NetIQ 2.7 7 iManager Administration Guide

NetIQ 2.7 7 iManager Administration Guide
Add to My manuals

Below you will find brief information for iManager 2.7 7. This guide helps administrators to manage NetIQ eDirectory objects, schema, partitions and replicas. A single point of administration for many other network resources, iManager 2.7 7 provides management of many other NetIQ and Novell products using iManager plug-ins. Role-Based Services (RBS) for delegated administration is also included.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

NetIQ iManager 2.7 7 Administration Guide | Manualzz

NetIQ

®

iManager 2.7.7

Administration Guide

September 2013

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE

SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY

SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY

KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF

EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY

TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S.

Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4

(for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.

For information about NetIQ trademarks, see https://www.netiq.com/company/legal/ .

Contents

About this Book and the Library

About NetIQ Corporation

9

11

1 Overview

13

2 Accessing iManager

15

2.1

Using a Supported Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.2

Accessing iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.2.1

Accessing Server-based iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.2.2

Accessing iManager Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.3

Accessing NCP Server Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.4

Access Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.5

Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.5.1

Tree Name Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.2

Logging in to a Server without a Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.3

Unsuccessful Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.4

Expired Password Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.5

Contextless Login Using Alternate Object Classes and/or Alternate Attributes. . . . . . . . . . 19

3 Navigating the iManager Interface

21

3.1

iManager Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.1.1

Header Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.1.2

Navigation Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.1.3

Content Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.2

Special Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4 Browsing Objects

25

4.1

Using the Object View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.1.1

Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.1.2

Browse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

4.1.3

Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2

Using the Object Selector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4.2.1

Browse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.2.2

Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

5 Roles and Tasks

35

5.1

Navigating Roles and Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.1.1

Selecting and Filtering Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.2

Directory Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.2.1

Copying an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.2.2

Creating an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.2.3

Deleting an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.2.4

Modifying an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.2.5

Moving an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.2.6

Renaming an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5.3

Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Contents

3

5.3.1

Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5.3.2

Deleting a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.3.3

Modifying a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.3.4

Modifying Members of Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.3.5

Move Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.3.6

Rename Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.3.7

Viewing My Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.4

Help Desk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.4.1

Clearing a Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.4.2

Creating a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.4.3

Setting a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.5

Partitions and Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.5.1

Creating a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.5.2

Merging a Partition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.5.3

Moving a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.5.4

Viewing Replica Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

5.5.5

Viewing Partition Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

5.5.6

Using the Filtered Replica Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

5.6

Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

5.6.1

Modifying the Inherited Rights Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

5.6.2

Modifying Trustee Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

5.6.3

Rights to Other Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

5.6.4

Viewing Effective Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

5.7

Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

5.7.1

Adding an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.7.2

Viewing Attribute Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.7.3

Viewing Class Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.7.4

Creating an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.7.5

Creating a Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.7.6

Deleting an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.7.7

Deleting a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.7.8

Extending a Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.7.9

Extending an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

5.8

Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

5.8.1

Creating a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

5.8.2

Deleting a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.8.3

Disabling an Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.8.4

Enabling an Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.8.5

Modifying a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5.8.6

Moving a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5.8.7

Renaming a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

6 Configuring and Customizing iManager

53

6.1

Role-Based Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

6.1.1

RBS Objects in eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

6.1.2

Installing RBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

6.1.3

Removing RBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

6.2

RBS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

6.2.1

The Role Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

6.2.2

The Task Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

6.2.3

The Property Book Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

6.2.4

The Module Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

6.2.5

The Category Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

6.2.6

Plug-In Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

6.2.7

Editing Member Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

6.2.8

Editing Owner Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

6.3

RBS Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

6.3.1

Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

4

NetIQ® iManager Administration Guide

6.3.2

Using Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

6.4

iManager Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

6.4.1

Configure iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

6.4.2

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

6.4.3

Look and Feel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

6.4.4

Logging Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

6.4.5

Redirection After Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

6.4.6

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

6.4.7

RBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

6.4.8

Plug-In Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

6.4.9

Misc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

6.4.10

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

6.5

Object Creation List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

6.5.1

Adding an Object Class to the Creation List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

6.5.2

Deleting an Object Class from the Creation List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

6.6

Plug-In Module Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

6.6.1

Available NetIQ Plug-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

6.6.2

Installed NetIQ Plug-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

6.7

Downloading and Installing Plug-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

6.7.1

If RBS is Configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

6.7.2

Uninstalling a Plug-in Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

6.7.3

Customizing the Plug-In Download Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

6.8

E-Mail Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6.8.1

Mail Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6.8.2

Task Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6.9

Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

6.9.1

Showing and Hiding iManager Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

6.9.2

Enabling and Disabling Identity Manager view as Default view in iManager on

Identity Manager Installed Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

7 Preferences

85

7.1

Manage Favorites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

7.2

Object Selector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

7.3

Object View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

7.4

Set Initial View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

7.5

Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

8 Troubleshooting

87

8.1

Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

8.1.1

HTTP 404 Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

8.1.2

HTTP 500 Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

8.1.3

601 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

8.1.4

622 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

8.1.5

632 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

8.1.6

634 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

8.1.7

669 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

8.2

Accessing NCP Server Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

8.3

Deleting and Re-creating User Accounts with the Same Name (Windows XP/2000) . . . . . . . . . . . . 90

8.4

DNS 630 Error Message Appears When Creating a Property Book with Invalid Characters in

Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8.5

eDirectory Maintenance Task Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8.6

Enabling Debug Messages for Install and Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8.7

History Does Not Automatically Sync Across Multiple Simultaneous User Logins . . . . . . . . . . . . . . 91

8.8

iManager Does Not Work After Installing Groupwise 7.0 WebAccess (Windows Server

2000/2003) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Contents

5

8.9

Missing Attribute, Object, or Value Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.10

Missing Roles or Tasks in the Configure View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.10.1

Possible Missing Roles or Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.10.2

Possible Reasons Why You Are Not an Authorized User . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.11

Performing a System Restore from Image Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

8.12

Running eDirectory and iManager on the Same Machine (Windows only) . . . . . . . . . . . . . . . . . . . . 93

8.13

“Service Unavailable” Message Appears During Multiple Plug-In Installs . . . . . . . . . . . . . . . . . . . . . 94

8.14

Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

8.14.1

Starting and Stopping Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

8.14.2

Tomcat Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

8.15

“Unable to Determine Universal Password Status” Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

8.16

iManager Workstation Does Not Display Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

8.17

Sometimes Refresh Button Does Not Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

8.18

iManager Plug-in Installation Hangs or Plug-ins Are Not Properly Installed . . . . . . . . . . . . . . . . . . . 96

8.19

Login Issue with Tree IP Address Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

8.20

Insufficient Java Heap Size Results in Failed Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

8.21

Java Error Messages are Displayed After Closing the Browser of iManager Workstation. . . . . . . . . 98

8.22

iManager and LDAP Use Different Date Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

8.23

iManager Installation Fails on SLES 9 and RedHat 4 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

9 Auditing iManager Events

101

9.1

Installing the IMAN_EN.LSC File in iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

9.2

Enabling Audit in iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

9.3

Configuring Audit for iManager Instrumentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

9.4

Configuring Audit for iManager Instrumentation with Third-Party Certificates . . . . . . . . . . . . . . . . . 103

9.5

Enabling XDAS Audit in iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

9.6

Configuring XDAS Audit for iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

10 Best Practices and Common Questions

107

10.1

Backup and Restore Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

10.2

Coexistence with previous versions of iManager 2.x and Role-Based Services . . . . . . . . . . . . . . . 107

10.3

Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

10.4

Failed Installs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

10.4.1

Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

10.4.2

Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

10.5

High Availability: Running iManager in a Clustered Environment . . . . . . . . . . . . . . . . . . . . . . . . . . 109

10.6

Patching iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

10.7

Performance Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

10.7.1

Using Dynamic Groups with RBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

10.7.2

Role Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

10.8

iManager AppArmor Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

10.9

Allocating Additional Tomcat Memory in Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

A iManager Security Issues 113

A.1

Secure LDAP Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

A.2

Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

A.3

iManager Authorized Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

A.4

Preventing User Name Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

A.5

Tomcat Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

A.6

Encrypted Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

A.7

Secure Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

6

NetIQ® iManager Administration Guide

B NetIQ Plug-in Modules 117

Contents

7

8

NetIQ® iManager Administration Guide

About this Book and the Library

The

Administratin Guide

provides conceptual information about the NetIQ iManager (iManager) product. This book defines terminology and includes implementation scenarios.

For the most current version of the

NetIQ iManager 2.7.7 Administration Guide

, see the English version of the documentation at the NetIQ iManager online documentation site (https://www.netiq.com/ documentation/imanager27/index.html) .

Intended Audience

This guide is intended for network administrators.

Other Information in the Library

The library provides the following information resources:

Š

NetIQ iManager 2.7.7 Installation Guide

(https://www.netiq.com/documentation/imanager/ imanager_install/data/hk42s9ot.html)

Š

NetIQ eDirectory home (https://www.netiq.com/products/edirectory/)

Š

NetIQ eDirectory documentation (https://www.netiq.com/documentation/edir88/)

Š

NetIQ Cool Solutions community (https://www.netiq.com/communities/coolsolutions/)

Š

Novell Technical Services (http://support.novell.com)

Š

Apache Tomcat (http://tomcat.apache.org/)

Š

Proxy Support HOW-TO (http://tomcat.apache.org/tomcat-4.1-doc/proxy-howto.html)

Š

Java Web site (http://www.oracle.com/technetwork/java/index.html)

Š

Microsoft IIS* Web site (http://www.iis.net/)

About this Book and the Library

9

10

NetIQ® iManager Administration Guide

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk—and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new

In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster

We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software

In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate — day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results.

And that's so much more rewarding than simply selling software.

Driving your success is our passion

We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we all succeed.

Our Solutions

Š

Identity & Access Governance

Š

Access Management

Š

Security Management

Š

Systems & Application Management

Š

Workload Management

Š

Service Management

About NetIQ Corporation

11

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide:

United States and Canada:

Email:

Web Site:

www.netiq.com/about_netiq/officelocations.asp

1-888-323-6768 [email protected]

www.netiq.com

Contacting Technical Support

For specific product issues, contact our Technical Support team.

Worldwide:

North and South America:

Europe, Middle East, and Africa:

Email:

Web Site:

www.netiq.com/support/contactinfo.asp

1-713-418-5555

+353 (0) 91-782 677 [email protected]

www.netiq.com/support

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, click

Add Comment

at the bottom of any page in the HTML versions of the documentation posted at www.netiq.com/documentation . You can also email Documentation-

[email protected]

. We value your input and look forward to hearing from you.

Contacting the Online User Community

Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and

NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http:// community.netiq.com

.

12

NetIQ® iManager Administration Guide

1

Overview

NetIQ iManager is a Web-based administration console that provides secure, customized access to network administration utilities and content from virtually anywhere you have access to the Internet and a Web browser.

iManager provides the following:

Š

Single point of administration for NetIQ eDirectory objects, schema, partitions, and replicas

Š

Single point of administration for many other network resources

Š

Management of many other NetIQ and Novell products using iManager plug-ins

Š

Role-Based Services (RBS) for delegated administration

Because iManager is a Web-based tool, it enjoys several advantages over client-based administrative tools:

Š

Upgrade once, on the server, for all administrative users

Š

Changes to iManager look, feel, and functionality are immediately available to all administrative users

Š

Do not need to open additional administrative ports for remote access. iManager leverages standard HTTP ports (80/443). With iManager 2.7.7, you can pass non- standard HTTP ports.

Š

Not necessary to download and maintain an administrative client

Š

Not necessary to keep client software synchronized with changes to server software

Overview

13

14

NetIQ® iManager Administration Guide

2

Accessing iManager

You access NetIQ iManager via a Web browser. This section includes the following topics:

Š

Section 2.1, “Using a Supported Web Browser,” on page 15

Š

Section 2.2, “Accessing iManager,” on page 15

Š

Section 2.3, “Accessing NCP Server Objects,” on page 16

Š

Section 2.4, “Access Modes,” on page 17

Š

Section 2.5, “Authenticating,” on page 17

2.1

Using a Supported Web Browser

For iManager access and complete use of all its features, use one of the following Web browsers.

Although you might be able to access iManager via a Web browser not listed, we do not guarantee or support full functionality with any browser other than the following:

Š

Safari 5.1.4

Š

Safari 6.0 is certified

Š

Google Chrome 22, 23, 25, 26, 27, and 28 are certified

Š

Internet Explorer 8, 9, or 10 (Normal and Compatibility modes)

Š

Firefox 4.0.1 and 9.0.1

Š

Firefox 21, 22, and 23 are certified iManager 2.7.7 does not support the following:

Š

Access through an iChain server with a path-based multihoming accelerator, and with Remove

Sub Path from URL enabled.

Š

Internet Explorer 10 Metro user interface view on Windows 7 and 8.

For some iManager wizards and help to work, you must enable pop-up windows in your Web browser. If you use an application that blocks pop-up windows, disable the blocking feature while working in iManager or allow pop-ups from the iManager host.

If you have configured your Web browser to not display Web site images, the iManager interface might become garbled and unusable. In Firefox v1.5.

x

, for example, users can disable image loading from

Tools

>

Options

>

Content

.

2.2

Accessing iManager

Accessing iManager varies based on the iManager version (server-based or workstation) and the platform on which iManager is running.

For information on installing iManager, see the

NetIQ® iManager Installation Guide

.

Accessing iManager

15

2.2.1

Accessing Server-based iManager

To access server-based iManager:

1

Enter one of the following in the Address (URL) field of a supported Web browser.

Š

To access iManager on the Novell Open Enterprise Server 2 (OES 2) platform:

Secure URL:

https://

<server ip address>

/nps/iManager.html

Š

To access iManager on a non-OES 2 platform:

Secure URL:

https://

<server ip address>

:8443/nps/iManager.html

NOTE:

iManager 2.7.7 uses only Tomcat 5 and 5.5 for its Web server requirements. On non-

OES 2 platforms, you must specify the Tomcat port in the URL.

In the examples, the IP address in

<server ip address>

can be either IPv4 or IPv6. For example, when accessing iManager on the OES 2 platform, the URL can either of the following:

Š

IPv4

: https://127.0.0.1/nps/iManager.html

Š

IPv6

: https://[2001:db8::6]/nps/iManager.html

Although slightly different iManager URLs might work on some platforms, NetIQ recommends using these URLs for consistency.

2

Log in using your user name, password and tree name.

2.2.2

Accessing iManager Workstation

To access iManager Workstation:

1

Execute the appropriate iManager Workstation startup script.

Linux:

Navigate to the imanager/bin

directory and execute

./iManager.sh

.

NOTE:

If you plan to run iManager Workstation as a non-root user in the future, do not run iManager as root the first time.

Windows:

Execute imanager\bin\iManager.bat

.

2

Log in by using your user name, password, and tree name

2.3

Accessing NCP Server Objects

To improve the performance of the NetWare Core Protocol (NCP) server objects, the

Modify Index

Location

option must be disabled.

To disable the

Modify index Location

option:

1

Open the config.xml

file from

<TOMCAT_HOME>

/webapps/nps/WEB-INF/config.xml

.

2

Add the following content to the config.xml

file.

<setting>

<name><![CDATA[IndexManagerPlugin_ModifyObjectTask_Disabled]]></name>

<value><![CDATA[true]]></value>

</setting>

3

Save the changes and restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

16

NetIQ® iManager Administration Guide

NOTE:

To modify the indexes of the NCP server objects, go to

Roles and Tasks

>

eDirectory Maintenance

>

Indexes

>

NCP Server Object

>

Indexes

>

Modify Index Location

.

2.4

Access Modes

When you start iManager, you are granted an

access mode

based on the rights you've been assigned. iManager has three access modes. The mode you are in is displayed on the iManager home page.

Unrestricted Access:

This is the default mode before RBS is configured. It displays all of the roles and tasks installed. Although all roles and tasks are visible, the authenticated user still needs the necessary rights to use the tasks.

There is a setting that you can add to the config.xml

file which forces Unrestricted Access, even if

Role-Based Services is installed. To force Unrestricted Access for all users, add this setting to

<TOMCAT_HOME>

\webapps\nps\WEB-INF\config.xml

, then restart Tomcat:

<setting>

<name><![CDATA[RBS.forceUnrestricted]]></name>

<value><![CDATA[true]]></value>

</setting>

For information about restarting Tomcat, see “Starting and Stopping Tomcat” on page 94

.

NOTE:

When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page:

Notice: Some of the roles and tasks are not available.

Clicking

View Details

might display a

Not supported by current authenticators

message for several of the tasks, even though the tasks work correctly. This message is misleading, and iManager removes these messages after you configure RBS.

Assigned Access:

Displays only the roles and tasks assigned to the authenticated user. This mode takes full advantage of the Role-Based Services technology.

Collection Owner:

Displays all of the roles and tasks installed in the collection. If you are a collection owner, though you are not assigned specific roles, it allows you to use all the roles and tasks in the collection. Role-Based Services must be installed in order to use this mode. Adding a group or user as a collection owner does not assign any RBS rights. To assign rights you must make explicit RBS role assignments or make trustee assignments.

NOTE:

When collection is assigned to a group, all the members of that group get the collection ownership. The collection owner sees all roles and tasks, regardless of role membership.

2.5

Authenticating

Be aware of the following issues related to iManager authentication:

Š

Section 2.5.1, “Tree Name Field,” on page 18

Š

Section 2.5.2, “Logging in to a Server without a Replica,” on page 18

Š

Section 2.5.3, “Unsuccessful Authentication,” on page 18

Accessing iManager

17

Š

Section 2.5.4, “Expired Password Information,” on page 18

Š

Section 2.5.5, “Contextless Login Using Alternate Object Classes and/or Alternate Attributes,” on page 19

NOTE:

If your network has more than three servers, or one or more servers that do not host eDirectory replicas, you must have SLP properly configured for iManager to log in. For more information, see the Novell Open Enterprise Server SLP documentation (http://www.novell.com/ documentation/oes/networking-protocols.html#slp) .

2.5.1

Tree Name Field

If eDirectory is installed and running on another port besides the default port 524, you can use the IP address or DNS name of the eDirectory server to log in if you also specify the port. For example:

Š

For an IPv4 address: https://127.0.0.1/nps/servlet/webacc?taskId=fw.Startup&forceMaster=true

Š

For an IPv6 address: https://[2001:db8::6]:1080/nps/servlet/ webacc?taskId=fw.Startup&forceMaster=true

If you use the tree name to log in, you do not have to specify a port.

Possible values for the Tree Name field are the tree name, the server IP address, and the server DNS name. For best results, use the IP address.

2.5.2

Logging in to a Server without a Replica

If necessary, iManager can log in to the eDirectory tree using a server that does not host an eDirectory replica. To do this, iManager maintains a connection cache with the information it needs to successfully log in. To populate the connection cache, the first time you login to an eDirectory tree with iManager you must log in to a server that hosts a replica.

Restarting Tomcat or the iManager server clears the connection cache, so the first time iManager logs in following one of these events, you must log in to a server that hosts a replica.

2.5.3

Unsuccessful Authentication

Login failures occur for a variety of reasons. Authentication error messages are addressed in

“Authentication Issues” on page 88 .

For information about limiting the error messages that iManager displays upon a failed authentication attempt, see

“Preventing User Name Discovery” on page 115 .

2.5.4

Expired Password Information

If a password expires, the user sees a message to this effect. However, users might not be aware that grace logins can be quickly consumed, depending on certain operations such as modifying a dynamic group, simple find, and setting a simple password.

These operations consume additional grace logins each time a user performs a task. We highly recommend that you encourage users to change their passwords the first time they are prompted.

18

NetIQ® iManager Administration Guide

2.5.5

Contextless Login Using Alternate Object Classes and/or Alternate

Attributes

To enable contextless authentication using an alternate object type, do the following:

1

Open iManager and browse to

Configure > iManager Server > Configure iManager > Authentication

.

If you do not see this task, you are not an authorized user. See “Authorized Users and Groups” on page 72 .

2

Set

Public Username

and

Password

to a user that has rights to read the desired attributes.

3

Modify

<TOMCAT_HOME>

\webapps\nps\WEB-INF\config.xml

to include a

<Setting>

property that lists the attributes you want to add to the contextless search, and then restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

For example, the following XML adds the Alias and User objects to the contextless search:

<setting>

<name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.

treename

]]></name>

<value><![CDATA[User]]></value>

<value><![CDATA[Alias]]></value>

</setting>

Similarly, the following XML allows users to log in with the

CN

or uniqueID

attribute:

<setting>

<name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.

treename

]]>

</name>

<value><![CDATA[CN]]></value>

<value><![CDATA[uniqueID]]></value>

</setting>

IMPORTANT:

Š

In the sample code above, replace

treename

with the name of the appropriate directory tree in lower case.

Š

If you save any iManager Server settings from the

Configure iManager

task after editing the config.xml

file, verify that the tree name is still in lowercase or customized contextless login will fail.

Accessing iManager

19

20

NetIQ® iManager Administration Guide

3

Navigating the iManager Interface

This section describes how to navigate through the NetIQ iManager 2.7.7 interface.

Š

Section 3.1, “iManager Interface,” on page 21

Š

Section 3.2, “Special Characters,” on page 24

3.1

iManager Interface

The iManager interface comprises three main regions, or frames.

Š

Header Frame

Š

Navigation Frame

Š

Content Frame

Figure 3-1

iManager interface with default Roles and Tasks view

NOTE:

Use only the buttons within the interface when you are navigating in iManager. Do not use the Web browser's navigation buttons (

Back

,

Next

, etc.)

Navigating the iManager Interface

21

To change the default view in Preferences, see

“Set Initial View” on page 86

.

3.1.1

Header Frame

The Header frame is a largely static frame that occupies the top of the iManager interface. It provides icons with which you can access iManager’s various views. A

view

is a combination of Navigation and Content frames that deliver specific management functionality. For example, the default Roles and Tasks view lets you select a given task in the Navigation frame, and then perform the selected task in the Content frame.

Figure 3-2

iManager Header frame

The iManager Header frame includes the following icons:

Š

Š

Home: Returns the Content frame to its default view (as in Figure 3-1).

Exit: Logs you out of eDirectory.

Š

Roles and Tasks: This view displays all the tasks you are authorized to perform in the

Navigation frame. This is iManager’s default view. For more information, see

Chapter 5, “Roles and Tasks,” on page 35 .

Š

View Objects: This view contains browsing and searching functionality to find objects, including a Tree View feature similar to that used in ConsoleOne. For more information, see

Chapter 4, “Browsing Objects,” on page 25 .

Š

Configure: This view contains Role-Based Services, iManager Server, Object Creation List,

Plug-in Installation, E-mail Notification, and Views, all of which you can configure as you want.

Š

Favorites: This view displays your most frequent tasks, selected from the Preferences >

Favorites page.

Š

Preferences: This view sets your preferences according to your most frequent tasks, how the

Object Selector displays, how your Object View displays, what view appears after logging in to iManager, and what language iManager displays in.

Š

Help: Displays applicable context-sensitive help information, as determined by the current

Content frame.

Additionally, the Header frame identifies the currently authenticated user and the tree name to iManager in the upper left.

For information on how to change iManager’s default view, see Chapter 6, “Configuring and

Customizing iManager,” on page 53 .

3.1.2

Navigation Frame

The Navigation frame resides along the left side of the iManager UI. It displays task and functionality options related to the currently selected view. For example, the default Roles and Tasks view lists all the tasks your are authorized to perform. Tasks are organized into categories. The list of categories and tasks varies based on the installed plug-ins and the rights granted to you as an authenticated iManager user.

22

NetIQ® iManager Administration Guide

Figure 3-3

Contents of the Navigation frame when in the Roles and Tasks view

The ordering of tasks within each category is determined by the author of the applicable iManager plug-in. Base plug-in tasks (those that are included with iManager) typically display before tasks from other plug-ins.

3.1.3

Content Frame

The Content frame provides the specific task or object interface, based on the current selection in the

Navigation frame.

Navigating the iManager Interface

23

Figure 3-4

The default contents of the iManager Content view

When a task is not selected, the Content frame displays the iManager homepage with general information related to your iManager access rights.

3.2

Special Characters

In iManager, some characters have special significance and must be escaped with the backslash (\) character:

NDAP (eDirectory):

Š

Period (.)

Š

Equal sign (=)

Š

Plus sign (+)

Š

Backslash (\)

LDAP:

Š

Distinguished names (DNs) and = + \ @; < >

Š

Leading #

Š

Leading or trailing spaces

For LDAP, any character can be specified with

\

xx

. See RFC 2253 (http://www.faqs.org/rfcs/ rfc2253.html) for more information.

24

NetIQ® iManager Administration Guide

4

Browsing Objects

iManager lets you manipulate and manage directory objects. There are two paradigms for doing this.

First, you can browse for and select the objects with which you want to work, and then specify the task you want to perform on those objects (object-then-task.) Second, you can select the task you want to perform, and then specify the objects to which you want to apply the task (task-then-object.) Either way of doing things is valid, and iManager lets you use the method with which you are most comfortable.

iManager provides the Object View for those from the object-then-task school, and the Object Selector for those from the task-then-object school. The Object Selector is used extensively in the Roles and

Tasks view. For more information, see Chapter 5, “Roles and Tasks,” on page 35

.

This chapter includes the following sections:

Š

Section 4.1, “Using the Object View,” on page 26

Š

Section 4.2, “Using the Object Selector,” on page 31

NOTE:

iManager 2.7.7 now supports browsing and selecting objects in an NCP-enabled file system.

Access file system objects through Server and Volume objects in the directory tree.

The ability to browse and select file system objects is available from both the Object View and the

Object Selector. However, the actual tasks available for file system objects is provided by the NSS iManager plug-in, which is available separately.

Regardless of the tool you are using, remember the following guidelines when specifying object names:

Š

If the following characters are part of a dotted eDirectory name, escape them with a backslash

(\). You don't need escape characters in most values, but you do need them when the name is a distinguished name or relative distinguished name.

Š

Period (.)

Š

Equal sign (=)

Š

Plus sign (+)

Š

Backslash (\)

Š

If the following characters are part of a name you want to specify in a search, escape them with a backslash (\):

Š

Asterisk (*)

Š

Backslash (\)

For example:

Š

To search for all objects containing a period, use = *.* as the search filter

Š

To search for all objects containing a plus, use = *+* as the search filter

Š

To search for all objects containing a backslash, use = *\\* as the search filter

Browsing Objects

25

4.1

Using the Object View

The Object view is designed to let you browse for and locate objects in the directory. Once you have selected the objects with which you want to work, you can then specify the tasks to perform on those objects. Open the Object view by selecting the View Objects icon in the Header frame.

The Object View includes the following tabs in the Navigation frame, each of which give you a different way to browse for and locate directory objects:

Š

Tree

Š

Browse

Š

Search

4.1.1

Tree

The Tree tab lets you browse a directory tree with a look and feel similar to ConsoleOne™. Tree view uses both the Navigation frame and the Content frame to provide its functionality.

Figure 4-1

The Tree Tab in iManager’s Object View

Tree View Navigation Frame

In the Tree view, the Navigation frame displays the directory structure in the familiar ConsoleOne format. The Navigation frame displays Container, including Volume (file system), objects. Click on the plus and minus icons to expand and collapse the container objects and browse the directory tree.

By default, Tree View displays up to 100 subordinate objects per container, but you can change this setting in the

Object View Preferences .

Tree View Content Frame

Selecting one of the container objects in the Navigation frame causes the Content frame to display all the objects in that container. The Content frame is where you actually manipulate directory objects.

The Content frame includes a header from which you can select from among several available actions:

Bread Crumbs:

At the very top of the Content frame, Tree view provides a bread crumb feature that lets you navigate along the containers in the current context.

26

NetIQ® iManager Administration Guide

Title Bar:

The Content frame’s title bar displays the name of the currently selected container object.

Click the Pencil icon to edit the properties of this container.

Object List Header:

The object list header provides access to the following:

Š

Menu Bar: The Content frame’s menu bar provides access to the object-related actions you can perform. Options include the following:

Š

New

: Opens a dropdown menu of “create” tasks.

Š

Edit

: Opens the property book for the selected objects so you can modify their attributes.

Selecting multiple objects of the same type lets you set attributes for all the objects to the same value.

NOTE:

You can also open a leaf object’s property book by selecting it in the object list.

Selecting a container object in the object list opens the selected container and displays all that container’s subordinate. To edit the attributes of a container object, you must select its checkbox, then click

Edit

.

Š

Delete

: Deletes the selected objects. To select an object to edit, select its checkbox in the object list.

Š

Actions

: Opens a dropdown menu of supported tasks for the selected objects. To perform a task, select it from the dropdown menu and provide the required information.

NOTE:

If you have configured RBS, the Actions menu displays only those tasks in your assigned roles.

Š

Object Count

: To the right of the menu bar, Tree view lists the number of objects in the current page and the total number of objects in the selected container.

Š

Select All

: The checkbox in the header functions as a “select all” checkbox for the current page of objects.

Š

Sort

: Directly above the Object list is a “Name” column heading and a sort icon . Click either of these to toggle the object sort between ascending and descending alphabetical order.

Š

Define Filter

: At the far right of the header, under the object count, is the object filter icon .

Select this icon to create a filter that limits the objects displayed in the object list. You can filter on object type and object name, as needed.

Select

Show All Containers

to display container objects in the Object List regardless of the defined filter.

Select Advanced Filter

to open the Advanced Filter dialog that lets you create a filter using almost any object attribute. For more information, see

“Advanced Selection” on page 36 .

NOTE:

When a filter is active, the filter icon changes to a colored icon , and the filter setting is listed next to the icon. If you configure an advanced filter, iManager displays a checkmark icon

next to the filter icon.

Object List:

The Content frame’s object list displays all objects in the container currently selected in the Navigation frame. By default, the object list displays 100 objects on a page, but you can change this setting in the

Object View Preferences .

To perform an action on an object, select its checkbox, then select the action from the Object List header. Select the (current level) object to perform an action on the container in which you are currently browsing.

Select the double-period object to navigate up one level to the parent container.

Browsing Objects

27

IMPORTANT:

Tree view does not support selecting objects across multiple pages in the object list. If you need to do this, use Object View’s Browse tab to perform the multiple object action. For more

information, see “Browse” on page 28 .

4.1.2

Browse

The Browse tab leverages a user interface and functionality similar to the Object Selector to provide a directory browsing tool. For information on navigating the Browse user interface, see

“Using the

Object Selector” on page 31 .

Figure 4-2

The Browse tab in iManager’s Object View

The Browse tab uses only the Navigation frame to provide its functionality. It includes the following primary components:

Object Filter:

Located at the top of the Navigation frame, the object filter lets you limit the objects displayed in the object list. Once defined, click

Apply

to use the filter.

IMPORTANT:

The object filtering in the Browse tab only applies to directory objects. It does not filter file system objects, even though they might be visible in the Browse tab.

The object filter uses the following fields:

Š

Context: Displays only those objects in the specified context. This is identical to opening the container from the object list.

Š

Name: Displays only those objects that conform to the specified name filter. Use the asterisk (*) wildcard to specify a partial name. For example: ldap*

,

*cert

,

*server*

.

Š

Type: Displays only those objects of the type specified.

28

NetIQ® iManager Administration Guide

NOTE:

If you select a specific object type, a plus icon [+] appears that lets you open the

Advanced Selection tool, from which you can specify additional, attribute-level filter settings.

For more information, see “Advanced Selection” on page 36

.

Š

Load/Save: These two links let you load a previously defined filter definition and save the current filter so it can be re-used, respectively.

Multiple Select / Single Select:

Located above the right side of the object list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task.

The default option is Single Select. For more information, see “Selecting and Filtering Objects” on page 35 .

Object List:

Displays a list of directory objects, as defined by the criteria in the Object Filter. By

default, the object list displays 100 objects on a page, but you can change this value in the Object View

Preferences

. Use the

Previous

and

Next

buttons to navigate between object pages. You can navigate amongst the objects in the object list by doing the following:

Š

Select the down arrow icon next to a container object to open that container and view its objects in the object list.

Š

Select the up arrow icon at the top of the object list to view the contents of the current container’s parent. This moves you up one level in the directory tree.

Š

Select an object, either container or leaf, to open a window with the available tasks for that type of object. Selecting a task opens that tasks UI in the Content frame.

4.1.3

Search

The Search tab is similar to the Browse tab, but instead of displaying a tree structure in the

Navigation frame, it displays only those objects resulting from the specified search.

Browsing Objects

29

Figure 4-3

The Search tab in iManager’s Object view

The Search tab uses only the Navigation frame to provide its functionality. It includes the following primary components:

Object Search:

Located at the top of the Navigation frame, the object search lets you define the search criteria. Once defined, click

Search

to perform the specified search operation.

IMPORTANT:

The object filtering in the Search tab only applies to directory objects. It does not filter file system objects, even though they might be visible in the Search tab.

You can define your search using the following fields:

Š

Context: Specifies the starting container for the search operation. If you want the search to include subordinate containers, select

Search sub-containers

.

Š

Name: Defines the object name filter for this search. Use the asterisk wildcard to specify a partial name. For example: ldap*

,

*cert

,

*server*

.

Š

Type: Defines the object type filter for this search. iManager only displays objects of the specified type.

NOTE:

If you select a specific object type, a plus icon [+] appears that lets you open the

Advanced Selection tool, from which you can specify additional, attribute-level filter settings.

For more information, see “Advanced Selection” on page 36

.

Š

Load/Save: These links let you load a previously defined search definition and save the current search so it can be re-used, respectively.

30

NetIQ® iManager Administration Guide

Multiple Select / Single Select:

Located above the right side of the results list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task.

The default option is Single Select. For more information, see “Selecting and Filtering Objects” on page 35 .

Results List:

Displays the results of the search operation. By default, the object list displays 100

objects on a page, but you can change this value in the Object View Preferences . Use the

Previous and

Next

buttons to navigate between results pages. Select an object, either container or leaf, to open a window with the available tasks for that type of object. Selecting a task opens that tasks UI in the

Content frame.

NOTE:

The Search tab does not let you navigate objects, such as opening container objects, in the results list. If you want to be able to do this, use the Tree tab or the Browse tab.

4.2

Using the Object Selector

The Object Selector lets you select the objects with which you want to work in the current task. iManager provides this tool in any situation where you are selecting a task or action before specifying the objects to which the task or action is applied.

Access the Object Selector by selecting the magnifying glass icon anywhere it appears in the

Content frame. The Object Selector opens in its own window on top of iManager.

Figure 4-4

iManager’s Object Selector

Browsing Objects

31

Object Selector includes two tabs for locating target objects for the tasks you want to perform:

Š

Section 4.2.1, “Browse,” on page 32

Š

Section 4.2.2, “Search,” on page 32

4.2.1

Browse

The Browse tab (default) lets you navigate the directory tree to search for the desired objects. It includes the following primary components:

Object Filter:

Located on the left side of the Object Selector, the object filter lets you limit the objects displayed in the Contents list. Once defined, click Apply to use the filter. The object filter uses the following fields:

Š

Look in: Displays only those objects in the specified context. This is identical to opening the container from the Contents list.

Š

Look for objects named: Displays only those objects that conform to the specified name filter.

Use the asterisk (*) wildcard to specify a partial name. For example: ldap*

,

*cert

,

*server*

.

Š

Advanced Browsing: This link opens the Advanced Selection tool, from which you can specify additional, attribute-level filter settings. For more information, see

“Advanced Selection” on page 36

.

Š

Load Criteria/Save Criteria: These two links let you load a previously defined filter definition and save the current filter so it can be re-used, respectively.

Contents List:

Displays a list of directory objects, as defined by the criteria in the object filter. By default, the object list displays 100 objects on a page, but you can change this number, if desired. Use the

Previous

and

Next

buttons to navigate between object pages. You can navigate amongst the objects in the Contents list by doing the following:

Š

Select the down arrow icon next to a container object to open that container and view its objects in the Contents list.

Š

Select the up arrow icon at the top of the object list to view the contents of the current container’s parent. This moves you up one level in the directory tree.

Š

Selecting an object causes iManager to identify that object as one on which you want to perform the current task.

Selected Objects:

This component only appears when you are selecting multiple objects for the current task. The Selected Objects field lists the objects currently selected for the task. Click

OK

when the list is complete. Click Clear All if you want to empty the selected objects list and start over.

For more information about selecting single or multiple objects for a task, see

“Selecting and Filtering

Objects” on page 35

.

4.2.2

Search

The Search tab lets you specify a search operation to perform on the directory tree and display the results. It includes the following primary components:

Object Search:

Located on the left side of the Object Selector, the object search lets you define the search criteria. Once defined, click Search to perform the specified search operation. You can define your search using the following fields:

Š

Start search in: Specifies the starting container for the search operation. If you want the search to include subordinate containers, select

Search sub-containers

.

32

NetIQ® iManager Administration Guide

Š

Search for objects named: Defines the object name filter for this search. Use the asterisk wildcard to specify a partial name. For example: ldap*

,

*cert

,

*server*

.

Š

Advanced Browsing: This link opens the Advanced Selection tool, from which you can specify

additional, attribute-level search settings. For more information, see “Advanced Selection” on page 36

.

Š

Load Criteria/Save Criteria: These two links let you load a previously defined search definition and save the current filter so it can be re-used, respectively.

Multiple Select / Single Select:

Located above the right side of the results list, this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task.

The default option is Single Select. For more information, see “Selecting and Filtering Objects” on page 35 .

Results List:

Displays the results of the search operation. By default, the results list displays 100 objects on a page, but you can change this number, if desired. Use the

Previous

and

Next

buttons to navigate between results pages.

NOTE:

The Search tab does not let you navigate objects, such as opening container objects, in the results list. If you want to be able to do this, use Object Selector’s Browse tab.

Selected Objects:

This component only appears when you are selecting multiple objects for the current task. The Selected Objects field lists the objects currently selected for the task. Click

OK

when the list is complete. Click Clear All if you want to empty the selected objects list and start over.

For more information about selecting single or multiple objects for a task, see

“Selecting and Filtering

Objects” on page 35

.

Browsing Objects

33

34

NetIQ® iManager Administration Guide

5

Roles and Tasks

Selecting the Roles and Tasks view in the Header frame displays all of iManager’s available roles and tasks in the Navigation frame. iManager groups related roles and tasks into categories. However, you can create custom category groups and assign roles and tasks to them. For more information, see

“The Category Tab” on page 64

.

This section includes the following topics:

Š

Section 5.1, “Navigating Roles and Tasks,” on page 35

Š

Section 5.2, “Directory Administration,” on page 39

Š

Section 5.3, “Groups,” on page 41

Š

Section 5.4, “Help Desk,” on page 43

Š

Section 5.5, “Partitions and Replicas,” on page 44

Š

Section 5.6, “Rights,” on page 46

Š

Section 5.7, “Schema,” on page 47

Š

Section 5.8, “Users,” on page 50

The first section in this chapter introduces Roles and Tasks navigation. The remaining sections provide a detailed description of the tasks available in iManager’s core set of roles and tasks. For information about the roles and tasks provided by a product-specific plug-in, consult that product’s documentation.

In addition to the Roles and Tasks view, you can configure iManager’s Favorites view to display your

most frequently used tasks. For more information, see “Manage Favorites” on page 85

.

5.1

Navigating Roles and Tasks

Navigating iManager’s tasks is a straight-forward process that includes the following general steps:

1

(Navigation frame) Open the category that contains the desired task.

2

(Navigation frame) Select the desired task from the category’s list of tasks.

3

(Content frame) Provide the necessary information to complete the task. When applicable, this includes specifying those objects to which the task is applied.

For information about selecting objects to which the task will apply, see “Selecting and Filtering

Objects” on page 35 .

4

(Content frame) Click

OK

to perform the task.

5.1.1

Selecting and Filtering Objects

For those tasks that can be applied to more than one object at a time (for example, Modify User), iManager provides options, selectable in the Content frame, for locating the desired objects.

Roles and Tasks

35

Figure 5-1

Object selection options in a task

Select a Single Object

This is the default object selection method. Select a Single Object lets you specify a single object to which the task is applied. When using the Object Selector to locate the object, selecting an object automatically closes the Object Selector and inserts the selected object in the task’s object name field.

For more information about the Object Selector, see “Using the Object Selector” on page 31

.

Select Multiple Objects

Select Multiple Objects modifies the tasks object name field to accept a list of objects instead of only one object. The Object Selector also runs in “multiple object” mode so that you can select more than

one object at a time. For more information about the Object Selector, see “Using the Object Selector” on page 31

.

Simple Selection

Simple Selection opens a basic search tool in the Content frame. With this tool, you can search for objects in the directory tree based on a specified property value.

Figure 5-2

Basic object filter in a task

The

attribute

list has a list of attributes on which you can perform the Search operation.

The

operator

list has a list of various operators to be used for the Search operation.

If you want the objects, which result after performing the search operation, to be sorted, select

Sort the resulting objects

.

Simple Selection includes the following limitations:

Š

Searches the entire directory tree

Š

Does not support wildcards in the search criteria

Š

Supports only “starts with” and “equals” filters for property values

Advanced Selection

Advanced Selection provides a more configurable environment for searching the directory for the desired objects.

36

NetIQ® iManager Administration Guide

Figure 5-3

iManager’s Advanced Selection Interface

Advanced Selection gives you more granular control over the object filter used during the search operation. You can configure advanced selection options using the following fields:

Object Type:

Specifies the object base class for which you are searching. For example, User.

Container:

Specifies the container at which you want to start the search. To search subordinate containers, select

Include sub-containers

.

Filter:

Specifies a filter to apply to the search. Select the Filter icon to open a separate window from which you can define the filter. Click

OK

when the filter is done.

Figure 5-4

iManager’s Advanced Filter dialog

The Filter interface includes the following fields:

Aux Classes:

Specifies an Auxiliary Class to include in the search.

Roles and Tasks

37

Attribute:

Specifies an attribute (property) that you want to utilize as part of the filter.

Operator:

Specifies the logical operator to apply to the filter. Options include

Value:

Specifies the attribute value you are using as a filter. You can use the asterisk (*) as a wildcard to indicate part of a value. For example, smi*, *th, and *mit*.

Additionally, you can chain multiple attribute filters together into a filter group by using the + icon to add a second attribute to the list. When using multiple attribute filters, link them together with a logical AND or logical OR.

After you define a filer, click

Preview

, and click

OK

, the Modify Object screen is displayed. It displays the attributes defined for the objects in the container. The common attribute values are listed. For

example, as per Figure 5-5

the First name, Last name, and Full name attributes have common value

(s) for all the objects in the specified container. The attributes whose fields are empty indicate that those attributes does not hold a common value for all the objects. You can add values to these attributes, as well.

Figure 5-5

The Modify Object Screen

You can do the following tasks to the attributes and all the objects in the container are updated:

38

NetIQ® iManager Administration Guide

Ignore:

Is used not to update any changes to the objects.

Replace:

Is used to replace an existing attribute value in the list. To replace, double-click the value, make the changes, and press

Enter.

Then, click

Replace

.

Add:

Is used to add values to an attribute. You can add more than one value to an attribute. For example, you have more than one First Names for all the objects.

Remove:

Is used to remove attribute values. To remove an attribute value (s):

1

If the attribute has more than one values, you must first hide the values that you do not want to remove by pressing the

Delete

key on your keyboard. This is done because the

Remove

option removes all the values listed. So, you must first hide the values that need not be removed.

Only the values that have to be deleted are displayed in the attribute list.

2

Click

Remove

from the drop-down list.

The specified values are deleted and the values that you hide are displayed in the list.

5.2

Directory Administration

Directory administration involves the management of objects in your directory tree. You can create, edit, and organize objects.

Š

Section 5.2.1, “Copying an Object,” on page 39

Š

Section 5.2.2, “Creating an Object,” on page 40

Š

Section 5.2.3, “Deleting an Object,” on page 40

Š

Section 5.2.4, “Modifying an Object,” on page 40

Š

Section 5.2.5, “Moving an Object,” on page 40

Š

Section 5.2.6, “Renaming an Object,” on page 41

For more information about eDirectory objects, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.2.1

Copying an Object

You can either create a new object with the same attribute values as an existing object, or copy attribute values from one object to another.

1

In Roles and Tasks, click

Directory Administration

>

Copy Object

.

2

In the

Object to Copy From

field, type the name and context of the object or use the Object Selector to find it.

3

Select one of the following options:

Š

Create New Object and Copy Attribute Values

Š

Copy Attribute Values to an Existing Object

The attributes whose class is not extended by the copied object, are not copied.

4

Select

Copy ACL Rights

if you want to copy access control list (ACL) rights to this object.

This step might take additional processing time, depending on your system and networking environment.

Roles and Tasks

39

NOTE:

The copy object operation does not copy the following object attributes:

Š

ACL (unless you select

Copy ACL Rights

)

Š

CN

Š

DirXML-Associations

Š

Equivalent To Me

Š

Group Membership

Š

Member

Š

Security Equals

Š

Any naming attribute

Š

Any Read Only attribute

Š

Any RBS attribute

5.2.2

Creating an Object

1

In Roles and Tasks, click

Directory Administration

>

Create Object

.

2

Select the object class from the list that appears, then click

OK

.

3

Specify the requested information that appears according to the object class you selected, then click

OK

.

If you are using Firefox, click the + symbol to add information instead of typing directly in the field.

4

When the confirmation message appears, click

OK

,

Repeat Task

, or

Modify

.

5.2.3

Deleting an Object

1

In Roles and Tasks, click

Directory Administration

>

Delete Object

.

2

Type the name and context of the object, or use the Object Selector to find it, and click

OK

.

A confirmation message appears indicating the object was successfully deleted.

5.2.4

Modifying an Object

1

In Roles and Tasks, click

Directory Administration

>

Modify Object

.

2

Type the name and context of the object or use the Object Selector to find it, then click

OK

.

The Modify Object page displays pages with the selected object’s attributes.

3

Modify the object as desired, then click

OK

.

If you are using Firefox, click the + symbol to add information instead of typing directly in the field.

5.2.5

Moving an Object

1

In Roles and Tasks, select

Directory Administration

>

Move Object

.

Type the name and context of the object or use the Object Selector to find it, then click

OK

.

2

In the

Move To

field, select the container to which you want to move the object.

40

NetIQ® iManager Administration Guide

3

Select

Create an Alias in Place of Moved Object

to create an alias in an old location for each object being moved.

4

Click

OK

.

A confirmation message appears indicating the move object operation was successful.

5.2.6

Renaming an Object

1

In Roles and Tasks, select

Directory Administration

>

Rename Object

.

2

Type the name and context of the object or use the search feature to find it.

Type only the name of the new object. Do not include a context.

3

Select to save the old name, if you want to save it.

This saves the old name as an additional unofficial value of the Name property. Saving the old name lets users search for the object based on that name. After renaming the object, you can view the old name in the

Other Name

field on the object’s

General Identification

tab.

4

Select

Create an Alias in Place of Renamed Object

, if you want to create an alias for the object being named.

This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to use the new object name.

5

Click

OK

.

A confirmation message appears indicating that the object renaming operation was successful.

5.3

Groups

Any user who creates a group automatically becomes the owner of the group. Available group operations include the following:

Š

Section 5.3.1, “Creating a Group,” on page 41

Š

Section 5.3.2, “Deleting a Group,” on page 42

Š

Section 5.3.3, “Modifying a Group,” on page 42

Š

Section 5.3.4, “Modifying Members of Group,” on page 42

Š

Section 5.3.5, “Move Group,” on page 42

Š

Section 5.3.6, “Rename Group,” on page 43

Š

Section 5.3.7, “Viewing My Groups,” on page 43

For more information about using and configuring Group objects, see the

NetIQ eDirectory 8.8 SP8

Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.3.1

Creating a Group

1

In Roles and Tasks, select

Groups

>

Create Group

.

2

In the Create Group page, provide the required information, then click

OK

.

Select

Dynamic Group

to make the new group a dynamic group, of the class dynamicGroup.

Otherwise, the group is created as a static group, or the class Group.

Select

Set Owner

to make the creator of a group object the group owner. The group’s Owner attribute is set to the DN of iManager’s logged-in user. Deselect

Set Owner

to leave the Owner attribute undefined.

Roles and Tasks

41

Select

Nested Group

to make the new group a nested group so that the group is created with auxiliary class nestedGroupAux

.

NOTE:

You can convert a static group to a dynamic group after the fact by using the

Modifying a Group

option. This extends the selected Group object to belong to the dynamicGroupAux class.

A group can be either nested or dynamic. You cannot create a group that is both nested and dynamic.

You can convert a static group to a nested group by using the

Modifying a Group

option. This makes the selected group object belong to the nestedGroupAux class.

5.3.2

Deleting a Group

1

In Roles and Tasks, select

Groups

>

Delete Group

.

2

In the Delete Group page, specify the name of the group object to delete, or use the Object

Selector to locate it, then click

OK

.

The Delete Group page lets you Select a single object, Select multiple objects, or use Advanced

Selection option to specify the object to delete.

5.3.3

Modifying a Group

1

In Roles and Tasks, select

Groups

>

Modify Group

.

2

In the Modify Group page, specify the name of a Group object, or use the Object Selector to locate it, then click

OK

.

3

Make the desired changes to the Group object’s attributes, then click

OK

.

NOTE:

If you modify a static group to be a dynamic group, and you are using RBS, you must enable dynamicGroupAux class support. To do this, open

Configure

>

iManager Server

>

Configure iManager

>

RBS

>

Dynamic Group Search Type

. Select

DynamicGroupObjects&AuxClasses

from the drop-down menu, then click

Save

.

You cannot convert a dynamic group to a nested group and vice versa.

5.3.4

Modifying Members of Group

This task lets you make simultaneous identical modifications to the attributes of all member objects of a specified group.

1

In Roles and Tasks, select

Groups

>

Modify Members of Group

.

2

In the Modify Members of Group page, specify the name of a Group object, or use the Object

Selector to locate it, then click

OK

.

3

Make the desired changes to the member object’s attributes, then click

OK

.

5.3.5

Move Group

This link redirects you to the Move an Object task. For more information, see “Moving an Object” on page 40 .

42

NetIQ® iManager Administration Guide

5.3.6

Rename Group

This option is identical to the Rename an Object task. For more information, see “Renaming an

Object” on page 41 .

5.3.7

Viewing My Groups

This page displays the groups that you own. From it, you can create a new group, and edit or delete an existing group.

5.4

Help Desk

Help Desk provides access to a limited number of user-related tasks. The user who owns this role can do the following:

Š

Section 5.4.1, “Clearing a Lockout,” on page 43

Š

Section 5.4.2, “Creating a User,” on page 43

Š

Section 5.4.3, “Setting a Password,” on page 43

For more information about User objects, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.4.1

Clearing a Lockout

A user can be locked out for entering the wrong password too many times or trying to log in with an expired password.

1

In Roles and Tasks, select

Help Desk

>

Clear Lockout

.

2

In the Clear Lockout page, specify the name of a User object, or use the Object Selector to locate it, then click

OK

.

5.4.2

Creating a User

To create a new user object:

1

In Roles and Tasks, select

Help Desk

>

Create User

.

Fill out the necessary user information, as described in “Creating a User” on page 50

.

5.4.3

Setting a Password

1

In Roles and Tasks, select

Help Desk

>

Set Password

.

2

In the Set Password page, specify the name of the User Object. Use the Object Selector to browse for the User Object or use Simple Selection to search for it.

3

Specify the new password for the selected User object (twice), then click

OK

.

Select

Set simple password

to define a simple password, which is required for native file access for

Windows* and Macintosh* users. It is not necessary when Universal Password is enabled.

Roles and Tasks

43

5.5

Partitions and Replicas

Partition and replica operations let you manage eDirectory’s physical design and distribution across your directory servers, and includes the following tasks:

Š

Section 5.5.1, “Creating a Partition,” on page 44

Š

Section 5.5.2, “Merging a Partition,” on page 44

Š

Section 5.5.3, “Moving a Partition,” on page 44

Š

Section 5.5.4, “Viewing Replica Information,” on page 45

Š

Section 5.5.5, “Viewing Partition Information,” on page 45

Š

Section 5.5.6, “Using the Filtered Replica Wizard,” on page 45

For information about partitions and replicas, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.5.1

Creating a Partition

Partitions create logical divisions of the eDirectory tree. For example, if you choose an Organizational

Unit and create it as a new partition, you split the Organizational Unit and all of its subordinate objects from its parent partition. The Organizational Unit you choose becomes the root of a new partition. The replicas of the new partition exist on the same servers as the replicas of the parent, and objects in the new partition belong to the new partition’s root object.

1

In Roles and Tasks, select

Partitions and Replicas

>

Create Partition

.

2

In the Create Partition page, specify the container to use as the root of the new partition, or use the Object Selector to locate it, then click

OK

.

A confirmation message appears indicating that the partition create operation was successful.

5.5.2

Merging a Partition

Merging a partition effectively recombines it with its parent partition. Creating and merging partitions is how you determine how the directory is logically divided.

1

In Roles and Tasks, select

Partitions and Replicas

>

Merge Partition

.

2

In the Merge Partition page, specify the partition to merge with its parent, or use the Object

Selector to locate it, then click

OK

.

To specify a partition, specify the Container object that acts as the partition root.

A confirmation message appears indicating that the partition create operation was successful.

5.5.3

Moving a Partition

Moving a partition lets you move a subtree in your directory tree. This is also known as a prune and graft operation. You can only move partitions that have no subordinate partitions. If subordinate partitions exist, you must first merge those partitions before performing the move operation.

When you move a partition, eDirectory changes all references to the partition Root object. Although the object’s common name remains unchanged, the complete name of the container (and of all its subordinates) changes.

44

NetIQ® iManager Administration Guide

NOTE:

When you move a partition, you must follow eDirectory containment rules. For example, you cannot move an Organizational Unit directly under the root of the directory tree, because the root’s containment rules permit only Locality, Country, or Organization objects, but not Organizational

Unit objects.

1

In Roles and Tasks, select

Partitions and Replicas

>

Merge Partition

.

2

In the Move partition page, specify the required information, then click

OK

.

Š

The

Object name

field specifies the partition to move, or use the Object Selector to locate i

Š

The

Move to

field specifies the Container object into which you want to move the specified partition.

Š

The Create an alias in place of moved object creates a pointer to the partition’s new location.

This allows any operations that are dependent on the old location to continue uninterrupted until you can update those operations to reflect the new location. Users can continue to log in to the network and find objects in the original directory location.

WARNING:

Make sure your directory tree is synchronizing correctly before you move a partition. If you have any errors in synchronization in either the partition you want to move or the destination partition, do not perform a move partition operation. First, fix the synchronization errors. After moving the partition, if you don’t want the partition to remain a partition, merge it with its parent partition.

5.5.4

Viewing Replica Information

Viewing a replica tells you about its current state. An eDirectory replica can be in various states depending on the partition or replication operations it is undergoing.

1

In Roles and Tasks, click

Partitions and Replicas

>

Replica View

.

2

In the Replica View page, specify the partition or server whose replica table you want to view, then click

OK

.

A table appears listing the replica Partition, Type, Filter, and State. For information about replica states, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/ documentation/edir88/edir88/data/bookinfo.html) .

5.5.5

Viewing Partition Information

1

In Roles and Tasks, select

Partitions and Replicas

>

View Partition Information

.

2

In the Partition Information page, specify the partition for which you want to view information, then click

OK

.

To specify a partition, specify the Container object that acts as the partition root.

5.5.6

Using the Filtered Replica Wizard

Filtered replicas maintain a filtered subset of information from an eDirectory partition (objects or object classes along with a filtered set of attributes and values for those objects). The Filtered Replica

Wizard steps you through the configuration of the filtered replicas on the selected server.

1

In Roles and Tasks, select

Partitions and Replicas

>

Filtered Replica Wizard

.

2

Specify the name and context of the server on which you want to configure a filtered replica, or use the Object Selector to find it, then click

Next

.

Roles and Tasks

45

3

Click Define the Filter Set to specify the classes and attributes for a filter set on the selected server, then click

Next

.

The replication filter contains the set of eDirectory classes and attributes you want to host on this server’s set of filtered replicas.

4

Click

Finish

.

For more information about filtered replicas, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.6

Rights

Rights refers to eDirectory trustee rights and trustees. When you create a tree, the default rights assignments give your network generalized access and security. iManager lets you perform the following rights-related tasks:

Š

Section 5.6.1, “Modifying the Inherited Rights Filter,” on page 46

Š

Section 5.6.2, “Modifying Trustee Rights,” on page 46

Š

Section 5.6.3, “Rights to Other Objects,” on page 47

Š

Section 5.6.4, “Viewing Effective Rights,” on page 47

For more information about eDirectory rights, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.6.1

Modifying the Inherited Rights Filter

Both eDirectory and the NetWare file system provide an Inherited Rights Filter (IRF) mechanism to block rights inheritance on individual subordinate items. One exception is that the Supervisor right can’t be blocked in the NetWare file system.

For more information about Inherited Rights Filters, see the

NetIQ eDirectory 8.8 SP8 Administration

Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

1

In Roles and Tasks, select

Rights

>

Modify Inherited Rights Filter

.

2

Specify the full name of the object whose inherited rights filter you want to modify, or use the

Object Selector to find it, then click

OK

.

This displays a list of the inherited rights filters that have already been set on the object.

3

On the property page, edit the list of inherited rights filters as needed, then click

OK

.

To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.

5.6.2

Modifying Trustee Rights

A trustee is one object that has been granted explicit rights to another object in your directory tree. To modify the trustee list for a given object:

1

In Roles and Tasks, select

Rights

>

Modify Trustees

.

2

Specify, or use the Object Selector to find, the name of the object whose trustee list you want to view, then click

OK

.

This opens a list of the object’s currently assigned trustees.

46

NetIQ® iManager Administration Guide

3

Modify the trustee list as needed, then click

OK

.

Š

Add a trustee by clicking

Add Trustee

.

Š

Remove a trustee by selecting its check box and clicking

Remove Selected

.

Š

Modify a trustee’s rights assignment by selecting the

Assigned Rights

link for that trustee.

5.6.3

Rights to Other Objects

This task allows you to view and modify the list of objects to which an object is a trustee.

1

In Roles and Tasks, select

Rights

>

Rights To Other Objects

.

2

In the Rights To Other Objects page, provide the required information, then click

OK

.

Š

Specify the name of the object in

Trustee name

.

Š

Specify the context in which you want to search for objects that have this trustee in

Context to search from

.

Select

Search entire subtree

to search all containers under the specified context.

3

Modify the object list as needed, then click

OK

.

Š

Add explicit rights to another object by clicking

Add Object

.

Š

Remove explicit rights to an object by selecting its check box and clicking

Remove Selected

.

Š

Modify the explicit rights granted to an object by selecting the

Assigned Rights

link for that object.

5.6.4

Viewing Effective Rights

Effective rights is the combination of explicit and inherited rights that an object has at any point in the directory tree. To view an object’s effective rights to another object:

1

In Roles and Tasks, select

Rights

>

View Effective Rights

.

2

Specify, or use the Object Selector to find, the name of the trustee whose rights you want to view, then click

OK

.

3

In the Object name field, specify the name of the object for which you want to calculate the trustee’s effective rights.

eDirectory calculates the effective rights and displays them in the

Effective Rights

field.

4

Click

Done

when finished.

5.7

Schema

The directory schema defines the types of objects that can be created in your tree (such as Users,

Printers, and Groups) and what information is required or optional at the time the object is created. iManager provides the following schema-related tasks:

Š

Section 5.7.1, “Adding an Attribute,” on page 48

Š

Section 5.7.2, “Viewing Attribute Information,” on page 48

Š

Section 5.7.3, “Viewing Class Information,” on page 48

Š

Section 5.7.4, “Creating an Attribute,” on page 49

Š

Section 5.7.5, “Creating a Class,” on page 49

Š

Section 5.7.6, “Deleting an Attribute,” on page 49

Roles and Tasks

47

Š

Section 5.7.7, “Deleting a Class,” on page 49

Š

Section 5.7.8, “Extending a Schema,” on page 49

Š

Section 5.7.9, “Extending an Object,” on page 50

For more information about eDirectory schema, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.7.1

Adding an Attribute

You can add optional attributes to existing classes if your organization’s information needs change or if you are preparing to merge trees. To add an attribute to an existing class:

NOTE:

Mandatory attributes can be defined only while creating a class. A mandatory attribute is one that must be completed when an object is being created.

1

In Roles and Tasks, select

Schema

>

Add Attribute

.

2

Select the class you want to add an attribute to, then click

OK

.

3

Select the attributes you want to add, then click

OK

.

Select the desired attributes from the

Available Optional Attributes

list, then click the

Right-arrow

to add these attributes to the

Add These Optional Attributes

list. Use the

Left-arrow

to remove attributes from

Add These Optional Attributes

.

Objects you create of this class now have the properties you added. To set values for the added properties, use the generic Other property page of the object.

5.7.2

Viewing Attribute Information

You can view an attribute’s structural details such as Syntax, flags and Classes that use the attribute.

To see an attribute’s information:

1

In Roles and Tasks, select

Schema

>

Attribute Information

.

2

Select the attribute for which you want to see information, then click

View

.

The Content frame displays information related to the selected attribute.

3

When finished, click

Close

.

5.7.3

Viewing Class Information

The Class Information page displays information about the selected class and lets you add attributes.

During class creation, if the class is specified to inherit attributes from another class, the inherited attributes are classified as they are in the parent class. For instance, if Object Class is a mandatory attribute for the parent class, then it displays on this screen as a mandatory attribute for the selected class.

To see a Class’s information:

1

In Roles and Tasks, select

Schema

>

Class Information

.

2

Select the class for which you want to see information, then click

View

.

The Content frame displays information related to the selected class. To add an attribute to the class, select

Add a new attribute

. To view the class’s parent class, select

View superclass

.

3

When finished, click

Close

.

48

NetIQ® iManager Administration Guide

5.7.4

Creating an Attribute

You can define your own custom types of attributes and add them as optional attributes to existing object classes. However, you cannot add mandatory attributes to existing classes. To create an attribute:

1

In Roles and Tasks, click

Schema

>

Create Attribute

.

2

Follow the steps in the Create Attribute Wizard to complete the attribute creation procedure.

5.7.5

Creating a Class

An auxiliary class is a set of properties (attributes) added to particular object rather than to an entire class of objects. For example, an e-mail application could extend the schema of your eDirectory tree to include an E-Mail Properties auxiliary class and then extend individual objects with those properties as needed.

Using Schema Manager, you can define your own auxiliary classes. You can then extend individual objects with the properties defined in your auxiliary classes. To create an auxiliary class:

1

In Roles and Tasks, click

Schema

>

Create Class

.

2

Follow the steps in the Create Class Wizard to define the new class.

5.7.6

Deleting an Attribute

You can delete unused attributes that aren’t part of the base schema of your eDirectory tree. This might be useful after merging two directory trees, or if an attribute has become obsolete over time. To delete an attribute:

1

In Roles and Tasks, click

Schema

>

Delete Attribute

.

2

Select the attribute you want to delete, then click

Delete

.

Only attributes that you can delete are displayed.

5.7.7

Deleting a Class

You can delete unused classes that aren’t part of the base schema of your eDirectory tree. iManager prevents you from deleting classes that are currently being used in locally replicated partitions. To delete a class:

1

In Roles and Tasks, click

Schema

>

Delete Class

.

2

Select the class you want to delete, then click

Delete

.

Only classes that are allowed to be deleted are shown.

5.7.8

Extending a Schema

You can extend the schema of a tree by creating a new class or attribute. To extend the schema of your eDirectory tree, you need Administrator/Supervisor right to the entire tree. To extend the schema:

1

In Roles and Tasks, click

Schema

>

Extend Schema

.

2

Follow the ICE Wizard through the import, export, migration of data, or schema update and compare operations.

Roles and Tasks

49

5.7.9

Extending an Object

1

In Roles and Tasks, click

Schema

>

Object Extensions

.

2

Specify the name and context of the object you want to extend, then click

OK

.

3

Depending on whether the auxiliary class that you want to use is already listed under Current

Auxiliary Class Extensions, click one of the following:

Š

Yes

: Quit this procedure. See Modifying an Object’s Auxiliary Properties in the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/ edir88/data/bookinfo.html) , instead.

Š

No

: Click

Add

, select the auxiliary class, then click

OK

.

4

Click

Close

.

You can also add or remove auxiliary classes at once for multiple objects.

1

In Roles and Tasks, click

Schema > Object Extensions

.

2

Click the

Select Multiple Objects

tab.

2a

Select the objects that you want to extend, then click

OK

.

The list of auxiliary class extensions is displayed which are common to all the selected objects.

2b

To add an auxiliary class, click

Add

, select the required auxiliary class, then click

OK

.

2c

To delete an existing auxiliary class, select the class, then click

Remove

.

3

Click

Close

to exit the page.

5.8

Users

Managing users and their network access is a central purpose of the directory. iManager provides the following user-related tasks:

Š

Section 5.8.1, “Creating a User,” on page 50

Š

Section 5.8.2, “Deleting a User,” on page 51

Š

Section 5.8.3, “Disabling an Account,” on page 51

Š

Section 5.8.4, “Enabling an Account,” on page 51

Š

Section 5.8.5, “Modifying a User,” on page 52

Š

Section 5.8.6, “Moving a User,” on page 52

Š

Section 5.8.7, “Renaming a User,” on page 52

For more information about user objects in the directory, see the

NetIQ eDirectory 8.8 SP8

Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

5.8.1

Creating a User

To create a new user object:

1

In Roles and Tasks, select

User

>

Create User

.

2

In the Create User page provide, at a minimum, the required user-related information, then click

OK

.

Š

Username

50

NetIQ® iManager Administration Guide

Š

Last Name

Š

Context

Š

Password

(twice)

IMPORTANT:

If you fail to enter a password, you are prompted to either allow the user to log in without a password (not recommended) or require a password for login.

Select

Set simple password

to define a simple password, which is required for native file access for

Windows* and Macintosh* users. It is not necessary when Universal Password is enabled.

Select

Copy from template or user object

to create a user based on an existing Template or User object. When copying from a user object, iManager allows only a copy of the New Object NDS rights instead of a copy of NDS rights, to prevent users from receiving the same rights as the administrator.

Select

Create home directory

to specify a location for the user’s home directory, which is created when the user object is created. If you specify a path that doesn't exist, a message appears stating that the user's home directory has not been created.

5.8.2

Deleting a User

To delete a user object:

1

In Roles and Tasks, select

Users

>

Delete User

.

2

Type the name and context of the object or use the search feature to find it, then click

OK

.

3

Click

Delete

.

A confirmation appears indicating the user object has been deleted.

5.8.3

Disabling an Account

To disable a user account, thereby preventing the user from authenticating to the directory:

NOTE:

This only prevents a user from authenticating subsequent to disabling the account. If they are logged in when the account is disabled, their access continues unchanged until they log out.

1

In Roles and Tasks, select

Users

>

Disable Account

.

2

Specify, or use the Object Selector to find, the name and context of the object, then click

OK

.

3

Click

Disable

.

5.8.4

Enabling an Account

To enable a previously disabled user account:

1

In Roles and Tasks, select

Users

>

Enable Account

.

2

Specify, or use the Object Selector to find, the name and context of the object, then click

OK

.

3

Click

Enable

.

Roles and Tasks

51

5.8.5

Modifying a User

To modify an existing user object’s properties:

1

In Roles and Tasks, select

Users

>

Modify User

.

2

Specify, or use the Object Selector to find, the name and context of the object, then click

OK

.

The Content frame displays the user object’s property book.

3

Make your changes, then click

Apply

or

OK

to save the changes.

5.8.6

Moving a User

To move a user object:

1

In Roles and Tasks, select

Users

>

Move User

.

2

Provide the required information, as described in

“Moving an Object” on page 40 .

5.8.7

Renaming a User

To rename a user object:

1

In Roles and Tasks, select

Users

>

Rename User

.

2

Provide the required information, as described in

“Renaming an Object” on page 41

.

52

NetIQ® iManager Administration Guide

6

Configuring and Customizing iManager

This section describes the various features of NetIQ iManager configuration. You configure iManager from the Configure view. This section discusses the following topics:

Š

Section 6.1, “Role-Based Services,” on page 53

Š

Section 6.2, “RBS Configuration,” on page 57

Š

Section 6.3, “RBS Reporting,” on page 67

Š

Section 6.4, “iManager Server,” on page 71

Š

Section 6.5, “Object Creation List,” on page 77

Š

Section 6.6, “Plug-In Module Installation,” on page 78

Š

Section 6.7, “Downloading and Installing Plug-in Modules,” on page 79

Š

Section 6.8, “E-Mail Notification,” on page 82

Š

Section 6.9, “Views,” on page 83

IMPORTANT:

Using Role-Based Services is optional, although we recommend setting it up for the optimal use of the iManager software. RBS must be configured in the eDirectory tree in order to use the Plug-In Studio.

Do not use Novell ConsoleOne to modify or delete any RBS objects. RBS objects should be managed using only iManager.

If desired, you can prevent non-admin and non-collection-owner users from accessing iManager's

Configure view. For more information see the following topics:

Š

iManager Views: “Views” on page 83

.

Š

User Preferences: “Preferences” on page 85 .

Š

Authorized Users:

“Authorized Users and Groups” on page 72 .

6.1

Role-Based Services

iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.

NOTE:

NetIQ iManager Role-Based Services (RBS) grants rights based upon the Access Control List

(ACL) capability of NetIQ eDirectory. The ACLs allow a trustee to be granted rights to a specific object or its subordinate objects. ACLs are not granted based upon specific object types. Each NetIQ

Configuring and Customizing iManager

53

iManager task defines its applicable object types and necessary ACLs. However, these ACLs allow the user to perform those operations with other object types through eDirectory APIs or other tools such as Novell ConsoleOne or NWAdmin.

Use RBS to create specific roles within your organization. The roles contain tasks that an assigned user can perform within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles but can be replaced, reassigned, or removed altogether.

Furthermore, users are associated with roles in a specified scope, which is a container in the tree in which the user has the requisite permissions to perform a task. A role requires this threefold association of role, members, and scope to be complete.

An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.

A user can be assigned to a role in the following ways:

Š

Directly as a user

Š

Through group and dynamic group assignments

If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.

Š

Through organizational role assignments

If a user is an occupant of a organizational role that is assigned a role, then the user has access to the role.

Š

Through container assignment

A User object has access to all of the roles that its parent container is assigned. This could also include other containers up to the root of the tree.

A user can be associated with a role multiple times, each with a different scope.

6.1.1

RBS Objects in eDirectory

The following table lists the RBS objects. iManager extends the eDirectory schema to include these

objects when you install RBS. For more information, see “Installing RBS” on page 56 .

Object

rbsCollection

Description

A container object that holds all RBS Role and Module objects.

rbsCollection objects are the uppermost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have owners, which are users who have management rights over the collection.

rbsCollection objects can be created in any of the following containers:

Š

Country

Š

Domain

Š

Locality

Š

Organization

Š

Organizational Unit

54

NetIQ® iManager Administration Guide

Object

rbsRole

rbsTask

rbsBook

(aka Property

Book)

rbsScope

rbs Module

rbs Category

Description

Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform.

rbsRoles are container objects that can be created only in an rbsCollection container.

Role members can be Users, Groups, Organizations, Organization Roles, or

Organizational Units, and role members are associated to a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

A leaf object that holds a specific function, such as resetting login passwords.

rbsTask objects are located only in rbsModule containers.

A book is a leaf object that displays a group of pages that allow a user to view or modify the properties of an object or set of objects of the same type. Each page of the book has a tab that you click, to view a different page.

A book object resides only in rbsModule containers and can be assigned to one or more roles and to one or more object class types.

A leaf object used for ACL assignments (instead of making assignments for each

User object). rbsScope objects represent the context in the tree where a role is performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object. These objects have a reference to the scope of the tree that they are associated with.

The objects are dynamically created when needed, then automatically deleted when no longer needed. They are located only in rbsRole containers.

WARNING:

Never change the configuration of an rbsScope object. Doing so has serious consequences and could possibly break the system.

Represents a container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance

Utilities, NMAS Management, or NetIQ Certificate Server Access).

rbsModule objects can be created only in rbsCollection containers.

A category groups roles and tasks together which are specific to a particular function. iManager has 14 default categories: Authentication & Passwords,

Collaboration, Directory, File Management, Identity Manager, Infrastructure,

Install & Upgrade, Network, Novell Audit, Printing, Security, Servers, Software

Licenses & Network, Usage, and Users & Groups.

The All Categories selection displays all available roles and tasks.

You can also create new categories and assign roles and tasks to them.

RBS objects reside in the eDirectory tree as depicted in the following figure:

Configuring and Customizing iManager

55

Figure 6-1

Role-Based Services in eDirectory

6.1.2

Installing RBS

RBS is installed using the iManager Configuration Wizard.

1

In the Configure view, select

Role Based Services

>

RBS Configuration

.

2

Select

Configure iManager

.

3

Follow the on-screen instructions.

6.1.3

Removing RBS

If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection automatically cleans up all user role associations and scopes in the tree. Do not delete the RBS collection using other utilities, such as ConsoleOne.

To remove Roll-based Services:

1

In the Configure view, select

Role Based Services

>

RBS Configuration

.

2

Select the collection to be deleted.

3

Click

Delete

.

After the RBS collection is deleted, all users logging in to iManager enter in Assigned Access mode even though there is no RBS collection object in the tree.

To switch back to Unrestricted mode (the default mode):

1

In the Configure view, select

iManager Server

>

Configure iManager

.

2

Select the

RBS

tab.

3

Select the appropriate tree name in the

RBS Tree List

field, then click the minus button.

4

Click

Save

.

56

NetIQ® iManager Administration Guide

NOTE:

When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page:

Notice: Some of the roles and tasks are not available.

Clicking

View Details

might display a

Not supported by current authenticators

message for several of the tasks, even though the tasks work correctly. This message is misleading, and iManager removes these messages after you configure RBS.

6.2

RBS Configuration

The RBS Configuration task provides complete control over RBS objects. It is a central place for managing and configuring RBS objects. You can list and modify RBS objects by type. The task also gives you useful information about the RBS system, such as the number of modules in a collection, how many are installed, how many are not installed, and how many are outdated. Some tasks let you operate on multiple objects simultaneously. For example, you can associate or disassociate multiple members from a role at the same time.

From the Configure view, select

Role-Based Services

>

RBS Configuration

to open the RBS Configuration page in the Content frame.

The page includes two tabs:

iManager 2.x Collection:

Displays current RBS collections.

iManager 1.x Collections:

Displays older RBS collections that you can either delete or migrate to iManager 2.

x

. If you select Migrate, a wizard steps you through the migration process.

iManager displays only those collections you own, and includes the following information about each collection:

Š

Module: Indicates the number of modules on the Web server that you are logged in to.

Š

Installed: Indicates the number of modules that are currently installed.

Š

Outdated: Indicates the number of outdated modules currently installed.

Š

Not-Installed: Indicates the number of modules that are available but not installed.

To work with a particular collection, select it from the list. This opens a collection-specific view, as

shown in Figure 6-2 .

Configuring and Customizing iManager

57

Figure 6-2

Working with RBS collections in iManager

The remainder of this section describes the various tabs in the RBS Collection page as well as the other RBS-related tasks in the Role Based Services category.

Š

Section 6.2.1, “The Role Tab,” on page 58

Š

Section 6.2.2, “The Task Tab,” on page 60

Š

Section 6.2.3, “The Property Book Tab,” on page 61

Š

Section 6.2.4, “The Module Tab,” on page 63

Š

Section 6.2.5, “The Category Tab,” on page 64

Š

Section 6.2.6, “Plug-In Studio,” on page 64

Š

Section 6.2.7, “Editing Member Associations,” on page 66

Š

Section 6.2.8, “Editing Owner Collections,” on page 67

6.2.1

The Role Tab

The RBS Collection Role tab lets you manage the RBS roles in the collection. From this tab you can do the following:

Š

“Create a New Role” on page 59

Š

“Edit a Role” on page 59

Š

“Delete a Role” on page 59

Š

“Set a Member Association” on page 59

Š

“Assign a Category” on page 60

Š

“Add a Description to a Role” on page 60

58

NetIQ® iManager Administration Guide

NOTE:

To select a role, select the checkbox to the left of the role name.

Create a New Role

To create a new role in the collection:

1

In the

Role

tab, select

New

>

iManager Role

.

2

Complete the steps in the iManager Role Wizard.

The wizard steps you through naming the role, assigning tasks and categories to the role, and assigning role members and scopes to the role.

Edit a Role

To edit an existing role in the collection:

1

In the

Role

tab, select the role, then click

Edit

.

The role's task list appears.

2

Add or remove a task from this page as needed, then click

OK

.

Delete a Role

To delete a role in the collection:

1

In the

Role

tab select the role, then click

Delete

.

A message appears:

This operation will delete all of the selected roles. Do you want to continue?

2

Click

OK

to delete the role.

Set a Member Association

To add a member to an existing role:

1

In the

Role

tab select the role, then select

Actions

>

Member Associations

.

2

Provide the required member information, then click

Add

.

Š

Name

: Specify, or use the Object Selector to find, the desired object to be a role member.

Š

Scope

: Specify, or use the Object Selector to find, the container that defines the scope within which this member can perform the role.

3

In the members list, specify how you want rights related to this role assigned to the member, then click

OK

.

Š

Assign Rights

: Instructs eDirectory to automatically grant the member rights necessary to perform the assigned role. When not selected, the member is assigned the role but might not have rights to perform all tasks associated with the role. The member’s rights assignments are handled separately.

Š

Inheritable

: Select

subtree

to indicate that the member’s scope includes all sub-containers in the specified context. Select

base object

to indicate that the member can perform the role only in the specified container.

Configuring and Customizing iManager

59

NOTE:

If a user is a

collection owner

, and has a member association set, then he/she can manage all the RBS objects within the defined scope. For a list of RBS objects in eDirectory and their description,

see Section 6.1.1, “RBS Objects in eDirectory,” on page 54

.

Assign a Category

To add a category assignment to an existing role:

1

In the

Role

tab, select the role, then select

Actions

>

Category Assignment

.

The Category Assignment page appears.

2

Select a category, then click the right-arrow to assign it to the role.

3

Click

OK

.

Add a Description to a Role

To add a description to an existing role:

1

In the

Role

tab, select the role and click

Actions

>

Description

.

2

Specify the description in the text box, then click

OK

.

6.2.2

The Task Tab

A task is a plug-in that performs a distinct management function, such as creating a user or setting a password. iManager lists the tasks by group in the navigation area on the left side of the window.

The RBS Collection Task tab lets you do the following operations:

Š

“Creating a New Task” on page 60

Š

“Deleting a Task” on page 60

Š

“Editing the Role Assignment of a Task” on page 61

Š

“Adding a Description to a Task” on page 61

Creating a New Task

To create a new task:

1

In the

Task

tab, select

New

>

iManager Task

.

2

Complete the steps in the Create iManager Task Wizard.

The wizard steps you through providing the necessary detail about the new task you are creating.

For information on creating tasks in the Plug-in Studio, see

“Creating a New Task from Plug-In

Studio” on page 65

.

Deleting a Task

To delete an existing task:

1

In the

Task

tab, select the task, then select

Delete

.

60

NetIQ® iManager Administration Guide

A message appears:

This operation will delete all of the selected tasks. Do you want to continue?

2

Click

OK

.

Editing the Role Assignment of a Task

To edit the list of roles to which a task is assigned:

1

In the

Task

tab, select the task, then select

Actions

>

Role Assignment

.

2

On the Edit Role Assignment page, add or remove roles from the

Assigned Roles

field, then click

OK

.

Adding a Description to a Task

To add a description to an existing task:

1

In the

Task

tab, select the task, then select

Actions

>

Description

.

2

Specify the description in the text box, then click

OK

.

6.2.3

The Property Book Tab

A property book displays the attributes of a specific object type that you can modify. These properties are of an object or set of objects of the same type.

Property books can be assigned to roles and appear in the list of tasks for a role. For example, a property book that modifies the attributes of User objects might have a page that lets you to specify a user's login script. Another page could let you change a user's e-mail address and telephone number.

Property book pages are similar to tasks. However, they are for displaying and modifying attributes in a single view. For a more complex, wizard-like UI, you should create a task.

The RBS Collection Property Book tab lets you perform the following operations:

Š

“Creating a New Property Book” on page 61

Š

“Deleting a Property Book.” on page 62

Š

“Editing the Role Assignment in a Property Book” on page 62

Š

“Modifying the Page List for a Property Book” on page 62

Š

“Modifying the Object Type Assignment of a Property Book” on page 62

Š

“Adding/Modifying the Description of a Property Book” on page 62

Š

“Defining/Modifying a Preferred Object Selection Method for a Task of a Property Book” on page 63

Creating a New Property Book

To create a new property book:

1

In the

Property Book

tab, select

New

.

2

Complete the steps in the Create Property Book Wizard.

The wizard steps you through providing the necessary detail for the property book you are creating.

Configuring and Customizing iManager

61

IMPORTANT:

In iManager, some characters have special significance and must be escaped with the backslash (\) character. For more information, see

Section 3.2, “Special Characters,” on page 24

.

Deleting a Property Book.

To delete a property book:

1

Under the

Property Book

tab, select the property book, then select

Delete

.

A message appears:

This operation will delete all of the selected property books.

Do you want to continue?

2

Click

OK

.

Editing the Role Assignment in a Property Book

To modify the list of roles to which a property book is assigned:

1

Under the

Property Book

tab, select the property book, then select

Actions

>

Role Assignment

.

2

On the Edit Role Assignment page, add or remove roles from the

Assigned Roles

field, then click

OK

.

Modifying the Page List for a Property Book

To modify the attribute pages associated with a property book:

1

Under the

Property Book

tab, select the property book, then select

Actions

>

Page List

.

2

On the Edit Page List page, add or remove roles from the

Assigned Pages

field. To change the order of the pages, select a page and click

Move Up

or

Move Down

buttons.

Modifying the Object Type Assignment of a Property Book

To modify the list of object types associated with a property book:

1

Under the

Property Book

tab, select the property book, then select

Actions

>

Object Type

.

2

On the Edit Object Type page, add or remove roles from the

Assigned Object Types

field, then click

OK

.

Adding/Modifying the Description of a Property Book

To add/modify a description to an existing task:

1

In the

Property Book

tab, select the property book, then select

Actions

>

Description

.

2

Specify/modify the description in the text box, then click

OK

.

62

NetIQ® iManager Administration Guide

Defining/Modifying a Preferred Object Selection Method for a Task of a Property

Book

To define/modify a preferred object selection method for an existing task:

1

Under the

Property Book

tab, select the property book, then select

Actions

>

Target Chooser Mode

.

2

From the Mode list, select the appropriate mode:

single

,

multiple

,

simple

, or

advanced

and click

OK

.

A successful message is displayed. Click

OK

.

NOTE:

For the changes to iManager Base Content module to take effect, restart Tomcat.

6.2.4

The Module Tab

The Module page lists the RBS modules currently installed on a selected collection. Each module contains RBS property books and tasks. From this page, you can add (if you want to create a custom property book) and delete modules, and also type a description for a selected plug-in module.

The RBS Collection Module tab lets you perform the following operations:

Š

“Adding a New Plug-in Module” on page 63

Š

“Deleting an RBS Module” on page 63

Š

“Adding a Description” on page 63

Adding a New Plug-in Module

To add a new plug-in module:

1

In the

Module

tab, select

New

.

2

Specify the RBS module name and a destination context, then click

OK

.

iManager displays a message indicating the module has been added.

Deleting an RBS Module

To delete an existing plug-in module:

1

In the

Module

tab, select a module to delete, then select

Delete

.

2

Click

OK

to confirm the module deletion.

Adding a Description

To add a description to an existing plug-in module:

1

In the

Module

tab, select a module, then select

Actions

>

Description

.

2

Specify the module description, then click

OK

.

Configuring and Customizing iManager

63

6.2.5

The Category Tab

Categories group related roles and tasks together. The RBS Collection Category tab lets you perform the following operations:

Š

“Adding a New Category” on page 64

Š

“Deleting a Category” on page 64

Š

“Adding a Description” on page 64

Adding a New Category

To add a description to an existing plug-in module:

1

In the

Category

tab, select

New

.

This launches the Create Category Wizard.

2

Specify category name and description (optional), then click

Next

.

3

Select the roles to be associated with the new category, then click

Next

.

4

Review the new category summary, then click

Finish

.

Deleting a Category

To delete an existing category:

1

In the

Category

tab, select a module to delete, then select

Delete

.

2

Click

OK

to confirm the category deletion.

Adding a Description

To add or modify the description of an existing category:

1

In the

Category

tab, select a category, then select

Actions

>

Description

.

2

Specify the category description, then click

OK

.

6.2.6

Plug-In Studio

Plug-In Studio offers a quick and easy way to streamline the tasks that you do several times a day.

Use Plug-in Studio to dynamically create tasks for your most frequently used operations. You can also edit and delete tasks here.

For example, to modify a user, instead of selecting

Modify Object

, you can create a dynamic UI to edit only the attributes you have selected, such as first name or title. Data is stored in the

TOMCAT_HOME/ webapps/nps/portal/modules/custom

directory.

From the Plug-in Studio task, you can perform the following operations:

Š

“Creating a New Task from Plug-In Studio” on page 65

Š

“Editing a Task” on page 65

Š

“Deleting a Task” on page 65

Š

“Copying Custom Tasks” on page 66

64

NetIQ® iManager Administration Guide

Š

“Exporting Custom Tasks” on page 66

Š

“Importing Custom Tasks” on page 66

Creating a New Task from Plug-In Studio

To create a new task with Plug-In Studio:

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select

New

.

The Task Builder appears to help you build custom tasks and property pages.

3

Specify the object type and platform information, then click

Next

.

Available classes:

Specify the object class associated with the new task.

Target device:

Specify the platform on which the task is used. Typically, the default selection

(Default) works fine.

Plug-in type:

Specify the type of task you are creating.

Add Auxiliary Classes:

Select this option to add aux class support to the task.

4

In the Plug-in Fields screen, provide the necessary information, then click

Install

.

When you click

Install

, iManager dynamically builds the task’s

.xml

file,

.jsp

file, and the Java files that execute the task, then it installs those files into the system.

Attributes:

Select an attribute to associate with the task from the list of available attributes.

Double-click the attribute to move it to the

Plug-in Fields

field, using the default control.

Controls:

Displays the available controls for the attribute selected in the

Attributes

field.

Double-click a control to move the current attribute to the

Plug-in Fields

field, using the selected control.

Plug-in Fields:

Displays each attribute/control currently associated with the task. From this field, you can remove attributes from the task, change the control associated with an attribute, and modify the control properties for the attribute.

Plug-in Properties:

Lets you specify a

Plug-in ID

, assign the task to an

RBS collection

, and assign the task to a

Role

. The role you assign determines where this task appears in the Roles and Tasks

Navigation frame.

Editing a Task

To edit an existing plug-in with Plug-in Studio:

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select the task, then select

Edit

.

3

Modify the settings described in

“Creating a New Task” on page 60

, then click

Install

.

iManager displays a confirmation message indicating the plug-in was successfully created and installed.

Deleting a Task

To delete an existing plug-in with Plug-in Studio:

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select the plug-in from the list of installed custom plug-ins, then click

Delete

.

Configuring and Customizing iManager

65

A message appears:

Are you sure you want to delete this plug-in?

3

Click

OK

to delete the plug-in.

iManager displays a confirmation message indicating the plug-in was successfully deleted.

Copying Custom Tasks

To copy an existing plug-in with Plug-in Studio:

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select the plug-in from the list of installed custom plug-ins, then click

Actions > Copy

.

3

Specify a name for the copied plug-in, then click

OK

.

Exporting Custom Tasks

Use this task to export your custom tasks, making them deployable to other iManager servers.

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select the custom plug-in to export, then click

Actions

>

Export

.

Importing Custom Tasks

Use this task to deploy an exported custom tasks onto multiple iManager servers.

1

In the Configure view, select

Role-Based Services

>

Plug-in Studio

.

2

Select

Actions

>

Import

.

3

Specify, or use the Object Selector to find, the RBS collection into which you want to import the custom plug-ins.

4

Specify, or browse to, the NPM file that you previously exported.

5

Click

Import

.

6.2.7

Editing Member Associations

There are two ways to associate members with roles:

Š

Select a member, then assign it to a role within a scope as described in

“Set a Member

Association” on page 59

.

Š

Select a role, then assign members and a scope to it as described below.

To assign an existing role to a selected member

1

In the Configure view, select

Role Based Services

>

Edit Member Association

.

2

Specify, or use the Object Selector to find, a member, then click

OK

.

A list appears displaying the roles to which this member is assigned.

3

Specify a role and role scope to add to this member, then click

OK

.

This data is saved to eDirectory. After login, the newly assigned role appears in the left column of the member who owns it.

66

NetIQ® iManager Administration Guide

6.2.8

Editing Owner Collections

Use this task to change the owner assigned to a collection.

1

In the Configure view, select

Role Based Services

>

Edit Owner Collections

.

2

Specify, or use the Object Selector to find, a collection owner, then click

OK

.

3

Add or remove collections this person can own, then click

OK

.

6.3

RBS Reporting

The RBS Reporting feature lets you generate reports about RBS objects in the directory and their configuration. Reports are in chart format and can be exported to other formats and printed. RBS

Reporting generates the following reports:

Role Assignments

Role Tasks Assignments

User Roles Assignments

User Task Assignments

Role Rights Assignments

Unassigned Roles

Unassigned Tasks

Unassigned Categories

Custom Roles

Custom Tasks

Custom Categories

Collections

6.3.1

Creating Reports

To create an RBS Report:

1

In the Configure view, select

RBS Reporting

.

Each type of report is implemented as a task.

2

Select the desired report, provide the necessary information, then click

OK

.

Each report requires that you provide some initial information, such as the roles for which you want to generate a list of assigned members.

Configuring and Customizing iManager

67

Figure 6-3

iManager Configure View Showing the Role Assignments Task

6.3.2

Using Reports

The RBS Reporting tasks generate reports that you can sort, print, and export. The following figure shows an example of an iManager report.

Figure 6-4

Members Assigned to a Role

Sorting Reports

By default, the items listed in a report are sorted alphabetically in ascending order on the first column. To indicate the column in which items are sorted, iManager displays a small icon next to the column name, and the icon indicates the sort order. To change the column in which items are sorted, click the name of the column you want.To change the sort order, click the name of the column in which items are currently sorted.

68

NetIQ® iManager Administration Guide

Printing Reports

You can easily print RBS reports by clicking the

Print

button. This opens your browser's print dialog box, where you can select a printer and other printing options. This feature prints only the browser frame that contains the report and it prints the report as displayed in the frame, so you should make sure the items are sorted in the order you want before you click

Print

.

Exporting Reports

You can export report data to XML, CSV, and plain text files to use in other applications such as spreadsheets and databases. The export files contain only data and enough metadata to describe the report columns. Other information, such as the report title and date, is not exported. Items in a report are exported in the currently displayed sort order.

1

Click the

Export

button.

2

In the RBS Report Export window, select the format for the exported data, then click

Export

.

3

When your browser prompts you to open or save the file generated by iManager, select the option you prefer and proceed as required by your browser.

The following are examples of XML, CSV, and plain text files exported from the same RBS report:

XML:

<?xml version="1.0"?>

<rbs-report>

<rbs-report-header>

<user>admin.novell</user>

<report-time>Thursday, June 26, 2008 (10:33:17 AM IST)</report-time>

<selected-member-types>User, Group, Dynamic Group, Organizational Role,

Container</selected-member-types>

<dynamic-group>

<search-enabled>yes</search-enabled>

<role-search>parent sub-directory (novell)</role-search>

<search-for>Dynamic Group Objects</search-for>

</dynamic-group>

<container-role-search>up to parent (novell)</container-role-search>

</rbs-report-header>

<rbs-record>

<role-name>eDirectory Administration</role-name>

<role-object>eDirectory Administration.Role Based Service 2.novell</roleobject>

<member-type>User</member-type>

<member-object>admin.novell</member-object>

<scope>.MY_TREE.</scope>

<rights-assigned>true</rights-assigned>

<rights-inherit>true</rights-inherit>

</rbs-record>

<rbs-record>

<role-name>eDirectory Administration</role-name>

<role-object>eDirectory Administration.Role Based Service 2.novell</roleobject>

<member-type>User</member-type>

<member-object>jdoe.novell</member-object>

<scope>novell</scope>

<rights-assigned>true</rights-assigned>

<rights-inherit>true</rights-inherit>

</rbs-record>

</rbs-report>

Configuring and Customizing iManager

69

CSV:

RBS Report Query Settings

User:,"admin.novell"

Date:,"Thursday, June 26, 2008 (10:33:17 AM IST)"

Types:,"User, Group, Dynamic Group, Organizational Role, Container"

Dynamic Group Search Settings:,

Search Enabled:,"yes"

Role Search:,"parent sub-directory (novell)"

Role Search:,"Dynamic Group Objects"

Container Role Search:,"up to parent (novell)"

RBS Report: User Roles Assignments

User,"Role Name","Role Object","Type","Member","Scope","Assigned","Inherit", admin.novell,"Archive Version Management","Archive Version Management.Role Based

Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"DFS Management","DFS Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Directory Administration","eDirectory Administration.Role Based

Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Directory Administration","eDirectory Administration.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"eDirectory Maintenance Utilities","eDirectory Maintenance

Utilities.Role Based Service 2.novell","User","admin.novell",".BLR-ANIL-

TREE.","true","true", admin.novell,"File Protocols","File Protocols.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Groups","Group Management.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Groups","Group Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Help Desk","Help Desk Management.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Help Desk","Help Desk Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"IDE Demo Role","IDE Demo Role.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Novell Certificate Access","Novell Certificate Access.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Novell Certificate Server Management","Novell Certificate Server

Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-

TREE.","true","true", admin.novell,"Partitions and Replicas","Partition and Replica Management.Role

Based Service 2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Partitions and Replicas","Partition and Replica Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"QuickFinder Administration","QuickFinder Administration.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Rights","Rights Management.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Rights","Rights Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Schema","Schema Management.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Schema","Schema Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Storage Management","Storage Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-

TREE.","true","true",admin.novell,"Users","User Management.Role Based Service

2.novell","User","admin.novell",".BLR-ANIL-TREE.","true","true", admin.novell,"Users","User Management.RBS 270 akpal.08","User","admin.novell",".BLR-ANIL-TREE.","true","true",

70

NetIQ® iManager Administration Guide

Plain Text:

RBS Report Query Settings

User: admin.novell

Date: Thursday, June 26, 2008 (10:33:17 AM IST)

Types: User, Group, Dynamic Group, Organizational Role, Container

-------------------------------------------------

Dynamic Group Search Settings:

Search Enabled: yes

Role Search: parent sub-directory (novell)

Role Search: Dynamic Group Objects

Container Role Search: up to parent (novell)

-------------------------------------------------

Role Name: eDirectory Administration Role Object: eDirectory Administration.Role

Based Service 2.novell Type: User Member: jdoe.novell Scope: novell Assigned: true

Inherit: true

-------------------------------------------------

6.4

iManager Server

If you do not see this task, you are not an authorized user. See “Authorized Users and Groups” on page 72 . This topic includes the following information:

Š

Section 6.4.1, “Configure iManager,” on page 71

Š

Section 6.4.2, “Security,” on page 72

Š

Section 6.4.3, “Look and Feel,” on page 73

Š

Section 6.4.4, “Logging Events,” on page 73

Š

Section 6.4.5, “Redirection After Logout,” on page 74

Š

Section 6.4.6, “Authentication,” on page 74

Š

Section 6.4.7, “RBS,” on page 75

Š

Section 6.4.8, “Plug-In Download,” on page 75

Š

Section 6.4.9, “Misc,” on page 76

Š

Section 6.4.10, “Encryption,” on page 76

6.4.1

Configure iManager

There are three settings in the config.xml

file that control the security and the certificates used when iManager creates an LDAP SSL connection:

Security.Keystore.AutoUpdate:

If the value of AutoUpdate is

True

, when a user successfully logs in to iManager, the certificate from that eDirectory server might automatically be imported into the iManager-specific keystore. Select the setting

Auto Import Tree Certificate for Secure LDAP

(

Configure iManager

>

Security

).

Security.Keystore.UpdateAllowAll:

When UpdateAllowAll is

True

, then any successful user login imports/updates a certificate into the iManager certificate keystore. If the setting is false, only an

authorized user login imports/updates certificates.

Security.Keystore.Priority:

The priority setting contains two words that define the search order for certificates during a connection:

system,

and

imanager

.

system

uses the default JVM* keystore to locate certificates when created the SSL context. If that fails, it then goes to the iManager keystore.

You can change the search order of

system

and

iManager

by removing either word from the entry.

Configuring and Customizing iManager

71

To further tighten security, do not allow AutoUpdate and use only the system keystore. If you do this, you must manually import the certificates that you want to reside in the default system keystore by using the tools that come with Java. If you disable UpdateAllowAll, then certificate imports occur only from a successful iManager authorized user login.

6.4.2

Security

These settings affect your entire Web server configuration and are saved in the config.xml

file. You can either save as you go or click

Save

once after you have made all your changes.

Warn When Using a Nonsecure Connection

Select this option if you want users without a secure connection between the Web browser and the

Web server to receive the following warning:

You are using a non-secure connection

.

Enable Novell Audit

Make sure you have met the Audit Prerequisites

. Select the Enable Novell Audit option and select specific iManager logging events, then click

Save

.

Auto Import Tree Certificate for Secure LDAP

Secure LDAP connections require a certificate. If you select this feature, the system automatically imports a public tree certificate for secure LDAP.

Authorized Users and Groups

Authorized users and groups are those that iManager permits to perform its various administrative tasks. Authorized user data is saved in

TOMCAT_HOME

\webapps\nps\WEB-

INF\configiman.properties

. The iManager installation process creates this file only if authorized user and group information is provided, but doing it, is not required. Failure to do it results in iManager allowing any user to install iManager plug-ins and modify iManager server settings (not recommended long-term.)

When a group or an organizational role is added to this list, all members of the group or the organizational role become authorised users. Adding a nested group supports only first level of members. But adding a dynamic group is not supported because it can have any type of objects as its members.

After installing iManager, you can add an authorized user, group, or organizational role by specifying, or by using the Objector Selector icon next to the

Authorized Users and Groups

list. Doing this modifies the configiman.properties

file.

To designate all users of the tree as authorized users, type

AllUsers

.

NOTE:

You can add and save only valid users to the

Authorized Users and Groups

list. If you add invalid users and click

Save

, an error message, which says that the object is not found, is displayed. If you add only invalid users to the list and click

Save

, the error message is displayed and the list of invalid users is automatically replaced by

AllUsers

. If you do not want all the users of the tree to be authorized users, remove

AllUsers

from the list, add desired valid users to the list, and click

Save

.

72

NetIQ® iManager Administration Guide

IMPORTANT:

If you have installed iManager for the first time, the Authorized Users and Groups list is empty. As an Admin user, you must immediately add users and groups to the list to make them authorized, and to have rights to modify the list. Otherwise, a non-admin user might add users and groups to the list by which he/she acquires the rights to modify the list. You (Admin) might lose the rights to modify the list.

For security-related information about the configiman.properties

file, see

“iManager Authorized

Users and Groups” on page 115

.

6.4.3

Look and Feel

The

Look and Feel

tab lets you customize the appearance of the iManager interface. This information is stored in

TOMCAT_HOME\webapps\nps\WEB-INF\config.xml

.

Title Bar Name

Specify your organization name in this text box. It then appears in the title bar of the Web browser in place of the default text (NetIQ iManager).

Images

The Title bar contains three images: the header background image, the header filler image, and the header branding image. Your own images must conform to the dimensions given in the interface.

Store these files in nps/portal/modules/fw/images

. Specify the path of each image in its respective text field.

Navigation Menu Colors

You can customize the color of the menu header and the background of the navigation menu on the left.

You can type either color names or hexadecimal numbers. Entries do not need to be case sensitive.

Click

Reset

to return to default colors and images, or click

Save

to save the settings. to the config.xml

file.

6.4.4

Logging Events

The

Logging Events

tab lets you configure iManager’s logging environment. There are two logging settings:

Logging Level:

Select the types of messages you want to log, from four options:

No Logging

,

Errors only

,

Errors and Warnings

, and

Errors, Warnings and Debug Information

.

Select your logging output options.

Logging Output:

Select the destination for logged messages, from three options:

Send Log Output to

Standard Error Device

,

Send Log Output to Standard output Device

, and

Send Log Output to Debug.html

File

.

The log file path and log file size both appear on this page. Select

View

to display the current log file in

HTML format. Select

Clear

to clear the current log file and reset the log file size to 0 (zero) bytes.

Configuring and Customizing iManager

73

6.4.5

Redirection After Logout

The

Redirection After Logout

option allows you to specify the URL to be redirected to, after you log out of iManager. If you have not selected this option, when you click Exit, you are logged out of iManager. By default, the Login page is displayed.

Enable:

Select this option to enable Redirection After Logout feature.

URL:

Specify the URL to be redirected to, after you log out of iManager.

6.4.6

Authentication

The

Authentication

tab configures iManager’s login page. It contains the following options:

Remember login credentials:

When selected, users must only enter a password to log in.

Use Secure LDAP for auto-connection:

When selected, iManager performs LDAP communications using SSL. Some plug-ins, such as Dynamic Groups and NMAS, do not work if this option is not selected. This setting does not take effect until you log out of iManager.

Hide specific reason for login failure:

When selected, iManager replaces authentication-related eDirectory messages with a generic error message that reads:

Login Failure. Invalid Username or Password

. For more information, see “Preventing User Name Discovery” on page 115 .

Allow ‘Tree’ selection on Login page:

When selected, iManager’s login page displays the

Tree

field.

If you do not select this option, you must have a default tree name specified or you cannot log in.

Contextless Login:

Contextless login allows users to log in with only user name and password, without knowing their entire User object context. For example,

.admin.support.sales.netiq

.

If there are multiple users with the same user name in the tree, contextless login allows to log in by using the first user account it finds with the supplied password within the container order list that the user has specified. User can re-arrange and set the container order list.

If there are multiple users with the same user name in the tree, to log in with a specific user name, a user should provide full context when logging in, or limit the search containers that contextless login searches.

Select

Search from Root

to perform the user search from the root of the directory tree. Select

Search

Containers

to specify one or more containers where User objects can be found.

By default, iManager connects with public access, requiring no specific credentials. You can specify a user with specific credentials to do the search for the contextless lookup. The iManager public user is used if you don’t specify a user.

IMPORTANT:

If you specify a public user, consider carefully the implications of password expiration settings. If the password is set to expire for the public user, you do not have the opportunity to change the password during login after it expires.

iManager Server Timeout Settings:

If you want the iManager server to time out after a certain period, specify the number of days, hours, and minutes in the respective fields, in the Authentication page.

If you never want the server to time out, select the Never Timeout option.

74

NetIQ® iManager Administration Guide

Redirection After Logout:

In the Authentication page, you have to enable this option if you want to be redirected to a desired page after logging out of iManager. You have to specify the desired URL in the

URL:

field. If you do not specify any URL, when you click Exit, you are logged out of iManager.

By default, the Login page is displayed.

6.4.7

RBS

Role-Based Services (RBS) assigns the rights within eDirectory to perform tasks. When you assign a role to a user, by default RBS assigns the rights necessary to perform the tasks included with that role.

The

RBS

tab lets you configure the following settings:

Enable Dynamic Groups:

When selected, RBS allows dynamic groups to be members of a role. For more information about dynamic groups, see the

NetIQ eDirectory 8.8 SP8 Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

Show Roles in Owned Collections:

When selected, collection owners see all roles and tasks whether they are members of them or not. Deselect this option to force collection owners to see only their assigned roles.

Role Discovery Domain:

Indicates where in the tree iManager is to search for roles that are assigned to a member.

Š

Parent, iManager searches for Dynamic Groups up to the parent container.

Š

Partition, iManager searches for Dynamic Groups up to the first eDirectory partition.

Š

Root, iManager searches for Dynamic Groups in the entire tree.

Dynamic Group Discovery Domain:

Indicates where in the tree iManager is to search for Dynamic

Group membership. Role membership is then checked in the Dynamic Groups found.

Š

Parent, iManager searches for roles in the user's parent container.

Š

Partition, iManager searches for roles up to the first eDirectory partition.

Š

Root, iManager searches for roles in the entire tree.

Dynamic Group Search Type:

Selects which type of Dynamic Groups should be searched for role membership.

Š

Dynamic Groups only, searches for objects that are of the Dynamic Group class type.

Š

Dynamic Group Objects and Aux classes, searches for objects that are either of the dynamicGroup class type or have been extended with the dynamicGroupAux class. This includes group objects that were later converted to Dynamic Groups.

RBS Tree List:

Auto-populated with the eDirectory tree's name when a collection owner or a role member authenticates. If RBS is removed from an eDirectory tree, remove that tree's entry in this list in order to return to Unassigned Access mode.

6.4.8

Plug-In Download

The

Plug-in Download

tab lets you configure the following settings:

Query Novell download site for new NetIQ Plug-in Modules (NPM):

Indicates that the iManager

Server should query the NetIQ Download site (http://download.novell.com/ index.jsp?product_id=&search=Search&build_type=SDBuildBean&families=&date_range=&keywor ds=iManager&x=23&y=4) for new plug-in modules (NPMs).

Configuring and Customizing iManager

75

Two radio buttons let you configure the query for every available NPM, or query only for updates to already-installed NPMs.

Downloading Plug-In Modules from a Custom Site:

You can download the plug-in modules from a custom site by specifying the URL of the custom site in the Download URL field, in the Plug-in

Download page.

Downloading Plug-In Modules Through Proxy:

If iManager Servers are running under the firewall proxy, the client can access the Internet through a proxy server. Only HTTP Proxy is supported. It is a

Web proxy HTTP. To download the plug-ins, the user has to do the following in the Plug-in

Download page:

1

Select

Enable Proxy

.

2

Enter in the following fields:

Š

Proxy Host

: Specify the proxy host IP address in this field.

Š

Proxy Port

: Specify the proxy port number in this field.

Š

Username

: Specify the user name in this field.

Š

Password

: Specify the password in this field.

Š

Retype Password

: Specify the password that you have specified in the

Password

field, in this field.

IMPORTANT:

iManager 2.7.7 plug-ins are not compatible with previous versions of iManager.

Additionally, any custom plug-ins you want to use with iManager 2.7.7 must be re-compiled in the iManager 2.7.7 environment.

6.4.9

Misc

The

Misc

tab lets you configure the following settings:

Enable [this]:

You can safely ignore this option. Enable [this] was added to iManager to allow some internal teams to modify their own objects. [this] is an attribute in the tree that enables specific selfmanagement functionality. If [this] is enabled, all eDirectory servers in the tree must be version 8.6.2 or later.

eGuide URL:

Specifies the URL to eGuide. This is used in the eGuide launch button in the header and in the eGuide role and task management tasks. This must be a full URL, for example, https:// my.dns.name/eGuide/servlet/eGuide

, or the keyword

EMFRAME_SERVER

. Using

EMFRAME_SERVER causes eMFrame to look for eGuide on the same server on which eMFrame is located.

For more information on eGuide, see the Novell eGuide documentation Web site (http:// www.novell.com/documentation/eguide212/index.html) .

6.4.10

Encryption

You can use the

Encryption

tab to choose the cipher level based on your security requirement. The four cipher levels are:

1.

NONE

- Allows any type of cipher.

2.

LOW

- Allows a 56-bit or a 64-bit cipher.

3.

MEDIUM

- Allows a 128-bit cipher.

4.

HIGH

- Allows ciphers that are greater than 128-bit.

76

NetIQ® iManager Administration Guide

By default, the cipher level is set to

NONE

. The selected cipher level is activated after the Tomcat server is restarted.

IMPORTANT:

By default, Firefox does not allow

LOW

cipher level.

To enable the

LOW

cipher algorithms in your Firefox browser:

1

Open Firefox, type about:config

in the location bar, then press

Enter

.

2

(Conditional) If a warning appears, click the

I'll be careful, I promise!

button to continue to the about:config page.

3

In the about:config page, under the Preference Name list, double-click the

security.ssl3.rsa_rc4_40_md5

preference to change the value to

True

.

This enables the

LOW

cipher algorithms in your Firefox browser.

By design, the

Encryption

tab is not available on OES. You need to manually change the cipher levels in the vhost-ssl.conf

file.

1

Go to

/etc/apache2/vhosts.d/vhost-ssl.conf

file, then modify the

SSLCipherSuite parameter based on your cipher level support.

For example, to configure only

HIGH

cipher level, modify the

SSLCipherSuite

parameter as follows:

<VirtualHost _default_:443>

--------------

----------------

SSLCipherSuite ALL:ADH:EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:+EXP:+eNULL

-------------

---------------

<VirtualHost>

You can use the following prefixes to modify the cipher levels:

Š

+

: adds ciphers to the list of ciphers and pulls them to the current location in the list.

Š

-

: removes a cipher from the list (can be added later again).

Š

!

: kills a cipher from the list completely (cannot be added later again).

For more information, see the Apache Module mod_ssl (http://httpd.apache.org/docs/2.0/mod/ mod_ssl.html) documentation.

6.5

Object Creation List

When you create an object, a preconfigured list of object classes is registered with the Create Object task. The Object Creation List Category contains the following tasks:

Š

Section 6.5.1, “Adding an Object Class to the Creation List,” on page 78

Š

Section 6.5.2, “Deleting an Object Class from the Creation List,” on page 78

Configuring and Customizing iManager

77

6.5.1

Adding an Object Class to the Creation List

Use this task to add more objects to the Object Creation List, which is the list of objects that can be created in iManager, using the Directory Administration > Create Object task.

1

In the Configure view, select

Object Creation List

>

Add Object Class to Creation List

.

2

Select the object to add, then click

Next

.

3

Review the XML definition information, then click Finish to create the

.xml

file.

6.5.2

Deleting an Object Class from the Creation List

Use this task to delete an object from the Object Creation List, which is the list of objects that can be created in iManager, using the Directory Administration > Create Object task.

1

In the Configure view, select

Object Creation List

>

Delete Object Class from Creation List

.

2

Select the object to delete, then click

Next

.

3

Review the XML definition information, then click Finish to delete the object from the Object

Creation List.

6.6

Plug-In Module Installation

If you do not see this role in your iManager interface, you are probably not an authorized user. See

“Authorized Users and Groups” on page 72 .

There are two types of modules used in iManager:

NetIQ Plug-in Module (NPM):

These are archives that contain the files for plug-ins to iManager.

When you install an NPM using the Available NetIQ Plug-in Modules task, you are installing a plugin to iManager to add to its functionality.

RBS Module:

These are objects in eDirectory that contain RBS Tasks and RBS Book objects. When

Role-Based Services has been configured in an eDirectory tree, click

Configure

>

RBS Configuration

to install the RBS Module after the NPM in order for the new tasks associated with the plug-in to become available for use.

Module Installation relates to NPMs only. For information about installing NPMs during the iManager installation process, see “ Downloading and Installing Plug-Ins During Installation ” in the

NetIQ iManager 2.7.7 Installation Guide

.

6.6.1

Available NetIQ Plug-in Modules

The Available NetIQ Plug-in Modules (NPM) page lists all the available NPMs contained in the

packages directory or on the download site. For more information, see “Plug-In Download” on page 75 . The name, version, and description of each module are in their respective manifest files.

You can hide the plug-ins by selecting the plug-in modules and clicking the

Hide

button. You can also hide all the plug-in modules so that the Home page doesn't display the

New iManager NPMs are available to install

notice.

You can also view the list of the hidden plug-in modules by clicking the

Show Hidden

button. You can unhide the hidden plug-in modules if required.

78

NetIQ® iManager Administration Guide

6.6.2

Installed NetIQ Plug-in Modules

This list contains the NPMs that have been installed in iManager. Each NPM is listed by name, local version, and description found in the current manifest files.

iManager 2.7.7 does not include all plug-in modules as part of the base product. Most iManager 2.7.7 plug-ins must be downloaded separately. However, the following plug-ins are included in the base.npm

module that ships with iManager 2.7.7:

Š

Directory Administration

Š

Partitions and Replicas

Š

Help Desk

Š

Schema

Š

Rights

Š

Users

Š

Groups

For more information, see

Chapter 5, “Roles and Tasks,” on page 35 .

IMPORTANT:

To function properly, a plug-in module's version must be compatible with the version of iManager on which it is running. Refer to the specific product documentation for information about iManager version requirements for a particular plug-in module.

For example, iManager 2.7.7 plug-ins are not compatible with previous versions of iManager.

Additionally, any custom plug-ins you want to use with iManager 2.7.7 must be re-compiled in the iManager 2.7.7 environment.

6.7

Downloading and Installing Plug-in Modules

iManager 2.7.7 lets you download and install updates to existing and new plug-ins from within iManager. iManager automatically queries the Novell Download Web site once a week for plug-ins.

NOTE:

Plug-in modules are not replicated between iManager servers. We recommend that you install the plug-in modules you want on each iManager server.

To download and install one or more plug-in modules:

1

Launch iManager and log in.

2

In the Configure view, select

Plug-in Installation

>

Available NetIQ Plug-in Modules

.

The Content frame lists all the available iManager plug-ins. iManager automatically checks the

Novell download site once a week for updated plug-ins. However, you can update the list at any time by clicking the

Refresh

link.

3

(Optional) If you have downloaded a plug-in, or have one locally that you want to install, click

Add

, then browse for the appropriate plug-in NPM file.

4

Click

OK

.

This returns you to the Available NetIQ Plug-in Modules page.

5

Select the plug-in you want, then click

Install

.

Configuring and Customizing iManager

79

The file location shows whether the plug-in is from Local Directory or the Novell Download site.

If you select at least one plug-in that has the

File Location

as

NetIQ Downloads

for installation, the

NetIQ iManager Plug-in Modules License Agreement page is displayed. Select

I Agree

, then click

OK

to proceed with the installation.

NOTE:

Installing a plug-in from the Novell download site can take several minutes, depending on your connection speed and number of plug-ins being installed. A status bar indicates the download time.

6

After the installation is completed, restart Tomcat.

Tomcat sometimes requires several minutes to fully initialize. Wait at least 5 minutes before trying to log in to iManager.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

7

Verify that the new Role appears in the Roles and Tasks page.

To add members to the new Role, use the Modify Member Association task.

6.7.1

If RBS is Configured

IMPORTANT:

In order to reinstall an existing plug-in, you must first delete the rbsModule object for that plug-in from eDirectory using the

Module Configuration

>

Delete RBS Modul

e task.

1

From the Configure view, select

Role-Based Services

>

RBS Configuration

.

The table on the 2.x Collections tab displays any out-of-date modules.

2

To update them, select the number in the Out-of-Date column for the Collection you want to update.

The list of outdated modules is displayed.

3

Select the modules you want to update, then click Update at the top of the table.

6.7.2

Uninstalling a Plug-in Module

1

In the Configure view, select

Plug-in Installation

>

Installed NetIQ Plug-in Modules

.

2

Select the plug-in, then click Uninstall.

3

Restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

The steps for manually removing a plug-in module are available in TID #7006125 (http:// www.novell.com/support/ search.do?cmd=displayKC&docType=kc&externalId=7006125&sliceId=1&docTypeID=DT_TID_1_1& dialogID=790607&stateId=0%200%20792657) .

6.7.3

Customizing the Plug-In Download Location

You can create a plug-in download repository if a proxy server or firewall prevents iManager 2.7.7 from contacting the Novell Download site. This lets you host plug-in modules on a local Web server or a common file system location.

80

NetIQ® iManager Administration Guide

The best way to do this is to use the XML descriptor file from the Novell Download site (http:// www.novell.com/products/consoles/imanager/iman_mod_desc.xml) as a template. For more information about the iManager descriptor file, see “ Downloading and Installing Plug-Ins During

Installation ”“Downloading and Installing Plug-Ins During Installation” in the

NetIQ iManager 2.7.7

Installation Guide

.

To set up a local plug-in repository, save the descriptor file locally, then open the file and copy the

URL for each plug-in module you want to make available locally and paste it in a Web browser address bar to download the file. After downloading all desired plug-in modules, edit the local copy of the descriptor file to reflect the new URL for each downloaded plug-in module.

A plug-in module URL can be an HTTP link or a file system location. For example:

Windows File System

<url><![CDATA[file:///c:\iManager_plugins\NMAS.npm]]></url>

Linux File System

<url><![CDATA[file:///home/admin/iManager_plugins/NMAS.npm]]></url>

HTTP Link

<url><![CDATA[http://192.168.0.136/iManager_plugins/NMAS.npm]]></url>

Specifying a Local Descriptor File

You can specify a custom descriptor file either during the iManager 2.7.7 installation, or after iManager 2.7.7 has been installed.

During the installation process, the iManager 2.7.7 plug-in download URL can be redirected to a custom descriptor file. To do this, simply change the URL on the Select Plug-ins to Download and

Install page to the location of the custom descriptor file and click

Go

.

NOTE:

If the message

No plug-ins found or server not available

appears in the Plug-in download area, one or both of the following conditions can exist: There are no updated plug-ins available on the Novell download site, or the connection to download. novell.com from the install program was not successful. Verify your Internet connection.

When iManager 2.7.7 is installed, you can change the plug-in module download URL by modifying

<TOMCAT_HOME>

\webapps\nps\WEB-INF\config.xml

. For example:

Windows File System

<setting>

<name><![CDATA[ModuleDownloadDescriptorURL]]></name>

<value><![CDATA[file:///c:\iManager_plugins\custom.xml]]></value>

</setting>

Linux File System

<setting>

Configuring and Customizing iManager

81

<name><![CDATA[ModuleDownloadDescriptorURL]]></name>

<value><![CDATA[file:///home/admin/iManager_plugins/custom.xml]]></value>

</setting>

HTTP Link

<setting>

<name><![CDATA[ModuleDownloadDescriptorURL]]></name>

<value><![CDATA[http://192.168.0.136/iManager_plugins/custom.xml]]></value>

</setting>

IMPORTANT:

If you use iManager Workstation to access a custom plug-in URL over an SSL connection (HTTPS), make sure to import the target Web server’s certificate or you won’t be able to set up a secure connection.

6.8

E-Mail Notification

This role enables you to select plug-in-specific tasks that users want to be notified of whenever that specific task occurs. The tasks are set up by the plug-in itself. You decide whether or not to be notified, and specify who should be notified of selected events. Your first task is to set up the mail server.

TIP:

Depending on what you select, you could receive a

lot

of e-mail!

6.8.1

Mail Server Configuration

The mail server configuration specifies the SMTP server settings for event notification.

1

In the Configure view, select

Email Notification

>

Mail Server Configuration

.

2

Specify the mail server settings, then click

OK

.

From Address:

Specifies the address that appears in the From field of the iManager e-mail message.

Primary Mail Server:

Specifies an IP address or server name (for example: smtp.novell.com) of a mail server. You must also provide the user name and password for iManager to use to access the SMTP server.

Secondary Mail Server:

Specifies an optional backup mail server. Provide the same information as that for the primary mail server.

6.8.2

Task Event Notification

Plug-ins whose tasks are listed in their

.xml

files automatically register task events on this page.

1

In the Configure view, select

Email Notification

>

Task Event Notification

.

2

In the

Email Address

field, specify the E-mail addresses you want to receive this notification, separated by commas.

3

Select an event.

The Task Event Properties screen appears.

82

NetIQ® iManager Administration Guide

4

Specify the e-mail subject and the E-mail message in the appropriate fields.

5

In the

Additional Email Addresses

field, type any additional e-mail addresses (separated by commas) you want to notify.

6

Select

Override Default and Notify Only These Addresses

if you want the message to ignore the Email list in step 2 and go only to the e-mail addresses specified on this page.

6.9

Views

If you do not see this role in your iManager interface, you are probably not an authorized user. See

“Authorized Users and Groups” on page 72 .

iManager Views are management pages accessed from buttons in iManager’s Header frame. You might want to prevent users from accessing certain views, such as

View Objects

or

Configure

.

By default, all views inherit the settings of the parent set.

6.9.1

Showing and Hiding iManager Views

1

In the Configure view, select

Views

>

iManager Views

.

2

Specify, or use the Object Selector to find, a container at which you want to restrict access to

Views, then click

OK

.

3

Specify the appropriate view settings, then click

OK

.

There are three view settings from which you can choose:

Š

Do not set: Does not explicitly set the view state. This is the default setting.

Š

Hide: Hides the view.

Š

Show: Displays the view.

Select

Read parent containers of this object

to use the settings of the object's parent container for this object. When selected, the parent settings take precedence over the object’s local settings.

6.9.2

Enabling and Disabling Identity Manager view as Default view in iManager on Identity Manager Installed Servers

To enable iManager views:

1

Stop Tomcat.

2

Open the

/var/opt/novell/iManager/nps/WEB-INF/config.xml

file.

3

Add the following configuration details in the xml file:

<setting>

<name><![CDATA[IS_IDM_VIEW_AS_DEFAULT]]></name>

<value><![CDATA[true]]></value>

</setting>

4

Start tomcat.

NOTE:

By default, “IS_IDM_VIEW_AS_DEFAULT”is set to “true”.

Configuring and Customizing iManager

83

To disable iManager views:

1

Stop Tomcat.

2

Open the

/var/opt/novell/iManager/nps/WEB-INF/config.xml

file.

3

Add the following configuration details in the xml file:

<setting>

<name><![CDATA[IS_IDM_VIEW_AS_DEFAULT]]></name>

<value><![CDATA[false]]></value>

</setting>

4

Start tomcat.

84

NetIQ® iManager Administration Guide

7

Preferences

The Preferences view lets you configure iManager settings related to the application’s look and feel. It provides access to the following tasks:

Š

Section 7.1, “Manage Favorites,” on page 85

Š

Section 7.2, “Object Selector,” on page 85

Š

Section 7.3, “Object View,” on page 86

Š

Section 7.4, “Set Initial View,” on page 86

Š

Section 7.5, “Language,” on page 86

7.1

Manage Favorites

Configures the Favorites view, which displays a custom set of often-used tasks together in a special view.

1

From the Preferences view, select

Manage Favorites

.

2

Select the desired tasks from the

Tasks

field and move them to the

Favorites

field.

Double click tasks to move them, or select them and use the arrow icons to move them.

Select

Make favorites my initial view

to use the Favorites view as your iManager “Home page”.

3

Click

OK

.

7.2

Object Selector

Configures the Object Selector settings:

Window Size:

Specify Object Selector’s window width, height, and left column width, in pixels.

User-Specified Defaults:

Specify Object Selector’s default settings, including

Š

Startup Mode: Specifies whether the

Browse

tab or

Search

tab is displayed initially.

Š

Results per Page: Specifies the number or results to display per page.

Š

Starting Context: Specifies the default container to which Object Selector opens.

Š

Search on Startup: Specifies initial search actions when Object Selector opens to the

Search

tab.

Š

Show Subordinate Count: Enables/disables displaying the total number of objects next to each container object displayed in the Object Selector. When selected, iManager displays the subordinate object count, in parentheses, next to the container name.

NOTE:

The subordinate count does not take into account your assigned rights when calculating the subordinate object count, so the number of objects you can see might differ from the count specified.

Preferences

85

7.3

Object View

Configures the Object View settings:

Column Width:

Specifies Object View’s column width, in pixels.

Startup Mode:

Specifies whether the

Browse

,

Search, or Tree

tab is displayed initially.

Selection Mode:

Specifies Object View’s initial object selection mode: single object, or multiple objects.

Navigation Pane (Left Side):

Specifies the number of results to display in the Navigation frame. This setting applies to all tabs in the Object View. Valid settings include 1 - 500.

Tree Content Pane (Right Side):

Specifies the number of results to display one page in the Content frame. This setting applies only to the Tree tab in the Object View. Valid settings include 1 - 500.

Starting Context:

Specifies the default directory container to which Object View opens. You can have it open to the last container used, or have it always open to the same container.

Search on Startup:

Specifies initial search actions when Object View opens to the

Search

tab.

Show Subordinate Count:

Enables/disables displaying the total number of objects next to each container object displayed in the Object Selector. When selected, iManager displays the subordinate object count, in parentheses, next to the container name.

This applies to the Navigation frame in the Tree tab, and the results window in the Browse and

Search tabs in the Object View.

NOTE:

The subordinate count does not take into account your assigned rights when calculating the subordinate object count, so the number of objects you can see might differ from the count specified.

7.4

Set Initial View

Specifies the view that displays when you first log in to iManager. If nothing is selected, the

Roles and

Tasks

view defaults to the initial view.you select determines what appears after you log in to iManager.

7.5

Language

Specifies the language in which you want iManager to display. You must select the check box to remember the language will remember the language setting between iManager sessions. To make the language setting permanent, set your preferred default language in the Web browser.

NOTE:

Plug-ins cannot work properly if the first language (top position) listed in your Web browser's Language setting is not set to a supported language for iManager.

To avoid problems, in your Web browser, click

Tools

>

Options

>

Languages

or a sequence similar to this, then set the first language preference in the list to a supported language.

86

NetIQ® iManager Administration Guide

8

Troubleshooting

This section provides some troubleshooting tips resulting from NetIQ’s testing of iManager. These tips are arranged alphabetically in the following topics:

Š

Section 8.1, “Authentication Issues,” on page 88

Š

Section 8.2, “Accessing NCP Server Objects,” on page 90

Š

Section 8.3, “Deleting and Re-creating User Accounts with the Same Name (Windows XP/

2000),” on page 90

Š

Section 8.4, “DNS 630 Error Message Appears When Creating a Property Book with Invalid

Characters in Name,” on page 91

Š

Section 8.5, “eDirectory Maintenance Task Errors,” on page 91

Š

Section 8.6, “Enabling Debug Messages for Install and Configure,” on page 91

Š

Section 8.7, “History Does Not Automatically Sync Across Multiple Simultaneous User Logins,” on page 91

Š

Section 8.8, “iManager Does Not Work After Installing Groupwise 7.0 WebAccess (Windows

Server 2000/2003),” on page 91

Š

Section 8.9, “Missing Attribute, Object, or Value Errors,” on page 92

Š

Section 8.10, “Missing Roles or Tasks in the Configure View,” on page 92

Š

Section 8.11, “Performing a System Restore from Image Software,” on page 93

Š

Section 8.12, “Running eDirectory and iManager on the Same Machine (Windows only),” on page 93

Š

Section 8.13, ““Service Unavailable” Message Appears During Multiple Plug-In Installs,” on page 94

Š

Section 8.14, “Tomcat,” on page 94

Š

Section 8.15, ““Unable to Determine Universal Password Status” Error,” on page 95

Š

Section 8.16, “iManager Workstation Does Not Display Information,” on page 95

Š

Section 8.17, “Sometimes Refresh Button Does Not Function,” on page 96

Š

Section 8.18, “iManager Plug-in Installation Hangs or Plug-ins Are Not Properly Installed,” on page 96

Š

Section 8.19, “Login Issue with Tree IP Address Change,” on page 97

Š

Section 8.20, “Insufficient Java Heap Size Results in Failed Login,” on page 98

Š

Section 8.21, “Java Error Messages are Displayed After Closing the Browser of iManager

Workstation,” on page 98

Š

Section 8.22, “iManager and LDAP Use Different Date Ranges,” on page 98

Š

Section 8.23, “iManager Installation Fails on SLES 9 and RedHat 4 Platforms,” on page 99

Troubleshooting

87

8.1

Authentication Issues

Authentication is a complex topic, and your existing network infrastructure can affect your ability to successfully perform an initial iManager login. The following facts can help you minimize authentication-related difficulties. For more information about authentication-related topics, see the

NetIQ Modular Authentication Service (NMAS) documentation (https://www.netiq.com/ documentation/edir88/nmas88/data/bookinfo.html) and NetIQ eDirectory documentation (https:// www.netiq.com/documentation/edir88/) .

Š iManager authentication is a platform-dependent operation, meaning that it functions differently depending on the platform on which iManager is running

Linux and Windows servers:

When iManager runs on a Linux or Windows server it utilizes eDirectory’s legacy authentication mechanism and the regular eDirectory password. This mechanism supports eDirectory’s Universal Password option but does not support the Simple

Password option.

iManager Workstation:

iManager Workstation runs on a client workstation, either Linux or

Windows, and leverages the NMAS client that allows it to use Universal Password, if configured.

Š iManager does not use LDAP for the initial iManager authentication process. It utilizes eDirectory’s proprietary authentication protocol. However, following initial authentication, iManager can, create LDAP connections to eDirectory as needed to support directory access for the installed plug-ins that require LDAP access.

Š iManager does not support authenticating with eDirectory’s Simple Password.

You might encounter the following error messages when authenticating to iManager. Each error message section discusses possible causes.

Š

Section 8.1.1, “HTTP 404 Errors,” on page 88

Š

Section 8.1.2, “HTTP 500 Errors,” on page 88

Š

Section 8.1.3, “601 Error Messages,” on page 89

Š

Section 8.1.4, “622 Error Messages,” on page 89

Š

Section 8.1.5, “632 Error Messages,” on page 89

Š

Section 8.1.6, “634 Error Messages,” on page 89

Š

Section 8.1.7, “669 Error Messages,” on page 90

8.1.1

HTTP 404 Errors

If you receive a 404 error the first time you attempt to access iManager, you need to verify the ports that Apache is running on. Depending on how you installed iManager and whether you chose to use

Apache or IIS, the configuration file locations vary. Apache uses either the httpd.conf

file or the ssl.conf

file. Refer to the Microsoft documentation for information on IIS port settings.

8.1.2

HTTP 500 Errors

If you receive an internal server error or servlet container error (either unavailable or being upgraded), iManager is having one of two problems with Tomcat:

Š

Tomcat has not fully initialized after a reboot.

Š

Tomcat has failed to start.

88

NetIQ® iManager Administration Guide

Wait a few minutes and try again to access iManager. If you still receive the same errors, verify the status of Tomcat.

Checking the Status of Tomcat

1

Restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

2

Check the Tomcat logs for any errors.

The log file is located in the

$tomcat_home$

/logs

directory on the UNIX, Linux, and Windows platforms. On UNIX and Linux, the logs are named catalina.out

or localhost_log.

date

.txt

. On Windows, the log files are named stderr

and stdout

.

8.1.3

601 Error Messages

The object name entered could not be found in the context specified.

Some possible causes:

Š

Contextless login might be disabled.

Š

Your User object might not be in the configured search containers list. Either ask your administrator to add your user location to the contextless login search containers or log in with a full context.

8.1.4

622 Error Messages

The NDS password has been disabled in the Universal Password policy. This may also manifest itself with a 222 Error Message.

You can avoid this error with iManager Workstation by installing the client, which allows iManager to utilize the Universal Password authentication mechanism rather than eDirectory’s legacy authentication process.

8.1.5

632 Error Messages

This error is a system failure with several possible causes (http://www.novell.com/documentation/ nwec/) .

8.1.6

634 Error Messages

The target server does not have a copy of what the source server is requesting, or the source server has no objects that match the request and has no referrals on which to search for the object.

Some possible causes:

Š

You entered an incorrect tree or IP address. If you are using the IP address, make sure you include the port if eDirectory is installed on a nonstandard (524) port.

Š iManager cannot locate your tree or IP address before timing out. If the tree name fails, use the

IP address.

Troubleshooting

89

8.1.7

669 Error Messages

An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server’s database was locked, or a problem exists with the remote ID or public key.

Some possible causes:

Š

You typed an incorrect password

Š

There are multiple users with the same user name in the tree. Contextless login tries to log in using the first user account it finds with the supplied password. In this case, provide a full context when you log in or limit the search containers that contextless login searches.

8.2

Accessing NCP Server Objects

To improve the performance of the NCP server objects, the

Modify Index Location

option must be disabled.

To disable the

Modify index Location

option:

1

Open the config.xml

file from

<TOMCAT_HOME>

/webapps/nps/WEB-INF/config.xml

.

2

Add the following content to the config.xml

file.

<setting>

<name><![CDATA[IndexManagerPlugin_ModifyObjectTask_Disabled]]></name>

<value><![CDATA[true]]></value>

</setting>

3

Save the changes and restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

NOTE:

To modify the indexes of the NCP server objects, goto

Roles and Tasks

>

eDirectory Maintenance

>

Indexes

>

NCP Server Object

>

Indexes

>

Modify Index Location

.

8.3

Deleting and Re-creating User Accounts with the Same

Name (Windows XP/2000)

If you have deleted one or more Windows user accounts, and then re-created them with the same name, do the following to use iManager Workstation with the re-created account:

1

Log in as a member of the Administrator group.

2

Take ownership of the

\system32\novell\nici\

username

directory. The absolute path varies between Windows 2000 and Windows XP.

3

Delete the folder.

When the user next logs in, this folder is automatically recreated using Novell International

Cryptographic Infrastructure (NICI) keys of the re-created user account, and the user can then run iManager Workstation.

90

NetIQ® iManager Administration Guide

8.4

DNS 630 Error Message Appears When Creating a Property

Book with Invalid Characters in Name

If you create a Property Book and name it using special characters that are invalid, a DNS Error 603 message might be returned. For more information about naming a Property Book, see

“Creating a

New Property Book” on page 61 .

8.5

eDirectory Maintenance Task Errors

Running eDirectory Maintenance Tasks requires that Role-Based Services (RBS) must be configured through iManager for the tree that is being administered. For RBS configuration information, see

Chapter 4, “Browsing Objects,” on page 25

.

For additional information, see

The eDirectory Management Toolbox

in the

NetIQ eDirectory 8.8 SP8

Administration Guide

(https://www.netiq.com/documentation/edir88/edir88/data/bookinfo.html) .

8.6

Enabling Debug Messages for Install and Configure

If installation fails, you must enable some debugging messages to help determine what is wrong.

Š

Linux: Export LAX_DEBUG=true in the terminal session that you start the iManager

InstallAnywhere program from.

Š

Windows: Hold the Ctrl key down as you start the iManager InstallAnywhere program and continue holding it until the debugging screen appears.

8.7

History Does Not Automatically Sync Across Multiple

Simultaneous User Logins

Using two instances of the same browser (such as two Firefox browsers but not Internet Explorer) avoids the problem. The history book is shared by the two instances.

8.8

iManager Does Not Work After Installing Groupwise 7.0

WebAccess (Windows Server 2000/2003)

On Windows 2000 and 2003 Server with IIS 5 or 6, installing Groupwise 7.0 WebAccess to IIS automatically installs Tomcat 5.5.

As the iManager installation begins, the iManager installer program detects that IIS and Tomcat are available for use. The installer reports the inability to stop the iisadmin service. Near the end of the install, the installer reports the inability to start Tomcat.

After the install is completed, Groupwise WebAccess still works, but iManager does not (HTTP 404:

Page not found).

Workaround: Do not install iManager and Groupwise on the same server.

Troubleshooting

91

8.9

Missing Attribute, Object, or Value Errors

If you have a large installation with synchronization delays, you can force iManager to communicate with the master replica. This ensures that you have access to any attributes, objects, or values that have been recently added or modified. This is not recommended for regular use of iManager, but can be helpful when you are experiencing synchronization delays.

To use this parameter when logging in to iManager, add

&forceMaster=true

to the end of the URL after you have loaded the login page. This setting can also be enabled in

TOMCAT_HOME

\webapps\nps\WEB-INF\config.xml

. For example:

Š

For an IPv4 address: https://127.0.0.1/nps/servlet/webacc?taskId=fw.Startup&forceMaster=true

Š

For an IPv6 address: https://[2001:db8::6]:1080/nps/servlet/ webacc?taskId=fw.Startup&forceMaster=true

You must restart Tomcat after making any changes to the config.xml

file. For information about

restarting Tomcat, see “Starting and Stopping Tomcat” on page 94 .

8.10

Missing Roles or Tasks in the Configure View

If the following Roles or Tasks are not present on the Configure view, you need to verify that you are an authorized user. For more information, see

“Authorized Users and Groups” on page 72

.

8.10.1

Possible Missing Roles or Tasks

Š

Configure iManager task

Š

Object Creation List role

Š

Plug-in Installation role

Š

E-mail Notification role

Š

View role

8.10.2

Possible Reasons Why You Are Not an Authorized User

Š

You renamed your tree.

Edit the configiman.properties

file and change the tree name for each user.

Š

Information entered during the iManager installation for the authorized user was incorrect.

Edit the configiman.properties

file and add the correct user name including the tree name.

Š

The configiman.properties

file is corrupted for some unknown reason.

Delete the configiman.properties

file and either re-create the file with the correct information or log in to iManager and go to

Configure view

>

iManager Server

>

Configure iManger

. On the

Security page, add the Authorized Users for the system by browsing the tree, or if you are sure of the full path to the user, you can manually enter it.

Š

The permissions on the configiman.properties

file have been changed to prevent iManager from reading the file.

Change the permissions on the file to match the files in the same directory.

92

NetIQ® iManager Administration Guide

Š

Your administrator has not added you as an authorized user.

Request to be added to the Authorized Users list. For more information, see “Authorized Users and Groups” on page 72

.

8.11

Performing a System Restore from Image Software

If you perform a system restore from image software such as Ghost, the sys:\tomcat5\conf\NPS-

APACHE.CONF

file could become truncated in the process.

If this file is truncated to

NPS-APACHE~1.CON

or some other corrupt filename, rename the file and then stop and restart Tomcat.

For information about restarting Tomcat, see “Starting and Stopping Tomcat” on page 94

.

8.12

Running eDirectory and iManager on the Same Machine

(Windows only)

If iManager was installed before eDirectory, you might experience any of the following errors when using iManager, LDAP(S), or HTTP(S) to access eDirectory.

-340 error when trying to access encrypted attributes with iManager

LDAP : SSL_CTX_use_KMO failed. Error stack: error:1412D0D4:SSL routines:SSL_CTX_use_KMO:read wrong packet type (err = -1418)

HTTP : 0016 TLS operation failed, err: 1, result: -1 --

HTTP : -- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

HTTP : 0017 TLS operation failed, err: 1, result: -1 --

HTTP : -- error:1406B0BD:SSL routines:GET_CLIENT_MASTER_KEY:no p rivatekey

HTTP : Unable to access server certificate and key, handshakes will fail

--

HTTP :

-- error:1412D0D4:SSL routines:SSL_CTX_use_KMO:read wrong packet type

Limber : Error while setting NCP Key Material Name SSL CertificateDNS to server,

Err: failed, -340 (0xfffffeac)...

Limber : Error During syncKeyMaterialInfo -340 (0xfffffeac)

It could be that eDirectory’s initial system configuration has not occurred. The user who installed eDirectory and the user who is running the eDirectory server must coordinate the eDirectory configuration. Generally, eDirectory is installed as administrator and is run as SYSTEM. You can manually correct this issue, but an understanding of eDirectory, iManager, NICI, and other currently installed products is necessary. You must determine if the following steps are safe to perform. You should also check the product’s documentation and dependencies to see if any long-term encrypted data or secrets are used.

If eDirectory and iManager are installed on the same physical machine, you can manually configure eDirectory after eDirectory installation.

NOTE:

You should not do this if eDirectory was installed at a previous time and has been successfully running on the current machine.

1

Log in as an administrator.

2

Stop the eDirectory server and the Tomcat service.

Also stop any other service that may be using NICI.

Troubleshooting

93

3

Take ownership of the

%systemroot%\system32\novell\NICI\SYSTEM

directory.

Do this from the file properties'

Security

>

Advanced Options

.

4

Save the contents of the

SYSTEM

directory in a backup directory.

5

Delete the contents of the

SYSTEM

directory.

6

Copy the contents of

%systemroot%\system32\novell\NICI\Administrator

to

%systemroot%\system32\novell\NICI\SYSTEM

.

7

You can reset the permissions of

%systemroot%\system32\novell\NICI\SYSTEM

and its contents so that only SYSTEM has access.

8

Restart the NDS Server and Tomcat services and any other service you may have stopped.

8.13

“Service Unavailable” Message Appears During Multiple

Plug-In Installs

This situation occurs when you select several plug-ins to install, all at the same time. While the plugin installation continues over several minutes, the browser page times out and returns a 503 Error.

Although you probably don't need to do anything but wait, you can monitor plug-in installations through the Tomcat log files.

8.14

Tomcat

The following general Tomcat information can be useful in your troubleshooting efforts.

8.14.1

Starting and Stopping Tomcat

The following tables describe how to start and stop Tomcat on the platforms supported by iManager

2.7.7

Table 8-1

Stopping and Starting Tomcat

Platform

Linux

Restart Command

Enter

/etc/init.d/novell-tomcat7 stop

, then enter

/etc/init.d/novell-tomcat7 start .

Shut down and restart iManager Workstation.

iManager

Workstation

Windows Stop and start the Tomcat service.

8.14.2

Tomcat Ports

If you experience port conflicts while upgrading to iManager 2.7.7, or need to know the ports that

Tomcat is using, consult the platform-specific information in this section.

94

NetIQ® iManager Administration Guide

Linux

View Tomcat ports in the

/var/opt/novell/tomcat7/conf/server.xml

file.

The non-SSL port section of the file begins with

Define a non-SSL Coyote HTTP/1.1 Connector on port

n

, while the SSL port section begins with

Define an SSL Coyote HTTP/1.1 Connector

on port

n

.

Windows

Windows allows for relocation of all files. If you accept the defaults in the iManager installation, look for Tomcat configuration files in the

rootdir

\novell\tomcat7\conf\server.xml

file.

If you can't find a configuration file, search the Windows registry for the Tomcat settings.

8.15

“Unable to Determine Universal Password Status” Error

If a UNIX eDirectory server is configured to use SSL for LDAP communications, you might receive the following error when you select the option in iManager to set a Simple Password:

Unable to determine universal password status

To resolve this error, run the

/usr/bin/nmasinst/nmasinst

utility on the eDirectory server. This utility lets you install login methods into eDirectory from a UNIX machine and is required to run the

Universal Password feature.

For more information, see the

NetIQ Modular Authentication Services 3.3 Administration Guide

(https:// www.netiq.com/documentation/edir88/nmas88/data/bookinfo.html) .

8.16

iManager Workstation Does Not Display Information

iManager workstation might not display error messages, and load pages such as Tree View, Object

Browse, Create Objects, and page after clicking the Refresh button. This happens when the

XULRunner browser cache contains old data of the previous build of iManager 2.7.7 workstation.

Work around: You must manually clear the data from browser cache.

For Windows:

1

Exit iManager.

2

Browse for

C:\Users\

<username>

\AppData\

<Profile>

\Mozilla\eclipse\Cache

(the path varies depending on the configuration and OS).

3

Delete all the data from the

Cache

directory.

4

Restart iManager.

For Linux:

1

Exit iManager.

2

Browse for one of the following:

Š

/root/.mozilla/eclipse/Cache

(for root user)

Š

/$HOME/.mozilla/eclipse/Cache

(for non-root user)

Troubleshooting

95

3

Delete all the data from the

Cache

directory.

4

Restart iManager.

8.17

Sometimes Refresh Button Does Not Function

Sometimes the Refresh button in various pages does not function when you click it.

Work around:

1

Log out from iManager.

2

Clear the browser’s cache.

Š

For Internet Explorer,

1. Click

Tools > Internet Options

. The Internet Options dialog box is displayed.

2. Under the

General

tab, under

Browsing history

, click Delete.

Š

For Firefox,

1. Click

Tools > Clear Private Data...

. The Clear Private Data dialog box is displayed.

2. Select

Cache

and click

Clear Private Data Now

.

3

Log in to iManager.

8.18

iManager Plug-in Installation Hangs or Plug-ins Are Not

Properly Installed

When you install iManager plug-ins, sometimes either the installation hangs or the plug-ins are not properly installed.

Work around

For iManager Standalone:

1

Log out from iManager.

2

Clear the browser’s cache.

Š

For Internet Explorer, do the following:

1. Click

Tools > Internet Options

. The Internet Options dialog box is displayed.

2. Under the

General

tab, under

Browsing history

, click Delete.

Š

For Firefox, do the following:

1. Click

Tools > Clear Private Data...

. The Clear Private Data dialog box is displayed.

2. Select

Cache

and click

Clear Private Data Now

.

3

Log in to iManager.

4

Re-install the plug-ins.

For iManager workstation:

Š

For Windows:

1. Exit iManager.

96

NetIQ® iManager Administration Guide

2. Browse for

C:\Users\

<username>

\AppData\

<Profile>

\Mozilla\eclipse\Cache

(the path varies depending on the configuration and OS).

3. Delete all the data from the

Cache

directory.

4. Restart iManager.

Š

For Linux:

1. Exit iManager.

2. Browse for one of the following:

Š

/root/.mozilla/eclipse/Cache

(for root user)

Š

/$HOME/.mozilla/eclipse/Cache

(for non-root user)

3. Delete all the data from the

Cache

directory.

4. Restart iManager.

8.19

Login Issue with Tree IP Address Change

Consider the following scenario:

1

Your IP address is

<xxx.xx.xx.xx>

, you have configured eDirectory on it, and your tree name is

<XXX_TREE>

.

2

You have a login cache that maps

<XXX_TREE>

to

<xxx.xx.xx.xx>

.

3

Because of network movement, you have got a new IP address

<yyy.yy.yy.yy>

, configured eDirectory on it, and the tree name remains same (

<XXX_TREE>

).

4

Another user has taken your previous IP address

<xxx.xx.xx.xx>

, and configured a new eDirectory tree

<YYY_TREE>

.

Now, if you log in to iManager with

<XXX_TREE>

tree name, you would log in to

<YYY_TREE>

because

<XXX_TREE>

maps to

<xxx.xx.xx.xx>

, but

<xxx.xx.xx.xx>

is currently configured with

<YYY_TREE>

.

Work around:

Š

For Windows,

1. Go to

...\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\

.

2. Open config.xml

file.

3. In the file, search for the

Cached-Tree

setting and delete your

Tree Name

value from the setting.

4. Delete the setting that starts with your tree name.

Š

For Linux,

1. Go to

/var/opt/novell/iManager/nps/WEB-INF

.

2. Open config.xml

file.

3. In the file, search for the

Cached-Tree

setting and delete your

Tree Name

value from the setting.

4. Delete the setting that starts with your tree name.

Troubleshooting

97

8.20

Insufficient Java Heap Size Results in Failed Login

To increase the heap size on a Linux server running Tomcat, stop Tomcat and open a terminal window. In the terminal, run the following command, then restart Tomcat: export CATALINA_OPTS="-Xms128m -Xmx1024m"

To increase the heap size on a Windows server running Tomcat, stop the Tomcat service, create a new environment variable called

JAVA_OPTS

, and set the value of the variable to

-Xms128m -Xmx1024m

, then restart the Tomcat service.

For information about stopping and starting Tomcat, see “Starting and Stopping Tomcat” on page 94 .

8.21

Java Error Messages are Displayed After Closing the

Browser of iManager Workstation

After logging out of iManager, when you close the browser, the following java error message is displayed.

#

# An unexpected error has been detected by Java Runtime Environment:

#

# SIGSEGV (0xb) at pc=0x8e4c6944, pid=4106, tid=3085011872

#

# Java VM: Java HotSpot(TM) Server VM (11.3-b02 mixed mode linux-x86)

# Problematic frame:

# C [libmozjs.so+0x2944] strftime+0x2944

Work around: Ignore the error message and the hs_err_pid####.log

files because they don’t affect the iManager workstation.

8.22

iManager and LDAP Use Different Date Ranges

If you create an attribute in iManager using the Time syntax, populate the attribute value, and then search for that value using LDAP, LDAP returns a value different from the value populated by iManager.

iManager and LDAP both natively store date values using the first 31 bits of a 32-bit unsigned integer. However, the two applications interpret the most significant bit (MSB) in the integer differently, with iManager using the MSB to store dates earlier than 1970 and LDAP using the MSB to store dates later than 2038. Therefore, the date range used by iManager is 1903-2038, while the date range used by LDAP is 1970-2106.

98

NetIQ® iManager Administration Guide

8.23

iManager Installation Fails on SLES 9 and RedHat 4

Platforms

When you try to launch iManager on platforms such as SLES 9 and Redhat 4, the installer throws the following exception. These platforms do not support Java 1.7 version. It is recommended not to install imanager on these platforms.

Invocation of this Java Application has caused an InvocationTargetException.

This application will now exit. (LAX)

Stack Trace: java.lang.NoClassDefFoundError: while resolving class: ZeroGe

at java.lang.VMClassLoader.resolveClass(java.lang.Class)

(/usr/lib/libgcj.so.5.0.0)

at java.lang.Class.initializeClass() (/usr/lib/libgcj.so.5.0.0)

at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)

at ZeroGd.<clinit>() (Unknown Source)

Caused by: java.lang.ClassNotFoundException: com.apple.mrj.MRJOSType not found in [file:/tmp/install.dir.4728/InstallerData/, file:/tmp/install.dir.4728/InstallerData/installer.zip, file:/usr/share/java/libgcj-3.4.3.jar, file:./, core:/]

at java.net.URLClassLoader.findClass(java.lang.String)

(/usr/lib/libgcj.so.5.0.0)

at gnu.gcj.runtime.VMClassLoader.findClass(java.lang.String)

(/usr/lib/libgcj.so.5.0.0)

Troubleshooting

99

100

NetIQ® iManager Administration Guide

9

Auditing iManager Events

Use Novell Audit for auditing iManager events. For more information, see the

Novell Audit 2.0

Administration Guide

(http://www.novell.com/documentation/novellaudit20/index.html) .

Audit has the following prerequisites:

ˆ

A server (Solaris, Windows, Linux) in your directory tree with Audit 2.0.x.

ˆ

Novell Audit Platform Agent installed on the iManager server or iManager Workstation desktop and configured to point to the Secure Logging Server.

Audit captures data about the following events:

Table 9-1

iManager Events

Event ID

150013

150004

150009

150001

150011

150006

150012

150015

150006

150010

150002

Event Name Description

Added Authorized User

Successful Login

Successful NPM Install

Startup iManager

Failed SSL Connection

Logout

Changed Configuration

An authorized user is added to eDirectory

The login to eDirectory from iManager was successful

The NPM install was successful

Tomcat has started

An SSL connection to eDirectory has failed

Logged out of iManager

The configuration has changed

Successful NPM Upload The NPM upload was successful

Failed Login The login to eDirectory from iManager has failed

Failed NPM Install

Shutdown iManager

The NPM installation has failed

Tomcat has stopped

The

IMAN_EN.LSC

file which contains this data is distributed under nps/support/audit

and is installed via the Audit process. It can also be installed manually by using the Novell Audit iManager plug-in as described in the following section.

9.1

Installing the IMAN_EN.LSC File in iManager

Install Audit

before

you install the

IMAN_EN.LSC

file.

1

Log in to iManager.

2

Click

Roles and Tasks > Auditing and Logging > Logging Server Options.

Auditing iManager Events

101

3

Browse to and select the Logging Server object, then click

OK

.

4

Click

Log Applications > Applications.

5

Click the Applications Actions link, then click

New.

6

Click

OK

to create a new Log Application in the container.

7

Specify a Log Application name.

8

To import the

IMAN _EN.LSC

file, click Browse and select the file found in the

TOMCAT_HOME\webapps\nps\support\audit

directory, then click

OK

.

The new log application should now appear under the Applications container.

9.2

Enabling Audit in iManager

1

Log in to iManager.

2

Click

Configure > iManager Server > Configure iManager

. The Configure iManager page is displayed.

3

Click the

Security

tab, select

Enable Novell Audit

, select the events you want to record, then click

Save

.

9.3

Configuring Audit for iManager Instrumentation

1

If you have not installed naudit.npm

, follow from

Step 2 . Otherwise, go to Step 7

.

2

Log in to iManager.

3

Click

Configure > Plug-in Installation > Available NetIQ Plug-in Modules.

4

Click

Add.

5

Select naudit.npm

from the local directory and click

Install.

6

Restart Tomcat.

7

Import the Nsure® Audit formatting file that allows the audit server to format logging events.

7a

Locate the

IMAN_EN.lsc

file from one of the following locations where iManager server is installed.

Š

Sys:\tomcat\5.0\webapps\nps\support\audit

(for Windows)

Š

/var/opt/novell/tomcat5/webapps/nps/support/audit

(for Linux)

7b

Copy this file to a temporary location on the local machine.

8

In iManager, click

Roles and Tasks > Auditing and Logging > Logging Server Options

.

9

Browse for the Logging Server object and click

OK

. The Logging Server Options: page is displayed.

10

Click the

Log Applications

tab.

11

Select

Container Name

, then under

Application Actions Menu,

click

New

. The New Log Application dialog box is displayed.

12

Specify a name for the

Log Application Name

(for example, iManagerInst).

13

Browse for the

IMAN_EN.lsc

file on the local machine or from the server location (see

Step 7.1

), then click

OK

to save the new Log Application object.

14

In the Logging Server Options: page, under

Applications

, click the

Log Application Name

(which you have specified in Step 12 ) link. The Modify Object: page is displayed.

15

Click

Configure > Events

.

102

NetIQ® iManager Administration Guide

16

Select

iManager Events

from the

Not grouped

list, click

Apply

, then click

OK

.

17

Restart/Reload the Audit Secure Logging Server for the changes to take effect.

18

Click

Configure > iManager Server > Configure iManager

. The Configure iManager page is displayed.

19

Select

Enable Novell Audit

to log any events that you select.

9.4

Configuring Audit for iManager Instrumentation with Third-

Party Certificates

1

Make sure you have created a Logging Application for iManager Instrumentation in the Audit

Server. If you have not created a Logging Application, perform from Step 8 to

Step 17 in

Section 9.3, “Configuring Audit for iManager Instrumentation,” on page 102 to create it.

2

Type the following command to create a Logging Application Certificate for iManager

Instrumentation in the Audit Server: audcgen -app:iManagerInst -cert:c:\cacert.pem -pkey:c:\capkey.pem -f bits:2048 -serial:12345 -appcert:c:\imanicert.pem -apppkey:c:\imanipkey.pem

3

Copy the generated certificate files ( imanicert.pem

and imanipkey.pem

) to the respective folders of iManager server.

For Windows:

Š c:\windows\imanicert.pem

Š c:\windows\imanipkey.pem

For Linux:

Š

/etc/imanicert.pem

Š

/etc/imanipkey.pem

4

Restart Tomcat.

9.5

Enabling XDAS Audit in iManager

XDAS Audit comes with iManager by default. XDAS Audit captures data about the following events:

Š

Added Authorized User

Š

Successful Login

Š

Successful NPM Install

Š

Startup iManager

Š

Failed SSL Connection

Š

Logout

Š

Changed Configuration

Š

Successful NPM Upload

Š

Failed Login

Š

Failed NPM Install

Š

Shutdown iManager

Auditing iManager Events

103

To enable XDAS audit for iManager:

1

Log in to iManager.

2

Click

Configure > iManager Server > Configure iManager

.

3

In the Configure iManager page, on the

Security

tab, select

Enable XDAS Audit

.

4

Select the events you want to record, and then click

Save

.

9.6

Configuring XDAS Audit for iManager

Table 9-2 lists the default location of the

xdasconfig.properties

file in different operating systems.

You can customize the file according to your requirements.

Table 9-2

Location of the XDAS Configuration File

Operating System

Linux

Windows

Linux and Windows

Workstation

File

/var/opt/novell/iManager/nps/WEB-INF/imanager_logging.xml

c:\Program Files\Novell\Tomcat\webapps\nps\WEB-

INF\imanager_logging.xml

<

unzipped workstation folder

>\imanager\tomcat\webapps\nps\WEB-

INF\imanager_logging.xml

Table 9-3

lists the XDAS configuration files.

Table 9-3

XDAS Configuration File

Options

Syslog Appender

Rolling File Appender

Name

syslog file_appender

The following table provides an explanation of each setting in the imanager_logging.xml

file.

Table 9-4

Syslog Settings

Setting

syslogHost syslogProtocol syslogSslKeystoreFile syslogSslKeystorePassword

Threshold

Description

IP address of the host in which the Audit server is running.

The protocol that must be used for communication

(UDP/TCP/SSL).

Location of the key store file.(Used only for SSL).

Password for the keystore file.(Used only for SSL).

Specifies the minimum log level allowed in the Syslog appender. Currently, INFO log level is supported.

104

NetIQ® iManager Administration Guide

Setting

Facility=USER

Layout

Description

Specifies the type of facility. The facility is used to try to classify the message.Currently, USER facility is supported. These values may be specified as upper or lower case characters.

Layout setting for Syslog appender.

Table 9-5

File Appender Settings

Setting

File= ${catalina.home}/logs/imanager.log

MaxFileSize=10MB

MaxBackupIndex=10 layout class=org.apache.log4j.PatternLayout

ConversionPattern="%t %d %-5p [%c:%M] %m%n”

Description

The default location of the log file for a File appender

The maximum size, in MBs, of the log file for a File appender. Set this value to the maximum size that the client allows.

Specifies the maximum number of backup files for a

File appender. The maximum number of the backup files can be 10. If the value of MaxBackupIndex is set to 0, no backup file will be created.

Layout setting for File appender.

Layout setting for File appender.

For information about the conversion patters and their descriptions, see logging.apache.org

.

To enable the Syslog appender, make the following changes in the imanager_logging.xml

file:

1

Edit the following entries:

<param name="Facility" value="user"/>

<param name="syslogHost" value=" 192.168.1.5:1468 "/

<param name="syslogProtocol" value="tcp"/>

<param name="syslogSslKeystoreFile" value="/root/Desktop/sentinel/ mykeystore.jks"/> param name="syslogSslKeystorePassword" value="novell"/>

<param name="Threshold" value="INFO"/>

2

Log into iManager and change the log events.

To enable the File appender, make the following changes in the imanager_logging.xml

file:

1

Edit the following entries:

<param name="File" value="${catalina.home}/logs/imanager.log"/>

<param name="Append" value="true" />

<param name="MaxFileSize" value="10MB" />

<param name="MaxBackupIndex" value="10" />

You can customize the

File

value in either of the following platforms:

Linux: /home/imanager.log

Auditing iManager Events

105

Windows: C:\\<directory>\\imanager.log

2

Select the desired event from iManager and save changes.

NOTE:

The Failed SSL connection XDAS event is logged multiple times because internally several attempts are made to establish an LDAP connection.

106

NetIQ® iManager Administration Guide

10

Best Practices and Common Questions

This section contains recommendations about the following topics from some of our experts. If you find something that works well for you, please share it at Cool Solutions (http://www.novell.com/ coolsolutions) .

Š

Section 10.1, “Backup and Restore Options,” on page 107

Š

Section 10.2, “Coexistence with previous versions of iManager 2.x and Role-Based Services,” on page 107

Š

Section 10.3, “Collections,” on page 108

Š

Section 10.4, “Failed Installs,” on page 108

Š

Section 10.5, “High Availability: Running iManager in a Clustered Environment,” on page 109

Š

Section 10.6, “Patching iManager,” on page 110

Š

Section 10.7, “Performance Tuning,” on page 110

Š

Section 10.8, “iManager AppArmor Profile,” on page 111

Š

Section 10.9, “Allocating Additional Tomcat Memory in Windows,” on page 111

10.1

Backup and Restore Options

There is no automatic backup and restore feature included with iManager. iManager is composed of two parts: the local files on the server and the Role-Based Services objects in eDirectory.

To make a full backup of iManager, make sure you have a valid backup of the RBS collection and all subordinate objects in the tree, either through replica redundancy or with an eDirectory backup solution.

All local iManager files on the file system are stored in the Tomcat directory. As long as you have a backup of the Tomcat directory, all iManager content is preserved. If the Tomcat directory is somehow compromised on the server, shutting down Tomcat and recopying the directory allows you to recover iManager. If you are not using RBS, backing up the Tomcat directory is all that is needed.

10.2

Coexistence with previous versions of iManager 2.x and

Role-Based Services

You should update your RBS collection to version 2.7. Otherwise, if you use iManager to access a tree that has an RBS collection from a previous version of iManager 2.x, you won't see all of the roles and tasks that should display.

1

In the Configure view, click

Role Based Services

>

RBS Configuration

.

2

Click the link in the

Out-of-Date

column for a module that needs updating.

Best Practices and Common Questions

107

3

On the Out-Of-Date Modules page, select a module, then click

Update

.

A message appears that confirms a successful update.

Updated plug-ins are visible in all versions of iManager 2.x.

10.3

Collections

It is important to recognize that one configuration is not ideal for all companies. We recommend multiple collections in a tree only if you use a hierarchical structure using geographical or functional organizations with different administrators in each location. Following are the most common situations together with suggestions for managing their respective collections:

Š

A hierarchical tree organized to reflect a geographical organization

Create a collection in every geographical location and have one or more iManager servers per location. Login time is faster and tree navigation is simplified. Each geographical administrator manages the collection of a specified location.

Š

A hierarchical tree that reflects the company's organizational structure

Create one collection at the same level as the organization and have one or more iManager servers as company size requires. You manage only one collection.

Š

A flat tree in which all objects are in a unique container

Create one collection as a sibling of the unique container and have one or more iManager servers as company size requires. You manage only one collection.

10.4

Failed Installs

To avoid failed installs, make sure that your operating system is updated to the most current version and that all system requirements are met. For more information, see “ Prerequisites ” in the

NetIQ® iManager Installation Guide

.

To recover from a failed install, assess the problem from the error message generated during installation.

Š

Section 10.4.1, “Windows,” on page 108

Š

Section 10.4.2, “Linux,” on page 109

10.4.1

Windows

1

If the error involves one of these components, check the specified log files for errors:

NICI:

installed directory

\temp\wcniciu0.log

Tomcat:

tomcat install directory

\Apache_Tomcat_InstallLog.log

. For example,

C:\Program Files\Novell\Tomcat\Apache_Tomcat_InstallLog.log

.

2

Check the iManager install log file (

servlet root

\WEB_INF\log\iManager_Install_2.7_InstallLog.log

) for any errors.

3

If the log file does not give sufficient information to identify the problem, rerun the install in debug mode.

108

NetIQ® iManager Administration Guide

To view or capture the debug output from an installer, open and copy the console output to a text file for later review.

3a

Immediately after launching the installer, hold down the Ctrl key until a console window appears.

3b

After the install has completed, click the icon in the upper left corner of the console window and select

Properties

>

Layout

.

3c

Change the buffer size to 3000, then click

OK

.

3d

In the Layout window, select

Edit

>

Select All

>

Edit

>

Copy

.

3e

Open a text editor and paste the output of the debug in it.

4

Identify and correct any errors or stack traces, then rerun the install.

10.4.2

Linux

1

Check the iManager install log file (

/var/log/Novell/ iManager_Install_2.7_InstallLog.log

) for any errors.

2

If the log file does not give sufficient information to identify the problem, rerun the install in debug mode.

At the command line, type the following: export LAX_DEBUG=true

3

Identify and correct any errors or stack traces, then rerun the install.

10.5

High Availability: Running iManager in a Clustered

Environment

Although iManager is a session-based tool that ships without any failover features, you can run it in a clustered environment. For more information about clustering, see the OES Clustering documentation (http://www.novell.com/documentation/oes/cluster-services.html#cluster-services) .

1

Install and configure iManager on the nodes in the cluster where the virtual IP is moved to (that is, an Active/Active cluster).

If the node running iManager fails, NetIQ Cluster Services detects the node failure and moves

(reloads) the virtual IP address on another node in the cluster.

2

Using the Generic_IP_Service template that ships with NetIQ Cluster Services, create a new cluster resource called iManager.

This cluster resource uses a virtual IP address that moves between nodes in the cluster. When creating a new cluster resource, the wizard steps you through the creation of a load script and an unload script.

3

Verify the load and unload scripts.

The load script should contain only the following lines (any other lines should be commented out):

. /opt/novell/ncs/lib/ncsfuncs exit_on_error add_secondary_ipaddress

xxx.xxx.xxx.xxx

exit 0

The unload script should contain only the following lines (any other lines should be commented out):

Best Practices and Common Questions

109

. /opt/novell/ncs/lib/ncsfuncs ignore_error del_secondary_ipaddress

xxx.xxx.xxx.xxx

exit 0

4

Browse to the iManager URL . iManager services are now highly available. However, any live sessions are not failed over. If a service fails in the middle of user operations, users must reauthenticate and restart whatever operations were interrupted.

Because iManager and Tomcat are already running (Active/Active) on the other nodes, there is no load time for these applications if NetIQ Cluster Services has to migrate (move) the virtual IP to another node.

There is little benefit in using an Active/Passive cluster because it requires much more configuration and makes you wait the entire load time for each failover. If you really want iManager configured as an Active/Passive clustered resource, you must create a cluster resource that loads and unloads iManager and its dependencies (such as Tomcat). This identical configuration of iManager then needs to be done on all nodes where you want iManager highly available.

10.6

Patching iManager

Patching a server is as easy as installing a module. Any updates for iManager are packaged into an plug-in package (NPM) file. This file is installed like any other plug-in.

1

In the Configure view, select

Plug-in Module Installation

.

2

Select

Available NetIQ Plug-in Modules

.

3

Select the patch from the download list or Click

Add

.

4

Browse to the location of the patch file, then click

OK

.

5

Select the patch from the list, then click

Install

.

The server is patched with the latest code.

6

Restart Tomcat when the install is finished.

10.7

Performance Tuning

The following are tips for enhancing speed and efficiency.

10.7.1

Using Dynamic Groups with RBS

Disable Dynamic Group support for RBS if you are not using this feature. By default, Dynamic Group support is enabled and, when used, significantly taxes resources because of the extensive searches it conducts.

1

In the Configure view, click

iManager Server

>

Configure iManager

.

2

Select the

RBS

tab, then deselect

Enable Dynamic Groups

.

110

NetIQ® iManager Administration Guide

10.7.2

Role Assignments

If you have assigned more than five users to a role within the same scope, consider using Group objects to reduce the number of role assignments and make RBS administration more efficient. By doing so, you have fewer objects to update and you can manage the Group object by adding and removing members.

Also, consider using Dynamic Group objects. You can set up User objects to match a Dynamic Group search criteria.

10.8

iManager AppArmor Profile

Novell Open Enterprise Server 2—Linux includes an AppArmor profile for iManager 2.7.7. The profile name is etc.opt.novell.tomcat5.init.d.tomcat5

and is installed at

/etc/apparmor/ profiles/extras/iManager

.

The iManager AppArmor profile is not enabled by default. To enable it, copy the profile into the

/ etc/apparmor.d

folder.

For more information about AppArmor and AppArmor profiles, see the Novell AppArmor documentation (http://www.novell.com/documentation/apparmor/) .

10.9

Allocating Additional Tomcat Memory in Windows

1

Go to Tomcat/bin folder (For example, c:\Program Files\Novell\Tomcat\bin

)

2

Right-click on tomcat7w.exe

file.

3

Open

Tomcat7 Properties

window.

4

Click

Java

tab.

5

Specify the Initial & Maximum memory pool sizes.

IMPORTANT:

Ensure that the Initial & Maximum memory pool sizes that you specify is less than your physical RAM's size, otherwise it may cause more performance issues.

6

Click

Apply

, then click

Ok

.

7

Restart Tomcat Service.

TIP:

To verify the new settings, go to the URL of Tomcat server and click

Server Status

.

Best Practices and Common Questions

111

112

NetIQ® iManager Administration Guide

A

iManager Security Issues

This section provides information about potential security issues related to iManager, and includes information about the following topics:

Š

Section A.1, “Secure LDAP Certificates,” on page 113

Š

Section A.2, “Self-Signed Certificates,” on page 114

Š

Section A.3, “iManager Authorized Users and Groups,” on page 115

Š

Section A.4, “Preventing User Name Discovery,” on page 115

Š

Section A.5, “Tomcat Settings,” on page 115

Š

Section A.6, “Encrypted Attributes,” on page 116

Š

Section A.7, “Secure Connections,” on page 116

A.1

Secure LDAP Certificates

iManager can create secure LDAP connections behind the scenes without any user intervention. If the

LDAP server’s SSL certificate is updated for any reason (for example, new Organizational CA), iManager should automatically retrieve the new certificate using the authenticated connection and import it into its own keystore database.

If this does not happen correctly, you must delete the private key store that iManager uses, in order to force iManager and Tomcat to re-create the database and reacquire the certificate:

1

Shut down Tomcat.

2

Delete the

TOMCAT_HOME

\webapps\nps\WEB-INF\iMKS

file.

3

Restart Tomcat.

For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94 .

4

Open iManager in a browser and log back in to the tree, to automatically reacquire the new certificate and re-create the database store.

Alternately, you can also manually import the required certificate into Tomcat’s JVM default keystore using the keytool certificate management utility available in the JDK. When creating secure SSL connections, iManager first tries the JVM default keystore, then uses the iManager specific keystore database.

After you have an eDirectory certificate saved in DER format, you must import the trusted root certificate into the iManager keystore. To do this, you need a JDK to use keytool. If a JRE was installed with iManager, you must download a JDK to use the keytool.

iManager Security Issues

113

NOTE:

For information about creating a

.der

certificate file, see “Exporting a Trusted Root or Public

Key Certificate” (https://www.netiq.com/documentation/edir88/crtadmin88/data/bookinfo.html) in the

NetIQ Certificate Server Administration Guide

. You will want to export the trusted root certificate.

1

Open a command window.

2

Change to the

\bin

directory where you have installed the JDK.

For example, on a Windows system, you would enter the following command: cd j2sdk1.5.0_11\bin

3

Import the certificate into the keystore with the keytool, executing the following keytool commands (platform specific):

Š

Linux keytool -import -alias [

alias_name

] -file [

full_path

]/trustedrootcert.der keystore [

full_path

]/jre/lib/security/cacerts

Š

Windows keytool -import -alias [

alias_name

] -file [

full_path

]\trustedrootcert.der keystore [

full_path

]\jre\lib\security\cacerts

Replace

alias_name

with a unique name for this certificate and make sure you include the full path to trustedrootcert.der

and cacerts

.

The last path in the command specifies the keystore location. This varies from system to system because it is based on where iManager is installed. The following are the examples of default locations for iManager on Windows and Linux:

On Windows:

C:\Program Files\Novell\jre\lib\security\cacerts

On Linux:

/

<JAVA_HOME>

/jre/lib/security/cacerts

4

Enter changeit

for the keystore password.

5

Click

Yes

to trust this certificate.

NOTE:

This process must be repeated for each eDirectory tree you will be accessing with iManager.

If LDAP has been configured to use a certificate not signed by the tree’s Organizational CA, you must import that certificate’s Trusted Root. This is necessary, for example, if LDAP is configured to use a

VeriSign*-signed certificate.

A.2

Self-Signed Certificates

iManager includes a temporary, self-signed certificate that you use when installing iManager on

Linux or Windows platform. It has an expiration date of one year. For more information, see “ Self-

Signed Certificates ” in the

NetIQ® iManager Installation Guide

.

114

NetIQ® iManager Administration Guide

A.3

iManager Authorized Users and Groups

Authorized Users and Groups are those that iManager permits to perform its various administrative tasks. For more information about specifying and configuring Authorized Users and Groups, see

“Authorized Users and Groups” on page 72 .

Authorized Users and Groups data is stored in the configiman.properties

file, which must be secured to prevent unauthorized modification. To do this, modify the access controls for configman.properties

to restrict those users authorized to manually edit the file.

NOTE:

Not specifying an Authorized User or Group, which prevents the configiman.properties

file from being created, or specifying an Authorized User or Group of

AllUsers

, allows any user to install iManager plug-ins and modify iManager server settings. This is a security risk for server-based iManager environments.

A.4

Preventing User Name Discovery

In some installations, the eDirectory server is protected behind a firewall, but the iManager server is open to the outside world to allow management from home or on the road. Access to iManager is controlled with

Username

,

Password

, and

Treename

fields on the login screen. In such installations, it is often desirable to tighten security to avoid revealing any information about the system.

Standard iManager configurations pass through eDirectory messages related to invalid user names and passwords during iManager authentication. These messages can inadvertently provide too much information to potential crackers. To avoid this, iManager 2.7.7 includes a configuration option to hide the specific reason for login failure. When enabled, the following error messages are replaced with a generic error message that reads:

Login Failure. Invalid Username or Password

.

Š

Invalid Username (-601)

Š

Incorrect password (-669)

Š

Expired password or disabled account (-220)

To enable this setting, open the

Configure

view and select

iManager Server

>

Configure iManager

. On the

Authentication

tab, select

Hide specific reason for login failure

. This sets

Authenticate.Form.HideLoginFailReason=true

in iManager’s config.xml

file.

Additionally, iManager 2.7.7 does not support the asterisk (*) character as a wildcard in the

Username

field. This prevents unauthorized users from discovering valid user names. It also prevents possible denial-of-service attacks that attempt to overload the eDirectory server by continually attempting a login using only the wildcard (*), which forces eDirectory to search for and return all matching user names.

A.5

Tomcat Settings

Because iManager makes use of Tomcat Servlet Container, iManager administrators should be aware of the encryption-related configuration options of those resources as part of their overall security strategy. Of particular interest are cipher suites and trusted certificates, which directly impact the quality of your wire-level encryption. Consider the following rules when configuring your Tomcat environment:

Š

Do not use SSL 2.0 cipher suites, which are outdated and not guaranteed to be secure.

Š

Do not use the NULL cipher suite in a production environment.

iManager Security Issues

115

Š

Do not use any cipher suite classified as LOW or EXPORT quality, because these are less secure.

Š

Regularly review the list of trusted certificates, and limit the list of accepted Certificate

Authorities to only those you are actually using

More information for Tomcat is available at the Apache Tomcat Documentation Web site (http:// tomcat.apache.org/tomcat-4.1-doc/index.html) .

NOTE:

Because of the way that iManager interprets and uses data, there are no known risks of

HTML-based attacks such as cross-site scripting.

A.6

Encrypted Attributes

iManager is able to securely read eDirectory 8.8 encrypted attributes. However, because of the way it determines if an attribute is encrypted, iManager does not securely modify or delete these encrypted attributes. The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:

Š

Locating all iManager servers behind the firewall

Š

Locating iManager servers physically near their associated eDirectory servers

Š

Physically securing iManager and eDirectory servers

Š

Requiring remote administrators to use a VPN to access iManager and eDirectory servers

A.7

Secure Connections

Although iManager leverages secure HTTP (SSL) for client communications, and secure LDAP connections between iManager and eDirectory servers, iManager does not, with the exception of reading encrypted attributes, utilize secure NCP connections for communications between iManager servers and eDirectory servers.

This is also true for the NCP connection used by Mobile iManager. The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:

Š

Locating all iManager servers behind the firewall

Š

Locating iManager servers physically near their associated eDirectory servers

Š

Physically securing iManager and eDirectory servers

Š

Requiring remote administrators to use a VPN to access iManager and eDirectory servers

NOTE:

Regardless of the wire-level encryption being used, passwords are always encrypted and protected as part of the iManager authentication process.

116

NetIQ® iManager Administration Guide

B

NetIQ Plug-in Modules

iManager 2.7.7 ships with the following roles as part of the base.npm

plug-in. Additional plug-in modules must be downloaded separately.

Š

Directory Administration

Š

Partitions and Replicas

Š

Help Desk

Š

Schema

Š

Rights

Š

Users

Š

Groups

The best place to locate and download iManager plug-ins is within iManager on the

Available NetIQ

Plug-in Module

page. Alternately, you can download plug-ins from the NetIQ download site (https:// dl.netiq.com/index.jsp) . Select iManager as the product in the search criteria.

Additionally, NetIQ occasionally releases iManager plug-in updates. These updates are available on the NetIQ iManager Plug-ins download site (https://www.netiq.com/support/imanager/plugins/) .

iManager base plug-ins are only available as part of the complete iManager software download (for example, eDirectory administrative plug-ins). Unless there are specific updates to these plug-ins, they can only be downloaded and installed with the entire iManager product.

You can download the iManager plug-ins from For more information about downloading iManager plug-ins, see “ Downloading and Installing Plug-Ins During Installation ” in the

NetIQ® iManager

Installation Guide

.

NOTE:

By default, the plug-in modules are not replicated between iManager servers. We recommend that you install the plug-in modules you want on each iManager server.

NetIQ Plug-in Modules

117

118

NetIQ® iManager Administration Guide

advertisement

Key Features

  • Single point of administration for NetIQ eDirectory
  • Single point of administration for many other network resources
  • Management of many other NetIQ and Novell products
  • Role-Based Services (RBS) for delegated administration

Frequently Answers and Questions

How do I access iManager?
You access iManager via a Web browser. You can either access it directly on the server or using iManager Workstation.
What are the supported Web browsers for iManager?
The supported browsers are Safari 5.1.4, Safari 6.0, Google Chrome 22, 23, 25, 26, 27, and 28, Internet Explorer 8, 9, or 10, Firefox 4.0.1 and 9.0.1, Firefox 21, 22, and 23.
What are the advantages of using iManager?
iManager is a Web-based tool, so it enjoys several advantages over client-based administrative tools, such as upgrade once on the server for all administrative users, changes to iManager look, feel, and functionality are immediately available to all administrative users and no need to open additional administrative ports for remote access.

Related manuals

Download PDF

advertisement

Table of contents