NetWare SLP and Linux OpenSLP, it is recommended you run SLP modules (slp*.*) from 51sp8.

Issue - During the installation a dialog asks for the ip address of an LDAP server to authenticate to. If a NetWare 5.1 server is chosen and it is running the SAS.NLM from Support Pack 7 the installation may fail. To prevent the problem, update your SAS.NLM.

Our Environment and Test

First we upgraded all 51sp7 servers to 5.1sp8. We ran the preparation steps noted above. At this point, our Servers are now running NDS 8.85c (pre-eDirectory NDS 8).

We are documenting this environment because it has known pre-requisites and compatibility issues in co-existing with eDirectory 8.73, which runs on NetWare 6.5 and OES for Linux.

DNSDHCP, SLPDA and Timesync Time server are running on a NW51sp8 server.

Installing the first OES for Linux server

See the OES for Linux installation guide for complete information.

I will mention just a few of the steps during the OES installation process.

First boot off the OES CD1 to bring up the installation screen. You can choose to install off several CDs or do a network install. The network install is much quicker, since you don't have to swap CDs several times (See the OES for Linux installation guide.) At this point, if using the network install method with the Network install server setup for NFS, you can choose "Installation" and then enter in the field below, something like this,

Install=nfs://10.0.0.1/share/oes/final.

You could also go choose "Manual Installation" and then go through a few more steps to do a network install.

When getting to the product selections, the OES Pattern with many of the OES packages should be selected by default. Go into the details, and scroll to the bottom to see what OES Products are selected. NSS is not selected by default -- please select it if desired. To install NSS on the same disk as the Linux root partition special instructions must be followed; see the OES for Linux Installation Guide for installing NSS on an EVMS partition.

When getting to the CA creation screen, be sure not to skip this step and do not enable OpenLDAP.

After putting in the eDirectory login information using an FDN and dot notation (cn=admin.o=novell) and the password, we proceeded. You must also put in the IP address of a server in the tree. In our case we put in the IP address of the Master replica of root.

We then installed OES for Linux into the tree. On the NTP and SLP install screen we put in the address of the 51sp8 server. NetWare 5.1 can give an NTP timeout to a Linux NTP server. Although 5.1 is NTP compatible, it does not contain the full NTPv3 functionality, but we saw no problems with time synchronization other than noticing time took longer to synchronize than when using timesync. Later after OES is installed, we will point all servers to the Linux NTPv3 time source.

For SLP we chose the option of SLPDA configuration and put in the scope (IE – OES-SCOPE) and IP address of the 5.1sp8 SLPDA.

The install will soon bring up a screen showing all product configurations. You will notice that each product is configured with an IP address. The install will do some LDAP authentication to these addresses. NetWare 5.1 servers running older versions of NDS (pre-eDirectory versions such as 8.85c -- code named Fusion) will contain an LDAP version that does not understand all of the LDAP calls the OES products will be making.

Basically if you are running NetWare 5.1 with an eDirectory version less than eDirectory 8.7.x you should not point these product configurations to that server.

By default, these products will be configured to use the local LDAP server, and in this case should not be changed to point to the 5.1 NDS 8 server. Since OES for Linux is installed with eDirectory 8.73IRX you will be fine with the local configuration.

Continue with the remainder of the install.

Next we upgraded some of the 5.1 servers using the local upgrade method to OES on NetWare 6.5. We also added in a couple more OES for Linux servers.

In this type of NDS 8.85c environment it can co-exist with eDirectory 8.73, but you should consider this a temporary solution and eventually all servers should be upgraded to eDirectory 8.73.

Simple Troubleshooting

If anything fails, you can do a (ctrl-alt-f2) and toggle to the Linux command line. Do an ndsstat to see if eDirectory is running properly. Do a tail -f /var/log/YaST2/y2log to see a scrolling of the install log. Ctrl-C to stop. To get back to the GUI, do a Ctrl-Alt-f7. Another important file to check is /var/nds/ndsd.log.

If you start seeing a lot of products fail you may have a communication problem or a security problem. For instance if SSL certificates fail to get created or fail to be associated with LDAP, then some products will fail. Check the two log files mentioned above.

We have seen a couple of strange cases, like using a four-letter password for root, or fiddling around (for example, in certain odd situations of changing the IP address several times on a multi-nic system (in most cases it worked)) where security would fail. There are currently defects for these issues for the next release.

NetWare SLP and OpenSLP

The service location protocol (SLP) was developed with the aim of simplifying the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network. SLP is used to make the availability of a certain service known to all clients in the local network. Applications that support SLP can use the information distributed and be configured automatically.

For more information, see this section of the documentation.

Timesync to NTP

For more information see the OES Time Synchronization guide.

There is a timesync Migration tool to Migration timesync servers to NTP located in a role ask in NetWare iManager 2.5 (OES for NetWare). This tool was not available at the time of our testing so we did a manual procedure. First we configured an OES for Linux server to be the time provider. Since we were in an isolated network we pointed this server to get local time by using the "Server 127.127.1.0" entry in the /etc/ntp.conf. In a real environment this server would probably be pointed to a more accurate stratum server.

Next, all the OES for NetWare servers had their Timeserv.ncf file changed (uncomment XNTPD and comment out Timesync). Then these servers were pointed to the Time Provider server by adding this entry to their ntp.conf files:

server IP address_of_TimeProvider

Next unload timesync on all these servers and load xntpd. Within a few minutes time should be synchronized on all the servers. The NTPDATE IP address_of_TimeProvider can also be executed on each server to quickly slam the time to that of the Time Provider before loading the XNTPD module. Next run dsrepair | Time Synchronization and it now shows all servers in sync and shows NTP as the time method.

For any existing NetWare 5.1 servers, the time source was pointed to the OES for Linux server with a port of 123.
Example – 10.0.0.8:123