Novell eDirectory 8.7 for Solaris, Linux, and AIX December 2, 2002 TABLE OF CONTENTS 1.0 Installation Issues 1.1 Prerequisites 1.2 Installing or Upgrading eDirectory 1.3 HTTP Server Port Configuration 1.4 Installing Novell iManager 1.5 1.5 Manually Extending the Schema Before Installation 1.6 Enabling Large File Support 1.7 Enabling the Linux, Solaris, or AIX Host for Multicast Routing 1.8 Using Dotted Container Names in a Server's Context 1.9 LDAP Server Was Not Configured (-603) During Install 1.10 Specifying eDirectory Information During the Installation 1.11 Core DS Component Installation 2.0 Known Issues 2.1 iMonitor Issues 2.2 Using the Latest LDAP Features 2.3 ConsoleOne Issues 2.4 Security Domain Keys Issues 2.5 SNMP Issues 2.6 Roll-Forward Logs Are Turned Off After Restoring eDirectory 2.7 Certificate Server Issues 2.8 Static Cache Limits on AIX 2.9 Increasing the Size of the eDirectory Log Files 2.10 Default Backup File Size 2.11 eMBox Client Commands: Don’t Use “-ns” or “ac” 3.0 Documentation Issues 3.1 Viewing Documentation on the Product CD 3.2 Additional Readme Files 3.3 Additional Readme Information 4.0 Legal Notices 4.1   Disclaimer, Export Notice, Copyright, and Patents 4.2   Novell Trademarks 4.3   Third-Party Trademarks 4.4 The Novell TLS Library 1.0 Installation Issues 1.1 Prerequisites 1.1.1 Solaris - Solaris 7 on Sun SPARC (with patch 106327-13 or later for 32-bit systems) - Solaris 7 on Sun SPARC (with patch 106300-07 or later for 64-bit systems) - Solaris 8 on Sun SPARC (with patch 108827-20 or later) - All latest recommended set of patches, available at the SunSolve Web page (http://sunsolve.sun.com) - A minimum of 128 MB RAM - 120 MB of disk space for the eDirectory server - 32 MB of disk space for the eDirectory administration utilities - 74 MB of disk space for every 50,000 users - ConsoleOne requirements: - ConsoleOne 1.3.4 - A minimum of 64 MB RAM (128 MB recommended) 1.1.2 Linux - Redhat Linux 7.2 or 7.3 Ensure that the latest glibc patches are applied from Redhat errata (http://www.redhat.com/apps/support/errata/) on Redhat systems. - A minimum of 128 MB RAM - 90 MB of disk space for the eDirectory server - 25 MB of disk space for the eDirectory administration utilities - 74 MB of disk space for every 50,000 users - Ensure that gettext is installed - ConsoleOne requirements: - ConsoleOne 1.3.4 - A minimum of 64 MB RAM (128 MB recommended) - 200 MHz processor (a faster one is recommended) 1.1.3 AIX - AIX 4.3.3 with Maintenance Level 10, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt= 0&org=SW&doc=4001173 - AIX 5L with Maintenance Level 2, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt= 0&org=SW&doc=4001467 - All recommended AIX OS patches, available at the IBM tech support site (http://techsupport.services.ibm.com/server/mlfixes/) - A minimum of 128 MB RAM - 190 MB of disk space for the eDirectory server - 12 MB of disk space for the eDirectory administration utilities - 74 MB of disk space for every 50,000 users 1.2 Installing or Upgrading eDirectory 1.2.1 Installing eDirectory If you are installing eDirectory from CD, use the nds-install command in the setup directory for installing eDirectory on UNIX. If you download Novell eDirectory 8.7 from http://download.novell.com, use gunzip to convert the downloaded file to a tar file. Then use tar xvf to get the eDirectory installation and uninstallation scripts. 1.2.2 Upgrading an Existing eDirectory Database Running this version of Novell eDirectory on an existing NDS or NDS eDirectory database will upgrade the database format and make it unable to be read by previous versions of NDS or NDS eDirectory. The larger the database, the longer this process might take. For millions of objects, this process could take a number of hours. Using any ndstrace facility shipped with eDirectory (such as ndsimonitor or ndstrace), you can see what storage manager or change cache operations are happening on the Directory. Turn on the storage Manager option (dstrace +RECM ) and the Change Cache option (dstrace +CHNG). The eDirectory storage manager will upgrade the database format, and then the DIB will be allowed to open. Thereafter, the synchronization process will rebuild the change cache for each replica it holds, and eDirectory will resume normal operation. 1.2.3 X.509 and CertMutual Login Methods The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7. When you upgrade from 8.6.x to 8.7, you must upgrade the X.509 and CertMutual login methods as well. 1.2.4 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd) If Native SLP is already present and configured, the eDirectory installation on Solaris 8.0 detects the presence of the Native SLP package and does not install the NovellSLP package. Ensure that the slpd daemon is running before configuring a new eDirectory server, as eDirectory requires SLP in order to query for duplicate tree names, advertising, etc. To start the slpd daemon on Solaris 8.0: 1. Create the slp configuration file, either by copying /etc/inet/slp.conf.example to /etc/inet/slp.conf or by any alternative method. 2. Start the slpd daemon with the following command: /etc/init.d/slpd start. Note: The slpd daemon will not start if the /etc/inet/slp.conf file does not exist. The network administrator can change the slp configuration by editing the /etc/inet/slp.conf file and restarting the slpd daemon. You can use NovellSLP by installing the NovellSLP package, configuring the /etc/slpuasa.conf file as per the network requirements, and starting the slpuasa daemon. Make sure that the /etc/inet/slp.conf file does not exist (either by removing or taking a backup of this file) and stop the /etc/init.d/slpd daemon before using the NovellSLP package. 1.3 HTTP Server Port Configuration If eDirectory 8.7 is installed before Novell iManager, you might have port conflicts. You will need to change the ports used by the eDirectory HTTP stack if iManager fails to run after installation and an exception similar to the following appears in your Console/Terminal that you are running Tomcat from. java.lang.reflect.InvocationTargetException: org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind To resolve this problem, do the following: 1) Login to the tree and browse using ConsoleOne. 2) Open the HTTP server object for the server. 3) Set the httpDefaultClearPort and httpDefaultTLS port attributes. The default port numbers are: httpDefaultClearPort:80 httpDefaultTLS: 443 4) The server will be refreshed the next time limber runs, or you can initiate limber from ndstrace by using the set ndstrace = *L command. Note: The httpstk object can be recreated using iManager or ConsoleOne, or by running the following command: ndsconfig add –m http 5) Start Tomcat. This is true if any Web server, such as Apache in Linux, Solaris, or AIX, is installed in the system. 1.4 Installing Novell iManager 1.5 After you have installed eDirectory 8.7, make sure that you install Novell iManager 1.5 from the WebApps CD in order to take full advantages of the features and capabilities of eDirectory 8.7. For additional information on Novell iManager 1.5, see /readme/en/imanager_readme.html on the WebApps CD. 1.5 Manually Extending the Schema Before Installation In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.7 server is being installed for some features to be completely installed properly. One instance of this is the httpServer object schema definition, which might not synchronize to the server where the object instance needs to be created before the install code attempts to create it. In this particular instance, the failure to create the httpServer object schema definition is not fatal, as it only contains optional configuration information. This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7. Use ndssch to install the eDirectory 8.7 schema files located in the /usr/lib/nds-schema directory on the eDirectory 8.7 CD. 1.6 Enabling Large File Support Before installing eDirectory on UNIX, we recommend that you enable large file support on the file system where eDirectory files will reside. eDirectory requires the underlying file system to allow each DIB file (nds.db, nds.01, nds.02, etc.) to grow to a size of 4 gigabytes. If large file support has not been enabled, files are generally limited to 2 gigabytes by the file system, causing problems for an eDirectory installation with a large number of objects (typically, 500,000 or more). For other issues related to large files, see Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com). 1.7 Enabling the Linux, Solaris, or AIX Host for Multicast Routing Multicasting needs to be enabled in order for the eDirectory installation and configuration to work properly. To check if the host is enabled for multicast routing: - On Linux systems, enter the following command: /bin/netstat -nr The following entry should be present in the routing table: 224.0.0.0 0.0.0.0 If the entry is not present, log in as root and enter the following command to enable multicast routing: route add -net 224.0.0.0 netmask 240.0.0.0 dev -interface - On Solaris systems, enter the following command: /usr/bin/netstat -nr The following entry should be present in the routing table: 224.0.0.0 host_IP_address If the entry is not present, log in as root and enter the following command to enable multicast routing: route add -net 224.0.0.0 netmask 240.0.0.0 hme0 - On AIX systems, see if the multicast routing daemon mrouted is running. If it is not running, configure and start the multicast daemon mrouted. See the "mrouted.conf File" section in the Files Reference book in the AIX 4.3 or 5 Reference Documentation Set (http://publibn.boulder.ibm.com/ doc_link/en_US/a_doc_lib/files/aixfiles/ mrouted.conf.htm) for an example configuration file. 1.8 Using Dotted Container Names in a Server's Context The Novell eDirectory 8.7 installation does not support dotted container names in the server's context (for example, OU=Eng.Sales.O=www.acme.com). To avoid errors, you should install new servers into a tree that does not contain dots in the server's context. Note: You cannot escape the dots (for example, OU=Eng\.Sales.O=www\.acme\.com will not work). 1.9 LDAP Server Was Not Configured (-603) During Install When installing eDirectory on Linux, Solaris, or AIX servers into a replica with many objects or with synchronization problems, you might experience an "LDAP Server was not configured (-603)" error at the end of the ndsconfig process. If the ndsd service is stopped at this point, you can restart it manually by entering the following at the console prompt: /etc/init.d/ndsd start (for Linux and Solaris) /etc/ndsd start (for AIX) At this point, you might also need to verify that the LDAP Server object for that server was configured with an SSL Certificate. In ConsoleOne, open the properties pages of the LDAP Server object for this server, select the SSL/TLS Configuration tab, then look at the Server Certificate field on that tab. If it has been populated with the name of an SSL Certificate (for example, "SSL CertificateDNS"), click Close to exit the properties pages. If this field is blank, click the browse button for that field and select a certificate from the list. The default is "SSL CertificateDNS." Then click Apply and Close. Finally, verify that the /var/nds/novell/nici/0 directory (if user 'root' ran the install) contains a 'nicisdi.key' file. If it doesn't, restart the server to synchronize the key file. 1.10 Specifying eDirectory Information During the Installation When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation will not detect the error until later, and the eDirectory installation will fail with a -611 or -634 error. The valid Server object container types are: - Organization (O) - Organizational Unit (OU) - Domain (DC) 1.11 Core DS Component Installation On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error dialog like the following will be displayed: "The DS component of eDirectory failed to install correctly. The error received was: ''. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated." If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support Web site at http://support.novell.com for possible solutions. 2.0 Known Issues 2.1 iMonitor Issues 2.1.1 Browser Compatibility The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 6.2 or later. 2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor. 2.1.3 Automatic Refresh for Trace Live Doesn't Refresh After specifying the refresh rate and selecting Refresh On, the Trace window will update only once. To get more data added to the trace window, select the Update button as needed. 2.1.4 Logging in to iMonitor as an Administrative User iMonitor does not allow you to log in as an administrative user and then perform trace or repair operations if you are currently logged in as a normal user (a user without administrative rights). If you have logged in to iMonitor as a normal user, open another browser window, log in to the same server as an administrative user, then run Trace or DSRepair. 2.2 Using the Latest LDAP Features To use the latest LDAP features such as start TLS, stop TLS, SASL External, SASL Digest MD5, and SASL NMAS Methods, download the September 2002 or later version of the LDAP Libraries for C from the Novell Developer Web site at http://developer.novell.com. SDKs are available for NetWare, Windows, Solaris, Linux, and AIX. The LDAP Libraries for C available at http://developer.novell.com/ndk/cldap.htm is the latest released version of the LDAP libraries. 2.3 ConsoleOne Issues 2.3.1 ConsoleOne on AIX ConsoleOne is not supported on AIX. You can use other platforms, such as NetWare, Windows NT/2000, Linux or Solaris for ConsoleOne. 2.3.2 ConsoleOne on Linux You may receive the following message when installing ConsoleOne on Linux: unable to find c1-install script in Linux/ConsoleOne To install ConsoleOne, manually run the c1-install file located in the Linux/consoleone directory 2.3.3 ConsoleOne and Open SLP The NOVLc1 package does not get installed during the installation of ConsoleOne on a Linux machine with an Open SLP package. If an Open SLP package is detected on a Linux machine and you want to install ConsoleOne on that Linux machine, install the Novell SLP package first, then run the ConsoleOne install script. 2.3.4 Using ConsoleOne to Manage NetWare 4.x Servers In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX. 2.3.5 Creating Server Certificate Objects Creating Server Certificate objects (also known as Key Material objects) is not supported in ConsoleOne on the UNIX platforms. This function is supported through iManager or from ConsoleOne on the Windows platform. 2.3.6 New ConsoleOne Switch Using the -forceMaster switch when starting ConsoleOne will cause ConsoleOne to always talk to the master replica for the objects being accessed. We don't recommend this switch during normal use of ConsoleOne. Use this switch under direction from Novell Technical Support personnel. 2.4 Security Domain Keys Issues Each eDirectory server is normally installed with one or more Security Domain (SD) keys. SD keys are used to manage sensitive information shared between servers within a given tree. SD keys are normally setup automatically during the eDirectory installation process. Problems can surface when SD keys are out of sync between the servers, such as an inability to create user certificates or the inability to set user passwords. Usually the error that is reported in these cases is -1460. There are three ways in which the SD keys can be out of sync: 1) The W0 object is pointing to a server that is not installed with an SD key. 2) Various servers have SD keys not shared with other servers. 3) The W0 object does not contain a server entry. Note: The W0 object is located in the KAP.Security container. Use ConsoleOne to view the W0 object. To resolve problem 1: - Grant Write rights to [All Attributes Rights] on the W0 object to the server listed on the ‘NDSPKI:SD Key Server DN’ attribute. (Note: this attribute is located on the Other tab in the ConsoleOne view of the W0 object.) The server specified in this attribute will become the SD key server. - Install NICI 2.4.1 on this server, then reboot the server. This will create a new SD key. To resolve problem 2: - Identify all Windows-based eDirectory servers for this tree (i.e. all Windows NT and 2000 eDirectory servers). Add these servers as additional entries to the ‘NDSPKI:SD Key Server DN’ attribute on the W0 object (servers can be added using ConsoleOne). - Grant Read rights to [All Attributes Rights] on the W0 object to all servers added to the ‘NDSPKI:SD KEY Server DN’ attribute. To resolve problem 3: - Locate a server in the tree that has a copy of the SD key. You can determine if a server has a copy of the SD key by searching for the file named NICISDI.KEY. On a NetWare server, this file will be located in SYS:\SYSTEM\NICI. On a Windows server, this file will be located in %SYSTEMROOT%\WINNT\SYSTEM32\NOVELL\NICI. - Add the server to the ‘NDSPKI:SD Key Server DN’ attribute on the W0 object (servers can be added using ConsoleOne). - Grant Write rights to [All Attributes Rights] on the W0 object to this server. This server will become the SD key server. If you are unable to locate a server containing a copy of the SD key, delete the W0 object and restart the eDirectory installation. The next server you install will become the SD key server. 2.5 SNMP Issues 2.5.1 SNMP on Linux On Linux, ucd-snmp-4.2.1, ucd-4.2.2, or ucd-snmp-4.2.3 need to be installed. Links to the missing libraries need to be created. To find what libraries are missing, enter the following: # ldd /usr/bin/ndssnmpsa 2.5.2 Restarting ndssnmpsa When the master agent is restarted on Solaris, Linux, and AIX, ndssnmpsa needs to be restarted. 2.5.3 SNMP Master Agent Configuration on AIX For SNMP support on AIX, the /etc/snmpd.peers file should be manually modified with the following entry. This is not done automatically during the install. "ndssnmpsa" 1.3.6.1.4.1.23.2.98 "ndssnmpsa_password" This entry is expected to be done by the preinstall script during the package addition. 2.6 Roll-Forward Logs Are Turned Off After Restoring eDirectory As part of the process of restoring the eDirectory database, roll-forward logging on the server is always reset to the default settings. This means that after a restore, roll-forward logging is reset to Off, and the location of the roll-forward logs is reset to the default location. If you have been using roll-forward logging on a server, and you want to continue to use it on that server after a restore, you must do the following: 1. After a restore, re-create your configuration for roll-forward logging to make sure it is on and the logs are being saved in a fault-tolerant location. 2. After turning on the roll-forward logs, do a new full backup. The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to occur. For more information on the roll-forward logs and how to choose a fault-tolerant location, see "Using Roll-Forward Logs" in the "Backing Up and Restoring eDirectory" chapter in the eDirectory 8.7 Administration Guide. 2.7 Certificate Server Issues 2.7.1 Extractable Keys Support When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.6 or later on NetWare and NT platforms, or if running eDirectory 8.7 or later for Unix platforms. If you are attempting to make the keys extractable on an unsupported platform, you will receive a -1222 error. 2.7.2 Importing CRL Data Onto a CRL Object Importing CRL data onto a CRL object is not supported through iManager. You must use ConsoleOne for this feature. 2.8 Static Cache Limits on AIX Due to limitations of AIX version 4.3, eDirectory only supports static cache limits on AIX. By default, the cache size is limited to 16MB. This is adjustable at runtime, but must be done by the administrator, and it must be done for every server running AIX. The easiest way to adjust this is from iMonitor. Click Agent Configuration, then Database Cache. This will bring up a page that lets you adjust the amount of memory that eDirectory will use for cache. In the Database Cache Configuration table, make sure the Hard Limit radio button is selected, enter the new cache size in the Cache Maximum Size field, then click Submit. Refer to the eDirectory 8.7 Administration Guide for more information on changing database cache settings. 2.9 Increasing the Size of the eDirectory Log Files You can use Novell iManager to increase the maximum size of the eDirectory log files (in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size) to a large value (such as several meg). However, the size of the log files can become a problem and might cause eDirectory to stop responding. To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form: TOMCAT_OPTS=-Xmx512m This increases the JVM heap size from the default of 64MB to 512MB. 2.10 Default Backup File Size The Backup tool on Linux, Solaris, and AIX cannot create a backup file larger then 2 gigabytes. If the database being backed up is larger than 2 gigabytes, you should specify a maximum backup file size of less than 2 gigabytes when performing a backup on these platforms. This will break the backup file into multiple smaller files. 2.11 eMBox Client Commands: Don’t Use “-ns” or “ac” When running the eMBox Client at the command line or in a batch file, do not use the –ns or ac options on Solaris, Linux, or AIX. The eMBox Client will return an error if you do. The –ns and ac options are used only for the NetWare platform (sometimes shown together in the documentation as “-nsac”). In the documentation, the general example of a batch file command included the –ns option, which is misleading. The example appears in "Doing Unattended Backups, Using a Batch File with the eMBox Client" in the "Backing Up and Restoring eDirectory" chapter in the eDirectory 8.7 Administration Guide. Here is the corrected general example, with “–ns” no longer included after “java”: java -cp path/eMBoxClient.jar embox -s server_name -p port_number -u username.context -w password -t backup.backup -b -f backup_filename_and_path -l backup_log_filename_and_path -u include_file_filename_and_path -e -t -w 3.0 Documentation Issues 3.1 Viewing Documentation on the Product CD This product CD contains documentation for the following products: - Novell eDirectory /documentation/english/edir87/edir87.pdf /documentation/english/edir87/qsedir87.pdf - Novell Client /documentation/english/noclienu/noclienu.pdf - Novell Certificate Server /documentation/english/certserv/certserv_admin.pdf - ConsoleOne 1.3.4 /documentation/english/consol13/c1_enu.pdf - Novell Modular Authentication Services (NMAS) /documentation/english/nmas/doc/nmas_admin.pdf For additional information on Novell iManager 1.5 and Novell eGuide 2.1, see the following sources on the WebApps CD: - Novell iManager 1.5 /documentation/english/imanager/imanager.pdf - Novell eGuide 2.1 /documentation/english/eguide/eguide.pdf 3.2 Additional Readme Files For additional information on Novell iManager 1.5 and Novell eGuide 2.1, see the following sources on the WebApps CD: - Novell iManager 1.5 /readme/en/imanager_readme.html - Novell eGuide 2.1 /readme/en/eguide_readme.html 3.3 Additional Readme Information For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com). 4.0 Legal Notices 4.1 Disclaimer, Export Notice, Copyright, and Patents Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. Copyright (C) 2002 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S and Foreign Patents Pending. 4.2 Novell Trademarks Novell, NetWare, NDS, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries. eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc. 4.3 Third-Party Trademarks All third-party trademarks are the property of their respective owners. 4.4 The Novell TLS Library This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Please refer to \documentation\english\license\ license.txt on the eDirectory CD for additional information and license terms.