Novell eDirectory 8.7.1 for Windows NT/2000
August 25, 2003
TABLE OF CONTENTS
1.0 Installation Issues
1.1 Prerequisites
1.2 eDirectory 8.7.1 Eval License
1.3 Distributing Proper Versions of DSRepair to All Servers in the Tree
1.4 Upgrading from a Previous Version
1.5 Uninstalling eDirectory 8.7.1
1.6 NICI Uninstall Issues
1.7 Video Cards and Driver Settings
1.8 HTTP Server Port Configuration
1.9 SNMP Installation Notes
1.10 IPX Configuration - Network Settings
1.11 Manually Extending the Schema Before Installation
1.12 Installing eDirectory on a Windows Server That Has a Jaz or Zip Drive
1.13 Specifying eDirectory Information During the Installation
1.14 Core DS Component Installation
1.15 Installing eDirectory on a Windows 2000 Server with the Novell Client
2.0 Known Issues
2.1 iMonitor Issues
2.2 Running DHost With Windows 2000 Terminal Services
2.3 ConsoleOne Issues
2.4 SNMP Issues
2.5 eDirectory Service Manager Issues
2.6 Certificate Server Issues
2.7 Accessing Encrypted Objects and Attributes
2.8 NMAS Issues
2.9 Increasing the Size of the eDirectory Log Files
2.10 Upgrading eDirectory on a ZENworks for Desktops 4 Middle Tier Server
2.11 Netscape Schema Attributes
2.12 Increasing the Speed of Bulkloads
2.13 Creating LDAP Server and Group Objects in iManager
3.0 Documentation Issues
3.1 Viewing Documentation on the Product CD
3.2 Additional Readme Information
4.0 Legal Notices
1.0 Installation Issues
1.1 Prerequisites
- Windows NT Server 4.0 with Service Pack 6 or later, or Windows 2000 Server with Service Pack 2 or later.
IMPORTANT: Windows XP is not a supported Novell eDirectory 8.7.1 platform.
Novell eDirectory 8.7.1 has not been tested on Microsoft Windows Server 2003. Full support for this platform is being considered for a future release of eDirectory.
- In order for eDirectory 8.6 or 8.7.x running on Microsoft Windows NT or 2000 to successfully communicate with NDS 6.x running on NetWare 4.11 or NetWare 4.2, NDS 6.17 must be running on the NetWare 4.x server. In addition, the following line must be added to the end of the autoexec.ncf file on the NetWare 4.x server:
set dstrace = !ne
NOTE: If ds.nlm is unloaded and reloaded without rebooting the server, the above set command must be executed after ds.nlm is loaded.
For more information about this setting, see TID #2963473 in the Knowledgebase at http://support.novell.com.
1.2 eDirectory 8.7.1 Eval License
In order to test eDirectory 8.7.1, you will need to request an Evaluation License at http://www.novell.com/licensing/eld/LRequest.jsp?ENCRYPTION=EVAL. Upon submittal, you will receive the license files via email almost immediately with the installation instructions included.
1.3 Distributing Proper Versions of DSRepair to All Servers in the Tree
For information on preparing an existing tree for an eDirectory 8.7.1 installation, see Updating the eDirectory Schema for NT/2000 in the Novell eDirectory 8.7.1 Administration Guide.
1.4 Upgrading from a Previous Version
1.4.1 Prerequisites
Before you upgrade to eDirectory 8.7.1, make sure you have the latest NDS and eDirectory patches installed on all non-eDirectory 8.7.1 servers in the tree. You can get NDS and eDirectory patches from the Novell Support Web site.
You should also make sure that the latest Windows NT/2000 Service Packs are installed.
1.4.2 Upgrading to Novell eDirectory 8.7.1 on a Double-byte System
In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue has been resolved in Novell eDirectory 8.7.1. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.7.1 when eDirectory will report corruption errors that are due to incorrect keys.
To resolve this issue, run dsrepair.dlm from NDS Services (in the Windows Control Panel, double-click NDS Services > select dsrepair.dlm > click Start) after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.
1.4.3 Certificate Server 2.0.1
Your CA server must be running Certificate Server 2.0.1 or later before installing a new server into the tree. You can determine which server is the CA by viewing the Certificate Authority object located in the Security container at the root of the tree.
To verify the version of the Certificate Server software, check the module version number on pki.nlm (NetWare) or pki.dlm (Windows).
If the Certificate Server software version on the CA server is out of date, install eDirectory 8.7.1 on the CA server first, then proceed to install eDirectory 8.7.1 on any additional servers.
1.4.4 X.509 and CertMutual Login Methods
The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.1. When you upgrade from 8.6.x to 8.7.1, you must upgrade the X.509 and CertMutual login methods as well.
The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.1.
1.4.5 Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.1
Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.1 rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory.
The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.
1.5 Uninstalling eDirectory 8.7.1
When uninstalling eDirectory 8.7.1, you might receive the following error if the installation of eDirectory 8.7.1 was an upgrade from NDS eDirectory or NDS eDirectory 8.5:
Incompatible JClient/DClient Package
JClient Revision 1.0.19
JClient Revision 1.1.1095
This error occurs only when the previous eDirectory installation was performed on a date later than the dates of the eDirectory 8.7.1 files located in the \NT\I386\NDSONNT\NI\LIB directory on the Novell eDirectory 8.7.1 CD. If the previous installation was performed prior to those dates, this error will not occur.
To solve this issue, copy the .JAR files from the \NT\I386\NDSONNT\NI\LIB directory on the Novell eDirectory 8.7.1 CD to the \PROGRAM FILES\COMMON FILES\NOVELL\NI\LIB directory on the Windows server before performing the eDirectory 8.7.1 uninstall.
1.6 NICI Uninstall Issues
After uninstalling NICI, if you want to completely remove NICI from your system, delete the "%SYSTEMROOT%\WINNT\SYSTEM32\NOVELL\NICI" subdirectory. You might need to take ownership of some of the files and directories to delete them.
WARNING: Once the NICI subdirectory has been removed, any data or information that was previously encrypted with NICI will be lost.
1.7 Video Cards and Driver Settings
The eDirectory, ConsoleOne, Novell iManager, and eGuide installs use Java 1.3. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly. On NetWare, the video card must also be VESA-compliant.
With some video cards, and with some driver versions, you might notice some visual abnormalities in the installation screens. Examples include a pastel color scheme and a strange mottling effect that may look like the resolution is much lower than the actual setting. Some installation screens will not display at all. This makes it appear that the installation is hung up, or that it has aborted. If you see that the installation screens do not appear correctly, download a newer version of the driver for your video card. Otherwise, the installation may not complete successfully.
With some video cards, when 256 colors are set, the installation screen might seem to disappear after the SNMP portion of the installation even though install.exe and launch.exe are still running (as shown in the Windows Task Manager). If this happens, use Task Manager to terminate the launch.exe process, set your display to more than 256 colors, then re-run the installation. This will perform an upgrade installation over the top of the existing installation, and the upgrade should complete successfully.
1.8 HTTP Server Port Configuration
You should make sure that the HTTP stack ports you set during the eDirectory installation are different than the HTTP ports you have used or will be using for Novell iManager.
If eDirectory 8.7.1 is installed before Novell iManager, you might have port conflicts if an exception similar to the following is displayed in the console window when iManager is installed:
java.lang.reflect.InvocationTargetException: org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind
If Novell iManager does not load when you click the link in the Getting Started document (gettingstarted.html), check the following file:
<iManager installation path>\tomcat\logs\jvm.stderr
You will see exceptions at the bottom of the file similar to the following:
java.lang.reflect.InvocationTargetException: org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind
To resolve this problem, do the following:
- In Windows Control Panel for NT and Administrative Tools for 2000, select Services.
- Find the jakarta entry, then click Stop.
- Start ConsoleOne and log in to your eDirectory 8.7 tree.
- In the tree view, select the container where you installed the server object.
- Open the properties of the HTTP Server - <servername> object and select the Other tab.
- Change the httpDefaultClearPort and httpDefaultTLSPort attributes to port numbers other than your iManager web server (probably 80) and tomcat ports (8080, 8007, 8009). For example, change to 8008 for httpDefaultClearPort and 8009 for httpDefaultTLSPort.
- Open NDS Services from the Windows Control Panel and select the Services tab.
- Select ds.dlm service and click the Configure button.
- In NDS Configuration, select the Triggers tab.
- Click Limber to start the Limber process. The new Port assignments should be set.
- In Windows Control Panel for NT and Administrative Tools for 2000, select Services.
- Find the jakarta entry, then click Start.
- Verify that your Web server is running. Test this by opening the Getting Started page (eMFrame\help\en\install\gettingstarted.html) and selecting the iManager link.
1.9 SNMP Installation Notes
Prior to the installation of eDirectory 8.7.1 on Windows NT/2000, make sure that the native Master Agent is installed.
If you have the Windows SNMP service installed and running on your system, the eDirectory installation will temporarily shut it down while it installs the Novell SNMP sub agent. After the Novell SNMP sub agent is installed, the Windows SNMP service will be restarted.
1.10 IPX Configuration - Network Settings
If your IPX configuration (in Network Settings in the Windows Control Panel) is configured with an Internal Network Number of 0, the eDirectory 8.7.1 installation might fail if the machine has multiple NICs. The Internal Network Number must be set to something other than 0 in order for the eDirectory installation to complete properly, and for eDirectory to run properly after installation.
If you choose to uninstall IPX, IPX should be completely uninstalled as a protocol, not merely disabled on some or all adapters.
If you use IPX, it must be configured correctly. That is, multiple adapters (LAN or WAN) must have a valid internal IPX net number set.
You cannot install, remove, enable, or disable a protocol on any adapter while eDirectory is running.
1.11 Manually Extending the Schema Before Installation
In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.7.1 server is being installed for some features to be completely and properly installed. One instance of this is the httpServer object schema definition, which might not synchronize to the server where the object instance needs to be created before the install code attempts to create it. In this particular instance, the failure to create the httpServer object schema definition is not fatal, as it only contains optional configuration information.
This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7.1. This can be done by manually extending the schema using the eDirectory 8.7.1 schema files located in the \nt\i386\NDSonNT\ndsnt\nds directory on the eDirectory 8.7.1 CD.
1.12 Installing eDirectory on a Windows Server That Has a Jaz or Zip Drive
When installing eDirectory on a Windows server that has a Jaz or Zip drive, you might receive the following error:
"There is no disk in the drive. Please insert a disk into <drive_name>."
To resolve this issue, do one of the following:
- Click Continue several times.
- Insert a Jaz or Zip cartridge, then click Continue.
- Start the install with a Jaz or Zip cartridge in the drive.
1.13 Specifying eDirectory Information During the Installation
When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation will not detect the error until later, and the eDirectory installation will fail with a -611 or -634 error.
The valid Server object container types are:
- Organization (O)
- Organizational Unit (OU)
- Domain (DC)
1.14 Core DS Component Installation
On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error dialog like the following will be displayed:
"The DS component of eDirectory failed to install correctly. The error received was: '<some error>'. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated."
If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support Web site for possible solutions.
1.15 Installing eDirectory on a Windows 2000 Server with the Novell Client
When eDirectory 8.7.1 is installed on a Windows 2000 server already containing the Novell Client, eDirectory will install an SLP service, but set the service to manual mode so that it does not run when the server is booted. eDirectory will then use the SLP service from the Novell Client.
If the Novell Client is removed, leaving no SLP service for eDirectory to use, you will have to manually start the SLP service, or change it to start automatically when the server boots.
2.0 Known Issues
2.1 iMonitor Issues
2.1.1 Browser Compatibility
The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.
2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters
When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.
2.1.3 Agent Health Check on a Single Server Tree
The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.
If you don’t want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:
perishable_data-active: OFF
and
ring_readable-Min_Marginal: 1
or
ring_readable-active: OFF
This will turn off the warnings for Readable Replica Count and Perishable Data.
2.1.4 iMonitor Report Does Not Save the Records of Each Hour
The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.
2.1.5 Clone DIB Set Error
You will receive error -626 (All Referrals Failed) when generating a clone DIB set from a server that holds a replica that is anything other than a master replica. You should only clone from a server holding the master replica.
2.2 Running DHost With Windows 2000 Terminal Services
When running eDirectory utilities such as dsbrowse.dlm and dsrepair.dlm on a Windows Terminal Server, the utility opens on the main desktop, not on the Terminal Services window. This is because Win32, for security reasons, will not allow a service to display a window on the Terminal screen.
2.3 ConsoleOne Issues
2.3.1 ConsoleOne Errors on Exporting Certificates
Sometimes during a certificate export using ConsoleOne, the following error message is displayed:
"ConsoleOne.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created."
At other times, there is no error message displayed, and ConsoleOne simply exits unannounced.
This problem occurs because of an incompatibility between NICI 2.01 or 2.02 and the Novell Client version 4.83 (Windows NT/2000) or Novell Client version 3.32 (Windows 98). To resolve this problem, do one of the following:
- Install NICI 2.4.1 or later on the machine that you run ConsoleOne from. NICI 2.6.0 is available on the eDirectory 8.7.1 CD in the following location:
\nt\i386\nici\wcniciu0.exe
- Run ConsoleOne on a Windows NT/2000 machine that has eDirectory 8.7.1 installed on it, which will also have NICI 2.6.0 installed.
2.3.2 Using ConsoleOne to Manage NetWare 4.x Servers
In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.
2.3.3 “Operation Failed” Error
The error “Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites.” indicates that the DSAPI libraries installed by the Novell Client or the NetWare Installation are not available, but ConsoleOne is the latest version with the NJCL libraries that are trying to use the new APIs.
To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4 on a Windows server or workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.1 CD.
2.3.4 Using the Alt Key to Enter International Characters
Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.
2.3.5 Novell Client Versions Required for ConsoleOne 1.3.6
ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client. ConsoleOne 1.3.6 on Windows requires one of the following:
- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later
2.4 SNMP Issues
2.4.1 eDir.mib
The eDirectory MIB file (<eDirectoryInstallRootDir>\snmp\edir.mib) on Windows compiles with a few errors and warnings on HP-OpenView. Please ignore these errors.
2.4.2 SNMP Log Files
If you have problems bringing up SNMP services, check the following log files, located in the c:\novell\nds\snmp\ directory by default, to get more information on possible errors:
- ndssnmpsa.log
- ndssnmpsrv.log
2.4.3 SNMP Configuration File
If LDAP is not configured to run in clear text mode, the name of the trusted root certificate file needs to be given in the SNMP configuration file (for example, SSLKEY sys:\etc\trust.der) before bringing up dssnmpsa.
ndssnmp.cfg can be found in <eDirectoryInstallRootDir>\snmp\ on Windows.
2.4.4 Sub Agent Login Screen
On Windows 2000, the SNMP Sub Agent login screen sometimes appears after a considerable delay.
2.4.5 Using SNMP After a New Tree Installation
When installing eDirectory 8.7.1 for the first time (creating a new tree), if the Windows SNMP Service is installed on the server, and the SNMP Service has one or more dependent services, eDirectory will not be able to shut down the SNMP Service. In this case, SNMP will not be ready to use after the eDirectory installation.
To use SNMP, follow these steps to restart the SNMP service:
- Click Start > Settings > Control Panel > Administrative Tools > Services.
- Right-click SNMP Service in the Name list, then click Stop.
- Click Yes to All.
- Right-click SNMP Service in the Name list, then click Start.
2.4.6 Uninstalling eDirectory
If the Windows SNMP Service is installed on a server, and the SNMP Service has one or more dependent services, the eDirectory uninstall will not delete all the SNMP files in the \novell\nds directory. However, the other uninstallation processes will complete successfully, including the deletion of the SNMP registry entries, and the deconfiguration process that the Novell SNMP agent does with DS and the SNMP Service.
Follow these steps to complete the uninstallation:
- Click Start > Settings > Control Panel > Administrative Tools > Services.
- Right-click SNMP Service in the Name list, then click Stop.
- Click Yes to All.
- Right-click SNMP Service in the Name list, then click Start.
- Manually delete the remaining SNMP files in the \novell\nds directory.
2.5 eDirectory Service Manager Issues
If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. Use the NDSCons utility (c:\novell\NDS\NDSCons.exe) on the eDirectory server to restart eDirectory.
2.6 Certificate Server Issues
2.6.1 Extractable Keys Support
When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.6 or later on NetWare and NT platforms, or if running eDirectory 8.7 or later for UNIX platforms. If you are attempting to make the keys extractable on an unsupported platform, you will receive a -1222 error.
2.6.2 iManager CRL Creation
iManager CRL creation creates the CRL object but doesn't populate the object with the selected Certificate Revocation List. You must modify the CRL object after it has been created and import the Certificate Revocation List.
2.6.3 Using iManager to Create Certificates for Multiple Users
To create certificates for multiple users in iManager, use the Create User Certificate task under the Certificate Server role. This will allow the administrator to select a list of users and create a certificate for each selected user.
2.6.4 Removing a Server from eDirectory
When removing a server from eDirectory and then reinstalling it into the same context with the same name, a successful reinstallation occurs only if the SAS Service object representing the removed server is also deleted, if it existed.
For example, for a server named MYSERVER, a SAS object named SAS Service - MYSERVER could exist in the same container as the server. This SAS object must be manually deleted (using ConsoleOne) after the server is removed from the tree, but before the server is reinstalled into the tree.
IMPORTANT: If the server is the Organizational CA or the SD Key server, you must complete some additional steps. These steps are documented in TID 10056795 (entitled Certificate Server Issues: Removing a Server from a Tree). You can search for this TID in the Novell Knowledgebase.
The default server certificates created for the server should also be removed so that they will get recreated when the server is reinserted.
These certificates are SSL Certificate IP - MYSERVER and SSL Certificate DNS - MYSERVER. You should be careful when deleting these certificates. If data has been encrypted using either of these certificates, the data must be retrieved before the certificates are deleted.
2.6.5 Importing CRL Data onto CRL Object
The CRL file is not inserted into eDirectory when creating a CRL object. After creating the CRL object, modify the object and select import. Select the file again and it will be properly imported.
2.6.6 Long DNS Names and Long Server Names
Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the box. You might receive the following error during the installation of Novell Certificate Server if the combination of the server name and the DNS name is 54 characters or greater due to the maximum object name length of 64 characters:
“The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?”
The -613 error is not a fatal error; however, Novell Certificate Server will not be able to create the auto-generated certificates which match the long DNS name.
To avoid this problem with future servers, make sure that the combined number of characters of the DNS name and the server name is fewer than 54 characters.
To fix this problem on an existing server, use ConsoleOne or iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications.
See the Novell Certificate Server Administration Guide for instructions on how to create server certificates.
After the server certificate is created, the applications (Apache, Tomcat, etc.) on which you want to use the new server certificate will need to be configured to do so.
2.7 Accessing Encrypted Objects and Attributes
If you cannot access your Certificates, KMO objects, NMAS attributes, CA, or other encrypted objects and attributes hosted by a server after you have completed upgrading eDirectory from a version prior to 8.6, this might be due to NICI not fully migrating. This problem might be reported as error -1460 by the service.
To resolve this issue:
- Shut down eDirectory.
- Back up all folders in winnt\system32\nici, then delete these folders.
Important: Delete only the sub-folders, DO NOT DELETE the NICI folder or other files in the NICI folder.
- Restart eDirectory.
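The backup-and-delete step above as a script, added here as an example and not part of the original readme or any Novell tool: it copies each sub-folder of the NICI directory to a backup location, verifies the copies by SHA-256, and only then deletes the sub-folders, leaving files directly in the NICI folder alone. The function names, the backup location and the sample file names are assumptions; run it only while eDirectory is shut down.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_and_clear_subfolders(nici_dir, backup_dir):
    """Back up each sub-folder of nici_dir, verify the copies, then delete
    only those sub-folders. Files directly in nici_dir are never touched.
    Returns the names of the sub-folders that were removed."""
    nici_dir, backup_dir = Path(nici_dir), Path(backup_dir)
    if not nici_dir.is_dir():
        raise FileNotFoundError(f"not a directory: {nici_dir}")
    # A backup placed inside the NICI folder would itself be a sub-folder
    # and would be deleted in phase 2.
    src, dst = nici_dir.resolve(), backup_dir.resolve()
    if dst == src or src in dst.parents:
        raise ValueError("backup directory must be outside the NICI folder")
    if backup_dir.exists() and any(backup_dir.iterdir()):
        raise FileExistsError("backup directory must be empty or absent")

    subfolders = sorted(
        p for p in nici_dir.iterdir() if p.is_dir() and not p.is_symlink()
    )
    backup_dir.mkdir(parents=True, exist_ok=True)

    # Phase 1: copy and verify everything before anything is deleted.
    for folder in subfolders:
        copy = backup_dir / folder.name
        shutil.copytree(folder, copy)
        if digest_tree(folder) != digest_tree(copy):
            raise OSError(f"backup of {folder.name} does not match the original")

    # Phase 2: remove the sub-folders only.
    for folder in subfolders:
        shutil.rmtree(folder)
    return [folder.name for folder in subfolders]


def build_sample_tree(root):
    """Constructed sample layout (placeholder names, not real NICI contents)."""
    nici = Path(root) / "nici"
    (nici / "user-a").mkdir(parents=True)
    (nici / "user-b" / "nested").mkdir(parents=True)
    (nici / "top-level.bin").write_bytes(b"stays in place")
    (nici / "user-a" / "key.bin").write_bytes(b"constructed A")
    (nici / "user-b" / "nested" / "key.bin").write_bytes(b"constructed B")
    return nici


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        nici = build_sample_tree(tmp)
        removed = backup_and_clear_subfolders(nici, Path(tmp) / "nici-backup")
        print("removed:", removed)
        print("left in NICI folder:", sorted(p.name for p in nici.iterdir()))
```

Because nothing is deleted until every copy has been verified, a failed or partial backup leaves the NICI folder exactly as it was.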
2.8 NMAS Issues
2.8.1 Installation Issue
You must have the NICI Client installed on each client that will run ConsoleOne and NMAS software.
2.8.2 Methods and Sequences Issues
- If a login method's snap-ins are already present and you try to install the same login method again, you will receive a failed status displayed in the login methods installation summary dialog. This occurs only when running ConsoleOne from the server.
- nmasinst does not have an option to remove NMAS methods. This must be done using ConsoleOne. See the NMAS Administration Guide for more information.
- For products to use NMAS login methods properly, at least one NetWare 6.5 server in the eDirectory partition needs to hold a R/W replica of the User objects that will be using NMAS.
- Snap-ins for managing the Enhanced Password login method can be installed into ConsoleOne by executing \nmas\consoleone\snapininstall.exe.
- If you do not restart the server after installing NMAS and you try to reset passwords, you will receive an error message.
- Two password methods, such as Simple and Enhanced, cannot be used in an AND sequence if the Novell Client is set to display the password field, which it is by default.
- If you use a login sequence that has a non-password method (for example, the X509 method) followed by a password method (for example, the simple password method), the user must enter the credential for the password method in the initial Novell Client Login Dialog Password field before providing the non-password credential. After entering the credential for the password method, the user will then be prompted to enter the password to unwrap the certificate, thus providing the credential for the non-password method.
2.8.3 Administration Issues
- Updating ConsoleOne from 1.2d to 1.3.6 does not update the products.dat file on the NetWare server.
- NMAS does not support AIX 4.3.3.
- The simple password is used for various authentication services in NetWare 6.5. This includes the authentication support for CIFS and ASP.
A problem might arise if you set or change a user’s simple password from the ConsoleOne administrative snap-ins using Force Password Change. If you experience problems setting an initial password, you might need to check the Force Password Change check box. If the user already has a password set, Force Password Change might not work unless you remove the current password and specify a new one.
- You must give explicit rights to users with graded authentication. Inherited rights do not work. For example, an administrator's Supervisor right is defined at the [Root] container. Rights for the administrator are not defined in the volume object. So if the administrator changes the volume's security label from Logged In to any other security label, the administrator cannot get the appropriate rights. The administrator must assign explicit rights to the volume, directories or files in the volume.
- When you disable a user's NDS password, the NDS password is set to an arbitrary value that is unknown to the user. When Universal Password is enabled, the Universal Password attribute is set with this same arbitrary value, causing the simple password and the enhanced password methods to become disabled. Disabling an NDS password on a fully-enabled Universal Password system will also disable other employed methods, including the simple password and enhanced password methods.
- Novell iManager provides a Universal Password task that allows you to enable and disable Universal Password. This page also displays the option for NMAS to automatically synchronize the Universal Password with the Simple password whenever a user performs a password update. If you are concerned about the security properties of Simple Password, you can choose not to synchronize the Universal Password with the simple password by unchecking this option. If you have NetWare 6.0 servers in the Tree that contain AFP/CIFS users, you should check the option to synchronize the Universal Password with the simple password.
- If you add an eDirectory 8.7.1 server to an existing Tree or upgrade eDirectory 8.7 that has NMAS and the simple password method installed to eDirectory 8.7.1, users authenticating through LDAP might find that the Universal Password did not synchronize with the simple password. Configuring NMAS and simple password method once again on eDirectory 8.7.1 will resolve the issue.
- The NDS password will not be migrated to the Universal Password when doing an LDAP bind.
2.8.4 NMAS Client Issue
When a user logs into a tree other than the preferred tree using the client, the client incorrectly queries the preferred tree to find the User object. If a User object with the same name exists in the preferred tree, the client will use that User object, which results in the login failing with a -601 error (No Such Object). This is because the wrong tree was used. This issue will be resolved in the next release of the client.
2.9 Increasing the Size of the eDirectory Log Files
You can use Novell iManager to increase the maximum size of the eDirectory log files to a large value (such as several megabytes). In iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size.
However, the size of the log files can become a problem and might cause eDirectory to stop responding on Windows NT. To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:
TOMCAT_OPTS=-Xmx512m
This increases the JVM heap size from the default of 64MB to 512MB.
2.10 Upgrading eDirectory on a ZENworks for Desktops 4 Middle Tier Server
When the ZENworks for Desktops 4 Middle Tier Server and ZENworks for Desktops "Back-end" Server exist on the same Windows 2000 server, and the server is upgraded to eDirectory 8.7.1, you should reinstall the ZENworks for Desktops Middle Tier portion on the server. Symptoms include the following:
- The inability of the ZENworks for Desktops Management Agent to connect to the ZENworks for Desktops Middle Tier.
- The repeated presentation of the credential dialog even though the appropriate credentials are entered when connecting via http://IP_address/oneNet/nsadmin.
If the Windows 2000 server is hosting only the ZENworks for Desktops Middle Tier Server and not the ZENworks for Desktops "Back-end" Server, and the server is upgraded to eDirectory 8.7.1, the reinstallation of the ZENworks for Desktops Middle Tier Server is NOT required.
2.11 Netscape Schema Attributes
The Netscape-related attributes have been removed from the default schema installed with LDAP in eDirectory 8.7.1. These attributes are still present in any tree that was installed prior to eDirectory 8.7.1. To use them in a new tree, add them by using the Novell Import Conversion Export utility to import the netscape-mappings.ldif file located in the schema directory on the eDirectory 8.7.1 CD.
2.12 Increasing the Speed of Bulkloads
To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete.
For more information, see the Universal Password Deployment Guide.
2.13 Creating LDAP Server and Group Objects in iManager
After you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview > select the new LDAP Server object > General > Information > Refresh.
3.0 Documentation Issues
3.1 Viewing Documentation on the Product CD
This product CD contains documentation for the following products:
- Novell eDirectory
\documentation\english\edir87\edir871.pdf
\documentation\english\edir87\qsedir871.pdf
- Novell Client
\documentation\english\noclienu\noclienu.pdf
- Novell Certificate Server
\documentation\english\certserv\certserv_admin.pdf
- ConsoleOne 1.3.6
\documentation\english\consol13\c1_enu.pdf
- Novell Modular Authentication Services (NMAS)
\documentation\english\nmas\doc\nmas_admin.pdf
- Novell International Cryptography Infrastructure (NICI)
\documentation\english\nici\nici admin guide.pdf
3.2 Additional Readme Information
For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base.
4.0 Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright (C) 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.
Novell, NetWare, NDS, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries.
eDirectory, Novell Client, Novell Certificate Server, Novell Modular Authentication Services, and NMAS are trademarks of Novell, Inc.
All third-party trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
Please refer to \documentation\english\license\license.txt on the eDirectory CD for additional information and license terms.