This patch is an update to the original release of Novell eDirectory 8.7.3. It contains all fixes and updates since eDirectory 8.7.3 shipped.
set dstrace = !ne
NOTE: If ds.nlm is unloaded and reloaded without rebooting the server, the above set command must be executed after ds.nlm is loaded.
For more information about this setting, see TID #2963473 in the Novell Knowledgebase.
DS.DLM 105.54.34.0
NLDAP.DLM 105.55.98.0
DSTRACE.DLM 105.54.34.0
DSREPAIR.DLM 105.51.81.0
NDSIMON.DLM 202.12.63.5
DCLIENT.DLL 105.54.34.0
DCONSERV.DLM 105.54.34.0
DSCLONE.DLM 105.54.34.0
DSI.DLL 105.53.71.0
DSLOADER.DLM 105.54.34.0
REPAIRTL.DLL 105.54.33.0
LANGMAN.DLL 103.10.56.0
HCONSERV.DLM 105.54.34.0
HTTPSTK.DLM 105.54.34.0
INSTALL.DLM 104.10.81.5
LBURP.DLL 105.52.76.5
NCPENGINE.DLM 105.54.34.0
SAL.DLL 203.50.89.0
SAPSERV.DLM 105.54.34.0
NTTSANDS.DLL 2.0.0.1
Before you upgrade to eDirectory 8.7.3, make sure you have the latest NDS and eDirectory patches installed on all non-eDirectory 8.7.3 servers in the tree. You can get NDS and eDirectory patches from the Novell Support Web site.
In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue was resolved in Novell eDirectory 8.7.3. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.7.3 when eDirectory will report corruption errors that are due to incorrect keys.
To resolve this issue, run dsrepair.dlm from Novell eDirectory Services (in the Windows Control Panel, double-click Novell eDirectory Services > select dsrepair.dlm > click Start) after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.
Your CA server must be running Certificate Server 2.0.1 or later before installing a new server into the tree. You can determine which server is the CA by viewing the Certificate Authority object located in the Security container at the root of the tree.
To verify the version of the Certificate Server software, check the module version number on pki.dlm (Windows).
If the Certificate Server software version on the CA server is out of date, install eDirectory 8.7.3 on the CA server first, then proceed to install eDirectory 8.7.3 on any additional servers.
The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3. When you upgrade from 8.6.x to 8.7.3, you must upgrade the X.509 and CertMutual login methods as well.
The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.
Upgrading from eDirectory 8.6.2 or 8.7 to eDirectory 8.7.3 rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgperson Class in your previous version of eDirectory.
The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.
For additional information regarding this patch, refer to the following Technical Information Documents on the Novell Support Knowledgebase site.
TID 10097144: Is eDirectory 8.7.3 still supported on Microsoft NT Server 4.0?
TID 10097143: How to enable the FLAIM memory pre-allocation feature
TID 10098757: Running eDirectory repair task, in iManager, returns a "-503" error
NOTE: Novell recommends you to use the SSP 205 security patch in combination with eDirectory 8.7.3 SP10.
This patch is only for a server currently running eDirectory 8.7.3. It requires that eDirectory 8.7.3 already be installed on the server. If the server is running an earlier version of eDirectory you must upgrade that server's version of eDirectory to 8.7.3 before applying this patch. The full 8.7.3 product can be found at http://download.novell.com. This patch can then be applied.
For information regarding the deployment of this patch on Windows using ZENworks for Servers, refer to:
.\edir87310\Win32\eDir873x_Win32_Patch_ZFS.txt
When installing eDirectory on a Windows server that has a Jaz or Zip drive, you might receive the following error:
"There is no disk in the drive. Please insert a disk into <drive_name>."
To resolve this issue, do one of the following:
When specifying the eDirectory information during the installation, if an invalid Server object container type is specified, the installation will not detect the error until later, and the eDirectory installation will fail with a -611 or -634 error.
The valid Server object container types are:
On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error dialog like the following will be displayed:
"The DS component of eDirectory failed to install correctly. The error received was: '<some error>'. Please view DSInstall.log for more detailed information. The eDirectory installation will now be terminated."
If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support Web site for possible solutions.
When eDirectory 8.7.3 is installed on a Windows 2000 already containing the Novell Client, eDirectory will install an SLP service, but set the service to manual mode so that it does not run when the server is booted. eDirectory will then use the SLP service from the Novell Client.
If the Novell Client is removed, leaving no SLP service for eDirectory to use, you will have to manually start the SLP service, or change it to start automatically when the server boots.
If there is a long pause (maybe up to 5 minutes) when you select a license file from the diskette drive (A:), and then you receive a message that the file does not exist, it is likely that the installation could not read from the drive or the diskette media.
It appears that the low level calls to open the file fail after a long time of retying. You will probably see that the diskette drive light is on the whole time during the lower-level retrying effort. Accessing a file on the diskette drive through Java on Windows systems is much more sensitive to either the drive being out of alignment or the diskette being old than accessing the same file from native code such as Windows Explorer.
Sometimes, write-enabling the diskette will solve the problem. It seems to occur more often on older systems. Also, trying a new diskette will work. Accessing the files from a local hard drive seems to always work.
When uninstalling eDirectory 8.7.3, you might receive the following error if the installation of eDirectory 8.7.3 was an upgrade from NDS eDirectory or NDS eDirectory 8.5:
Incompatible JClient/DClient Package
JClient Revision 1.0.19
JClient Revision 1.1.1095
This error occurs only when the previous eDirectory installation was performed on a date later than the dates of the eDirectory 8.7.3 files located in the \nt\I386\NDSonNT\ni\lib directory on the Novell eDirectory 8.7.3 CD. If the previous installation was performed prior to those dates, this error will not occur.
To solve this issue, copy the .jar files from the \nt\I386\NDSonNT\ni\lib directory on the Novell eDirectory 8.7.3 CD to the \Program Files\Common Files\novell\ni\lib directory on the Windows server before performing the eDirectory 8.7.3 uninstall.
After uninstalling NICI, if you want to completely remove NICI from your server, delete the \WINNT\system32\Novell\NICI subdirectory. You might need to take ownership of some of the files and directories to delete them.
WARNING: Once the NICI subdirectory has been removed, any data or information that was previously encrypted with NICI will be lost.
The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.
When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.
The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.
If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:
perishable_data-active: OFF
and
ring_readable-Min_Marginal: 1
or
ring_readable-active: OFF
This will turn off the warnings for Readable Replica Count and Perishable Data.
The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.
The username in the iMonitor login page should be dotted and non-typed DN. For example, admin.novell. Other formats (such as dotted and typed, for example, cn=admin.o=novell; or LDAP format, for example, cn=admin,o=novell) are not accepted.
An unsuccessful login in iMonitor returns to the login page without displaying any errors.
Many buttons in iMonitor, including the Trace On/Off, Select All, Clear All, and Update buttons, depend on JavaScript being enabled. Internet Explorer 6.0.3790.0 has JavaScripting disabled by default.
To enable JavaScripting in Internet Explorer 6.0.3790.0:
When running eDirectory utilities such as dsbrowse.dlm and dsrepair.dlm on a Windows Terminal Server, the utility opens on the main desktop, not on the Terminal Services window. This is because Win32, for security reasons, will not allow a service to display a window on the Terminal screen.
ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client. ConsoleOne 1.3.6 on Windows requires one of the following:
In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.
The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites." indicates that the DSAPI libraries installed by the Novell Client or the NetWare Installation are not available, but ConsoleOne is the latest version with the NJCL libraries that are trying to use the new APIs.
To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4 on a Windows server or workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.3 CD.
If a User object is created in ConsoleOne with a password that contains extended characters, the user will get error -669 (Failed Authentication) when logging in to iManager with that password.
Likewise, if a User object is created in iManager and the password contains extended characters, the user cannot log in to ConsoleOne.
The workaround is to cut and paste the extended characters into the password text fields.
Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.
The eDirectory MIB file (<eDirectoryInstallRootDir>\snmp\edir.mib) on Windows compiles with a few errors and warnings on HP-OpenView. You can ignore these errors.
If you have problems bringing up SNMP services, check the following log files, located in the C:\novell\nds\snmp directory by default, to get more information on possible errors:
If LDAP is not configured to run in clear text mode, the name of the trusted root certificate file needs to be given in the SNMP configuration file (for example, SSLKEY sys:\etc\trust.der) before bringing up dssnmpsa.
ndssnmp.cfg can be found in C:\novell\nds\snmp on Windows.
On Windows 2000, the SNMP Sub Agent login screen sometimes appears after a considerable delay.
When installing eDirectory 8.7.3 for the first time (creating a new tree), if the Windows SNMP Service is installed on the server, and the SNMP Service has one or more dependent services, eDirectory will not be able to shut down the SNMP Service. In this case, SNMP will not be ready to use after the eDirectory installation.
To use SNMP, follow these steps to restart the SNMP service:
If the Windows SNMP Service is installed on a server, and the SNMP Service has one or more dependent services, the eDirectory uninstall will not delete all the SNMP files in the C:\novell\nds directory. However, the other uninstallation processes will complete successfully, including the deletion of the SNMP registry entries, and the deconfiguration process that the Novell SNMP agent does with DS and the SNMP Service.
Follow these steps to complete the uninstallation:
NLDAP ignores the faxparameters part of the facsimile telephone number syntax and only allows the printable ASCII string, which is the telephone number. Refer to RFC 2252 for details of the facsimile telephone number syntax. The faxparameters correspond to the bit string component of the NDAP syntax - SYN FAX NUMBER.
If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. Use the Novell eDirectory Services utility (C:\novell\NDS\NDSCons.exe) on the eDirectory server to restart eDirectory.
If you cannot access your Certificates, KMO objects, NMAS attributes, CA, or other encrypted objects and attributes hosted by a server after you have completed upgrading eDirectory from a version prior to 8.6, this might be due to NICI not fully migrating. This problem might be reported as error -1460 by the service.
To resolve this issue:
You can use Novell iManager to increase the maximum size of the eDirectory log files (in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size) to a large value (such as several MBs).
However, the size of the log files can become a problem and might cause eDirectory to stop responding on Windows NT. To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:
TOMCAT_OPTS=-Xmx512m
This increases the JVM heap size from the default of 64MB to 512MB.
When the ZENworks for Desktops 4 Middle Tier Server and ZENworks for Desktops "Back-end" Server exist on the same Windows 2000 server, and the server is upgraded to eDirectory 8.7.3, you should reinstall the ZENworks for Desktops Middle Tier portion on the server. Symptoms include the following:
If the Windows 2000 server is hosting only the ZENworks for Desktops Middle Tier Server and not the ZENworks for Desktops "Back-end" Server, and the server is upgraded to eDirectory 8.7.3, the reinstallation of the ZENworks for Desktops Middle Tier Server is not required.
The Netscape-related attributes have been removed from the default schema installed with LDAP in eDirectory 8.7.3. If you want to use those attributes, they will be present in a tree that was installed prior to eDirectory 8.7.3, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the \nt\I386\NDSonNT\ndsnt\nds\netscape-mappings.ldif file located on the eDirectory 8.7.3 CD.
To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete.
For more information, see the Universal Password Deployment Guide.
If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview > select the new LDAP Server object > General > Information > Refresh after the LDAP objects have been created.
If the Novell Client is not installed on the Windows server that eDirectory 8.7.3 is installed on, w32smdr.exe will not load because of missing DLLs. The Novell Client is required for this functionality.
This section lists the defects that were fixed with this patch and additionally, the modifications made.
Resolved: Crash that could occur issue when an invalid number of RDNs in tuned name was specified (368835)Resolved: Prevent network addresses being added to objects that don't have it as a schema attribute (379917)Resolved: Issue where Advanced Referral Costing prevented Apache from starting (378880)Resolved: Disable Advanced Referral Costing by default
Resolved: Issue of duplicate password check ignored with "Require Unique Passwords" checked (97104).
Resolved: Objects continually synch after partition merge due to ds not putting latest timestamp in inactive child TV replica number (155652).
Resolved: Dumping core in windows while upgrading from 873 SP8 to 8.8 SP1 during broadcast to stations (164396).
Resolved: Nessus scan of Linux server causes ndsd high utilization (192595).
Resolved: Heap overflow security vulnerability (197627&195511\197631&195508).
Resolved: Invalid free security vulnerability (197629/195523).
Resolved: DoS security vulnerability (197711\195510).
Resolved: Change schema lock from a R/W to mutex to resolve memory consumption, especially in MidTier environment (155464).
Resolved: Shutting down eDirectory on the Win32 platform would sometimes result in a hang (189991).
Resolved: Added messages in ldap search trace when LDAP skips a "duplicate" attribute (IE., App:Path vs. appPath) (94515).
Resolved: SSLv2 disabled in LDAP (156683 & 182127).
Resolved: Search now ignores any search predicates which could cause a syntax violation (RFC2251) (155554).
Resolved: LDAP Server failing if certificate is unassociated unless der file is exported as trusted root (162974).
Resolved: LDAP returning null (EID) on DN syntax instead of converting it to DN (Example: value returned when adding user to a group) (169806/155097).
Resolved: LDAP returning non-present values (170841).
Resolved: Log elapsed time for all LDAP operations (177174).
Resolved: Issue where connections would be erroneously destroyed resulting in -625 errors when communicating to the server (378165).
Resolved: Issues with memory consumption, dhost unloading and concurrent connections and NCPengine in 8737 and 8738, especially in MidTier environments (155464).
Resolved: Issue where illegal attributes that violated class rules on entries were not being purged (379917)
Resolved: Dsrepair speed enhancements, especially on non-Netware platforms (83042).
Resolved: Destroy selected replica now updates the ndsStatusRepair attribute of the pseudoserver (168102).
Resolved: Incorrect port was added to ncpserver and referal list after repair network address (186311).
Resolved: Fixed the -at switch (207153\207151).
Resolved: Messages now show the progress of object repairs (122521).
Resolved: Authoritative schema import (131153).
Resolved: Issue where user password is displayed in clear text using embox through iManager (93995).
Resolved: Issue where services could be controlled without being authenticated (357369).
Resolved: ZFS SPKs to allow Zen install of the support pack (NetWare and Windows) (375988)
Changed the name of APPENDLOG.NLM to WRITELOG.NLM to account for long file name restrictions during remote installs (NetWare) (376911)
Resolved: Issue where database entry cache percentages were being incorrectly displayed (378905).
The latest eDirectory 8.7.3 documentation is present at the Novell eDirectory 8.7.3 Documentation site.
IMPORTANT: The latest version of this readme is available on the Novell eDirectory 8.7.3 Documentation site.
For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base.
For NMAS information, refer to the Security Services Readme located with the NMAS 3.2 online documentation.
For Certificate Server information, refer to the Security Services Readme located with the Novell Certificate Server 2.7 online documentation.
For NICI information, refer to the Security Services Readme located with the NICI 2.7.x online documentation.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2003-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.
All third-party products are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.