Novell Nsure Identity Manager 2.0.1 Readme

Last updated October 27, 2004
1.0 Documentation
2.0 Known Issues
2.1 Unable to Continue the Identity Manager Installation Program: Authentication to the iManager Server Fails
2.2 Installing on NetWare 6.5 Requires NetWare 6.5 SP2 or CSP11
2.3 NetWare: "A fatal error has occurred...Tree not initialized yet"
2.4 NetWare 6.5: Events Not Being Processed Quickly When Using DSTrace
2.5 Upgrading on Linux: Installation Fails on libdxevent
2.6 eDirectory Shuts Down on Solaris
2.7 Unable to Start the Driver after Upgrading to eDirectory 8.7.1
2.8 Driver Does Not Load: "UniqueSPIException Error -783"
2.9 NMAS Simple Password Methods Not Installed on UNIX
2.10 Use NMAS 2.3.4 to Support Expiring New User Passwords
2.11 NMAS LDAP Transport Error
2.12 After Implementing Universal Passwords, Some Applications Might Fail to Load
2.13 NDS Password Settings are Replaced by New Password Policies
2.14 LDAP SSL Port for Password Self-Service
2.15 Use NMAS 2.3.4 to Avoid Case-Sensitivity Issues with Answers to Challenge Response Questions
2.16 Use NMAS 2.3.4 to Avoid Increased TCP Connections on Linux when Setting Universal Password
2.17 Set Universal Password Task Requires TLS for Simple Bind
2.18 Errors about Password Policy Not Assigned to a User
2.19 Check Password Status Task Doesn't Work for eDirectory Connected System if Using Only Universal Password
2.20 Check Password Status Works Differently Between eDirectory Trees
2.22 Errors Occur when Logging into Other Trees with iManager
2.23 Error Appears in the Tomcat Log File When Logging into iManager
2.24 eDirectory Driver Upgrade Issue with SSL Certificates
2.25 Using the E-Mail Notification on a UNIX Server Requires a Replica of the Security Container
2.26 Pop-Up Blocking Software Can Block iManager Browser Windows
2.27 Using Noncompliant Backward-Compatible Mode for XSLT
2.28 Nsure Audit Configuration Is Overwritten During Installation
2.29 Non-English Browsers Do Not Display Help Files
2.30 Role-Based Entitlements Might Require iManager Field Patch
2.31 Issue Adding a New Attribute to the Filter
2.32 Migration Events Dropped, Cache Error
2.33 iManager Performance Improved by Logging in to Server for Driver Set
2.34 Unable to Stop the Java Remote Loader on SUSE LINUX Enterprise Server 9
2.35 NMAS Does Not Support Filtered Replicas for Password Synchronization
3.0 Legal Notices

1.0 Documentation

For the latest information about Novell® Nsure(TM) Identity Manager 2.0.1, refer to the documentation located at the Novell Product Documentation Web site.

You can view the documentation online in HTML or download a copy in PDF format.

The latest Readme file is also available online at the same location.


2.0 Known Issues


2.1 Unable to Continue the Identity Manager Installation Program: Authentication to the iManager Server Fails

If you choose to install the iManager plug-ins for Identity Manager, you must provide valid authentication credentials to your iManager server. If authentication fails, you can return to the previous screen, deselect the plug-ins, and continue the installation.

You might also see this error if your iManager server is not running properly. Ensure that you can log into the iManager server (http://<host-or-ip address>/nps/iManager.html). If you can log into iManager, try installing the plug-ins again.


2.2 Installing on NetWare 6.5 Requires NetWare 6.5 SP2 or CSP11

If you are installing Identity Manager on a NetWare® server with a CD mounted as an NSS volume, make sure that NetWare 6.5 SP2 or CSP11 is installed first.

If you install the NetWare upgrade after DR1, the older iManager plug-ins are installed. If the older plug-ins are installed, you might see errors about missing methods. If this occurs, re-install the iManager plug-ins from Identity Manager over the CSP installation.


2.3 NetWare: "A fatal error has occurred...Tree not initialized yet"

If you are installing Identity Manager on NetWare and do not have JVM* 1.4.2 installed, you might see an error stating, "A fatal error has occurred. This program will terminate. You may check sys:\ni\data\ni.log for more details after you dismiss this dialog. Tree not initialized yet..."

You should upgrade to JVM 1.4.2 to resolve this issue. The JVM is available from Novell Product Downloads.


2.4 NetWare 6.5: Events Not Being Processed Quickly When Using DSTrace

If you are using NetWare 6.5, ensure that you have the eDirectory 8.7.3.2 IR or later field patch from Novell Support. This release includes an updated dsloader.nlm that fixes this issue.


2.5 Upgrading on Linux: Installation Fails on libdxevent

When upgrading from eDirectory(TM) 8.6.2 to 8.7.1 on Linux, the eDirectory installer carries an older dxevent package than the one Identity Manager installed. The installation begins to copy files, then fails with the following error:

"file /usr/lib/nds-modules/libdxevent.la from install of NDSdxevnt-1.1.1-1 conflicts with file from package novell-DXMLevent-2.0.0-14
file /usr/lib/nds-modules/libdxevent.so from install of NDSdxevnt-1.1.1-1 conflicts with file from package novell-DXMLevent-2.0.0-14
%% Unable to install NDSdxevnt, Exiting..."

To fix this problem, complete the following procedure:

  1. Before running the eDirectory 8.7.1 installer, change to the Linux/Setup directory on the eDirectory media.

  2. Enter rpm -ivh --force NDSdxevnt-1.1.1-1.i386.rpm to do a forced install of the NDSdxevnt package. The --force option makes rpm overwrite the two conflicting files even though they belong to novell-DXMLevent, so Identity Manager's own event module is gone until step 4.

  3. Run the eDirectory nds-install script to remove or replace the eDirectory packages, and perform the upgrade from eDirectory 8.6.2 to 8.7.1.

  4. When the eDirectory installation is complete, reinstall Identity Manager 2 so that its dxevent package is put back.


2.6 eDirectory Shuts Down on Solaris

When you are creating a driver set or shortly after Identity Manager loads, the ndsd (eDirectory) process shuts down unexpectedly without a core dump. The /var/nds/ndsd.log contains the following message, "Exception java.lang.OutOfMemoryError: requested -569704448 bytes for char in /export1/jdk/jdk1.4.2/hotspot/src/os/solaris/vm/os_solaris.cpp. Out of swap space?" (The exact number might vary.)

To fix this issue, complete the following procedure.

  1. Open /etc/init.d/ndsd.

  2. Set GS_FAST_MODE to 0 instead of 1.

This error might also disappear if you add more memory to the computer hosting eDirectory.


2.7 Unable to Start the Driver after Upgrading to eDirectory 8.7.1

When upgrading from Novell eDirectory 8.6.2 to 8.7.1, an older version of dxevent.dll gets installed. When you try to start a driver, you encounter the following error, "Unable to start the driver. com.novell.admin.common.exceptions.UniqueSPIException: (Error -783) The DirXML Interface Module(VRDIM) is not currently loaded into NetWare or into DHost."

To fix this problem on Windows*, copy dxevent.dll from the NT\DirXML\Engine directory on the CD image to the c:\novell\nds directory on the server.

To fix this problem on NetWare, copy dxevent.nlm from the NW\DirXML\Engine\System directory on the Identity Manager CD image to the SYS:SYSTEM directory on the server.


2.8 Driver Does Not Load: "UniqueSPIException Error -783"

If you upgrade eDirectory on your Identity Manager server, you might see the following error: "UniqueSPIException error -783:" To resolve this issue, log into iManager; in the DirXML Overview, remove the server listed for the Driver object, then re-associate the server to the Driver object.


2.9 NMAS Simple Password Methods Not Installed on UNIX

If you are running Identity Manager on UNIX*, you need to install the NMAS Simple Password login method, which is located on your eDirectory installation media. Use the nmasinst utility that ships with eDirectory:

  1. Change to the directory that contains nmasinst.

  2. Enter nmasinst -addmethod <admin.context> <treeName> </Download/eDir873/SimplePassword/config.txt> [-h hostname[:port]] [-w password]

     Replace the path with the location of config.txt in the SimplePassword directory of your eDirectory media. Passing -w puts the administrator password on the command line, where other users of the server can see it in the process list; prefer to omit it and let nmasinst prompt for the password.


2.10 Use NMAS 2.3.4 to Support Expiring New User Passwords

When an administrator creates a new user and password, it is preferable to have the password expire immediately, so that the users create their own passwords.

This feature has been provided in past versions of Novell eDirectory(TM) for the NDS® Password. If a password expiration setting was in place, administrator-created passwords were automatically expired.

For Universal Password, you need NMAS(TM) 2.3.4 to support this feature. As with NDS Password, use of this feature depends on the password expiration setting. If you have the password expiration setting enabled in the Password Policy (in Advanced Password Rules, named "Number of days before password expires (0-365)"), then administrator-created passwords are expired.


2.11 NMAS LDAP Transport Error

If you are installing Identity Manager in a multi-server environment, and use some of the Password Management plug-ins in iManager, you might see an error that begins with "NMAS LDAP Transport Error."

One common cause of this error is that the PortalServlet.properties file is pointing to an LDAP server that does not have the NMAS extensions that are needed for Identity Manager. Open the PortalServlet.properties file and make sure the address for the LDAP server is the same server where you installed Identity Manager.

Other possible causes:


2.12 After Implementing Universal Passwords, Some Applications Might Fail to Load

After implementing Universal Password, NDPS, ZEN, NILE (SSL connections), and SLPDA might not load. This is an application problem; the auto-generated passwords created by these applications might violate Password Policies.

The workaround is described in TID 10092957 and a patch will soon be available.


2.13 NDS Password Settings are Replaced by New Password Policies

If you create a Password Policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create Password Policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the Password Policy.

If you later disable Universal Password in the Password Policy, the existing NDS Password settings are no longer ignored; they are enforced for NDS Password again.


2.14 LDAP SSL Port for Password Self-Service

In the initial release of Identity Manager 2, the Password Self-Service functionality assumed that the LDAP SSL port was port 636, unless a different port was specified in the PortalServlet.properties file with the key/value pair LDAPSSLPort=your_port_number.

In this release, the Password Self-Service functionality assumes that the LDAP SSL port is the port given in the System.DirectoryAddress key/value pair in the PortalServlet.properties file, unless a different port is specified with the key/value pair LDAPSSLPort=your_port_number.

No action should be necessary to accommodate this change if you require TLS for simple bind (the default setting for the LDAP Group-Server object), because in that configuration the port in the System.DirectoryAddress setting is already the LDAP SSL port.

The only case in which you need to add the key/value pair LDAPSSLPort=your_port_number to the PortalServlet.properties file is if you choose not to require TLS for simple bind, and your LDAP SSL port is different from the port in the System.DirectoryAddress setting.
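The port-selection rule above, applied to a PortalServlet.properties file by a small shell script. This is an added example, not Novell's code and not part of the readme; it assumes (the page does not say) that the System.DirectoryAddress value has the form host:port, and the properties file it runs against is constructed here.

```shell
# Added example (not from the Novell readme): apply the port-selection rule from
# section 2.14 to a PortalServlet.properties file and report whether an
# LDAPSSLPort override is needed. Assumption not stated on the page: the
# System.DirectoryAddress value has the form host:port.

# prop_get FILE KEY -> prints the value of KEY (last definition wins), ignoring
# comment lines (# or !), Windows line endings and surrounding whitespace
prop_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for the regex
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*[#!]' |
        sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" |
        tail -n 1
}

# effective_ssl_port FILE -> prints the port Password Self-Service will use for
# LDAP over SSL: LDAPSSLPort if set, otherwise the port in System.DirectoryAddress
effective_ssl_port() {
    override=$(prop_get "$1" LDAPSSLPort)
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    addr=$(prop_get "$1" System.DirectoryAddress)
    case "$addr" in
        *:*) printf '%s\n' "${addr##*:}" ;;
        *)   echo "System.DirectoryAddress has no port: '$addr'" >&2; return 1 ;;
    esac
}

# needs_override FILE ACTUAL_SSL_PORT -> succeeds (exit 0) when the file must gain
# LDAPSSLPort=ACTUAL_SSL_PORT, i.e. the computed port is not the real SSL port.
# That is the case the readme describes: TLS not required for simple bind and
# the SSL port different from the one in System.DirectoryAddress.
needs_override() {
    port=$(effective_ssl_port "$1") || return 0
    [ "$port" != "$2" ]
}

# Stand-alone demo on a constructed properties file
demo_props=$(mktemp)
printf 'System.DirectoryAddress=ldap.example.com:389\n' > "$demo_props"
echo "computed port: $(effective_ssl_port "$demo_props")"
if needs_override "$demo_props" 636; then
    echo "add LDAPSSLPort=636 to PortalServlet.properties"
fi
rm -f "$demo_props"
```

Run needs_override against your real PortalServlet.properties with the port on which eDirectory actually listens for LDAPS; a non-zero result means Password Self-Service will try to open SSL to the wrong port.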


2.15 Use NMAS 2.3.4 to Avoid Case-Sensitivity Issues with Answers to Challenge Response Questions

Challenge Response questions require a user to provide answers to prove his or her identity. If you want NMAS to ignore case when validating Challenge Response answers, use NMAS 2.3.4 or later.


2.16 Use NMAS 2.3.4 to Avoid Increased TCP Connections on Linux when Setting Universal Password

When setting the Universal Password on Linux*, you might see an increased number of TCP connections, which could lead to an eDirectory shutdown. To correct this issue, download and install TID2969057 for NMAS 2.3.4.


2.17 Set Universal Password Task Requires TLS for Simple Bind

If you are encountering problems with the iManager Set Universal Password task, make sure that the "TLS is required for Simple Bind" setting has been enabled. You set this option by editing the LDAP server object properties in iManager.

This is a requirement only for this task. The portal content builds its SSL connection when a task requests one, but iManager requires the SSL connection to be established at login. Leaving the setting enabled is also the safer configuration: an LDAP simple bind without TLS sends the password across the network in cleartext.


2.18 Errors about Password Policy Not Assigned to a User

If you see an error saying that a Password Policy is not assigned to a user from the Set Universal Password task, and you know that the user does have a Password Policy assigned, SSL might be the issue. Make sure that SSL is configured correctly between the Web server running iManager and the primary tree. To help confirm that SSL configuration is the problem, use the View Policy Assignment task to check the policy for that user. If the View Policy Assignment task displays an NMAS Transport error, this also can be an indicator that SSL is not configured properly.


2.19 Check Password Status Task Doesn't Work for eDirectory Connected System if Using Only Universal Password

The Check Password Status task lets you see whether a user's password in Identity Manager is synchronized with the password on connected systems.

If you are using the eDirectory driver, and the Password Policy for a user specifies in the Configuration Options tab that the NDS Password should not be updated when the Universal Password is updated, then the Check Password Status task for that user always shows that the password is not synchronized. The password status is shown as not synchronized, even if the Identity Manager password and the password on the connected system are in fact the same.

This is because the eDirectory check password functionality is checking the NDS password at this time, instead of going through NMAS to refer to the Universal Password.

If you select the option to update the NDS Password when the Universal Password is updated in the Password Policy (this is the setting by default), then Check Password Status should be accurate for the eDirectory connected system.

This issue will be fixed in a future release of eDirectory.


2.20 Check Password Status Works Differently Between eDirectory Trees

The task in iManager used to check password synchronization (Password Synchronization > Check Password Status) is accurate when comparing two eDirectory trees only if the Password Policy has the following settings:

These settings are in Password Management > Manage Password Policies, in the Universal Password tab under Configuration Options. They are both checked by default.

Other drivers check the Distribution Password when comparing with the connected system. The eDirectory driver is an exception because, at this time, the eDirectory check password functionality is checking the NDS password, instead of going through NMAS to check the Distribution Password.

If NDS Password is not being synchronized with Universal Password and Distribution password, Check Password Status might report that the passwords are not synchronized, even though the Distribution Password and the password on the other tree are in fact the same.



2.22 Errors Occur when Logging into Other Trees with iManager

If you manage remote Identity Manager trees, and use iManager to log in to the other trees, you might encounter errors if you use the server name instead of the IP address of the remote server.

Other considerations:


2.23 Error Appears in the Tomcat Log File When Logging into iManager

The following error appears in the Tomcat log file when you authenticate to iManager after installing Identity Manager:

com.novell.security.nmas.mgmt.NMASPwdException
        at com.novell.security.nmas.mgmt.PwdLdapTransport.getPwdPolicyDN(Unknown Source)
        at com.novell.security.nmas.mgmt.NMASPwdMgr.getPwdPolicyDN(Unknown Source)
        at com.novell.forgotpassword.PostAuthentication.getPostAuthServiceDelegates(PostAuthentication.java:65)
        at com.novell.nps.authentication.AuthenticationManager.processPostAuthenticationServices(AuthenticationManager.java:366)
        at com.novell.nps.authentication.AuthenticationManager.beginPortalLogin(AuthenticationManager.java:330)

This error occurs if an NMAS Password Policy has not been configured and assigned to the user: the stack shows the forgotten-password post-authentication service failing to look up the user's policy DN.


2.24 eDirectory Driver Upgrade Issue with SSL Certificates

If you are upgrading Identity Manager and the eDirectory driver, you might encounter data synchronization errors if the SSL certificates used by the driver have expired on either end. The driver uses a certificate on each of the two servers, and one expired certificate is enough to cause the problem.

If you create a user on the server holding a valid certificate, the user is not synchronized to the server holding the expired certificate. You might also see the following error in DSTrace:

SSL handshake failed, X509_V_CERT_HAS_EXPIRED

If you create a user on the server holding the expired certificate, the user is still synchronized to the server holding the valid certificate. You might also see the following error in DSTrace:

SSL handshake failed, SSL_ERROR_ZERO_RETURN, 
Error: 14094415: SSL Routines: SSL_READ_BYTES: sslv3 alert certificate expired.

Because synchronization keeps working in one direction, an expired certificate can go unnoticed for some time; check DSTrace on both servers rather than on one. To fix this issue, create new certificates when the previous certificates expire (or, better, before they do), and replace them on both servers.
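The two DSTrace messages quoted above say different things about which certificate is bad, and the following added example (not from the readme, not Novell's code) classifies them accordingly. In OpenSSL terms, X509_V_CERT_HAS_EXPIRED is raised when this server validates the certificate the peer presented, so the remote server's certificate is the expired one; "alert certificate expired" is a TLS alert received from the peer, which rejected the certificate this server presented, so the local certificate is the expired one. The log lines are constructed for the example; real DSTrace output carries other timestamps and channel tags, which the matching ignores.

```shell
# Added example (not from the Novell readme): classify the DSTrace messages quoted
# in section 2.24 so you know which server's certificate to renew.
#   X509_V_CERT_HAS_EXPIRED        -> the PEER's certificate failed validation here
#   "alert certificate expired"    -> the peer rejected THIS server's certificate
# The sample below is constructed; timestamps and "DirXML:" tags are illustrative.

# sample_dstrace -> prints the constructed sample, one DSTrace line per line
sample_dstrace() {
    cat <<'EOF'
DirXML: [12:00:01] SSL handshake failed, X509_V_CERT_HAS_EXPIRED
DirXML: [12:00:02] SSL handshake failed, SSL_ERROR_ZERO_RETURN,
DirXML: [12:00:02] Error: 14094415: SSL Routines: SSL_READ_BYTES: sslv3 alert certificate expired.
DirXML: [12:00:03] Processing add event for user
DirXML: [12:00:04] SSL handshake failed, SSL_ERROR_SYSCALL
DirXML: [12:00:05] Processing modify event for user
EOF
}

# classify_dstrace: stdin -> one class name per SSL failure
#   peer-expired             renew the certificate on the remote eDirectory server
#   local-expired            renew the certificate on this server
#   other-handshake-failure  an SSL failure with some other cause (inspect manually)
# A "SSL handshake failed" line is held back until the next line is seen, because
# the readme shows the reason ("alert certificate expired") on the following line.
classify_dstrace() {
    pending=""
    while IFS= read -r line; do
        case "$line" in
            *X509_V_CERT_HAS_EXPIRED*)
                echo peer-expired; pending="" ;;
            *"alert certificate expired"*)
                echo local-expired; pending="" ;;
            *"SSL handshake failed"*)
                if [ -n "$pending" ]; then echo other-handshake-failure; fi
                pending="$line" ;;
            *)
                if [ -n "$pending" ]; then echo other-handshake-failure; fi
                pending="" ;;
        esac
    done
    if [ -n "$pending" ]; then echo other-handshake-failure; fi
    pending=""
}

# count_class CLASS: stdin (classify_dstrace output) -> number of lines of that class
count_class() {
    grep -c "^$1\$" || true     # grep exits 1 on zero matches but still prints 0
}

# Stand-alone demo: summarize the constructed sample
sample_dstrace | classify_dstrace | sort | uniq -c
```

To feed a real trace, replace sample_dstrace with the DSTrace log file (cat ndstrace.log | classify_dstrace | sort | uniq -c). To catch the problem before it shows up in DSTrace, run openssl x509 -in server.pem -noout -checkend 2592000 against each server's certificate; it exits non-zero when the certificate expires within 30 days.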


2.25 Using the E-Mail Notification on a UNIX Server Requires a Replica of the Security Container

The DirXML script action DoSendEmailFromTemplate does not work on UNIX platforms unless a replica containing the e-mail templates is located on the same server where the DirXML engine is running. These e-mail templates are the ones used in the Notification Configuration task in iManager. The e-mail template objects are located in the Security container at the root of the tree.


2.26 Pop-Up Blocking Software Can Block iManager Browser Windows

Like other Web-based administration tools, iManager windows can be blocked by pop-up blocking software. You should set pop-up blockers to allow pop-ups from the iManager server.


2.27 Using Noncompliant Backward-Compatible Mode for XSLT

This control sets the XSLT processor used by the DirXML Engine to a backwards-compatible mode. The backwards-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and/or XSLT 1.0 standards-compliant. This is done in the interest of backward compatibility with existing DirXML style sheets that depend on the non-standard behaviors. In particular the behavior of the XPath "!=" operator when one operand is a node-set and the other operand is other than a node-set is incorrect in DirXML releases up to and including Identity Manager 2.0. This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backwards compatibility with existing DirXML style sheets.


2.28 Nsure Audit Configuration Is Overwritten During Installation

If you have previously configured Nsure Audit on your server and the loghost parameter in logevent.cfg is set to localhost, the Identity Manager installation overwrites this configuration and logging is turned off. Verify the setting after the install completes, because audit events are dropped for as long as logging stays off.

If you have specified an IP address in the loghost parameter, your logging configuration is unaffected.

To re-enable logging, open logevent.cfg and set the loghost parameter to the IP address of your logging server, then confirm that new events reach it.

The following list contains the default location of logevent.cfg for each supported platform:

  Operating System    Path
  NetWare             sys:\etc\logevent.cfg
  Windows             windows_directory\logevent.cfg
  Linux/Solaris       /etc/logevent.conf
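A pre- and post-install check for the loghost setting, as an added example (not Novell's code and not part of the readme). The readme does not say what the file contains after the installer has turned logging off, so the script treats a missing or empty loghost as "logging off"; that is an assumption. The readme writes the key as loghost; matching is case-insensitive, an existing line keeps its spelling, and the sample file is constructed.

```shell
# Added example (not from the Novell readme): inspect and repair the loghost
# setting in an Nsure Audit logevent.cfg / logevent.conf around an Identity
# Manager install (section 2.28). Assumption: a missing or empty loghost means
# logging is off; the page does not describe the post-install file contents.

# cfg_loghost FILE -> prints the loghost value, or nothing if it is not set
cfg_loghost() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*[#;]' |
        sed -n 's/^[[:space:]]*[Ll][Oo][Gg][Hh][Oo][Ss][Tt][[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        tail -n 1
}

# audit_loghost_status FILE -> ok | will-be-overwritten | logging-off
audit_loghost_status() {
    host=$(cfg_loghost "$1")
    case "$host" in
        "")         echo logging-off ;;          # post-install symptom (assumed form)
        localhost)  echo will-be-overwritten ;;  # pre-install warning per the readme
        *)          echo ok ;;                   # an IP address survives the install
    esac
}

# set_loghost FILE IP -> point loghost at the logging server (replace or append);
# an existing line keeps its key spelling, a new line is written as LogHost=
set_loghost() {
    tmp="$1.tmp.$$"
    if grep -qi '^[[:space:]]*loghost[[:space:]]*=' "$1"; then
        sed "s/^\([[:space:]]*[Ll][Oo][Gg][Hh][Oo][Ss][Tt][[:space:]]*=[[:space:]]*\).*/\1$2/" "$1" > "$tmp" &&
            mv "$tmp" "$1"
    else
        printf 'LogHost=%s\n' "$2" >> "$1"
    fi
}

# Stand-alone demo on a constructed file
demo_cfg=$(mktemp)
printf '# Nsure Audit platform agent (constructed sample)\nLogHost=localhost\n' > "$demo_cfg"
echo "before: $(audit_loghost_status "$demo_cfg")"
set_loghost "$demo_cfg" 192.0.2.10
echo "after:  $(audit_loghost_status "$demo_cfg") (loghost=$(cfg_loghost "$demo_cfg"))"
rm -f "$demo_cfg"
```

Run audit_loghost_status against the file at the platform path listed above before installing; "will-be-overwritten" means change loghost to the logging server's IP address first. Run it again afterwards; "logging-off" means the installer has disabled logging and set_loghost must be applied.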


2.29 Non-English Browsers Do Not Display Help Files

To view help files, your browser language must be set to English. Otherwise, you might encounter an "HTTP Status 404" error.


2.30 Role-Based Entitlements Might Require iManager Field Patch

This issue is not important unless you are using the Dynamic Membership filter to include all or a large number of objects in the tree.

If you are, you will experience significant delays in accessing the Role-Based Entitlements interface after you specify the driver set. To fix this, you need to install the iManager field patch that supplies a fix to the issue.


2.31 Issue Adding a New Attribute to the Filter

When you add a new attribute to a class in the filter, you must save the new attribute before assigning a mapping relationship. If you assign the mapping relationship prior to clicking Apply or OK, the attribute mapping is not saved.


2.32 Migration Events Dropped, Cache Error

If you experience a -734 cache error, virus protection software might be corrupting Novell cache files. These are the symptoms:

To resolve the issue, make sure your virus protection software excludes TAO files. In addition, exclude the Novell\NDS folder and all of its subfolders from virus protection. Keep the exclusion that narrow: everything under Novell\NDS is then outside on-access scanning, so do not widen it to the parent folder or the whole drive.

Make sure that your virus protection software supports the platform you are using it on.

When this issue was observed on Windows 2000 Server when using McAfee VirusScan 7.x, the resolution described above did not work. Instead, the resolution was to disable the virus scanning software.

This issue has not been observed when using McAfee VirusScan 8.0i or Symantec AntiVirus Corporate Edition software.


2.33 iManager Performance Improved by Logging in to Server for Driver Set

When using the iManager plug-ins to configure Identity Manager, consider logging in to the server associated with the driver set that you are going to work with the most. This step can sometimes yield a significant performance improvement for using the plug-ins.


2.34 Unable to Stop the Java Remote Loader on SUSE LINUX Enterprise Server 9

In the Novell SUSE LINUX Enterprise Server 9 (SLES9) network configuration, localhost in /etc/hosts is by default mapped first to an IPv6 address. Java has difficulty with this setting.

To solve this issue, remove "localhost" from the line in /etc/hosts that maps localhost to the IPv6 address. For example, in /etc/hosts change

::1 localhost ipv6-localhost ipv6-loopback

to

::1 ipv6-localhost ipv6-loopback

You might also need to place the following line in your /etc/hosts file:

127.0.0.1 localhost
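The same edit carried out by a script on a copy of the file, so it can be reviewed before /etc/hosts itself is touched. This is an added example, not Novell's code and not part of the readme; the hosts file it runs on is constructed and the ::1 line is re-emitted with single spaces between its names.

```shell
# Added example (not from the Novell readme): apply the /etc/hosts change from
# section 2.34 to a copy of the file. It removes the bare name "localhost" from
# any line whose address is ::1 and appends "127.0.0.1 localhost" if no IPv4
# line already maps localhost.

# fix_hosts IN OUT -> writes the corrected hosts file to OUT
fix_hosts() {
    awk '
        # IPv6 loopback line: keep everything except the bare token "localhost"
        $1 == "::1" {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != "localhost") out = out " " $i
            print out
            next
        }
        # remember whether an IPv4 line already maps localhost
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") have = 1 }
        { print }
        END { if (!have) print "127.0.0.1 localhost" }
    ' "$1" > "$2"
}

# localhost_addr FILE -> prints every address mapped to "localhost", in file order,
# so you can confirm that ::1 no longer comes first
localhost_addr() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == "localhost") print $1 }' "$1"
}

# Stand-alone demo on a constructed SLES9-style hosts file
demo=$(mktemp -d)
cat > "$demo/hosts" <<'EOF'
# constructed sample, not a real /etc/hosts
::1 localhost ipv6-localhost ipv6-loopback
127.0.0.1 localhost
EOF
fix_hosts "$demo/hosts" "$demo/hosts.new"
echo "localhost resolves first to: $(localhost_addr "$demo/hosts.new" | head -n 1)"
cat "$demo/hosts.new"
rm -rf "$demo"
```

Usage on a real server: fix_hosts /etc/hosts /tmp/hosts.new, then diff /etc/hosts /tmp/hosts.new, and copy the new file into place as root once the diff shows only the ::1 change and, if it was missing, the added 127.0.0.1 line.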


2.35 NMAS Does Not Support Filtered Replicas for Password Synchronization

NMAS does not currently support filtered replicas. If you are using Identity Manager Password Synchronization, the server running the driver must hold a read/write replica, not a filtered replica, of the partition containing the users whose passwords are synchronized.


3.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2003-2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.


U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,818,936; 5,828,882; 5,832,275; 5,832,483; 5,832,487; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,919,257; 5,933,503; 5,933,826; 5,946,467; 5,956,718; 6,016,499; 6,065,017; 6,105,062; 6,105,132; 6,108,649; 6,167,393; 6,286,010; 6,308,181; 6,345,266; 6,424,976; 6,516,325; 6,519,610; 6,539,381; 6,578,035; 6,615,350; 6,629,132. Patents Pending.

DirXML, NDS, NetWare, and Novell are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, NMAS, and Nsure are trademarks of Novell, Inc. in the United States and other countries.

All third-party trademarks are the property of their respective owners.