eDirectory 8.8.8 Patch 8 supersedes eDirectory 8.8.8 Patch 7.
For a full list of all issues resolved in eDirectory 8.8, including all patches, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x”.
For the list of software fixes and enhancements in the previous releases, see eDirectory 8.8.8 Patch 7 Release Notes.
For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 7.0, Additional Documentation.
This release includes the following platform updates, enhancements and fixed issues:
This release introduces the following enhancements:
This release introduces support for trust association of a user or an identity with a group, or the trust association of two users in a domain-specific context for establishing a trust relationship. These events also relate to the association of identities within disparate authentication domains for federation purposes. There are two types of Trust Management events:
Associate Trust: This event is triggered when a new trust association is created.
De-Associate Trust: This event is triggered when an existing trust association is destroyed.
In addition to the platforms introduced in previous releases of eDirectory 8.8.8.x, this release adds support for the following operating systems:
SLES 12 SP1 (SUSE Linux Enterprise Server)
RHEL 6.8 (Red Hat Enterprise Linux)
In this release, the Java version has been updated to 1.8.0_92.
No manual steps are required to update your current version of Java on either Linux or Windows platforms. After you apply the patch, the Java version will be 1.8.0_92.
eDirectory 8.8 SP8 Patch 8 includes the following software fixes that resolve several previous issues:
This patch updates eDirectory to resolve the following Java vulnerabilities:
Issue: eDirectory displays an error message while restoring a recently backed up object. This occurs due to a DClient version mismatch between the backup and the restore.
Fix: This issue is fixed. Now eDirectory handles the DClient version correctly between the backup and the restore. (Bug 964463)
Issue: It is observed that eDirectory uses the CPU heavily while searching for dynamic groups and members when required attributes (groupmember and memberQuery) are not indexed, which delays the search results for these objects.
Fix: This patch resolves this issue by disabling optimization by default and by providing the option to export the NDSD_USE_MEMBER_OPTIMIZATION environment variable with the value true. (Bug 965226)
Issue: The advanced option of the ndsrepair utility does not handle the INTEGER64 flag while importing a schema from a remote tree.
Fix: This patch updates eDirectory to check for the INTEGER64 flag and retain the syntax (octet string) of the imported attribute. (Bug 938888)
Issue: When you search for a dynamic group, the search result does not return all the members of the dynamic group when the group members are distributed across multiple servers. This occurs because eDirectory does not store the referrals before returning the results to the LDAP server.
Fix: This patch updates eDirectory to store and follow the referrals properly and correctly return all the members of a dynamic group when they are searched. (Bug 944373)
Issue: eDirectory crashes due to buffer overflow when the DN contains the UID attribute.
Fix: This patch updates eDirectory to avoid the buffer overflow. (Bug 954030)
Issue: eDirectory crashes while converting the values of the LDAP attributes to the NDS attribute format due to buffer overflow.
Fix: This patch updates eDirectory to handle the memory allocation more effectively to prevent crashing. (Bug 965036)
Issue: eDirectory crashes while using the LDAP Password Modify Extended Operation due to buffer overflow.
Fix: This patch updates eDirectory to avoid the buffer overflow. (Bug 967433)
Issue: The LDAP servers become unresponsive under a heavy load of write requests when eDirectory runs out of file descriptors. This occurs because the file descriptors are not closed after being removed from the file descriptor pool.
Fix: This patch updates eDirectory to close the file descriptors after they are removed from the pool. This improves the performance of the LDAP servers. (Bug 961773)
Issue: Upgrading eDirectory to version 8.8 SP8 Patch 8 fails when the locale is set to Japanese. You will also not be prompted for authentication during upgrade.
Fix: This patch updates eDirectory to resolve this issue. (Bug 955508)
Issue: The index type for the ldapAttributeList attribute does not match on different servers for the same index with the same set of data.
Fix: This patch updates eDirectory to check for index type changes and update the changes in the index definition attribute. (Bug 932501)
Issue: The LDAP server plug-in does not refresh or prompt you to reload the nldap module when a cipher is changed.
Fix: This patch updates eDirectory to display a warning message that prompts you to reload the nldap module when a cipher is changed. (Bug 870756)
Issue: The httpKeyMaterialObject attribute value is changed to SSL CertificateDNS after upgrading eDirectory. This occurs when a third-party certificate is set as the attribute value instead of the SSL CertificateDNS.
Fix: This patch updates eDirectory to resolve this issue. (Bug 957819)
For a detailed list of prerequisites for installing eDirectory, see the NetIQ eDirectory 8.8 SP8 Installation Guide.
NOTE: This version of eDirectory supports Identity Manager 4.5 SP4. For more information, see NetIQ Identity Manager 4.5 Service Pack 4 Release Notes.
To upgrade to eDirectory 8.8.8 Patch 7, go to the NetIQ Downloads page and follow the link that allows you to download the software.
NOTE: eDirectory 8.8.8 Patch 8 contains an older version of the PA (Platform Agent) build, which does not resolve the issue causing the NDSD crash. Click here to download the latest PA build which resolves this issue.
The installation program provides the ability to upgrade from eDirectory 8.8 SP8 onwards or perform a new installation.
Ensure that you are currently on any one of the following eDirectory versions, before upgrading to eDirectory 8.8.8 Patch 8:
8.8.8 Patch 1
8.8.8 Patch 2
8.8.8 Patch 3
8.8.8 Patch 4
8.8.8 Patch 5
8.8.8 Patch 6
8.8.8 Patch 7
NOTE: If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP8 and later.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. If you need further assistance with any issue, please contact Technical Support.
For the list of the known issues in eDirectory 8.8 SP8 Patch 7, refer to the Known Issues section in the respective release notes.
Issue: If the eDirectory server does not have any cipher restriction defined, the LDAP server is configured to allow only high strength ciphers after upgrading eDirectory to 8.8 SP8 Patch 8. However, after the upgrade, the LDAP server does not enforce the high strength cipher restriction.
Workaround: Restart the eDirectory server or reload the nldap module to enforce the high strength cipher restriction.
Issue: Most of the recent browsers support high strength ciphers but iMonitor still allows only medium strength ciphers by default.
Workaround: Configure the HTTP service to allow high strength ciphers by default for a more secure iMonitor experience.
Issue: The nds-cluster-config utility moves the eDirectory configuration files to a shared location instead of the default directory (/etc/opt/novell/eDirectory/conf), resulting in an unstable eDirectory cluster configuration.
Workaround: Manually copy the configuration files to the default directory and to all other directories where the configuration files are required to run the eDirectory cluster configuration successfully. To move the configuration files, perform the following steps:
Manually delete the /etc/opt/novell/eDirectory/conf directory.
Create the /etc/opt/novell/eDirectory/conf directory and copy the nds.conf file from the shared location to the /etc/opt/novell/eDirectory/conf/ directory.
Change the value of parameter n4u.server.configdir to /etc/opt/novell/eDirectory/conf in the /etc/opt/novell/eDirectory/conf/nds.conf file.
Replace the content of /etc/opt/novell/eDirectory/conf/.eDir/instance.0 with the eDirectory configuration file path, that is, /etc/opt/novell/eDirectory/conf/nds.conf.
(Conditional) On SLES 12 and later, perform the following steps:
Navigate to /usr/lib/systemd/system and search for the ndsdtmpl-database-conf-nds.conf file in the directory.
Move the service from ndsdtmpl-database-conf-nds.conf to ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf.
In this command, database is the name of your shared folder.
Start eDirectory by using ndsmanage.
NOTE: You must follow the above steps to move the configuration files to the default path after executing the nds-cluster-config command on the second node as well.
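The first four steps of this workaround can be scripted and checked on each node, as in the following added example (not NetIQ code). The function names and the optional ROOT staging prefix are hypothetical, creating the .eDir directory when it is absent is an assumption, and the SLES 12 service rename and the ndsmanage start are left as manual steps.

```shell
#!/bin/sh
# Added example, not NetIQ code. CONF_DIR and the nds.conf key come from the
# page; the function names and the optional ROOT staging prefix are hypothetical.
CONF_DIR=/etc/opt/novell/eDirectory/conf

# relocate_nds_conf SHARED_NDS_CONF [ROOT]
# Steps 1-4 of the workaround. ROOT (empty on a live node) lets you rehearse
# the change against a scratch tree first.
relocate_nds_conf() {
    shared_conf=$1
    target=${2:-}$CONF_DIR

    # Validate the source before deleting anything.
    [ -f "$shared_conf" ] || { echo "missing: $shared_conf" >&2; return 1; }
    grep -q '^n4u\.server\.configdir=' "$shared_conf" ||
        { echo "n4u.server.configdir not set in $shared_conf" >&2; return 1; }

    # Step 1: delete the default directory (a symlink is removed, not followed).
    rm -rf "$target" || return 1
    # Step 2: recreate it and copy nds.conf; cp -p keeps the file mode.
    # Creating .eDir here is an assumption; the page only says to replace
    # the content of instance.0.
    mkdir -p "$target/.eDir" || return 1
    cp -p "$shared_conf" "$target/nds.conf" || return 1
    # Step 3: point n4u.server.configdir at the default directory.
    sed "s|^n4u\.server\.configdir=.*|n4u.server.configdir=$CONF_DIR|" \
        "$shared_conf" > "$target/nds.conf" || return 1
    # Step 4: instance.0 holds only the path of the instance's nds.conf.
    printf '%s\n' "$CONF_DIR/nds.conf" > "$target/.eDir/instance.0"
}

# check_nds_conf [ROOT]
# Returns 0 only if exactly one configdir line exists, it names CONF_DIR,
# and instance.0 points at CONF_DIR/nds.conf. Run it on each node.
check_nds_conf() {
    target=${1:-}$CONF_DIR
    [ "$(grep -c '^n4u\.server\.configdir=' "$target/nds.conf")" = 1 ] &&
    grep -qxF "n4u.server.configdir=$CONF_DIR" "$target/nds.conf" &&
    [ "$(cat "$target/.eDir/instance.0")" = "$CONF_DIR/nds.conf" ]
}
```

Run relocate_nds_conf with a scratch ROOT first and confirm check_nds_conf succeeds against it before repeating the call without ROOT on the node.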
Issue: eDirectory crashes after upgrading to the latest version using the 2836 SAML NMAS methods. This occurs due to the unloading of the older method by the NMAS server to load the new method.
Workaround: A new configuration option is provided with the new SAML NMAS method (2837), which allows the latest version of the nmasinst utility to load the new method only after restarting the eDirectory server.
Issue: The Modify Account, Modify Role and Create Role events are not fully functional in this release. If these three events are enabled, Modify Data Item Attribute event is not thrown for XDAS auditing.
Workaround: You must disable the Modify Account, Modify Role and Create Role events to audit the generic Add Value and Delete Value events. You can also interpret the data from the Modify Data Item Attribute event for the Modify Account, Modify Role and Create Role events.
For iManager information, refer to the iManager online documentation.
For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For NICI information, refer to the NICI online documentation.
For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.