4.8 eDirectory 9.2.4

4.8.1 eDirectory Containers for Clusters

Each cluster that you want to add to a business continuity cluster should reside in its own OU level container.

As a best practice for each peer cluster, put its Server objects, Cluster object, Driver objects, and Landing Zone in the same eDirectory container. See Table 4-3 for an example.

Table 4-3 Sample eDirectory Containers for Peer Clusters

ou=cluster1

ou=cluster2

ou=cluster3

You can use the cluster OU as the landing zone.

Optionally, you can create an OU in the cluster OU for the landing zone.

ou=cluster1LandingZone

You can use the cluster OU as the landing zone.

Optionally, you can create an OU in the cluster OU for the landing zone.

ou=cluster2LandingZone

You can use the cluster OU as the landing zone.

Optionally, you can create an OU in the cluster OU for the landing zone.

ou=cluster3LandingZone

cn=cluster1

cn=cluster2

cn=cluster3

c1_node1 (IDM node with read/write access to ou=cluster1)

c1_node2

c1_node3

c2_node1 (IDM node with read/write access to ou=cluster2)

c2_node2

c3_node3

c3_node1 (IDM node with read/write access to ou=cluster3)

c3_node2

c3_node3

cluster1BCCDriverSet

  • c1toc2BCCDriver

  • c1toc3BCCDriver

cluster2BCCDriverSet

  • c2toc1BCCDriver

cluster3BCCDriverSet

  • c3toc1BCCDriver

4.8.2 eDirectory Read/Write Replica on Each IDM Node

The node where the Identity Manager engine and the eDirectory driver are installed must have an eDirectory full replica with at least Read/Write access to all eDirectory objects that will be synchronized between clusters. This does not apply to all eDirectory objects in the tree.

4.8.3 Rights Needed for Installing BCC

The first time that you install the Business Continuity Clustering software in an eDirectory tree, the eDirectory schema is automatically extended with BCC auxiliary object classed and attributes.

IMPORTANT:The user that installs BCC must have the eDirectory credentials necessary to extend the schema.

If the eDirectory administrator user name or password contains special characters (such as $, #, and so on), you might need to escape each special character by preceding it with a backslash (\) when you enter credentials for some interfaces.

4.8.4 Rights Needed for BCC Management

The BCC Administrator user should have at least Read and Write rights to the All Attribute Rights property on the Cluster object of each peer cluster. Before you install BCC, create the BCC Administrator user and group identities in eDirectory to use when you manage the BCC.

The following trustee settings are recommended for the BCC Administrator user on the Cluster object of each peer cluster:

Property Name

Assigned Rights

Inherit

Description

ACL

None

No

Explicitly removing the rights for the ACL property ensures that no rights flow from eDirectory to the file system.

[All Attributes Rights]

Compare, Read, Write

Yes

Read and Write are required.

[Entry Rights]

Create, Delete

Yes

The Create right allows the trustee to create new objects below the container and also includes the Browse right.

The Delete right allows the trustee to delete the target from the directory.

For information, see Section 5.3, Configuring a BCC Administrator User and Group.

4.8.5 Rights Needed by the BCC Administrator to Manage Peer Clusters

The BCC Administrator user is not automatically assigned the rights necessary to manage all aspects of each peer cluster. When you manage individual clusters, you must log in as the Cluster Administrator user, or as administrator-equivalent to this user. You can manually assign the Cluster Administrator rights to the BCC Administrator user for each of the peer clusters if you want the BCC Administrator user to have all rights.

You can assign the BCC Administrator user as an administrator-equivalent account for each peer cluster by configuring the following for the user account:

  • Give the user the Supervisor right to the Server object of each server in the cluster.

  • Linux-enable the user account with Linux User Management (LUM).

  • Make the user a member of a LUM-enabled administrator group that is associated with the servers in the cluster.

For information about configuring permissions for cluster administrator-equivalent users, see Configuring Additional Administrators in the OES 2018 SP3: OES Cluster Services for Linux Administration Guide.

4.8.6 Rights Needed by BCC Drivers

Each Identity Manager Driver object must have sufficient rights to any object it reads or writes in the following containers:

  • The Identity Manager driver set container.

  • The container where the Cluster object resides.

  • The container where the Server objects reside.

    If Server objects reside in multiple containers, this must be a container high enough in the tree to be above all containers that contain Server objects.

    The best practice is to have all Server objects in one container.

  • The container where the cluster Pool objects and Volume objects are placed when they are synchronized to this cluster. This container is referred to as the landing zone. The NCP Server objects for the virtual server of a BCC-enabled resource are also placed in the landing zone.

You can do this by making the Identity Manager Driver object the security equivalent to the BCC Administrator User object after you create the driver.

4.8.7 eDirectory Requirements for Identity Manager

The node where Identity Manager is installed must have an eDirectory full replica with at least Read/Write access to all eDirectory objects that will be synchronized between clusters.

IMPORTANT:Full eDirectory replicas are required. Filtered eDirectory replicas are not supported.