eDirectory And IDM Non-Root Install – Quick Start Guide

Have you ever needed a non-root install and just wanted a quick guide to get it done without a lot of research? This is a quick example guide that takes you from start to finish. It also gives guidance on how to structure a non-root install so that there isn't a lot of guesswork for someone who isn't familiar with the existing environment.

Purpose: This is a quick start guide to assist in setting up an eDirectory and IDM installation on a Linux server without root access. Note that root or sudo is still needed for a few prerequisites (NICI, the ISO loop mount); everything after that runs as the unprivileged service account. This install was specific to a SuSE Linux server. Other distributions may have other prerequisites.

Prerequisites:

1) NICI, the cryptographic infrastructure, requires root (or sudo rights) to install. To install NICI, see the eDirectory online documentation; the steps there cover both root and non-root eDirectory installs. https://www.netiq.com/documentation/edir88/edirin88/data/a79kg0w.html#bjtfrfr

2) The install requires the non-root install media / binary. This guide uses the one included in the IDM 4.5 ISO.

3) Create a dedicated mount point for the installation. Check the eDirectory sizing recommendations; 50GB for this mount point is sufficient, with room to grow, for organizations with fewer than 10k users. I used /idv in my environment, standing for Identity Vault.

4) Create a user and group named netiq. Set the primary group of the netiq user to the netiq group, remove the user from the distribution's default groups (for example users), and add the user to the daemon group so that its only supplementary group is daemon. Change the owner of the /idv mount point to the netiq user and group.

5) Copy the IDM 4.5 ISO file to the path /idv. Create a folder called /idv/media and mount the ISO on it as root (loop mounts require root): mount -o loop /idv/<IDM 4.5 ISO file> /idv/media

6) After NICI is installed and before installing eDirectory, go to /var/opt/novell/nici and run the set_server_mode script. This switches NICI to server mode, which eDirectory needs.
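The root-side prerequisites (steps 3 to 6) as one script. This is an added example, not part of the original guide; it assumes the guide's names (/idv, user and group netiq, supplementary group daemon, NICI under /var/opt/novell/nici) and takes the ISO path as its second argument. The check_account_layout function parses the output of id(1) so that the group layout the guide asks for can be verified, and it is written to accept that output as a string so it can also be checked without the account existing.

```shell
#!/bin/sh
# Added example for the guide's prerequisite steps; names below are assumptions.
# Usage (as root):  sh prep_idv.sh prep /path/to/IDM-4.5.iso
set -eu

MNT=/idv          # install mount point (guide step 3)
SVC=netiq         # service user and group (guide step 4)
EXTRA=daemon      # the only supplementary group the service user should have

# Verify the account layout from `id <user>` output:
# primary group must be $SVC and the supplementary groups exactly $SVC and $EXTRA.
check_account_layout() {
    idout=$(printf '%s\n' "$1" | sed 's/ context=.*//')   # drop SELinux suffix if any
    gid=$(printf '%s\n' "$idout" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p')
    groups=$(printf '%s\n' "$idout" | sed -n 's/.*groups=\(.*\)$/\1/p' \
             | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/' | sort | tr '\n' ' ')
    [ "$gid" = "$SVC" ] || return 1
    [ "$groups" = "$(printf '%s\n%s\n' "$EXTRA" "$SVC" | sort | tr '\n' ' ')" ]
}

prep() {
    iso=$1
    [ "$(id -u)" -eq 0 ] || { echo "prep must run as root" >&2; return 1; }
    getent group "$SVC" >/dev/null || groupadd "$SVC"
    if ! id "$SVC" >/dev/null 2>&1; then
        # -g sets the primary group, -G the exact supplementary group list
        useradd -m -g "$SVC" -G "$EXTRA" -s /bin/bash "$SVC"
    else
        # without -a, -G replaces the supplementary groups, dropping any defaults
        usermod -g "$SVC" -G "$EXTRA" "$SVC"
    fi
    check_account_layout "$(id "$SVC")" || { echo "unexpected groups for $SVC" >&2; return 1; }

    mkdir -p "$MNT/media"
    chown "$SVC:$SVC" "$MNT"
    # Guide step 5: copy the ISO under the mount point and loop-mount it read-only.
    cp "$iso" "$MNT/"
    mount -o loop,ro "$MNT/$(basename "$iso")" "$MNT/media"

    # Guide step 6: only valid once NICI is installed.
    if [ -x /var/opt/novell/nici/set_server_mode ]; then
        /var/opt/novell/nici/set_server_mode
    else
        echo "NICI not installed yet; run set_server_mode after installing it" >&2
    fi
}

case "${1:-}" in
    prep) prep "${2:?ISO path required}" ;;
esac
```

After it runs, `id netiq` should show gid=netiq and groups=netiq,daemon only; anything else means the account still carries a default group that would give the service more access than it needs.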

Install eDirectory

1) Copy the /idv/media/products/eDirectory/x64/nonroot.tar.gz file to /idv

2) Go to the /idv path and run the command: tar xzvf nonroot.tar.gz

Alakazam, your binary install is complete. The etc and opt directories are created under /idv/eDirectory. The /idv/eDirectory/var directory is created later, when the ndsconfig command configures the database.

3) Edit the /home/netiq/.bashrc file (the netiq user's login environment) to contain the export lines below. The non-root binaries and libraries live under /idv/eDirectory rather than in the system paths, so nothing will be found without them.

export LD_LIBRARY_PATH=/idv/eDirectory/opt/novell/eDirectory/lib64:/idv/eDirectory/opt/novell/eDirectory/lib64/nds-modules:/idv/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH

export PATH=/idv/eDirectory/opt/novell/eDirectory/bin:/idv/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH

export MANPATH=/idv/eDirectory/opt/novell/man:/idv/eDirectory/opt/novell/eDirectory/man:$MANPATH

export TEXTDOMAINDIR=/idv/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

4) Log out and back in (restart the PuTTY/ssh session) so the new environment is picked up, then confirm with: which ndsconfig

5) Run command: ndsconfig new

I configured the eDirectory instance with the information below. This assumes some knowledge of the ndsconfig new command; use "man ndsconfig" or the online documentation for more information. It prompts for the tree name, ports, IP address, server name and context, admin user name and context, etc.

Below is the information I had used for my install.

Admin: admin.sa.system

password: P@$$w0rd (example value only; use a strong, unique password in a real install)

Tree Name : IDV-Tree (or what makes sense to you)

Server DN : IDV1.servers.system (server name followed by context)

Admin DN : admin.sa.system

NCP Interface(s) : 10.10.1.1@1524 (a non-root process cannot bind ports below 1024, so every listener in a non-root install, NCP, HTTP, HTTPS and LDAP, must use a high port)

HTTP Interface(s) : 10.10.1.1@8028

HTTPS Interface(s) : 10.10.1.1@8030

LDAP TCP Port : 1389

LDAP TLS Port : 1636

LDAP TLS Required : Yes

Duplicate Tree Lookup : Yes

Configuration File : /idv/eDirectory/etc/opt/novell/eDirectory/conf/nds.conf

Instance Location : /idv/eDirectory/var/opt/novell/eDirectory/data

DIB Location : /idv/eDirectory/var/opt/novell/eDirectory/data/dib

Start and stop eDirectory with the ndsmanage command. Because the IDM engine runs inside the eDirectory process, stopping eDirectory also fully stops IDM and its drivers.
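The netiq-side steps above (extract the non-root tarball, set up the environment, run ndsconfig new) as one script. This is an added example and not part of the original guide. All values are the guide's sample ones (/idv, IDV-Tree, IDV1 in servers.system, admin.sa.system, 10.10.1.1, ports 1524/8028/8030/1389/1636) and are assumptions for your environment; the ndsconfig flags used are those listed in man ndsconfig for eDirectory 8.8, so confirm them against your installed version. Two points differ from the guide on purpose: the export lines go into one sourced file instead of being pasted into .bashrc, and the admin password is not passed on the command line (no -w), so ndsconfig prompts for it rather than exposing it in ps output and shell history.

```shell
#!/bin/sh
# Added example for the guide's eDirectory steps; all values are assumptions.
# Usage (as netiq):  sh edir_nonroot.sh extract   then   sh edir_nonroot.sh configure
set -eu

BASE=/idv/eDirectory
IP=10.10.1.1
TREE=IDV-Tree
SERVER=IDV1                   # server name
SERVER_CTX=servers.system     # server context, giving the DN IDV1.servers.system
ADMIN=admin.sa.system
NCP=1524; HTTP=8028; HTTPS=8030; LDAP=1389; LDAPS=1636

# A non-root process cannot bind ports below 1024, so refuse privileged ports outright.
is_unprivileged_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Reject the whole port plan if any port is privileged or listed twice.
validate_ports() {
    seen=
    for p in "$@"; do
        is_unprivileged_port "$p" || { echo "port $p needs root to bind" >&2; return 1; }
        case " $seen " in *" $p "*) echo "port $p listed twice" >&2; return 1 ;; esac
        seen="$seen $p"
    done
}

# Assemble the ndsconfig command line; -w is omitted so the password is prompted for.
build_ndsconfig_cmd() {
    validate_ports "$NCP" "$HTTP" "$HTTPS" "$LDAP" "$LDAPS" || return 1
    printf 'ndsconfig new -t %s -n %s -S %s -a %s -B %s@%s -L %s -l %s -o %s -O %s -D %s --config-file %s\n' \
        "$TREE" "$SERVER_CTX" "$SERVER" "$ADMIN" "$IP" "$NCP" "$LDAP" "$LDAPS" "$HTTP" "$HTTPS" \
        "$BASE/var/opt/novell/eDirectory/data" "$BASE/etc/opt/novell/eDirectory/conf/nds.conf"
}

extract() {
    cd /idv
    cp /idv/media/products/eDirectory/x64/nonroot.tar.gz .
    tar xzf nonroot.tar.gz            # creates $BASE/etc and $BASE/opt
    # One sourced environment file; ~/.bashrc just sources it (idempotent).
    cat > "$BASE/env.sh" <<EOF
export LD_LIBRARY_PATH=$BASE/opt/novell/eDirectory/lib64:$BASE/opt/novell/eDirectory/lib64/nds-modules:$BASE/opt/novell/lib64:\${LD_LIBRARY_PATH:-}
export PATH=$BASE/opt/novell/eDirectory/bin:$BASE/opt/novell/eDirectory/sbin:\$PATH
export MANPATH=$BASE/opt/novell/man:$BASE/opt/novell/eDirectory/man:\${MANPATH:-}
export TEXTDOMAINDIR=$BASE/opt/novell/eDirectory/share/locale:\${TEXTDOMAINDIR:-}
EOF
    grep -q 'eDirectory/env.sh' "$HOME/.bashrc" || echo ". $BASE/env.sh" >> "$HOME/.bashrc"
}

configure() {
    . "$BASE/env.sh"
    command -v ndsconfig >/dev/null || { echo "ndsconfig not on PATH; source env.sh" >&2; return 1; }
    cmd=$(build_ndsconfig_cmd) || return 1
    echo "running: $cmd"
    $cmd                              # interactive: prompts for the admin password
    ndsstat                           # confirm the new instance is up and answering
}

case "${1:-}" in
    extract)   extract ;;
    configure) configure ;;
esac
```

validate_ports is the part worth keeping even if you type ndsconfig by hand: a privileged port in any one of the five listeners makes the instance fail to start as netiq, and the error only shows up after the DIB has already been created.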

Install IDM

Run the command cd /idv/media/products/IDM/linux/setup and then run ./idm-nonroot-install

1) The Base directory is /idv/eDirectory

2) Log in as admin and extend the schema when prompted.

The install of the IDM engine is now finished. Note that the installer creates a private RPM database for the IDM packages under /idv/eDirectory/rpm. Keep it: IDM patches are applied against this database rather than the system one.

Remember that dxcmd (stopping and starting drivers, etc., from the command line) connects to the default NCP port 524 unless told otherwise, so with this install run it as: dxcmd -port 1524

Results

You now have the following structure
/idv — I would suggest creating /idv/install path for patches and install documentation.
/idv/media — ISO install mount point
/idv/eDirectory — base eDirectory binary and database
/idv/idm — not created yet, recommended path for SSPR, postgres, tomcat, User Application, etc.
/idv/eDirectory/var/opt/novell/eDirectory — path to dib and logs
/idv/eDirectory/opt/novell/eDirectory — path to bin, conf, lib directories, etc.
/idv/eDirectory/rpm — package directory used for patching IDM.

Notes

To start up the eDirectory instance on server reboot, see TID here.

If you wish to install iManager on this server, it requires root or sudo.

Patching a non-root eDirectory is basically copying new files over the existing ones under the /idv/eDirectory structure. Prior to patching, stop the instance with ndsmanage and back up the full /idv structure; a file-level copy of a running DIB is not consistent.

The Identity Applications (SSPR / OSP, User Application, postgres, and Reporting) all require sudo / root rights. I recommend installing these services on a different server or servers. I don't recommend attempting a silent install of these services at this time; the command line installer allows a complete installation and configuration if the GUI is not available.

I also recommend an additional IDM/eDirectory server to fail over to. If you choose to have only one eDirectory server, back it up nightly, or in a virtual environment snapshot it nightly.

If you deviated from these steps, document the differences so that NetIQ support or others will understand the structure.