eDirectory 8.8 SP8 Patch 6 for Linux

September 2015

eDirectory 8.8 SP8 Patch 6 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable inputs. We hope you continue to help us ensure our products meet all your needs.

For a full list of all issues resolved in eDirectory 8.8, including all patches, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x”.

For the list of software fixes and enhancements in the previous releases, see eDirectory 8.8.8 Patch 5 Release Notes.

To download this product, see the NetIQ Downloads Web site. For more information on eDirectory, see the eDirectory documentation Web site.

For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 9.0, Additional Documentation.


1.0 What’s New

eDirectory 8.8 SP8 Patch 6 provides the following key features, enhancements, and fixes in this release:

1.1 New Features

This release introduces the following new feature:

Support for LDAP Password Modify Extended Operation

This release introduces the support for configuring and using the LDAP password modify extended operation. For more information, see Configuring and Using the LDAP Password Modify Extended Operation in the NetIQ eDirectory 8.8 SP8 Administration Guide.

1.2 Operating System Support

In addition to the platforms introduced in previous releases of eDirectory 8.8.x releases, this release adds support for the following operating systems:

  • SLES 11 SP4 (SUSE Linux Enterprise Server)

  • RHEL 6.7 (Red Hat Enterprise Linux)

  • RHEL 7.1

1.3 Updates for Dependent Components

In this release, the Java version has been updated to 1.8.0_60. There are no manual steps required to update the version of Java. After upgrading, the Java version is 1.8.0_60.

For more information on other Oracle critical patch updates, see http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html.

1.4 Browser Support for iMonitor

This release adds support to the following browsers, in addition to the browsers introduced in eDirectory 8.8.8 Patch 5 or earlier releases:

  • Internet Explorer 11

  • Mozilla Firefox 40

1.5 Software Fixes

eDirectory 8.8.8 Patch 6 includes the following software fixes that resolve several previous issues.

Resolves an Issue with Increased Memory Consumption When XDAS is Used

Issue: If you enable XDAS on your eDirectory, it results in increased memory consumption and slows the response time. (Bug 916049)

Fix: This patch updates the eDirectory code to avoid memory build up when XDAS is enabled.

The ICE Wizard Displays java.lang.NullPointerException Error Message

Issue: eDirectory records java.lang.NullPointerException exception and displays a 239 error code when you try to import or export objects by using the ICE plug-in. (Bug 921636)

Fix: You can now successfully import and export objects by using the ICE plug-in.

Identity Manager 4.0.2 Patch 7 Fails to Load Drivers When eDirectory 8.8.8 Patch 5 Is Reinstalled

Issue: The eDirectory upgrade process shows that each package is already installed. Therefore, it does not remove or install any package. However, the soft links to libjclnt.so are no longer valid. (Bug 926652)

Fix: This patch updates the eDirectory installer code to ensure that the soft links to libjclnt.so are valid.

Resolves an Issue with Inconsistent Usage of SSL CertificateDNS as a Certificate For the http Server httpkeymaterialobject Attribute

Issue: eDirectory does not consistently use SSL CertificateDNS as the certificate for http server httpkeymaterialobject attribute. (Bug 924300)

Fix: With this patch, eDirectory automatically provides the SSL Certificate DNS for the httpkeymaterialobject attribute of the http server object.

Resolves an Issue with NDSD Memory Consumption

Issue: eDirectory triggers the LDAP server refresh code every 10 seconds. The NDSD memory consumption increases when the LDAP server is not associated with a proper certificate. (Bug 938608)

Fix: eDirectory is updated to frequently execute the LDAP refresh code when a proper certificate is not associated with the LDAP server. This resolves the memory leak issue that existed in the LDAP refresh code in the previous version.

Reading Members of a Dynamic Group Causes an Endless Loop

Issue: Reading the members of a dynamic group causes an endless loop when the group has 480 members. (Bug 927868)

Fix: eDirectory now successfully sends all the attributes of the dynamic group members to the client without any looping issues.

LDAP Search Returns Error on Invalid Assertion Values

Issue: When an LDAP search filter contains an invalid assertion value, eDirectory returns Invalid DN Syntax error, which may cause inconvenience to certain LDAP applications. (Bug 923392)

Fix: To handle invalid assertion values in compliance with RFC4511, eDirectory provides a configuration option in the LDAP server. By using the configuration option, eDirectory can now return proper search results to the LDAP client.

Issue with Case Sensitivity of sadmin User Name

Issue: The eDirectory utilities treat sadmin user name as case sensitive. (Bug 909247)

Fix: This patch updates the utilities code, so they uniformly treat the sadmin user name as case insensitive.

Changes to the Tsands API to Allow Backing Up of Partition Object Class Values on Objects with Extended Auxiliary Classes

Issue: eDirectory does not allow backing up and restoring a partitioned object that has an auxiliary class added to it. (Bug 908834)

Fix: This patch includes a new switch, P, to the TSANDS backup utility to restore a partitioned object with an auxiliary class.

eDirectory Limits the Maximum Number of Idle Threads to 128

Issue: eDirectory does not allow you to set the maximum number of idle threads greater than 128. (Bug 918444)

Fix: This patch enables you to set the maximum number of idle threads to a value in the range 128 to 512.

NMAS Ignores Validation for Some Characters in Passwords

Issue: NMAS does not correctly recognize a password that contains uppercase or lowercase characters together with characters above 0x7f (extended characters). (Bug 944055)

Fix: If the password contains uppercase, lowercase, and extended characters, NMAS removes the character from the extended character list and treats it as an uppercase or lowercase character.

2.0 Other Considerations Before Installing the Patch

2.1 Default Listeners for New Network Interface

eDirectory does not listen on all interfaces on a Linux computer, but only on the IP address specified in the nds.conf file. Adding a new network interface address to the computer and restarting eDirectory makes it start listening on that address automatically, with referrals also added correspondingly.

2.2 Using eDirectory 8.8 SP8 with a Firewall Enabled

On SLES computers, if you add an eDirectory 8.8 SP8 server from a SLES host to an existing tree running on a different host, the process might fail if the firewall is enabled.

Enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition.

On RHEL computers, if you add a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open port 524 in the firewall.

3.0 System Requirements

For a detailed list of prerequisites for installing eDirectory, see the NetIQ eDirectory 8.8 SP8 Installation Guide.

4.0 Installing or Upgrading

To upgrade to eDirectory 8.8.8 Patch 6, go to the NetIQ Downloads page and follow the link that allows you to download the software.

5.0 Supported Upgrade Paths

The installation program provides the ability to upgrade from eDirectory 8.8 SP8 onwards or perform a new installation.

Ensure that you are currently on any one of the following eDirectory versions, before upgrading to eDirectory 8.8.8 Patch 6:

  • 8.8.8

  • 8.8.8 Patch 1

  • 8.8.8 Patch 2

  • 8.8.8 Patch 3

  • 8.8.8 Patch 4

  • 8.8.8 Patch 5

For more details, see Installing or Upgrading eDirectory in the NetIQ eDirectory 8.8 SP8 Installation Guide.

6.0 Installing iManager Plug-Ins

  1. Download the iManager plug-in (eDir_88_iMan27_Plugins.npm) from the Downloads Web site.

  2. Install the NPM. For installation instructions, see NetIQ iManager 2.7.7 Installation Guide.

7.0 Additions to Documentation

The following topic has been added to the eDirectory documentation:

7.1 Updating Passwords Through LDAP Password Modify Extended Operation

eDirectory provides a way for LDAP clients to update user passwords using the LDAP Password Modify Extended Operation and allows the extended operation through a secure channel (LDAPS or LDAP Start TLS). For more information, see Configuring and Using the LDAP Password Modify Extended Operation in the NetIQ eDirectory 8.8 SP8 Administration Guide.

8.0 Known Issues

The following sections provide information on known issues at the time of the product release.

8.1 Installation and Configuration Issues

Valid Version of NMAS Not Found

If you install NetIQ Identity Manager 4.0.2 on a computer running eDirectory 8.8 SP8, the setup program displays the following error:

Valid version of NMAS not found

The error message states NMAS 8.8.8 is not a valid version and asks if you want to proceed with the installation process. Ignore the error, and click Yes. The installation process completes successfully.

eDirectory Dumps the Core on Loading xdasauditds When the Syslog Appender Is Disabled

ndsd dumps the core when it attempts to load the xdasconfig.properties file in which the layout definition for Syslog is not defined correctly.

eDirectory 8.8 SP8 SNMP Fails on RHEL Version 6.2 and Above

This is because of an issue with the SNMP modules that Red Hat provides.

To overcome this issue, install the latest RHEL patch from the Red Hat update service. For more information about this workaround, see TID 7011659.

Identity Manager Fails to Start After Updating Non-Root eDirectory 8.8.8 with eDirectory 8.8.8 Patch 4

The non-root eDirectory 8.8.8 Patch 4 comes with an empty <eDirectory install path>/sbin/pre_ndsd_start script that does not allow you to set the paths for Identity Manager. As the paths are not set, Identity Manager is not able to start.

To work around this issue, set the correct path of the eDirectory installation as mentioned in TID 7016136.

Identity Manager 3.6 and 4.0.x Engine Fails to Start After Upgrading to eDirectory 8.8 SP8 Patch 4

This issue occurs because of the mismatch in the Java versions supported by the latest eDirectory patch and Identity Manager. Earlier versions of Identity Manager supported Java 1.6 while eDirectory 8.8.8 Patch 4 shipped with Java 1.7.

To work around this issue, upgrade Identity Manager 3.6.1 or 4.0.x to Identity Manager 4.0.2 or 4.5 including the latest engine patch. For more information, see TID 7016009 or TID 7016010.

eDirectory Dumps the Core on Loading the SNMP Subagent on RHEL 7 with NET-SNMP Version 5.7.2

RHEL 7 provides NET-SNMP version 5.7.2 and installs the following versions of SSL libraries:

  • openssl-1.0.1e-34.el7.x86_64

  • openssl098e-0.9.8e-29.el7.x86_64

When NET-SNMP is loaded with a newer version, the openssl-1.0.1e-34.el7.x86_64 library causes missing symbols and the process dumps core.

To work around this issue, perform the following actions:

  1. Preload the libssl.so.0.9.8* library (LD_PRELOAD) before ndssnmpsa is loaded by the /etc/init.d/ndssnmpsa script.

  2. Modify the line that loads ndssnmpsa to look like the following:

    LD_PRELOAD="/usr/lib64/libssl.so.0.9.8*" /opt/novell/eDirectory/bin/ndssnmpsa

  3. Restart ndsd.

eDirectory Configuration Fails on SLES12 and RHEL 7 If the Configuration File Path Contains a Hyphen

Currently, there is no fix for this issue.

eDirectory Utilities Require Users to Authenticate Using ndspassword

If Universal Password is being used, then it must be synced to the ndspassword in order for all eDirectory command line tools to authenticate.

eDirectory Does Not Log an Event For a Failed Login

By default, eDirectory disables logging for a failed login event. To enable this, configure the Nsure Audit settings for eDirectory to log the Add Value events in the NCP server object. You also need to enable the intruder detection on containers where auditing of these events is required. For more information, see TID 10092488.

A Non-Root User Cannot Start Services On RHEL 7

If you log in as a non-root user, RHEL 7 does not allow you to start the services. Therefore, eDirectory does not support a non-root user on this platform.

There is no workaround at this time.

Installation Fails On RHEL Servers Installed With pprof Package From RedHat

If your RHEL server is installed with the pprof package provided by Red Hat, the eDirectory installation program installs a majority of the packages until it detects this package and then fails to install eDirectory.

When you re-run the installation script regardless of a new installation or an upgrade, the installation script fails again because it encounters the RPMs laid down by the earlier installation attempt.

To work around this issue, uninstall the pprof package from Red Hat before starting the eDirectory installation.

IMPORTANT: In case of a failed upgrade, manually install the novell-ncpenc-1.2.2.0-0.x86_64 package before resuming the upgrade process by using the ndsconfig upgrade command.

eDirectory Fails to Automatically Start After a System Reboot on RHEL 7.1

This issue is observed only on RHEL 7.1 platform.

To work around this issue, manually start the eDirectory service every time the system reboots.

SLPD Provided with SLES 12 and RHEL 7 Platforms Does Not Work

To get the SLPD working, either build your own version of SLPD after downloading it from the OpenSLP web site on your platform or contact NTS for further assistance.

8.2 Upgrade Issues

Duplicate Files Are Created after Upgrading from eDirectory 8.8 SP2 to eDirectory 8.8 SP8

After upgrading eDirectory, the new configuration files have a .new extension. If there are any changes to these files, you can merge them in the new files.

Upgrading Simple Password Bind from an Older Version to a 64-Bit eDirectory 8.8 SP8 Version

After upgrading eDirectory to 64-bit, ensure you update the NMAS Simple Password method for simple password binds to work.

Instrumentation RPM Upgrade Issues While Upgrading eDirectory

If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM is not automatically upgraded. Therefore, you must manually upgrade the eDirectory instrumentation RPM.

NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.

For more information on upgrading the instrumentation, refer to the NetIQ eDirectory 8.8 SP8 Installation Guide.

Issue with ConsoleOne after Upgrading to eDirectory 8.8 SP8

After you upgrade to eDirectory 8.8 SP8 in an environment where ConsoleOne is installed, ConsoleOne displays an error. ConsoleOne requires a 32-bit package included in eDirectory 8.7.3 but removed in eDirectory 8.8 SP8. This issue only occurs on 64-bit installations of eDirectory.

To work around this issue, after upgrading eDirectory, reinstall ConsoleOne. The ConsoleOne installer installs the eDirectory 8.7.3 package and starts properly.

Prompting for Password Multiple Times While Upgrading to eDirectory 8.8 SP8

While upgrading from eDirectory 8.8 SP6 and lower versions to eDirectory 8.8 SP8, you are prompted for the password several times. It is safe to ignore the prompts.

eDirectory 8.8 SP8 Patch 1 Does Not Upgrade on Identity Manager Remote Loader

eDirectory 8.8 SP8 Patch 1 fails to upgrade on an Identity Manager remote loader machine.

To work around this issue:

  1. Stop eDirectory.

  2. Go to the \Linux64 folder of patch directory.

  3. Upgrade the following 8.8.7 rpms, by using the -Uvh option:

    • novell-edirectory-expat-32bit-8.8.7-1.x86_64

    • novell-edirectory-expat-8.8.7-1.x86_64

    • novell-edirectory-xdaslog-conf-8.8.7-1.noarch

    • novell-edirectory-xdaslog-32bit-8.8.7-1.x86_64

    • novell-edirectory-xdaslog-8.8.7-1.x86_64

  4. Apply eDirectory 8.8 SP8 Patch 1.

  5. Start eDirectory.

On SLES 12 Platform After Upgrading to the Latest Patch the eDirectory Variables are Lost

After upgrading to the latest patch, the eDirectory related environment variables in the env file located in the /etc/opt/novell/eDirectory/conf directory need to be re-entered.

NOTE: To avoid this issue, back up the environment file before upgrading to Patch 5.

8.3 Default Instance Path for Multiple Instances

While you configure the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.

8.4 Localhost Issues in /etc/hosts

If an /etc/hosts entry aliases a loopback address to the hostname of the system, it must be changed to a hostname or IP address entry. That is, if your /etc/hosts file contains an entry similar to the first example below, change it to the correct form shown in the second example.

The following example has problems when any utility tries to resolve to the ndsd server:

127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system

If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
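As an added check for the /etc/hosts problem described above (this script is not part of the release notes or of eDirectory), the function below scans a hosts file for loopback lines that list the system hostname and reports them. The file path and hostname are arguments; the sample hosts content at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the NetIQ release notes: flags /etc/hosts lines that
# alias a loopback address to the system hostname, the entry that makes
# utilities resolve the ndsd server to 127.0.0.1.
# Usage: check_hosts_file FILE [HOSTNAME]   (HOSTNAME defaults to `hostname`)
# Returns 0 when no offending line exists, 1 otherwise.
check_hosts_file() {
    file="$1"
    host="${2:-$(hostname)}"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}               # drop trailing comments
        set -- $entry                   # split into address and names
        [ $# -lt 2 ] && continue        # blank line, or address with no names
        addr=$1
        shift
        case "$addr" in
            127.*|::1) ;;               # only loopback addresses are of interest
            *) continue ;;
        esac
        for name in "$@"; do
            if [ "$name" = "$host" ]; then
                echo "loopback alias for $host: $line"
                found=1
            fi
        done
    done < "$file"
    return $found
}

# Demo on a constructed hosts file containing the problematic entry from the text.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not a real /etc/hosts
127.0.0.1 test-system localhost.localdomain localhost
EOF
if check_hosts_file "$demo" test-system; then
    echo "no loopback alias for test-system"
else
    echo "move test-system to its own line with the host IP address, e.g. 10.77.11.10 test-system"
fi
rm -f "$demo"
```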

8.5 LDAP, TCP, and TLS Ports Issue with Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

LDAP TCP Port is not listening
LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

netstat -na

8.6 Preventing POODLE Attack by Disabling SSLv3

If your eDirectory uses LDAPS protocol with SSLv3 for a secure communication, be aware that SSLv3 is vulnerable to POODLE attack as per CVE-2014-3566.

To disable SSLv3 in the LDAPS protocol, perform the following steps:

  1. Download and install the latest iManager plug-in for eDirectory from the NetIQ Downloads Web site.

  2. Launch iManager and click Roles and Tasks.

  3. Click LDAP>LDAP Options>View LDAP Server, select LDAP Server.

  4. Click the Connections tab.

  5. Enable the Disable SSLv3 and click Apply.

    NOTE: In a non-English environment you cannot access the Disable SSLv3 option. To access this option, change the preferred display language to English.

  6. Unload and load the LDAP Services for eDirectory.

    For more information, see Loading and Unloading LDAP Services for eDirectory.

For other protocols that eDirectory uses, SSLv3 is disabled by default.

8.7 ldapInterfaces Behaves Differently in SLES10 SP4

In SLES10 SP4, when you set the LDAP interface address, list the assigned IP addresses first, followed by any unassigned addresses. Otherwise, ldapInterfaces does not behave as expected.

The following is an example of how you must set the LDAP interface address in SLES10 SP4:

ldapInterfaces:
ldap://<IPv4 address>:389,ldaps://<IPv4 address>:636,ldap://<IPv6 address>:389,ldaps://<IPv6 address>:636,ldap://:389,ldaps://:636

8.8 Uninstallation Issues

Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall cannot remove eDirectory.

To resolve this, install eDirectory again in the same location and then uninstall it.

The nds-uninstall -s Option Fails to Retain Configuration and DIB Files

You must not use the -s option to retain the nds.conf and the DIB. Ensure that you back them up before performing the nds-uninstall operation.

8.9 IPv6 Issues

Symantec Network Threat Protection Conflicts with IPv6

Symantec Network Threat Protection conflicts with IPv6 addresses. If you want to use IPv6 addresses in iManager 2.7.7, and your computer is running Network Threat Protection, you must disable Network Threat Protection.

8.10 Kerberos iManager Plug-In Issues

For managing Kerberos Principals, use Kerberos Administration programs from MIT. For managing a Kerberos realm, use the Kerberos iManager plug-ins.

8.11 eDirectory Does Not Automatically Start After a System Reboot on SLES 12

To work around this issue, manually start the eDirectory service every time the system reboots.

8.12 eDirectory Does Not Automatically Start After a System Reboot on RHEL 7.1

This issue is observed only on RHEL 7.1 platform.

To work around this issue, manually start the eDirectory service every time the system reboots.

8.13 Issues while Configuring Predicate Statistics

NetIQ recommends that you do not try to configure the predicate statistics in this version of the product. There is no workaround at this time.

9.0 Additional Documentation

9.1 iManager

For iManager information, refer to the iManager online documentation.

9.2 NMAS

For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

9.3 Password Management

For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

9.4 Certificate Server

For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

9.5 Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.

9.6 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.