syed_17 Super Contributor.

user account to carry edirectory operations

We have an OES environment consisting of NetWare 6.5, OES11 SP1, OES11 SP2, OES11 SP3, and OES2015 SP1 servers, where we need to carry out eDirectory operations time and again (e.g., obituary cleanups) using iMonitor by logging in as the admin user. Please suggest ways to create a user account with the required rights so that we can avoid using the main Admin account and still be able to do all the necessary eDirectory operations/tasks as and when needed using iManager, iMonitor, and NRM.

All helpful ideas will be highly appreciated.
Knowledge Partner

Re: user account to carry edirectory operations

The way to create an equivalent tree admin is to give a user Supervisor to
[Entry Rights] at the tree [root], inheritable; that is all a tree admin
really is, and any user can become one with that one ACL granted there.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: user account to carry edirectory operations

On 18.05.2019 10:44, squadri wrote:
>
> We have a Oes environment consisting of Netware 6.5, Oes11 sp1, oes11sp2
> , Oes11sp3, Oes2015 sp1 servers where we need to carry out edirectory
> operations time and again


Your question is covered by Aaron, but I have to ask: Have you ever
considered streamlining your version chaos a bit? You may no longer need
to do any such eDirectory operation when you stop running outdated and
unsupported code.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
syed_17 Super Contributor.

Re: user account to carry edirectory operations

mrosen;2499981 wrote:
> On 18.05.2019 10:44, squadri wrote:
> >
> > We have a Oes environment consisting of Netware 6.5, Oes11 sp1, oes11sp2
> > , Oes11sp3, Oes2015 sp1 servers where we need to carry out edirectory
> > operations time and again
>
> Your question is covered by Aaron, but I have to ask: Have you ever
> considered streamlining your version chaos a bit? You may no longer need
> to do any such eDirectory operation when you stop running outdated and
> unsupported code.
>
> CU,
> --
> Massimo Rosen
> Micro Focus Knowledge Partner
> No emails please!
> http://www.cfc-it.de


Hello Massimo,
Thanks for sharing your concern. Ours is a complex network where we are trying to get rid of outdated and unsupported versions, especially NetWare etc., taking various factors into consideration. It is an ongoing process, but it will take a while to completely eliminate those versions. Now, our issue is that a server (A), which is a member of the child partition (BX) and did not have a replica of its own partition, shows up as a subordinate reference in all the partitions after receiving a copy of the replica of the root partition. It is understood to be necessary for tree walking, but we do not like it appearing that way and need to fix it. We would appreciate it if you could suggest the best way to proceed.
syed_17 Super Contributor.

Re: user account to carry edirectory operations

Hello Aaron, thanks for your response. I understand that there is an option of making a security equivalent to admin, but that would then be no different from just another admin user, I suppose! The point is that we are not looking to give admin equivalence, but rather a limited-scope account which should be able to perform the needed operations for using iMonitor, NRM, etc. with only the required rights.
Knowledge Partner

Re: user account to carry edirectory operations

On 05/20/2019 01:34 AM, squadri wrote:
>
> Hello Aaron, Thanks for your response. I understand that there is an
> option of making a security equivalent to admin but that would be then
> no different than just another admin user I suppose!! The point is that


Yes, sorry; I took your request too literally I suppose. You not only
want to use your default tree admin account, but you do not want to use an
account with those rights at all.

> we are looking not to give admin equivalent but of a limited scope
> account which should be able to perform the needed operations for using
> imonitor,NRM etc as well with only certain required rights only.


I think iMonitor at least requires a user with tons of rights to the
server object, so you could try creating a user, giving that user
Supervisor rights just to the NCP Server object, and see if that works for
iMonitor. It is probably prudent to note that if you give somebody access
to the NCP Server and/or iMonitor, they inherently have access to do
things which impact the whole tree. iMonitor is primarily meant as a
troubleshooting tool, with a lot more features than things like
dsrepair/ndsrepair, but as a result it can still do things impacting the
whole tree like changing schema, causing replica ring inconsistencies, and
so on. It's great to have, but if you give somebody access to JUST
iMonitor on one server, they can still do things that are outside the
scope of that one server.

Before going down this too far, though, your need to do obituary cleanup
is likely just because your eDirectory versions are really old (as Massimo
mentioned already).

If the problem stems from the sub-ref replicas, perhaps we should figure
out why you have a [root] replica on this machine, but no other replicas.
It sounds like you have a partitioning setup that could be adjusted to
possibly help this out. If you care to do so, start a thread to find out
the best way to resolve those, or even the best way to partition things.
Lots of details around why you have the partitions defined (perhaps WAN
links, or maybe because you have always had them, or maybe because they
were recommended at some point), why this server has [root] but no other
partitions (including its own), and what problems have resulted, may help
us help you resolve the root problem. Even eDirectory 8.8.x should be
able to handle obituaries reliably, and that it cannot for you may imply
something else amiss in the environment (bad network links, an inability
to replicate reliably to one or more servers, etc.).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
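
Added example (not part of any post above and not Micro Focus code): since the replies note that one inheritable Supervisor ACL on [Entry Rights] at the tree root makes any user a tree admin, and suggest Supervisor on the NCP Server object for an iMonitor account, this Python sketch audits exported ACL values for exactly those two grants. It assumes the ACL values were exported over LDAP in the string form privileges#scope#trustee#attribute, with 16 as the Supervisor bit for [Entry Rights]; the tree name, DNs and ACL values are constructed.

```python
# Added example: audit exported eDirectory ACL values for Supervisor grants.
# Assumption: values use the LDAP string form privileges#scope#trustee#attribute.
# All DNs and ACL values in SAMPLE are constructed for illustration.
ENTRY_RIGHTS = "[entry rights]"
ENTRY_SUPERVISOR = 0x10  # Supervisor bit within [Entry Rights] privileges


def parse_acl(value):
    """Return (privileges, inheritable, trustee, attribute) for one ACL value."""
    head = value.split("#", 2)
    if len(head) != 3 or "#" not in head[2] or not head[0].strip().isdigit():
        raise ValueError(f"unexpected ACL value: {value!r}")
    trustee, attr = head[2].rsplit("#", 1)
    inheritable = head[1].strip().lower() == "subtree"
    return int(head[0]), inheritable, trustee.strip(), attr.strip()


def audit(acls_by_dn, tree_root_dn, approved=()):
    """List (object_dn, trustee, finding) for unapproved Supervisor entry rights."""
    approved = {t.lower() for t in approved}
    findings = []
    for dn, values in acls_by_dn.items():
        for raw in values:
            try:
                priv, inheritable, trustee, attr = parse_acl(raw)
            except ValueError:
                findings.append((dn, raw, "unparsed-acl"))
                continue
            if attr.lower() != ENTRY_RIGHTS or not priv & ENTRY_SUPERVISOR:
                continue
            if trustee.lower() in approved:
                continue
            at_root = dn.lower() == tree_root_dn.lower()
            label = "tree-admin-equivalent" if at_root and inheritable else "supervisor-on-object"
            findings.append((dn, trustee, label))
    return findings


SAMPLE = {  # constructed export: object DN -> ACL attribute values
    "t=EXAMPLE-TREE": ["16#subtree#cn=admin,o=corp#[Entry Rights]",
                       "16#subtree#cn=dsops,ou=svc,o=corp#[Entry Rights]",
                       "1#subtree#[Public]#[Entry Rights]"],
    "cn=SRV-A,ou=servers,o=corp": ["16#entry#cn=imon-ops,ou=svc,o=corp#[Entry Rights]",
                                   "2#entry#[Public]#messageServer"],
}

if __name__ == "__main__":
    for row in audit(SAMPLE, "t=EXAMPLE-TREE", approved=["cn=admin,o=corp"]):
        print(row)
```

Run it periodically against a fresh export and treat any trustee outside the approved list as a change to review.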