user account to carry edirectory operations

We have an OES environment consisting of NetWare 6.5, OES11 SP1, OES11 SP2, OES11 SP3, and OES2015 SP1 servers where we need to carry out eDirectory operations time and again, e.g. obituary cleanups, using iMonitor by logging in as the admin user. Please suggest ways to create a user account with the required rights so that we can avoid using the main Admin account and be able to do all the necessary eDirectory operations/tasks as and when needed using iManager, iMonitor, and NRM.

All helpful ideas will be highly appreciated.
  • The way to create an equivalent tree admin is to give a user Supervisor to
    [Entry Rights] at the tree [root], inheritable; that is all a tree admin
    really is, and any user can become one with that one ACL granted there.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • On 18.05.2019 10:44, squadri wrote:
    >
    > We have an OES environment consisting of NetWare 6.5, OES11 SP1, OES11 SP2,
    > OES11 SP3, and OES2015 SP1 servers where we need to carry out eDirectory
    > operations time and again


    Your question is covered by Aaron, but I have to ask: Have you ever
    considered streamlining your version chaos a bit? You may no longer need
    to do any such eDirectory operation when you stop running outdated and
    unsupported code.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • mrosen;2499981 wrote:
    On 18.05.2019 10:44, squadri wrote:
    >
    > We have an OES environment consisting of NetWare 6.5, OES11 SP1, OES11 SP2,
    > OES11 SP3, and OES2015 SP1 servers where we need to carry out eDirectory
    > operations time and again


    Your question is covered by Aaron, but I have to ask: Have you ever
    considered streamlining your version chaos a bit? You may no longer need
    to do any such eDirectory operation when you stop running outdated and
    unsupported code.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de


    Hello Massimo,
    Thanks for sharing your concern. Ours is a complex network where we are trying to get rid of outdated and unsupported versions, especially NetWare etc., taking various factors into consideration. It is an ongoing process, but it will take a while to completely eliminate those versions. Now, our issue is that a server (A), which is a member of the child partition (BX) and which did not have the replica of its own partition, shows up as a subordinate reference in all the partitions after getting a copy of the replica of the root partition. It's understood as necessary for tree walking, but we do not appreciate it appearing that way and need to fix it. We would appreciate it if you could suggest the best way to be followed.
  • Hello Aaron, thanks for your response. I understand that there is an option of making a security equivalent to admin, but that would then be no different than just another admin user, I suppose! The point is that we are not looking to give admin equivalent but a limited-scope account which should be able to perform the needed operations for using iMonitor, NRM etc. as well, with only certain required rights.
  • On 05/20/2019 01:34 AM, squadri wrote:
    >
    > Hello Aaron, thanks for your response. I understand that there is an
    > option of making a security equivalent to admin, but that would then be
    > no different than just another admin user, I suppose! The point is that


    Yes, sorry; I took your request too literally I suppose. You not only
    want to use your default tree admin account, but you do not want to use an
    account with those rights at all.

    > we are not looking to give admin equivalent but a limited-scope
    > account which should be able to perform the needed operations for using
    > iMonitor, NRM etc. as well, with only certain required rights.


    I think iMonitor at least requires a user with tons of rights to the
    server object, so you could try creating a user, giving that user
    Supervisor rights just to the NCP Server object, and see if that works for
    iMonitor. It is probably prudent to note that if you give somebody access
    to the NCP Server and/or iMonitor, they inherently have access to do
    things which impact the whole tree. iMonitor is primarily meant as a
    troubleshooting tool, with a lot more features than things like
    dsrepair/ndsrepair, but as a result it can still do things impacting the
    whole tree like changing schema, causing replica ring inconsistencies, and
    so on. It's great to have, but if you give somebody access to JUST
    iMonitor on one server, they can still do things that are outside the
    scope of that one server.

    Before going down this too far, though, your need to do obituary cleanup
    is likely just because your eDirectory versions are really old (as Massimo
    mentioned already).

    If the problem stems from the sub-ref replicas, perhaps we should figure
    out why you have a [root] replica on this machine, but no other replicas.
    It sounds like you have a partitioning setup that could be adjusted to
    possibly help this out. If you care to do so, start a thread to find out
    the best way to resolve those, or even the best way to partition things.
    Lots of details around why you have the partitions defined (perhaps WAN
    links, or maybe because you have always had them, or maybe because they
    were recommended at some point), why this server has [root] but no other
    partitions (including its own), and what problems have resulted, may help
    us help you resolve the root problem. Even eDirectory 8.8.x should be
    able to handle obituaries reliably, and that it cannot for you may imply
    something else amiss in the environment (bad network links, an inability
    to replicate reliably to one or more servers, etc.).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
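
An audit for the two grants discussed in this thread (Supervisor to [Entry Rights] at the tree root, inheritable, and Supervisor on a single NCP Server object), added here as an example and not code from any poster or from the vendor. It assumes ACL values exported in the LDAP string form `privileges#scope#trustee#attribute`, a Supervisor entry-rights bit of 16, and the LDAP class names `treeRoot` and `ncpServer`; every object and user name in the sample is constructed.

```python
# Added example: find who holds Supervisor [Entry Rights] in an exported ACL dump.
# Assumed value layout (LDAP string form): privileges#scope#trustee#attribute
ENTRY_SUPERVISOR = 0x10  # assumed bit value of Supervisor within [Entry Rights]

# Constructed sample export, not taken from the thread; all names hypothetical.
SAMPLE_LDIF = """\
dn: t=EXAMPLE-TREE
objectClass: treeRoot
ACL: 31#subtree#cn=admin,o=corp#[Entry Rights]
ACL: 16#subtree#cn=dsops,ou=it,o=corp#[Entry Rights]
ACL: 1#subtree#[Public]#[Entry Rights]

dn: cn=SRV-A,ou=servers,o=corp
objectClass: ncpServer
ACL: 16#entry#cn=imon-ops,ou=it,o=corp#[Entry Rights]
ACL: 2#entry#[Public]#messagingServer
"""

def parse_records(ldif):
    """Yield (dn, object_classes, acl_values) for each blank-line separated record.
    Folded (continued) LDIF lines are not handled; unfold the export first."""
    for block in ldif.strip().split("\n\n"):
        dn, classes, acls = None, set(), []
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            key = key.lower()
            if key == "dn":
                dn = value
            elif key == "objectclass":
                classes.add(value.lower())
            elif key == "acl":
                acls.append(value)
        yield dn, classes, acls

def supervisor_grants(ldif):
    """Return one finding per trustee that holds Supervisor on [Entry Rights]."""
    findings = []
    for dn, classes, acls in parse_records(ldif):
        for acl in acls:
            parts = acl.split("#")
            if len(parts) != 4 or not parts[0].isdigit():
                continue  # skip values that do not match the assumed layout
            privs, scope, trustee, attr = parts
            if attr == "[Entry Rights]" and int(privs) & ENTRY_SUPERVISOR:
                inheritable = scope == "subtree"
                findings.append({
                    "object": dn, "trustee": trustee, "inheritable": inheritable,
                    # the grant the first reply describes as a tree admin
                    "tree_admin_equivalent": inheritable and "treeroot" in classes,
                    "on_ncp_server": "ncpserver" in classes,
                })
    return findings
```

A finding with `on_ncp_server` set is not tree-admin equivalent by ACL, but per the last reply such a trustee can still use iMonitor to make changes that reach beyond that one server, so it belongs in the same review.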