August 25, 2008
NOTE:Check the currently installed Novell and third party applications to determine if eDirectory™ 8.8 SP3 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What products are supported with Novell eDirectory 8.8 SP3?. It is also highly recommended to backup eDirectory prior to any upgrades.
Following are the supported platforms for 32-bit eDirectory:
32-bit operating system such as,
SUSE Linux Enterprise Server 9 SP4
SUSE Linux Enterprise Server 10 SP1 or later versions
SUSE Linux Enterprise Server (SLES) 10 SP1 XEN
Red Hat Advanced Server 4
Red Hat 5.0 or later versions
Red Hat 5.0 AP Virtualization
64-bit operating system such as,
SUSE Linux Enterprise Server (SLES) 9 SP4
SUSE Linux Enterprise Server (SLES) 10 SP1 or later versions
SUSE Linux Enterprise Server (SLES) 10 SP1 XEN
NOTE:eDirectory 8.8 SP3 is supported on SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The following updates are available at https://update.novell.com.
For registering and updating SUSE Linux Enterprise 10, refer to Registering SUSE Linux Enterprise 10 with the Novell Customer Center. After installating the latest update, ensure that the minimum patch level of the installed update is 3.0.2_09763-0.8.
SUSE-Linux-Enterprise-Server-X86_64-10-0-20061011-020434
SLES10-Updates
To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.
Red Hat Advanced Server 4
Red Hat 5.0 or later versions
Red Hat 5.0 AP Virtualization
Ensure that the latest glibc patches are applied from Red Hat Errata on Red Hat systems. The minimum required version of the glibc library is version 2.1.
NOTE:GSSAPI configuration is not supported on Red Hat platform.
Following are the supported platforms for 64-bit eDirectory:
SLES 10 SP1 64-bit or later versions
Red Hat 5.0 64-bit
256 MB RAM minimum
90 MB of disk space for the eDirectory server
25 MB of disk space for the eDirectory administration utilities
74 MB of disk space for every 50,000 users
Ensure that gettext is installed. To install gettext, search the rpmfind Web site for gettext.
NOTE:The net-snmp-32-bit RPM should be installed on 64-bit SLES or OES Linux.
Ensure that net-snmp-32-bit RPM is installed on 64-bit SLES or OES Linux.
For OES1 servers, apply hotpatch ZLM6.6.2 HP4 before upgrading to eDirectory 8.8 SP3. On servers running SLES 10 or SLES 10 SP1, the client package rcd and rcd-devel (if not present earlier) should be upgraded to the latest patch level by using the YaST online update.
Any one of the following:
Solaris 9 on Sun* SPARC*
Solaris 10 on Sun* SPARC*
Solaris Express Developer Edition
All latest recommended patches available on the SunSolve* Web page. If you do not update your system with the latest patches before installing eDirectory, you might have problems while installing and configuring eDirectory.
A minimum of 128 MB RAM
120 MB of disk space for the eDirectory server
32 MB of disk space for the eDirectory administration utilities
74 MB of disk space for every 50,000 users
AIX* 5L Version 5.3
All recommended AIX OS patches, available at the IBM* Tech Support Web site Web site
128 MB RAM minimum
190 MB of disk space for the eDirectory server
12 MB of disk space for the eDirectory administration utilities
74 MB of disk space for every 50,000 users
Use the nds-install command in the setup directory for installing eDirectory:
./nds-install
If you download Novell® eDirectory 8.8 SP3 from http://download.novell.com, use gunzip downloaded file name to extract the downloaded file to a tar file. Then use tar xvf eDirectory file name.tar to get packages and RPMs with the eDirectory installation and uninstallation scripts.
For more information on installing eDirectory, refer to the Novell eDirectory 8.8 SP3 Installation Guide.
eDirectory 8.8 SP3 does not function properly with Nsure™ Audit 1.0.x. For full functionality with eDirectory 8.8 SP3, upgrade to Nsure Audit 2.0.
Download the following iManager plug-ins from the Web.
eDir_88_iMan26_Plugins.npm
eDir_88_iMan27_Plugins.npm
Install the NPMs as directed in the iManager 2.6 Administration Guide and iManager 2.7 Administration Guide.
NOTE:These plug-ins are available at download.novell.com Web site.
With ndsconfig, during eDirectory configuration, if same port number is passed for different interfaces of the instance that is being configured, port conflict checking is not performed.
For example,
# ndsconfig new -o 1234 -L 1234 --config-file /home/user1/eDir/etc/nds.conf
In this command 1234 is passed as the port number for HTTP (-o) and LDAP TCP (-L) interfaces. ndsconfig does not check this conflict.
eDirectory installation fails if the libstdc++.so.6 library is not installed on SLES 9.
To resolve this issue, download this library from Recommended update for LSB.
OpenSLP implements SLPv2, but Novell SLP (NDSslp) on UNIX* and Windows* platforms implements SLPv1.
SLPv1 UAs do not receive replies from SLPv2 SAs, and SLPv2 UAs do not receive replies from SLPv1 SAs. That is, the clients with OpenSLP cannot see trees with NDSslp. Similarly, the clients with NDSslp cannot see trees with OpenSLP. For SLPv1 and SLPv2 to interact, you need to configure a DA that is running SLPv2.OES Linux ships with OpenSLP. However, eDirectory installed other UNIX platforms, such as Solaris and Red Hat Linux, might use NDSslp, which is shipped with eDirectory. Because of interoperability issues with the two versions of SLP, a tree advertised via OpenSLP multicast might not be visible to NDSslp and vice versa. To overcome this problem, you need to configure a DA that runs OpenSLP.
ldif2dib fails to open the default log file, ldif2dib.log when the dib directory is relocated to a custom location.
To work around this issue, explicitly provide the log file location by using the -b switch.
While adding eDirectory 8.8 SP3 server from a SLES 10 host (or to SLES 10) to an existing tree running on different host, the process might fail to add the server if the firewall is enabled.
Enable SLP services and an NCP™ port (the default is 524) in the firewall to allow the secondary server addition.
To create the necessary configuration file, ndsconfig requires the full path and the configuration filename. When the same path name is passed for both the configuration file and the instance directory, ndsconfig cannot create the configuration file and aborts the operation.
After adding packages, if you do not configure eDirectory by using YaST, you need to run the following command at the command line.
chkconfig -a ndsd
In some situations, eDirectory services (ndsd) doesn't start after a system crash or a power failure. To start the eDirectory again, do the following:
Delete /var/opt/novell/eDirectory/data/ndsd.pid file.
Enter /etc/init.d/ndsd start command.
ndsd dumps the core in the dib directory of eDirectory because of a failed install while shutting down the server. This can be ignored because it does not corrupt data or disrupt services.
After the eDirectory upgrade, ndsd might fail to start automatically while rebooting the system.
To work around this issue, start ndsd manually.
When you configure eDirectory on RHEL 5.0, it fails because libstdc++6.0 is automatically installed with Red Hat 5.0. Because the embox, pkiinst, and pkiserver modules are linked to libstdc++5, the incorrect compat library causes the eDirectory configuration to fail.
To work around this issue, manually install the compat-libstdc++-33-3.2.3-61.i386.rpm library.
The eDirectory SNMP subagent fails to start while attempting to load libnetsnmpagent.so master agent module because it cannot resolve boot_DynaLoader symbol.
With all tags enabled, ensure you do not run ndstrace on the following:
A loaded system in Journal mode: It tends to build up ndsd memory.
Servers in inline mode: It crashes ndsd.
If a client performs an unauthenticated search operation when anonymous binds are disabled, the LDAP server responds with the bind result of inappropiate authentication instead of the search result, operationsError.
If eDirectory installation is stopped midway, the fileset might be installed, but in an uncommitted state. This fileset must be removed completely to reinstall eDirectory.
Use the following command to clean the fileset:
installp -ug <fileset>
Example: installp -ug NDS.NDSserv
Installation fails because eDirectory 8.8 SP3 64-bit nds-install script looks for libstdc++.so.6 and libstdc++.so.6.0.8 libraries in 32-bit path instead of 64-bit path.
To install eDirectory 8.8 SP3 successfully:
Comment all the lines that verify the libstdc++.so.5 library in the nds-install script.
If libstdc++ rpm is not installed, manually install the following rpms:
32-bit eDirectory: libstdc++-4.1.2-14.el5.i386.rpm
64-bit eDirectory: libstdc++-4.1.2-14.el5.x86_64.rpm
You might get the following error while configuring eDirectory.
ndsconfig: error while loading shared libraries: libccs2.so
To resolve this issue, run the following command to point the libccs2.so link to the correct path at /opt/novell/usr/lib64/libccs2.so.
ln -s /opt/novell/usr/lib64/libccs2.so /usr/lib64/libccs2.so
New Tree: When you add a server to a new eDirectory tree, the following error displays:
ndsconfig: error while loading shared libraries: /opt/novell/lib/libccs2.so: cannot restore segment prot after reloc: Permission denied.
Existing Tree: When you add a server to an existing eDirectory tree, ndsconfig does not respond while synchronizing schema because SELinux is enabled on the system.
To disable the SELinux for an application and continue the configuration, refer to the Redhat documentation.
If eDirectory installation fails, nds-uninstall can't remove eDirectory.
To resolve this, install eDirectory again in the same location and then uninstall it.
You must not use -s option to retain the nds.conf and the DIB. Ensure you backup them before performing nds-uninstall operation.
After upgrading eDirectory, the new configuration files get .new extension. If there are any changes to these files, they can be absorbed in your files.
When you run ndsconfig upgrade, the following error message displays:
n4u_send_command failed.
To work around this issue: Ensure you reinstall IDM before executing ndsconfig upgrade.
For more information on upgrading to eDirectory 8.8.3, refer to the Upgrading to eDirectory 8.8.3.
After upgrading eDirectory from 32-bit to 64-bit, ensure you update NMAS Simple Password method, for simple password binds to work.
If you are installing simple password method for the first time, do the following:
Add simple password method from the NMAS folder.
If bind does not work, add it again to refresh the NMAS policy.
When eDirectory is upgraded to 8.8.3 version by stopping ndsd on Linux and Solaris, ndsstat shows incorrect product version.
To work around this issue, restart ndsd. It shows proper eDirectory versions in ndsstat.
You can restart or stop the server and then run ndsconfig upgrade command to get the correct eDirectory version.
While configuring the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.
In eDirectory 8.8, if you configure a new instance in a custom location when the default instance server is down, it takes the default instance ports. The default instance does not come up, because the ports of the default instance are alloted to the custom location instance.
Follow the procedure in Troubleshooting Ports with Custom eDirectory 8.8 Instances before rebooting the host.
Only the default instance created through using the default instance binaries is started after reboot.
You can set the paths and use ndsmanage to start the other instances.
When you have more than one eDirectory instance, the second instance and subsequent instances try to listen at the default 524 port instead of the NCP™ port on the loopback address.
To work around this issue, set the n4u.server.tcp-port parameter of the second instance to the port that it is supposed to listen on. The n4u.server.tcp-port parameter is located in the nds.conf file.
IMPORTANT:All eDirectory instances must be up before upgrading to eDirectory 8.8 SP3.
The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has following syntax in the LDIF file:
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
Objects that are bulkloaded with the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.
You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use Escape key (Esc) to stop the bulkload operation.
On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.
When you attempt uploading millions of objects to eDirectory using ldif2dib, and the checkpoint interval is explicitly specified, the operation might halt with an error stating that the directory is full.
To work around this issue, skip the checkpoint interval (Use -i option with ldif2dib command).
While adding a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open the port 524 in the firewall.
To view the French man page on Red Hat Linux, export the following:
export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8
To view the man pages on AIX, use English locale.
The ndsconfig get outputs junk characters (on Linux and AIX) or nothing (on Solaris) for some parameters that contain non-English characters.
To work around this, enter the specify parameter name you want to get, as follows:
ndsconfig get <parameter_to_be_displayed >
For a list of parameters, refer to the nds.conf man page.
When 32-bit Linux eDirectory is installed on 64-bit Linux eDirectory running edirutil, it displays the following error:
Exception in thread 'main' java.lang.NoClassDefFoundError: embox
edirutil is a command line utility and fails to execute for embox; however, embox works fine by using iManager.
To resolve it, you must change line 14 of edirutil script from
test -d /usr/lib64
to
test -d $NDSHOME/opt/novell/eDirectory/lib64
The concurrent connection limit behavior of non-NetWare platforms is changed to match that of Netware. To resort to the old behavior (strict port based checking), set following parameter in nds.conf file.
n4u.server.mask-port-number=0
Catalog services running with eDirectory 8.8 SP3 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Novell Client.
If you have a loopback address alias to the hostname of the system in /etc/hosts entry, that must be changed to the hostname or IP address. That is, if you have an entry similar to the one below in your /etc/hosts file, it needs to be changed to the correct entry given in second example below.
The following example has problems when any utility tries to resolve to ndsd server:
127.0.0.1 test-system localhost.localdomain localhost
The following is a correct example entry in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system
If any third-party tool or utility resolves through localhost, then it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
When the DIB is large, the DS takes time to come up and wrongly displays the following errors:
LDAP TCP Port is not listening
LDAP TLS Port is not listening
In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:
netstat -na
In LDAP transaction support, supportedGroupingTypes OID and transactionGroupingType OIDs are the same ( 2.16.840.1.113719.1.27.103.7).
When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.
The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.
If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:
perishable_data-active: OFF
and
ring_readable-Min_Marginal: 1 or ring_readable-active: OFF
This turns off the warnings for Readable Replica Count and Perishable Data.
The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.
Because UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.
Using Mozilla versions earlier than 1.5 for iMonitor might have problems during DSTrace Flag selection. Mozilla might not support all the operations.
The navigation and assistant frames appear twice on Linux and Solaris.
To work around this problem, refresh the page.
The subagent can fail with the following message:
Unable to load library: libnetsnmp.so
To resolve this, export the environment variable SNMP_MAJOR_VERSION with the net-snmp library’s (libnetsnmp.so) major version number. For example,
export SNMP_MAJOR_VERSION=10
When the master agent is restarted on Solaris and Linux, ndssnmpsa needs to be restarted.
To restart ndssnmpsa, stop ndssnmpsa and then start it again.
To stop ndssnmpsa, enter the following:
Solaris: /etc/rc.d/init.d/ndssnmpsa stop
Linux: /etc/init.d/ndssnmpsa stop
To start ndssnmpsa, enter the following:
Solaris: /etc/rc.d/init.d/ndssnmpsa start
Linux: /etc/init.d/ndssnmpsa start
When you start ndssnmpsa on UNIX, you might get the following errors:
Error: eDirectory SNMP Initialization component. Error code: -168
Error: eDirectory SNMP Initialization component. Error code: 9
To resolve this:
Unload and load ndssnmp as follows:
/opt/novell/eDirectory/bin/ndssnmp -u
/opt/novell/eDirectory/bin/ndssnmp -l
When ndssnmpsa is stopped on SLES 9, an error message similar to "*** glibc detected *** double free or corruption (!prev): 0x0819cdd0 *** " is displayed on the screen.
You can ignore these messages.
You cannot configure encrypted replication through iManager if any server in the replica ring is down.
If an attribute of an object is encrypted, you cannot view or modify the object by using iManager 2.5.
To work around this issue, you can view or modify the encrypted attribute over a secure channel, using any of the following methods:
LDAP: The LDAP request must be send over a secure channel, which means that the trusted root certificate of the server must be used.
ICE: LDIF scripts can be used to modify the object. If you do this, ICE must use a secure channel.
Use iManager 2.5 FP2, iManager 2.6, or later.
NOTE:We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.
Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the EA policy. This makes the object and the encrypted attributes accessible by any client over clear text channel. After this, iManager will be able to access the object.
When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.
Limber displays the -603 error if the server has only sub-ref replica of the encrypted attribute policy partition.
To work around this issue, do any one of the following:
Give read access to the NCP server object. You can do this through iManager by adding
a trustee at the tree root and giving read access to NCP server object. In the attributes, specify attrEncryptionDefinition and attrEncryptionRequiresSecure.
Give Public Read access to the following attributes through LDAP or ndssch:
attrEncryptionDefinition
attrEncryptionRequiresSecure
Quick Create only creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all the LDAP operations fail as it is not possible to associate any LDAP server due to version incompatibility.
To work around this issue, after creating the LDAP group using Quick Create, change the LDAP Group object version number to nine.
You might have problems while backing up by using iManager on Red Hat EUC in the Japanese locale. The fix for this issue will be available with iManager 2.6.
You might get -732 or -6009 errors while trying to run the ndsrepair operations on an NFS mounted DIB on Linux systems.
After you enable encrypted attributes on indexed attributes, if you run ndsrepair with the -R option, it hangs.
If multiple user objects are associated with the same Kerberos principal name, the user or client must specify the bind DN.
RFC2222 specifies support for an authorization ID sent by the user and client. This is not supported by the SASL GSSAPI method.
To view the man pages for SLP, you need to set the paths for the man pages. For example, on AIX, you must set the manpath to /usr/share/man instead of /opt/novell/man.
When encrypted attributes and encrypted replication is enabled at the tree level, clone DIB fails with the following errors:
Clone DIB on target server fails with the -601 error while configuring SAS
After Clone DIB, the newly created clone object fails with the -603 error
To work around these issues, disable encrypted attributes and encrypted replication.
If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure, if the bulkload has been done with the disable indices option.
However, this is not an issue if the dibclone is initiated a few hours after the bulkload completion.
While cloning with the Encrypted Replication feature enabled on the source server, modify the ER policy to temporarily exclude the cloned server. This can be changed after the configuration of the cloned server is complete.
The dsbk.conf file is located in /etc instead of the location relative to the specific instance of eDirectory.
When you use dsbk from the command line, if the temporary file location is not mentioned in the /etc/dsbk.conf file, it gives script errors.
Deletion of a moved object can fail in a tree with two or more servers.
For proper functioning of Identity Manager with eDirectory, increase the max stack size of the ndsd by using the following command:
ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd
Ensure that ndsd is not running when you execute this command.
NOTE:To avoid compatibility issues, ensure you upgrade to IDM 3.6 on any server that has eDirectory 8.8 SP3 installed.
Novell eDirectory 8.8 SP3 has the following documentation:
Novell eDirectory 8.8 What's New Guide
Novell eDirectory 8.8 Installation Guide
Novell eDirectory 8.8 Administration Guide
Novell eDirectory 8.8 Troubleshooting Guide
These documents are available at the Novell eDirectory 8.8 online documentation Web site.
The latest version of this readme is available at the Novell eDirectory 8.8 online documentation Web site.
iManager 2.6
For iManager 2.6 information, refer to the iManager 2.6 online documentation.
iManager 2.7
For iManager 2.7 information, refer to the iManager 2.7 online documentation.
For NMAS information, refer to the NMAS online documentation.
For Certificate Server information, refer to the Certificate Server online documentation.
For NICI information, refer to the NICI online documentation.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
All third-party trademarks are the property of their respective owners.