Novell eDirectory 8.8 SP3 for Linux, Solaris, and AIX

August 25, 2008

1.1.1 Linux
1.1.2 Solaris
1.1.3 AIX
2.6.1 Schema
2.6.4 Options
3.3.1 iManager

1.0 Installation

1.1 Prerequisites

NOTE:Check the currently installed Novell and third party applications to determine if eDirectory™ 8.8 SP3 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID - What products are supported with Novell eDirectory 8.8 SP3?. It is also highly recommended to backup eDirectory prior to any upgrades.

1.1.1 Linux

  • Following are the supported platforms for 32-bit eDirectory:

    • 32-bit operating system such as,

      • SUSE Linux Enterprise Server 9 SP4

      • SUSE Linux Enterprise Server 10 SP1 or later versions

      • SUSE Linux Enterprise Server (SLES) 10 SP1 XEN

      • Red Hat Advanced Server 4

      • Red Hat 5.0 or later versions

      • Red Hat 5.0 AP Virtualization

    • 64-bit operating system such as,

      • SUSE Linux Enterprise Server (SLES) 9 SP4

      • SUSE Linux Enterprise Server (SLES) 10 SP1 or later versions

      • SUSE Linux Enterprise Server (SLES) 10 SP1 XEN

        NOTE:eDirectory 8.8 SP3 is supported on SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The following updates are available at https://update.novell.com.

        For registering and updating SUSE Linux Enterprise 10, refer to Registering SUSE Linux Enterprise 10 with the Novell Customer Center. After installating the latest update, ensure that the minimum patch level of the installed update is 3.0.2_09763-0.8.

        • SUSE-Linux-Enterprise-Server-X86_64-10-0-20061011-020434

        • SLES10-Updates

        To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.

      • Red Hat Advanced Server 4

      • Red Hat 5.0 or later versions

      • Red Hat 5.0 AP Virtualization

        Ensure that the latest glibc patches are applied from Red Hat Errata on Red Hat systems. The minimum required version of the glibc library is version 2.1.

        NOTE:GSSAPI configuration is not supported on Red Hat platform.

    • Following are the supported platforms for 64-bit eDirectory:

      • SLES 10 SP1 64-bit or later versions

      • Red Hat 5.0 64-bit

  • 256 MB RAM minimum

  • 90 MB of disk space for the eDirectory server

  • 25 MB of disk space for the eDirectory administration utilities

  • 74 MB of disk space for every 50,000 users

  • Ensure that gettext is installed. To install gettext, search the rpmfind Web site for gettext.

    NOTE:The net-snmp-32-bit RPM should be installed on 64-bit SLES or OES Linux.

  • Ensure that net-snmp-32-bit RPM is installed on 64-bit SLES or OES Linux.

  • For OES1 servers, apply hotpatch ZLM6.6.2 HP4 before upgrading to eDirectory 8.8 SP3. On servers running SLES 10 or SLES 10 SP1, the client package rcd and rcd-devel (if not present earlier) should be upgraded to the latest patch level by using the YaST online update.

1.1.2 Solaris

  • Any one of the following:

    • Solaris 9 on Sun* SPARC*

    • Solaris 10 on Sun* SPARC*

  • Solaris Express Developer Edition

  • All latest recommended patches available on the SunSolve* Web page. If you do not update your system with the latest patches before installing eDirectory, you might have problems while installing and configuring eDirectory.

  • A minimum of 128 MB RAM

  • 120 MB of disk space for the eDirectory server

  • 32 MB of disk space for the eDirectory administration utilities

  • 74 MB of disk space for every 50,000 users

1.1.3 AIX

  • AIX* 5L Version 5.3

  • All recommended AIX OS patches, available at the IBM* Tech Support Web site Web site

  • 128 MB RAM minimum

  • 190 MB of disk space for the eDirectory server

  • 12 MB of disk space for the eDirectory administration utilities

  • 74 MB of disk space for every 50,000 users

1.2 Installing eDirectory on Linux, Solaris, and AIX

Use the nds-install command in the setup directory for installing eDirectory:

./nds-install

If you download Novell® eDirectory 8.8 SP3 from http://download.novell.com, use gunzip downloaded file name to extract the downloaded file to a tar file. Then use tar xvf eDirectory file name.tar to get packages and RPMs with the eDirectory installation and uninstallation scripts.

For more information on installing eDirectory, refer to the Novell eDirectory 8.8 SP3 Installation Guide.

1.3 Interoperability Between eDirectory and Nsure Audit 1.0.x

eDirectory 8.8 SP3 does not function properly with Nsure™ Audit 1.0.x. For full functionality with eDirectory 8.8 SP3, upgrade to Nsure Audit 2.0.

1.4 iManager Plug-Ins Installation

2.0 Known Issues

2.1 Installation and Configuration Issues

2.1.1 No Port Conflict Checks for the Same Instance

With ndsconfig, during eDirectory configuration, if same port number is passed for different interfaces of the instance that is being configured, port conflict checking is not performed.

For example,

# ndsconfig new -o 1234 -L 1234 --config-file /home/user1/eDir/etc/nds.conf

In this command 1234 is passed as the port number for HTTP (-o) and LDAP TCP (-L) interfaces. ndsconfig does not check this conflict.

2.1.2 Error While Loading Shared Libraries: libstdc++.so.6

eDirectory installation fails if the libstdc++.so.6 library is not installed on SLES 9.

To resolve this issue, download this library from Recommended update for LSB.

2.1.3 SLP Interoperability Issues on OES Linux

OpenSLP implements SLPv2, but Novell SLP (NDSslp) on UNIX* and Windows* platforms implements SLPv1.

SLPv1 UAs do not receive replies from SLPv2 SAs, and SLPv2 UAs do not receive replies from SLPv1 SAs. That is, the clients with OpenSLP cannot see trees with NDSslp. Similarly, the clients with NDSslp cannot see trees with OpenSLP. For SLPv1 and SLPv2 to interact, you need to configure a DA that is running SLPv2.OES Linux ships with OpenSLP. However, eDirectory installed other UNIX platforms, such as Solaris and Red Hat Linux, might use NDSslp, which is shipped with eDirectory. Because of interoperability issues with the two versions of SLP, a tree advertised via OpenSLP multicast might not be visible to NDSslp and vice versa. To overcome this problem, you need to configure a DA that runs OpenSLP.

2.1.4 ldif2dib Fails to Open the Error Log File When the DIB Directory Exists In the Custom Path

ldif2dib fails to open the default log file, ldif2dib.log when the dib directory is relocated to a custom location.

To work around this issue, explicitly provide the log file location by using the -b switch.

2.1.5 eDirectory 8.8 SP3 Fails to Add SLES10 with a Firewall Enabled

While adding eDirectory 8.8 SP3 server from a SLES 10 host (or to SLES 10) to an existing tree running on different host, the process might fail to add the server if the firewall is enabled.

Enable SLP services and an NCP™ port (the default is 524) in the firewall to allow the secondary server addition.

2.1.6 ndsconfig Does Not Verify an Invalid Configuration File Path

To create the necessary configuration file, ndsconfig requires the full path and the configuration filename. When the same path name is passed for both the configuration file and the instance directory, ndsconfig cannot create the configuration file and aborts the operation.

2.1.7 NDS Server Does Not Start Automatically in the Virtual SLES 10

After adding packages, if you do not configure eDirectory by using YaST, you need to run the following command at the command line.

chkconfig -a ndsd

2.1.8 ndsd Does Not Start After a System Crash

In some situations, eDirectory services (ndsd) doesn't start after a system crash or a power failure. To start the eDirectory again, do the following:

  1. Delete /var/opt/novell/eDirectory/data/ndsd.pid file.

  2. Enter /etc/init.d/ndsd start command.

2.1.9 ndsd Dumps the Core while Accessing the NDS Server

ndsd dumps the core in the dib directory of eDirectory because of a failed install while shutting down the server. This can be ignored because it does not corrupt data or disrupt services.

2.1.10 ndsd Might Fail to Start after Upgrading from eDirectory 8.7.3 SP7 to eDirectory 8.8.3 in OES 1.0 SP3

After the eDirectory upgrade, ndsd might fail to start automatically while rebooting the system.

To work around this issue, start ndsd manually.

2.1.11 eDirectory 8.8 SP3 Configuration Fails on RHEL 5.0

When you configure eDirectory on RHEL 5.0, it fails because libstdc++6.0 is automatically installed with Red Hat 5.0. Because the embox, pkiinst, and pkiserver modules are linked to libstdc++5, the incorrect compat library causes the eDirectory configuration to fail.

To work around this issue, manually install the compat-libstdc++-33-3.2.3-61.i386.rpm library.

2.1.12 eDirectory 8.8 SP3 64-bit SNMP Sub Agent Fails to Start on Red Hat 5.0

The eDirectory SNMP subagent fails to start while attempting to load libnetsnmpagent.so master agent module because it cannot resolve boot_DynaLoader symbol.

2.1.13 Do not Execute ndstrace With All Tags Enabled on UNIX Systems

With all tags enabled, ensure you do not run ndstrace on the following:

  • A loaded system in Journal mode: It tends to build up ndsd memory.

  • Servers in inline mode: It crashes ndsd.

2.1.14 LDAP is Not RFC Compliant For Anonymous Search Requests

If a client performs an unauthenticated search operation when anonymous binds are disabled, the LDAP server responds with the bind result of inappropiate authentication instead of the search result, operationsError.

2.1.15 nds-install Script Fails if eDirectory Installation is Aborted on AIX

If eDirectory installation is stopped midway, the fileset might be installed, but in an uncommitted state. This fileset must be removed completely to reinstall eDirectory.

Use the following command to clean the fileset:

installp -ug <fileset>

Example: installp -ug NDS.NDSserv

2.1.16 Cannot install eDirectory 88 SP3 64-bit on Red Hat 5.X

Installation fails because eDirectory 8.8 SP3 64-bit nds-install script looks for libstdc++.so.6 and libstdc++.so.6.0.8 libraries in 32-bit path instead of 64-bit path.

To install eDirectory 8.8 SP3 successfully:

  1. Comment all the lines that verify the libstdc++.so.5 library in the nds-install script.

  2. If libstdc++ rpm is not installed, manually install the following rpms:

    • 32-bit eDirectory: libstdc++-4.1.2-14.el5.i386.rpm

    • 64-bit eDirectory: libstdc++-4.1.2-14.el5.x86_64.rpm

2.1.17 Incorrect libccs2.so Path Might Cause eDirectory Configuration Error on Red Hat 5.0

You might get the following error while configuring eDirectory.

ndsconfig: error while loading shared libraries: libccs2.so

To resolve this issue, run the following command to point the libccs2.so link to the correct path at /opt/novell/usr/lib64/libccs2.so.

ln -s /opt/novell/usr/lib64/libccs2.so /usr/lib64/libccs2.so

2.2 eDirectory Behavior on SElinux enabled Red Hat Systems

  • New Tree: When you add a server to a new eDirectory tree, the following error displays:

    ndsconfig: error while loading shared libraries: /opt/novell/lib/libccs2.so:
    cannot restore segment prot after reloc: Permission denied.
    
  • Existing Tree: When you add a server to an existing eDirectory tree, ndsconfig does not respond while synchronizing schema because SELinux is enabled on the system.

    To disable the SELinux for an application and continue the configuration, refer to the Redhat documentation.

2.3 Uninstallation Issues

2.3.1 Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall can't remove eDirectory.

To resolve this, install eDirectory again in the same location and then uninstall it.

2.3.2 nds-uninstall -s option Fails to Retain Configuration and DIB Files

You must not use -s option to retain the nds.conf and the DIB. Ensure you backup them before performing nds-uninstall operation.

2.4 Upgrade Issues

2.4.1 Duplicate Files Created after Upgrading from eDirectory 8.8.2 to eDirectory 8.8.3

After upgrading eDirectory, the new configuration files get .new extension. If there are any changes to these files, they can be absorbed in your files.

2.4.2 Upgrading OES1 / SLES9 Servers from eDirectory 8.7.3.x to eDirectory 8.8.x Fails When IDM 3.x is Installed

When you run ndsconfig upgrade, the following error message displays:

n4u_send_command failed.

To work around this issue: Ensure you reinstall IDM before executing ndsconfig upgrade.

For more information on upgrading to eDirectory 8.8.3, refer to the Upgrading to eDirectory 8.8.3.

2.4.3 Upgrading Simple Password Bind from an Older Version to 64-bit 8.8.3 Version

After upgrading eDirectory from 32-bit to 64-bit, ensure you update NMAS Simple Password method, for simple password binds to work.

If you are installing simple password method for the first time, do the following:

  1. Add simple password method from the NMAS folder.

  2. If bind does not work, add it again to refresh the NMAS policy.

2.4.4 ndsstat Shows Wrong eDirectory versions

When eDirectory is upgraded to 8.8.3 version by stopping ndsd on Linux and Solaris, ndsstat shows incorrect product version.

To work around this issue, restart ndsd. It shows proper eDirectory versions in ndsstat.

You can restart or stop the server and then run ndsconfig upgrade command to get the correct eDirectory version.

2.5 Multiple Instances Issues

2.5.1 Default Instance Path

While configuring the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.

2.5.2 Troubleshooting Ports with Custom eDirectory 8.8 Instances

In eDirectory 8.8, if you configure a new instance in a custom location when the default instance server is down, it takes the default instance ports. The default instance does not come up, because the ports of the default instance are alloted to the custom location instance.

Follow the procedure in Troubleshooting Ports with Custom eDirectory 8.8 Instances before rebooting the host.

2.5.3 Rebooting the Host

Only the default instance created through using the default instance binaries is started after reboot.

You can set the paths and use ndsmanage to start the other instances.

2.5.4 ndsd Not Listening at the Loopback Address on a Given NCP Port

When you have more than one eDirectory instance, the second instance and subsequent instances try to listen at the default 524 port instead of the NCP™ port on the loopback address.

To work around this issue, set the n4u.server.tcp-port parameter of the second instance to the port that it is supposed to listen on. The n4u.server.tcp-port parameter is located in the nds.conf file.

IMPORTANT:All eDirectory instances must be up before upgrading to eDirectory 8.8 SP3.

2.6 ldif2dib Limitations

2.6.1 Schema

The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has following syntax in the LDIF file:

  • objectclass: inetorgperson

  • objectclass: organizationalPerson

  • objectclass: person

  • objectclass: top

2.6.2 ACL Templates

Objects that are bulkloaded with the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.

2.6.3 Signal Handler

You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use Escape key (Esc) to stop the bulkload operation.

2.6.4 Options

On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.

2.6.5 Ldif2dib Might Fail to Upload Objects Beyond Several Millions on RHEL 5.0

When you attempt uploading millions of objects to eDirectory using ldif2dib, and the checkpoint interval is explicitly specified, the operation might halt with an error stating that the directory is full.

To work around this issue, skip the checkpoint interval (Use -i option with ldif2dib command).

2.7 Cannot Add a Secondary Server in a Red Hat System

While adding a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open the port 524 in the firewall.

2.8 Viewing French and Japanese Manpages

To view the French man page on Red Hat Linux, export the following:

export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8

To view the man pages on AIX, use English locale.

2.9 ndsconfig get Outputs Junk Characters for Non-English Characters

The ndsconfig get outputs junk characters (on Linux and AIX) or nothing (on Solaris) for some parameters that contain non-English characters.

To work around this, enter the specify parameter name you want to get, as follows:

ndsconfig get <parameter_to_be_displayed >

For a list of parameters, refer to the nds.conf man page.

2.10 Executing edirutil Utility Displays Error

When 32-bit Linux eDirectory is installed on 64-bit Linux eDirectory running edirutil, it displays the following error:

Exception in thread 'main' java.lang.NoClassDefFoundError: embox

edirutil is a command line utility and fails to execute for embox; however, embox works fine by using iManager.

To resolve it, you must change line 14 of edirutil script from

test -d /usr/lib64

to

test -d $NDSHOME/opt/novell/eDirectory/lib64

2.11 Unable to Limit the Number of Concurrent Users on Non-NetWare Platforms

The concurrent connection limit behavior of non-NetWare platforms is changed to match that of Netware. To resort to the old behavior (strict port based checking), set following parameter in nds.conf file.

n4u.server.mask-port-number=0

2.12 Catalog Services with eDirectory 8.8 SP3

Catalog services running with eDirectory 8.8 SP3 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Novell Client.

2.13 Localhost Issues in /etc/hosts

If you have a loopback address alias to the hostname of the system in /etc/hosts entry, that must be changed to the hostname or IP address. That is, if you have an entry similar to the one below in your /etc/hosts file, it needs to be changed to the correct entry given in second example below.

The following example has problems when any utility tries to resolve to ndsd server:

127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

127.0.0.1 localhost.localdomain localhost

10.77.11.10 test-system

If any third-party tool or utility resolves through localhost, then it needs to be changed to resolve through a hostname or IP address and not through the localhost address.

2.14 LDAP TCP and TLS Ports Issue with Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

LDAP TCP Port is not listening
LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

netstat -na

2.15 LDAP Transaction OIDs

In LDAP transaction support, supportedGroupingTypes OID and transactionGroupingType OIDs are the same ( 2.16.840.1.113719.1.27.103.7).

2.16 iMonitor Issues

2.16.1 Browsing for Objects Containing Double-Byte Characters in iMonitor

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not correctly hyperlink to the object properties.

2.16.2 Agent Health Check on a Single-Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:

perishable_data-active: OFF

and

ring_readable-Min_Marginal: 1 or ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.16.3 iMonitor Report Does Not Save the Records for Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.

2.16.4 Creation and Modification Time Stamps

Because UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.

2.16.5 iMonitor Issues in Older versions of Mozilla

Using Mozilla versions earlier than 1.5 for iMonitor might have problems during DSTrace Flag selection. Mozilla might not support all the operations.

2.16.6 Run Report Screen Layout Not Aligned on iMonitor

The navigation and assistant frames appear twice on Linux and Solaris.

To work around this problem, refresh the page.

2.17 SNMP Issues

2.17.1 Errors While Starting the NDS Subagent

The subagent can fail with the following message:

Unable to load library: libnetsnmp.so

To resolve this, export the environment variable SNMP_MAJOR_VERSION with the net-snmp library’s (libnetsnmp.so) major version number. For example,

export SNMP_MAJOR_VERSION=10

2.17.2 Restarting ndssnmpsa

When the master agent is restarted on Solaris and Linux, ndssnmpsa needs to be restarted.

To restart ndssnmpsa, stop ndssnmpsa and then start it again.

To stop ndssnmpsa, enter the following:

  • Solaris: /etc/rc.d/init.d/ndssnmpsa stop

  • Linux: /etc/init.d/ndssnmpsa stop

To start ndssnmpsa, enter the following:

  • Solaris: /etc/rc.d/init.d/ndssnmpsa start

  • Linux: /etc/init.d/ndssnmpsa start

2.17.3 Errors While Starting ndssnmpsa

When you start ndssnmpsa on UNIX, you might get the following errors:

Error: eDirectory SNMP Initialization component. Error code: -168
Error: eDirectory SNMP Initialization component. Error code: 9

To resolve this:

  1. Unload and load ndssnmp as follows:

    /opt/novell/eDirectory/bin/ndssnmp -u

    /opt/novell/eDirectory/bin/ndssnmp -l

2.17.4 Errors While Stopping ndssnmpsa

When ndssnmpsa is stopped on SLES 9, an error message similar to "*** glibc detected *** double free or corruption (!prev): 0x0819cdd0 *** " is displayed on the screen.

You can ignore these messages.

2.18 Encrypted Attributes and Encrypted Replication Issues

2.18.1 Configuring Encrypted Replication through iManager

You cannot configure encrypted replication through iManager if any server in the replica ring is down.

2.18.2 Viewing or Modifying Encrypted Attributes through iManager

If an attribute of an object is encrypted, you cannot view or modify the object by using iManager 2.5.

To work around this issue, you can view or modify the encrypted attribute over a secure channel, using any of the following methods:

  • LDAP: The LDAP request must be send over a secure channel, which means that the trusted root certificate of the server must be used.

  • ICE: LDIF scripts can be used to modify the object. If you do this, ICE must use a secure channel.

  • Use iManager 2.5 FP2, iManager 2.6, or later.

NOTE:We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.

Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the EA policy. This makes the object and the encrypted attributes accessible by any client over clear text channel. After this, iManager will be able to access the object.

2.18.3 Merging Trees With Encrypted Replication Enabled Fails

When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.

2.18.4 Limber Displays -603 Error

Limber displays the -603 error if the server has only sub-ref replica of the encrypted attribute policy partition.

To work around this issue, do any one of the following:

  • Give read access to the NCP server object. You can do this through iManager by adding

    a trustee at the tree root and giving read access to NCP server object. In the attributes, specify attrEncryptionDefinition and attrEncryptionRequiresSecure.

  • Give Public Read access to the following attributes through LDAP or ndssch:

    • attrEncryptionDefinition

    • attrEncryptionRequiresSecure

2.19 iManager Issues

2.19.1 LDAP Operations Fail After Creating a New LDAP Group Using Quick Create

Quick Create only creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all the LDAP operations fail as it is not possible to associate any LDAP server due to version incompatibility.

To work around this issue, after creating the LDAP group using Quick Create, change the LDAP Group object version number to nine.

2.19.2 Issues While Backing Up on Red Hat EUC in the Japanese Locale

You might have problems while backing up by using iManager on Red Hat EUC in the Japanese locale. The fix for this issue will be available with iManager 2.6.

2.20 ndsrepair Issues

2.20.1 Running ndsrepair on an NFS Mounted DIB on Linux

You might get -732 or -6009 errors while trying to run the ndsrepair operations on an NFS mounted DIB on Linux systems.

2.20.2 Running ndsrepair with -R Option Hangs

After you enable encrypted attributes on indexed attributes, if you run ndsrepair with the -R option, it hangs.

2.21 SASL-GSSAPI Issues

2.21.1 GSSAPI With Multiple User Objects

If multiple user objects are associated with the same Kerberos principal name, the user or client must specify the bind DN.

2.21.2 Authorization ID

RFC2222 specifies support for an authorization ID sent by the user and client. This is not supported by the SASL GSSAPI method.

2.22 Viewing SLP Man Pages

To view the man pages for SLP, you need to set the paths for the man pages. For example, on AIX, you must set the manpath to /usr/share/man instead of /opt/novell/man.

2.23 Clone DIB Issues

2.23.1 Clone DIB Fails With -601 and -603 Errors

When encrypted attributes and encrypted replication is enabled at the tree level, clone DIB fails with the following errors:

  • Clone DIB on target server fails with the -601 error while configuring SAS

  • After Clone DIB, the newly created clone object fails with the -603 error

To work around these issues, disable encrypted attributes and encrypted replication.

2.23.2 Clone DIB Can Fail Immediately After Offline Bulkload

If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure, if the bulkload has been done with the disable indices option.

However, this is not an issue if the dibclone is initiated a few hours after the bulkload completion.

2.23.3 Issue in Cloning with Enabled Encrypted Replication Feature

While cloning with the Encrypted Replication feature enabled on the source server, modify the ER policy to temporarily exclude the cloned server. This can be changed after the configuration of the cloned server is complete.

2.24 dsbk Issues Configuration File Location

2.24.1 dsbk Configuration File Location

The dsbk.conf file is located in /etc instead of the location relative to the specific instance of eDirectory.

2.24.2 dsbk Usability Issue

When you use dsbk from the command line, if the temporary file location is not mentioned in the /etc/dsbk.conf file, it gives script errors.

2.25 Deletion of a Moved Object Fails (error -637)

Deletion of a moved object can fail in a tree with two or more servers.

2.26 Issues with running Identity Manager with eDirectory on AIX

For proper functioning of Identity Manager with eDirectory, increase the max stack size of the ndsd by using the following command:

ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd

Ensure that ndsd is not running when you execute this command.

NOTE:To avoid compatibility issues, ensure you upgrade to IDM 3.6 on any server that has eDirectory 8.8 SP3 installed.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP3 has the following documentation:

  • Novell eDirectory 8.8 What's New Guide

  • Novell eDirectory 8.8 Installation Guide

  • Novell eDirectory 8.8 Administration Guide

  • Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site.

3.2 Readme Information

The latest version of this readme is available at the Novell eDirectory 8.8 online documentation Web site.

3.3 Additional Documentation

3.3.1 iManager

3.3.2 NMAS 3.3.0

For NMAS information, refer to the NMAS online documentation.

3.3.3 Certificate Server 3.3.1

For Certificate Server information, refer to the Certificate Server online documentation.

3.3.4 NICI 2.7.4

For NICI information, refer to the NICI online documentation.

4.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.

All third-party trademarks are the property of their respective owners.