NetIQ eDirectory 9.0 includes new features and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the eDirectory Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.
For a full list of all issues resolved in NetIQ eDirectory 9.x, including all patches and service packs, refer to TID 7016794, “History of Issues Resolved in NetIQ eDirectory 9.x”.
For more information about this release and for the latest release notes, see the Documentation Web site. To download this product, see the Product Upgrade Web site.
eDirectory 9.0 provides the following key features, enhancements, and fixes in this release:
This release introduces the following new features:
This release introduces support for configuring the eDirectory components to use the cryptographic algorithms that Suite B mandates. The Suite B algorithms ensure the security of classified and unclassified information passed through public networks. For more information, see Configuring eDirectory in Suite B Mode in the NetIQ eDirectory Administration Guide.
IMPORTANT: The Suite B standard is subject to change. Be aware that the NSA (National Security Agency) may change its recommendations in the future. Suite B support in eDirectory 9.0 is based on our interpretation of NSA recommendations.
This release introduces a standards-based background authentication mechanism called Enhanced Background Authentication (EBA) for single sign-on authentication with eDirectory. This mechanism enables you to overcome the limitations of proprietary background authentication material.
Using EBA, eDirectory issues users an X.509 certificate as the background authentication material and the background authentication protocol uses TLS version 1.2 for mutual authentication. EBA is disabled by default. To enable it, see Enabling Enhanced Background Authentication in the NetIQ eDirectory Administration Guide.
eDirectory 9.0 leverages the Federal Information Processing Standards (FIPS) 140-2 compliant features to meet the security requirements of U.S. Federal agencies and customers with highly secure environments. For more information, see Operating eDirectory in FIPS Mode in the NetIQ eDirectory Installation Guide.
eDirectory now provides you the flexibility for controlling proxy authorization through the LDAP protocol as specified in RFC 4370. The proxied authorization control allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection. The feature provides a mechanism for specifying an authorization identity on a per-operation basis, benefiting clients that need to perform operations efficiently on behalf of multiple users.
This release introduces an LDAP search method for retrieving the real time statistics for eDirectory subsystems and background processes such as Threadpool, Connection Table, Dclient, DS Agent, and LDAP Server. By using this common interface, you can monitor the status of eDirectory modules and operations. eDirectory supports this feature on LDAP protocol and only an LDAP client can place requests for monitoring data. For more information, see Monitoring eDirectory in the NetIQ eDirectory Administration Guide.
In the past, if you searched for an eDirectory attribute whose automatic movement to the Attribute Container was in progress, the LDAP search displayed a 6029 error for that attribute. While automatic containerization of attributes worked well for small deployments, it was time consuming for large deployments. eDirectory 9.0 provides you the flexibility of scheduling the attribute movement. You first view the attributes that are ready to be moved and then schedule their movement at your convenience. For more information, see FLAIM Attribute Containerization in the NetIQ eDirectory Tuning Guide.
The Nested Groups feature is enhanced to allow a dynamic group or a nested group to be a member of another dynamic or nested group, nested to many levels. It is also possible to assign ACL rights to the member objects of the nested groups.
This release introduces the following enhancements:
This release improves the performance of searching a large number of nested groups that do not have any nested group members associated with them.
To communicate among various servers, eDirectory uses NetWare Core Protocol (NCP) as the communication protocol. In previous releases, NCP allowed a maximum packet size of 64 KB, which limited the maximum throughput when data was transferred over NCP. This release improves the ability of NCP to handle packet sizes of up to 1 MB, which enables eDirectory to synchronize up to 1 MB of data in a single packet. eDirectory starts synchronizing with a 64 KB packet size and increases the packet size based on the remaining data to be synchronized. This significantly improves the replication performance.
This release maximizes CPU utilization, which significantly reduces the time taken to rebuild the change cache.
In previous releases, eDirectory accumulated data changes for five minutes or longer before data synchronization was scheduled. With eDirectory 9.0, data synchronization is scheduled immediately after the data transaction completes successfully.
In this release, the Janitor thread is enhanced to process the ACLs sequentially from the partitions. This enables the Janitor thread to immediately release the DIB lock after processing the ACLs from a partition. When the DIB is optimally locked, it remains available for other operations resulting in improved performance. For more information about inherited ACLs, see eDirectory Rights in the NetIQ eDirectory Administration Guide.
Nested Members Are Excluded From the Dynamic Group Member Attribute
SSL CertificateDNS Is Not Always Used for httpkeymaterialobject Attribute of the HTTP Server Object
Unable To Configure Or Start eDirectory On SLES and RHEL Platforms When IPV6 Is Disabled
Prolonged Member Search Time When baseDN Includes A Large Number Of Groups
Simple Bind With No Password Is Considered As Anonymous Bind
Wrong Value of ldapConfigVersion Attribute Causes eDirectory Upgrade Failure
ndstrace Incorrectly Truncates Milliseconds in the Timestamp
Issue: After changing the rights on the user object, the user is not able to log in to iMonitor without restarting eDirectory.
Fix: This issue is resolved. Users can successfully log in to iMonitor after rights are changed on the user objects.
Issue: After creating a dynamic group, if you query a nested group, the nested members are not listed in the Member attribute of the dynamic group except those who have direct memberships to the nested group.
Fix: This release updates eDirectory to include the nested members in the Member attribute of the dynamic group.
Issue: SSL Certificate DNS is used as a default certificate for the httpkeymaterialobject attribute of the HTTP server object. However, this certificate is not always selected for the httpkeymaterialobject attribute of the HTTP server object during eDirectory installation.
Fix: This release resolves this issue. This certificate is automatically selected for the httpkeymaterialobject attribute during eDirectory installation.
Issue: You cannot configure eDirectory or start an already configured eDirectory on SLES and RHEL platforms if IPV6 is disabled through sysctl.
Fix: This release updates eDirectory to resolve this issue.
Issue: Querying for members takes more time than usual when baseDN includes a large number of groups.
Fix: This issue is fixed. eDirectory is optimized to improve the performance of the member query.
Issue: eDirectory treats a simple bind with no password as an anonymous bind.
Fix: This release resolves this issue. eDirectory now differentiates between a simple bind with no password and an anonymous bind.
Issue: eDirectory sets a 32-bit limit on the length of the substring index and considers an underscore as white space. When you query the substring index, the query does not return the desired result if an attribute has a value greater than 32 bits and contains an underscore.
Fix: This release updates eDirectory to resolve this issue.
Issue: eDirectory crashes immediately after starting due to invalid entries in the nds.conf file.
Fix: This release updates eDirectory to start without crashing.
Issue: eDirectory upgrade fails due to the wrong value in the ldapConfigVersion attribute.
Fix: This release resolves this issue. The ldapConfigVersion attribute now includes the correct value and eDirectory upgrades successfully.
Issue: ndstrace truncates the milliseconds in the timestamp when the first digit of the milliseconds in the time stamp is a zero. It does not print the zero.
Fix: This issue is fixed. ndstrace no longer truncates milliseconds in the timestamp.
Issue: ndstrace with +LDAP displays non-critical messages when LDAP Trace options are set to display critical error messages.
Fix: This release resolves this issue. ndstrace is enhanced to display error messages according to the specified trace options.
Issue: XDAS auditing fails over SSLv3 with Sentinel 7.3.1.0. This issue occurs because this version of Sentinel no longer supports SSLv2 and SSLv3.
Fix: This issue is fixed. XDAS is updated to use SSLv23 to audit events to Sentinel 7.3.1.0.
For information about prerequisites, hardware requirements, and supported operating systems, see the NetIQ eDirectory Installation Guide.
IMPORTANT: eDirectory 9.0 does not support Identity Manager 4.5.x.
To upgrade to eDirectory 9.0, you must be on eDirectory 8.8 or later. For more information on upgrading eDirectory, see the NetIQ eDirectory Installation Guide.
Log in to the NetIQ Downloads page and follow the link that allows you to download the software. The following files are available:
Table 1 Files Available for eDirectory 9.0

| Filename | Description |
|---|---|
| eDirectory_900_Linux_x86_64.tar.gz | Contains the eDirectory tar file for Linux platforms. |
| eDirectory_900_Windows_x86_64.exe | Contains the eDirectory executable file for Windows platforms. |
| eDir_IMANPlugins.npm | Contains the iManager plug-in NPM. Install the NPM as directed in the NetIQ iManager Installation Guide. |
The following sections provide information on known issues at the time of the product release.
eDirectory Dumps the Core on Loading xdasauditds When the Syslog Appender Is Disabled
Identity Manager Fails to Start When Updated with Non Root eDirectory 9.0
eDirectory Utilities Require Users to Authenticate Using NDS Password
SLPD Provided with SLES 12 and RHEL 7 Platforms Does Not Work
Executing the ndspath Script from a Directory Containing opt May Export Wrong Paths
Duplicate Files Are Created after Upgrading from eDirectory 8.8 SP8 to eDirectory 9.0
Uninstallation Fails if Installation Was Not Successfully Completed
Issue: ndsd dumps the core when it attempts to load the xdasconfig.properties file in which the layout definition for Syslog is not defined correctly.
Workaround: There is no workaround at this time.
Issue: This occurs because of an issue with the SNMP modules that Red Hat provides.
Workaround: Install the latest RHEL patch from the Red Hat update service. For more information about this workaround, see TID 7011659.
Issue: The non-root installation of eDirectory 9.0 contains an empty <eDirectory install path>/sbin/pre_ndsd_start. The paths for Identity Manager are not set and, therefore, Identity Manager fails to start.
Workaround: For more information about this workaround, see TID 7016136.
Issue: eDirectory configuration fails if the configuration file path contains a hyphen.
Workaround: There is no workaround at this time.
Issue: eDirectory utilities require users to authenticate through NDS password.
Workaround: If Universal Password is being used, sync it with the NDS password so that all eDirectory command line tools can authenticate.
Issue: RHEL 7 does not allow starting services as a non-root user, so eDirectory does not support a non-root user on this platform.
Workaround: There is no workaround at this time.
Issue: SLPD provided with SLES 12 and RHEL 7 platforms does not work after installing eDirectory on these platforms.
Workaround: To get SLPD working, either build your own version of SLPD for your platform after downloading it from the OpenSLP website, or contact NTS for further assistance.
Issue: If you run the ndspath script from a directory whose path contains opt, the script sometimes does not export the correct paths.
Workaround: To export the correct paths, run the script from the binary location.
Issue: After upgrading eDirectory, the new configuration files have a .new extension.
Workaround: If there are any changes to the configuration files, merge them with the new files.
If you have a loopback address aliased to the hostname of the system in an /etc/hosts entry, it must be changed to the hostname or IP address. That is, if you have an entry similar to the first example below in your /etc/hosts file, it must be changed to the correct form shown in the second example.
The following example has problems when any utility tries to resolve to the ndsd server:
127.0.0.1 test-system localhost.localdomain localhost
The following is a correct example entry in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system
If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
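The loopback-alias problem above can be checked mechanically before any utility tries to reach ndsd. The following Python script is an added example, not part of eDirectory or its documentation; it embeds the two /etc/hosts examples above as constructed strings, and when run directly it checks the live /etc/hosts against the system hostname.

```python
import ipaddress
import socket

# Constructed copies of the two /etc/hosts examples above: the first aliases
# the hostname to the loopback address (problem), the second is the corrected form.
PROBLEM_HOSTS = "127.0.0.1 test-system localhost.localdomain localhost\n"
CORRECT_HOSTS = (
    "127.0.0.1 localhost.localdomain localhost\n"
    "10.77.11.10 test-system\n"
)


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment, non-empty /etc/hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def addresses_for(text, hostname):
    """Return the ipaddress objects whose /etc/hosts line lists hostname as a name."""
    found = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)      # accepts IPv4 and IPv6 (::1 is loopback too)
        except ValueError:
            continue                             # malformed address; ignore the line
        if hostname in names:
            found.append(ip)
    return found


def check_hosts(text, hostname):
    """Return (ok, message) describing whether hostname resolves acceptably for ndsd."""
    ips = addresses_for(text, hostname)
    loop = [str(ip) for ip in ips if ip.is_loopback]
    real = [str(ip) for ip in ips if not ip.is_loopback]
    if loop:
        return False, f"{hostname} is aliased to loopback {loop}; move it to its real IP address"
    if not real:
        return False, f"{hostname} has no /etc/hosts entry; add one with its IP address"
    return True, f"{hostname} resolves to {real}"


if __name__ == "__main__":
    with open("/etc/hosts") as fh:               # live check on this system
        ok, msg = check_hosts(fh.read(), socket.gethostname())
    print(("OK: " if ok else "PROBLEM: ") + msg)
```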
When the DIB is large, the DS takes time to come up and incorrectly displays the following errors:
LDAP TCP Port is not listening
LDAP TLS Port is not listening
In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:
netstat -na
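To tell the slow-start case above apart from a port that really is not listening, the netstat output can be checked for the LDAP ports. The Python script below is an added example, not product code; it assumes the default LDAP ports 389 (TCP) and 636 (TLS), so substitute the ports your server is configured with, and it parses a constructed netstat -na sample when imported and the live netstat -na output when run directly.

```python
import subprocess

# Default LDAP ports; an assumption for this example, use the values configured on your server.
LDAP_PORTS = {"LDAP TCP": 389, "LDAP TLS": 636}

# Constructed sample of Linux netstat -na output for an ndsd that has finished starting.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:524             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 10.77.11.10:389         10.77.11.20:51234       ESTABLISHED
tcp6       0      0 :::636                  :::*                    LISTEN
udp        0      0 0.0.0.0:427             0.0.0.0:*
"""


def listening_sockets(netstat_output):
    """Return {port: [local address, ...]} for every TCP socket in LISTEN state."""
    listening = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Linux netstat columns: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "0.0.0.0:389" and ":::636"
        if port.isdigit():
            listening.setdefault(int(port), []).append(addr)
    return listening


def ldap_port_status(netstat_output, ports=LDAP_PORTS):
    """Map each named LDAP port to the addresses it listens on (empty list = not listening)."""
    listening = listening_sockets(netstat_output)
    return {name: listening.get(port, []) for name, port in ports.items()}


def report(status):
    """Return one line per port; a missing port during startup is expected to clear."""
    lines = []
    for name, addrs in status.items():
        if addrs:
            lines.append(f"{name} is listening on {', '.join(addrs)}")
        else:
            lines.append(f"{name} is not listening yet; recheck after ndsd finishes loading the DIB")
    return lines


if __name__ == "__main__":
    out = subprocess.run(["netstat", "-na"], capture_output=True, text=True, check=True).stdout
    print("\n".join(report(ldap_port_status(out))))
```

Binding addresses are reported as well, so a port that listens only on 127.0.0.1 is visible at a glance.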
Issue: If eDirectory installation fails, nds-uninstall cannot remove eDirectory.
Workaround: Install eDirectory again in the same location and then uninstall it.
In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 9.0 server is being installed, so some features are not completely installed.
Workaround: Extend the schema manually in your tree before you install eDirectory 9.0, using the eDirectory 9.0 schema files located in the <Unzip Location>\Novell\NDS\x64 folder.
For more information on extending the schema, see “Extending the Schema on Windows” in the NetIQ eDirectory Administration Guide.
When eDirectory 9.0 is installed on a Windows computer already containing the Novell Client, eDirectory installs an SLP service, but sets the service to manual mode so that it does not run when the server is booted. eDirectory then uses the SLP service from the Novell Client. If the Novell Client is removed, leaving no SLP service for eDirectory to use, you must manually start the SLP service, or change it to start automatically when the server boots.
When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation does not detect the error until later, and the eDirectory installation fails with a -611 or -634 error.
The valid Server object container types are:
Organization (O)
Organizational Unit (OU)
Domain (DC)
This is observed for utilities such as DSRepair, DSMerge, and DSBrowse.
Workaround: To view the help files for these utilities, navigate to the folder where the files are located and double-click a file to open it. For example, C:/Novell/NDS/NLS/Nihongo for the Japanese help file.
If the login fails during the secondary server installation, click the Browse button next to the Administrator Login Name dialog box. After this, you might see an error message and a dialog box prompting you to enter an IP address. Enter the IP address of any server in the tree, preferably the Master server of the partition to which the server is being added.
If the server is running on a port number other than 524, enter the port number as well, for example 1.2.3.4:1524. This connects to the server, displays the tree name, and prompts for a login name and password. Follow the dialog boxes to continue with the installation. Ensure that the time between the primary and secondary servers is synchronized.
eDirectory installation fails when the install files are run from a path that contains double-byte or extended ASCII characters.
The installer fails to find the correct path to load the rt.jar file.
Workaround: This issue does not occur if the eDirectory installation folder has a relatively short path. For example, eDirectory installation can fail if the length of the folder path is more than 115 characters.
SNMP stops working after installing eDirectory and displays the following error message:
SNMP subagent error -672
Workaround:
Install and configure SNMP service after eDirectory is installed.
Run the dssnmpsupport.exe on your eDirectory server.
NOTE: Apply dssnmpsupport.exe only if the MpsSvc service is running on the eDirectory server.
Issue: While upgrading eDirectory, the installer displays the following error:
Admin user does not have enough rights to modify the tree schema.
Workaround:
From the Administrator Login page of eDirectory installation, browse to and select the admin user.
Specify the password, then click Next to continue.
Issue: When you invoke any of the eDirectory utilities except DSTrace and DSRepair, the Interactive dialog box appears.
To launch and continue using the invoked utility, click Show me the message in the Interactive dialog box.
Windows Server 2012 and Windows Server 2012 R2 do not allow interactive services by default.
Workaround: To allow interactive services, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows and change NoInteractiveServices from 1 to 0. Reboot the computer to start the interactive services detection service.
NOTE: When configuring the Directory Agent for eDirectory module (ds.dlm), ensure that you exit the ds.dlm dialog box to continue using the eDirectory services.
Issue: The NetIQ eDirectory Management Toolbox (eMBox) does not handle double-byte characters for setting a roll-forward directory through the eMBox client and iManager.
Workaround: Use DSBK for setting a roll-forward directory.
Issue: In a French localized Windows environment, if you try to run the utility for configuring eDirectory on a cluster (dsclusterconfig.exe), the localized O option does not work.
Workaround: Provide the corresponding English Y option to run the utility.
Issue: If you use the dsclusterconfig.exe utility in a Japanese localized Windows environment, the utility displays corrupted Japanese characters in the Windows terminal.
Workaround: Change the localization settings to English in the utility.
Issue: By default, eDirectory disables logging for a failed login event.
Workaround: Configure the Nsure Audit settings for eDirectory to log the Add Value events in the NCP server object. You also need to enable the intruder detection on containers where auditing of these events is required. For more information, see TID 7017208.
Issue: Symantec network threat protection conflicts with IPv6 addresses.
Workaround: If you want to use IPv6 addresses in iManager 3.0, and your computer is running Network Threat Protection process, you must disable this process.
Issue: If you upgrade an eDirectory server on which the eDirectory instrumentation is also installed, the eDirectory instrumentation files are not upgraded automatically.
Workaround: Upgrade the eDirectory instrumentation files manually.
NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.
For more information on upgrading the instrumentation, refer to the NetIQ eDirectory Installation Guide.
Issue: eDirectory listens on all interfaces configured on the computer for NCP, HTTP, HTTPS, LDAP and LDAPS by default.
Workaround: If you add a new network interface address to the computer and restart eDirectory, eDirectory starts listening on that address automatically and adds the corresponding referrals.
Issue: When you try to add an eDirectory 9.0 server from a computer to an existing tree running on a different computer, it might fail if the firewall is enabled.
Workaround: There is no workaround at this time.
Issue: After upgrading eDirectory to version 9.0, the passwords stored in ndspassstore do not work.
Workaround: Execute the ndspassstore command for the specific user after upgrading eDirectory. This overwrites the stored passwords, making them usable.
Issue: ndsindex, nmashotpconf, and krbLdapConfig utilities do not connect to LDAPS port over IPv6 after configuring with a certificate file.
Workaround: There is no workaround at this time.
Issue: Renaming a tree after installing eDirectory and configuring an EBA-enabled server on the tree leaves EBA non-functional. eDirectory displays the following error message:
Download of EBA CA certificate failed. Error: -2109(UAP_ERR_NMAS_API_INIT_FAILED)
Workaround: Rename the tree to its original name. This restores the EBA functionality.
Issue: By default, the EBA-enabled eDirectory servers use the traditional authentication method for encrypted replication.
Workaround: To use the EBA authentication, restart the servers. This establishes the EBA authentication.
Issue: If you switch between the Services and the Connections tabs in the DHost console, the DLMs are not refreshed in the console. Switching the tabs eventually removes all the DLMs from the console.
Workaround: There is no workaround at this time.
The eDirectory documentation has been revamped. Content from NMAS Administration Guide, Password Management Guide, and Certificate Server Guide is now part of the eDirectory Administration Guide. Use the following links to access these chapters in the eDirectory Administration Guide:
For iManager information, refer to the iManager online documentation.
The NICI Administration Guide is included in the eDirectory documentation page.
For more information on eDirectory issues on Open Enterprise Server (OES), see OES Readme.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.