NetIQ eDirectory 9.0 SP1 Release Notes

June 2016

NetIQ eDirectory 9.0 SP1 includes new features and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the eDirectory Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For a full list of all issues resolved in NetIQ eDirectory 9.x, including all patches and service packs, refer to TID 7016794, “History of Issues Resolved in NetIQ eDirectory 9.x”.

For more information about this release and for the latest release notes, see the Documentation Web site. To download this product, see the Product Upgrade Web site.

1.0 What’s New?

eDirectory 9.0 SP1 provides the following key features, enhancements, and fixes in this release:

1.1 Enhancements

This release introduces the following enhancements:

New XDAS Event for Trust Association

This release introduces support for trust association of a user or an identity with a group, or the trust association of two users in a domain-specific context for establishing a trust relationship. These events also relate to the association of identities within disparate authentication domains for federation purposes. There are two types of Trust Management events:

  • Associate Trust: This event is triggered when a new trust association is created.

  • De-Associate Trust: This event is triggered when an existing trust association is destroyed.

For more information, see Trust Management Events in the NetIQ eDirectory Administration Guide.

1.2 Updates for Dependent Components

In this release, the Java version has been updated to 1.8.0_92.

Upgrading the Java Version

No manual steps are required to update your current version of Java on either Linux or Windows platforms. After updating the service pack, the Java version will be 1.8.0_92.

1.3 Fixed Issues

eDirectory 9.0 SP1 includes the following software fixes that resolve several previous issues:

Resolved CLDAP SDK Vulnerability CVE-2015-3195

This patch updates eDirectory to resolve the CLDAP SDK vulnerability CVE-2015-3195. The OpenSSL libraries are now bundled with CLDAP SDK for both Linux and Windows. (Bug 961635)

eDirectory Displays an Error Message While Restoring an Object

Issue: eDirectory displays an error message while restoring a recently backed up object. This occurs because of a DClient version mismatch between the backup and the restore.

Fix: This issue is fixed. Now eDirectory handles the DClient version correctly between the backup and the restore. (Bug 964463)

Importing the Schema From the Remote Tree Fails When Attributes Have INTEGER64 Flag

Issue: The advanced option of the ndsrepair utility does not handle the INTEGER64 flag while importing a schema from a remote tree.

Fix: This release updates eDirectory to check for the INTEGER64 flag and retain the syntax (octet string) of the imported attribute. (Bug 938888)

Search For a Dynamic Group Returns Incomplete Result

Issue: When you search for a dynamic group, the search result does not return all the members of the dynamic group when the group members are distributed across multiple servers. This occurs because eDirectory does not store the referrals before returning the results to the LDAP server.

Fix: This release updates eDirectory to store and follow the referrals properly and correctly return all the members of a dynamic group when they are searched. (Bug 944373)

Using UID as a Naming Attribute Results in a Failed LDAP Password Modify Extended Operation

Issue: eDirectory crashes due to buffer overflow when the DN contains the UID attribute.

Fix: This release updates eDirectory to avoid the buffer overflow. (Bug 954030)

eDirectory Crashes in nldap During DoLBURPOperation

Issue: eDirectory crashes while converting the values of the LDAP attributes to the NDS attribute format due to buffer overflow.

Fix: This release updates eDirectory to handle the memory allocation more effectively to prevent crashing. (Bug 965036)

eDirectory Crashes During the LDAP Password Modify Extended Operation

Issue: eDirectory crashes while using the LDAP Password Modify Extended Operation due to buffer overflow.

Fix: This release updates eDirectory to avoid the buffer overflow. (Bug 967433)

Heavy Write Requests Cause LDAP Server Memory Issues

Issue: The LDAP servers become unresponsive under heavy load of write requests when eDirectory runs out of file descriptors. This occurs because the file descriptors are not closed after being removed from the file descriptor’s pool.

Fix: This release updates eDirectory to close the file descriptors after they are removed from the pool. This improves the performance of the LDAP servers. (Bug 961773)

eDirectory Upgrade Fails When Locale is Set to Japanese

Issue: Upgrading eDirectory to version 8.8 SP8 Patch 8 fails when the locale is set to Japanese. You will also not be prompted for authentication during upgrade.

Fix: This release updates eDirectory to resolve this issue. (Bug 955508)

Index Type Mismatch For ldapAttributeList Attribute

Issue: The index type for the ldapAttributeList attribute does not match on different servers for the same index with the same set of data.

Fix: This release updates eDirectory to check for index type changes and update the changes in the index definition attribute. (Bug 932501)

The LDAP Server Plug-In Does Not Reload nldap When a Cipher Is Changed

Issue: The LDAP server plug-in does not refresh or prompt you to reload the nldap module when a cipher is changed.

Fix: This release updates eDirectory to display a warning message that prompts you to reload the nldap module when a cipher is changed. (Bug 870756)

httpKeyMaterialObject Attribute is Changed to SSL CertificateDNS While Using a 3rd Party Certificate

Issue: The httpKeyMaterialObject attribute value is changed to SSL CertificateDNS after upgrading eDirectory. This occurs when a 3rd party certificate is set as the attribute value instead of the SSL CertificateDNS.

Fix: This release updates eDirectory to resolve this issue. (Bug 957819)

1.4 Supported Upgrade Paths

To upgrade to eDirectory 9.0 SP1, you need to be on eDirectory 8.8.8.x or above. For more information on upgrading eDirectory, see the NetIQ eDirectory Installation Guide.

2.0 System Requirements

For information about prerequisites, hardware requirements, and supported operating systems, see the NetIQ eDirectory Installation Guide.

NOTE: This version of eDirectory supports Identity Manager 4.5 SP4. For more information, see NetIQ Identity Manager 4.5 Service Pack 4 Release Notes.

3.0 Installing or Upgrading

To upgrade to eDirectory 9.0 SP1, you need to be on eDirectory 8.8.8.x or 9.0. For more information on upgrading eDirectory, see the NetIQ eDirectory Installation Guide.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of the known issues in eDirectory 9.0, refer to the Known Issues section in the respective release notes.

4.1 iMonitor Allows Only Medium Strength Ciphers By Default

Issue: Most recent browsers support high strength ciphers, but iMonitor still allows only medium strength ciphers by default.

Workaround: Configure the HTTP service to allow high strength ciphers by default to provide a more secure iMonitor experience.

4.2 nds-cluster-config Utility is Moving the eDirectory Configuration Files to a Shared Location

Issue: The nds-cluster-config utility moves the eDirectory configuration files to a shared location instead of the default directory (/etc/opt/novell/eDirectory/conf), resulting in an unstable eDirectory cluster configuration.

Workaround: Manually copy the configuration files to the default directory and to all other directories where the configuration files are required to run the eDirectory cluster configuration successfully. To move the configuration files, perform the following steps:

  • Manually delete the /etc/opt/novell/eDirectory/conf directory.

  • Create the /etc/opt/novell/eDirectory/conf directory and copy the nds.conf file from the shared location into the /etc/opt/novell/eDirectory/conf/ directory.

  • Change the value of parameter n4u.server.configdir to /etc/opt/novell/eDirectory/conf in the /etc/opt/novell/eDirectory/conf/nds.conf file.

  • Replace the content of /etc/opt/novell/eDirectory/conf/.eDir/instance.0 with the eDirectory configuration file path, that is, /etc/opt/novell/eDirectory/conf/nds.conf.

  • (Conditional) On SLES 12 and later, perform the following steps:

    1. Navigate to /usr/lib/systemd/system and search for the ndsdtmpl-database-conf-nds.conf file in the directory.

    2. Move the service from ndsdtmpl-database-conf-nds.conf to ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf.

      In this command, database is the name of your shared folder.

  • Start eDirectory by using ndsmanage.

NOTE: You must follow the above steps to move the configuration files to the default path after executing the nds-cluster-config command on the second node as well.
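
The file-level steps of this workaround (recreate the default directory, copy nds.conf, set n4u.server.configdir, rewrite instance.0) can be scripted as below. This is an added example, not a NetIQ script: the function names and the optional ROOT prefix argument are hypothetical, and nds.conf is assumed to hold key=value lines.

```shell
#!/bin/sh
# Added example, not NetIQ's script. CONF_REL is the default path from the page.
CONF_REL=/etc/opt/novell/eDirectory/conf

# relocate_nds_conf SHARED_DIR [ROOT]
# ROOT is a hypothetical path prefix so the steps can be rehearsed in a
# scratch tree; omit it on a real cluster node.
relocate_nds_conf() {
    shared_dir=$1
    conf_dir=${2:-}$CONF_REL

    # Refuse to continue if the source is missing or is the directory
    # that is about to be deleted.
    if [ ! -f "$shared_dir/nds.conf" ] || [ "$shared_dir" = "$conf_dir" ]; then
        echo "relocate_nds_conf: unusable shared location: $shared_dir" >&2
        return 1
    fi

    # Delete and recreate the default directory, then copy nds.conf into it.
    # .eDir is recreated because the delete above removes it as well.
    rm -rf "$conf_dir"
    mkdir -p "$conf_dir/.eDir"
    cp -p "$shared_dir/nds.conf" "$conf_dir/nds.conf"

    # Set n4u.server.configdir to the default directory (key=value assumed),
    # appending the key if the copied file does not carry it.
    sed "s|^n4u\.server\.configdir=.*|n4u.server.configdir=$CONF_REL|" \
        "$shared_dir/nds.conf" > "$conf_dir/nds.conf"
    grep -q '^n4u\.server\.configdir=' "$conf_dir/nds.conf" ||
        echo "n4u.server.configdir=$CONF_REL" >> "$conf_dir/nds.conf"

    # instance.0 holds the path of the instance's nds.conf.
    echo "$CONF_REL/nds.conf" > "$conf_dir/.eDir/instance.0"
}

# verify_relocation [ROOT]: succeeds only if both files point at the default path.
verify_relocation() {
    conf_dir=${1:-}$CONF_REL
    grep -qx "n4u.server.configdir=$CONF_REL" "$conf_dir/nds.conf" &&
        [ "$(cat "$conf_dir/.eDir/instance.0")" = "$CONF_REL/nds.conf" ]
}
```

The SLES 12 service rename and the ndsmanage start are left as manual steps; run verify_relocation on each node before starting eDirectory.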

4.3 eDirectory Crashes After Upgrading to the Latest Version With the 2836 SAML NMAS Method

Issue: eDirectory crashes after upgrading to the latest version using the 2836 SAML NMAS methods. This occurs due to the unloading of the older method by the NMAS server to load the new method.

Workaround: A new configuration option is provided with the new SAML NMAS method (2837) which allows the latest version of the nmasinst utility to load the new method only after restarting the eDirectory server.

4.4 Restricted Functionality of XDAS Audit Events

Issue: The Modify Account, Modify Role and Create Role events are not fully functional in this release. If these three events are enabled, the Modify Data Item Attribute event is not thrown for XDAS auditing.

Workaround: You must disable the Modify Account, Modify Role and Create Role events to audit the generic Add Value and Delete Value events. You can also interpret the data from the Modify Data Item Attribute event for the Modify Account, Modify Role and Create Role events.

5.0 Additional Documentation

5.1 Revamped Documentation

The eDirectory documentation has been revamped. Content from NMAS Administration Guide, Password Management Guide, and Certificate Server Guide is now part of the eDirectory Administration Guide. Use the following links to access these chapters in the eDirectory Administration Guide:

5.2 iManager

For iManager information, refer to the iManager online documentation.

5.3 Novell International Cryptographic Infrastructure (NICI)

The NICI Administration Guide is included in the eDirectory documentation page.

5.4 eDirectory Issues on Open Enterprise Server (UNIX only)

For more information on eDirectory issues on Open Enterprise Server (OES), see OES Readme.

6.0 Legal Notices

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.