Back in the old days when NetWare 4.x was a pretty neat idea, the new innovation that it brought with it was Novell Directory Services, or NDS. While the world was waiting decades (at least, it felt like that long) for Microsoft to finally bring out Active Directory, NDS was happily servicing multi-site distributed directories to anyone with at least one NetWare server on the organisational network.
Although in the long term Novell didn’t manage to hold onto the server market they’d pretty much created single-handed in the 1980s and early 1990s, they were sensible enough to spin off NDS as a product in its own right, so you no longer needed to be a NetWare house to use it. They even gave it a whizzy new name: eDirectory.
The server product runs on a number of platforms: HP-UX, AIX, various Linuxes (SuSE included, naturally), NetWare (of course), Solaris and Windows. The Windows version we tried was downloaded as an ISO disc image; we installed it using a tool that lets you mount an image as a virtual disk, but we could just as easily have burned it off to a CD. In addition to the ability to accept LDAP connections from LDAP-capable networked devices, there are also Novell clients for Windows and Linux that let you use your eDirectory world as the repository of authentication and access control information for your desktop PCs. So on Windows in particular, instead of the usual login box, you have a Novell one (version 4.91 SP3 is the latest), which slaps eDirectory functionality on top of the existing Windows stuff.
Installation of the server is pretty straightforward. When you fire up the installer it checks to see if you have certain Novell-oriented prerequisites installed; our WS2003 server didn’t, so it installed them and insisted on a reboot. Once restarted, the installer was kicked off again and we were walked through a fairly simple wizard that asked us for essential things like whether we wanted to create a new NDS tree or join an existing one (answer: the former), the name of the new tree, the administrator password, the various authentication methods the server is intended to accept, the ports on which the LDAP server and the admin server (a browser-based interface) are to listen, and so on. Note that if you’re going to install eDirectory (or any other similar directory service, for that matter) you ought to be familiar with basic X.500 and/or LDAP concepts (there’s a lot of overlap between the two) – if you aren’t, you may well get lost in the swamp of organisational units, administrative contexts and other wacky-sounding things.
Once you’ve entered all you need to, the system goes off and installs itself. On our 1GHz PIII it took about eight minutes, but obviously the time depends on what options you chose and how whizzy your hardware is. Once it’s done, you won’t see anything in the Start->All Programs menu – administration is handled via a browser or via LDAP, so there’s no need for a desktop admin tool.
If you’ve accepted the default ports in the installation wizard, the admin screens are available by pointing a web browser at port 8028 – so in our case that meant http://192.168.1.41:8028/. It redirects you to an SSL connection (your browser will probably complain about the certificate, but just tell it not to worry). You’re prompted to log in, and here’s where a knowledge of directory services is needed – the username will be a proper LDAP entity string (ours was cn=admin,o=techworld, reflecting the fact that we wanted to log in as user admin in organisation techworld), not just some namby-pamby string like most of us are used to. Once you’re in, it gives you a choice of three admin applications.
DHost Console is the management console for the eDirectory software itself; this is where you can turn on and off the various components of the server, see what connections are currently active, get stats on the system’s behaviour, set the server admin password, and so on. DSTrace and NDS iMonitor are variants on a theme (the former seems to punt you into a subset of the latter) which are concerned with probing and diagnosis into what’s going on within the directory service.
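For the certificate warning on the admin port described above, one alternative to clicking through on every visit is to record the certificate's SHA-256 fingerprint once, over a path you trust, and compare it on later connections. The following Python is an added example, not part of the original review or of Novell's software; the function names and the sample certificate bytes are constructed for illustration, and the HTTPS port the redirect lands on is left as a parameter because the review does not state it.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint_from_pem(pem: str) -> str:
    """Lower-case hex SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalise(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aa bb ..' forms as copied from a certificate viewer."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(pem: str, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(fingerprint_from_pem(pem), normalise(pinned))


def fetch_pem(host: str, port: int) -> str:
    """Fetch the server certificate without validating its chain;
    the pin, not the CA chain, is what is being trusted here."""
    return ssl.get_server_certificate((host, port))


def check_admin_cert(host: str, port: int, pinned: str, fetch=fetch_pem) -> bool:
    """True only if the admin interface presents the pinned certificate.
    `fetch` is injectable so the check can be exercised offline."""
    return matches_pin(fetch(host, port), pinned)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample instead of a live server.
    pin = fingerprint_from_pem(SAMPLE_PEM)
    print("pinned:", pin)
    print("same cert:", check_admin_cert("admin.example", 0, pin, lambda h, p: SAMPLE_PEM))
    other = ssl.DER_cert_to_PEM_cert(b"constructed bytes of a different certificate")
    print("swapped cert:", check_admin_cert("admin.example", 0, pin, lambda h, p: other))
```

A mismatch after a known reinstall or certificate renewal is expected; any other mismatch deserves investigation before the admin password is typed.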
To create and manipulate objects within your directory, you can use any old LDAP client tool. Just like when I wrote about setting up an OpenLDAP directory server recently, I decided to use Softerra LDAP Administrator 3.4; this is a Windows-based application that gives a very nice interface into your LDAP world and lets you define your various items and drag them around within the hierarchy, as well as doing all the niceties like making sure you include all the mandatory data for a given type of entity (so a Person record has to have a surname, for instance).
In short, eDirectory is a very nice directory service. It’s perhaps a bit top-heavy when you compare it to something like OpenLDAP, but to its credit it’s been around for donkey’s years (remember its NetWare 4.x heritage) and I for one have worked in companies with global WANs running NDS and so I’ve seen it running happily in a decent sized, real-world setup.
If you want a reliable directory service and you have a setup that doesn’t have Active Directory thrown in for free (e.g. you don’t have Windows servers), eDirectory is the product to look at first.