Novell eDirectory 8.7.3 for NetWare Readme
November 21, 2003

Table of Contents

1.0 Installation Issues
    1.1 Prerequisites
    1.2 Distributing Proper Versions of DSRepair to All Servers in the Tree
    1.3 Upgrading from a Previous Version
    1.4 Uninstalling eDirectory
    1.5 Installing a NetWare 5.1 Server into an eDirectory 8.7.3 Tree
    1.6 Video Cards and Driver Settings
    1.7 Upgrading to NetWare 6 from NetWare 5.1 after eDirectory 8.7.3 Has Been Installed
    1.8 Manually Extending the Schema Before Installation
2.0 Known Issues
    2.1 iMonitor Issues
    2.2 Avoiding or Recovering from LDAP KMO Errors
    2.3 ConsoleOne Issues
    2.4 SNMP Issues
    2.5 eDirectory Service Manager Issues
    2.6 Backup Issues
    2.7 Replica Operations in Mixed Replica Rings
    2.8 Netscape Schema Attributes
    2.9 Increasing the Speed of Bulkloads
    2.10 emboxmgr.nlm Issue
    2.11 Creating LDAP Server and Group Objects in iManager
3.0 Documentation Issues
    3.1 Viewing Documentation on the Product CD
    3.2 Additional Readme Information
4.0 Legal Notices

1.0 Installation Issues

1.1 Prerequisites

- NetWare 5.1 SP6 or later with JVM 1.3.1, NetWare 6 SP3, or NetWare 6.5

  Note: Installing eDirectory 8.7.3 on NetWare 5.0 is not supported.

- If you are using RCONSOLE, you will need a ConsoleOne administrator workstation with the following:

  - A 200 MHz or faster processor
  - A minimum of 64 MB RAM (128 MB recommended)
  - Novell Client for Windows NT/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later

- In order for eDirectory 8.6.x or 8.7.x running on Microsoft Windows NT or 2000 to successfully communicate with NDS 6.x running on NetWare 4.11 or NetWare 4.2, NDS 6.17 or later must be running on the NetWare 4.x server. In addition, the following line must be added to the end of the autoexec.ncf file on the NetWare 4.x server:

      set dstrace = !ne

  Note: If DS.NLM is unloaded and reloaded without rebooting the server, the above set command must be executed after DS.NLM is loaded.
  For more information about this setting, see TID #2963473 in the Knowledgebase at http://support.novell.com.

1.2 Distributing Proper Versions of DSRepair to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.7.3 installation, see Updating the eDirectory Schema for NetWare in the Novell eDirectory 8.7.3 Installation Guide (http://www.novell.com/documentation/beta/edir873/index.html).

1.3 Upgrading from a Previous Version

1.3.1 Prerequisites

Before you upgrade to eDirectory 8.7.3, make sure you have the latest NDS and eDirectory patches installed on all non-eDirectory 8.7 servers in the tree. You can get NDS and eDirectory patches from the Novell Support Web site (http://support.novell.com).

1.3.2 Upgrading to Novell eDirectory 8.7.3 on a Double-byte System

In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue was resolved in Novell eDirectory 8.7. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.7.3 when eDirectory will report corruption errors that are due to incorrect keys.

To resolve this issue, run dsrepair.nlm after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.

1.3.3 Certificate Server 2.0.1

Your CA server must be running Certificate Server 2.0.1 or later before installing a new server into the tree. You can determine which server is the CA by viewing the Certificate Authority object located in the Security container at the root of the tree.
To verify the version of the Certificate Server software, check the module version number on pki.nlm (NetWare) or pki.dlm (Windows). If the Certificate Server software version on the CA server is out of date, install eDirectory 8.7.3 on the CA server first, then proceed to install eDirectory 8.7.3 on any additional servers.

1.3.4 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3. When you upgrade from 8.6.x to 8.7.3, you must upgrade the X.509 and CertMutual login methods as well. The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.

1.3.5 Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.3

Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.3 rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory.

The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.

1.4 Uninstalling eDirectory

If you use NWCONFIG to uninstall eDirectory, follow these steps to reinstall eDirectory:

1. Use the following command to remove the eDirectory entry from the PRODUCTS.DAT file so you can reinstall eDirectory on the same server:

       uinstall edir

2. Edit the SYS:SYSTEM\SCHEMA\SCHEMA.CFG file and remove the comment markers from the NDPS*.SCH files.
3. From the NetWare console, run NWCONFIG.
4. Select Product Options.
5. Select Install a product not listed.
6. Specify the location containing the Novell eDirectory 8.7.3 installation package.

1.5 Installing a NetWare 5.1 Server into an eDirectory 8.7.3 Tree

You must use the NetWare 5.1 SP6 Overlay install when installing a new NetWare 5.1 server into an existing eDirectory 8.7.3 tree. You can get the NetWare 5.1 SP6 Overlay from http://support.novell.com.

1.6 Video Cards and Driver Settings

The eDirectory, ConsoleOne, Novell iManager, and eGuide installs use Java 1.3. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly. On NetWare, the video card must also be VESA-compliant.

1.7 Upgrading to NetWare 6 from NetWare 5.1 after eDirectory 8.7.3 Has Been Installed

Follow these steps to upgrade a NetWare 5.1 server with eDirectory 8.7.3 to NetWare 6:

1. Use the NW6SP3 (or later) overlay, available from http://support.novell.com, to upgrade your server.
2. Prior to the upgrade, copy DSLOADER.NLM from C:\NWSERVER to C:\NWUPDATE. You might need to create C:\NWUPDATE.
3. Do not downgrade any files during the install.

If you don't copy DSLOADER.NLM to C:\NWUPDATE, the following error message will occur:

    "The NetWare Loadable Module SYS:\SYSTEM\DIBMIG.NLM could not be loaded. (nwconfig-6-127). Press Enter to Continue."

At this point, abort the install, copy C:\NWSERVER\DSLOADER.NLM to C:\NWUPDATE, and start the upgrade again.

1.8 Manually Extending the Schema Before Installation

1.8.1 Synchronizing Schema Extensions

In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.7.3 server is being installed for some features to be completely installed properly. One instance of this is the httpServer object schema definition, which might not synchronize to the server where the object instance needs to be created before the install code attempts to create it.
In this particular instance, the failure to create the httpServer object schema definition is not fatal, as it only contains optional configuration information.

This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7.3, using the eDirectory 8.7.3 schema files located in the \nw\sys\system\schema directory on the eDirectory 8.7.3 CD.

1.8.2 Using NWConfig to Extend the Schema

With the introduction of eDirectory 8.7, enhancements were made to the DSI that added more flexibility in extending the schema. Many of the schema files on the eDirectory 8.7.3 CD (located in the \nw\sys\system\schema directory) take advantage of this new functionality. If an older version of DSI.NLM or DSISCH.NLM (anything older than version 10411.14, dated September 26, 2002) is used by NWCONFIG.NLM to extend the new schema, the following error will occur:

    Error: Parsing the NDS500.sch file while extending schema.

To avoid this error, do the following:

1. Copy NW\SYS\SYSTEM\DSI.NLM and NW\SYS\SYSTEM\DSISCH.NLM from the eDirectory 8.7.3 CD to the server that will do the schema extension.

   NOTE: This should be a server that holds a copy of the Root partition.

2. Copy the desired schema files from the eDirectory 8.7.3 CD to a temporary directory on the NetWare server.
3. Run NWCONFIG.NLM and use the Directory Services option to extend the schema.

   NOTE: There are some dependencies between the schema files in the NW\SYS\SYSTEM\SCHEMA directory. Due to these dependencies, we recommend that the schema files be extended in the order that is listed in the NW\SYS\SYSTEM\SCHEMA\SCHEMA.CFG file on the eDirectory 8.7.3 CD.

When using NWConfig on a NetWare 5.1 server running NDS7, NDS8, eDirectory 8.5, or eDirectory 8.6.2, or on a NetWare 6 server running eDirectory 8.6.2, to extend the NDS500.sch file (or any other schema file in the NW\SYS\SYSTEM\SCHEMA directory on the eDirectory 8.7.3 CD), "Error: Parsing the NDS500.sch file while extending schema" is displayed.

2.0 Known Issues

2.1 iMonitor Issues

2.1.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.

2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.

2.1.3 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This will turn off the warnings for Readable Replica Count and Perishable Data.

2.1.4 iMonitor Report Does Not Save the Records of Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.

2.2 Avoiding or Recovering from LDAP KMO Errors

If you are upgrading from NetWare 5.1 SP5, you should download and upgrade to the latest NICI version (2.4.2 or later) after applying SP5. Failure to do so might result in LDAP errors. SP5 should have installed NICI 2.0.1 but some problems have been reported in systems running 56-bit cryptography products at the time SP5 was installed. Upgrading to NICI 2.4.2 should correct any previous problem, and is a recommended upgrade for anyone still running NICI 2.0.1 or earlier.

The latest version of NICI is available from http://download.novell.com as product NOVELL International Cryptographic Infrastructure.

If you have not upgraded NICI, LDAP might report errors such as "SSL_CTX_use_KMO failed KMO support routines: SSL_CTX_use_KMO:NICI wrap/unwrap key failed (err = -1418)." If you experience such errors, you will need to recreate the KMO.

2.3 ConsoleOne Issues

2.3.1 Using ConsoleOne to Manage NetWare 4.x Servers

In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

2.3.2 "Operation Failed" Error

The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites."
indicates that the DSAPI libraries installed by the Novell Client or the NetWare Installation are not available, but ConsoleOne is the latest version with the NJCL libraries that are trying to use the new APIs.

To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4 on a Windows server or workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.3 CD.

2.3.3 Passwords Created with Extended Characters in ConsoleOne Cannot Log In to iManager

If a User object is created in ConsoleOne with a password that contains extended characters, the user will get error -669 (Failed Authentication) when logging in to iManager with that password. Likewise, if a User object is created in iManager and the password contains extended characters, the user cannot log in to ConsoleOne.

The workaround is to cut and paste the extended characters into the password text fields.

2.3.4 Using the Alt Key to Enter International Characters

Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field.

Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.

2.3.5 Novell Client Versions Required for ConsoleOne 1.3.6

ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client.
ConsoleOne 1.3.6 on Windows requires one of the following:

- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later

2.4 SNMP Issues

2.4.1 SNMP Group Object

If the installation of the SNMP Group object fails, you can rectify this problem by executing the following command on the server console:

    snmpinst -c

For example:

    snmpinst -c admin.novell.test-tree novell nds-server.novell.test-tree

2.4.2 Auto-Loading DSSNMPSA

On NetWare, DSSNMPSA is not loaded by default. If you configure it to auto-load, save the credentials by selecting the Remember Password option when it is manually loaded. The INTERACTIVE option must be set to ON in the SYS:\ETC\DSSNMP.CFG file in order for DSSNMPSA to read the remembered credentials.

2.5 eDirectory Service Manager Issues

2.5.1 Service Manager Dependencies

Some Service Manager modules, such as httpstk, have dependencies. On NetWare, these dependencies are not displayed in the information frame as they are on Windows.

2.5.2 Using Service Manager to Stop eDirectory

If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. At the NetWare server console, enter the following:

    load DS

2.6 Backup Issues

2.6.1 Changes to Server-Specific Information

Backup of server-specific information has been implemented using the Backup eMTool. See "Changes to Server Specific Information Backup (Netware Only)" in the "Backing Up and Restoring Novell eDirectory" chapter in the "Novell eDirectory 8.7.3 Administration Guide" (http://www.novell.com/documentation/beta/edir873/index.html) for more information.

If you are creating server-specific information backups using filesystem TSA, be aware that the bigger backup file size might be too large for your sys: volume. A user-specified file location is implemented to allow the file to be placed in a larger, more convenient location.

2.6.2 Performing a Backup from the eMBox Client on NetWare 5.1

If you perform a backup from the eMBox Client on NetWare 5.1 and do not include the full path to the backup log file, you will get error -2, Unable to Open Log File.

To fix this problem, use -l sys:/backup/dsbackup.log instead of -l dsbackup.log.

2.7 Replica Operations in Mixed Replica Rings

Because NetWare 4.x servers can't speak to UNIX (IP) servers, replica operations in mixed (NetWare 4.x and UNIX) rings might never proceed to completion. Additionally, when NetWare 4.x is the master of that partition, certain operations will always fail to complete.

NetWare 4.x should never hold the master replica of a partition, and including NetWare 4.x servers in a replica ring with UNIX or Windows servers could cause operations to hang or remain in a state of partial completion. We recommend upgrading from NetWare 4.x to an IP-capable version of NetWare.

2.8 Netscape Schema Attributes

The Netscape-related attributes have been removed from the default schema installed with LDAP in eDirectory 8.7.3. If you want to use those attributes, they will be present in a tree that was installed prior to eDirectory 8.7.3, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema directory on the eDirectory 8.7.3 CD.

2.9 Increasing the Speed of Bulkloads

To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete. For more information, see the Universal Password Deployment Guide (http://www.novell.com/documentation/lg/nw65/universal_password/data/front.html).

2.10 emboxmgr.nlm Issue

emboxmgr.nlm leaks memory when you use the eMBox Client to perform many simultaneous backups or local repairs. This issue will be fixed in an upcoming release of eDirectory.

2.11 Creating LDAP Server and Group Objects in iManager

If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview > select the new LDAP Server object > General > Information > Refresh after the LDAP objects have been created.

3.0 Documentation Issues

3.1 Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

- Novell eDirectory
    \documentation\english\edir873\edir873.pdf
    \documentation\english\edir873\qsedir873.pdf
- Novell Client
    \documentation\english\noclienu\noclienu.pdf
- Novell Certificate Server
    \documentation\english\certserv\certserv_admin.pdf
- ConsoleOne 1.3.6
    \documentation\english\consol13\c1_enu.pdf
- Novell Modular Authentication Services (NMAS)
    \documentation\english\nmas\doc\nmas_admin.pdf
- Novell International Cryptography Infrastructure (NICI)
    \documentation\english\nici\nici admin guide.pdf

3.2 Additional Readme Information

3.2.1 Novell eDirectory 8.7.x Readme Addendum

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

3.2.2 NMAS Issues

For NMAS information, refer to the Security Services Readme (http://www.novell.com/documentation/lg/nmas23/readme/security_readme.html) located with the NMAS 2.3 online documentation (http://www.novell.com/documentation/lg/nmas23).

3.2.3 Certificate Server Issues

For Certificate Server information, refer to the Security Services Readme (http://www.novell.com/documentation/lg/nmas23/readme/security_readme.html) located with the Novell Certificate Server 2.6 online documentation (http://www.novell.com/documentation/lg/crt26).

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.

Novell, NetWare, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc.

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Please refer to \documentation\english\license\license.txt on the eDirectory CD for additional information and license terms.