NOTE: Check the currently installed Novell and third-party applications to determine if eDirectory 8.8 SP7 is supported before upgrading your existing eDirectory environment. It is also highly recommended that you back up eDirectory prior to any upgrades.
You can use any one of the platforms listed below.
32-bit eDirectory supported platforms:
Windows Server 2003 Enterprise Edition with latest Service Pack
32-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition) and its service packs
64-bit eDirectory supported platforms:
64-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition) and its service packs
Windows Server 2008 R2 (Standard/Enterprise/Data Center Edition) and its service packs
You must use an account that has administrative rights to install eDirectory 8.8 SP7 on Windows Server 2008 R2.
You should apply the latest available patch for eDirectory.
Windows XP is not a supported eDirectory 8.8 platform.
eDirectory also requires the following:
An assigned IP address
Administrative rights to the Windows server and to all portions of the eDirectory tree that contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.
For a detailed list of prerequisites for installing eDirectory on a Windows server, see the Novell eDirectory 8.8 SP7 Installation Guide.
When you try to add an eDirectory 8.8 SP7 server from a Windows host to an existing tree running on a different host, it might fail if the firewall is enabled.
To work around this issue, enable SLP services and an NCP port (default 524) in the firewall to allow the secondary server addition.
The eDirectory and Novell iManager installs use Java 1.4 or later versions. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly.
With some video cards, and with some driver versions, you might notice some visual abnormalities in the installation screens. Examples include a pastel color scheme and a strange mottling effect that might look like the resolution is much lower than the actual setting. Some installation screens do not display at all. This makes it appear that the installation is hung up, or that it has aborted. If you see that the installation screens do not appear correctly, download a newer version of the driver for your video card. Otherwise, the installation might not complete successfully.
With some video cards, when 256 colors are set, the installation screen might seem to disappear after the SNMP portion of the installation, even though install.exe and launch.exe are still running (as shown in the Windows Task Manager). If this happens, use Task Manager to terminate the launch.exe process, set your display to more than 256 colors, then rerun the installation. This performs an upgrade installation over the top of the existing installation, and the upgrade should complete successfully.
Prior to the installation of eDirectory 8.8 SP7 on any Windows server, make sure that the native Master Agent is installed.
If you have the Windows SNMP service installed and running on your system, the eDirectory installation temporarily shuts it down while it installs the Novell SNMP subagent. After the Novell SNMP subagent is installed, the Windows SNMP service is restarted.
If your IPX configuration (in Network Settings in the Windows Control Panel) is configured with an Internal Network Number of 0, the eDirectory 8.8 SP7 installation might fail if the machine has multiple NICs. The Internal Network Number must be set to something other than 0 in order for the eDirectory installation to complete properly, and for eDirectory to run properly after installation.
If you choose to uninstall IPX, IPX should be completely uninstalled as a protocol, not merely disabled on some or all adapters.
If you use IPX, it must be configured correctly. That is, multiple adapters (LAN or WAN) must have a valid internal IPX net number set.
You cannot install, remove, enable, or disable a protocol on any adapter while eDirectory is running.
In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.8 SP7 server is being installed, so some features are not completely installed.
This problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.8 SP7, using the eDirectory 8.8 SP7 schema files located in the <Unzip Location>\Novell\NDS folder (for 32-bit) and <Unzip Location>\Novell\NDS\x64 folder (for 64-bit).
For more information on extending the schema, refer to the “Extending the Schema on Windows” section in the Novell eDirectory 8.8 SP7 Administration Guide.
When eDirectory 8.8 SP7 is installed on a Windows 2000 machine already containing the Novell Client, eDirectory installs an SLP service, but sets the service to manual mode so that it does not run when the server is booted. eDirectory then uses the SLP service from the Novell Client. If the Novell Client is removed, leaving no SLP service for eDirectory to use, you must manually start the SLP service, or change it to start automatically when the server boots.
If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP7.
During the upgrade from eDirectory 8.7.x to eDirectory 8.8 SP7, the location of the Identity Manager files is changed, requiring a reinstall of the Identity Manager engine and drivers. Any third-party jar files are not automatically copied to the new location and must be manually placed prior to starting the affected drivers. All drivers should be set to manual prior to upgrading to eDirectory 8.8 SP7.
When an eDirectory server is upgraded from previous versions to eDirectory 8.8 SP7, the disk space check for the Directory Information Base (DIB) upgrade is performed. The free disk space necessary in the file system where the DIB resides is equal to that of the DIB size. The messages of the disk space check are updated in the ndscheck.log located in the instance’s specific log folder. The default location is C:\Novell\NDS\ndscheck.log.
NOTE: The disk space check is required only during the DIB upgrade process. For more information, refer to the “Upgrade Requirements of eDirectory 8.8” section in the Novell eDirectory 8.8 SP7 Installation Guide.
When eDirectory is upgraded to eDirectory 8.8 SP7, the server is stopped and a DIB upgrade operation is performed before the server is started and the normal upgrade is performed. The time taken for this upgrade depends on the number of objects in the tree.
For more details on the DIB upgrade, refer to “Upgrade Requirements of eDirectory 8.8” in the Novell eDirectory 8.8 SP7 Installation Guide.
The following error is displayed:
Admin user does not have enough rights to modify the tree schema.
To resolve this issue, complete the following steps:
From the Administrator Login page of eDirectory installation, browse to and select the admin user.
Specify the password, then clickto continue.
If you upgrade an eDirectory server on which the eDirectory instrumentation is installed, the eDirectory instrumentation files are not upgraded automatically. Therefore, you must manually upgrade the eDirectory instrumentation files.
NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.
For more information on upgrading the instrumentation, refer to the Novell eDirectory 8.8 SP7 Installation Guide.
When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation does not detect the error until later, and the eDirectory installation fails with a -611 or -634 error.
The valid Server object container types are:
Organizational Unit (OU)
On rare occasions, the eDirectory installation fails during its core DS component installation. If so, an error like the following is displayed:
The DS component of eDirectory failed to install correctly. The error received was: ’<error text>’. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated.
If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already on your system, or for any other reason, visit the Novell Support Web site for possible solutions.
Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Novell Downloads Web site.
Install the NPM as directed in the Novell iManager 2.7.5 Installation Guide.
If, after uninstalling the Novell International Cryptographic Infrastructure (NICI), you want to completely remove NICI from your server, delete the \windows\system32\Novell\NICI subdirectory (for 32-bit NICI) or delete the \windows\SysWOW64\Novell\NICI subdirectory (for 64-bit NICI). You might need to take ownership of some of the files and directories under the NICI subdirectory to delete them.
WARNING: When the NICI subdirectory is removed, any data or information that was previously encrypted with NICI cannot be recovered.
Install and configure eDirectory, then configure the xdasproperties file. Ensure that the syslog appender is enabled as follows:
Disable Layout definition for appender Syslog S as follows:
# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
When you attempt to load xdasauditds, eDirectory starts dumping the core and the program is terminated with signal 11.
This issue arises because log4cxx does not check for the existence of layout in the xdasproperties file before setting it up. It assumes that Layout definition for appender Syslog S is automatically enabled if the syslog appender is enabled in the xdasproperties file.
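As an added example (not part of the Novell readme or the product's code), the following Python check scans a properties file for a syslog appender that is enabled while its layout line is commented out, which is the condition described above, and can re-enable that line. The sample file contents, the log4j.rootLogger and log4j.appender.S= lines (taken from standard log4j property naming), and the function names are assumptions.

```python
import re

# Constructed sample reproducing the failing configuration described above:
# appender S is enabled, its layout line is commented out, and the
# ConversionPattern line is left active. The first two lines are assumed
# from standard log4j property naming; they are not shown on this page.
BROKEN = """\
log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
"""

# Matches only the appender definition key, not its sub-properties.
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.]+)$")


def parse_properties(text):
    """Return the active (uncommented) key/value pairs of a properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def syslog_appenders_without_layout(text):
    """List enabled syslog appenders that have no active layout definition.

    Each finding also names layout sub-properties (such as ConversionPattern)
    that are still active and therefore refer to a layout that is not set.
    """
    props = parse_properties(text)
    findings = []
    for key, cls in props.items():
        match = APPENDER_KEY.match(key)
        if not match or not cls.endswith("SyslogAppender"):
            continue
        name = match.group(1)
        layout_key = f"log4j.appender.{name}.layout"
        if layout_key in props:
            continue  # layout is defined, nothing to report
        orphans = sorted(k for k in props if k.startswith(layout_key + "."))
        findings.append({"appender": name, "orphaned_layout_keys": orphans})
    return findings


def restore_layout(text, name):
    """Uncomment the layout line of the named appender, if one is present."""
    pattern = re.compile(
        rf"^[ \t]*#[ \t]*(log4j\.appender\.{re.escape(name)}\.layout[ \t]*=.*)$",
        re.MULTILINE,
    )
    return pattern.sub(r"\1", text)


if __name__ == "__main__":
    for finding in syslog_appenders_without_layout(BROKEN):
        print("syslog appender without layout:", finding)
    fixed = restore_layout(BROKEN, "S")
    print("findings after restoring the layout line:",
          syslog_appenders_without_layout(fixed))
```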
The auto save feature of the iManager property page causes it to save the default object class when you visit XDAS roles or XDAS accounts page before moving to other pages. To make sure that the settings are appropriate for your requirement, check the xdasconfiguration attribute on the NCP Server object after you are done with settings through iManager.
Before upgrading to eDirectory 8.8 SP7 on Windows, if other Novell products are installed (such as ZENWorks and NetMail Manager), you must first manually stop the currently running NDS server service before proceeding with the installation of eDirectory 8.8 SP7. Restart the applications after the eDirectory installation.
Because of some security issues, Windows Server 2003 restricts console access from within a service. Because eDirectory runs as a service on Windows, it has restricted access to the console, which prevents it from opening the help dialog box. This is observed for utilities such as DSRepair, DSMerge, and DSBrowse.
To view the help files for these utilities, open them directly by double-clicking them in the folder they are located in. For example, C:/Novell/NDS/NLS/Nihongo for the Japanese help file.
If the login fails during the secondary server installation, click the button next to the Administrator Login Name dialog box. After this, you might see an error message and a dialog box prompting you to enter an IP address. Enter the IP address of any server in the tree, preferably the Master server of the partition to which the server is being added.
If the server is running on a port number other than 524, enter the port number as well (such as 126.96.36.199:1524). This connects to the server, displays the tree name, and prompts for a login name and password. Follow the dialog boxes to continue with the installation. Ensure that the time between the primary and secondary servers is synchronized.
When you upgrade eDirectory 8.7.3.x to eDirectory 8.8 SP7 and enable encrypted replication, replication fails in rare scenarios.
To work around this issue:
In Novell iManager, select, then select the NCP Server object.
Under the General tab, select.
Addfrom Unvalued Attributes to Valued Attributes with the certificate name. For example, .
Run Limber on the server where the attribute changed in Step 3. For information about using Limber, see the Novell eDirectory 8.8 SP7 Administration Guide.
After eDirectory 8.8 SP7 installation is complete, you might see a -5984 error when you log in to iMonitor or use NDSCons to start the sas.dlm service.
This issue occurs on systems where Client32 is not installed. To resolve this issue, add \novell\nds\sms to the PATH environment variable.
eDirectory installation fails when the install files are run from a path that contains double-byte or extended ASCII characters.
The installer fails to find the correct path to load the rt.jar file. This issue does not occur if the eDirectory installation folder has a relatively short path. For example, eDirectory installation can fail if the length of the folder path is more than 115 characters.
If you use a remote desktop connection to install, the installation fails with an error message. Because a remote desktop connection is slower than the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.
You can avoid this by installing eDirectory on an actual/physical connection of the server or by using a VNC connection.
On Windows, while uploading LDIF with a simple password, ldif2dib might fail if the NICI keys in the system and Administrator folders are not in sync.
To work around this issue, use the following procedure to access the keys in the nici/system folder:
Go to the C:\Windows\system32\novell\nici\ folder (for 32-bit NICI).
Go to the C:\Windows\SysWOW64\novell\nici\ folder (for 64-bit NICI).
Back up the files in the Administrator folder.
Go to the system folder.tab in the Properties window of the
Selectand go to the tab.
Go back to thetab and add Administrator to the list.
Repeat Step 3 through Step 6 to get read access to all the files inside the system folder.
Overwrite the files in the Administrator folder with the ones in the system folder.
After the upload is done, copy the backed-up files to the Administrator folder.
Change the Administrator’s access to the system folder and also the files within the folder.
The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has the following syntax in the LDIF file:
Objects bulkloaded using the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.
You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.
You cannot configure encrypted replication through iManager if any server in the replica ring is down.
When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.
If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure, if the bulkload has been done with the disable indices option.
However, this is not an issue if the dibclone is initiated a few hours after the bulkload completion.
While cloning with the Encrypted Replication feature enabled on the source server, modify the ER policy to temporarily exclude the cloned server. This can be changed after the configuration of the cloned server is complete.
On Windows, after NLDAP is stopped, you need to restart the server to load NLDAP.
iManager requires Novell Modular Authentication Service (NMAS) support to be installed on the Windows system on which iManager is installed. It does not require the Novell Client. If you are going to use the Novell Client, iManager requires a version with NMAS support.
When you use iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.
The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single-server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single-server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.
If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single-server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:
ring_readable-Min_Marginal: 1 or ring_readable-active: OFF
This turns off the warnings for Readable Replica Count and Perishable Data.
The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.
Click, then click the tab.
Select theicon, then click .
Scroll down to the Scripting section and setto .
When running eDirectory utilities such as dsbrowse.dlm and dsrepair.dlm on a Windows Terminal Server, the utility opens on the main desktop, not in the Terminal Services window. This is because Windows Server 2003, for security reasons, does not allow a service to display a window on the Terminal screen.
DHost crashes if the administrator logs off when a repair window is still open. When you run a repair utility, all the repair windows must be closed before logging out of the Windows session.
During upgrade or installation of other Novell products such as Identity Manager, DHost crashes randomly with the following error while shutting down eDirectory:
Memory could not be written.
However, there is no data loss.
The Novell SecretStore functionality does not work over LDAP. To resolve this, you need to refresh LDAP through iManager.
The eDirectory MIB file (<eDirectoryInstallRootDir>\snmp\edir.mib) on Windows compiles with some errors and warnings on HP OpenView. You can ignore these errors.
If LDAP is not configured to run in clear text mode, the name of the trusted root certificate file must be given in the SNMP configuration file (for example, SSLKEY C:\Novell\nds\trust.der) before bringing up the eDirectory SNMP subagent.
ndssnmp.cfg is found in C:\novell\nds\snmp on Windows.
When you install eDirectory 8.8 SP7 for the first time (creating a new tree), if the Windows SNMP Service is installed on the server, and the SNMP Service has one or more dependent services, eDirectory cannot shut down the SNMP Service. If this happens, SNMP is not ready to use after the eDirectory installation.
Follow these steps to restart the SNMP service:
Right-clickin the list, then click .
Right-clickin the list, then click .
While installing eDirectory on any supported Windows platform server, if you get an SNMP group object creation error, you need to manually create the SNMP group object. For information on the steps to manually create an SNMP object, refer to the “eDirectory and SNMP” section of the Novell eDirectory 8.8 SP7 Administration Guide.
If the Windows SNMP Service is installed on a server, and the SNMP Service has one or more dependent services, the eDirectory uninstall does not delete all the SNMP files in the C:\novell\nds folder. However, the other uninstallation processes complete successfully, including the deletion of the SNMP registry entries, and the deconfiguration process that the Novell SNMP agent does with DS and the SNMP Service.
To complete the uninstallation:
Right-clickin the list, then click .
Right-clickin the list, then click .
Manually delete the remaining SNMP files in the C:\novell\nds folder.
When you invoke any of the eDirectory utilities through the eDirectory GUI (C:\novell\NDS\NDSCons.exe) on Windows Server 2008, an interactive dialog box appears.
To launch and continue using the invoked utility, click the option in the interactive dialog box.
NOTE: When configuring the Directory Agent for Novell eDirectory module (ds.dlm), ensure that you exit the ds.dlm dialog box to continue using the Novell eDirectory services.
If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. Use the Novell eDirectory Services utility (C:\novell\NDS\NDSCons.exe) on the eDirectory server to restart eDirectory.
Attributes related to Netscape have been removed from the default schema installed with LDAP in eDirectory 8.8 SP7. If you want to use those attributes, they are present in a tree that was installed prior to eDirectory 8.8, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema folder.
Deletion of a moved object might fail (error -637) in a tree with two or more servers.
Moving a Dynamic Group object with dynamicgroup in the Object Class attribute to another container breaks the dynamic group functionality. After the move, queries and searches on dynamic members do not work.
When you repair the network addresses through eMBox, it throws the following errors because eMBox is not updated with the recent fixes for repair:
ERROR: Could not find a net address for this server - Error : 11004
ERROR: Could not connect. Error : 11004
Although eDirectory can be installed in a custom location, the location of the xdasconfig.properties file is currently set as c:\. Therefore, you should move this configuration file from the c:\novell\nds folder to the c:\ drive.
When you install eDirectory 8.8 SP6 or later, the installer automatically includes a more recent version of the JClient/DClient package than used by earlier versions of Identity Manager. If you have eDirectory and Identity Manager 3.5 or earlier installed in the same environment, compatibility issues with JClient/DClient stop Identity Manager from starting up successfully.
The Novell eDirectory Management Toolbox (eMBox) does not handle double-byte characters for setting a roll-forward directory through the eMBox client and iManager. This can still be done by using DSBK.
In a French localized Windows environment, if you try to run the utility for configuring eDirectory on a cluster (dsclusterconfig.exe), the localized O option does not work. You must provide the corresponding English Y option for the utility to run.
If you use the dsclusterconfig.exe utility in a Japanese localized Windows environment, the utility displays corrupted Japanese characters in the Windows terminal. You must change the localization settings for the utility to use English in order to properly configure eDirectory.
Novell eDirectory 8.8 SP7 has the following documentation:
Novell eDirectory 8.8 SP7 What's New Guide
Novell eDirectory 8.8 SP7 Installation Guide
Novell eDirectory 8.8 SP7 Administration Guide
Novell eDirectory 8.8 SP7 Troubleshooting Guide
Novell XDASv2 Administration Guide for eDirectory, Identity Manager, and NMAS v1
These documents are available at the Novell eDirectory 8.8 online documentation Web site.
The latest version of this Readme is available at the Novell eDirectory 8.8 online documentation Web site.
For a full list of all issues resolved in Novell eDirectory 8.8, including all patches and service packs, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x.”
For iManager information, refer to the iManager online documentation.
For NMAS information, refer to the NMAS online documentation.
For Password Management information, refer to the Password Management online documentation.
For Certificate Server information, refer to the Certificate Server online documentation.
For NICI information, refer to the NICI online documentation.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.