
Novell eDirectory

This chapter is from the book

This chapter covers the following testing objectives for Novell Course 3001: Foundations of Novell Networking:

  1. Identify basic Directory Service tasks.

  2. Identify common Directory Service uses.

  3. Describe how a Directory is structured.

  4. Identify the role and benefits of eDirectory.

  5. Identify how eDirectory 8.6 works.

  6. Identify and describe the composition of eDirectory.

  7. Identify and describe eDirectory object classes.

  8. Identify the flow and design of the eDirectory tree.

NetWare 6 introduces eDirectory 8.6, the greatest version to date of Novell's world-class directory service.

eDirectory is the world's leading Directory service. It provides a unifying, cross-platform infrastructure for managing, securing, accessing, and developing all major components of your network. eDirectory scales to the largest network environments, including the Internet. Because it is based on the X.500 standard, eDirectory supports Lightweight Directory Access Protocol (LDAP), Hypertext Transfer Protocol (HTTP), and the Java programming environment.

eDirectory can store and manage millions of objects in a seamless ballet of communications. It also provides the foundation network service for all NetWare servers and network resources. In fact, after network communications, it is the most fundamental network service offered by NetWare 6.

With all this in mind, I'm sure you would agree that eDirectory management is one of your key responsibilities as a Novell CNA (Certified Network Administrator). In this chapter, you will explore four important lessons regarding eDirectory management:

  • Introduction to Directory Services—You'll begin with a brief introduction to the basics of Directory services, including some common uses and how a Directory is structured.

  • Understanding eDirectory 8.6—Then you'll explore the architecture of Novell eDirectory version 8.6 and compare it to its predecessor, Novell Directory Services (NDS).

  • Using eDirectory Objects—You'll dig into the basics behind eDirectory's three types of objects: the Tree object, container objects, and leaf objects.

  • Implementing eDirectory 8.6 Naming—Finally, you'll learn about naming conventions used in eDirectory, including naming context rules and inheritance.

As you can see, there's a lot to learn in this chapter and when it's all done, you'll be an accomplished eDirectory administrator. So, let's get started!

Introduction to Directory Services

Test Objectives Covered:

  1. Identify basic Directory Service tasks.

  2. Identify common Directory Service uses.

  3. Describe how a Directory is structured.

  4. Identify the role and benefits of eDirectory.

The Directory Service is one of the most fundamental network services provided by all NetWare 6 servers. In fact, it represents the communications hub for administrative connectivity between all servers in a large NetWare 6 network. As such, Directory Service management is one of your key responsibilities as the network administrator.

As its name implies, the Directory service provides access to a database, called eDirectory, that contains all resources for the entire network. This object-oriented database is organized into a hierarchical structure called the tree. eDirectory provides the basic foundation for the Directory service, including capabilities for replication and distribution. Directory is capitalized in this case to differentiate it from the directory (or folder) in the file system. In fact, these two "directories" define the two major roles of a NetWare 6 CNA: File System Administrator (directories and files) and eDirectory Administrator (the Directory).

The Directory service is your friend. It may seem a little intimidating at first, but when you get to know the Directory service (and eDirectory, for that matter), it's actually fun. Really.

How Directory Services Work

A Directory service classifies all network resources into a finite number of objects. These objects can be organized by function, location, size, type, or color—it doesn't matter. The point is, a Directory service organizes network resources independently from their physical locations. For example, servers are organized according to function. Then users are placed in the appropriate containers to simplify connectivity. This increases productivity because users are near the resources they need. When a user logs in to the network, the user can access any object in the Tree, regardless of its location. This provides a slick means for managing not only users, but also all their hardware and applications. Of course, in the eDirectory tree (as in life), it is best to place User objects and their resources (Printers, Servers, and Volumes) in close proximity to each other.

A Directory service performs several basic tasks, including the following:

  • Connecting disparate systems—A Directory service integrates and organizes heterogeneous systems to allow them to share common management. In today's business world, such systems are required not only to communicate with each other, but also to share information and use common services to meet the objectives of the organization.

  • Satisfying the needs of the user, organization, and business—The network must be flexible enough to provide a set of unique services based on individual needs.

  • Emulating all business relationships—The network must be capable of ensuring that trusted relationships are built and maintained between people, business, the company's intranet, and the World Wide Web.

  • Coordinating information flow—Information may emanate either from the business (procedural) or from the network (technical). A Directory service coordinates information flow, no matter what the source or type of information.

  • Ensuring information availability—A Directory service provides a means for making all network information available to users, devices, applications, or other resources.

TIP

A Directory and a Relational Database Management System (RDBMS) are two separate entities with different functions. Even though a Directory is a collection of information, it does not replace the traditional RDBMS. Directories and databases complement one another, even though they serve different purposes.

Typically, a Directory service may be used in the following ways:

  • Organizing data—A Directory service organizes data or information for the network. In NetWare 6, eDirectory stores all user, server, printer, and other network device information.

  • Accessing information easily—Similar to the file-and-folder system used on a computer, a Directory service makes information about network resources available to users, devices, and applications. A Directory service provides employees with global access to network resources. Businesses and organizations also use Directory services to provide user authentication and authorization for using these network resources and services. For organizations with large numbers of mobile users, eDirectory provides a means for storing user information required by some applications. (Such applications are described as Directory-enabled.) From the user's point of view, a Directory service provides a global view of all network resources, such as users, applications, services, system resources, and devices.

  • Providing security—A Directory service uniquely identifies network resources, locates network objects when required, supports robust security features, and controls the user access to network resources.

  • Providing services to customers—For organizations taking advantage of the features of electronic business transactions, Directory services can help organize multiple databases while helping to mesh disparate network systems. This provides better management of processes between customers, employees, and supply-chain partners. The resulting benefits are as follows: reduced costs for administration and hardware, faster access to data and information, and secure network access with superior fault tolerance.

From a general perspective, Directory services can also provide electronic provisioning, enhanced security, customer profiling, electronic wallets, automated notification systems, customized Web interfaces, and virtual private networks (VPNs).

Note

A virtual private network (VPN) often is used to transfer sensitive company information across an untrusted network (such as the Internet) in a secure fashion (typically by encapsulating and encrypting data).

So, what do you think? Is a Directory service for you? Who knows—you might even like it.

Directory Architecture

As you recall, the Directory service provides access to the eDirectory database, which contains all resources for the entire network. What exactly does eDirectory look like? From the outside, it looks like a big cloud hovering over your network. On the inside, however, it follows a hierarchical tree structure similar to the Internet domain system, which starts at the WWW Root, expands to ".com" domains, and eventually reaches servers. In NetWare 6, this design is referred to as the Directory Information Tree, which is shortened to the "tree" for purposes of our discussion.

Think of the tree as actually being inverted. As in nature, the eDirectory tree starts with the Tree object (called the Tree Root) and builds from there. Next, it sprouts container objects, which are branches reaching toward the sky. Finally, leaf objects provide network functionality to users, servers, and the file system. As you can see in Figure 3.1, the tree analogy is alive and well.

Figure 3.1 The figurative Directory services tree.

The real eDirectory tree is made up of logical network objects. eDirectory objects define logical or physical entities that provide organizational or technical function to the network. As you will see later in this chapter, they come in three flavors:

  • Tree Root

  • Container objects

  • Leaf objects

The Tree Root is the very top of the eDirectory tree. Because it represents the opening porthole to the eDirectory world, its icon is appropriately a picture of a tree. Container objects define the organizational boundaries of the eDirectory tree and house other container objects and/or leaf objects. When a container object contains other objects, it is called a parent object.

Finally, leaf objects are the physical or logical network resources that provide technical services and network functionality. Leaf objects define the lowest level of the eDirectory structure. You'll learn about the most interesting leaf objects later in this chapter.

The structure of the Directory is governed by a set of rules collectively known as the Directory schema. These rules define the type of data, the syntax of that data, and the objects the Directory can contain. Schema rules fall into two broad categories:

  • Object class definitions—These define the type of objects and the attributes of those objects.

  • Attribute definitions—These define the structure (syntax and constraints) of an attribute. Simply stated, the attribute value is the actual content or data.

Remember when I told you that eDirectory was based on the X.500 standard? Before you go tree climbing and explore the dynamics of eDirectory, take a quick look at that standard to see what that all means. I think you'll spot some amazing similarities between X.500 and what you've just learned about Directory services.

Understanding X.500

X.500 is an international standard for naming services. A variety of industry standards, such as DNA (Digital Network Architecture), use X.500 with their own naming services to provide address-to-name resolution and directory services. This enables these distributed machines to exist in a large hierarchical management system.

X.500 organizes network resources (such as users and servers) into a globally accessible Directory. The X.500 specification establishes guidelines for representing, accessing, and using information stored in a directory database. In fact, eDirectory is Novell's implementation of the following X.500 features:

  • Scalability—Large databases can be subdivided into smaller Directory System Agents (DSAs). A DSA can represent either a single organization or multiple organizations, and its contents may be distributed across multiple Directory servers. eDirectory calls them partitions.

  • Replication—This feature allows the Directory database, or portions thereof, to be replicated on backup Directory servers located throughout the network.

  • Synchronization—Because X.500 must manage a loosely coupled, distributed database, each server must be able to synchronize its database contents with other servers. Directory database updates may be made either at the original master database (master-shadow arrangement) or at any writable replica (peer-to-peer mechanism). In either case, X.500 propagates Directory database change information to all servers holding replicas of the database or a DSA.

The X.500 Directory is represented by a Directory Information Tree (DIT) and Directory Information Base (DIB). At least one of those should sound familiar. The DIB consists of objects (or nodes) and their associated properties and values. Intermediate objects act as containers that aid in organizing the DIT. Leaf objects represent individual network entities, such as servers, printers, and so on. Refer to Figure 3.2 for an illustration of the X.500 Directory architecture.

The rules that determine the type of information that may be stored in the DIB are held in the Directory's schema. (Now this should be sounding really familiar.) Each object in an X.500 DIT has a unique name that is referred to as its distinguished name, or DN (that is, its complete name). Each object may also be referred to by a relative distinguished name, or RDN (that is, a partial name).
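The schema rules (object class and attribute definitions) and the DN/RDN naming described above can be seen working together in a small model. This is an added example, not code from the book or from eDirectory: the class names, attribute syntaxes and containment rules are a constructed, minimal schema, and the DN is written in LDAP string form (most specific RDN first).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

class SchemaError(ValueError):
    """Raised when an entry would violate the schema."""

# Attribute definitions: attribute type -> value syntax (constructed for this example).
# Commas, '=' and '+' are excluded, so the DN strings below need no escaping.
ATTRIBUTE_DEFS = {
    "O": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "OU": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "CN": re.compile(r"[A-Za-z0-9 _.-]{1,64}"),
    "mail": re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+"),
}

# Object class definitions: naming attribute, optional attributes, allowed parents.
OBJECT_CLASSES = {
    "Tree": dict(naming=None, may=set(), parents=set(), container=True),
    "Organization": dict(naming="O", may=set(), parents={"Tree"}, container=True),
    "OrganizationalUnit": dict(naming="OU", may=set(), container=True,
                               parents={"Organization", "OrganizationalUnit"}),
    "User": dict(naming="CN", may={"mail"}, container=False,
                 parents={"Organization", "OrganizationalUnit"}),
}

@dataclass(eq=False)
class Entry:
    object_class: str
    name: str = ""
    attrs: dict = field(default_factory=dict)
    parent: Optional["Entry"] = field(default=None, repr=False)
    children: dict = field(default_factory=dict, repr=False)

    @property
    def rdn(self) -> str:
        """Relative distinguished name: unique only among siblings."""
        return f'{OBJECT_CLASSES[self.object_class]["naming"]}={self.name}'

    @property
    def dn(self) -> str:
        """Distinguished name: RDNs from this entry up to (not including) the root."""
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.rdn)
            node = node.parent
        return ",".join(parts)

def add(parent: Entry, object_class: str, name: str, **attrs: str) -> Entry:
    """Create an entry under parent, enforcing class and attribute rules."""
    cls = OBJECT_CLASSES.get(object_class)
    if cls is None or cls["naming"] is None:
        raise SchemaError(f"cannot create object of class {object_class!r}")
    parent_cls = OBJECT_CLASSES[parent.object_class]
    if not parent_cls["container"] or parent.object_class not in cls["parents"]:
        raise SchemaError(f"{parent.object_class} may not contain {object_class}")
    if not ATTRIBUTE_DEFS[cls["naming"]].fullmatch(name):
        raise SchemaError(f"bad syntax for {cls['naming']}: {name!r}")
    for attr, value in attrs.items():
        if attr not in cls["may"]:
            raise SchemaError(f"{attr!r} is not an attribute of {object_class}")
        if not ATTRIBUTE_DEFS[attr].fullmatch(value):
            raise SchemaError(f"bad syntax for {attr}: {value!r}")
    entry = Entry(object_class, name, dict(attrs), parent)
    key = entry.rdn.lower()  # names compared case-insensitively (assumption)
    if key in parent.children:
        raise SchemaError(f"{entry.rdn} already exists under this parent")
    parent.children[key] = entry
    return entry

def build_sample_tree() -> Entry:
    """Constructed sample data: Tree -> O=ACME -> OU=Sales -> CN=jsmith."""
    tree = Entry("Tree")
    sales = add(add(tree, "Organization", "ACME"), "OrganizationalUnit", "Sales")
    add(sales, "User", "jsmith", mail="jsmith@example.com")
    return tree
```

Rejecting an entry at creation time, rather than repairing it later, is what keeps every replica of the database holding only objects that the schema allows.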

Directory database access is managed by a DSA running on a local server. Users access the database through a Directory User Agent (DUA). DUAs are available in command-line, forms-based, and browser-style interfaces. DSAs and DUAs communicate with each other using the Directory Access Protocol (DAP). Furthermore, DSAs may communicate with one another using the Directory System Protocol (DSP), Directory Information Shadowing Protocol (DISP), or the Directory Operational Binding Management Protocol (DOP).

Figure 3.2 X.500 Directory architecture.

Now that you know where Directory services came from and generally how they work in NetWare 6, it's time to do some tree climbing! Sounds like that fun I promised you, doesn't it?
