Novell eDirectory 8.7 for NetWare
December 2, 2002

TABLE OF CONTENTS

1.0 Installation Issues
    1.1 Prerequisites
    1.2 Distributing Proper Versions of DSREPAIR to All Servers in the Tree
    1.3 Upgrading from a Previous Version
    1.4 Uninstalling eDirectory
    1.5 Installing a NetWare 5.1 Server into an eDirectory 8.7 Tree
    1.6 Video Cards and Driver Settings
    1.7 Installing Novell iManager 1.5
    1.8 Using Dotted Container Names in a Server's Context
    1.9 Upgrading to NetWare 6 from NetWare 5.1 after eDirectory 8.7 Has Been Installed
    1.10 Manually Extending the Schema Before Installation
    1.11 Schema Extension in a Mixed Tree
    1.12 Specifying eDirectory Information During the Installation
    1.13 Core DS Component Installation
2.0 Known Issues
    2.1 iMonitor Issues
    2.2 Using the Latest LDAP Features
    2.3 Security Domain Keys Issues
    2.4 SNMP Issues
    2.5 eDirectory Service Manager Issues
    2.6 Using the NetWare Console to Unload eMBox
    2.7 NICI Issues
    2.8 Certificate Server Issues
    2.9 Roll-Forward Logs Are Turned Off After Restoring eDirectory
    2.10 ConsoleOne Issues
    2.11 eMBox Client Commands
    2.12 Replica Operations in Mixed Replica Rings
3.0 Documentation Issues
    3.1 Viewing Documentation on the Product CD
    3.2 Additional Readme Files
    3.3 Additional Readme Information
4.0 Legal Notices
    4.1 Disclaimer, Export Notice, Copyright, and Patents
    4.2 Novell Trademarks
    4.3 Third-Party Trademarks
    4.4 The Novell TLS Library

1.0 Installation Issues

1.1 Prerequisites

- NetWare 5.1 SP5 or later with JVM 1.3.1, or NetWare 6 SP2

  Note: Installing eDirectory 8.7 on NetWare 5.0 is not supported.
- If you are using RCONSOLE, you will need a ConsoleOne administrator workstation with the following:
  * A 200 MHz or faster processor
  * A minimum of 64 MB RAM (128 MB recommended)
  * Novell Client software that shipped with NetWare 5.1 SP5 or later
- In order for eDirectory 8.6 or 8.7 running on Microsoft Windows NT or 2000 to successfully communicate with NDS 6.x running on NetWare 4.11 or NetWare 4.2, NDS 6.17 must be running on the NetWare 4.x server. In addition, the following line must be added to the end of the autoexec.ncf file on the NetWare 4.x server:

      set dstrace = !ne

  NOTE: If DS.NLM is unloaded and reloaded without rebooting the server, the above set command must be executed after DS.NLM is loaded. For more information about this setting, see TID #2963473 in the Knowledgebase at http://support.novell.com.

1.2 Distributing Proper Versions of DSREPAIR to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.7 installation, see Updating the eDirectory Schema for NetWare in the Novell eDirectory 8.7 Administration Guide (http://www.novell.com/documentation).

1.3 Upgrading from a Previous Version

1.3.1 Prerequisites

Before you upgrade to eDirectory 8.7, make sure you have the latest NDS and eDirectory patches installed on all non-eDirectory 8.7 servers in the tree. You can get NDS and eDirectory patches from the Novell Support Web site (http://support.novell.com).

1.3.2 Upgrading to Novell eDirectory 8.7 on a Double-byte System

In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue has been resolved in Novell eDirectory 8.7. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.7 when eDirectory will report corruption errors that are due to incorrect keys.
To resolve this issue, run DSREPAIR.NLM after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.

1.3.3 Certificate Server 2.0.1

Your CA server must be running Certificate Server 2.0.1 or later before installing a new server into the tree. You can determine which server is the CA by viewing the Certificate Authority object located in the Security container at the root of the tree. To verify the version of the Certificate Server software, check the module version number on PKI.NLM (NetWare) or pki.dlm (Windows).

If the Certificate Server software version on the CA server is out of date, install eDirectory 8.7 on the CA server first, then proceed to install eDirectory 8.7 on any additional servers.

1.3.4 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7. When you upgrade from 8.6.x to 8.7, you must upgrade the X.509 and CertMutual login methods as well.

1.3.5 Upgrading Novell iManager 1.0

If you upgrade an eDirectory server to Novell eDirectory 8.7 and Novell iManager 1.5, all NetWare 6 servers in the tree should also be upgraded to Novell iManager 1.5.

1.4 Uninstalling eDirectory

If you use NWCONFIG to uninstall eDirectory, follow these steps to reinstall eDirectory:

1) Use the following command to remove the eDirectory entry from the PRODUCTS.DAT file so you can reinstall eDirectory on the same server:

       uinstall edir

2) Edit the SYS:SYSTEM\SCHEMA\SCHEMA.CFG file and remove the comment markers from the NDPS*.SCH files.
3) From the NetWare console, run NWCONFIG.
4) Select Product Options.
5) Select Install a product not listed.
6) Specify the location containing the Novell eDirectory 8.7 installation package.

1.5 Installing a NetWare 5.1 Server into an eDirectory 8.7 Tree

You must use the NetWare 5.1 SP5 Overlay install when installing a new NetWare 5.1 server into an existing eDirectory 8.7 tree. You can get the NetWare 5.1 SP5 Overlay from http://support.novell.com.

1.6 Video Cards and Driver Settings

The eDirectory, ConsoleOne, Novell iManager, and eGuide installs use Java 1.3. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly. On NetWare, the video card must also be VESA-compliant.

1.7 Installing Novell iManager 1.5

After you have installed eDirectory 8.7, make sure that you install Novell iManager 1.5 from the WebApps CD. You cannot use the eDirectory 8.7 iManager plug-ins with the version of iManager installed with NetWare 6. To use the eDirectory 8.7 plug-ins, you must use the WebApps CD to install Novell iManager 1.5.

For additional information on Novell iManager 1.5, see \readme\en\imanager_readme.html on the WebApps CD.

1.8 Using Dotted Container Names in a Server's Context

The Novell eDirectory 8.7 installation does not support dotted container names in the server's context (for example, OU=Eng.Sales.O=www.acme.com). To avoid errors, you should install new servers into a tree that does not contain dots in the server's context.

Note: You cannot escape the dots (for example, OU=Eng\.Sales.O=www\.acme\.com will not work).

1.9 Upgrading to NetWare 6 from NetWare 5.1 after eDirectory 8.7 Has Been Installed

Follow these steps to upgrade a NetWare 5.1 server with eDirectory 8.7 to NetWare 6:

1) Use the NW6SP2 (or later) overlay, available from http://support.novell.com, to upgrade your server.
2) Prior to the upgrade, copy DSLOADER.NLM from C:\NWSERVER to C:\NWUPDATE. You might need to create C:\NWUPDATE.
3) Do not downgrade any files during the install.

If you don't copy DSLOADER.NLM to C:\NWUPDATE, the following error message will occur:

    "The NetWare Loadable Module SYS:\SYSTEM\DIBMIG.NLM could not be loaded. (nwconfig-6-127). Press Enter to Continue."

At this point, abort the install, copy C:\NWSERVER\DSLOADER.NLM to C:\NWUPDATE, and start the upgrade again.

1.10 Manually Extending the Schema Before Installation

In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.7 server is being installed for some features to be completely installed properly. One instance of this is the httpServer object schema definition, which might not synchronize to the server where the object instance needs to be created before the install code attempts to create it. In this particular instance, the failure to create the httpServer object schema definition is not fatal, as it only contains optional configuration information.

This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7, using the eDirectory 8.7 schema files located in the \nw\sys\system\schema directory on the eDirectory 8.7 CD.

1.11 Schema Extension in a Mixed Tree

On NetWare, the schema for the native HTTP stack is not extended at the time of installation. On Windows NT and UNIX platforms, schema extension is done during the installation using the httpstk.sch file. If the tree contains NetWare servers and other platforms, use NWConfig on the NetWare server to extend the schema, using the \nt\I386\NDSonNT\ndsnt\nds\httpstk.sch file.

1.12 Specifying eDirectory Information During the Installation

When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation will not detect the error until later, and the eDirectory installation will fail with a -611 or -634 error.

The valid Server object container types are:

- Organization (O)
- Organizational Unit (OU)
- Domain (DC)

1.13 Core DS Component Installation

On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error dialog like the following will be displayed:

    "The DS component of eDirectory failed to install correctly. The error received was: ''. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated."

If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support Web site at http://support.novell.com for possible solutions.

2.0 Known Issues

2.1 iMonitor Issues

2.1.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 6.2 or later.

2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.

2.1.3 Automatic Refresh for Trace Live Doesn't Refresh

After specifying the refresh rate and selecting Refresh On, the Trace window will update only once. To get more data added to the trace window, select the Update button as needed.

2.2 Using the Latest LDAP Features

To use the latest LDAP features such as start TLS, stop TLS, SASL External, SASL Digest MD5, and SASL NMAS Methods, download the September 2002 or later version of LDAP Libraries for C from the Novell Developer Web site at http://developer.novell.com. SDKs are available for NetWare, Windows, Solaris, Linux, and AIX.

The LDAP Libraries for C available at http://developer.novell.com/ndk/cldap.htm is the latest released version of the LDAP libraries.

2.3 Security Domain Keys Issues

Each eDirectory server is normally installed with one or more Security Domain (SD) keys. SD keys are used to manage sensitive information shared between servers within a given tree. SD keys are normally set up automatically during the eDirectory installation process.

Problems can surface when SD keys are out of sync between the servers, such as an inability to create user certificates or the inability to set user passwords. Usually the error that is reported in these cases is -1460.

There are three ways in which the SD keys can be out of sync:

1) The W0 object is pointing to a server that is not installed with an SD key.
2) Various servers have SD keys not shared with other servers.
3) The W0 object does not contain a server entry.

Note: The W0 object is located in the KAP.Security container. Use ConsoleOne to view the W0 object.

To resolve problem 1:

- Grant Write rights to [All Attributes Rights] on the W0 object to the server listed on the 'NDSPKI:SD Key Server DN' attribute. (Note: this attribute is located on the Other tab in the ConsoleOne view of the W0 object.) The server specified in this attribute will become the SD key server.
- Install NICI 2.4.1 on this server, then reboot the server. This will create a new SD key.

To resolve problem 2:

- Identify all Windows-based eDirectory servers for this tree (i.e. all Windows NT and 2000 eDirectory servers). Add these servers as additional entries to the 'NDSPKI:SD Key Server DN' attribute on the W0 object (servers can be added using ConsoleOne).
- Grant Read rights to [All Attributes Rights] on the W0 object to all servers added to the 'NDSPKI:SD Key Server DN' attribute.

To resolve problem 3:

- Locate a server in the tree that has a copy of the SD key.
  You can determine if a server has a copy of the SD key by searching for the file named NICISDI.KEY. On a NetWare server, this file will be located in SYS:\SYSTEM\NICI. On a Windows server, this file will be located in %SYSTEMROOT%\WINNT\SYSTEM32\NOVELL\NICI.
- Add the server to the 'NDSPKI:SD Key Server DN' attribute on the W0 object (servers can be added using ConsoleOne).
- Grant Write rights to [All Attributes Rights] on the W0 object to this server. This server will become the SD key server.

If you are unable to locate a server containing a copy of the SD key, delete the W0 object and restart the eDirectory installation. The next server you install will become the SD key server.

2.4 SNMP Issues

2.4.1 SNMP Group Object

If the installation of the SNMP Group object fails, you can rectify this problem by executing the following command on the server console:

    snmpinst -c

For example:

    snmpinst -c admin.novell.test-tree novell nds-server.novell.test-tree

2.4.2 Auto-Loading DSSNMPSA

On NetWare, DSSNMPSA is not loaded by default. If you configure it to auto-load, save the credentials by selecting the Remember Password option when it is manually loaded. The INTERACTIVE option must be set to ON in the SYS:\ETC\DSSNMP.CFG file in order for DSSNMPSA to read the remembered credentials.

2.4.3 Stopping the SNMP Service from iManager

The SNMP service can be started and stopped from Novell iManager, using eDirectory Service Manager. When started, a login screen is displayed on the server prompting for the user name and password. If an invalid user name and password is entered, and the service is stopped from iManager, the server will abend. However, if a valid login has happened, this problem does not occur and the service can be stopped from iManager.

To avoid the problem, use the remember password option (on the login screen on the server when it is used for the first time) so that the next time the service is started, the login screen does not appear on the NetWare server, and there is no problem stopping the service from iManager.

2.5 eDirectory Service Manager Issues

2.5.1 Service Manager Dependencies

Some Service Manager modules, such as httpstk, have dependencies. On NetWare, these dependencies are not displayed in the information frame as they are on Windows.

2.5.2 Using Service Manager to stop eDirectory

If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. At the NetWare server console, enter the following:

    load DS

2.6 Using the NetWare Console to Unload eMBox

If you manually unload the eDirectory Management Toolbox (eMBox) from the NetWare console, you must first unload xi18n.nlm and xis11.nlm before you reload eMBox.

2.7 NICI Issues

NICI 2.4.1 and later components, such as xengexp or xengusc, might abend under low memory conditions when running on Intel P4 or later processors. There is no workaround at this time. To avoid this condition, you should ensure that the NetWare server does not run out of memory.

2.8 Certificate Server Issues

2.8.1 Extractable Keys Support

When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.6 or later on NetWare and NT platforms, or if running eDirectory 8.7 or later for Unix platforms. If you are attempting to make the keys extractable on an unsupported platform, you will receive a -1222 error.

2.8.2 Importing CRL Data Onto a CRL Object

Importing CRL data onto a CRL object is not supported through iManager. You must use ConsoleOne for this feature.

2.9 Roll-Forward Logs Are Turned Off After Restoring eDirectory

As part of the process of restoring the eDirectory database, roll-forward logging on the server is always reset to the default settings. This means that after a restore, roll-forward logging is reset to Off, and the location of the roll-forward logs is reset to the default location.

If you have been using roll-forward logging on a server, and you want to continue to use it on that server after a restore, you must do the following:

1. After a restore, re-create your configuration for roll-forward logging to make sure it is on and the logs are being saved in a fault-tolerant location.
2. After turning on the roll-forward logs, do a new full backup.

The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to occur.

For more information on the roll-forward logs and how to choose a fault-tolerant location, see "Using Roll-Forward Logs" in the "Backing Up and Restoring eDirectory" chapter in the eDirectory 8.7 Administration Guide.

2.10 ConsoleOne Issues

2.10.1 Using ConsoleOne to Manage NetWare 4.x Servers

In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

2.10.2 New ConsoleOne Switch

Using the -forceMaster switch when starting ConsoleOne will cause ConsoleOne to always talk to the master replica for the objects being accessed. We don't recommend this switch during normal use of ConsoleOne. Use this switch under direction from Novell Technical Support personnel.

2.11 eMBox Client Commands

On NetWare only, if you are using batch files to run the eMBox Client unattended, such as for eDirectory backups or other scheduled tasks, make sure you include the -ns and ac options in your command.

You must always include -ns in the command when running the eMBox Client. This is necessary to avoid an abend. On NetWare, -ns is a Java option meaning "new screen."

We recommend that you also use the ac option along with -ns. The ac option closes the new screen when the task is complete. If you don't include the ac, each time the batch file runs unattended, it will open a new screen on the server and leave it open.

The -ns and ac options are used together at the beginning of the command that runs the eMBox Client. Here is an example of a command including these options in a system batch file for NetWare:

    java -nsac -cp sys:\system\embox\eMBoxClient.jar embox -s 10.10.1.200 -p 8008 -u admin.mycontainer -w mypassword -n -t backup.backup -b -f sys:\system\backup\backup.bak -l sys:\system\backup\backup.log -e -t -w

The documentation mistakenly omits the ac option in batch file command examples.

If you are running the eMBox Client in interactive mode, use the edirutil.ncf file as a shortcut to running the eMBox Client. The edirutil.ncf file already contains the -ns option.

2.12 Replica Operations in Mixed Replica Rings

Because NetWare 4.x servers can't speak to UNIX (IP) servers, replica operations in mixed (NetWare 4.x and UNIX) rings might never proceed to completion. Additionally, when NetWare 4.x is the master of that partition, certain operations will always fail to complete. NetWare 4.x should never hold the master replica of a partition, and including NetWare 4.x servers in a replica ring with UNIX or Windows servers could cause operations to hang or remain in a state of partial completion. We recommend upgrading from NetWare 4.x to an IP-capable version of NetWare.
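
The batch-file rule from section 2.11, as an added example that is not part of Novell's readme or tooling: a Python check that scans the text of a NetWare batch file for eMBox Client commands and reports lines that lack -ns, lack ac, or carry a typographic dash instead of an ASCII hyphen. The sample batch content is constructed, and the finding names and function names are this example's own.

```python
# Added example: lint eMBox Client command lines in a NetWare batch file
# against the -ns / ac rule stated in section 2.11 of the readme.

DASHES = ("\u2013", "\u2014")  # en/em dash, e.g. pasted from formatted docs


def check_line(line):
    """Classify one batch-file line.

    Returns None if the line is not an eMBox Client command, otherwise one of:
      "ok"               -nsac present (new screen, closed when the task ends)
      "missing-ac"       -ns only: a screen is left open after every run
      "missing-ns"       no -ns at all: the case the readme ties to an abend
      "typographic-dash" an option starts with a dash that is not ASCII '-'
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() != "java":
        return None
    if "emboxclient.jar" not in line.lower():
        return None

    # JVM options are the dash-prefixed tokens between "java" and the main
    # class (embox); -cp / -classpath consume the following token as a value.
    jvm_opts = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(DASHES):
            return "typographic-dash"
        if not tok.startswith("-"):
            break
        jvm_opts.append(tok.lower())
        i += 2 if tok.lower() in ("-cp", "-classpath") else 1

    if "-nsac" in jvm_opts:
        return "ok"
    if "-ns" in jvm_opts:
        return "missing-ac"
    return "missing-ns"


def lint_batch(text):
    """Return [(line_number, finding)] for every eMBox line that is not ok."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        result = check_line(line)
        if result not in (None, "ok"):
            findings.append((number, result))
    return findings


# Constructed sample batch file (not from the readme).
JAR = r"-cp sys:\system\embox\eMBoxClient.jar embox -s 10.10.1.200 -p 8008"
SAMPLE_NCF = "\n".join([
    "# nightly backup (constructed sample)",
    "java -nsac " + JAR + " -t backup.backup -b",
    "java -ns " + JAR + " -t backup.backup -b",
    "java " + JAR + " -t backup.backup -b",
    "java \u2013nsac " + JAR + " -t backup.backup -b",
    "load DS",
])

if __name__ == "__main__":
    for number, finding in lint_batch(SAMPLE_NCF):
        print(f"line {number}: {finding}")
```
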

3.0 Documentation Issues

3.1 Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

- Novell eDirectory
  \DOCUMENTATION\ENGLISH\EDIR87\EDIR87.PDF
  \DOCUMENTATION\ENGLISH\EDIR87\QSEDIR87.PDF
- Novell Client
  \DOCUMENTATION\ENGLISH\NOCLIENU\NOCLIENU.PDF
- Novell Certificate Server
  \DOCUMENTATION\ENGLISH\CERTSERV\CERTSERV_ADMIN.PDF
- ConsoleOne 1.3.4
  \DOCUMENTATION\ENGLISH\CONSOL13\C1_ENU.PDF
- Novell Modular Authentication Services (NMAS)
  \DOCUMENTATION\ENGLISH\NMAS\DOC\NMAS_ADMIN.PDF

3.2 Additional Readme Files

For additional information on the contents of this release, see the following sources on the Novell eDirectory 8.7 CD:

- Novell eDirectory for Windows NT/2000:
  \NT\I386\NDSONNT\README\EN\README.HTML
- NICI on Windows NT:
  \NT\I386\SERVERNICI\NI\HELP\EN\README.HTML
- Novell Clients:
  \NT\I386\README.TXT

For additional information on Novell iManager 1.5 and Novell eGuide 2.1, see the following sources on the WebApps CD:

- Novell iManager 1.5
  \README\EN\IMANAGER_README.HTML
- Novell eGuide 2.1
  \README\EN\EGUIDE_README.HTML

3.3 Additional Readme Information

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

4.0 Legal Notices

4.1 Disclaimer, Export Notice, Copyright, and Patents

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright (C) 2002 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.

4.2 Novell Trademarks

Novell, NetWare, NDS, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc.

4.3 Third-Party Trademarks

All third-party trademarks are the property of their respective owners.

4.4 The Novell TLS Library

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Please refer to \documentation\english\license\license.txt on the eDirectory CD for additional information and license terms.