Novell eDirectory 8.8 SP3 for NetWare

July 31, 2008

3.3.1 iManager

1.0 Installation

1.1 Prerequisites

NOTE:Check the currently installed Novell and third party applications to determine if eDirectory™ 8.8 SP3 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What products are supported with Novell eDirectory 8.8 SP3?. It is also highly recommended to backup eDirectory prior to any upgrades.

  • OES SP2 NetWare 6.5 SP7

    NOTE:Installing eDirectory 8.8 SP3 is not supported on NetWare 5.1, NetWare 6.0, NetWare 6.5 SP4, SP5, and SP6.

  • If you are using RCONSOLE, you need a ConsoleOne® 1.3.6e administrator workstation with the following:

    • A 200 MHz or faster processor

    • A minimum of 128 MB RAM

    • Novell Client™ for Windows NT*/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later

1.2 Distributing the Correct Versions of DSRepair to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.8 SP3 installation, see “Updating the eDirectory Schema for NetWare” in the Novell eDirectory 8.8 Installation Guide.

1.3 Upgrading from a Previous Version

1.3.1 Prerequisites

Before you upgrade to eDirectory 8.8 SP3, make sure you have the latest eDirectory patches installed on all servers in the tree. You can get eDirectory patches from the Novell Support Web site.

If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x and then upgrade to eDirectory 8.8 SP3.

1.3.2 Upgrading to Novell eDirectory 8.8 SP3 on a Double-Byte System

In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue was resolved in Novell eDirectory 8.7. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.8 SP3 when eDirectory reports corruption errors because of incorrect keys.

To resolve this issue, run dsrepair.nlm after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.

1.3.3 Upgrading from eDirectory 8.7.x to eDirectory 8.8 SP3

Upgrading from eDirectory 8.7.x to eDirectory 8.8 SP3 rebuilds the LDAP mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This is only an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgperson Class in your previous version of eDirectory.

To work around this problem, use iManager to remove the mapping from the Class Mappings page of the LDAP Group Object.

1.3.4 Upgrading to eDirectory 8.8 SP3 in a System Running Identity Manager

During the upgrade from eDirectory 8.7.x to eDirectory 8.8.3, the location of the Identity Manager files is changed, requiring a reinstall of the Identity Manager engine and drivers. Any third-party jar files are not automatically copied to the new location and must be manually placed prior to startingthe drivers affected. It is recommended that all drivers be set to manual prior to upgrading to eDirectory 8.8 SP3.

1.3.5 Xis11.nlm Does Not Upgrade When eDirectory is Upgraded from 8.7.3.x Versions to 8.8.3 Version

Xis11.nlm is not upgraded automatically with eDirectory upgrade.

For ICE and embox to work, manually copy Xis11.nlm from the NetWare package to sys:/system location, then reboot the system.

1.3.6 Disk Space Check While Upgrading to eDirectory 8.8.3

When an eDirectory server is upgraded from versions earlier than eDirectory 8.8.1 to eDirectory 8.8 SP1 or later, the disk space check for the DIB upgrade is performed. The free disk space necessary in the file system where the DIB resides is equal to that of the DIB size. The messages of the disk space check are updated in the ndscheck.log located in the instance’s specific log directory. For default instance, sys:\system\dscheck.log.

NOTE:The disk space check is required only during the DIB upgrade process. For more information, refer to Upgrade Requirements of eDirectory 8.8.

1.4 Reinstalling eDirectory

If you use NWCONFIG to uninstall eDirectory, follow these steps to reinstall eDirectory:

  1. Use the following command to remove the eDirectory entry from the products.dat file so you can reinstall eDirectory on the same server:

    uinstall edir

  2. Edit the sys:system\schema\schema.cfg file and remove the comment markers from the ndps*.sch files.

  3. From the NetWare console, run NWCONFIG.

  4. Select Product Options.

  5. Select Install a Product Not Listed.

  6. Specify the location containing the Novell eDirectory 8.8 SP3 installation package.

1.5 Video Cards and Driver Settings

The eDirectory, ConsoleOne, Novell iManager, and eGuide installs use Java* 1.4. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly. On NetWare, the video card must also be VESA-compliant.

1.6 Manually Extending the Schema Before Installation

1.6.1 Synchronizing Schema Extensions

In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.8 SP3 server is being installed, so some features are not completely installed.

This problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.8 SP3, using the eDirectory 8.8 SP3 schema files located in the \nw\sys\system\schema directory.

1.6.2 Using NWConfig to Extend the Schema

With eDirectory 8.7, enhancements were made to the DSI that added more flexibility in extending the schema. Many of the schema files located in the \nw\sys\system\schema directory take advantage of this new functionality. If an older version of dsi.nlm or dsisch.nlm (anything older than version 10411.14, dated September 26, 2002) is used by nwconfig.nlm to extend the new schema, the following error will occur:

Error: Parsing the NDS500.sch file while extending schema.

To avoid this error:

  1. Copy nw\sys\system\dsi.nlm and nw\sys\system\dsisch.nlm to the server that will do the schema extension.

    This should be a server that holds a copy of the root partition.

  2. Copy the desired schema files to a temporary directory on the NetWare server.

  3. Run nwconfig.nlm and use the Directory Services option to extend the schema.

    There are some dependencies among the schema files in the nw\sys\system\schema directory. Because of these dependencies, we recommend that the schema files be extended in the order that is listed in the nw\sys\system\schema\schema.cfg file.

1.7 NMAS Version After Upgrading to eDirectory 8.8 SP3

When you install eDirectory 8.8 SP3, it comes with NMAS™ 3.3.0. However, if you do a later install of NetWare products, and if an earlier NMAS version is selected, you should deselect it.

1.8 DIB Upgrade Issues

The following issue has been identified:

1.8.1 DIB Upgrade Operation While Upgrading to eDirectory 8.8 SP3

When eDirectory is upgraded to eDirectory 8.8 SP3, the server is stopped and a DIB upgrade operation is performed before the server is started and the normal upgrade is performed. The time taken for this upgrade depends on the number of objects in the tree.

For more details on the DIB upgrade, refer to the “Upgrade Requirements of eDirectory 8.8 SP3” in the eDirectory 8.8 Installation Guide.

1.9 Configuring IPX on a NetWare Server

Do not configure IPX™ while installing and configuring eDirectory 8.8 SP3 on NetWare servers. If you configure IPX, you might get some random issues.

1.10 Interoperability between eDirectory and Nsure Audit 1.0.x

eDirectory 8.8 SP3 does not function properly with Nsure™ Audit 1.0.x. For full functionality with eDirectory 8.8 SP3, upgrade to Novell Audit 2.0.

1.11 iManager Plug-ins Installation

  • Download the following iManager plug-ins from the Web.

    • eDir_88_iMan26_Plugins.npm

    • eDir_88_iMan27_Plugins.npm

  • Install the NPMs as directed in the iManager 2.6 and iManager 2.7.

    NOTE:These plug-ins are available at download.novell.com Web site.

2.0 Known Issues

2.1 Universal Password Issue

By default, LDAP and other server-side utilities use NDS® login first, and if this fails, they use the Simple Password login. For Universal Password to work, the login needs to use NMAS. Therefore, you need to set the environment variable NDSD_TRY_NMASLOGIN_FIRST to True before DS.NLM is loaded. We recommend that you edit c:\nwserver\startup.ncf and set the environmental variable there.

You can set the NDSD_TRY_NMASLOGIN_FIRST environmental variable in the c:\nwserver\startup.ncf file by using any of the following methods:

  • Set the environment variable by adding the following to the c:\nwserver\startup.ncf file, then restart the server:

    env NDSD_TRY_NMASLOGIN_FIRST=true

  • Set the environmental variable through command line and reload DS.NLM as follows:

    UNLOAD DS.NLM

    env NDSD_TRY_NMASLOGIN_FIRST=true

    LOAD DS.NLM

    We recommend that you use the first option, because you need to do it only once. With the second option, you need to export the environmental variable every time you reboot your server.

2.2 iManager Login to a Remote Tree Fails

After you upgrade to eDirectory 8.8 SP3 on NetWare, you cannot log in to a remote tree through iManager. To resolve this issue, you need to specify the NDSD_TRY_NMASLOGIN_FIRST environmental variable in the c:\nwserver\startup.ncf file.

For more information, refer to the Section 2.1, Universal Password Issue.

2.3 LDAP Issues

2.3.1 LDAP Transaction OIDs

In LDAP transaction support, supportedGroupingTypes OID and transactionGroupingType OIDs are the same ( 2.16.840.1.113719.1.27.103.7).

2.3.2 LDAP is Not RFC Compliant For Anonymous Search Requests

If a client performs an unauthenticated search operation when anonymous binds are disabled, the LDAP server responds with the bind result of inappropiate authentication instead of the search result, operationsError.

2.4 Encrypted Attributes and Encrypted Replication Issues

2.4.1 Encrypted Replication

Encryption on the wire is not supported on NetWare.

  • If you enable encrypted replication at the partition level or between replicas and there is a NetWare server in the replica ring, encrypted replication does not happen on that server.

  • The Always Require Secure option is disabled for NetWare.

2.4.2 Viewing or Modifying Encrypted Attributes Through iManager

If an attribute of an object is encrypted, you cannot view or modify the object by using iManager 2.5.

To work around this issue, you can view or modify the encrypted attribute over a secure channel, using any of the following methods:

  • LDAP: The LDAP request must be send over a secure channel, which means that the trusted root certificate of the server must be used.

  • ICE: LDIF scripts can be used to modify the object. If you do this, ICE must use a secure channel.

  • Use iManager 2.5 FP2, iManager 2.6, or later.

NOTE:We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.

Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the Encrypted Attributes policy. This makes the object and the encrypted attributes accessible by any client over clear text channel. After this, iManager can access the object.

2.5 iMonitor Issues

2.5.1 Browsing for Objects Containing Double-Byte Characters in iMonitor

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.

2.5.2 Agent Health Check on a Single-Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:

perishable_data-active: OFF

and

ring_readable-Min_Marginal: 1 or ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.5.3 iMonitor Report Does Not Save the Records for Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.

2.5.4 iMonitor Issues in the Older Versions of Mozilla

Using Mozilla* versions lower than 1.5 for iMonitor might have issues during DSTrace Flag selection. Mozilla might not support all the operations.

2.5.5 Run Report Screen Layout Not Aligned on iMonitor

The navigation and assistant frames appear twice.

To work around this problem, refresh the page.

2.6 iManager Issues

2.6.1 LDAP Operations Fail After Using Quick Create to Create a New LDAP Group

Quick Create creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all the LDAP operations fail because it is not possible to associate any LDAP server because of version incompatibility.

To work around this issue after using Quick Create to creating the LDAP group, change the LDAP Group object version number to nine.

2.7 SNMP Issues

The following issues have been identified:

2.7.1 Auto-Loading DSSNMPSA

On NetWare, DSSNMPSA is not loaded by default. If you configure it to auto-load, save the credentials by selecting the Remember Password option when it is manually loaded.

The INTERACTIVE option must be set to ON in the sys:\etc\dssnmp.cfg file in order for DSSNMPSA to read the remembered credentials.

2.8 eDirectory Service Manager Issues

2.8.1 Service Manager Dependencies

Some Service Manager modules, such as httpstk, have dependencies. On NetWare, these dependencies are not displayed in the information frame as they are on Windows.

2.8.2 Using Service Manager to Stop eDirectory

If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. At the NetWare server console, enter the following:

load DS

2.9 Backup and Restore Issues

2.9.1 Changes to Server-Specific Information

Backing up server-specific information has been implemented through the Backup eMTool. See “Changes to Server Specific Information Backup (Netware Only)” in the “Backing Up and Restoring Novell eDirectory” section in the Novell eDirectory 8.8 Administration Guide for more information.

If you are creating server-specific information backups by using filesystem TSA, be aware that the bigger backup file size might be too large for your sys: volume. A user-specified file location is implemented to allow the file to be placed in a larger, more convenient location.

2.9.2 Backup Issues Using Nbackup

nbackup doesn’t support backing up eDirectory on an earlier version of NetWare.

2.10 Netscape Schema Attributes

The attributes related to Netscape* have been removed from the default schema installed with LDAP in eDirectory 8.8 SP3. If you want to use those attributes, they are present in a tree that was installed prior to eDirectory 8.8, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema directory.

2.11 Emboxmgr.nlm Issue

emboxmgr.nlm leaks memory when you use the eMBox Client to perform many simultaneous backups or local repairs.

This issue will be fixed in an upcoming release of eDirectory.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP3 has the following documentation:

  • Novell eDirectory 8.8 What's New Guide

  • Novell eDirectory 8.8 Installation Guide

  • Novell eDirectory 8.8 Administration Guide

  • Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site.

3.2 Readme Information

The latest version of this readme is available at the Novell eDirectory 8.8 online documentation Web site.

3.3 Additional Documentation

3.3.1 iManager

3.3.2 NMAS 3.3.0

For NMAS information, refer to the NMAS online documentation.

3.3.3 Certificate Server 3.3.1

For Certificate Server information, refer to the Certificate Server online documentation.

3.3.4 NICI 2.7.4

For NICI information, refer to the NICI online documentation.

4.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. Please refer to \documentation\english\license\license.txt for additional information and license terms.