Novell eDirectory 8.7.3 SP9 for Solaris, Linux, HP-UX, and AIX

November 7, 2006

1.0 Overview
2.0 Installation
    2.1 Prerequisites
    2.2 Component Versions With this Patch
    2.3 Installing or Upgrading eDirectory
3.0 Known Issues
    3.1 Installation and Configuration Issues
    3.2 iMonitor Issues
    3.3 ConsoleOne Issues
    3.4 SNMP Issues
    3.5 Increasing the Size of the eDirectory Log Files
    3.6 Faxparameters Issue with NLDAP
    3.7 Replacing an Attribute With a Zero Length Value Through ICE Deletes the Attribute
    3.8 NetMail Version for Upgrading to eDirectory 8.7.3.x
    3.9 Repair Issues
    3.10 Missing IP Address Entry in the /etc/hosts File on Linux
    3.11 Manpaths
    3.12 Creating LDAP Server and Group Objects in iManager
    3.13 ndsconfig cannot Set IP Address for n4u.server.interfaces
    3.14 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3.x
    3.15 Increasing the Speed of Bulkloads
    3.16 Extended Characters Not Supported by LDAP Tools
    3.17 Scaling eDirectory on HP-UX
    3.18 SLP Issues
    3.19 Non-English Characters as Password
    3.20 Error While Starting ndsd with Locale Other Than English
    3.21 DirXML Issues
    3.22 Error while Configuring the LDAP Server with Default SSL CertificateDNS Certificate on a Multiple NIC Enabled Host on HP-UX
    3.23 Hard Cache Considerations for Solaris
    3.24 ICE Plug-in Won't Authenticate in iManager for Import on Linux
    3.25 Errors When Running edirutil -i on Linux
    3.26 File Descriptor Limitation on Solaris
4.0 Change Log
    4.1 ds
    4.2 nldap
    4.3 ncpengine
    4.4 install
    4.5 dsrepair
    4.6 snmp
    4.7 eMBox
    4.8 httpstk
    4.9 ice
    4.10 jclient
5.0 Documentation Issues
    5.1 eDirectory 8.7.3 Documentation
    5.2 Additional Readme Information
6.0 Legal Notices

1.0 Overview

This patch is an update to the original release of Novell eDirectory 8.7.3. It contains all the fixes and updates since eDirectory 8.7.3 shipped. This update is for the Solaris, Linux, HP-UX, and AIX platforms only.

2.0 Installation

2.1 Prerequisites

2.1.1 Solaris

- One of the following:
    - Solaris 8 on Sun SPARC (with patch 108827-20 or later)
    - Solaris 9 on Sun SPARC
- All latest recommended set of patches available on the SunSolve Web page (http://sunsolve.sun.com). If you do not update your system with the latest patch before installing eDirectory, you will get the patchadd error.

2.1.2 Linux

- One of the following:
    - OES Linux SP2 32 bit
    - SUSE Linux Enterprise Server 8.x 32 bit
    - SUSE Linux Enterprise Server 9 32 bit (SP1, SP2 & SP3) and 64 bit (SP3) or later
    - SUSE Linux Enterprise Server 10 32 bit and 64 bit
    - Red Hat Enterprise Linux AS 2.1 32 bit
    - Red Hat Enterprise Linux ES & AS 3.0 32 bit
    - Red Hat Enterprise Linux AS 4.0 32 and 64-bit
  To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.
- Ensure that gettext is installed. To install gettext, search the rpmfind (http://rpmfind.net) Website for gettext.

2.1.3 HP-UX

- PA-RISC 2.0 processor
- HP-UX 11.11 operating system
- Ensure that the OS is updated with the patch PHSS_26560. Download and install the patch PHSS_26560 from http://www.itrc.hp.com > maintenance and support for HP products.
  Note: If you have installed the patch PHSS_28436, we recommend you uninstall it and then install patch PHSS_26560.
- Ensure that the HP-UX 11.11 Quality Pack (GOLDQPK11.11) is installed. Download and install it from http://www.software.hp.com/SUPPORT_PLUS/qpk.html#N0.110.
- Ensure that gettext is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Gnu/.
- Ensure that libiconv is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Development/Libraries/.

2.1.4 AIX

- AIX 5L Version 5.2
- All recommended AIX OS patches, available at the IBM Tech Support (https://techsupport.services.ibm.com/server/fixes) Website

2.2 Component Versions With this Patch

2.2.1 Linux

    ice           10552.76
    ndsd          10553.73
    nldap         10555.40
    ndssnmp       10550.91
    ndstrace      10553.73
    ndsconfig     10553.34
    ndsimonitor   20210.97

2.2.2 Solaris

    ice           10552.76
    ndsd          10553.73
    nldap         10555.40
    ndssnmp       10550.91
    ndstrace      10553.73
    ndsconfig     10553.34
    ndsimonitor   20210.97

2.2.3 HP-UX

    ice           10552.76
    ndsd          10553.72
    nldap         10555.40
    ndssnmp       10550.91
    ndstrace      10553.73
    ndsconfig     10553.34
    ndsimonitor   20210.96

2.2.4 AIX

    ice           10552.76
    ndsd          10553.72
    nldap         10555.40
    ndssnmp       10550.91
    ndstrace      10553.73
    ndsconfig     10553.34
    ndsimonitor   20210.97

2.3 Installing or Upgrading eDirectory

2.3.1 Pre-Installation Notes

- Install this on a full installation of eDirectory 8.7.3.x.
- Don't install on DS 8.x.x or eDirectory 8.5.x, 8.6.x, 8.7.0, or 8.7.1.
- This patch has only been tested using the latest support packs and on eDirectory 8.7.3.x supported platforms. This patch is also supported on RedHat Advanced Server 3.0 (RHAS3.0) and SUSE Linux Enterprise Server 9 and 10 (SLES9 & 10).
- From eDirectory 8.7.3 SP8 onwards, the security updates are no longer included with the eDirectory patch. You need to download the security updates separately from http://download.novell.com. We highly recommend that you use SSP203 in combination with eDirectory 8.7.3 SP9.
- HP-UX Patch Levels: Novell eDirectory for HP-UX has only been tested in combination with the patches listed in the original documentation for the product. These are:
    - PHSS_26560
    - HP-UX 11.11 Quality Pack (GOLDQPK11.11)
  Any patches newer than the ones listed have not been tested with this patch and are therefore not supported by Novell at this time.
- Minimum patch requirements for Solaris 9: The patch requires that on Solaris 9 a set of patches from Sun must be installed before applying this patch.
  These patches are required to support Sun's 'libumem' memory allocator, which improves performance on Solaris 9.

    112874-13 (or newer)   libc patch
    114370-01 (or newer)   libumem.so.1
    114371-01 (or newer)   libumem; mdb components patch
    114373-01 (or newer)   abi_libumem.so.1 patch
    112233-11 (or newer)   SunOS 5.9: Kernel patch

- Extracting the patch on Solaris may fail with checksum errors. This occurs when using a version of the Solaris 'tar' that has not been updated. Using the GNU 'tar' will work. Sun has also fixed this issue in the following patches:

    SPARC Solaris 8: 110951
    SPARC Solaris 9: 115336

- Single user mode (runlevel 1) on RedHat Linux: To run successfully in single user mode on Linux (i.e., init 1), you must remove the symbolic link /etc/rc.d/rc1.d/S54ndsd. You will only need to do this one time. If you do not do this, eDirectory will try to start during the initialization of the runlevel.
- Installing this patch on Solaris without first configuring a tree may generate errors during installation. To install on Solaris in this situation, follow this order:
    1. Install eDirectory 8.7.3
    2. Install NICI as required by the security patches contained in this release
    3. Install NMAS server and security updates contained in this release
    4. Install this eDirectory patch
    5. Configure a tree as per normal using ndsconfig

2.3.2 Installing eDirectory

This patch release is only for a server currently running eDirectory 8.7.3.x. It requires that eDirectory 8.7.3.x already be installed on the server. If the server is running an earlier version of eDirectory, you must upgrade that server's version of eDirectory to 8.7.3.x before applying this patch. The full 8.7.3.x product can be found at http://download.novell.com. This patch can then be applied.

For more information on installing eDirectory 8.7.3.x, refer to the "Novell eDirectory 8.7.3 Installation Guide" (http://www.novell.com/documentation/lg/edir873/index.html).

Complete the following procedure to install eDirectory:

1. Download the tarred compressed file to your UNIX system.

2. Extract the file using the following command:

    gzip -dc edir8739.tgz | tar xvf -

3. Change to the ./edir8739 directory.

4. Ensure eDirectory has been completely stopped first by using the following command, depending on the platform:

    Linux:    /etc/init.d/ndsd stop
    Solaris:  /etc/init.d/ndsd stop
    HP-UX:    /sbin/init.d/ndsd stop
    AIX:      /etc/ndsd stop

5. Type ./install.sh as the root user to proceed with the installation. If you wish to execute the eDirectory update directly, type ./install.sh [options] as the root user.

    -f  --force
        Force the installation of the patch at all costs (continues on failure).
    -s  --showall
        Display the package versions that are installed for Novell products.
    -i  --showinstalled
        Display the installed package versions for the packages that are included in this patch.
    -n  --noansi
        Disable the use of ANSI colours. If the terminal type is 'xterm' then colours will be disabled by default.
    -y  --yesansi
        Enable the use of ANSI colours.
    -ne --noerrors
        Disable the display of expanded error messages that are shown when an error is generated.
    -u  --unattended
        Allows the patch to be installed in unattended mode. Will stop if an error is encountered unless the --force switch is also used.
    -a  --autostart
        Attempt to start the product after the installation process.
    -h  --help
        Displays this command line help.

6. If you have Novell iManager installed, then after the installation you will need to restart the Tomcat and Apache2 daemons. Use the following commands to do this:

    Linux:
    - Tomcat: /etc/init.d/novell-tomcat4 start
    - Apache: /etc/init.d/novell-httpd start

    Solaris:
    - Tomcat: /var/opt/novell/tomcat4/bin/startup.sh
    - Apache: /var/opt/novell/httpd/bin/apachectl startssl

    HP-UX:
    - Tomcat: /opt/hpws/tomcat/bin/startup.sh
    - Apache: /opt/hpws/apache/bin/apachectl startssl
    - Or if you are *not* using SSL: /opt/hpws/apache/bin/apachectl start

7. From eDirectory 8.7.3 SP8 onwards, the security updates (NMAS, PKI, NTLS, and NICI) are not included in the eDirectory patch. To get the latest security patches, visit http://download.novell.com. Select Security Services | Search from the Product or Technology drop down menu. Download and install the platform specific patch and NMAS methods. Novell recommends that you use the SSP 203 security patch in combination with eDirectory 8.7.3 SP9.

2.3.3 More Information

For additional information regarding this patch, refer to the following Technical Information Documents on the Novell Support Knowledgebase at http://support.novell.com/search/kb_index.jsp:

- TID 10094651: The Linux NDS SNMP Subagent "ndssnmpsa" will not start
- TID 10096146: Connection lost to eDirectory 8.7.3, on Red Hat AS 3.0 Server, while bulk loading objects
- TID 10096145: eDirectory 8.7.3 runs out of memory, on Red Hat AS 3.0 Server, while running repeated LDAP operations
- TID 10097153: NDSD will not start after installing Solaris 9 patches
- TID 10097186: nds-uninstall fails to remove the NDSserv package on RedHat
- TID 10097155: Can't run repair and rename tree operations, via embox, on RedHat
- TID 10097143: How to enable the FLAIM memory pre-allocation feature
- TID 10098714: How to configure dsbk for Linux and Unix

3.0 Known Issues

3.1 Installation and Configuration Issues

3.1.1 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3.x. When you upgrade from 8.6.x to 8.7.3.x, you must upgrade the X.509 and CertMutual login methods as well. The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.x.

3.1.2 Installing and Configuring eDirectory on SUSE Linux Fails When DHCP is Configured

On SUSE Linux, when DHCP is configured, installing and/or configuring eDirectory fails with the following error:

    "Can't contact LDAP server. Error (-1): Installation aborting."

To resolve this error, make sure that the following entry is present in /etc/hosts before configuring eDirectory:

    127.0.0.1 localhost.localdomain localhost

If the entry 127.0.0.2 <>.localdomain <> is present in the file, add 127.0.0.1 <>.localdomain <> before the entry to look similar to the following:

    127.0.0.1 <>.localdomain <>
    127.0.0.2 <>.localdomain <>

This change might affect other network applications. You might want to revert this change once the eDirectory configuration is completed. Reverting will not impact the eDirectory services.

3.1.3 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd)

If Native SLP is already present and configured, the eDirectory installation on Solaris 8.0 detects the presence of the Native SLP package and does not install the NovellSLP package. You should make sure that the slpd daemon is running before configuring a new eDirectory server, as eDirectory requires SLP in order to query for duplicate tree names, advertising, etc.

To start the slpd daemon on Solaris 8.0:

1. Create the slp configuration file, either by copying /etc/inet/slp.conf.example to /etc/inet/slp.conf or by any alternative method.

2. Start the slpd daemon with the following command:

    /etc/init.d/slpd start

The slpd daemon will not start if the /etc/inet/slp.conf file does not exist. The network administrator can change the slp configuration by editing the /etc/inet/slp.conf file and restarting the slpd daemon.

You can use NovellSLP by installing the NovellSLP package, configuring the /etc/slpuasa.conf file as per the network requirements, and starting the slpuasa daemon. Make sure that the /etc/inet/slp.conf file does not exist (either by removing or making a backup of this file) and stop the /etc/init.d/slpd daemon before using the NovellSLP package.
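
The /etc/hosts layout that section 3.1.2 asks for can be checked before running ndsconfig. The script below is an added example, not part of the Novell readme: check_hosts is a hypothetical helper name, the host name edir1 and the sample file are constructed, and it assumes the blank <> placeholder above stands for the server's own host name.

```shell
#!/bin/sh
# Added example: check the /etc/hosts layout from section 3.1.2 before
# configuring eDirectory. check_hosts is a hypothetical helper name.
#
# usage: check_hosts FILE HOSTNAME
# Prints one line per problem; returns 0 when the layout is fine, 1 otherwise.
check_hosts() {
    awk -v host="$2" '
    { sub(/#.*/, "") }              # ignore comments
    NF < 2 { next }                 # need an address and at least one name
    {
        short = 0; fqdn = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "localhost") short = 1
            if ($i == "localhost.localdomain") fqdn = 1
            # HOSTNAME itself or HOSTNAME.<domain>
            if ($i == host || index($i, host ".") == 1) {
                if ($1 == "127.0.0.1" && !first1) first1 = NR
                if ($1 == "127.0.0.2" && !first2) first2 = NR
            }
        }
        if ($1 == "127.0.0.1" && short && fqdn) loopback = 1
    }
    END {
        if (!loopback) {
            print "missing: 127.0.0.1 localhost.localdomain localhost"
            bad = 1
        }
        # A 127.0.0.2 entry for the host needs a 127.0.0.1 entry above it.
        if (first2 && (!first1 || first1 > first2)) {
            print "line " first2 ": 127.0.0.2 entry for " host " has no 127.0.0.1 entry before it"
            bad = 1
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Demo on constructed content (not a real /etc/hosts); edir1 is a made-up host.
demo=$(mktemp)
cat > "$demo" <<'EOF'
127.0.0.1 localhost.localdomain localhost
127.0.0.2 edir1.localdomain edir1
EOF
check_hosts "$demo" edir1 || echo "fix the entries above, then run ndsconfig"
rm -f "$demo"
```

On a real server the call would be check_hosts /etc/hosts "$(hostname)".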

3.1.4 Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3.x

Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3 or eDirectory 8.7.3.x rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class.

This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory.

The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.

3.1.5 ndsconfig Creates the nds.conf File and the DIB Directory Even When Configuration Fails

If configuration fails, ndsconfig creates the /etc/nds.conf file and the /var/nds/dib directory. You might have to delete these files manually.

3.1.6 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate

When configuring eDirectory on Linux or Solaris servers into a replica with many objects or with synchronization problems, you might experience the following error at the end of the ndsconfig process:

    "Unable to configure LDAP server with default SSL CertificateDNS certificate. Use ConsoleOne/iManager to associate SSL CertificateDNS certificate with LDAP server."

If the ndsd service is stopped at this point, you can restart it manually by entering the following at the console prompt:

    /etc/init.d/ndsd start

At this point, you might also need to verify that the LDAP Server object for that server was configured with an SSL Certificate. In ConsoleOne/iManager, open the properties pages of the LDAP Server object for this server, select the SSL/TLS Configuration tab, then look at the Server Certificate field on that tab. If it has been populated with the name of an SSL Certificate (for example, "SSL CertificateDNS"), click Close to exit the properties pages.
If this field is blank, click the browse button for that field and select a certificate from the list. The default is "SSL CertificateDNS." Then click Apply and Close.

Finally, verify that the /var/novell/nici/0 directory (if user 'root' ran the install) contains a 'nicisdi.key' file. If it doesn't, restart the server to synchronize the key file.

3.1.7 Specifying eDirectory Information During the Configuration

When specifying the eDirectory information during the configuration, if an invalid Server object container type is specified, the configuration will not detect the error until later, and the eDirectory configuration will fail with a -611 or -634 error, which implies an incorrect base class.

The valid Server object container types are:

- Organization (O)
- Organizational Unit (OU)
- Domain (DC)

3.1.8 Core DS Component Installation

On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error message like the following will be displayed:

    "The DS component of eDirectory failed to install correctly. The error received was: ''. Please view ndsd.log for more detailed information. The eDirectory installation will now be terminated."

If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support (http://support.novell.com) Web site for possible solutions.

3.1.9 gettext Displays Errors if libiconv is Not Present in the Default Location on HP-UX

During installation, eDirectory looks for libiconv in the default /usr/local/lib directory. If libiconv is not present in this location, gettext does not work. To resolve this, copy libiconv to the /usr/local/lib directory and proceed with the installation.

3.1.10 Installing eDirectory 8.7.3 SP9 on a SLES 9 Server

Installing a Non-replica Server into an Existing Tree

When installing a non-replica server into an existing tree (after the third server), you might get install failures. This is because SLES 9 ships with a developer/unsupported version of OpenSLP (OpenSLP 1.1.5). To fix this problem, install the supported version of OpenSLP (OpenSLP 1.0.11, available from www.openslp.org) on your SLES 9 system before installing eDirectory 8.7.3 SP9.

NOVLembox RPM Fails if X Isn't Installed

NOVLembox RPM fails if X isn't installed, because the JRE libraries have a requirement on the X libraries. In the \embox\build\linux\pkg_embox_lin file, move the following lines from the %install section to the %post section so that there is no dependency checking on these files:

    cd \$RPM_BUILD_ROOT/$emb_path
    gunzip -c jre141-Linux.tar.gz | tar xf -
    rm -f jre141-Linux.tar.gz

You should also delete RPM_BUILD_ROOT and recursively delete the JRE directory in the %preun section to clean up the files.

There is also a dependency on libstdc++libc6.1-1.so.2. Install the compat package set in order to get this component. Additionally, if you install just the XFree86-libs package, you will get what you need to install NOVLembox.

3.1.11 SLP Issues on OES Linux

OpenSLP implements SLPv2 while Novell SLP implements SLPv1. SLPv1 UAs will not receive replies from SLPv2 SAs, and SLPv2 UAs will not receive replies from SLPv1 SAs. That is, the clients with OpenSLP will not be able to see trees with Novell SLP. Similarly, the clients with Novell SLP will not be able to see trees with OpenSLP.

If both OpenSLP and Novell SLP are running in the network, then one of the OpenSLP instances (on OES Linux) should be configured as the DA.

3.1.12 Multiple NIC Setup Issue on HP-UX

In case of a multiple NIC setup on HP-UX, eDirectory 8.7.3 does not bind to all the IP addresses.
To work around this issue and to get all the addresses to bind on eDirectory 8.7.3.x, do the following:

1. Create an nds.conf file before installing eDirectory 8.7.3.x and set the NDS_CONF env variable to that file.

2. Add the following in the nds.conf file:

    n4u.server.interfaces=lan0,lan1

3. Configure eDirectory using ndsconfig.

3.1.13 NICI Issue in Red Hat Linux

Some Red Hat Linux systems, especially the Red Hat Advanced Servers, ship a prelink rpm to help applications load faster. To achieve this, prelink modifies the image of binaries. Once prelink modifies the NICI libraries, the NICI integrity check fails and the NICI binaries become unusable. To prevent this, you have to explicitly exclude the NICI binaries from prelink processing by adding the following in the /etc/prelink.conf file:

    -b /usr/lib/libccs2.so.2.6.4

3.2 iMonitor Issues

3.2.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.

3.2.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly.

This issue will be resolved in a future release of iMonitor.

3.2.3 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the /etc/ndsimonhealth.conf file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

3.2.4 iMonitor Report Does Not Save the Records of Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report was run.

This issue will be resolved in a future release of iMonitor.

3.2.5 Logging In to iMonitor

The username in the iMonitor login page should be a dotted, non-typed DN. For example, admin.novell. Other formats (such as dotted and typed, for example, cn=admin.o=novell; or LDAP format, for example, cn=admin,o=novell) are not accepted.

An unsuccessful login in iMonitor returns to the login page without displaying any errors.

3.2.6 Creation and Modification Timestamps

As UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.

3.3 ConsoleOne Issues

3.3.1 ConsoleOne on HP-UX

ConsoleOne is not supported on HP-UX. You can use other platforms, such as NetWare, Windows NT/2000, Linux, or Solaris for ConsoleOne.

3.3.2 ConsoleOne and Open SLP

The NOVLc1 package does not get installed during the installation of ConsoleOne on a Linux machine with an Open SLP package. If an Open SLP package is detected on a Linux machine and you want to install ConsoleOne on that Linux machine, install the Novell SLP package first, then run the ConsoleOne install script.

3.3.3 Using ConsoleOne to Manage NetWare 4.x Servers

In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client. Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

3.3.4 Creating Server Certificate Objects

Creating Server Certificate objects (also known as Key Material objects) is not supported in ConsoleOne on the UNIX platforms. This function is supported through iManager or from ConsoleOne on the Windows platform.

3.3.5 "Operation Failed" Error

The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites." indicates that a required SPM client library from the Universal Password feature in NMAS has not been installed or is not available, or that the server or workstation has incomplete or old versions of required eDirectory libraries.

To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later on a Windows workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.3 CD.

3.3.6 Using the Alt Key to Enter International Characters

Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly.

The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.

3.3.7 Novell Client Versions Required for ConsoleOne 1.3.6

ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client.
ConsoleOne 1.3.6 on Windows requires one of the following:

- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later

3.3.8 Installing ConsoleOne on UNIX With All Languages Selected

When installing ConsoleOne on UNIX with all non-English languages selected, you will receive the following message:

    "One or more of the languages for the specified snap-ins are not available to install or have not been translated for installation. ConsoleOne will continue to install. However, when executing ConsoleOne, some of the snap-ins will display English where the specific language was not available."

This issue will be resolved in a future release of eDirectory.

3.3.9 Adding an LDAP Server or LDAP Group Object Fails Due to Version Incompatibility

The LDAP ConsoleOne snap-in gives an obsolete version error. To resolve this, do the following:

1. Create the LDAP Server object.
2. Create the LDAP Group object.
3. Add the LDAP Server to the LDAP Group object's Server List.
4. Set the NCP Server to the LDAP Server object's Host Server field.
5. Set SSL CertificateDNS to the LDAP Server object's Server Certificate field in the SSL/TLS Configuration tab.
6. Wait for 10 seconds.

3.4 SNMP Issues

3.4.1 SNMP on Linux

On SLES9, the net-snmp 5.1 master agent has a known issue. It prints the message "snmpd: send_trap: Unknown PDU type" and does not send the traps. To avoid this error, upgrade net-snmp to 5.1.2 or a later version.

On SLES 10, before starting the subagent, export the variable SNMP_MAJOR_VERSION using the following command:

    export SNMP_MAJOR_VERSION=10

3.4.2 Errors While Starting the NDS Subagent

On RedHat Advanced Server 3.0 32 bit, the subagent might fail with the following message:

    Unable to load library: libnetsnmp.so

To resolve this, enter the following before starting the NDS subagent:

    export LD_PRELOAD=/usr/lib/libnetsnmp.so.5:/usr/lib/libnetsnmphelpers.so.5:/usr/lib/libnetsnmpmibs.so.5

Even after the above mentioned workarounds, you may continue to get the following error while browsing the NDS MIB through the MIB browser:

    Connection from callback: 1 on fd 4

You will still get the statistics, and you can ignore the above error messages.

3.4.3 Restarting ndssnmpsa

When the master agent is restarted on Solaris, Linux, and HP-UX, ndssnmpsa needs to be restarted. To restart ndssnmpsa, stop ndssnmpsa and then start it again.

To stop ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa stop
- Linux: /etc/init.d/ndssnmpsa stop
- HP-UX: /sbin/init.d/ndssnmpsa stop
- AIX: /etc/ndssnmpsa stop

To start ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa start
- Linux: /etc/init.d/ndssnmpsa start
- HP-UX: /sbin/init.d/ndssnmpsa start
- AIX: /etc/ndssnmpsa start

3.4.4 Multiple Trap Issue on HP-UX

For each trap generated, the previously generated trap will also be generated. For example, if you have generated trap 50 and later generated trap 43, while trap 43 is being generated, you will get trap 50 as well.

This problem is observed only on low-end servers (with a hardware configuration of 1 CPU, 256 MB RAM, 400 MHz) and works as expected on high-end servers (with a hardware configuration of 2 CPU, 1 GB RAM, 650 MHz).

3.4.5 Extra VarBind Issue on HP-UX

Two extra varbinds are added for each trap generated, along with the list of eDirectory specific trap variables. These two extra varbinds are sysUpTime.0 and trapOID.0. You can ignore these extra variables.

3.4.6 Error While Starting ndssnmpsa

When you start ndssnmpsa on UNIX, you might get the following errors:

    Error: eDirectory SNMP Initialization component. Error code: -168
    Error: eDirectory SNMP Initialization component. Error code: 9

To resolve this, do the following:

1. Stop the SNMP subagent if it is running.

2. Unload and load ndssnmp as follows:

    /usr/bin/ndssnmp -u
    /usr/bin/ndssnmp -l

3. Start the SNMP subagent.

3.4.7 Issue with 64 Bit Version of Net-Snmp

ndssnmpsa requires 32-bit netsnmp libraries on 64-bit Linux. To resolve this, install the net-snmp-32bit rpm on the SLES 9 and 10 64 bit platforms. This rpm is available on the SLES install CDs.

3.5 Increasing the Size of the eDirectory Log Files

You can use Novell iManager to increase the maximum size of the eDirectory log files (in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size) to a large value (such as several MBs). However, the size of the log files can become a problem and might cause eDirectory to stop responding.

To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:

    TOMCAT_OPTS=-Xmx512m

This increases the JVM heap size from the default of 64MB to 512MB.

3.6 Faxparameters Issue with NLDAP

NLDAP ignores the faxparameters part of the facsimile telephone number syntax and only allows the printable ASCII string, which is the telephone number. Refer to RFC 2252 for details of the facsimile telephone number syntax. The faxparameters correspond to the bit string component of the NDAP syntax - SYN FAX NUMBER.

3.7 Replacing an Attribute With a Zero Length Value Through ICE Deletes the Attribute

Consider the following entry specified in an LDIF file:

    # Modify an entry: replace the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    replace: fullName
    fullName:

Providing this LDIF entry to ICE will delete the fullName attribute. Use the ldapmodify tool to modify such LDIF entries.

3.8 NetMail Version for Upgrading to eDirectory 8.7.3.x

Existing Novell NetMail 3.1 users running eDirectory 8.6.x on UNIX platforms and upgrading to eDirectory 8.7.3.x should apply the NetMail 3.10e patch to maintain compatibility with eDirectory.

3.9 Repair Issues

3.9.1 Running ndsrepair on An NFS Mounted DIB on Linux

You might get -732 or -6009 errors while trying to run ndsrepair on an NFS-mounted DIB on Linux systems.

3.9.2 ndsrepair Fails When the dib Directory has a Large Number of Stream File Attributes

On SLES 9, if the dib contains more than 100,000 stream files, ndsrepair -R fails.

To work around this issue, run ndsrepair as follows:

    ndsrepair -R -v no -Ad -av

3.9.3 Basic Repair Task in iManager

In iManager 2.5, the eDirectory Maintenance > Basic Repair task has been renamed to eDirectory Maintenance > Repair eDirectory. The functionality remains the same, however.

3.10 Missing IP Address Entry in the /etc/hosts File on Linux

On Linux, if the /etc/hosts file contains only the local host entry, the IP address entry should be added. In the /etc/hosts file, the local host entry would be displayed as follows:

    127.0.0.1 localhost.localdomain localhost

Add the IP address entry to the /etc/hosts file as follows:

3.11 Manpaths

3.11.1 Updating Manpath for SUSE

On SUSE, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add /etc/manpath to the list.

Update the MANPATH variable by entering:

    export MANPATH=/usr/ldaptools/man:/usr/man:$MANPATH
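
The ICE behaviour described in section 3.7 is easy to trigger by accident in a large LDIF file, so it helps to find the affected records before an import. The scanner below is an added example, not part of the Novell readme or of ICE: scan_ldif and sample_ldif are hypothetical names, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: list LDIF "replace" operations that carry a zero-length value,
# which section 3.7 says ICE turns into a deletion of the attribute.
#
# usage: scan_ldif FILE
# Prints "line<TAB>dn<TAB>attribute" per finding; returns 1 if any, else 0.
scan_ldif() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    # Handle one logical (already unfolded) LDIF line that began on line nr.
    function handle(line, nr,    pos, key, val) {
        if (line ~ /^#/) return                                   # comment
        if (line == "") { dn = ""; modify = 0; op = ""; return }  # record ends
        if (trim(line) == "-") { op = ""; return }                # one change ends
        pos = index(line, ":")
        if (pos == 0) return
        key = tolower(trim(substr(line, 1, pos - 1)))   # tolerates blanks around ":"
        val = substr(line, pos + 1)
        sub(/^[:<]/, "", val)                           # "::" base64 or ":<" URL form
        val = trim(val)
        if (key == "dn") { dn = val; modify = 0; op = "" }
        else if (key == "changetype") modify = (tolower(val) == "modify")
        else if (modify && op == "" && (key == "add" || key == "delete" || key == "replace")) {
            op = key; attr = val
        }
        else if (modify && op == "replace" && key == tolower(attr) && val == "") {
            printf "%d\t%s\t%s\n", nr, dn, attr
            found = 1
        }
    }

    { sub(/\r$/, "") }                                  # accept CRLF files
    # Unfold: a physical line starting with one space continues the previous one.
    /^ / { pending = pending substr($0, 2); next }
    { if (NR > 1) handle(pending, start); pending = $0; start = NR }
    END { if (NR > 0) handle(pending, start); exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, not taken from a real directory.
sample_ldif() {
    cat <<'EOF'
# constructed sample
version: 1

dn: cn=user,o=org
changetype: modify
replace: fullName
fullName:
-
replace: title
title: Engineer
-

dn: cn=other,ou=people,
 o=org
changetype: modify
replace: description
description::
-
add: mail
mail: other@example.com
-
EOF
}

# Demo: scan the sample and report what would be affected.
tmp=$(mktemp)
sample_ldif > "$tmp"
scan_ldif "$tmp" || echo "zero-length replace values found: apply these records with ldapmodify, not ICE"
rm -f "$tmp"
```

The scanner only reads the file; it reports the line, DN and attribute of each affected change so those records can be split out and applied with ldapmodify as the readme advises.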
3.11.2 Updating Manpath for UnitedLinux

On UnitedLinux, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add this path to the list. To update the MANPATH variable, type "export MANPATH=$MANPATH:/usr/man" and press Enter.

3.12 Creating LDAP Server and Group Objects in iManager

If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview, select the new LDAP Server object, and then click General > Information > Refresh after the LDAP objects have been created.

3.13 ndsconfig cannot Set IP Address for n4u.server.interfaces

You can set the IP address for n4u.server.interfaces by editing the nds.conf file.

3.14 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3.x

After an eDirectory 8.7 server on Solaris 8 running Novell Account Management is upgraded to eDirectory 8.7.3.x, the Novell Account Management authentication will fail. This will happen only when the Solaris 8 server is running a kernel patch level of 108528-14 or higher. This issue will be fixed in a future release of eDirectory.

3.15 Increasing the Speed of Bulkloads

To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete. For more information, see the Universal Password Deployment Guide (http://www.novell.com/documentation/lg/nw65/universal_password/data/front.html).

3.16 Extended Characters Not Supported by LDAP Tools

Extended characters are currently not supported by LDAP tools. You can use ICE to perform operations like add, modify, and delete using appropriate LDIF files.

3.17 Scaling eDirectory on HP-UX

To do memory intensive operations, you need to scale eDirectory.
Execute the following command before configuring eDirectory:

    chatr +q3p enable +q4p enable /usr/sbin/ndsd

3.18 SLP Issues

3.18.1 OpenSLP on HP-UX Does Not Interoperate with Novell SLP

OpenSLP on HP-UX does not interoperate with Novell SLP (version 1) on eDirectory servers on Windows, NetWare, Linux, and Solaris. For eDirectory on HP-UX to interoperate with eDirectory on other platforms, you need to have the following set up on the platforms:

- Windows and NetWare: NDSslp
- Linux: OpenSLP
- Solaris: Native SLP

3.18.2 When Adding a Secondary Server to a Tree with HP-UX as the Master Server, SLP for Service Location Fails

When you configure a tree with HP-UX as the master server and try to add a secondary server to it, use the static file hosts.nds instead of SLP for service location.

3.18.3 OpenSLP Does Not Work on 64 bit SLES 9

OpenSLP does not work on 64 bit SLES 9 as 64 bit SLES 9 ships the 64 bit version of SLP. However, eDirectory supports the 32 bit version of SLP. For eDirectory on SLES to work on OpenSLP, use the 32 bit versions of /usr/lib/libslp.so.1.0.0 and /usr/bin/slpd.

3.19 Non-English Characters as Password

Before using non-English characters in a password on HP-UX systems, enter the following command:

    stty cs8 -istrip

3.20 Error While Starting ndsd with Locale Other Than English

Starting the ndsd service with a locale other than English displays the error "Could not load Unicode tables." To bring up an eDirectory server in non-English locales, export /usr/local/lib as follows:

    export SHLIB_PATH=/usr/local/lib:$SHLIB_PATH

3.21 DirXML Issues

3.21.1 DirXML Fails to Start After Upgrading to eDirectory 8.7.3.x

Upgrading to eDirectory 8.7.3.x with an existing DirXML installation will cause DirXML to fail on Solaris and Linux. To fix this problem, install the NDSdxevnt library on Solaris or the NDSdxevnt-1.1.1-1.i386.rpm package on Linux. These files can be found in the ./setup directory on the DirXML 1.1a installation CD.

For more information, see Solution 10091030 (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091030.htm), "DirXML 1.1a Fails to Start After Upgrade to eDirectory 8.7.3," in the Novell Knowledgebase.

3.21.2 Unable to Start ndsd After Installing DirXML 2.0 on Solaris

When you create a DirXML driver set, or shortly after DirXML loads, the ndsd process shuts down unexpectedly without a core dump. The /var/nds/ndsd.log file will contain the following message:

    "Exception java.lang.OutOfMemoryError: requested -569704448 bytes for char in /export1/jdk/jdk1.4.2/hotspot/src/os/solaris/vm/os_solaris.cpp. Out of swap space?"

(The exact number might vary.)

To fix this problem, complete the following steps:

1. Open /etc/init.d/ndsd.

2. Set GS_FAST_MODE to 0 instead of 1.

This issue has been fixed with eDirectory 8.7.3 IR3.

3.22 Error while Configuring the LDAP Server with Default SSL CertificateDNS Certificate on a Multiple NIC Enabled Host on HP-UX

See the ldapconfig command to configure the LDAP server with default SSL CertificateDNS certificate on a multiple NIC enabled host on HP-UX.

Example:

    ldapconfig -t -p -w -a -s "LDAP:keyMaterialName=SSL CertificateDNS"

3.23 Hard Cache Considerations for Solaris

On Solaris systems with more than 2 GB RAM, setting the hard cache above 1 GB might lead to core dumps. This is because of memory allocation incompatibilities with the memory manager library on Solaris, in some scenarios.

To limit the cache to 1 GB, edit the _ndsdb.ini (under the dib directory) as follows:

    cache=1024000000

You can also modify the cache settings through iMonitor using the Database Cache page under Agent Configuration. Select the Hard limit option and set the Maximum Cache Size in KB.

Refer to the Novell eDirectory Performance Tuning Guide (http://www.novell.com/products/edirectory/whitepapers.html) for more information on the eDirectory cache and the default cache settings.

3.24 ICE Plug-in Won't Authenticate in iManager for Import on Linux

When you use the Novell Import Convert Export iManager plug-in to import hundreds of users with an LDIF file, you might receive the following error toward the end of the Wizard when you click Start:

    "ldap_simple_bind failed: 49(Invalid credentials), dn: cn=admin,o=novell"

This is a known issue in the iManager plug-in. You can import the same file using the ConsoleOne snap-in, or the following command at the system prompt:

    ice -S LDIF -f -D LDAP -s -p 389 -d -w

3.25 Errors When Running edirutil -i on Linux

On SUSE LINUX Enterprise Server 9 and Red Hat Advanced Server 3.0, the path to Java might be incorrect in the edirutil program, so when you enter the edirutil -i command, you will get errors.

First, check to see if Java is installed, using the java -version command. If it is installed, you should get a reply listing the version. If it is not installed, see if you can find Java using the following command:

    which java

Try entering the full path to run it as /usr/lib/java/jre/bin/java -version. If that doesn't work, download and install Java.

After Java is working, find out where the eDirectory eMBox tools are located (probably in /usr/lib/nds-modules/embox/eMBoxClient.jar). If they are not in /usr/lib/nds-modules/embox/eMBoxClient.jar, search for the tools using the following command:

    find / -name eMBoxClient.jar

Run java and execute the eMBox command line client. You can leave out the full path specification if the required directory is your current working directory or if the path has been set to the java directory. The full path request looks similar to the following:

    /usr/lib/java/jre/bin/java -cp /usr/lib/nds-modules/eMBoxClient.jar embox -i

3.26 File Descriptor Limitation on Solaris

On Solaris, the ndsd process has a limitation of having a maximum of 256 file descriptors open. To work around this constraint, set the value of the NDSD_USE_STDIO environment variable to 1.

4.0 Change Log

This section lists the defects that were fixed with this patch and the additional modifications made.

4.1 ds

Resolved: Issue on startup ndsd cores due to memory corruption and a double release of resources (83020).
Resolved: Issue of duplicate password check ignored with "Require Unique Passwords" checked (97104).
Resolved: Objects continually synch after partition merge due to ds not putting latest timestamp in inactive child TV replica number (155652).
Resolved: ndsd shuts down if an error is returned during ndsconfig add -m (156428).
Resolved: Man page created for ndsautotrace utility (158565).
Resolved: Dumping core in Windows while upgrading from 873 SP8 to 8.8 SP1 during broadcast to stations (164396).
Resolved: Nessus scan of Linux server causes ndsd high utilization (192595).
Resolved: Heap overflow security vulnerability - (197627&195511\197631&195508).
Resolved: Invalid free security vulnerability - (197629/195523).
Resolved: DoS security vulnerability - (197711\195510).
Resolved: Ndsd cores on object name resolve - (203180).

4.2 nldap

Resolved: Added messages in ldap search trace when LDAP skips a "duplicate" attribute (i.e., App:Path vs. appPath) (94515).
Resolved: SSLv2 disabled in LDAP (156683 & 182127).
Resolved: Search now ignores any search predicates which could cause a syntax violation (RFC2251) (155554).
Resolved: LDAP Server failing if certificate is unassociated unless der file is exported as trusted root (162974).
Resolved: LDAP returning null (EID) on DN syntax instead of converting it to DN (Example: value returned when adding user to a group) (169806/155097).
Resolved: LDAP returning non-present values (170841).
Resolved: Log elapsed time for all LDAP operations (177174).

4.3 ncpengine

Resolved: ndsd cores when ncpengine destroys a NCP connection session (191182).

4.4 install

Resolved: Edir8738ftf_1 install removes ldapsdk & ldapx from ndsmodules.conf (200329). Now the ndsmodules.conf file is backed up and restored.

4.5 dsrepair

Resolved: Dsrepair speed enhancements, especially on non-NetWare platforms (83042).
Resolved: Destroy selected replica now updates the ndsStatusRepair attribute of the pseudoserver (168102).
Resolved: Incorrect port was added to ncpserver and referral list after repair network address (186311).
Resolved: Fixed the -at switch (207153\207151).
Resolved: Messages now show the progress of object repairs (122521).

4.6 snmp

Resolved: Subagent stops after a random amount of time (142769).
Resolved: Restarting the SNMP subagent fails with -255 when other locales are used (151067).
Resolved: Subagent crashes with a segmentation fault (205042).
Resolved: Trap and statistics messages would no longer be displayed if the defs file was not in default location (208663).
Resolved: Ndssnmpsa not starting in HP-UX after applying 8738 (208964).

4.7 eMBox

Resolved: Issue where user password is displayed in clear text using embox through iManager (93995).

4.8 httpstk

Resolved: Issue of remote code execution vulnerability in httpstk (205313).

4.9 ice

Resolved: Issue that ICE would not work in French locale (156011).

4.10 jclient

Resolved: Issue where incorrect privileges were assigned when there was no password supplied (83008).

5.0 Documentation Issues

5.1 eDirectory 8.7.3 Documentation

The latest eDirectory 8.7.3 documentation is available at the Novell eDirectory 8.7.3 Documentation site (http://www.novell.com/documentation/edir873/index.html).

The latest version of this readme is available at the Novell eDirectory 8.7.3 Documentation Site (http://www.novell.com/documentation/edir873/index.html).

5.2 Additional Readme Information

5.2.1 Novell eDirectory 8.7.x Readme Addendum

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

5.2.2 NMAS Issues

For NMAS information, refer to the Security Services Readme (http://www.novell.com/documentation/nmas311/index.html) located with the NMAS 3.1.1 online documentation (http://www.novell.com/documentation/nmas311/index.html).

5.2.3 Certificate Server Issues

For Certificate Server information, refer to the Security Services Readme (http://www.novell.com/documentation/nmas23/readme/security_readme5.html) located with the Novell Certificate Server 2.7 online documentation (http://www.novell.com/documentation/lg/crt27).

5.2.4 NICI Issues

For NICI information, refer to the Security Services Readme (http://www.novell.com/documentation/nici27x/readme/security_readme.html) located with the NICI 2.7.x online documentation (http://www.novell.com/documentation/nici27x).

6.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to http://www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2003-2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).