eDirectory Preparation, v5.0


Copy the “eDirectory” folder from the installation set to the GlobalID server.

1. Export CA Certificate

Log in to iManager at https://<SERVERNAME>:8443/nps with the admin user “admin.sa.system” and tree = GlobalID (or localhost), then do the following:

  • In the iManager menu choose: “Objects”.

  • Click on the Security container (the red lock) on the left; the objects in the container show up.

  • Click the CA object, named “<treename> CA”

  • Click the tab “Certificates”

  • Click the checkmark on the “Self Signed Certificate RSA”

  • Click the “Export” button

  • Remove the checkmark in “Export private key”

  • Choose “DER” in export format

  • Click “Next”

  • Click “Save the exported certificate”

  • Store the certificate file in the “eDirectory” folder, which was copied to the server in the section above.


Repeat the steps above to export the same CA certificate as Base64. The Base64 certificate will be used later for the AD integration.
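The shell helpers below are an added example, not part of the installation set or of this guide. They check the two exports from step 1 before the files are copied onward: that a file really is DER or Base64 (PEM), that it is the self-signed CA certificate (it verifies against itself and carries Basic Constraints CA:TRUE), that no private key went into the export, and that the DER and Base64 files are the same certificate. They assume openssl is installed on the server; the file names ca.der and ca.b64 in the comments are placeholders.

```shell
#!/bin/sh
# Sanity checks for a CA certificate exported from iManager (DER or Base64/PEM).
# Added example; assumes the openssl command-line tool is available.

# PEM exports start with the "-----BEGIN" armour; anything else is tried as DER.
cert_format() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# Print the certificate as PEM on stdout regardless of the input encoding.
cert_to_pem() {
  openssl x509 -in "$1" -inform "$(cert_format "$1")" 2>/dev/null
}

# SHA-256 fingerprint (hex, colon separated), used to compare the two exports.
cert_fingerprint() {
  cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# A CA export must carry Basic Constraints CA:TRUE.
cert_is_ca() {
  cert_to_pem "$1" | openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# "Self Signed Certificate RSA": the certificate must verify against itself
# (issuer equals subject and the signature is valid).
cert_is_self_signed() {
  tmp=$(mktemp) || return 1
  cert_to_pem "$1" > "$tmp"
  openssl verify -CAfile "$tmp" "$tmp" >/dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  return $rc
}

# "Export private key" was unchecked: the file must parse as a bare certificate
# (a PKCS#12 bundle would not) and must not contain key material.
export_has_no_private_key() {
  [ "$(cert_format "$1")" != UNKNOWN ] || return 1
  ! grep -q 'PRIVATE KEY' "$1"
}

# Both exports (DER and Base64) must be the same certificate.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Run every check on one export; prints a one-line summary, returns 0 only if all pass.
check_ca_export() {
  echo "$1: $(cert_format "$1"), sha256 $(cert_fingerprint "$1")"
  cert_is_ca "$1"               || { echo "$1: no CA:TRUE, not a CA certificate" >&2; return 1; }
  cert_is_self_signed "$1"      || { echo "$1: not self-signed or signature invalid" >&2; return 1; }
  export_has_no_private_key "$1" || { echo "$1: not a bare certificate or contains a private key" >&2; return 1; }
  echo "$1: OK"
}

# Usage (placeholder file names):
#   check_ca_export ca.der && check_ca_export ca.b64 && same_cert ca.der ca.b64
```

Run check_ca_export on each export and same_cert on the pair. The DER file is the one that goes into the eDirectory folder; OpenSSL-based LDAP clients expect the Base64 (PEM) form when the tree CA is added to their trust store.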


2. Create certificate for LDAP service

Open Roles and Tasks → NetIQ Certificate Server

Select “Create Server Certificate”

Select the eDirectory server in servers.system

Give the new certificate a meaningful name, e.g. LDAP-Cert-31-12-2029

Select “Custom” and click “Next”

Select “Organizational Certificate Authority”

Leave all key settings as suggested and click “Next”

Change the “Subject name” CN to include the full FQDN of the server.

Click “Next”

Select “Your Organization's CA” as trusted root and click “Next”

Click “Finish” to create the new certificate.

In “Roles and Tasks” select “LDAP” and “LDAP Options”

Select the eDirectory server

Select “Connections” and change the server certificate to the newly issued one.

Click “OK”


3. Extend eDirectory Schema

Open a terminal and change directory to the “eDirectory” folder, where the files in “1. Export CA Certificate” were copied to.

Execute the file “GlobalID_Schema.sh <ServerDNS>” with the FULL DNS server name as parameter.

Type in the administrator password.

Verify that the schema import did not return any errors.


4. Create eDirectory Indexes

Open a terminal in the folder where the files used in “3. Extend eDirectory Schema” were copied to.

Open the file “GlobalID_Index.ldif”, change line 3 to “dn: <full LDAP name of the installed server>” and save the updated file.

E.g.
dn: cn=GlobalID,ou=servers,o=system

Execute the file “GlobalID_Index.sh <ServerDNS>” with the FULL DNS server name as parameter.

Type in the administrator password.

Verify that the index import did not return any errors.


5. Create GlobalID eDirectory Objects

Open a terminal in the folder where the files were copied to.

Execute the file “GlobalID_Objects.sh <ServerDNS>” with the FULL DNS server name as parameter.

Type in the administrator password.

Verify that the object import did not return any errors.


Commands used to run the schema script in step 3, for reference:

    chmod +x GlobalID_Schema.sh
    ./GlobalID_Schema.sh [hostname]
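The helpers below are an added example and are not the GlobalID_*.sh scripts, whose contents are not shown in this guide. They assume the scripts wrap ldapmodify, and show the three things steps 3 to 5 rely on: setting line 3 of GlobalID_Index.ldif to the DN of the installed server, running an LDIF over LDAPS while trusting only the exported tree CA and demanding that the server certificate name matches the full DNS name given as parameter (the reason the scripts take the FQDN, and why step 2 put the FQDN into the LDAP certificate CN), and checking the ldapmodify output for the error lines the guide asks you to look for. The host name, the admin DN (admin.sa.system written as an LDAP DN) and the file names are assumptions.

```shell
#!/bin/sh
# Added example around an assumed ldapmodify-based import of the GlobalID_*.ldif files.

# Point line 3 of GlobalID_Index.ldif at the installed server, e.g.
#   set_index_dn GlobalID_Index.ldif "cn=GlobalID,ou=servers,o=system"
# Refuses to touch the file if line 3 is not a "dn:" line.
set_index_dn() {
  ldif=$1; dn=$2
  sed -n 3p "$ldif" | grep -q '^dn:' \
    || { echo "$ldif: line 3 is not a dn: line, not changed" >&2; return 1; }
  tmp=$(mktemp) || return 1
  awk -v dn="$dn" 'NR == 3 { print "dn: " dn; next } { print }' "$ldif" > "$tmp" \
    && mv "$tmp" "$ldif"
}

# ldapmodify reports every entry it could not apply as "ldap_add: ..." or
# "ldap_modify: ..." (OpenLDAP client wording); a clean import has no such line.
ldif_import_ok() {
  log=$1
  [ -s "$log" ] || { echo "$log: empty log, nothing was imported" >&2; return 1; }
  if grep -Eq '^ldap_[a-z_]+: ' "$log"; then
    echo "$log: import reported errors:" >&2
    grep -E '^ldap_[a-z_]+: ' "$log" >&2
    return 1
  fi
  return 0
}

# Apply one LDIF over LDAPS. LDAPTLS_CACERT is the Base64 (PEM) export of the tree CA;
# LDAPTLS_REQCERT=demand makes the client reject a server certificate whose name does
# not match $host, so $host must be the full DNS name that is in the certificate CN.
# -W prompts for the administrator password, -c continues past per-entry errors so the
# log shows all of them.
run_ldif_import() {
  host=$1; admin_dn=$2; ldif=$3; cafile=$4; log=$5
  LDAPTLS_CACERT="$cafile" LDAPTLS_REQCERT=demand \
    ldapmodify -H "ldaps://$host:636" -D "$admin_dn" -W -c -f "$ldif" >"$log" 2>&1
  ldif_import_ok "$log"
}

# Usage (assumed names; admin.sa.system expressed as an LDAP DN):
#   set_index_dn GlobalID_Index.ldif "cn=GlobalID,ou=servers,o=system"
#   run_ldif_import globalid.example.com "cn=admin,ou=sa,o=system" \
#       GlobalID_Index.ldif tree-ca.b64 index-import.log
```

If an import fails with a TLS or hostname error rather than an LDAP error, check the certificate from step 2 (CN must contain the FQDN passed as parameter) before loosening LDAPTLS_REQCERT; running with it set to "never" would make the password transmitted by -W unverifiable as to its recipient.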

6. Create Universal Password Policy for Admins

Log in to iManager at https://<SERVERNAME>:8443/nps with the admin user “admin.sa.system” and tree = GlobalID_Tree (or the IP of the GlobalID server), then do the following:

  • Select “Roles and Tasks”

  • Select Passwords → Password Policies

  • Click “New...”

  • Policy Name = “Admin policy”

  • Click “Next”

  • Select the “No (skip to step 4)” option and remove the checkmark at “Enable the Advanced Password Rules”

  • Click “Next”

  • Select “NO” to the forgotten password feature

  • Click “Next”

  • In “Assign To:” add all service accounts and admin users in OU=SA,O=System.

  • Click “Next”

  • Review the summary

  • Click “Finish”


7. Create Universal Password Policy for all other Users

Log in to iManager at https://<SERVERNAME>:8443/nps with the admin user and tree = GlobalID_Tree (or the IP of the GlobalID server), then do the following:

  • Select “Roles and Tasks”

  • Select Passwords → Password Policies

  • Click “New...”

  • Policy Name = “Global policy”

  • Click “Next”

  • Select the “Yes (skip to step 4)” option and enable the checkmark at “Enable the Advanced Password Rules”

  • Click “Next”

  • Define the policy to match the company policies. The best match for MS customers is “Use Microsoft complexity policy”

  • Click “Next”

  • Select “NO” to the forgotten password feature

  • Click “Next”

  • In “Assign To:” add only the Login policy in the Security container (Login Policy.Security).

  • Click “Next”

  • Review the summary

  • Click “Finish”