Novell iManager 2.5 Administration Guide

Novell

www.novell.com

novdocx (ENU) 01 February 2006

iManager

2.5

March 15, 2006

ADMINISTRATION GUIDE

novdocx (ENU) 01 February 2006

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and

specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time,

without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims

any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.

reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to

notify any person or entity of such changes.

You may not use, export, or re-export this product in violation of any applicable laws or regulations including,

without limitation, U.S. export regulations or the laws of the country in which you reside.

stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this

document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.

patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent

applications in the U.S. and in other countries.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get

updates, see www.novell.com/documentation.

novdocx (ENU) 01 February 2006

Novell Trademarks

ConsoleOne is a registered trademark of Novell, Inc. , in the United States and other countries.

DirXML is a registered trademark of Novell, Inc. , in the United States and other countries.

eDirectory is a trademark of Novell, Inc.

exteNd is a trademark of Novell, Inc.

exteNd Director is a trademark of Novell, Inc.

NetWare is a registered trademark of Novell, Inc. , in the United States and other countries.

NMAS is a trademark of Novell, Inc.

Novell is a registered trademark of Novell, Inc. , in the United States and other countries.

Novell Directory Services and NDS are registered trademarks of Novell, Inc. in the United States and other countries.

Nterprise is a trademark of Novell, Inc.

SUSE is a registered trademark of SUSE LINUX AG, a Novell company.

Novell Distributed Print Services is a tradement of Novell, Inc. , in the United States and other countries.

NDPS is a registered trademark of Novell, Inc. , in the United States and other countries.

Nsure is a registered trademark of Novell, Inc. , in the United States and other countries.

Novell Certificate Server is a trademark of Novell, Inc. , in the United States and other countries.

Third-Party Materials

All third-party trademarks are the property of their respective owners.

novdocx (ENU) 01 February 2006

5

About This Guide

This guide describes how to administer Novell

®

iManager 2.5. It is intended for network

administrators and contains the following sections:

• Chapter 1, “Overview,” on page 7

• Chapter 2, “Accessing iManager,” on page 9

• Chapter 3, “Navigating the iManager Interface,” on page 13

• Chapter 4, “Roles and Tasks,” on page 17

• Chapter 5, “Configuring for iManager Auditing,” on page 37

• Chapter 6, “Configuring and Customizing iManager,” on page 39

• Chapter 7, “Preferences,” on page 57

• Chapter 8, “Troubleshooting,” on page 59

• Chapter 9, “Best Practices and Common Questions,” on page 65

Additional Documentation

Documentation for all Novell software products is available at www.novell.com/documentation

(http://www.novell.com/documentation).

For documentation on installing and using NetWare

®

, see the Novell NetWare documentation Web

site (http://www.novell.com/documentation/NetWare.html).

For documentation on installing and running eDirectory

TM

, see the Novell eDirectory documentation

Web site (http://www.novell.com/documentation/eDirectory.html).

For additional information on current iManager 2.5 issues, please see TID #10097429, Novell

iManager 2.5 Readme Addendum (http://support.novell.com/cgi-bin/search/searchtid.cgi?/

10097429.htm).

For support documentation, see http://support.novell.com (http://support.novell.com).

For other documentation resources, see Section 1.2, “Additional Resources,” on page 7.

Documentation Updates

For the latest iManager documentation, see the Novell documentation Web site (http://

www.novell.com/documentation).

Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items

within a cross-reference path.

A trademark symbol (

®

,

TM

, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party

trademark.

6 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

When a single pathname can be written with a backslash for some platforms or a forward slash for

other platforms, the pathname is presented with a backslash. Users of platforms that require a

forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.

Overview

1

novdocx (ENU) 01 February 2006

7

1

Overview

Novell

®

iManager is a Web-based administration console that provides secure, customized access to

network administration utilities and content from virtually anywhere you have access to the Internet

and a Web browser.

iManager provides the following:

• Single point of administration for Novell eDirectory

TM

objects, schema, partitions and replicas

• Single point of administration for many other network resources

• Management of many other Novell products using iManager plug-ins

• Role-Based Services (RBS) for delegated administration

1.1 What's New in Version 2.5

Novell iManager 2.5 contains the following new features:

• Improved installation programs

• Enhanced group management capabilities

• Backward compatibility with most iManager 2.0.x plug-ins

• Enhanced Role-Based Services (RBS) management and reporting

• Improved interface customization options

• Mobile iManager software, which allows you to run iManager locally on a Linux* or

Microsoft* Windows* workstation

1.2 Additional Resources

For more information on topics relevant to Novell iManager, refer to the following Web sites:

• Apache HTTP server (http://httpd.apache.org)

• Tomcat servlet container (http://jakarta.apache.org/tomcat)

• Java* Web site (http://java.sun.com)

• Microsoft Windows Web Services (http://www.microsoft.com/technet/treeview/

default.asp?url=/technet/prodtechnol/iis/default.asp)

• Novell eDirectory product home page (http://www.novell.com/products/edirectory)

• Novell eDirectory product documentation (http://www.novell.com/documentation/

eDirectory.html)

• Novell eDirectory Cool Solutions community (http://www.novell.com/coolsolutions/nds)

8 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

Accessing iManager

2

novdocx (ENU) 01 February 2006

9

2

Accessing iManager

Novell

®

iManager is accessed via a Web browser. This section includes the following topics:

• Section 2.1, “Using a Supported Web Browser,” on page 9

• Section 2.2, “Accessing iManager,” on page 9

• Section 2.3, “Accessing iManager with a Screen Reader and Other Accessibility Options,” on

page 10

• Section 2.4, “Access Modes,” on page 10

• Section 2.5, “Authenticating,” on page 11

• Section 2.6, “iManager Session Timeouts,” on page 11

2.1 Using a Supported Web Browser

For iManager access and complete use of all its features, you must use a computer running one of

the following Web browsers:

• Microsoft Internet Explorer 6.0 SP1

• Mozilla* 1.7

• Mozilla Firefox* 1.0

IMPORTANT: Although you might be able to access iManager via a Web browser not listed, we do

not guarantee or support full functionality with any browser other than those listed above.

2.2 Accessing iManager

To access Novell iManager:

1 Enter the following in the address (URL) field from a supported Web browser:

http://server_IP_address/nps/iManager.html

For example:

http://127.0.0.1/nps/iManager.html

NOTE: You might be redirected to an https secure page, depending on your platform.

2 Log in using your username and password.

You will have access only to those features you have rights to. To have full access to all Novell

iManager features, you must log in as Supervisor of the tree.

10 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

2.3 Accessing iManager with a Screen Reader

and Other Accessibility Options

iManager includes a simple display that can be effectively used with screen readers in Internet

Explorer on a Windows* platform (client side).

1 Enter the following in the Address (URL) field of a supported Web browser:

http://server_IP_address/nps/Simple.html

For example:

http://127.0.0.1/nps/Simple.html

2 Log in using your username, context, password, and eDirectory

TM

tree name.

You will have access only to those features you have rights to. To have full access to all Novell

iManager features, you must log in as Supervisor of the tree.

Complete accessibility statements are available on the Novell Web site (http://www.novell.com/

accessibility).

2.4 Access Modes

When you start iManager, you are granted an access mode based on the rights you've been assigned.

iManager has three access modes. The mode you are in is displayed in the upper left corner of the

iManager interface.

• Unrestricted Access

This is the default mode before RBS is configured. It displays all of the roles and tasks

installed. Although all roles and tasks are visible, the authenticated user still needs the

necessary rights to use the tasks.

There is a setting that you can add to the config.xml file in <tomcat

location>\webapps\nps\WEB-INF which forces Unrestricted Access, even if Role Based

Services is installed. Add the following setting to config.xml and restart Tomcat:

</setting>

• Assigned Access

Displays only the roles and tasks assigned to the authenticated user. This mode takes full

advantage of the Role-Based Services technology.

• Collection Owner

Displays all of the roles and tasks installed in the collection. It allows you to use all of the roles

and tasks in the collection, even if specific rights have not been assigned. Role-Based Services

must be installed in order to use this mode.

NOTE: The collection owner sees all roles and tasks, regardless of role membership.

Accessing iManager 11

novdocx (ENU) 01 February 2006

2.5 Authenticating

If eDirectory is installed and running on another port besides the default port 524, you can use the IP

address or DNS name of the eDirectory server to log in if you also specify the port. If you use the

tree name to log in, you do not have to specify a port. (Example: 127.0.0.1: 1080)

2.5.1 The Tree Name Field

Possible values for the tree name field are: Tree name, Server IP Address, and Server DNS name.

2.5.2 Single Sign-on

Single Sign-on functionality (including Forward authentication, OLAC, and Form Fill) is not

compatible with iManager 2.5. iManager 2.5 requires a username, password, and tree name for

login, so Single Sign-on using Forward authentication or OLAC will not work. Form Fill also fails

because the Exit button in the iManager toolbar directs you back to the initial login form. When

FormFill is active, you are simply logged back in to iManager.

2.5.3 Logging into a Server without a Replica

You can log in to a server without a replica if you have previously logged in to the tree using the tree

name, or if you have logged in to the tree using a server that contains a replica.

2.5.4 Unsuccessful Authentication

Login failures occur for a variety of reasons. Authentication Error Messages are addressed in the

Troubleshooting chapter.

2.6 iManager Session Timeouts

iManager session timeouts are controlled by a timeout setting in the web.xml file located in

webapps/nps/WEB-INF/. Remove the comment tags to change the timeout from the default of 30

minutes.

<session-config>

<session-timeout>10</session-timeout>

</session-config>

12 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

Navigating the iManager Interface

3

novdocx (ENU) 01 February 2006

13

3

Navigating the iManager Interface

This section describes how to navigate through the Novell

®

iManager 2.5 interface.

• Section 3.1, “iManager Interface,” on page 13

• Section 3.2, “Special Characters,” on page 14

• Section 3.3, “Using the Object Selector,” on page 15

• Section 3.4, “Enable Pop-ups,” on page 15

3.1 iManager Interface

Use only the buttons within the interface when you are navigating in iManager. The Web browser's

toolbar buttons (Back, Next, etc.) are not supported.

Figure 3-1 By default, the iManager Interface displays Roles and Tasks

3.1.1 Views

iManager 2.5 has several views that you access using the icons at the top of the iManager interface:

• Roles and Tasks: contains all the tasks you are authorized to perform

• View Objects: contains browsing and searching functionality to find objects

• Configure: contains Role-Based Services, iManager Server, Object Creation List, Module

Installation, E-mail Notification, and Views, all of which you can configure as you want

14 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

• Favorites: displays your most frequent tasks, selected from the Preferences > Favorites page

• Preferences: Set your preferences according to your most frequent tasks, how the Object

Selector displays, how your Object View displays, what view appears after logging in to

iManager, and what language iManager displays in.

• Help: Applicable information related to the page you are on appears when you select this

icon

Roles and Tasks is the default view. For information on how to change the default view, see Chapter

6, “Configuring and Customizing iManager,” on page 39.

3.1.2 Contents Panel

The Contents Panel displays a navigation pane. Its contents vary, depending on which view you

have selected.

New in iManager 2.5 is the Category selector, which provides groups of roles and tasks specific to a

particular function. Categories include the following:

•All Categories

• Authentication & Passwords

• Collaboration

• Directory

• File Management

• Identity Manager

• Infrastructure

•Install & Upgrade

•Network

•Nsure Audit

•Printing

• Security

•Servers

• Software Licenses & Network Usage

• Users and Groups

Tasks under categories are listed in order of probable use.

3.2 Special Characters

In iManager, some characters have special significance and must be escaped with the backslash (\)

character:

NDAP (NDS):

•period (.)

•equal sign (=)

•plus (+)

Navigating the iManager Interface 15

novdocx (ENU) 01 February 2006

• backslash (\)

LDAP:

• DNs:, = + \ @; < >

• Leading #

• Leading or trailing spaces

For LDAP, any character can be specified with \xx. See RFC 2253 (http://www.faqs.org/rfcs/

rfc2253.html) for more information.

3.3 Using the Object Selector

Follow these guidelines when using the iManager search feature, Object Selector:

1. In dotted NDS

®

names, you must escape the following characters with a backslash (\):

•period (.)

• equal (=)

•plus (+)

• backslash (\)

2. You don't need escape characters in most values, but you do need them when the name is a

Distinguished Name or R Distinguied Name.

3. In a search filter, you must escape these characters with a backslash:

•asterisk (*)

• backslash (\)

For example:

To search for all objects containing a period, the search filter = *.*

To search for all objects containing a plus the search filter = *+*

However, to search for all objects containing a backslash, the search filter = *\\*

3.4 Enable Pop-ups

For some iManager wizards and help to work, you must enable pop-up windows in your Web

browser while working in iManager. If you use an application that blocks pop-up windows, you

must disable the blocking feature while working in iManager or allow pop-ups from the iManager

host.

16 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

Roles and Tasks

4

novdocx (ENU) 01 February 2006

17

4

Roles and Tasks

The Roles and Tasks icon displays all of the roles and tasks that you have set up; some are part of

iManager and others are plug-ins. This chapter describes only those roles and tasks that are intrinsic

to iManager.

• Section 4.1, “eDirectory Administration,” on page 17

• Section 4.3, “Groups,” on page 21

• Section 4.4, “Help Desk,” on page 23

• Section 4.5, “Partitions and Replicas,” on page 24

• Section 4.6, “Passwords,” on page 28

• Section 4.7, “Rights,” on page 31

• Section 4.8, “Schema,” on page 32

• Section 4.9, “Users,” on page 35

4.1 eDirectory Administration

eDirectory

TM

administration involves the management of objects in your directory tree. You can

create, edit, and organize objects. You can also set up user accounts and assign rights, grant

equivalence, and block inheritance. When you configure Role-Based Services, you can define

administrator roles for specific administrative applications through the Role-Based Services object.

4.1.1 Copy Object

You can either create a new object with the same attribute values as an existing object, or copy

attribute values from one object to another.

1 In Roles and Tasks, select eDirectory Administration > Copy Object.

2 In the Object to Copy From field, type the name and context of the object or use the search

feature to find it.

3 Select one of the following options:

• Create New Object and Copy Attribute Values

• Copy Attribute Values to an Existing Object

4 Select the Copy ACL Rights check box if you want to copy access control list rights to this

object. This step might take additional processing time, depending on your system and

networking environment.

4.1.2 Create Object

1 In Roles and Tasks, select eDirectory Administration > Create Object.

2 Select the object class from the list that appears and click OK.

18 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

3 Enter the requested information that appears according to the object class you selected, and

click OK.

4 A confirmation message appears: “The Create Object request succeeded.” Click OK, Repeat

Task, or Modify.

4.1.3 Delete Object

1 In Roles and Tasks, select eDirectory Administration > Delete Object.

2 Type the name and context of the object, or use the search feature to find it, and click OK.

3 A confirmation message appears: The Delete Object request succeeded.

4.1.4 Modify Object

1 In Roles and Tasks, select eDirectory Administration > Modify Object.

2 Type the name and context of the object, or use the search feature to find it, and click OK. The

Modify Objects screen appears, displaying a set of tabs which are specific to the object you

selected. Tabs and their features are described below this task.

3 Complete the modification based on the tabs you select and click OK.

General

The General tab displays the Identification page.

1 Complete the form with the following information:

• Other Name

• Owner

• Location

• Department

• Organization

• Description

Modify your description using the add, delete, and edit features.

2 Click OK.

The See Also page displays the search feature (Object Selector) to help you locate the object to

modify.

The Other page displays the Valued Attributes and Unvalued Attributes list boxes. You can move,

edit, or delete attributes for the object.

Security

The Security tab displays one or both of the following options, according to the object selected. The

following attributes are used in rights calculation for eDirectory.

• Security Equal To Me

This attribute specifies other objects that are security equivalent to this object.

• Security Equal To

Roles and Tasks 19

novdocx (ENU) 01 February 2006

This attribute specifies objects that this object is security equivalent to.

Restrictions

Use the Limit Grace Login option to force users to change their passwords after a number of logins

using an expired password.

Set the maximum number of concurrent connections a user is allowed.

Dynamic

Use the Member Query page to specify the search criteria when looking for members of a Dynamic

Group object.

1 Select the Dynamic Group check box to make a static group dynamic.

After a static group becomes dynamic, it can be converted back to static status by clearing the

Dynamic Group check box.

2 Complete the Start Search at (Base dn) text box with the location that you are searching from.

3 Specify the search scope. If you do not specify, the base scope is assumed.

• Search Base DN, searches only the base object.

• Search One Level, searches the direct subordinates of the base object, but the base object

itself is not searched.

• Search Sub Containers, searches the base object and all objects in the subtree below it.

4 Choose whether the search for Dynamic Members should involve multiple servers or only the

server containing the Dynamic Group object.

• Yes, the server communicates with other servers while searching for Dynamic Members.

• No, the search for Dynamic Members returns only local results.

5 Use the two Search Filter icons to refine the search and manually edit the string if you know the

syntax.

6 Click Apply to update the Query Results.

Use the Settings page to establish an identity object and other object-related search parameters.

1 Select the Identity Object. This is the object that the LDAP server uses to log in to the tree as, to

query.

2 Leave the Time Out blank unless you give iManager a reasonable amount of time to load the

objects it finds.

If you do not allow enough time for iManager to load and it times out, the object becomes

unusable. You must delete the object and start over.

3 Select Allow Duplicates to reduce the load on the server while listing dynamic group members.

Unless you fully understand the implications of this feature, leave it unchecked.

4 Leave Allow Unknowns unselected unless you fully understand the implications of this feature.

Allow Unknowns determines the inclusion or exclusion of members in the dynamic group

when the membership cannot be correctly determined.

20 Novell iManager 2.5 Administration Guide

novdocx (ENU) 01 February 2006

RPM

This configuration task applies only to NDPS

®

printers. iPrint printers are not affected.

1 Select Do Not Update Workstations if Remote Printer Management is disabled and printers are

not installed or removed from workstations.

2 Select Allow Only Specified Printers to Reside on Workstations to allow only the printers

specified in Remote Printer Management.

All other NDPS printers on the workstation are removed. This does not remove any iPrint

printers.

3 Select Show the Results Window on Workstations to display a window on the workstation that

shows the printers that were installed and removed.

4 Select the printers to install.

5 Set a default printer.

6 Indicate printers to be removed, if, any, and click OK, or Apply.

4.1.5 Move Object

1 In Roles and Tasks, select eDirectory Administration > Move Object.

2 Type the name and context of the object, or use the search feature (Object Selector) to find it,

and click OK.

3 In the Move To field, select the container you want to move the object to.

4 Select Create an Alias in Place of Moved Object if you want to create an alias in an old location

for each object being moved.

5 Click OK. A confirmation message appears: The Move Object request succeeded.

4.1.6 Rename Object

1 In Roles and Tasks, select eDirectory Administration > Rename Object.

2 Type the name and context of the object, or use the search feature to find it.

3 Type only the name of the new object; do not include a context.

4 Select to save the old name if you want to save it.

This saves the old name as an additional unofficial value of the Name property. Saving the old

name lets users search for the object based on that name. After renaming the object, you can

view the old name in the Other Name field on the General Identification tab for that object.

5 Select Create an Alias in Place of Renamed Object if you want to create an alias for the object

being named.

This allows any operations that are dependent on the old object name to continue uninterrupted

until you can update those operations to reflect the new name.

6 Click OK. A confirmation message appears: The Rename Object request

succeeded.

4.2 eDirectory Maintenance

Page is loading ...

Novell iManager 2.5 Administration Guide

Novell iManager 2.5 Administration Guide

Related papers

Other documents