NOTE: Check the currently installed Novell and third-party applications to determine if eDirectory 8.8 SP7 is supported before upgrading your existing eDirectory environment. It is also highly recommended that you back up eDirectory prior to any upgrades.
You can use any one of the platforms listed below.
NOTE: eDirectory 8.8 SP7 does not support installing eDirectory components on Novell NetWare servers.
For a 32-bit eDirectory installation:
32-bit (x86_32)
SUSE Linux Enterprise Server (SLES) 11 SP1 and later Support Packs
SLES 10 SP4 and later Support Packs
Red Hat Enterprise Linux (RHEL) AP 5.4 and later Support Packs
RHEL 6 AP and its Support Packs
RHEL 6 AP Virtualization
64-bit (x86_64)
SLES 11 SP1 and later Support Packs
SLES 10 SP4 and later Support Packs
RHEL AP 5.4 and later Support Packs
RHEL 6 AP and its Support Packs
RHEL 6 AP Virtualization
For a 64-bit eDirectory installation:
SLES 11 SP1 64-bit and later Support Packs
SLES 10 SP4 64-bit and later Support Packs
RHEL AP 5.4 and later Support Packs
RHEL 6 and its Support Packs
RHEL virtualization (5 and 6)
You can run the above operating systems in a virtual mode on the following hypervisors:
Xen
VMware ESX
Windows Server 2008 R2 Virtualization with Hyper-V
eDirectory also requires the following prerequisites:
A minimum of 512 MB RAM for eDirectory
200 MB of disk space for the eDirectory installation (server and administration utilities)
150 MB of disk space for every 50,000 users
Ensure that gettext is installed. To install gettext, search the rpmfind Web site for gettext.
Ensure that the net-snmp-32-bit RPM is installed on 64-bit SLES. The RPM is available in the SLES 10 64-bit install CD.
If you use ZLM for patch management, apply the hotpatch ZLM6.6.2 HP4 before upgrading to eDirectory 8.8 SP7. On servers such as Vanilla SLES 10 or SLES 10 SP1, libredcarpet should be upgraded to the latest patch level using YaST Online Update.
On SLES, if you add an eDirectory 8.8 SP7 server from a SLES host to an existing tree running on a different host, the process might fail if the firewall is enabled.
Enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition.
On an RHEL system, if you add a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open port 524 in the firewall.
You can use any one of the platforms listed below.
For a 32-bit eDirectory installation:
Solaris 10 on Sun SPARC
For a 64-bit eDirectory installation:
Solaris 10 on Sun SPARC
Solaris 10 Zones (Small Zone and Big Zone)
eDirectory also requires the following prerequisites:
All latest recommended patches available on the My Oracle Support Web page. If you do not update your system with the latest patches before installing eDirectory, you might have problems while installing and configuring eDirectory.
A minimum of 512 MB RAM
200 MB of disk space for the eDirectory installation (server and administration utilities)
150 MB of disk space for every 50,000 users
eDirectory 8.8 SP7 (32-bit only) can be installed on servers running AIX Version 6.1.x.
eDirectory also requires the following prerequisites:
All recommended AIX OS patches, available at the IBM Fix Central Web site
A minimum of 512 MB RAM
200 MB of disk space for the eDirectory installation (server and administration utilities)
150 MB of disk space for every 50,000 users
Use the nds-install command in the setup directory to install eDirectory:
./nds-install
If you download Novell eDirectory 8.8 SP7 from the Novell Downloads Web site, use gunzip <downloaded file name> to extract the downloaded file to a tar file. Then use tar xvf <eDirectory file name>.tar to get packages and RPMs with the eDirectory installation and uninstallation scripts.
For more information on installing eDirectory, refer to the Novell eDirectory 8.8 SP7 Installation Guide.
Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Novell Downloads Web site.
Install the NPM as directed in the Novell iManager 2.7.5 Administration Guide.
IMPORTANT: Ensure that the supported version of SSP is installed on eDirectory 8.7.3 SP before upgrading to eDirectory 8.8 SP7. Refer to Section 1.1, Prerequisites for more information.
Install and configure eDirectory, then configure the xdasproperties file. Ensure that the syslog appender is enabled as follows:
log4j.appender.S=org.apache.log4j.net.SyslogAppender
Disable Layout definition for appender Syslog S as follows:
# Layout definition for appender Syslog S.
log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
When you attempt to load xdasauditds, eDirectory starts dumping the core and the program is terminated with signal 11.
This issue arises because log4cxx does not check for the existence of layout in the xdasproperties file before setting it up. It assumes that Layout definition for appender Syslog S is automatically enabled if the syslog appender is enabled in the xdasproperties file.
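A pre-flight check for the condition described above, added here as an example and not taken from Novell's tooling: it reports when the syslog appender S is enabled in an xdasproperties file while log4j.appender.S.layout is commented out or missing. The helper names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the xdasauditds crash described above.
# prop_value and check_xdas_layout are hypothetical helper names.

# Print the value of an active (uncommented) property, or nothing.
prop_value() {   # usage: prop_value <file> <key>
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }          # commented-out lines do not count
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v       # last definition wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# Exit status: 0 = safe, 1 = syslog appender S enabled with no layout, 2 = unreadable.
check_xdas_layout() {   # usage: check_xdas_layout <xdasproperties file>
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    appender=$(prop_value "$1" "log4j.appender.S")
    layout=$(prop_value "$1" "log4j.appender.S.layout")
    if [ "$appender" = "org.apache.log4j.net.SyslogAppender" ] && [ -z "$layout" ]; then
        echo "RISK: syslog appender S is enabled but log4j.appender.S.layout is not set"
        return 1
    fi
    echo "OK: syslog appender S is not enabled without a layout"
}

# Constructed sample: appender enabled, both layout lines commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
EOF
check_xdas_layout "$sample" || true
rm -f "$sample"
```

Run it against the xdasproperties file of the instance before loading xdasauditds; a status of 1 means the layout line should be enabled first.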
The auto save feature of the iManager property page causes it to save the default object class when you visit XDAS roles or XDAS accounts page before moving to other pages. To make sure that the settings are appropriate for your requirement, check the xdasconfiguration attribute on the NCP Server object after you are done configuring settings through iManager.
When you configure eDirectory on RHEL 5.4, it fails because libstdc++6.0 is automatically installed with Red Hat 5.4. Because the embox, pkiinst, and pkiserver modules are linked to libstdc++5, the incorrect compat library causes the eDirectory configuration to fail.
To work around this issue, manually install the compat-libstdc++-33-3.2.3-61.i386.rpm library.
The upgrade causes eDirectory packages to be marked for deletion. You can deselect this option to avoid eDirectory deletion.
If eDirectory is accidentally deleted, there is no data loss and it can be reinstalled.
While shutting down the server after eDirectory is successfully configured, ndsd sometimes dumps the core in the Directory Information Base (DIB) directory of eDirectory. This can be ignored because it does not corrupt data or disrupt services.
If eDirectory installation is stopped midway, the fileset might be installed, but in an uncommitted state. This fileset must be removed completely to reinstall eDirectory.
Use the following command to clean the fileset:
installp -ug <fileset>
Example: installp -ug NDS.NDSserv
When you select a radio button from the Novell eDirectory Management Toolbox (eMBox) graphical interface, the command line window does not match with the result of the button selection. It shows as selected, but if it is executed, it works as expected.
If eDirectory installation fails, nds-uninstall can't remove eDirectory.
To resolve this, install eDirectory again in the same location and then uninstall it.
You must not use the -s option to retain the nds.conf and the DIB. Ensure that you back them up before performing the nds-uninstall operation.
After upgrading eDirectory, the new configuration files have a .new extension. If there are any changes to these files, they can be absorbed in your files.
After upgrading eDirectory from 32-bit to 64-bit, ensure you update the Novell Modular Authentication Service (NMAS) Simple Password method for simple password binds to work.
When you upgrade from eDirectory 8.7.3 to 8.8 SP7 in an environment with Identity Manager installed, the eDirectory files reside in a different path from the files used by Identity Manager. The Identity Manager engine and Remote Loader still reside at the original install location from the eDirectory 8.7.3 installation.
For Identity Manager to work with eDirectory 8.8 SP7, you must reinstall any previously installed Identity Manager components on the system to have them relocated to the new paths, as defined by the eDirectory 8.8 SP7 installation.
If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM is not automatically upgraded. Therefore, you must manually upgrade the eDirectory instrumentation RPM.
NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.
For more information on upgrading the instrumentation, refer to the Novell eDirectory 8.8 SP7 Installation Guide.
After you upgrade to eDirectory 8.8 SP7 in an environment where ConsoleOne is installed, ConsoleOne displays an error. ConsoleOne requires a 32-bit package included in eDirectory 8.7.3 but removed in eDirectory 8.8 SP7. This issue only occurs on 64-bit installations of eDirectory.
To work around this issue, after upgrading eDirectory, reinstall ConsoleOne. The ConsoleOne installer installs the eDirectory 8.7.3 package and starts properly.
While you configure the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.
The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has the following syntax in the LDIF file:
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
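A pre-check for this requirement, added here as an example and not part of ldif2dib: it lists entries whose objectclass values omit an inherited class. The helper name, the sample entry and the superior-class map are assumptions; the map covers only the inetOrgPerson chain shown above and must be extended from the schema of the target tree.

```shell
#!/bin/sh
# Added example: pre-check an LDIF file before bulkload with ldif2dib.
# check_ldif_classes is a hypothetical helper name.

# Print one line per missing inherited class; exit status 1 if any are missing.
check_ldif_classes() {   # usage: check_ldif_classes <ldif file>
    awk '
        BEGIN {
            # Superior-class map: only the chain shown in the text (assumption:
            # extend it from the schema of the target tree).
            sup["inetorgperson"] = "organizationalperson"
            sup["organizationalperson"] = "person"
            sup["person"] = "top"
        }
        function end_entry(   c, s) {
            for (c in have)
                for (s = sup[c]; s != ""; s = sup[s])
                    if (!(s in have) && !((dn, s) in seen)) {
                        print dn ": missing objectclass " s
                        seen[dn, s] = 1; bad = 1
                    }
            dn = ""; split("", have)
        }
        { sub(/\r$/, "") }
        /^[ \t]*$/ { end_entry(); next }                 # blank line ends an entry
        tolower($0) ~ /^dn:/ { dn = $0; sub(/^[^:]*:[ \t]*/, "", dn); next }
        tolower($0) ~ /^objectclass:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            have[tolower(v)] = 1
        }
        END { end_entry(); exit bad + 0 }
    ' "$1"
}

# Constructed sample entry that lists inetorgperson without its superior classes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=user1,o=example
objectclass: inetorgperson
objectclass: top
EOF
check_ldif_classes "$sample" || true
rm -f "$sample"
```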
Objects that are bulkloaded with the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.
You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.
On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.
When you attempt to upload millions of objects to eDirectory by using ldif2dib, and the checkpoint interval is explicitly specified, the operation might halt with an error stating that the directory is full.
To work around this issue, skip the checkpoint interval by using the -i option with the ldif2dib command.
To view the French man page on Red Hat Linux, export the following:
export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8
To view the man pages on AIX, use the English locale.
Catalog services running with eDirectory 8.8 SP7 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Novell Client.
If you have a loopback address alias to the hostname of the system in an /etc/hosts entry, it must be changed to the hostname or IP address. That is, if you have an entry similar to the one below in your /etc/hosts file, it needs to be changed to the correct entry given in the second example below.
The following example has problems when any utility tries to resolve to the ndsd server:
127.0.0.1 test-system localhost.localdomain localhost
The following is a correct example entry in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system
If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
If the /etc/hosts file has an entry with the 127.0.0.2 loopback address, the default IP certificate is created for the 127.0.0.2 loopback address.
To work around this issue, edit the /etc/hosts file if it has an entry with the 127.0.0.2 loopback address.
For example: 127.0.0.2 hostname.
Comment out that entry and make sure that the real IP address entry is present in the file.
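A check for both /etc/hosts conditions described above, added here as an example and not part of eDirectory: it flags lines that bind the server's hostname to a loopback address and confirms that a non-loopback entry for the hostname exists. The helper names and sample files are constructed; treating the IPv6 loopback ::1 the same way goes beyond what the text covers.

```shell
#!/bin/sh
# Added example: audit a hosts file for the loopback-alias problems described above.
# classify_host_entries and check_hosts are hypothetical helper names.

# Print "loopback <line> <addr>" or "real <line> <addr>" for each line naming the host.
classify_host_entries() {   # usage: classify_host_entries <hosts file> <hostname>
    awk -v host="$2" '
        BEGIN { short = tolower(host); sub(/\..*/, "", short) }
        {
            sub(/#.*/, "")                       # commented-out entries do not count
            for (i = 2; i <= NF; i++) {
                n = tolower($i); sub(/\..*/, "", n)
                if (n != short) continue
                # 127.0.0.0/8 per the text; ::1 is an added generalization
                kind = ($1 ~ /^127\./ || $1 == "::1") ? "loopback" : "real"
                print kind, NR, $1
                break
            }
        }
    ' "$1"
}

# Exit status: 0 = ok, 1 = hostname bound to loopback, 2 = no real address entry.
check_hosts() {   # usage: check_hosts <hosts file> <hostname>
    entries=$(classify_host_entries "$1" "$2")
    loop=$(printf '%s\n' "$entries" | grep '^loopback ' || true)
    if [ -n "$loop" ]; then
        echo "FAIL: $2 is bound to a loopback address in $1:"
        printf '%s\n' "$loop"
        return 1
    fi
    if ! printf '%s\n' "$entries" | grep -q '^real '; then
        echo "FAIL: no non-loopback address entry for $2 in $1"
        return 2
    fi
    echo "OK: $2 maps only to a non-loopback address in $1"
}

# Constructed sample: the problematic entry quoted in the text.
sample=$(mktemp)
echo "127.0.0.1 test-system localhost.localdomain localhost" > "$sample"
check_hosts "$sample" test-system || true
rm -f "$sample"
```

On a live server, call check_hosts /etc/hosts "$(hostname)" before configuring eDirectory or generating the default certificates.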
When the DIB is large, the DS takes time to come up and wrongly displays the following errors:
LDAP TCP Port is not listening
LDAP TLS Port is not listening
In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:
netstat -na
Deletion of a moved object might fail (error -637) in a tree with two or more servers.
For proper functioning of Identity Manager with eDirectory, increase the max stack size of the ndsd process by using the following command:
ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd
Ensure that the ndsd process is not running when you execute this command.
eDirectory does not generate a Logout event when you log out of iManager. This is because of a technical limitation in the client part of eDirectory.
Auditing applications can use NWDS APIs to receive logout events. Applications that use LDAP can monitor logout with unbind events.
TIME and TAGS tags are displayed as enabled (underlined), but not by default. When the TERM is set to VT100 or xterm from a Linux terminal, these tags are displayed as if they are enabled (underlined). This issue does not occur for any other term, such as dtterm.
eMBox does not handle double-byte characters for setting a roll-forward directory through the eMBox client and iManager. This can still be done by using DSBK.
On Solaris, a 64-bit eDirectory benefits by being able to grow beyond a 4 GB virtual address space. However, there might not be much performance improvement. In some scenarios, a 64-bit eDirectory might not perform as well as a 32-bit eDirectory.
On Solaris 10 64-bit, when you try to install the Novell International Cryptographic Infrastructure (NICI) package manually, the install throws the following error:
For 32-bit install: ln: cannot create /usr/lib/libccs2.so: File exists
For 64-bit install: ln: cannot create /usr/lib/sparcv9/libccs2.so: File exists
To resolve this issue:
Remove the links from the following directory:
For 32-bit: /usr/lib/
For 64-bit: /usr/lib/sparcv9/
Install the NICI 32-bit and 64-bit packages by using pkgadd.
Follow the same procedure for a non-root install where NICI needs to be installed manually.
If both non-root and root eDirectory are configured on the same machine, you cannot export the root eDirectory ndspath from a directory in which the non-root eDirectory is extracted.
For example, while exporting a path for a root eDirectory, if the non-root eDirectory path is /home/non-root/eDirectory/ and a user at /home/non-root/eDirectory/opt/ is exporting the path . /opt/novell/eDirectory/bin/ndspath, this ndspath script exports the path for the non-root eDirectory.
To resolve this issue, export the ndspath for root eDirectory from any directory other than the path extracted for the non-root eDirectory. For example, /home/non-root/eDirectory/opt/.
Moving a Dynamic Group object with dynamicgroup in the Object Class attribute to another container breaks the Dynamic Group functionality. After the move, queries and searches on dynamic members do not work.
On Linux 64-bit, when a user tries to start the subagent (ndssnmpsa) by using an incorrect eDirectory password, a segmentation fault error occurs.
To avoid getting this error, ensure that you use the correct eDirectory password while starting the subagent.
If you install eDirectory 8.8 SP6 or later on a Red Hat Enterprise Linux server with the YUM package manager installed, you may encounter an issue when using YUM.
YUM and eDirectory 8.8 both use the libexpat.so.0 library, and when you run YUM with one or more options, YUM returns an error in the console. To work around this error, use a text editor to comment out the following line in the /etc/ld.so.conf.d/novell-NDSbase.conf file and then run ldconfig:
/opt/novell/eDirectory/lib64
After commenting out the line and running ldconfig, ensure that you run the following command in a terminal window each time you start eDirectory:
source /opt/novell/eDirectory/bin/ndspath
Restart eDirectory using the same terminal. ndspath resolves the necessary path dependencies.
When you install eDirectory 8.8 SP6 or later, the installer automatically includes a more recent version of the JClient/DClient package than used by earlier versions of Identity Manager. If you have eDirectory and Identity Manager 3.5 or earlier installed in the same environment, compatibility issues with JClient/DClient stop Identity Manager from starting up successfully.
If you install eDirectory on a SUSE Linux Enterprise Server 11 SP2 server within a BTRFS filesystem, you may experience performance issues when performing LDAP operations or using the Novell Import Conversion Export Utility (ICE). For performance reasons, it is recommended that you use the ext3 filesystem for your eDirectory server.
SecretStore locks if you try to retrieve a forgotten password by logging in with user credentials and a wrong passphrase. You can unlock SecretStore with administrator rights, and the Novell SecureLogin client allows you to log in without a passphrase. If you try changing the passphrase, the login fails and returns an error.
When you try saving new credentials in SecretStore by using the iManager plug-in, a blank credential column displays because iManager fails to save the changes.
You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.
When you save an alternate credential set, SecretStore fails to retain the first set and only the latest credential set is visible.
You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.
Novell eDirectory 8.8 SP7 has the following documentation:
Novell eDirectory 8.8 SP7 What's New Guide
Novell eDirectory 8.8 SP7 Installation Guide
Novell eDirectory 8.8 SP7 Administration Guide
Novell eDirectory 8.8 SP7 Troubleshooting Guide
Novell eDirectory 8.8 SP7 Tuning Guide for UNIX Platforms
Novell XDASv2 Administration Guide for eDirectory, Identity Manager, and NMAS v1
These documents are available at the Novell eDirectory online documentation Web site.
The latest version of this Readme is available at the Novell eDirectory online documentation Web site.
For a full list of all issues resolved in Novell eDirectory 8.8, including all patches and service packs, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x.”
For iManager information, refer to the iManager online documentation.
For NMAS information, refer to the NMAS online documentation.
For Password Management information, refer to the Password Management online documentation.
For Certificate Server information, refer to the Certificate Server online documentation.
For NICI information, refer to the NICI online documentation.
For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.