Channel: Novell User Communities - iManager

Migrate/sync objects using IDM triggers and dynamic groups


Sometimes I need to re-migrate or re-sync certain objects through a driver. Sometimes it is only a couple of objects, which is easy, or all objects in a container, which is also easy.

But there are those occasions where I may need to re-sync several thousands of objects that match a certain criteria.

In those cases I have several options at my disposal. These are the ones I know about:

1* Use iManager and create an advanced search query when performing a "Migrate from Identity Vault". The problem with using iManager is that performance drops dramatically if you try to add thousands of users to the list. While the list is being processed you will need to wait quite a long time and be prepared to answer the question whether the script should be stopped or allowed to continue. If there were some way to work around the poor performance, iManager would be my choice.

2* Use DA Modifier to perform the re-sync. It is a very nice tool and quite fast if you are on the same LAN as the Identity Vault; running it over VPN isn't recommended. You also need Windows and the Novell Client to run it. The only drawback of this solution is that you can only specify two attributes as the search criteria and, from what I have seen, you can't specify auxiliary attributes. Most of the time it works just fine.

3* Use an LDAP tool to export associations, edit them using awk/sed or some other tool and re-import them to trigger a sync. The advantage of this approach is that you can specify any LDAP filter you can think of and get just those objects. The downside is editing those files and getting them the way you want.

4* Forget the criteria, sync all objects and let the IDM rules veto those that don't fulfill your conditions in an event policy. This works OK; the problem is that you need to edit the rule with the conditions each time, deploy and restart the driver, and you'll get a bunch of objects with a 3 (manual) or 4 (migrate) state in the association attribute.

5* Use a dynamic group.
This approach gives you all the flexibility of options 1 and 3.
Create a dynamic group that will be used as the scope for a subscriber channel trigger job.
A policy will then transform the <trigger> events into <sync> events.

My group is named "TriggerSyncOnTrigger".
Since a dynamic group is basically an LDAP filter you can build any search criteria you want.

On the driver where you want to do the re-sync create a job that has the type "Subscriber channel trigger" and associate it with the appropriate server. The schedule should be set to "Run manually".

For the scope, point to your dynamic group and select "Apply job to the members of this group.".

On the parameters tab set the options that fit your needs, my settings are:

Submit a trigger document for objects without a driver association? = TRUE
Use Job CN as trigger document identifier? = TRUE
Method for submitting trigger documents = Queue (Use cache)

Now you'll need a policy that will take care of the <trigger> and create a <sync> event.

On the subscriber channel event transformation create a new policy and move it to the top so it runs before all other policies.

My policy looks like this:

sub-etp:SyncOnTrigger

<policy>
	<rule>
		<description>Break if not trigger</description>
		<comment name="author" xml:space="preserve">alekz</comment>
		<comment name="version" xml:space="preserve">1.0</comment>
		<comment name="lastchanged" xml:space="preserve">2010-08-29</comment>
		<conditions>
			<and>
				<if-operation mode="case" op="not-equal">trigger</if-operation>
			</and>
		</conditions>
		<actions>
			<do-break/>
		</actions>
	</rule>
	<rule>
		<description>Break if not correct trigger</description>
		<comment name="author" xml:space="preserve">alekz</comment>
		<comment name="version" xml:space="preserve">1.0</comment>
		<comment name="lastchanged" xml:space="preserve">2010-08-29</comment>
		<conditions>
			<and>
				<if-op-property mode="nocase" name="source" op="not-equal">TriggerSyncOnTrigger</if-op-property>
			</and>
		</conditions>
		<actions>
			<do-break/>
		</actions>
	</rule>
	<rule>
		<description>Create &lt;sync&gt; event for each triggered object</description>
		<comment name="author" xml:space="preserve">alekz</comment>
		<comment name="version" xml:space="preserve">1.0</comment>
		<comment name="lastchanged" xml:space="preserve">2010-08-29</comment>
		<conditions>
			<and>
				<if-src-dn op="available"/>
				<if-operation mode="case" op="equal">trigger</if-operation>
				<if-op-property mode="nocase" name="source" op="equal">TriggerSyncOnTrigger</if-op-property>
			</and>
		</conditions>
		<actions>
			<do-append-xml-element expression=".." name="sync"/>
			<do-set-xml-attr expression="../sync[last()]" name="class-name">
				<arg-string>
					<token-class-name/>
				</arg-string>
			</do-set-xml-attr>
			<do-set-xml-attr expression="../sync[last()]" name="src-dn">
				<arg-string>
					<token-src-dn/>
				</arg-string>
			</do-set-xml-attr>
			<do-set-xml-attr expression="../sync[last()]" name="qualified-src-dn">
				<arg-string>
					<token-xpath expression="@qualified-src-dn"/>
				</arg-string>
			</do-set-xml-attr>
		</actions>
	</rule>
	<rule>
		<description>Veto trigger</description>
		<comment name="author" xml:space="preserve">alekz</comment>
		<comment name="version" xml:space="preserve">1.0</comment>
		<comment name="lastchanged" xml:space="preserve">2010-08-29</comment>
		<conditions>
			<and>
				<if-operation mode="case" op="equal">trigger</if-operation>
			</and>
		</conditions>
		<actions>
			<do-veto/>
		</actions>
	</rule>
</policy>

You can add this policy to all your drivers.

When you need to do a re-sync just edit the dynamic group search filter to get those objects you need and then run the job using iManager and you're done.
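To make the policy's effect on the job's XDS document concrete, here is an added Python model of its four rules (not IDM code and not from the original post): the trigger document, the DNs and the other job name are constructed; only the job CN TriggerSyncOnTrigger comes from the article.

```python
"""Model of the sub-etp:SyncOnTrigger rules applied to a trigger document.

Added example, not IDM or the article's code. The XDS input below is a
constructed sample; only the job CN TriggerSyncOnTrigger comes from the article."""
import xml.etree.ElementTree as ET

JOB_CN = "TriggerSyncOnTrigger"  # CN of the Subscriber channel trigger job

# Constructed sample: two triggers from our job (one without src-dn), one
# trigger from another job and an unrelated modify event.
SAMPLE_INPUT = r"""<nds dtdversion="3.5">
  <input>
    <trigger class-name="User" event-id="job#1" source="TriggerSyncOnTrigger"
             src-dn="\TREE\org\users\user1" qualified-src-dn="O=org\OU=users\CN=user1"/>
    <trigger class-name="User" event-id="job#2" source="SomeOtherJob"
             src-dn="\TREE\org\users\user2" qualified-src-dn="O=org\OU=users\CN=user2"/>
    <trigger class-name="Group" event-id="job#3" source="TriggerSyncOnTrigger"/>
    <modify class-name="User" src-dn="\TREE\org\users\user3"/>
  </input>
</nds>"""


def sync_on_trigger(xml_text, job_cn=JOB_CN):
    """Apply the four rules to every operation under <input> and return the
    resulting document as a string."""
    root = ET.fromstring(xml_text)
    inp = root.find("input")
    for op in list(inp):                      # copy: the loop mutates <input>
        if op.tag != "trigger":               # rule 1: break if not trigger
            continue
        # rule 2: break if the trigger is not from our job (mode="nocase")
        if op.get("source", "").lower() != job_cn.lower():
            continue
        # rule 3: only when src-dn is available, append <sync> to the parent
        # (expression="..") and copy class-name, src-dn and qualified-src-dn
        if op.get("src-dn") is not None:
            ET.SubElement(inp, "sync", {
                "class-name": op.get("class-name", ""),
                "src-dn": op.get("src-dn"),
                "qualified-src-dn": op.get("qualified-src-dn", ""),
            })
        inp.remove(op)                        # rule 4: veto the trigger
    return ET.tostring(root, encoding="unicode")


def operations(xml_text):
    """(tag, attributes) for each operation under <input>, in document order."""
    return [(op.tag, dict(op.attrib)) for op in ET.fromstring(xml_text).find("input")]
```

Triggers from other jobs and non-trigger events pass through untouched, a trigger from our job without a src-dn is simply vetoed, and the sync events land at the end of the input document.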

Update 2010-09-06:

You might need to assign trustee rights for the Job so it can access the dynamic group and the members of that group.


Repairing Damaged Access Gateway Objects in Access Manager 3.1


Recently, I got hit with the sporadic Missing LAG/"Null Value" bug. For those unfamiliar with this little feature, here is the scenario. Perhaps there was a reboot of the Access Console while eDirectory had not finished a sync with Tomcat, or for whatever reason. You open the Access Console's iManager and notice that you are missing an Access Gateway, a Gateway Cluster or similar.

In investigating, you might see that in the Troubleshooting section a gateway device has become corrupt. You can take this associated ID, and using the View Objects button in iManager, browse to the following container and select the object with that ID to view it.

ou=AppliancesContainer.ou=Partition.ou=PartitionsContainer.ou=VCDN_Root.ou=accessManagerContainer.o=novell

Since iManager doesn't have a plug-in for the Access Manager schema, you'll be presented with the Other tab. Look for the Attribute, "romaAGDeviceXMLDoc" and click Edit. You will notice that it is blank.

Novell TID 7005800 recommends clicking the Repair button, under Audit->Troubleshooting->Configuration, scroll down to Devices with Corrupt Data Store Entries in the Access Console. If this fails, one option is to send Novell Support your last AM backup file along with the password and the value can be sent back to you. Then, you can simply copy and paste the data back into the object as described above, logout of the Access Console, wait 3-5 minutes and log back in to the Console to see the restored Gateway.

Thinking to myself, "That was relatively painless", I opened Firefox and clicked the bookmark for my Access Console.

Here is what happened next.

I logged back into the Access Console and was faced with something new and different.

There were no options, just a nice little picture.

I went and checked the logs on the Access Console server (currently a Windows Server). I opened C:\Program Files\Novell\logs\app_sc.0.log and noticed many java errors similar to this:

5853(D)2010-09-04T00:27:00Z(L)application.sc.core(T)29(C)com.volera.vcdn.application.sc.core.Info(M)getDocument(E)org.jdom.input.JDOMParseException: Error on line 2: Attribute name "Manage" associated with an element type "romaAGDevice" must be followed by the ' = ' character.

I went back to iManager and browsed back to that particular AG object in the tree.

Since I knew that the "romaAGDevice" mentioned in the log related to the attribute "romaAGDeviceXMLDoc", I opened that attribute on the object for closer examination.

I found the word Manage and noticed a space and a carriage return (CR) after it. XML does not allow for stray characters within fields. Because Manage had a space after it, the XML parser was expecting an equals "=" and then a value.

The XML attribute should have read "ManagementAddress=192.168.1.2". I very carefully removed the space and CR and applied my change. I logged off the Console and restarted Tomcat on the Access Console server.

When I logged back into the Access Console, I got the same screen as above and immediately checked the logs again. Apparently there were more of these stray spaces in the attribute's value. This time, I went through all of the values to make sure they were clean. I found 4 other places where a space had been inserted. I cleaned the value and applied my changes. Restart Tomcat once again.
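Checking the attribute value with an XML parser before pasting it back would have caught all five stray spaces in one pass. The following is an added example (not Novell code): it validates a romaAGDeviceXMLDoc-style value, reports the parser's line and column, and lists attribute names that are split by whitespace, which is exactly the symptom above. The BROKEN_DOC and FIXED_DOC fragments are constructed and show only two attributes of the real document.

```python
"""Validate an XML-valued eDirectory attribute such as romaAGDeviceXMLDoc
before writing it back, and point at attribute names split by stray whitespace.

Added example, not Novell code. BROKEN_DOC and FIXED_DOC are constructed
fragments; the real romaAGDevice document has more attributes than shown."""
import re
import xml.etree.ElementTree as ET

# Constructed: the symptom from the article, a space and a line break inside
# the attribute name "ManagementAddress".
BROKEN_DOC = '<romaAGDevice Manage \r\nmentAddress="192.168.1.2" Name="ag-lab"/>'
FIXED_DOC = '<romaAGDevice ManagementAddress="192.168.1.2" Name="ag-lab"/>'

_QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
_TAG = re.compile(r"<[^>]+>")
_ELEMENT_NAME = re.compile(r"^\s*/?[\w.:-]+")
# a name token, whitespace, then another name token where '=' was expected
_SPLIT = re.compile(r"([A-Za-z_][\w.:-]*)\s+([A-Za-z_][\w.:-]*)")


def check_xml(text):
    """Return (True, '') if the value parses, else (False, parser message)."""
    try:
        ET.fromstring(text)
        return True, ""
    except ET.ParseError as err:
        line, col = err.position
        return False, "line %d, column %d: %s" % (line, col, err)


def suspect_splits(text):
    """List (left, right) name fragments separated only by whitespace inside a
    tag, i.e. places where the parser will expect '=' and find a name instead.
    Splits inside the element name itself are not detected."""
    found = []
    for tag in _TAG.finditer(text):
        body = tag.group(0)[1:-1]
        head = _ELEMENT_NAME.match(body)
        rest = body[head.end():] if head else body
        rest = _QUOTED.sub('""', rest)      # ignore spaces inside attribute values
        found.extend(m.groups() for m in _SPLIT.finditer(rest))
    return found


def attribute(text, name):
    """Read one attribute from a well-formed document, or None if it does not parse."""
    ok, _ = check_xml(text)
    return ET.fromstring(text).get(name) if ok else None


if __name__ == "__main__":
    for doc in (BROKEN_DOC, FIXED_DOC):
        print(check_xml(doc), suspect_splits(doc))
```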

I logged in to the Access Console, once again and found that all was right with the world and I could also see and open the Access Gateways.
Since I had just remedied the issue, I immediately took a new backup of the Access Console.

Access Manager does not have a built in backup scheduler and must be backed up manually from the Access Console. It is recommended that a backup be performed prior to any changes to any of the components, Identity Providers (IDP), Access Gateway configurations or Reverse Proxy. Then after the changes have been made and shown successful, perform another backup to ensure a current backup of the new configuration.

If I had not had a fairly recent backup of the environment, there is a good chance that my LAGs would have had to be redone and re-added to the cluster.

NOTE: Please note that eDirectory object modification without direction from a Novell Support Representative is not recommended and could possibly cause irreversible damage to these objects, requiring rebuilding of Gateway environments or worse. Please use this with extreme caution. This was performed in a non-production environment where the impact was nil.

How to create a changelog of iManager plug-in updates


One of the problems I find with iManager is that although you can list the currently installed versions of the various plug-ins (NPMs) from within iManager itself you can't easily find out when particular plug-ins were last updated. This is especially a problem if you're in the (bad!) habit of selecting all available plug-ins and then hitting Install!

Anyway, I did a bit of poking about on the filesystem and found that plug-ins are installed to /var/opt/novell/iManager/nps/packages/ (on NetWare it's SYS:\tomcat\5.0\webapps\nps\packages\). However, listing that directory in date order doesn't reveal when plug-ins were installed/updated, simply which plug-in file is later than another.

Then I discovered that iManager records information that can be used to uninstall plug-ins in /var/opt/novell/iManager/nps/UninstallerData (with NetWare it's SYS:\tomcat\5.0\webapps\nps\uninstallerdata\). Here the date of the directory is when the plug-in was installed or last updated (this is important to note - see later) so could be useful for a changelog.

So on an OES Linux server you can use

ls -lrt /var/opt/novell/iManager/nps/UninstallerData

which will produce a directory listing sorted in reverse date (actually modification time) order that is then your changelog. All directory names start with Uninstall_ followed by the name of the plug-in.

oeslinux:~ # ls -lrt /var/opt/novell/iManager/nps/UninstallerData
total 176
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_base
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_fw
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_afp
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ark
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_eDirectoryBackupAndRestore
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_cifsmgmt
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_CaseSensitivePassword
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_dfsmgmt
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_eDirectoryMerge
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_eDirectoryRepairAndLogfile
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_EA
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_eDirectory88_Plugins
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_eDirExtended
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ER
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_fileman
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ICEWizardModule
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ifolder3
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_IndexManagerPlugin
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_Kerberos
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_LDAPConfiguration
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_LinuxUserManagement
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ncs
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_NMAS
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_NetStorage
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_nssmgmt
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_dhcp
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_CertServerPlugins
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_PS
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_novell_imanager_pwdmanagement_plugins
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_notfconfig
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_pwdpolicy
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_SharedContentV1
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_QFSearch
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_RWiz
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_samba
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_ServiceManager
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_SMS
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_SNMPConfiguration
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_storage
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_WanManConfiguration
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_iman_supportpack
drwxrwxr-x 2 wwwrun www 4096 Mar 15  2010 Uninstall_iPrintX
drwxrwxr-x 2 wwwrun www 4096 Nov  2 20:02 Uninstall_dns

With most directory names it's kind of obvious which plug-in it relates to - for example Uninstall_dns is for the DNS plug-in. If you're not sure which plug-in a particular Uninstall_ directory relates to you can check iman_mod_desc.xml in /var/opt/novell/iManager/nps/packages.

If you'd like a tidier output, perhaps just containing the date, time and directory name for each Uninstall_ directory then you can filter the output from the ls command through cut so the command becomes

ls -lrt /var/opt/novell/iManager/nps/UninstallerData/ | cut -d " " -f 6-

which produces

oeslinux:~ # ls -lrt /var/opt/novell/iManager/nps/UninstallerData/ | cut -d " " -f 6-

Mar 15  2010 Uninstall_base
Mar 15  2010 Uninstall_
Mar 15  2010 Uninstall_fw
Mar 15  2010 Uninstall_afp
Mar 15  2010 Uninstall_ark
Mar 15  2010 Uninstall_eDirectoryBackupAndRestore
Mar 15  2010 Uninstall_cifsmgmt
Mar 15  2010 Uninstall_CaseSensitivePassword
Mar 15  2010 Uninstall_dfsmgmt
Mar 15  2010 Uninstall_eDirectoryMerge
Mar 15  2010 Uninstall_eDirectoryRepairAndLogfile
Mar 15  2010 Uninstall_EA
Mar 15  2010 Uninstall_eDirectory88_Plugins
Mar 15  2010 Uninstall_eDirExtended
Mar 15  2010 Uninstall_ER
Mar 15  2010 Uninstall_fileman
Mar 15  2010 Uninstall_ICEWizardModule
Mar 15  2010 Uninstall_ifolder3
Mar 15  2010 Uninstall_IndexManagerPlugin
Mar 15  2010 Uninstall_Kerberos
Mar 15  2010 Uninstall_LDAPConfiguration
Mar 15  2010 Uninstall_LinuxUserManagement
Mar 15  2010 Uninstall_ncs
Mar 15  2010 Uninstall_NMAS
Mar 15  2010 Uninstall_NetStorage
Mar 15  2010 Uninstall_nssmgmt
Mar 15  2010 Uninstall_dhcp
Mar 15  2010 Uninstall_CertServerPlugins
Mar 15  2010 Uninstall_PS
Mar 15  2010 Uninstall_novell_imanager_pwdmanagement_plugins
Mar 15  2010 Uninstall_notfconfig
Mar 15  2010 Uninstall_pwdpolicy
Mar 15  2010 Uninstall_SharedContentV1
Mar 15  2010 Uninstall_QFSearch
Mar 15  2010 Uninstall_RWiz
Mar 15  2010 Uninstall_samba
Mar 15  2010 Uninstall_ServiceManager
Mar 15  2010 Uninstall_SMS
Mar 15  2010 Uninstall_SNMPConfiguration
Mar 15  2010 Uninstall_storage
Mar 15  2010 Uninstall_WanManConfiguration
Mar 15  2010 Uninstall_iman_supportpack
Mar 15  2010 Uninstall_iPrintX
Nov  2 20:02 Uninstall_dns

You could actually take this one step further and remove the Uninstall_ prefix by filtering the output through sed, so the command becomes

ls -lrt /var/opt/novell/iManager/nps/UninstallerData/ | cut -d " " -f 6- | sed -e 's/Uninstall_//'

producing

oeslinux:~ # ls -lrt /var/opt/novell/iManager/nps/UninstallerData/ | cut -d " " -f 6- | sed -e 's/Uninstall_//'

Mar 15  2010 base
Mar 15  2010 
Mar 15  2010 fw
Mar 15  2010 afp
Mar 15  2010 ark
Mar 15  2010 eDirectoryBackupAndRestore
Mar 15  2010 cifsmgmt
Mar 15  2010 CaseSensitivePassword
Mar 15  2010 dfsmgmt
Mar 15  2010 eDirectoryMerge
Mar 15  2010 eDirectoryRepairAndLogfile
Mar 15  2010 EA
Mar 15  2010 eDirectory88_Plugins
Mar 15  2010 eDirExtended
Mar 15  2010 ER
Mar 15  2010 fileman
Mar 15  2010 ICEWizardModule
Mar 15  2010 ifolder3
Mar 15  2010 IndexManagerPlugin
Mar 15  2010 Kerberos
Mar 15  2010 LDAPConfiguration
Mar 15  2010 LinuxUserManagement
Mar 15  2010 ncs
Mar 15  2010 NMAS
Mar 15  2010 NetStorage
Mar 15  2010 nssmgmt
Mar 15  2010 dhcp
Mar 15  2010 CertServerPlugins
Mar 15  2010 PS
Mar 15  2010 novell_imanager_pwdmanagement_plugins
Mar 15  2010 notfconfig
Mar 15  2010 pwdpolicy
Mar 15  2010 SharedContentV1
Mar 15  2010 QFSearch
Mar 15  2010 RWiz
Mar 15  2010 samba
Mar 15  2010 ServiceManager
Mar 15  2010 SMS
Mar 15  2010 SNMPConfiguration
Mar 15  2010 storage
Mar 15  2010 WanManConfiguration
Mar 15  2010 iman_supportpack
Mar 15  2010 iPrintX
Nov  2 20:02 dns

(note the unknown plug-in listed second)

Perhaps not the best example to use but you can see that I've just updated the DNS Management plug-in having installed the server ready for presenting at BrainShare 2010 and then not updating since (not wanting to break a working demo!).

Don't forget that at a NetWare server console you can use the dir command that becomes available when you load TBX.NLM (or TOOLBOX.NLM). Or of course you can connect from a Windows or Linux machine.

Now as I noted earlier, the date of the directory is when the plug-in was installed or last updated and this is important because it appears that you can only uninstall a plug-in once - only one Uninstall_ directory is possible per plug-in as only the plug-in name is used and no date/time-stamp.
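Counting space-separated fields in ls output is fragile (a size or name with extra spaces shifts the fields), so here is an added Python version of the same changelog (not from the article) that reads the directory's modification times directly, strips the Uninstall_ prefix and flags the blank entry. It reads the UninstallerData path the article names; make_sample() builds a constructed three-entry copy so the example runs anywhere.

```python
"""Build a changelog of iManager plug-in installs/updates from the
UninstallerData directory without parsing ls output.

Added example, not from the article. It reads the directory the article names;
make_sample() builds a constructed copy of three entries from the listing."""
import os
import shutil
import tempfile
import time

UNINSTALLER_DATA = "/var/opt/novell/iManager/nps/UninstallerData"
PREFIX = "Uninstall_"


def plugin_changelog(path=UNINSTALLER_DATA):
    """Return [(timestamp, plugin)] oldest first, like ls -lrt. Because only
    one Uninstall_ directory exists per plug-in, each timestamp is the most
    recent install or update, not a full history. A bare 'Uninstall_' entry
    (the unknown plug-in in the article) is reported as '<unknown>'."""
    rows = []
    with os.scandir(path) as entries:
        for entry in entries:
            if not (entry.is_dir() and entry.name.startswith(PREFIX)):
                continue
            plugin = entry.name[len(PREFIX):] or "<unknown>"
            rows.append((entry.stat().st_mtime, plugin))
    rows.sort()
    return [(time.strftime("%Y-%m-%d %H:%M", time.localtime(m)), p) for m, p in rows]


def make_sample(root):
    """Constructed sample tree: three directories with dates from the article."""
    stamps = {"Uninstall_base": "2010-03-15", "Uninstall_": "2010-03-15",
              "Uninstall_dns": "2010-11-02"}
    for name, day in stamps.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        mtime = time.mktime(time.strptime(day, "%Y-%m-%d"))
        os.utime(path, (mtime, mtime))


def demo():
    """Run the changelog over the constructed sample in a temp dir and clean up."""
    root = tempfile.mkdtemp()
    try:
        make_sample(root)
        return plugin_changelog(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for stamp, plugin in demo():
        print(stamp, plugin)
```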

Novell Collaboration Connection

The End User Computing Leadership Team is proud to sponsor the Collaboration Connection, a bi-weekly call to help you better understand, and effectively sell and defend, our Collaboration solutions.
Thank you very much for your support and participation in these calls. We have moved the intent and focus of these calls into something called "Community Chat", focusing on the broader new-Novell solutions and involving our customers as well. Please visit the Community Chat home page at http://www.novell.com/events/novell-community-chats.html



Updated DNS / DHCP Console for OS X ( Apple Macintosh )

License: Requires OES or NetWare

I prefer to administer my OES and NetWare servers from an OS X client, but iManager, SSH, X-Windows, and RconsoleJ can only take you so far. If you wanted to use the DNS / DHCP Console (which is more reliable than iManager for DNS and DHCP), you had to use a Windows or Linux client.

Then, two years ago, junaid_s84 posted a way of running the Novell DNS / DHCP Console on OS X. Unfortunately, that solution did not allow the use of SSL, and it required you to start the application with a script. That original post can be found at http://www.novell.com/communities/node/9176/dns-dhcp-management-console-apple-macintosh

We now have a solution that offers the following advantages:
1. It allows SSL.
2. It behaves like a real OS X application bundle.
3. It uses the version of the Console included with OES 2 sp3.

In order to create this application bundle, we did have to modify the code a little bit, and you will have to run a script once to correctly set environmental variables for the application. For details, please see the README.TXT included in the zip file.

Once you are done, you will be able to use the DNS/DHCP Console exactly as if you were running it on Windows or Linux, except with all the Aqua-goodness of OS X!

Attachment: dnsdhcpxv1.zip (4.17 MB)

How to implement the latest Time Zone changes in Russia on NetWare


As you know, the daylight saving policy has been changed in Russia, effective from September 1st 2011. New time zones and DST rules have been established within the Russian regions; Moscow will use UTC+4 all year round, and all other Russian regions will keep their current Summer time all year round (see http://www.government.ru/gov/results/16355/).

Among other Novell software that deals with time zones and calendars, this change affects the NetWare OS and its components. In particular, Java Runtime Environment and software that uses JRE (like iManager, ZENworks Server Management) are affected.

Ignoring this fact and leaving NetWare and JRE time settings untouched could lead to undesirable results such as time synchronization malfunction. For banking or large enterprise environments such issues could be critical and unacceptable.

NetWare administrators must have made Time Zone changes on their servers before the 30th Oct (Last October Sunday) to avoid incorrect time appearing on NetWare servers and connected Windows workstations (actually the summer time would be set to 'Off', so local time would be erroneously set one hour behind the correct time).

Preparing clients' workstations

Don't forget to install the latest Windows hotfixes that reflect Time Zone changes in Russia. For Windows XP it is WindowsXP-KB2570791-x86-ENU.exe (if your Windows language is English).

Updating Time Zone configuration on the NetWare OS

The main aim while changing time zone settings on NetWare server is to keep the UTC time calculated on the server unchanged. This is crucial for eDirectory health.
To check how your changes affect the current system time, you should use the TIME command before and after the changes have been made.

  1. Enter the console command TIME. Note the result:


    Figure 1 - TIME: old time zone configuration

  2. Modify AUTOEXEC.NCF.

    SET Daylight Savings Time Offset = 0:00:00
    SET Start Of Daylight Savings Time =
    SET End Of Daylight Savings Time =
    #SET Time Zone = EAT-3EATD
    SET Time Zone = MSK-4

    Time Zone format is well described on Novell support site (see http://support.novell.com/techcenter/articles/ana19931101.html).

    Time zone abbreviations can be any abbreviation you prefer. As for the number after the minus sign, you should increase it by 1 in all Russian time zones. The summer time zone abbreviation after the number should be removed as unnecessary.

    For example, in Moscow region the Time Zone variable might be changed from EAT-3EATD to MSK-4.

  3. If you:
    • can reboot the server now and
    • do not use Java applications on NetWare, or don't care about JRE internal time,

    please reboot the server at this point. It is necessary to apply changes made in the AUTOEXEC.NCF. After the server has restarted, enter the TIME command and ensure that:

    • Time Zone has changed,
    • summer time (DST) is set to OFF,
    • UTC time remains continuous,
    • the difference between UTC and local time remains the same (see picture below).


    Figure 2 - TIME: new time zone configuration, server is restarted

    At this step, the Time Zone modifications for your server are complete.

  4. If you can't reboot the server immediately for some reason, you can apply the time zone changes manually, with a minor drawback (see below). Using whatever method you prefer (server console, NCF file, MONITOR utility, NRM), change the four system variables mentioned in point 2 above accordingly. I used the MONITOR.NLM utility and made the changes in the following order:

    Daylight Savings Time Offset = 0:00:00
    Time Zone = MSK-4
    End Of Daylight Savings Time =
    Start Of Daylight Savings Time =

    Having completed manual configuration you will get a result like this:


    Figure 3 - TIME: new time zone configuration, server is not restarted

As you can see, UTC and local time are correct, but because the summer time zone abbreviation is empty and the DST status is still ON, the DST time zone abbreviation is undefined and shown as <?>. You are unlikely to face serious issues as a result, but to be thorough it is better to reboot when possible. Reloading XNTPD/TIMESYNC does not help in this case. Unfortunately the only way to get the DST status changed to OFF is to reboot the server.

Updating Time Zone configuration in JRE on NetWare OS

The Java Runtime Environment uses its own Time Zones database. Time zone ID format in Java ("Region/City") differs from NetWare syntax, so there is no direct conformity between NetWare Time Zone and JRE Time Zone ID.

The JRE Time Zone that is set by default is based on the time zone where the program is running. Therefore it might depend on the country chosen during NetWare installation. This is why it is important to keep JRE Time Zone information up-to-date.

You need TZupdater v1.3.40 or a more recent version. It contains the latest information about Russian time zones and corresponds to the Olson Tzdata version tzdata2011h. The TZupdater tool supports JDK/JRE version 1.4.0 and later releases (1.4.0, 1.4.1,1.4.2, 5.0, and 6), and is applicable to NetWare 6.0 (with JRE v1.4.1 or 1.4.2 installed) and 6.5.

  1. Download TZupdater from the Oracle site. Go to the URL http://www.oracle.com/technetwork/java/javase/downloads/ and select the link "JDK DST Timezone Update Tool".
  2. Copy TZupdater ZIP file to a temporary directory on the NetWare server (for example sys:\tmp). Unzip it with the console command:
    unzip -j sys:\tmp\tzupdater-1_3_40-2011h.zip -d sys:\tmp
  3. Update the JRE:
    java -jar sys:\tmp\tzupdater.jar -f -bc -v
  4. Force the JRE to use an exact time zone. This is done by adding the -Duser.timezone parameter to the command line used to start the Java application.
    java -Duser.timezone="Asia/Vladivostok" ...
    
    

    Useful timezone values in Russia are as follows:

    Europe/Kaliningrad
    Europe/Moscow
    Europe/Samara
    Europe/Volgograd
    Asia/Yekaterinburg
    Asia/Novokuznetsk
    Asia/Novosibirsk
    Asia/Omsk
    Asia/Krasnoyarsk
    Asia/Irkutsk
    Asia/Yakutsk
    Asia/Sakhalin
    Asia/Vladivostok
    Asia/Anadyr
    Asia/Kamchatka
    Asia/Magadan

Useful tools

To check current time and time zone in JRE you can use the Java programming examples available in the Internet. I used the following ones:

Using these Java programming examples is pretty simple.

  1. Extract downloaded ZIP files. Copy *.java files to a temporary directory on NetWare server.
  2. Compile java program:
    javac -g sys:/tmp/GetSystemTimeZone.java
  3. Run java program:
    java -cp sys:\tmp GetSystemTimeZone

    You might use the -Duser.timezone parameter here as well:

    java -Duser.timezone="Asia/Omsk" -cp sys:\tmp GetSystemTimeZone
  4. Look at the Logger Screen to check the result.

What if you missed the last Sunday in October?

If you missed the last Sunday in October, the local time on your servers will be erroneously shifted one hour back. The good news for you in November is that UTC time still remains continuous, which is good for eDirectory health.

Please keep in mind that UTC time is calculated based on the local time and time zone information (zone offset and DST offset):

UTC = local time + time zone offset - daylight savings time offset

Because in November you would have to change all three items on the right-hand side of the equation, there is no way to keep UTC time continuous while the NetWare OS is running. As for the latest time zone changes in Russia, if you changed the Time Zone to the correct configuration, the server's local time would remain unchanged but UTC time would jump one hour back, leading to the Synthetic Time error.
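The arithmetic behind this is worth working through with the article's own formula. The following is an added Python model (not Novell code): it uses NetWare's sign convention, in which the number in the Time Zone string is what is added to local time (EAT-3 is -3 h, MSK-4 is -4 h), and a 1-hour DST offset, and it compares the planned change, the missed-October runtime change and the offline fix; the 14:00 sample time is constructed.

```python
"""NetWare UTC bookkeeping from the article:

    UTC = local time + time zone offset - daylight savings time offset

using NetWare's sign convention, where the number in the Time Zone string is
the offset added to local time (EAT-3 -> -3 h, MSK-4 -> -4 h).

Added example, not Novell code; times are whole hours within one day."""

DST_OFFSET = 1  # hours: the Daylight Savings Time Offset in force before the change


def utc_from_local(local, zone, dst_on, dst_offset=DST_OFFSET):
    """The article's formula. zone is the signed number from the Time Zone string."""
    return (local + zone - (dst_offset if dst_on else 0)) % 24


def local_from_utc(utc, zone, dst_on, dst_offset=DST_OFFSET):
    """Inverse of utc_from_local, used when NetWare recomputes local time."""
    return (utc - zone + (dst_offset if dst_on else 0)) % 24


def planned_change(local=14):
    """Switch EAT-3 (DST on) to MSK-4 (DST off) before the last Sunday in
    October. Local time is untouched and UTC must come out the same;
    returns (utc_before, utc_after)."""
    return utc_from_local(local, -3, True), utc_from_local(local, -4, False)


def missed_october(utc=10):
    """The change is made on the running server after NetWare already switched
    DST off. Returns (local_after_dst_off, utc_after_zone_change, utc_jump)."""
    # NetWare keeps UTC continuous, so local time drops one hour (14 -> 13)
    local = local_from_utc(utc, -3, False)
    # Setting Time Zone = MSK-4 at runtime keeps local time, so UTC is
    # recalculated from it and jumps back one hour: the Synthetic Time error
    utc_new = utc_from_local(local, -4, False)
    return local, utc_new, utc_new - utc


def offline_fix(correct_local=14):
    """Set the hardware clock to the correct local time while the server is
    down, then boot with MSK-4: UTC lines up with the value before the change."""
    return utc_from_local(correct_local, -4, False)


if __name__ == "__main__":
    print("planned change (utc before, after):", planned_change())
    print("missed October (local, utc, jump):", missed_october())
    print("offline fix utc:", offline_fix())
```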

The safe way to tackle this is to make the changes in offline mode.

  1. Make changes in AUTOEXEC.NCF as described in the part "Updating Time Zone configuration on NetWare OS" point #2 above.
  2. Initiate the server warm boot with the console command RESET SERVER
  3. At the beginning of boot up process start server BIOS Setup utility by pressing a dedicated button (it depends on the hardware model, could be "Del", "F2", "F10" and so on)
  4. Set hardware clock to the correct local time
  5. Boot up the server and check current time as described in the part "Updating Time Zone configuration on NetWare OS" point #3 above.
Attachments: pic1.png (4.52 KB), pic2.png (3.61 KB), pic3.png (3.63 KB)

Using Internet Explorer with a Local Installation of iManager


How to use Internet Explorer with a local installation of iManager so you can update Windows print drivers.

I prefer to use a local installation of iManager rather than to run it from a server, but it uses a variety of Mosaic as a web browser, which means that you can't upload Windows printer drivers.

However, if you start up the local iManager as normal but give IE the URL http://127.0.0.1:48080/nps, then you have the advantages of the local installation and can manage print drivers and so on using Internet Explorer.

Free Beta Class in Provo for Migrating from NetWare to Novell Open Enterprise Server 11


If you're an experienced NetWare engineer and need to prepare to migrate your skills and your servers to OES 11 on Linux, this free beta class, being held in Provo Jan 31-Feb 2, is an opportunity you won't want to miss.

Migrating from NetWare to Novell Open Enterprise Server 11, Course 8018, is designed to help experienced NetWare administrators to make the move to Open Enterprise Server 11 for Linux. It's a three-day course that focuses on installing and configuring OES 11 services on Linux and preparing for and completing service migration from NetWare to Linux. You'll learn how to migrate services such as iFolder, NSS, eDirectory, and iPrint (among others). You'll also learn how to implement the new storage and volume management features of OES 11.

In addition to migrating services and servers, you'll migrate your skills by learning what the equivalent NetWare commands are on a Linux server so you can keep doing your regular server management tasks after you move to Linux. Finally, you'll also learn how you manage those OES services you've migrated to Linux (for all intents and purposes, the management tools are the same whether the service is running on NetWare or Linux).

Please use the link below to register for this free class, being held in Provo, Jan 31 - Feb 2.

http://register.novell.com/login/?action=prelogin&...

Please follow Novell Training on:
http://twitter.com/novell_training
http://www.facebook.com/NovellTraining


OpenVPN + Auth from eDir (LDAP)

License: Free

In this article I will show an example integration of OpenVPN with eDir.

After performing the actions described in this article:

  1. To connect to the VPN, users will enter the same login and password they use to log in to the enterprise network.
  2. All users connected to the VPN will have identical access rights inside the network (the same list of IP addresses, ports and protocols).
    (In another article I will describe how to give each VPN user individual access rights in the network, and how to control this from C1 and iManager.)
  3. Specifying which users have the right to connect to the VPN is possible from C1 or iManager.

Restrictions:

  1. VPN users must enter their login ONLY in lowercase letters (if there are uppercase letters in the login, access will be denied).
  2. User names in eDir must be unique across the directory.
    (For example, these two would conflict:
    user1.office1.df
    user1.office2.df
    )

I assume that you are able to:

  • Install the OpenVPN server and configure it to operate WITHOUT per-USER KEYS and WITH EXTERNAL AUTHENTICATION.
  • Create simple iptables rules.

So:

This is your SLES11SP1 server:

ISP------[eth1](SERVER)[eth0]----LOCALLAN
eth0 = 172.17.17.10
eth1 = Public IP
tun0 - this will be the virtual interface ( 10.0.2.0/24 )
DNS=172.17.17.254
DNS=172.17.17.151

  1. All your VPN users (10.0.2.0/24) should have full access to these two hosts: 172.17.17.200 and 172.17.17.201.
  2. Create the file /etc/openvpn/ldap/iptsave (note that its FORWARD rules let tun0 reach the whole 172.17.17.0/24 network, not only those two hosts):
    # Generated by iptables-save v1.3.5 on Thu Jan 26 13:46:24 2012
    *filter
    :INPUT ACCEPT [493:38960]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [296:81728]
    -A INPUT -i tun0 -p tcp -m tcp --dport 22:1024 -j DROP
    -A FORWARD -s 172.17.17.0/24 -j ACCEPT
    -A FORWARD -i tun0 -d 172.17.17.0/24 -j ACCEPT
    COMMIT
    # Completed on Thu Jan 26 13:46:24 2012
    
  3. Create the file /etc/openvpn/ldap/scrptup.sh:
    #!/bin/bash
    # Executed after the TCP/UDP socket is bound and the TUN/TAP device is opened
    #
    /usr/sbin/iptables-restore < /etc/openvpn/ldap/iptsave

    and chmod this file to 100755

  4. Create /etc/openvpn/server.conf (for example):

    port 1197
    proto udp
    
    dev tun
    
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/nod1firma.ua.crt
    key /etc/openvpn/easy-rsa/keys/nod1firma.ua.key # This file should be kept secret
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    
    server 10.0.2.0 255.255.255.0
    
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    tls-server
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    tls-timeout 120
    auth MD5
    cipher BF-CBC
    keepalive 10 120
    comp-lzo
    max-clients 100
    # ! ! ! start
    # This script performs the authentication against LDAP
    auth-user-pass-verify /etc/openvpn/ldap/ldapauth.pl via-file
    
    tmp-dir /tmp
    # ! ! ! end
    client-cert-not-required
    script-security 3 system
    username-as-common-name
    
    # ! ! ! start
    # This script is run after /etc/init.d/openvpn start
    up /etc/openvpn/ldap/scrptup.sh
    # ! ! ! end
    tun-mtu 1500
    fragment 576
    mssfix
    
    # After connecting to OpenVPN, this route is added to the routing table on the user's workstation
    push "route 172.17.17.0 255.255.255.0"
    # After connecting to OpenVPN, these DNS servers are pushed to the user's workstation
    push "dhcp-option DNS 172.17.17.254"
    push "dhcp-option DNS 172.17.17.151"
  5. Download, unpack, and copy the file to /etc/openvpn/ldap/ldapauth.pl

    and chmod this file to 100755.

  6. Create a group in your eDir:

    Example: cn=openvpngrp.ou=vpnou.ou=firmaua.o=uaa

  7. Modify these strings in /etc/openvpn/ldap/ldapauth.pl:

    my $ldap_server = "A.B.C.D";

    A.B.C.D is the IP address of your LDAP (eDir) server; it should hold a Master or R/W replica. Anonymous access must be allowed so the script can look up user names.

    my $base_dn_user = "o=uaa";
    my $base_dn_group = "o=uaa";
    my $allow_group = "openvpngrp";
  8. Create the directory /var/log/openvpn
  9. Check that perl exists on your SLES11SP1 server.
  10. If they are not already installed, add the following Perl modules:
    Net::LDAP
    Net::LDAPS

    You can install the modules from YaST or as shown below:

    # cpan
    cpan> install Net::LDAP
    ....
    cpan> install Net::LDAPS
    ....
    cpan>quit
    #


That's all!
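The decision logic an auth-user-pass-verify script of this kind has to implement (read the via-file, enforce the two restrictions above, check the openvpngrp membership, then bind as the user) as an added example; this is not the article's ldapauth.pl, and FakeEDir is a constructed in-memory stand-in for the eDirectory server, assuming cn is the login name and that the real script would use Net::LDAP / Net::LDAPS.

```python
"""Decision logic of an OpenVPN 'auth-user-pass-verify ... via-file' script applying
the article's rules: lowercase-only login, unique user name, membership in the allowed
eDir group. Added example, not the article's ldapauth.pl; FakeEDir is a constructed
stand-in for the eDirectory LDAP server (the real script uses Net::LDAP / Net::LDAPS)."""


class FakeEDir:
    """Constructed stand-in for eDirectory: anonymous search, group lookup, simple bind."""
    def __init__(self, users, groups):
        self.users = users      # user DN -> {"cn": ..., "password": ...}
        self.groups = groups    # group cn -> set of member DNs
    def search_users_by_cn(self, cn):   # the anonymous lookup step 7 needs; assumes cn is the login
        return [dn for dn, attrs in self.users.items() if attrs["cn"] == cn]
    def is_member(self, group_cn, dn):
        return dn in self.groups.get(group_cn, set())
    def bind(self, dn, password):       # simple bind as the located user; True only on success
        return dn in self.users and self.users[dn]["password"] == password


def parse_via_file(text):
    """OpenVPN writes the username on line 1 and the password on line 2 of the via-file."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        return None
    return lines[0], lines[1]


def verify(via_file_text, directory, allow_group="openvpngrp"):
    """Return the exit code OpenVPN expects: 0 accept, 1 reject. Any failed or
    ambiguous step rejects, so the check fails closed."""
    creds = parse_via_file(via_file_text)
    if creds is None:
        return 1
    username, password = creds
    if username != username.lower():                    # restriction 1: lowercase only
        return 1
    matches = directory.search_users_by_cn(username)
    if len(matches) != 1:                                # restriction 2: name must be unique
        return 1
    user_dn = matches[0]
    if not directory.is_member(allow_group, user_dn):    # step 6: must be in openvpngrp
        return 1
    return 0 if directory.bind(user_dn, password) else 1


# constructed sample directory: alice is allowed, bob is not in the group, "dup" is not unique
SAMPLE_DIR = FakeEDir(
    {"cn=alice,ou=office1,o=uaa": {"cn": "alice", "password": "s3cret"},
     "cn=bob,ou=office1,o=uaa": {"cn": "bob", "password": "pw"},
     "cn=dup,ou=office1,o=uaa": {"cn": "dup", "password": "x"},
     "cn=dup,ou=office2,o=uaa": {"cn": "dup", "password": "x"}},
    {"openvpngrp": {"cn=alice,ou=office1,o=uaa", "cn=dup,ou=office1,o=uaa"}})
```

In the real script the return value becomes the process exit status, which is what OpenVPN reads to accept or reject the client.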

Attachment: ldapauth01.tgz (1.92 KB)

Novell OES Clustering with NSS on vSphere 4.x


By: Victor Gehring, CNE, CCDA, ITIL, VTSP
Updated: 5/24/2012

For those IT shops wanting to enjoy the advantages of Novell clustering in their VMware environments, this article pulls together information from various sources, along with personal experience, into what is intended to be a complete configuration guide for the platform discussed. The target audience is assumed to have a working knowledge of SLES/OES, SANs and VMware.

This article will likely apply to you if you are running SLES10.x/OES2, vSphere 4 and fibre channel or iSCSI SANs, and desire a CAB (cluster across boxes) architecture in a production environment. SLES11/OES 11 clustering should also work the same way using this architecture, but the examples used herein are based on SLES10/OES2. Using VMware to create a CIB (Cluster In a Box) also works, but isn't generally recommended for high-availability applications.

There are some things you need to consider before heading down this path to determine if this solution will work for your needs. Currently, VMware allows you to create two types of storage disks, VMware Virtual Disks and RDM (Raw Device Mapped) disks. This article requires BOTH disk types to create a stable solution. As such, be aware that VMware has a 2TB less 512k limit on disk sizes in vSphere 4.x. Also understand that VMware only allows one virtual machine to host an RDM disk per physical vSphere host. While both disks will be configured for sharing, the traditional VMware Virtual Disk will only be needed to store the RDM configuration file(s), and therefore does not require a large disk. The RDM disk is intended to be used for general data storage. The SLES VMs can run either in the VMware virtual disk or, if you are using physical or blade servers, on the local disk storage, but typically not in the RDM storage area.

Finally, allow me to apologize in advance for redacting the screenshots to mask the identity of the systems. This was the most expeditious way of providing illustrations without compromising client information.


Figure 1. Topology

1. LUN Configuration:

This article assumes that you or your SAN administrator will configure the two dedicated LUNs for presentation to your vSphere hosts. This LUN configuration is typically performed using the SAN manufacturer's disk array management software. Recall from above that one LUN will be used for a VMware Virtual Disk and the other for the RDM disk. From the host's Configuration tab, navigate to the storage adapters to verify and/or rescan for the new LUNs and make note of which LUN is provisioned for which disk type.

2. VMware Virtual Disk Configuration:


Figure 2. Node 2 shared VMDK on LUN 1

Make sure SCSI bus sharing for SCSI Controller 1 is set to physical. Again, this disk is simply set up like any typical SAN disk resource that provides shared access to VMs.

3. VMware RDM Disk Configuration:


Figure 3. Node 1 RDM disk on LUN 2.

When configuring this disk, it is critical to make sure you add a new dedicated SCSI bus to the VM's configuration. To function properly, the SCSI bus hosting the RDM disk should not be hosting any other disks. Also be sure to note the SCSI bus address of the added hard drive (ex. 2:1). When completing the disk add wizard, be sure to "Save Configuration" to the SHARED virtual disk created in #2 (do NOT store with VM) by using the browse function. Don't worry about setting up a folder ahead of time to store the RDM map file in the shared virtual disk, since VMware will create its own; all you need to do is browse to the root of the disk.

4. NSSMU Configuration:


Figure 4. NSSMU showing LUN 2 data partition enabled for sharing.


Figure 5. NSSMU showing sdc partition detail.

Depending on the state of your OES2 cluster configuration, your SBD partition may or may not have been created. If you have already installed the cluster option from the OES2 installation and were not able to get the SBD set up, one way to complete that is to use the sbdutil command line utility. Please refer to the Novell documentation and/or command line help for usage instructions. As shown in Figure 5, it is important to understand that the SBD partition is contained within the RDM disk on LUN 2.

5. Create Master Cluster Node:

If you have already installed the clustering feature on the master node via the OES2 installation process, you may need to reconfigure it following the SAN and VMware disk configuration effort. If the OES2 installer does not allow reconfiguration of the clustering feature stating that it is already configured, you will likely need to run yast ncs and select Yes to reconfigure NCS. Again, please refer to the Novell documentation for assistance with completing the NCS wizard setup questions. Upon successful configuration of the master node, you should be able to run iManager and view the cluster status where both the master node and the master IP resource objects should be viewable, online and ready for user access.

6. Create 2nd Cluster Node:


Figure 6. Node 2 RDM disk added.

This step assumes you have already installed the 2nd SLES node and now need to join it to Node 1 to complete the cluster. So the next step is to add the RDM hard disk to Node 2. When doing so, make sure to add a dedicated SCSI bus having the SAME addressing as the RDM disk created in step #3 (Ex. 2:0). Then add the hard drive using the Existing disk option.

Browse to the shared virtual disk from step #3 and locate the RDM map file. Make sure to assign the hard drive the same SCSI address as in step #3 (Ex. 2:1).

Execute the OES2 Install and Configuration, add or reconfigure NCS, and select the "add node to an existing cluster" option. While going through the wizard should be rather straightforward, please refer to the Novell cluster installation documentation for assistance with this configuration if necessary. When completed, you should then be able to go into iManager and see that the 2nd node has joined the cluster. You should also be able to use iManager to fail over and fail back the nodes seamlessly. There are also command line utilities you can use as well. Enter cluster --help at a prompt to view the available choices.

So before turning your users loose to access this new resource, please heed these cautionary caveats. Be sure to keep your SLES/OES servers current with patches via Novell's auto-updater and service pack application processes. Just as important, be sure to deploy the most current Novell Client for the platform your shop is running. Particularly in this environment, it is still one of the best ways to avoid trouble.

Why Choose This Topology?

You may be wondering why this LUN arrangement is used. Given VMware's 2TB limit, why wouldn't you simply use one shared virtual disk? While you can successfully configure this, I have found in practice that, particularly with larger disks (>400GB), it will not be stable. Users will lose connectivity to drives mapped to the SAN disk resource. It may only happen occasionally, but it will be enough to drive you nuts. So what about just one RDM disk? This won't work because after the 1st/master node grabs the LUN to create the RDM, it will no longer be accessible by other nodes, since you cannot store the RDM mapping file within the RDM disk. This is why a 2nd LUN needs to be created and set up as a VMware shared virtual disk for RDM map file storage, so that all cluster nodes can access the mapping file. Additionally, wrapping your arms around this method will likely be useful in the event you are tasked with installing a Windows server cluster, as I have seen other blogs and articles that discuss this same approach. One of the main differences is that the Windows terminology refers to the two LUNs as a "quorum" and "data" LUN, where the quorum LUN is made available to all cluster nodes to control ownership and access of the cluster data. Finally, it's also nice to know (at least when this article was written, April 2012) that Novell allows you to create a two-node SLES cluster without incurring any extra license fees.

Your comments on this article are invited: victor.gehring@pcn-inc.com
