NetIQ eDirectory 8.8 SP8 Patch 5 includes new features and resolves several previous issues. The installation program provides the ability to upgrade from eDirectory 8.8 SP8 onwards or perform a new installation.
For a full list of all issues resolved in NetIQ eDirectory 8.8, including all patches and service packs, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x.”
For information about what’s new in previous releases, see the “Previous Releases” section in the NetIQ eDirectory online documentation Web site.
For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 5.0, Additional Documentation.
This section lists the following new functionalities and features for this release:
iMonitor supports the following browsers:
Internet Explorer 11
Mozilla Firefox 34.0.5
NOTE: Check the currently installed NetIQ and third-party applications to determine if eDirectory 8.8 SP8 is supported before upgrading your existing eDirectory environment. NetIQ Corporation recommends that you back up eDirectory before performing any upgrades.
You can install eDirectory on any of the platforms listed below.
SLES 12 (64-bit)
SLES 11 SP1, SP2, and SP3 (64-bit)
SLES 10 SP4 (64-bit)
RHEL 5.10, 5.9, 5.8, and 5.7 (64-bit)
RHEL 6.6, 6.5, 6.4, 6.3, and 6.2 (64-bit)
RHEL 7 (64-bit)
For a detailed list of prerequisites for installing eDirectory on a Linux server, see the NetIQ eDirectory 8.8 SP8 Installation Guide.
You can run the above operating systems in a virtual mode on the following hypervisors:
Windows Server 2008 R2 Virtualization with Hyper-V
NOTE: You can upgrade from eDirectory 8.8 SP8 onwards to eDirectory 8.8 SP8 Patch 5.
On SLES, if you add an eDirectory 8.8 SP8 server from a SLES host to an existing tree running on a different host, the process might fail if the firewall is enabled.
Enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition.
On an RHEL system, if you add a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open port 524 in the firewall.
Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Downloads Web site.
Install the NPM as directed in the NetIQ iManager 2.7.7 Administration Guide.
On Linux, eDirectory does not listen on all interfaces on the computer, only on the specific IP address specified in nds.conf. Adding a new network interface address to the computer should not have any impact on referrals: until the corresponding protocol interface entry in nds.conf is modified to specify the new address, no listener is started for it.
The following sections provide information on known issues at the time of the product release.
If you install NetIQ Identity Manager 4.0.2 on a computer running eDirectory 8.8 SP8, the setup program displays the following error:
Valid version of NMAS not found
The error message states NMAS 8.8.8 is not a valid version and asks if you want to proceed with the installation process. Ignore the error, and click Yes. The installation process completes successfully.
ndsd dumps the core when it attempts to load the xdasconfig.properties file in which the layout definition for Syslog is not defined correctly.
This is because of an issue with the SNMP modules that Red Hat provides.
To overcome this issue, install the latest RHEL patch from the Red Hat update service. For more information about this workaround, see TID 7011659.
The non-root eDirectory 8.8.8 Patch 4 comes with an empty <eDirectory install path>/sbin/pre_ndsd_start script that does not allow you to set the paths for Identity Manager. Because the paths are not set, Identity Manager is not able to start.
To work around this issue, set the correct path of the eDirectory installation as mentioned in TID 7016136.
This issue occurs because of the mismatch in the Java versions supported by the latest eDirectory patch and Identity Manager. Earlier versions of Identity Manager supported Java 1.6 while eDirectory 8.8.8 Patch 4 shipped with Java 1.7.
RHEL 7 provides NET-SNMP version 5.7.2 and installs the following versions of SSL libraries:
When NET-SNMP is loaded with a newer version, the openssl-1.0.1e-34.el7.x86_64 library causes symbols to be missing and dumps the core.
To work around this issue, perform the following actions:
Load the "LD_PRELOAD" libssl.so.0.9.8* library before loading ndssnmpsa by using the /etc/init.d/ndssnmpsa script.
Modify the line that loads ndssnmpsa to look like the following:
Currently, there is no fix for this issue.
If Universal Password is being used, then it must be synced to the ndspassword in order for all eDirectory command line tools to authenticate.
By default, eDirectory disables logging for a failed login event. To enable this, configure the Nsure Audit settings for eDirectory to log the Add Value events in the NCP server object. You also need to enable the intruder detection on containers where auditing of these events is required. For more information, see TID 10092488.
RHEL 7 does not allow starting services for a non-root user. So eDirectory does not support a non-root user on this platform.
To get the SLPD working, either build your own version of SLPD after downloading it from the OpenSLP web site on your platform or contact NTS for further assistance.
After upgrading eDirectory, the new configuration files have a .new extension. If there are any changes to these files, you can merge them in the new files.
After upgrading eDirectory to 64-bit, ensure you update the NMAS Simple Password method for simple password binds to work.
If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM is not automatically upgraded. Therefore, you must manually upgrade the eDirectory instrumentation RPM.
NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.
For more information on upgrading the instrumentation, refer to the NetIQ eDirectory 8.8 SP8 Installation Guide.
After you upgrade to eDirectory 8.8 SP8 in an environment where ConsoleOne is installed, ConsoleOne displays an error. ConsoleOne requires a 32-bit package included in eDirectory 8.7.3 but removed in eDirectory 8.8 SP8. This issue only occurs on 64-bit installations of eDirectory.
To work around this issue, after upgrading eDirectory, reinstall ConsoleOne. The ConsoleOne installer installs the eDirectory 8.7.3 package and starts properly.
While upgrading from eDirectory 8.8 SP6 and lower versions to eDirectory 8.8 SP8, you are prompted for the password several times. It is safe to ignore the prompts.
eDirectory 8.8 SP8 Patch 1 fails to upgrade on an Identity Manager remote loader machine.
To work around this issue:
Go to the \Linux64 folder of the patch directory.
Upgrade the following 8.8.7 RPMs by using the -Uvh option:
Apply eDirectory 8.8 SP8 Patch 1.
After upgrading to the latest patch, the eDirectory-related environment variables in the env file located in the /etc/opt/novell/eDirectory/conf directory need to be re-entered.
NOTE: To avoid this issue, back up the environment file before upgrading to Patch 5.
While you configure the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.
If you have a loopback address aliased to the hostname of the system in an /etc/hosts entry, it must be changed to the hostname or IP address. That is, if you have an entry similar to the first example below in your /etc/hosts file, it needs to be changed to the correct entry given in the second example below.
The following example has problems when any utility tries to resolve to the ndsd server:
127.0.0.1 test-system localhost.localdomain localhost
The following is a correct example entry in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
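The check described above, as an added example that is not part of the original release notes: a shell function that scans a hosts file and reports lines where a loopback address is aliased to the system's host name. The function name find_loopback_aliases and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not NetIQ code): report hosts-file lines that map a
# loopback address (127.0.0.0/8 or ::1) to the system's own host name.

# find_loopback_aliases HOSTS_FILE [HOSTNAME]
# Prints "line: address name" for each offending alias.
# Returns 1 if at least one is found, 0 otherwise.
find_loopback_aliases() {
    hosts_file=$1
    host=${2:-$(hostname)}
    short=${host%%.*}                 # short name if HOSTNAME is an FQDN
    awk -v host="$host" -v short="$short" '
        BEGIN { host = tolower(host); short = tolower(short) }
        {
            sub(/#.*/, "")            # drop comments; fields are re-split
            if (NF < 2) next
            addr = $1
            if (addr !~ /^127\./ && addr != "::1") next
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # the standard localhost names are expected here
                if (name == "localhost" || name ~ /^localhost\./) continue
                if (name == host || name == short) {
                    printf "%d: %s %s\n", NR, addr, $i
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$hosts_file"
}

# Demo on a constructed hosts file (sample data, not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
127.0.0.1 test-system localhost.localdomain localhost
192.0.2.10 other-host
EOF
if ! find_loopback_aliases "$sample" test-system; then
    echo "Host name is aliased to loopback; bind it to its real IP address."
fi
rm -f "$sample"
```

On a live server, run `find_loopback_aliases /etc/hosts` with no second argument to test against the name returned by `hostname`.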
When the DIB is large, the DS takes time to come up and wrongly displays the following errors:
LDAP TCP Port is not listening
LDAP TLS Port is not listening
In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:
If your eDirectory uses the LDAPS protocol with SSLv3 for secure communication, be aware that SSLv3 is vulnerable to the POODLE attack as per CVE-2014-3566.
To disable SSLv3 in the LDAPS protocol, perform the following steps:
Download and install the latest iManager plug-in for eDirectory from the NetIQ Downloads Web site.
Launch iManager and click.
Click LDAP>LDAP Options>View LDAP Server, select LDAP Server.
Enable theand click .
NOTE: In a non-English environment, you cannot access the Disable SSLv3 option. To access this option, change the preferred display language to English.
Unload and load the LDAP Services for eDirectory.
For more information, see Loading and Unloading LDAP Services for eDirectory.
For other protocols that eDirectory uses, SSLv3 is disabled by default.
In SLES10-SP4, while setting the LDAP interface address, you must set the assigned IP address at the beginning, followed by the unassigned address, if any. Otherwise, ldapInterfaces does not behave as expected.
The following is an example of how you must set the LDAP interface address in SLES10 SP4:
ldapInterfaces: ldap://<IPv4 address>:389,ldaps://<IPv4 address>:636,ldap://<IPv6 address>:389,ldaps://<IPv6 address>:636,ldap://:389,ldaps://:636
If eDirectory installation fails, nds-uninstall cannot remove eDirectory.
To resolve this, install eDirectory again in the same location and then uninstall it.
You must not use the -s option to retain the nds.conf and the DIB. Ensure that you back them up before performing the nds-uninstall operation.
Symantec Network Threat Protection conflicts with IPv6 addresses. If you want to use IPv6 addresses in iManager 2.7.7, and your computer is running Network Threat Protection, you must disable Network Threat Protection.
For managing Kerberos Principals, use Kerberos Administration programs from MIT. For managing a Kerberos realm, use the Kerberos iManager plug-ins.
To work around this issue, after reboot, manually restart the eDirectory server.
For iManager information, refer to the iManager online documentation.
For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.
For NICI information, refer to the NICI online documentation.
For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.
NetIQ Corporation, and its affiliates, have intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material (“Module”) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2015 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.