Installing OES for Linux into a NetWare 5.1 Tree (Revision 1)
Posted: 2 Mar 2005
The Deployment team at Novell has begun creating a series of
papers explaining exactly how they have deployed Open Enterprise Server in some
very specific scenarios. Here's how they did it in a NetWare 5.1 tree.
Preparation Steps
Preparation 1
NetWare 5.1 must be running Support Pack 7 or later, with NDS
8 or later.
Preparation 2
If running NDS 8 (earlier, non-eDirectory version), you must
run the "Prepare for New eDirectory" wizard from Deployment Manager located on
the NetWare 6.5 CD, or from the Installation task located in iManager 2.02 or
above.
Best Practice Tip - To help ensure a successful OES for Linux
installation into the existing NetWare tree, it is recommended that you apply
the OES for Linux schema to the production tree and let the schema synchronize
throughout the tree before installing your first OES for Linux server.
This can be done by installing one OES for Linux server into a
test tree with all the products that will eventually be deployed in the
production tree. Then follow TID 10066604 to import the schema from
this Linux test tree into the production tree.
Note: It is especially important to have the Linux User
Management Schema extended before inserting the first OES for Linux server into
a 5.1 NDS 8 tree.
Preparation 3
If using 51sp7, please apply the latest SAS.NLM. See TID
2970116.
Preparation 4
If using 51sp7, for better SLP compatibility between NetWare
SLP and Linux OpenSLP, it is recommended you run SLP modules (slp*.*) from
51sp8.
Issue - During the installation, a dialog asks for the IP
address of an LDAP server to authenticate to. If a NetWare 5.1 server is chosen
and it is running the SAS.NLM from Support Pack 7, the installation may fail. To
prevent the problem, update your SAS.NLM.
Our Environment and Test
First we upgraded all 51sp7 servers to 5.1sp8. We ran the
preparation steps noted above. At this point, our servers were running NDS
8.85c (pre-eDirectory NDS 8).
We are documenting this environment because it has known
pre-requisites and compatibility issues in co-existing with eDirectory 8.73,
which runs on NetWare 6.5 and OES for Linux.
DNSDHCP, SLPDA and Timesync Time server are running on a
NW51sp8 server.
Installing the first OES for Linux server
See the OES
for Linux installation guide for complete information.
I will mention just a few of the steps during the OES
installation process.
First boot off the OES CD1 to bring up the installation
screen. You can choose to install off several CDs or do a network install. The
network install is much quicker, since you don't have to swap CDs several times
(see the OES for Linux installation guide). At this point, if using the network
install method with the network install server set up for NFS, you can choose
"Installation" and then enter something like this in the field below:
Install=nfs://10.0.0.1/share/oes/final
You could also choose "Manual Installation" and then go through a few more
steps to do a network install.
When you get to the product selections, the OES Pattern with
many of the OES packages should be selected by default. Go into the details and
scroll to the bottom to see which OES products are selected. NSS is not selected
by default -- please select it if desired. To install NSS on the same disk as
the Linux root partition, special instructions must be followed; see the OES for
Linux Installation Guide for installing
NSS on an EVMS partition.
When getting to the CA creation screen, be sure not to skip
this step and do not enable OpenLDAP.
After putting in the eDirectory login information using an FDN
and dot notation (cn=admin.o=novell) and the password, we proceeded. You must
also put in the IP address of a server in the tree. In our case we put in the IP
address of the Master replica of root.
We then installed OES for Linux into the tree. On the NTP and
SLP install screen we put in the address of the 51sp8 server. NetWare 5.1 can
give an NTP timeout to a Linux NTP server. Although 5.1 is NTP compatible, it
does not contain the full NTPv3 functionality, but we saw no problems with time
synchronization other than noticing time took longer to synchronize than when
using timesync. Later after OES is installed, we will point all servers to the
Linux NTPv3 time source.
For SLP we chose the option of SLPDA configuration and put in
the scope (for example, OES-SCOPE) and IP address of the 5.1sp8 SLPDA.
The install will soon bring up a screen showing all product
configurations. You will notice that each product is configured with an IP
address. The install will do some LDAP authentication to these addresses.
NetWare 5.1 servers running older versions of NDS (pre-eDirectory versions such
as 8.85c -- code named Fusion) will contain an LDAP version that does not
understand all of the LDAP calls the OES products will be making.
Basically, if you are running NetWare 5.1 with an eDirectory
version earlier than eDirectory 8.7.x, you should not point these product
configurations to that server.
By default, these products will be configured to use the local
LDAP server, and in this case should not be changed to point to the 5.1 NDS 8
server. Since OES for Linux is installed with eDirectory 8.73IRX you will be
fine with the local configuration.
Continue with the remainder of the install.
Next we upgraded some of the 5.1 servers using the local
upgrade method to OES on NetWare 6.5. We also added in a couple more OES for
Linux servers.
In this type of environment, NDS 8.85c can co-exist with
eDirectory 8.73, but you should consider this a temporary solution;
eventually all servers should be upgraded to eDirectory 8.73.
Simple Troubleshooting
If anything fails, you can press Ctrl-Alt-F2 to toggle to
the Linux command line. Run ndsstat to see if eDirectory is running properly.
Run tail -f /var/log/YaST2/y2log to see the install log scroll by; press Ctrl-C
to stop. To get back to the GUI, press Ctrl-Alt-F7. Another important file to
check is /var/nds/ndsd.log.
If you start seeing a lot of products fail, you may have a
communication problem or a security problem. For instance, if SSL certificates
fail to get created or fail to be associated with LDAP, then some products will
fail. Check the two log files mentioned above.
We have seen a couple of strange cases where security would fail, such as
using a four-letter password for root, or certain odd situations of changing
the IP address several times on a multi-NIC system (in most cases it worked).
There are currently defects for these issues for the next release.
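One way to triage /var/log/YaST2/y2log for the certificate and LDAP failures described above, as an added example that is not part of the original paper. The function name, the sample entries and the assumed y2log line layout (date, time, <level>, host(pid), [component], source, message, with <3> and above meaning error) are assumptions.

```shell
#!/bin/sh
# Added example: summarize error-level entries in a YaST2 log.
# Assumption: each entry is
#   DATE TIME <level> host(pid) [component] source:line message
# with <3> and above meaning error; other lines are ignored.
y2log_triage() {
    awk '
        $3 ~ /^<[0-9]>$/ && substr($3, 2, 1) + 0 >= 3 {
            errors++
            bycomp[$5]++
            # The page singles out SSL certificate and LDAP failures.
            if (tolower($0) ~ /ssl|certificate|ldap/) {
                sec++
                hits = hits "  " $0 "\n"
            }
        }
        END {
            printf "errors=%d cert_or_ldap=%d\n", errors, sec
            printf "%s", hits
            for (c in bycomp) printf "  component %s: %d\n", c, bycomp[c]
        }
    ' "$@"
}

# Constructed sample entries (host, source files and messages are made up).
Y2LOG_SAMPLE='2005-03-02 10:21:40 <1> oes1(2841) [YCP] example_ca.ycp:58 Creating server certificate
2005-03-02 10:21:44 <3> oes1(2841) [YCP] example_ca.ycp:91 SSL certificate creation failed
2005-03-02 10:21:50 <2> oes1(2841) [wfm] example_slp.ycp:12 DA not answering yet
2005-03-02 10:22:03 <3> oes1(2841) [bash] example_shell.cc:78 command exited with 1'

printf '%s\n' "$Y2LOG_SAMPLE" | y2log_triage
# On the installing server: y2log_triage /var/log/YaST2/y2log
```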
NetWare SLP and OpenSLP
The service location protocol (SLP) was developed with the aim
of simplifying the configuration of networked clients within a local network. To
configure a network client, including all required services, the administrator
traditionally needs detailed knowledge of the servers available in the network.
SLP is used to make the availability of a certain service known to all clients
in the local network. Applications that support SLP can use the information
distributed and be configured automatically.
For more information, see this
section of the documentation.
Timesync to NTP
For more information see the OES
Time Synchronization guide.
There is a Timesync migration tool for migrating Timesync
servers to NTP, located in a role task in NetWare iManager 2.5 (OES for NetWare).
This tool was not available at the time of our testing, so we did a manual
procedure. First we configured an OES for Linux server to be the time provider.
Since we were in an isolated network, we pointed this server to get local time by
using the "Server 127.127.1.0" entry in /etc/ntp.conf. In a real environment,
this server would probably be pointed to a more accurate stratum server.
Next, all the OES for NetWare servers had their Timeserv.ncf
file changed (uncomment XNTPD and comment out Timesync). Then these servers were
pointed to the Time Provider server by adding this entry to their ntp.conf
files:
server IP_address_of_TimeProvider
Next, unload timesync on all these servers and load xntpd.
Within a few minutes, time should be synchronized on all the servers. NTPDATE
IP_address_of_TimeProvider can also be executed on each server to quickly slam
the time to that of the Time Provider before loading the XNTPD module. Next, run
dsrepair | Time Synchronization; it now shows all servers in sync and shows
NTP as the time method.
For any existing NetWare 5.1 servers, the time source was
pointed to the OES for Linux server with a port of 123. Example –
10.0.0.8:123
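On a Linux server that has been pointed at the Time Provider, the same "in sync" check can be made from `ntpq -pn` output. This is an added example, not part of the original paper; the function name, the 100 ms offset budget, IPv4 peers and the sample output are assumptions, and 10.0.0.8 stands in for the Time Provider as in the example address above.

```shell
#!/bin/sh
# Added example: confirm from `ntpq -pn` output (stdin) that a server has
# selected the time provider as its system peer and is within an offset budget.
#   $1 = time provider IPv4 address
#   $2 = maximum absolute offset in milliseconds (assumed threshold)
check_ntp_peer() {
    awk -v want="$1" -v max="$2" '
        $1 == "remote" || $1 ~ /^=+$/ { next }      # header and rule line
        {
            tally = " "; remote = $1
            if ($1 ~ /^[^0-9]/) {                   # leading tally code, e.g. * or +
                tally = substr($1, 1, 1); remote = substr($1, 2)
            }
            if (remote != want) next
            seen = 1
            off = $9 + 0; if (off < 0) off = -off
            if ($7 == "0")          { print "FAIL: " want " unreachable (reach=0)"; bad = 1 }
            else if (tally != "*")  { print "FAIL: " want " is not the selected system peer"; bad = 1 }
            else if (off > max + 0) { print "FAIL: offset " $9 " ms exceeds " max " ms"; bad = 1 }
            else                    { print "OK: synced to " want ", offset " $9 " ms" }
        }
        END {
            if (!seen) { print "FAIL: " want " not in peer list"; exit 1 }
            exit bad + 0
        }
    '
}

# Constructed sample output (not captured from a real server).
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.8        LOCAL(0)         6 u   33   64  377    0.412    1.532   0.210'
NTPQ_UNREACHED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.0.8        .INIT.          16 u    -   64    0    0.000    0.000   0.000'

printf '%s\n' "$NTPQ_SYNCED"    | check_ntp_peer 10.0.0.8 100
printf '%s\n' "$NTPQ_UNREACHED" | check_ntp_peer 10.0.0.8 100 || true
# On a live server: ntpq -pn | check_ntp_peer 10.0.0.8 100
```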