eDirectory 8.8.8 Patch 9

November 2016

eDirectory 8.8.8 Patch 9 supersedes eDirectory 8.8.8 Patch 8.

For the list of all issues resolved in eDirectory 8.8, including all patches, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x”.

For the list of software fixes and enhancements in the previous releases, see eDirectory 8.8.8 Patch 8 Release Notes.

To download this product, see the NetIQ Downloads. For more information about eDirectory, see the eDirectory documentation.

For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 6.0, Additional Documentation.

1.0 What’s New

eDirectory 8.8.8 Patch 9 includes the following platform updates, enhancements, and fixed issues:

1.1 Enhancements

This release introduces the following enhancements:

New eDirectory Events to Monitor Login and Authenticate Session Events

This release introduces the following two events to monitor login and authenticate session events:

  • DSE_LOGIN_EX

  • DSE_AUTHENTICATE

    NOTE:To monitor these two events, you need to enable both the XDAS and NMAS Auditing.

The DSE_LOGIN_EX event is mapped to the Create Session event in XDAS, which is used to monitor the login attempts to the eDirectory tree. For more information, see Configuring XDAS Events in the NetIQ eDirectory Administration Guide.

NOTE:eDirectory 8.8 SP8 Patch 9 onwards, DSE_LDAP_CONNECTION event is not available to monitor the Create Session event.

The DSE_AUTHENTICATE event is mapped to the Authenticate Session event in XDAS, which is used to monitor the background authentication in the eDirectory tree. For more information, see For more information, see Configuring XDAS Events in the NetIQ eDirectory Administration Guide.

NOTE:eDirectory 8.8 SP8 Patch 9 onwards, DSE_LDAP_BIND, DSE_LDAP_BINDRESPONSE and DSE_LOGIN events are not available to monitor the Authenticate Session event.

Creating and Managing Compound Indexes

In previous releases, eDirectory allowed you to create indexes only on one attribute based on a value, presence, or a substring index. This release introduces a new option to create and manage value indexes on multiple attributes. This feature helps to perform search operations on multiple attributes much faster. For more information, see Index Manager in the NetIQ eDirectory Administration Guide.

1.2 Upgrading the Java Version

In this release, the Java version has been updated to 1.8.0_112. The patch installer automatically upgrade the Java version. No manual steps are required for this.

1.3 Operating System Support

In addition to the platforms introduced in previous releases of eDirectory, this release adds support for the following operating system:

  • RHEL 7.3 (Red Hat Enterprise Linux)

1.4 Fixed Issues

This release includes the following software fixes that resolve several previous issues:

Resolved Clickjacking Web Application Vulnerablity CVE-2016-9168

This Service Pack updates eDirectory to resolve the Clickjacking web application vulnerability CVE-2016-9168. (Bug 981593)

eDirectory Throws Multiple Login Events to the SLM Server

Issue: Each login attempt to the eDirectory server triggers two events; one event from NMAS and another event from the DS.

Fix: The XDAS event mechanism has been updated to trigger only one event for the login either by NMAS or by DS. The Create Session event is mapped to DSE_LOGIN_EX which is used to monitor the login events now. (Bug 613609)

An LDAP Search Using Paged Results and Sort Controls Causes eDirectory Crash

Issue: eDirectory crashes when an LDAP search is performed using both the paged result control and the server-side sort.

Fix: The LDAP server has been enhanced to handle both the paged results control and the server-side sort control in the same search request. Capability to determine the order in which the two controls are performed has also been added.(Bug 834316)

PKI Certificates Do Not Comply With RFC 5280

Issue: Certificates created by the PKI CA contain serial numbers longer than 20 bytes, these do not comply with the RFC 5280.

Fix: PKI CA now generates certificates with serial numbers smaller than 20 bytes.(Bug 934091)

eDirectory Displays Error Message While Restoring a Backed Up Object

Issue: eDirectory displays the 0xFFFDFE0B error while backing up a restored object.

Fix: This issue is fixed.(Bug 964463)

eDirectory Crashes in FSGetDomain While Performing Heavy LDAP Operations

Issue: eDirectory crashes while performing heavy LDAP operations. This occurs while getting the next reference from a cursor if the block is not read properly while accessing it.

Fix: eDirectory has been upgraded to read the block properly and position the cursor to it before accessing.(Bug 965402)

eDirectory Crashes While Searching on an Object with Multiple Naming Attribute

Issue: eDirectory crashes while searching on an object with multiple naming attribute and the operational attribute name.

Fix: eDirectory has been upgraded to allocate sufficient buffer while reading the RDN from the object.(Bug 969168)

Intermittent Long Delays While Performing LDAP Searches

Issue: LDAP searches get delayed because of intermittent long delays.

Fix: eDirectory has been upgraded to handle the LDAP searches without causing any delay.(Bug 981856)

CIFS Users Cannot Access DFS Junctions Because of Socket Leak in eDirectory

Issue: Socket leaks in eDirectory is noticed when an interface name is used instead of an IP address.

Fix: This patch updates eDirectory not to leak sockets any more.(Bug 987581)

2.0 System Requirements

For information about prerequisites for installing eDirectory, see the NetIQ eDirectory 8.8 SP8 Installation Guide.

NOTE:This version of eDirectory supports Identity Manager 4.5 SP4. For more information, see NetIQ Identity Manager 4.5 Service Pack 4 Release Notes.

3.0 Installing or Upgrading

To upgrade to eDirectory 8.8.8 Patch 9, go to the NetIQ Downloads page and follow the link to download the software.

NOTE:eDirectory 888 Patch 9 contains an older version of Platform Agent build which is vulnerable to NDSD crash. Click here to download the latest PA build that resolves this issue.

4.0 Supported Upgrade Paths

The installation program provides the ability to upgrade from eDirectory 8.8 SP8 onwards or perform a new installation.

Ensure that you are currently on any one of the following eDirectory versions, before upgrading to eDirectory 8.8.8 Patch 9:

  • 8.8.8

  • 8.8.8 Patch 1

  • 8.8.8 Patch 2

  • 8.8.8 Patch 3

  • 8.8.8 Patch 4

  • 8.8.8 Patch 5

  • 8.8.8 Patch 6

  • 8.8.8 Patch 7

  • 8.8.8 Patch 8

For more information, see Installing or Upgrading eDirectory in the NetIQ eDirectory 8.8 SP8 Installation Guide.

NOTE:If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP8 and later.

5.0 Installing iManager Plug-Ins

  1. Download the iManager plug-in (eDir_88_iMan27_Plugins.npm) from the Downloads website.

  2. Install the NPM. For installation instructions, see the NetIQ iManager 2.7.7 Installation Guide.

6.0 Additional Documentation

6.1 iManager

For iManager information, refer to the iManager online documentation.

6.2 NMAS

For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

6.3 Password Management

For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

6.4 Certificate Server

For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

6.5 Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.

6.6 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.