Novell Identity Manager 4.0.2 Readme

June 2012

This document contains the known issues for Novell Identity Manager 4.0.2.

1.0 Known Issues

The following sections provide information on known issues at the time of the product release.

1.1 Identity Manager 4.0.2 Framework Installer Issues

You might encounter the following issues during the installation of the Identity Manager framework installer:

1.1.1 On Windows, the Identity Manager 4.0.2 framework installer does not place the installation files in the specified location if the path contains spaces

Ensure that the specified path doesn’t contain any spaces.

1.1.2 The Linux/UNIX Bidirectional driver cannot be installed in a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager 4.0.2 framework installer reports an error.

1.1.3 The Identity Manager installer downgrades the Platform Agent if the existing version of Platform Agent is higher than 2.02-62

If Platform Agent is already installed on a machine where you are installing Identity Manager 4.0.2, the Identity Manager installer replaces it. However, if the Platform Agent version installed on the system is higher than 2.02-62, it is downgraded to version 2.02-62.

To work around this issue, reinstall the latest version of Platform Agent after the Identity Manager installation is complete.

1.2 Identity Manager 4.0.2 Integrated Installer Issues

You might encounter the following issues when you use the Identity Manager integrated installer:

1.2.1 The Identity Manager 4.0.2 integrated installer fails to install on Windows when you use UNC paths

You cannot use UNC paths for installation and configuration when you use the Identity Manager 4.0.2 integrated installer (for example, \\myserver\share\Identity_Manager_4.0.2_Windows_Enterprise).

To work around this issue, create an actual mapped drive.

1.2.2 No server health check before secondary server addition

The integrated installer does not perform a health check before the secondary server addition.

You must run the ndscheck command if you are adding a secondary server through the integrated installer. On Windows, run the ndscheck command from the <install location>\NDS folder. On Linux/Solaris, run it from the /opt/novell/eDirectory/bin/ndscheck directory. Specify the mandatory parameters and run the command as follows:

ndscheck [-h <hostname port>] [-a <admin FDN>] [-w <password>]

NOTE: Running the ndscheck command on Windows causes eMbox warnings to display on the screen. Do not treat these warnings as a health check failure. It is safe to ignore them.

1.2.3 The RBPM and Identity Reporting Module configuration fails on RHEL 5.7 or later

The configuration fails with an exit value of 13. For a successful configuration of RBPM and Identity Reporting Module, ensure that the number of open connections for the server is increased from a default value of 1024 before configuration is started.

To increase the open connections up to 4096, execute the ulimit -n 4096 command in the terminal where the configuration is invoked. Ensure that your console terminal shows open files (-n) 4096 when you run the ulimit -n command.

1.2.4 The authsamlProviderID attribute is not created for the SAML authorization object on Windows

This attribute is not listed under Valued Attributes in iManager. To work around this issue, perform the following steps:

  1. Select authsamlProviderID in the Unvalued Attributes list and move it to the Valued Attributes list by clicking on the left arrow.

  2. In the input field, enter a value in the following format:

    cn=<Name of the SAML Object>

    For example:


This behavior occurs only on the Windows server platform when Access Manager creates the SAML authorization object.

1.2.5 A warning is displayed when installation, configuration, or uninstallation is invoked on Solaris

This warning is displayed only on Solaris. It is safe to ignore the warning and continue with the installation.

1.3 Remote Loader

You might encounter the following issues when you use the Remote Loader:

1.3.1 The audit events are not generated if 32-Bit and 64-Bit Remote Loaders coexist

If you choose to have both a 32-bit and a 64-bit Remote Loader on the same machine, the audit events are generated only with the 64-bit Remote Loader. Events are not logged to the lcache file with the 32-bit Remote Loader.

When 32-bit and 64-bit Remote Loaders are installed together, the events are logged to the 64-bit lcache and the 32-bit Remote Loader fails to log audit events. It displays the "Agent already running error" error message.

However, if a 64-bit Remote Loader is installed before installing a 32-bit Remote Loader, the events are logged to the 32-bit lcache, which prevents the 64-bit Remote Loader from logging events. The 32-bit and 64-bit lcaches don’t work on the same machine.

To work around this issue, don't install both 32-bit and 64-bit Remote Loaders on the same machine.

1.3.2 When a 32-bit Remote Loader 4.0 is upgraded to 64-bit 4.0.2 Identity Manager, the upgrade process does not clean the 32-bit 4.0.0 packages

When a 32-bit Remote Loader 4.0 is upgraded to 64-bit 4.0.2 Remote Loader, the upgrade process does not clean the following 32-bit 4.0.0 packages:

  • novell-DXMLbase-4.0.0-20100929

  • novell-DXMLedir-4.0.0-20100929

  • novell-DXMLgw-3.5.3-20100405

  • novell-DXMLrdxml-4.0.0-20100929

  • novell-edirectory-expat-32bit-8.8.6-8

  • novell-edirectory-xdaslog-32bit-8.8.6-8

  • novell-NOVLjvml-4.0.0-20100929

1.4 Drivers

You might encounter the following issues as you use the Identity Manager drivers:

1.4.1 Cannot select options when creating or configuring a driver on Linux in Designer

At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:

  1. Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.

  2. Release the left mouse button to select the option.

1.5 Identity Reporting Module

You might encounter the following issues when you use the Identity Reporting Module:

1.5.1 Removal of extended attributes does not reflect in the extended attributes table

If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table.

1.5.2 You cannot navigate to Today in the Calendar when the display option is set to 1 week

In Firefox, if the Display Options on the Calendar page are set to show 1 week, clicking Today displays a day one week ahead of today.

To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This issue does not occur in Internet Explorer.

1.5.3 The Reporting Module installation sometimes overwrites the logevent.conf file

Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:

  1. There is already a logevent.conf file in /etc/ directory.

  2. EAS is installed on the same machine.

  3. During the reporting installation, you replace the value of localhost and enter the machine's actual IP address for the EAS server.

To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.

1.5.4 The Reporting Module installation does not write the PostgreSQL JDBC JAR successfully when EAS is remotely installed

If EAS is remotely installed and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, ensure that the /opt/novell directory exists before beginning the installation.

1.5.5 A valid certificate is not converted when an application is added to the Reporting Module

This problem has only been observed on WebSphere.

When you add an application in the Reporting Module, you might notice that a valid certificate is not properly converted. The following actions might cause this problem to occur:

  1. Log in to the Identity Reporting Module with valid credentials.

  2. Navigate to the Applications page and click the Add Application button.

  3. Fill in all the mandatory fields and browse for the certificate by selecting the SSL check-box and clicking Test.

The certificate should be converted, but this does not occur.

To work around this issue, copy and paste the content of the certificate into the text area on the form.

1.5.6 Frequency cannot be modified in a schedule

You cannot modify the frequency of a schedule. To change the frequency (from week to month, for example), delete the schedule and create a new one.

1.5.7 Downloading an RPZ file by using Internet Explorer might change the file extension to ZIP

In the Identity Reporting Module, if an .rpz file is downloaded by using the Internet Explorer browser, the file might change its extension from .rpz to .zip. This change does not cause any issues. The Reporting Module correctly handles the upload and import of the reports with the .zip file extension. This issue is not reported on Firefox.

1.5.8 Internet Explorer displays a warning when accessing reporting in HTTPS

If you use Internet Explorer browser in HTTPS to access the Reporting Module, the following pop-up message is displayed:

Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

If you select Yes, the login screen for the Reporting Module does not appear. You must select No. The behavior is observed because the download site for the new reports only supports the HTTP protocol. The link to that site is constructed if you use http://. This behavior is not observed with Firefox.

1.6 Roles Based Provisioning Module

You might encounter the following issues when you use the Roles Based Provisioning Module:

1.6.1 Copying text in the Detail portlet displays an error message

In Firefox or Dojo, if you attempt to copy text in the Detail portlet, an error message is displayed.

The following actions cause this message to appear:

  1. Log in to the User application as administrator and go to the Administration tab.

  2. Click Portlet Admin > Detail Portlet in Portlet Applications.

  3. Click Preferences > View/Edit custom Preferences > continue.

  4. Click the HTML Layout edit icon and enter some sample text, such as “TEST”.

  5. Select the text and click the Copy icon.

If you follow these steps, you see the following error message:

“Exception... "Access to XPConnect service
denied"  code: "1011" nsresult: "0x805303f3
Line: 531" ” when clicked on Copy button.

You might also see this message when performing cut and paste operations.

1.6.2 RBPM reports have been deprecated

The Roles Based Provisioning Module reports provided under Reports on the Roles and Resources tab have been deprecated from Identity Manager 4.0 onwards. These reports will be removed in a future release.

1.6.3 A newly created user with special characters in the name cannot log in to the User Application

On WebSphere, if you create a new user with special characters in the name, the user cannot log in to the User Application. For example, if you create a user as /Test// from the Create Users and Groups page, an error is displayed when the new user tries to log in to the User Application.

1.6.4 Content for the User Application driver is missing trustees for Attestation Reports

If you redeploy the User Application driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are deleted and no one can execute the report. This is because the trustees are added to the Attestation Report provisioning request definitions when the User Application starts. Because Designer does not know about the trustees, an attempt to redeploy the User Application driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.

1.6.5 PostgreSQL does not support number format of Simplified Chinese

If you install PostgreSQL on a server that is set up with Simplified Chinese as the number format (by using Control Panel -> Clock, Language, and Region -> Region and Language -> Formats tab -> Format -> Chinese, Simplified, PRC), PostgreSQL does not install successfully. Ensure that the Simplified Chinese number format is changed on the server where you are installing PostgreSQL.

1.6.6 Association Description is required for the default language when assigning resources to roles

When the User Application is accessed in a language other than the default language (for example, accessing in Spanish while the default language is set to English), if a resource is added to a role, ensure that a value is supplied for the default language in the Association Description field. To do this, press the Localization button after the Association Description field and enter a value in the language that is marked with the * (the default language). If a value is not entered for the default language, you get an error and you cannot add the resource to the role.

1.6.7 A role request can be approved or denied after the role has been deleted

If an administrator deletes a role that requires a workflow after a user has made a role request, the workflow addressee for the role request still sees the workflow in the Task List and is able to approve or deny the request.

1.6.8 Accessing Web service links throws a null pointer exception on WebSphere 7

When the User Application is deployed on WebSphere 7, if you access a Web Service home page either directly or from the Administration page, you see a broken image on the page. It also throws a java.lang.NullPointerException in the SystemOut.log file. However, there is no loss of functionality. You can still download the WSDL file and use the Web Services.

1.6.9 Database schema is updated every time the User Application starts up

If you create the tables for the User Application during installation, you might still see messages in the log that indicate that the database is being updated at start-up time when you start the User Application. This is caused by a limitation in Liquibase 2.0.1.

To work around this issue, set the create-db-on-startup parameter to false in the web.xml file, as shown below:


1.6.10 Novell does not provide support for the components installed by the JBossPostgreSQL utility

Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third-party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for these components, beyond what is outlined in the RBPM documentation.

1.7 Role Mapping Administrator Module

You might encounter the following issue as you use Role Mapping Administrator.

1.7.1 Authorizations are lost when changes are made to the active profile

When you make changes to the active profile in the Role Mapping Administrator configuration page, all the cached authorizations are cleared from the database. You must reload the authorizations after changes are made to the active profile. For more information, see loading authorizations in the Identity Manager Role Mapping Administrator 4.0.2 User Guide.

1.8 iManager

You might encounter the following issues as you use iManager:

1.8.1 Internet Explorer 7 continually prompts for access to the Clipboard

When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Click the Security tab, then click Custom Level.

  3. Click Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

1.8.2 iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.

1.9 Identity Manager 4.0.2 Framework Uninstallation

You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.

1.9.1 Identity Manager 4.0.2 framework uninstallation does not remove all the folders from the installation directory

On Windows, the jar files from the lib directory are not removed. On Solaris, the DXMLnotes.pkg is not removed. You need to remove them manually.

1.9.2 On Windows, Identity Manager 4.0.2 framework uninstallation log files are not created in the Uninstall folder

The uninstall log files are created in the temp directory.

1.10 Identity Manager 4.0.2 Integrated Uninstallation

1.10.1 On Windows, the Identity Vault uninstallation hangs in silent mode

The Identity Vault uninstallation hangs when you run the nds-uninstall command.

To successfully uninstall the Identity Vault:

  1. Stop the DHost from the Task Manager.

  2. Start the NDS service.

  3. Start the uninstallation program.

1.10.2 The integrated uninstaller does not remove JBoss and PostgreSQL

For more information on uninstalling the Roles Based Provisioning Module, refer to uninstallation details in the Identity Manager Roles Based Provisioning Module 4.0.2 User Application: Installation Guide.

1.10.3 On Windows, the integrated uninstaller does not completely clean the installation folder

The following command might fail with an exit value of 1:

cmd /c copy
"C:\Program Files (x86)\Novell\Identity

The uninstaller does not remove the <Install> and the <system drive>\Novell\conf folders.

To work around this issue, manually remove these folders.

1.11 Localization

1.11.1 On Windows, the Identity Manager 4.0.2 installers contain corrupt characters in the Console Mode

If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager 4.0.2, the installer displays corrupt characters during installation.

If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows.

For the characters to display correctly, ensure that you change the default font of your Windows machine to Lucida Console by using the following steps before installing Identity Manager:

  1. Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the OEMCP value from 850 to 1252.

    For Russian, change the OEMCP value from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage directory.

  2. Go to Start > Run, type cmd in the Open text box, then press Enter to launch the command prompt.

  3. Right-click the title bar of the cmd window to open the pop-up menu.

  4. Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.

  5. Click the Font tab and change the default font from Raster to Lucida Console (TrueType).

  6. Click OK.

  7. Restart the machine.

1.11.2 Error message displays when Identity Manager is installed on Russian Windows 2008 SP2

A Microsoft Visual C++ 2005 Redistributable error message displays when Identity Manager is installed on Russian Windows 2008 SP2. When you click OK in the error message, the installation completes successfully.

To avoid this error, visit the Microsoft support site and run the steps specified in the Let me fix it myself section of the online page.

1.12 RHEL 6.0 Issues

1.12.1 Identity Manager installation fails on RHEL 6.0

Ensure that you install the following libraries before installing Identity Manager on RHEL 6.0:

  • For GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. libXau-1.0.5-1.el6.i686.rpm

      2. libxcb-1.5-1.el6.i686.rpm

      3. libX11-1.3-2.el6.i686.rpm

      4. libXext-1.1-3.el6.i686.rpm

      5. libXi-1.3-3.el6.i686.rpm

      6. libXtst-

      7. glibc-2.12-1.7.el6.i686.rpm

      8. libstdc++-4.4.4-13.el6.i686.rpm

      9. libgcc-4.4.4-13.el6.i686.rpm

      10. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      11. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

  • For Package Install on RHEL 6.x: Before invoking the Identity Manager installer, you must manually set up a repository for the installation media.

    1. (Conditional) If you are copying the ISO to the server, run the following command:

      # mount -o loop <path to iso> /mnt/rhes62

    2. (Conditional) If you are copying to a CD or a DVD, and to the server, run the following command:

      # mount /dev/cdrom /mnt/rhes62

    3. (Conditional) If you have mounted the ISO, create a repository file in the /etc/yum.repos.d location and perform the following configuration steps:

      name=RedHat Enterprise  $releasever - $basearch

    4. (Optional) If you are using an installation server, configure the following in vi /etc/yum.repos.d/rhes.repo:

      name=RedHat Enterprise  $releasever - $basearch
      baseurl=<url to the installation source>

    5. Run the following commands after setting up the repository:

      # yum clean all
      # yum repolist
      # yum makecache

    6. To install the 32-bit packages, change “exactarch=1” to “exactarch=0” in the /etc/yum.conf file.

    7. Install the GPG key by using the rpm --import <path / url to RPM-GPG-KEY-redhat-release> command:

      # rpm --import /mnt/rhes62/RPM-GPG-KEY-redhat-release

      # rpm --import http://<url>/RPM-GPG-KEY-redhat-release

    8. (Optional) To install the required packages for Identity Manager 4.x, execute the following script:

      # Install each required 32-bit package in turn
      PKGS="libXau.i686 libxcb.i686 libX11.i686 libXext.i686 libXi.i686 libXtst.i686
      glibc.i686 libstdc++.i686 libgcc.i686 compat-libstdc++-33.i686"
      for PKG in $PKGS ; do
          yum -y install "$PKG"
      done

      NOTE: The script cannot locate the compat-libstdc++-33.x86_64 library in the 32-bit repository unless you have modified the 64-bit repository and installed the RPM separately.

  • For Non-GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. glibc-2.12-1.7.el6.i686.rpm

      2. libstdc++-4.4.4-13.el6.i686.rpm

      3. libgcc-4.4.4-13.el6.i686.rpm

      4. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      5. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

NOTE: Ensure that the unzip rpm is installed before installing Identity Manager. This is applicable for all Linux platforms.
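
The Package Install preparation steps above (repository file, exactarch change, GPG key, package list), as an added example that is not taken from the Readme: shell functions that stage the files in a directory you name so they can be reviewed before anything is copied into /etc. The rhes62-media section id, the file:// baseurl layout and the function names are assumptions; gpgcheck=1 with a gpgkey line keeps package signature verification on for the media repository.

```shell
#!/bin/sh
# Added example (not from the Readme). Assumed names: the "rhes62-media"
# section id, the file:// baseurl layout, and all function names.

MOUNT_POINT=/mnt/rhes62   # mount point used in the Readme's commands
# Packages listed in the Readme's install script (step 8).
REQUIRED_PKGS="libXau.i686 libxcb.i686 libX11.i686 libXext.i686 libXi.i686
libXtst.i686 glibc.i686 libstdc++.i686 libgcc.i686 compat-libstdc++-33.i686"

# write_media_repo <repo_dir>
# Step 3: write rhes.repo for the mounted media, with signature checking
# enabled and pointed at the key that step 7 imports.
write_media_repo() {
    repo_dir=$1
    mkdir -p "$repo_dir" || return 1
    cat > "$repo_dir/rhes.repo" <<EOF
[rhes62-media]
name=RedHat Enterprise \$releasever - \$basearch
baseurl=file://$MOUNT_POINT
enabled=1
gpgcheck=1
gpgkey=file://$MOUNT_POINT/RPM-GPG-KEY-redhat-release
EOF
}

# repo_is_verified <repo_file>
# Succeeds only if the file turns gpgcheck on, names a key, and never sets
# gpgcheck=0 in any section.
repo_is_verified() {
    grep -q '^gpgcheck=1[[:space:]]*$' "$1" || return 1
    grep -q '^gpgkey=' "$1" || return 1
    ! grep -q '^gpgcheck=0' "$1"
}

# allow_multilib <yum_conf>
# Step 6: change exactarch=1 to exactarch=0 and nothing else. The original
# is kept as <yum_conf>.bak so the setting can be restored afterwards.
allow_multilib() {
    [ -f "$1" ] || return 1
    cp -p "$1" "$1.bak" || return 1
    sed 's/^exactarch=1[[:space:]]*$/exactarch=0/' "$1.bak" > "$1"
}

# missing_packages <installed_list>
# Prints each required package absent from a file of "name.arch" lines, e.g.
# one produced with: rpm -qa --qf '%{NAME}.%{ARCH}\n'
missing_packages() {
    for pkg in $REQUIRED_PKGS; do
        grep -qxF "$pkg" "$1" || printf '%s\n' "$pkg"
    done
}

# Demo on scratch copies only; nothing under /etc is touched.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    printf '[main]\nexactarch=1\n' > "$scratch/yum.conf"   # constructed sample
    write_media_repo "$scratch/yum.repos.d"
    allow_multilib "$scratch/yum.conf"
    repo_is_verified "$scratch/yum.repos.d/rhes.repo" && echo "repo: gpgcheck on"
    cat "$scratch/yum.repos.d/rhes.repo" "$scratch/yum.conf"
    rm -rf "$scratch"
fi
```

Run it with the demo argument to see the staged files, and restore exactarch from the .bak copy once the 32-bit packages are installed if you do not want the relaxed architecture matching to persist.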

1.12.2 After Identity Manager 4.0.2 installation, JBoss does not automatically start when the system is rebooted

To work around this issue, manually start JBoss after system reboot.

1.12.3 After Identity Manager 4.0.2 installation, the Role Mapping Administrator service does not automatically start

To work around this issue, manually start the Role Mapping Administrator service after completing the Identity Manager 4.0.2 installation.