Novell eDirectory 8.7.1 for Solaris, Linux, and AIX
August 25, 2003

Table of Contents

1.0 Installation Issues
    1.1 Prerequisites
    1.2 eDirectory 8.7.1 Eval License
    1.3 Installing or Upgrading eDirectory
    1.4 HTTP Server Port Configuration
    1.5 Manually Extending the Schema Before Installation
    1.6 Enabling Large File Support
    1.7 Enabling the Linux, Solaris, or AIX Host for Multicast Routing
    1.8 patchadd Error While Installing on Solaris
    1.9 ndsconfig Creates the nds.conf File and the dib Directory even when Configuration Fails
    1.10 Using Dotted Container Names in a Server's Context
    1.11 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate
    1.12 Specifying eDirectory Information During the Configuration
    1.13 Core DS Component Installation
2.0 Known Issues
    2.1 iMonitor Issues
    2.2 ConsoleOne Issues
    2.3 SNMP Issues
    2.4 Certificate Server Issues
    2.5 Static Cache Limits on AIX
    2.6 Increasing the Size of the eDirectory Log Files
    2.7 NMAS Issues
    2.8 ICE Issues
    2.9 NetMail Version for Upgrading to eDirectory 8.7.1
    2.10 Running ndsrepair on An NFS Mounted DIB on Linux
    2.11 Missing IP Address Entry in the /etc/hosts File on Linux
    2.12 Manpath for SuSE/UnitedLinux
    2.13 Creating LDAP Server and Group Objects in iManager
    2.14 ndsconfig cannot Set IP Address for n4u.server.interfaces
    2.15 ndsconfig add -m ldap Fails
    2.16 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.1
    2.17 Bulkload Issues
    2.18 Extended Characters are Currently Not Supported by LDAP Tools
    2.19 "Segmentation Fault" Error While Adding an Index
3.0 Documentation Issues
    3.1 Viewing Documentation on the Product CD
    3.2 Additional Readme Information
4.0 Legal Notices


1.0 Installation Issues

1.1 Prerequisites

1.1.1 Solaris

- One of the following:
  - Solaris 7 on Sun SPARC (with patch 106327-13 or later for 32-bit systems)
  - Solaris 7 on Sun SPARC (with patch 106300-07 or later for 64-bit systems)
  - Solaris 8 on Sun SPARC (with patch 108827-20 or later)
  - Solaris 9 on Sun SPARC
- The latest recommended set of patches, available on the SunSolve Web page (http://sunsolve.sun.com)
- A minimum of 128 MB RAM
- 120 MB of disk space for the eDirectory server
- 32 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users
- ConsoleOne requirements:
  - ConsoleOne 1.3.6
  - A minimum of 64 MB RAM (128 MB recommended)

1.1.2 Linux

- One of the following:
  - Red Hat Linux 7.2, 7.3, 8.0, or Red Hat Enterprise Linux AS 2.1. On Red Hat systems, ensure that the latest glibc patches from the Red Hat errata (http://www.redhat.com/apps/support/errata) are applied.
  - SuSE Linux Enterprise Server 8. NOTE: Novell eDirectory versions prior to 8.7.1 are not supported on SuSE. eDirectory upgrades on SuSE are not supported for this first release of eDirectory 8.7.1 on SuSE.
- A minimum of 128 MB RAM
- 90 MB of disk space for the eDirectory server
- 25 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users
- Ensure that gettext is installed. To install gettext, search the rpmfind Web site (http://rpmfind.net) for gettext.
- ConsoleOne requirements:
  - ConsoleOne 1.3.6
  - A minimum of 64 MB RAM (128 MB recommended)
  - 200 MHz processor (a faster one is recommended)

1.1.3 AIX

- One of the following:
  - AIX 4.3.3 with Maintenance Level 10, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt=0&org=SW&doc=4001173. Note: NMAS is not supported on AIX 4.3.
  - AIX 5L with Maintenance Level 2, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt=0&org=SW&doc=4001467
- All recommended AIX OS patches, available at the IBM tech support site (https://techsupport.services.ibm.com/server/fixes)
- A minimum of 128 MB RAM
- 190 MB of disk space for the eDirectory server
- 12 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users

1.2 eDirectory 8.7.1 Eval License

To test eDirectory 8.7.1, request an Evaluation License at http://www.novell.com/licensing/eld/LRequest.jsp?ENCRYPTION=EVAL. Upon submittal, you will receive the license files by e-mail almost immediately, with the installation instructions included.

1.3 Installing or Upgrading eDirectory

1.3.1 Installing eDirectory

If you are installing eDirectory from CD, use the nds-install command in the setup directory to install eDirectory on UNIX.

If you download Novell eDirectory 8.7.1 from http://download.novell.com, use gunzip to uncompress the downloaded file into a tar archive, then use tar xvf to extract the eDirectory installation and uninstallation scripts. The installation and uninstallation scripts are in the setup directory.

1.3.2 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.1. When you upgrade from 8.6.x to 8.7.1, you must upgrade the X.509 and CertMutual login methods as well. The certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.1.

1.3.3 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd)

If Native SLP is already present and configured, the eDirectory installation on Solaris 8.0 detects the presence of the Native SLP package and does not install the NovellSLP package.
Make sure that the slpd daemon is running before configuring a new eDirectory server, because eDirectory requires SLP to query for duplicate tree names, to advertise its services, and so on.

To start the slpd daemon on Solaris 8.0:

1. Create the SLP configuration file, either by copying /etc/inet/slp.conf.example to /etc/inet/slp.conf or by any alternative method.
2. Start the slpd daemon with the following command:
   /etc/init.d/slpd start

The slpd daemon will not start if the /etc/inet/slp.conf file does not exist. The network administrator can change the SLP configuration by editing the /etc/inet/slp.conf file and restarting the slpd daemon.

You can use NovellSLP instead by installing the NovellSLP package, configuring the /etc/slpuasa.conf file according to the network requirements, and starting the slpuasa daemon. Before using the NovellSLP package, make sure that the /etc/inet/slp.conf file does not exist (either remove it or move it aside as a backup) and stop the slpd daemon through /etc/init.d/slpd.

1.3.4 Installing or Upgrading eDirectory on AIX

The following message might be displayed on the console during an install or upgrade on AIX:

"NICI Package install failed."

However, NICI is installed or upgraded successfully even though that message is displayed. To verify that NICI was installed successfully, enter the following command and confirm that version 2.6.0.0 of Novell NICI U.S./Worldwide has been installed:

lslpp -L | grep NOVLniu0

1.3.5 Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.1

Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.1 rebuilds the LDAP mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This is only an issue if you deleted the inetOrgPerson --> User mapping and defined a real inetOrgPerson class in your previous version of eDirectory.
The workaround is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group object.

1.4 HTTP Server Port Configuration

If eDirectory 8.7.1 is installed before Novell iManager, you might have port conflicts. You need to change the ports used by the eDirectory HTTP stack if iManager fails to run after installation and an exception similar to the following appears in the console or terminal from which you run Tomcat:

java.lang.reflect.InvocationTargetException: org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind

To resolve this problem:

1. Log in to the tree and browse to the server using ConsoleOne.
2. Open the HTTP Server object for the server.
3. Set the httpDefaultClearPort and httpDefaultTLS port attributes to non-default values. The default port numbers are:
   httpDefaultClearPort: 80
   httpDefaultTLS: 443
4. The server is refreshed the next time limber runs, or you can initiate limber from ndstrace with the following command:
   set ndstrace = *L
   The httpstk object can be recreated using iManager or ConsoleOne, or by running the following command:
   ndsconfig add -m http
5. Start Tomcat.

The same conflict can occur if any other Web server, such as Apache on Linux, Solaris, or AIX, is installed on the system.

1.5 Manually Extending the Schema Before Installation

In some cases, schema extensions do not synchronize quickly enough to the lower levels of a tree where the first new eDirectory 8.7.1 server is being installed, so some features are not installed completely. One instance of this is the httpServer object schema definition, which might not have synchronized to the server where the object instance needs to be created by the time the install code attempts to create it. In this particular instance, the failure to create the httpServer object is not fatal, because the object only contains optional configuration information.
This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7.1. Use ndssch to install the eDirectory 8.7.1 schema files located in the /usr/lib/nds-schema directory.

1.6 Enabling Large File Support

Before installing eDirectory on UNIX, we recommend that you enable large file support on the file system where the eDirectory files will reside. eDirectory requires the underlying file system to allow each DIB file (nds.db, nds.01, nds.02, etc.) to grow to a size of 4 gigabytes. If large file support has not been enabled, the file system generally limits files to 2 gigabytes, which causes problems for an eDirectory installation with a large number of objects (typically 500,000 or more).

For other issues related to large files, see Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

1.7 Enabling the Linux, Solaris, or AIX Host for Multicast Routing

Multicasting must be enabled for the eDirectory installation and configuration to work properly. To check whether the host is enabled for multicast routing:

- On Linux systems, enter the following command:
  /bin/netstat -nr
  The following entry should be present in the routing table:
  224.0.0.0 0.0.0.0
  If the entry is not present, log in as root and enter the following command to enable multicast routing:
  route add -net 224.0.0.0 netmask 240.0.0.0 dev <interface>
- On Solaris systems, enter the following command:
  /usr/bin/netstat -nr
  The following entry should be present in the routing table:
  224.0.0.0 host_IP_address
  If the entry is not present, log in as root and enter the following command to enable multicast routing:
  route add -net 224.0.0.0 netmask 240.0.0.0
  The <interface> value could be eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.
- On AIX systems, check whether the multicast routing daemon mrouted is running.
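An added example, not part of the Novell readme: the POSIX shell functions below read netstat -nr output and report whether the 224.0.0.0 routing-table entry described above is present, printing the readme's route add command for Linux or Solaris when it is missing. The routing tables embedded in the script are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Novell readme): pre-install check for the
# 224.0.0.0 multicast route that the eDirectory install and ndsconfig need.

# has_multicast_route: reads `netstat -nr` output on stdin and succeeds (0)
# only if a routing-table entry whose destination is 224.0.0.0 is present.
has_multicast_route() {
    awk 'BEGIN { missing = 1 }
         $1 == "224.0.0.0" { missing = 0 }
         END { exit missing }'
}

# multicast_route_cmd PLATFORM [INTERFACE]: prints the `route add` command the
# readme gives for the platform instead of running it, so an administrator can
# review it and run it as root. Linux needs the NIC name (eth0 etc.); the
# Solaris form takes no interface.
multicast_route_cmd() {
    case "$1" in
        linux)
            [ -n "$2" ] || { echo "linux needs an interface name" >&2; return 2; }
            echo "route add -net 224.0.0.0 netmask 240.0.0.0 dev $2" ;;
        solaris)
            echo "route add -net 224.0.0.0 netmask 240.0.0.0" ;;
        *)
            echo "unsupported platform: $1 (use linux or solaris)" >&2
            return 2 ;;
    esac
}

# check_host PLATFORM [INTERFACE]: runs the live check on this host and prints
# either a confirmation or the command needed to add the route.
check_host() {
    if netstat -nr 2>/dev/null | has_multicast_route; then
        echo "multicast route present"
    else
        echo "multicast route missing; as root, run:"
        multicast_route_cmd "$1" "$2"
    fi
}

# Constructed sample of Linux `/bin/netstat -nr` output with no multicast route.
SAMPLE_LINUX_NO_MCAST='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0'

# The same constructed table after the readme route add command has been run.
SAMPLE_LINUX_WITH_MCAST="$SAMPLE_LINUX_NO_MCAST
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0"

# Constructed sample of Solaris `/usr/bin/netstat -nr` output with the route.
SAMPLE_SOLARIS_WITH_MCAST='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
10.0.0.0             10.0.0.5              U        1      0  hme0
224.0.0.0            10.0.0.5              U        1      0  hme0
127.0.0.1            127.0.0.1             UH       1      2  lo0'

# demo: runs the check against the constructed samples (no network needed).
demo() {
    for sample in "$SAMPLE_LINUX_NO_MCAST" "$SAMPLE_LINUX_WITH_MCAST" \
                  "$SAMPLE_SOLARIS_WITH_MCAST"; do
        if printf '%s\n' "$sample" | has_multicast_route; then
            echo "sample: multicast route present"
        else
            echo "sample: multicast route missing"
        fi
    done
}

demo
# To check the machine you are on, run for example: check_host linux eth0
```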
  If it is not running, configure and start the multicast daemon mrouted. See the "mrouted.conf File" section in the Files Reference book in the AIX 4.3 or 5 Reference Documentation Set (http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/mrouted.conf.htm) for an example configuration file.

1.8 patchadd Error While Installing on Solaris

If you get a patchadd error while installing on Solaris, ensure that you update your machine with the latest recommended set of patches, available on the SunSolve Web page (http://sunsolve.sun.com).

1.9 ndsconfig Creates the nds.conf File and the dib Directory even when Configuration Fails

Even when configuration fails, ndsconfig creates the /etc/nds.conf file and the /var/nds/dib directory. Manually remove them before attempting the configuration again.

1.10 Using Dotted Container Names in a Server's Context

You can use ndsconfig to install a Linux, Solaris, or AIX server into an eDirectory tree that has containers with dotted names (for example, O=novell.com). Because ndsconfig is a command-line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on a UNIX server using "O=novell.com" as the name of the O, use the following command:

ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"

The Admin name and context and the server context parameters are enclosed in double quotes, and only the dots ('.') in novell.com are escaped using the '\' (backslash) character. You can also use this format when installing a server into an existing tree. Use the same format when entering a dotted admin name and context in utilities such as ndsrepair, ndsbackup, ndsmerge, ndslogin, and ldapconfig.

1.11 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate
When configuring eDirectory on Linux, Solaris, or AIX servers into a replica with many objects or with synchronization problems, you might see the following error at the end of the ndsconfig process:

"Unable to configure LDAP server with default SSL CertificateDNS certificate. Use ConsoleOne/iManager to associate SSL CertificateDNS certificate with LDAP server."

If the ndsd service is stopped at this point, you can restart it manually by entering the following at the console prompt:

/etc/init.d/ndsd start (for Linux and Solaris)
/etc/ndsd start (for AIX)

At this point, you might also need to verify that the LDAP Server object for that server was configured with an SSL certificate. In ConsoleOne or iManager, open the property pages of the LDAP Server object for this server, select the SSL/TLS Configuration tab, then look at the Server Certificate field on that tab. If it has been populated with the name of an SSL certificate (for example, "SSL CertificateDNS"), click Close to exit the property pages. If this field is blank, click the browse button for that field and select a certificate from the list. The default is "SSL CertificateDNS." Then click Apply and Close.

Finally, verify that the /var/novell/nici/0 directory (if user 'root' ran the install) contains a nicisdi.key file. If it doesn't, restart the server to synchronize the key file.

1.12 Specifying eDirectory Information During the Configuration

When specifying the eDirectory information during the configuration, if an invalid Server object container type is specified, the configuration does not detect the error until later, and the eDirectory configuration fails with a -611 or -634 error, both of which indicate an incorrect base class. The valid Server object container types are:

- Organization (O)
- Organizational Unit (OU)
- Domain (DC)

1.13 Core DS Component Installation

On rare occasions, the eDirectory installation fails during its core DS component installation.
If so, an error message like the following is displayed:

"The DS component of eDirectory failed to install correctly. The error received was: ''. Please view ndsd.log for more detailed information. The eDirectory installation will now be terminated."

If you receive this error, try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because a partial installation is already on your system, or for any other reason, visit the Novell Support Web site (http://support.novell.com) for possible solutions.


2.0 Known Issues

2.1 iMonitor Issues

2.1.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.

2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in its name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.

2.1.3 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single-server tree because of the Perishable Data status. This does not mean that the tree is unhealthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one other replica. A single-server tree, by its nature, means that the data is always at risk of catastrophic failure because there is no other place where the data is replicated. If you lose the hard disk, you lose the data.
If you don't want to see health check warnings about Perishable Data or Readable Replica Counts on your single-server tree, you can turn off these health checks by editing the /etc/ndsimonhealth.conf file and changing the following entries:

perishable_data-active: OFF

and

ring_readable-Min_Marginal: 1

or

ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.1.4 iMonitor Report Does Not Save the Records of Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report was run. This issue will be resolved in a future release of iMonitor.

2.1.5 Clone DIB Set Error

You will receive error -626 (All Referrals Failed) when generating a clone DIB set from a server that holds a replica other than the master replica. Only clone from a server holding the master replica.

2.1.6 Creation and Modification Timestamps

Because UNIX platforms do not maintain the creation time of a file, iMonitor shows the creation and modification times as the same value.

2.2 ConsoleOne Issues

2.2.1 ConsoleOne on AIX

ConsoleOne is not supported on AIX. You can use other platforms, such as NetWare, Windows NT/2000, Linux, or Solaris, for ConsoleOne.

2.2.2 ConsoleOne and Open SLP

The NOVLc1 package does not get installed during the installation of ConsoleOne on a Linux machine that has an Open SLP package. If an Open SLP package is detected on a Linux machine and you want to install ConsoleOne on that machine, install the Novell SLP package first, then run the ConsoleOne install script.
2.2.3 Using ConsoleOne to Manage NetWare 4.x Servers

To use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

2.2.4 Creating Server Certificate Objects

Creating Server Certificate objects (also known as Key Material objects) is not supported in ConsoleOne on the UNIX platforms. This function is supported through iManager or from ConsoleOne on the Windows platform.

2.2.5 "Operation Failed" Error

The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites." indicates either that a required SPM client library from the Universal Password feature in NMAS has not been installed or is not available, or that the server or workstation has incomplete or old versions of the required eDirectory libraries. To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or later, or Novell Client for Windows 95/98 version 3.4 or later, on a Windows workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.1 CD.

2.2.6 Using the Alt Key to Enter International Characters

Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 also fixes this problem.

2.2.7 Novell Client Versions Required for ConsoleOne 1.3.6

ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client.
ConsoleOne 1.3.6 on Windows requires one of the following:

- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later

2.2.8 Installing ConsoleOne on UNIX With All Languages Selected

When installing ConsoleOne on UNIX with all non-English languages selected, you will receive the following message:

"One or more of the languages for the specified snap-ins are not available to install or have not been translated for installation. ConsoleOne will continue to install. However, when executing ConsoleOne, some of the snap-ins will display English where the specific language was not available."

This issue will be resolved in a future release of eDirectory.

2.3 SNMP Issues

2.3.1 SNMP on Linux

On Linux, ucd-snmp-4.2.1, ucd-snmp-4.2.2, or ucd-snmp-4.2.3 must be installed, and links to the missing libraries need to be created. For example, if your system has ucd version 4.2, create the following links so that the version 4.2.1 library names resolve:

ln -s /usr/lib/libucdagent.so.4.2 /usr/lib/libucdagent-0.4.2.1.so
ln -s /usr/lib/libsnmp.so.4.2 /usr/lib/libsnmp-0.4.2.1.so
ln -s /usr/lib/libucdmibs.so.0.4.2 /usr/lib/libucdmibs-0.4.2.1.so

To find out which libraries are missing, enter the following:

# ldd /usr/bin/ndssnmpsa

2.3.2 Restarting ndssnmpsa

When the master agent is restarted on Solaris, Linux, or AIX, ndssnmpsa must be restarted as well. To restart ndssnmpsa, first stop it and then start it again.

To stop ndssnmpsa, enter the following:

For Solaris: /etc/init.d/ndssnmpsa stop
For Linux: /etc/rc.d/init.d/ndssnmpsa stop
For AIX: /etc/ndssnmpsa stop

To start ndssnmpsa, enter the following:

For Solaris: /etc/init.d/ndssnmpsa start
For Linux: /etc/rc.d/init.d/ndssnmpsa start
For AIX: /etc/ndssnmpsa start

2.3.3 SNMP Master Agent Configuration on AIX

For SNMP support on AIX, the /etc/snmpd.peers file must be modified manually with the following entry. The preinstall script is expected to add this entry during package addition, but it is not done automatically during the install.

"ndssnmpsa" 1.3.6.1.4.1.23.2.98 "ndssnmpsa_password"

2.4 Certificate Server Issues

2.4.1 Extractable Keys Support

When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for key pair generation is running eDirectory 8.6 or later on the NetWare and NT platforms, or eDirectory 8.7.1 or later on the UNIX platforms. If you attempt to make the keys extractable on an unsupported platform, you will receive a -1222 error.

2.4.2 iManager CRL Creation

iManager CRL creation creates the CRL object but doesn't populate the object with the selected Certificate Revocation List. You must modify the CRL object after it has been created and import the Certificate Revocation List.

2.4.3 Using iManager to Create Certificates for Multiple Users

To create certificates for multiple users in iManager, use the Create User Certificate task under the Certificate Server role. This allows the administrator to select a list of users and create a certificate for each selected user.

2.4.4 Removing a Server from eDirectory

When removing a server from eDirectory and then reinstalling it into the same context with the same name, the reinstallation succeeds only if the SAS Service object representing the removed server is also deleted, if it existed. For example, for a server named MYSERVER, a SAS object named SAS Service - MYSERVER could exist in the same container as the server. This SAS object must be manually deleted (using ConsoleOne) after the server is removed from the tree, but before the server is reinstalled into the tree.

IMPORTANT: If the server is the Organizational CA or the SD Key server, you must complete some additional steps. These steps are documented in TID 10056795 (entitled Certificate Server Issues: Removing a Server from a Tree).
You can search for this TID in the Novell Knowledgebase (http://support.novell.com).

The default server certificates created for the server should also be removed so that they are recreated when the server is reinserted. These certificates are SSL Certificate IP - MYSERVER and SSL Certificate DNS - MYSERVER. Be careful when deleting these certificates: if data has been encrypted using either of them, the data must be retrieved before the certificates are deleted.

2.4.5 Importing CRL Data onto CRL Object

The CRL file is not inserted into eDirectory when creating a CRL object. After creating the CRL object, modify the object and select Import. Select the file again and it will be imported properly.

2.4.6 Long DNS Names and Long Server Names

Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the box. Because the maximum object name length is 64 characters, you might receive the following error during the installation of Novell Certificate Server if the combination of the server name and the DNS name is 54 characters or longer:

"The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?"

The -613 error is not fatal; however, Novell Certificate Server will not be able to create the auto-generated certificates that match the long DNS name.

To avoid this problem with future servers, make sure that the combined number of characters in the DNS name and the server name is fewer than 54. To fix this problem on an existing server, use ConsoleOne or iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications. See the Novell Certificate Server Administration Guide (http://www.novell.com/documentation/lg/crt252/index.html) for instructions on how to create server certificates.
After the server certificate is created, the applications (Apache, Tomcat, etc.) that should use the new server certificate must be configured to do so.

2.5 Static Cache Limits on AIX

Due to limitations of AIX version 4.3, eDirectory only supports static cache limits on AIX. By default, the cache size is limited to 16 MB. This is adjustable at runtime, but the adjustment must be made by the administrator, and it must be made on every server running AIX.

The easiest way to adjust this is from iMonitor. Click Agent Configuration, then Database Cache. This brings up a page that lets you adjust the amount of memory that eDirectory uses for cache. In the Database Cache Configuration table, make sure the Hard Limit radio button is selected, enter the new cache size in the Cache Maximum Size field, then click Submit. Refer to the eDirectory 8.7.1 Administration Guide for more information on changing database cache settings.

2.6 Increasing the Size of the eDirectory Log Files

You can use Novell iManager to increase the maximum size of the eDirectory log files to a large value (such as several megabytes): in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size. However, large log files can become a problem and might cause eDirectory to stop responding. To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:

TOMCAT_OPTS=-Xmx512m

This increases the JVM heap size from the default of 64 MB to 512 MB.

2.7 NMAS Issues

2.7.1 Installation Issue

You must have the NICI Client installed on each client that will run ConsoleOne and NMAS software.
2.7.2 Methods and Sequences Issues

- If a login method's snap-ins are already present and you try to install the same login method again, a failed status is displayed in the login methods installation summary dialog. This occurs only when running ConsoleOne from the server.
- nmasinst does not have an option to remove NMAS methods. This must be done using ConsoleOne. See the NMAS Administration Guide (http://www.novell.com/documentation/lg/nmas22) for more information.
- For products to use NMAS login methods properly, at least one NetWare 6.5 server in the eDirectory partition needs to hold a R/W replica of the User objects that will be using NMAS.
- Snap-ins for managing the Enhanced Password login method can be installed into ConsoleOne by executing \nmas\consoleone\snapininstall.exe.
- Two password methods, such as Simple and Enhanced, cannot be used in an AND sequence if the Novell Client is set to display the password field, which it is by default.
- If you use a login sequence that has a non-password method (for example, the X509 method) followed by a password method (for example, the simple password method), the user must enter the credential for the password method in the initial Novell Client Login dialog Password field before providing the non-password credential. After entering the credential for the password method, the user is then prompted to enter the password to unwrap the certificate, thus providing the credential for the non-password method.

2.7.3 Administration Issues

- Updating ConsoleOne from 1.2d to 1.3.6 does not update the products.dat file on the NetWare server.
- NMAS does not support AIX 4.3.3.
- The simple password is used for various authentication services in NetWare 6.5, including the authentication support for CIFS and AFP. A problem might arise if you set or change a user's simple password from the ConsoleOne administrative snap-ins using Force Password Change.
  If you experience problems setting an initial password, you might need to select the Force Password Change check box. If the user already has a password set, Force Password Change might not work unless you remove the current password and specify a new one.
- You must give explicit rights to users with graded authentication; inherited rights do not work. For example, an administrator's Supervisor right is defined at the [Root] container, so rights for the administrator are not defined on the Volume object. If the administrator changes the volume's security label from Logged In to any other security label, the administrator cannot get the appropriate rights. The administrator must assign explicit rights to the volume, or to directories or files in the volume.
- When you disable a user's NDS password, the NDS password is set to an arbitrary value that is unknown to the user. When Universal Password is enabled, the Universal Password attribute is set to this same arbitrary value, causing the simple password and enhanced password methods to become disabled. Disabling an NDS password on a fully enabled Universal Password system therefore also disables the other employed methods, including the simple password and enhanced password methods.
- Novell iManager provides a Universal Password task that allows you to enable and disable Universal Password. This page also displays the option for NMAS to automatically synchronize the Universal Password with the simple password whenever a user performs a password update. If you are concerned about the security properties of the simple password, you can choose not to synchronize the Universal Password with the simple password by deselecting this option. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select the option to synchronize the Universal Password with the simple password.
- If you add an eDirectory 8.7.1 server to an existing tree, or upgrade an eDirectory 8.7 server that has NMAS and the simple password method installed to eDirectory 8.7.1, users authenticating through LDAP might find that the Universal Password did not synchronize with the simple password. Configuring NMAS and the simple password method once again on eDirectory 8.7.1 resolves the issue.

- The NDS password is not migrated to the Universal Password when doing an LDAP bind.

2.7.4 NMAS Client Issue

When a user logs into a tree other than the preferred tree using the client, the client incorrectly queries the preferred tree to find the User object. If a User object with the same name exists in the preferred tree, the client uses that User object, and the login fails with a -601 error (No Such Object) because the wrong tree was used. This issue will be resolved in the next release of the client.

2.7.5 Installing and Configuring NMAS on UNIX Platforms

For information on installing and configuring NMAS on UNIX platforms, click "Using the nmasinst Utility to Configure NMAS" in the Novell eDirectory 8.7.1 Administration Guide (http://www.novell.com/documentation/lg/edir871/edir871/data/a7f7od5.html).

2.8 ICE Issues

2.8.1 Adding a zero length attribute to an existing entry through ICE gives Invalid Syntax error

Consider the following entry specified in an LDIF file:

    # Modify an entry: add the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    add: fullName
    fullName:

Adding this LDIF entry through ICE results in an "Invalid Syntax" error. Use the ldapmodify tool to add such LDIF entries.
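As an added example that is not part of the Novell readme, the following Python script pre-screens an LDIF change file for zero-length values before it is handed to ICE: an empty value under add produces the "Invalid Syntax" error described here, and an empty value under replace silently deletes the attribute (the case 2.8.2 describes). The sample LDIF is constructed, and the parser covers only the line-oriented subset the readme's examples use (no base64 "::" values or continuation lines).

```python
# Added example, not from the Novell readme: pre-screen an LDIF change file for the
# zero-length values that ICE rejects (add, 2.8.1) or turns into a delete (replace, 2.8.2).
from typing import List, Tuple

# Constructed sample: the readme's two problem records plus one harmless record.
SAMPLE_LDIF = """\
dn: cn=user,o=org
changetype: modify
add: fullName
fullName:

dn: cn=user2,o=org
changetype: modify
replace: fullName
fullName:

dn: cn=user3,o=org
changetype: modify
replace: fullName
fullName: Jane Doe
"""

def parse_ldif_records(text: str) -> List[List[Tuple[str, str]]]:
    """Split LDIF into records of (name, value) pairs. Handles '#' comments and
    blank-line separators only (no base64 '::' values, no continuation lines)."""
    records = []
    for chunk in text.split("\n\n"):
        lines = [ln for ln in chunk.splitlines() if ln and not ln.startswith("#")]
        if lines:
            records.append([(n.strip(), v.lstrip())
                            for n, _, v in (ln.partition(":") for ln in lines)])
    return records

def find_zero_length_values(text: str) -> List[Tuple[str, str, str]]:
    """Return (dn, attribute, effect) for each empty value in a modify record:
    'invalid_syntax' under add, 'attribute_deleted' under replace."""
    findings = []
    for rec in parse_ldif_records(text):
        fields, op = dict(rec), None       # op: current add/replace/delete block
        if fields.get("changetype") != "modify":
            continue
        for name, value in rec:
            if name in ("add", "replace", "delete"):
                op = name
            elif name == "-":              # a '-' line closes the block
                op = None
            elif op in ("add", "replace") and value == "":
                effect = "invalid_syntax" if op == "add" else "attribute_deleted"
                findings.append((fields.get("dn", ""), name, effect))
    return findings
```

Records that the script flags should be sent through ldapmodify, as the readme advises, rather than through ICE.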
2.8.2 Replacing an attribute with a zero length value through ICE deletes the attribute

Consider the following entry specified in an LDIF file:

    # Modify an entry: replace the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    replace: fullName
    fullName:

Providing this LDIF entry to ICE deletes the fullName attribute. Use the ldapmodify tool to modify such LDIF entries.

2.9 NetMail Version for Upgrading to eDirectory 8.7.1

Existing Novell NetMail 3.1 users running eDirectory 8.6 on UNIX platforms and upgrading to eDirectory 8.7.1 should apply the NetMail 3.10e patch to maintain compatibility with eDirectory.

2.10 Running ndsrepair on An NFS Mounted DIB on Linux

You might get -732 or -6009 errors while trying to run ndsrepair operations on an NFS mounted DIB on Linux systems.

2.11 Missing IP Address Entry in the /etc/hosts File on Linux

On Linux, if the /etc/hosts file contains only the local host entry, the IP address entry should be added. In the /etc/hosts file, the local host entry is displayed as follows:

    127.0.0.1 localhost.localdomain localhost

Add the IP address entry to the /etc/hosts file as follows:

2.12 Manpath for SuSE/UnitedLinux

On SuSE/UnitedLinux, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add this path to the list.

2.13 Creating LDAP Server and Group Objects in iManager

If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview > select the new LDAP Server object > General > Information > Refresh after the LDAP objects have been created.

2.14 ndsconfig cannot Set IP Address for n4u.server.interfaces

You can set the IP address for n4u.server.interfaces by editing the nds.conf file.

2.15 ndsconfig add -m ldap Fails

You can use ConsoleOne to create an LDAP server and LDAP group object as follows:

1. Create an LDAP group object under the container where the host server exists.
2. Create an LDAP server object under the container where the host server exists.
3. Associate the LDAP server object with the host server and the LDAP group object. To do this, right-click the LDAP server object > Properties, then enter the host server and LDAP group object.

2.16 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.1

After an eDirectory 8.7 server on Solaris 8 running Novell Account Management is upgraded to eDirectory 8.7.1, Novell Account Management authentication fails. This happens only when the Solaris 8 server is running a kernel patch level of 108528-14 or higher. This issue will be fixed in a future release of eDirectory.

2.17 Bulkload Issues

2.17.1 Increasing the Speed of Bulkloads

To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete. For more information, see the Universal Password Deployment Guide (http://www.novell.com/documentation/lg/nw65/universal_password/data/front.html).

2.18 Extended Characters are Currently Not Supported by LDAP Tools

Extended characters are currently not supported by the LDAP tools. You can use ICE to perform operations such as add, modify, and delete using appropriate LDIF files.

2.19 "Segmentation Fault" Error While Adding an Index

If there are additional leading spaces in the attribute name or index name when you give the ndsindex add command, a "Segmentation Fault" error is reported. However, the index is still added correctly. You can ignore this error message.
3.0 Documentation Issues

3.1 Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

- Novell eDirectory
  /documentation/english/edir871/edir871.pdf
  /documentation/english/edir871/qsedir871.pdf
- Novell Client
  /documentation/english/noclienu/noclienu.pdf
- Novell Certificate Server
  /documentation/english/certserv/certserv_admin.pdf
- ConsoleOne 1.3.6
  /documentation/english/consol13/c1_enu.pdf
- Novell Modular Authentication Services (NMAS)
  /documentation/english/nmas/doc/nmas_admin.pdf
- Novell International Cryptography Infrastructure (NICI)
  /documentation/english/nici/nici admin guide.pdf

3.2 Additional Readme Information

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2003 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.

Novell, NetWare, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries. eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc.

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Please refer to /documentation/english/license/license.txt on the eDirectory CD for additional information and license terms.