NetIQ eDirectory 8.8 SP8 for Linux

January 2014

1.0 Documentation

NetIQ eDirectory 8.8 SP8 includes new features and resolves several previous issues. You can upgrade to eDirectory 8.8 SP8 from eDirectory 8.8 SP7 or before, or perform a new installation. eDirectory 8.8 SP8 includes all fixes and features addressed in each of the eDirectory 8.8 SP7 Field Patches.

For a full list of all issues resolved in NetIQ eDirectory 8.8, including all patches and service packs, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x.”

For information about what’s new in previous releases, see the “Previous Releases” section in the NetIQ eDirectory online documentation Web site.

To download this product, see the NetIQ Downloads Web site. For more information on eDirectory, see the eDirectory documentation Web site.

For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 4.0, Additional Documentation.

2.0 Installation

2.1 Prerequisites

NOTE: Check the currently installed NetIQ and third-party applications to determine if eDirectory 8.8 SP8 is supported before upgrading your existing eDirectory environment. It is also highly recommended that you back up eDirectory prior to any upgrades.

Linux

You can use any one of the platforms listed below.

For an eDirectory installation:

  • SLES 11 SP1, SP2, and SP3 64-bit

  • SLES 10 SP4 64-bit

  • RHEL 5.10, 5.9, 5.8, and 5.7

  • RHEL 6.5, 6.4, 6.3, and 6.2

For a detailed list of prerequisites for installing eDirectory on a Linux server, see the NetIQ eDirectory 8.8 SP8 Installation Guide.

You can run the above operating systems in a virtual mode on the following hypervisors:

  • Xen

  • VMware ESXi

  • Windows Server 2008 R2 Virtualization with Hyper-V

NOTE: Upgrading from eDirectory 8.7.3 to eDirectory 8.8 SP8 is not certified.

Using eDirectory 8.8 SP8 with a Firewall Enabled

On SLES, if you add an eDirectory 8.8 SP8 server from a SLES host to an existing tree running on a different host, the process might fail if the firewall is enabled.

Enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition.

On an RHEL system, if you add a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open port 524 in the firewall.

2.2 iManager Plug-In Installation

Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Downloads Web site.

Install the NPM as directed in the NetIQ iManager 2.7.7 Administration Guide.

3.0 Known Issues

The following sections provide information on known issues at the time of the product release.

3.1 Installation and Configuration Issues

Valid Version of NMAS Not Found

If you install NetIQ Identity Manager 4.0.2 on a computer running eDirectory 8.8 SP8, the setup program displays the following error:

Valid version of NMAS not found

The error message states NMAS 8.8.8 is not a valid version and asks if you want to proceed with the installation process. Ignore the error, and click Yes. The installation process completes successfully.

eDirectory Dumps the Core on Loading xdasauditds When the Syslog Appender Is Disabled

Install and configure eDirectory, then configure the xdasproperties file. Ensure that the syslog appender is enabled as follows:

log4j.appender.S=org.apache.log4j.net.SyslogAppender

Disable the layout definition for appender Syslog S as follows:

# Layout definition for appender Syslog S.
log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

When you attempt to load xdasauditds, eDirectory starts dumping the core and the program is terminated with signal 11.

This issue arises because log4cxx does not check for the existence of layout in the xdasproperties file before setting it up. It assumes that Layout definition for appender Syslog S is automatically enabled if the syslog appender is enabled in the xdasproperties file.
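A pre-load check for the configuration described above, as an added example that is not part of the original release notes or of eDirectory. The function name is hypothetical, the sample file is constructed, and the check assumes that an enabled SyslogAppender needs both its layout and its layout.ConversionPattern lines active.

```shell
#!/bin/sh
# Added example: flag enabled SyslogAppenders whose layout settings are inactive.
# Returns 0 when every enabled SyslogAppender has both settings, 1 otherwise.
check_xdas_syslog_layout() {   # $1 = path to the properties file
    awk '
        /^[ \t]*[#!]/ { next }                      # commented-out line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0 || line !~ /^log4j\.appender\./) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # split the text after "log4j.appender." into name[.layout[.option]]
            n = split(substr(key, length("log4j.appender.") + 1), part, /\./)
            if (n == 1 && val ~ /SyslogAppender$/) syslog[part[1]] = 1
            else if (n == 2 && part[2] == "layout") layout[part[1]] = 1
            else if (n == 3 && part[2] == "layout" && part[3] == "ConversionPattern")
                pattern[part[1]] = 1
        }
        END {
            bad = 0
            for (name in syslog) {
                if (!(name in layout))  { print name ": layout is not set"; bad = 1 }
                if (!(name in pattern)) { print name ": layout.ConversionPattern is not set"; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample reproducing the settings shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Layout definition for appender Syslog S.
log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
EOF
check_xdas_syslog_layout "$sample" || echo "fix the layout before loading xdasauditds"
rm -f "$sample"
```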

3.2 Upgrade Issues

Duplicate Files Are Created after Upgrading from eDirectory 8.8 SP2 to eDirectory 8.8 SP8

After upgrading eDirectory, the new configuration files have a .new extension. If there are any changes to these files, you can merge them into the new files.

Upgrading Simple Password Bind from an Older Version to a 64-Bit eDirectory 8.8 SP8 Version

After upgrading eDirectory to 64-bit, ensure you update the NMAS Simple Password method for simple password binds to work.

Instrumentation RPM Upgrade Issues While Upgrading eDirectory

If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM is not automatically upgraded. Therefore, you must manually upgrade the eDirectory instrumentation RPM.

NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.

For more information on upgrading the instrumentation, refer to the NetIQ eDirectory 8.8 SP8 Installation Guide.

Issue with ConsoleOne after Upgrading to eDirectory 8.8 SP8

After you upgrade to eDirectory 8.8 SP8 in an environment where ConsoleOne is installed, ConsoleOne displays an error. ConsoleOne requires a 32-bit package included in eDirectory 8.7.3 but removed in eDirectory 8.8 SP8. This issue only occurs on 64-bit installations of eDirectory.

To work around this issue, after upgrading eDirectory, reinstall ConsoleOne. The ConsoleOne installer installs the eDirectory 8.7.3 package and starts properly.

Prompting for Password Multiple Times While Upgrading to eDirectory 8.8 SP8

While upgrading from eDirectory 8.8 SP6 and lower versions to eDirectory 8.8 SP8, you are prompted for the password several times. It is safe to ignore the prompts.

3.3 Default Instance Path for Multiple Instances

While you configure the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.

3.4 Localhost Issues in /etc/hosts

If an entry in /etc/hosts aliases the hostname of the system to a loopback address, you must change the entry so that the hostname maps to the system's IP address. That is, if you have an entry similar to the first example below in your /etc/hosts file, change it to the correct entry given in the second example below.

The following example has problems when any utility tries to resolve to the ndsd server:

127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system

If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
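A check for the /etc/hosts problem described in this section, as an added example that is not part of the original release notes. The function name is hypothetical and the sample file is constructed; reporting a hostname that has no non-loopback entry at all is an assumption of this example, since the hostname could also be resolved through DNS.

```shell
#!/bin/sh
# Added example: report /etc/hosts entries that alias the hostname to loopback.
# Returns 0 when the hostname appears only on a non-loopback entry, 1 otherwise.
check_hosts_for_ndsd() {   # $1 = hosts file, $2 = system hostname
    awk -v host="$2" '
        BEGIN { host = tolower(host); short = host; sub(/\..*/, "", short) }
        { sub(/#.*/, "") }                          # strip comments
        NF < 2 { next }
        {
            loopback = ($1 ~ /^127\./ || $1 == "::1")
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name != host && name != short) continue
                if (loopback) {
                    print "line " NR ": " name " is aliased to loopback address " $1
                    bad = 1
                } else
                    routable = 1
            }
        }
        END {
            # Assumption of this example: the hostname should have its own entry.
            if (!routable) { print host " has no non-loopback entry"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the problem entry quoted above.
hosts=$(mktemp)
echo "127.0.0.1 test-system localhost.localdomain localhost" > "$hosts"
check_hosts_for_ndsd "$hosts" test-system || echo "edit /etc/hosts before starting ndsd"
rm -f "$hosts"
```

On a live system, call it as check_hosts_for_ndsd /etc/hosts "$(hostname)".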

3.5 LDAP, TCP, and TLS Ports Issue with Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

LDAP TCP Port is not listening
LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

netstat -na
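A stricter form of the grep described above, as an added example that is not part of the original release notes. It matches only TCP sockets in the LISTEN state whose local address ends in the port, so a port such as 3890 or an established client connection to a remote port 636 is not mistaken for the listener. The function names are hypothetical, the netstat output is constructed, and 389 and 636 are assumed to be the configured LDAP ports.

```shell
#!/bin/sh
# Added example: decide from `netstat -na` output whether a TCP port is listening.
port_is_listening() {   # $1 = port number; netstat -na output on stdin
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, ":")                # local address is column 4
            if (part[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

ldap_status() {   # $1 = file holding netstat -na output; one line per port
    for port in 389 636; do                         # assumed LDAP TCP/TLS ports
        if port_is_listening "$port" < "$1"; then
            echo "$port listening"
        else
            echo "$port not listening yet"
        fi
    done
}

# Constructed sample: TLS port not up yet, plus two lines a plain grep would hit.
snapshot=$(mktemp)
cat > "$snapshot" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:524             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 10.77.11.10:3890        0.0.0.0:*               LISTEN
tcp        0      0 10.77.11.10:51022       10.77.11.20:636         ESTABLISHED
EOF
ldap_status "$snapshot"
rm -f "$snapshot"
```

On a live server, save the output with netstat -na > file and pass that file to ldap_status.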

3.6 ldapInterfaces Behaves Differently in SLES10 SP4

In SLES10 SP4, when you set the LDAP interface address, you must list the assigned IP address first, followed by the unassigned address, if any. Otherwise, ldapInterfaces does not behave as expected.

The following is an example of how you must set the LDAP interface address in SLES10 SP4:

ldapInterfaces:
ldap://<IPv4 address>:389,ldaps://<IPv4 address>:636,ldap://<IPv6 address>:389,ldaps://<IPv6 address>:636,ldap://:389,ldaps://:636

3.7 Uninstallation Issues

Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall cannot remove eDirectory.

To resolve this, install eDirectory again in the same location and then uninstall it.

The nds-uninstall -s Option Fails to Retain Configuration and DIB Files

You must not use the -s option to retain the nds.conf and the DIB. Ensure that you back them up before performing the nds-uninstall operation.

3.8 IPv6 Issues

Symantec Network Threat Protection Conflicts with IPv6

Symantec Network Threat Protection conflicts with IPv6 addresses. If you want to use IPv6 addresses in iManager 2.7.7, and your computer is running Network Threat Protection, you must disable Network Threat Protection.

Firefox Does Not Support IPv6

The Firefox browser does not support IPv6 addresses. If you want to use IPv6 addresses in iManager 2.7.7, you cannot use the Firefox browser.

4.0 Additional Documentation

4.1 iManager

For iManager information, refer to the iManager online documentation.

4.2 NMAS

For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

4.3 Password Management

For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

4.4 Certificate Server

For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

4.5 Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.

4.6 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.