Novell eDirectory 8.8 SP2 for NetWare

October 12, 2007

1.0 Installation
    1.1 Prerequisites
    1.2 Distributing Proper Versions of DSRepair to All Servers in the Tree
    1.3 Upgrading from a Previous Version
    1.4 Reinstalling eDirectory
    1.5 Video Cards and Driver Settings
    1.6 Manually Extending the Schema Before Installation
    1.7 NMAS Version After Upgrading to eDirectory 8.8 SP2
    1.8 DIB Upgrade Issues
    1.9 eDirectory 8.8 SP2 on IPX Configured NetWare Server
    1.10 Interoperability between eDirectory and Nsure Audit 1.0.x
    1.11 iManager Plug-ins Installation
2.0 Known Issues
    2.1 Universal Password Issue
    2.2 Encrypted Attributes and Encrypted Replication Issues
    2.3 iMonitor Issues
    2.4 iManager Issues
    2.5 SNMP Issues
    2.6 eDirectory Service Manager Issues
    2.7 Backup and Restore Issues
    2.8 Netscape Schema Attributes
    2.9 Emboxmgr.nlm Issue
3.0 Documentation
    3.1 Viewing eDirectory Documentation
    3.2 Additional Documentation and Readme Information
4.0 Legal Notices

1.0 Installation

1.1 Prerequisites

Check the currently installed Novell and third-party applications to determine if eDirectory 8.8 SP2 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID "What products are supported with Novell eDirectory 8.8 SP2?" (http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3171434&sliceId=SAL_Public&dialogID=44581712&stateId=0%200%2044585684). It is also highly recommended to back up eDirectory prior to any upgrades.

- NetWare 6.5 SP6 or later.
  Note: Installing eDirectory 8.8 SP2 on NetWare 6.0 is not supported.
- If you are using RCONSOLE, you need a ConsoleOne 1.3.6e administrator workstation with the following:
  - A 200 MHz or faster processor
  - A minimum of 128 MB RAM
  - Novell Client for Windows NT/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later

1.2 Distributing Proper Versions of DSRepair to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.8 SP2 installation, see "Updating the eDirectory Schema for NetWare" in the Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/afi2xit.html).

1.3 Upgrading from a Previous Version

1.3.1 Prerequisites

Before you upgrade to eDirectory 8.8 SP2, make sure you have the latest eDirectory patches installed on all servers in the tree that are running versions prior to eDirectory 8.8 SP2. You can get eDirectory patches from the Novell Support Web site (http://support.novell.com).

If you have eDirectory 8.5. or 8.6., you have to first upgrade to eDirectory 8.7. and then upgrade to eDirectory 8.8 SP2.

1.3.2 Upgrading to Novell eDirectory 8.8 SP2 on a Double-Byte System

In previous releases of eDirectory, some index keys were built incorrectly in double-byte language (Japanese, Korean, or Chinese) systems. Because of the incorrect keys, some searches did not work correctly. This issue was resolved in Novell eDirectory 8.7. However, because existing eDirectory databases on these systems still have these incorrect keys, there might be times even after your upgrade to eDirectory 8.8 SP2 when eDirectory reports corruption errors because of incorrect keys.

To resolve this issue, run dsrepair.nlm after the upgrade is complete and perform a physical rebuild of the database. This is only necessary if the database is a double-byte language database (Japanese, Korean, or Chinese). It is not necessary to run DSRepair after upgrading if you are not using one of these languages.

1.3.3 Upgrading from eDirectory 8.7. to eDirectory 8.8 SP2

Upgrading from eDirectory 8.7. to eDirectory 8.8 SP2 rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This is only an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory.

To work around this problem, use iManager to remove the mapping from the Class Mappings page of the LDAP Group Object.

1.3.4 Upgrading to eDirectory 8.8 SP2 in System Running IDM

During the upgrade from eDirectory 8.7.x to eDirectory 8.8.2, the location of the IDM files is changed, requiring a reinstall of the IDM engine and drivers. Any third-party jar files are not automatically copied to the new location and must be manually placed there before the affected drivers are started. It is recommended that all drivers be set to manual prior to upgrading to eDirectory 8.8 SP2.

1.3.5 Disk Space Check on Upgrading to eDirectory SP2

When an eDirectory server is upgraded from a previous version to eDirectory 8.8 SP2, a disk space check for the DIB upgrade is performed. The free disk space required on the file system where the DIB resides is equal to the size of the DIB. The messages of the disk space check are written to the ndscheck.log located in the instance's specific log directory. For the default instance, this is sys:\system\dscheck.log.

The disk space check is required only during the DIB upgrade process. For more information, refer to Upgrade Requirements of eDirectory 8.8 (http://www.novell.com/documentation/edir88/edirin88/data/b4u5fwl.html).

1.4 Reinstalling eDirectory

If you use NWCONFIG to uninstall eDirectory, follow these steps to reinstall eDirectory:

1. Use the following command to remove the eDirectory entry from the products.dat file so you can reinstall eDirectory on the same server:

       uinstall edir

2. Edit the sys:system\schema\schema.cfg file and remove the comment markers from the ndps*.sch files.
3. From the NetWare console, run NWCONFIG.
4. Select Product Options.
5. Select Install a Product Not Listed.
6. Specify the location containing the Novell eDirectory 8.8 SP2 installation package.

1.5 Video Cards and Driver Settings

The eDirectory, ConsoleOne, Novell iManager, and eGuide installs use Java 1.4. This means that a minimum color depth of 8 bits (256 colors) is required by your video card and driver setting to run the installations properly. On NetWare, the video card must also be VESA-compliant.

1.6 Manually Extending the Schema Before Installation

1.6.1 Synchronizing Schema Extensions

In some cases, schema extensions do not synchronize fast enough to the lower levels of a tree where the first new eDirectory 8.8 SP2 server is being installed, so some features are not completely installed. This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.8 SP2, using the eDirectory 8.8 SP2 schema files located in the \nw\sys\system\schema directory.

1.6.2 Using NWConfig to Extend the Schema

With eDirectory 8.7, enhancements were made to the DSI that added more flexibility in extending the schema. Many of the schema files located in the \nw\sys\system\schema directory take advantage of this new functionality. If an older version of dsi.nlm or dsisch.nlm (anything older than version 10411.14, dated September 26, 2002) is used by nwconfig.nlm to extend the new schema, the following error will occur:

    Error: Parsing the NDS500.sch file while extending schema.

To avoid this error:

1. Copy nw\sys\system\dsi.nlm and nw\sys\system\dsisch.nlm to the server that will do the schema extension.
   NOTE: This should be a server that holds a copy of the Root partition.
2. Copy the desired schema files to a temporary directory on the NetWare server.
3. Run nwconfig.nlm and use the Directory Services option to extend the schema.
   NOTE: There are some dependencies between the schema files in the nw\sys\system\schema directory. Because of these dependencies, we recommend that the schema files be extended in the order that is listed in the nw\sys\system\schema\schema.cfg file.

1.7 NMAS Version After Upgrading to eDirectory 8.8 SP2

When you install eDirectory 8.8 SP2, it comes with NMAS 3.2.0. However, if a lower NMAS version is selected when you do a post install of NetWare products, you should uncheck it.

1.8 DIB Upgrade Issues

1.8.1 DIB Upgrade Operation While Upgrading to eDirectory 8.8 SP2

When eDirectory is upgraded to eDirectory 8.8 SP2, the server is stopped and a DIB upgrade operation is performed before the server is started and the normal upgrade is performed. The time taken for this upgrade depends on the number of objects in the tree.

For more details on the DIB upgrade, refer to "Upgrade Requirements of eDirectory 8.8 SP2" in the Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/b4u5fwl.html).

1.9 eDirectory 8.8 SP2 on IPX Configured NetWare Server

Do not configure IPX while installing and configuring eDirectory 8.8 SP2 on NetWare servers. If you configure IPX, you might encounter random issues.

1.10 Interoperability between eDirectory and Nsure Audit 1.0.x

eDirectory 8.8 SP2 does not function properly with Nsure Audit 1.0.x. For full functionality with eDirectory 8.8 SP2, upgrade to Novell Audit 2.0.

1.11 iManager Plug-ins Installation

- Download the following iManager plug-ins from the Web (http://download.novell.com):
  - eDir_88_iMan26_Plugins.npm
  - eDir_88_iMan27_Plugins.npm
- Install the NPMs as described in the iManager 2.6 (http://www.novell.com/documentation/imanager26/imanager_install_26/data/bs3h82n.html) and iManager 2.7 (http://www.novell.com/documentation/imanager27/imanager_admin_27/data/b8qrq0l.html) documentation.

2.0 Known Issues

2.1 Universal Password Issue

By default, LDAP and other server-side utilities use NDS login first and, if this fails, use the Simple Password login. For Universal Password to work, the login needs to happen through NMAS. Therefore, you need to set the environment variable NDSD_TRY_NMASLOGIN_FIRST to true before DS.NLM is loaded. We recommend that you edit c:\nwserver\startup.ncf and set the environment variable there.

You can set the NDSD_TRY_NMASLOGIN_FIRST environment variable using either of the following methods:

1. Set the environment variable by adding the following to the c:\nwserver\startup.ncf file and restart the server:

       env NDSD_TRY_NMASLOGIN_FIRST=true

2. Set the environment variable through the command line and reload DS.NLM as follows:

       UNLOAD DS.NLM
       env NDSD_TRY_NMASLOGIN_FIRST=true
       LOAD DS.NLM

However, we recommend that you use the first option because you need to do it only once. With the second option, you need to export the environment variable every time you reboot your server.

2.1.1 iManager Login to a Remote Tree Fails

After you upgrade to eDirectory 8.8 SP2 on NetWare, you will not be able to log in to a remote tree through iManager. To resolve this issue, you need to specify the NDSD_TRY_NMASLOGIN_FIRST environment variable in the c:\nwserver\startup.ncf file. For more information, refer to the previous section (Section 2.1 Universal Password Issue).

2.1.2 LDAP Transaction OIDs

In LDAP transaction support, the supportedGroupingTypes OID and the transactionGroupingType OID are the same (2.16.840.1.113719.1.27.103.7).

2.2 Encrypted Attributes and Encrypted Replication Issues

2.2.1 Encrypted Replication

Encryption on the wire is not supported on NetWare.

- If you enable encrypted replication at the partition level or between replicas and there is a NetWare server in the replica ring, encrypted replication does not happen on that server.
- The Always Require Secure option is disabled for NetWare.

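The NDSD_TRY_NMASLOGIN_FIRST setting from Section 2.1 can be verified across servers by auditing collected copies of startup.ncf. The script below is an added example, not part of the Novell readme; the comment markers it recognizes (#, ; and REM), the function names and the sample file contents are assumptions.

```python
import re

VAR = "NDSD_TRY_NMASLOGIN_FIRST"  # variable name as given in Section 2.1

# Assumption: '#', ';' and a leading REM mark a comment line in an .ncf file.
COMMENT = re.compile(r"^\s*(?:#|;|rem\b)", re.IGNORECASE)
# 'env NAME=value' is the form the readme shows. The keyword is matched
# case-insensitively; the variable name and the value must match exactly.
ENV_SET = re.compile(r"^\s*env\s+(\w+)\s*=\s*(\S*)", re.IGNORECASE)


def audit_startup_ncf(text):
    """Classify one startup.ncf body.

    Returns (status, line_numbers) where status is one of
    OK, MISSING, COMMENTED_OUT or NOT_TRUE.
    """
    active, commented = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        is_comment = COMMENT.match(line) is not None
        # Strip the comment marker so a disabled setting is still recognized.
        body = COMMENT.sub("", line, count=1) if is_comment else line
        m = ENV_SET.match(body)
        if m is None or m.group(1) != VAR:
            continue
        (commented if is_comment else active).append((lineno, m.group(2)))

    if not active:
        if commented:
            return "COMMENTED_OUT", [n for n, _ in commented]
        return "MISSING", []
    # Every active assignment must carry the value the readme specifies.
    bad = [n for n, value in active if value != "true"]
    if bad:
        return "NOT_TRUE", bad
    return "OK", [n for n, _ in active]


# Constructed sample files (not taken from a real server).
SAMPLES = {
    "srv1": "LOAD EXAMPLE.HAM\nenv NDSD_TRY_NMASLOGIN_FIRST=true\n",
    "srv2": "LOAD EXAMPLE.HAM\n",
    "srv3": "# env NDSD_TRY_NMASLOGIN_FIRST=true\nLOAD EXAMPLE.HAM\n",
    "srv4": "ENV NDSD_TRY_NMASLOGIN_FIRST=false\n",
}


def audit_all(samples):
    """Audit a mapping of server name -> startup.ncf text."""
    return {name: audit_startup_ncf(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (status, lines) in audit_all(SAMPLES).items():
        print(f"{name}: {status} {lines}")
```

Servers reported as MISSING, COMMENTED_OUT or NOT_TRUE still try NDS login first, so LDAP and other server-side logins on them do not go through NMAS as Universal Password requires.
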
2.2.2 Viewing or Modifying Encrypted Attributes Through iManager

If an attribute of an object is encrypted, you will not be able to view or modify the object using iManager 2.5. To work around this issue, you can view or modify the encrypted attribute over a secure channel using any of the following methods:

- LDAP: The LDAP request must be sent over a secure channel. For that, the trusted root certificate of the server needs to be used.
- ICE: LDIF scripts can be used to modify the object. ICE must come over a secure channel in this case.
- Use iManager 2.5 FP2, iManager 2.6 or later. We recommend using iManager 2.6 for viewing or modifying encrypted attributes.

Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the EA policy. This makes the object and the encrypted attributes accessible by any client over a clear text channel. After this, iManager will be able to access the object.

2.3 iMonitor Issues

2.3.1 Browsing for Objects Containing Double-Byte Characters in iMonitor

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly.

This issue will be resolved in a future release of iMonitor.

2.3.2 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the ndsimonhealth.ini file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.3.3 iMonitor Report Does Not Save the Records for Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report was run.

This issue will be resolved in a future release of iMonitor.

2.3.4 iMonitor Issues in the Older Versions of Mozilla

Mozilla versions lower than 1.5 might have issues with iMonitor during DSTrace flag selection and might not support all operations.

2.4 iManager Issues

2.4.1 LDAP Operations Fail After Creating a New LDAP Group Using Quick Create

Quick Create only creates an LDAP Group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all LDAP operations fail because no LDAP server can be associated with the group due to the version incompatibility.

To work around this issue, after creating the LDAP group using Quick Create, change the LDAP Group object version number to nine.

2.5 SNMP Issues

2.5.1 Auto-Loading DSSNMPSA

On NetWare, DSSNMPSA is not loaded by default. If you configure it to auto-load, save the credentials by selecting the Remember Password option when it is manually loaded. The INTERACTIVE option must be set to ON in the sys:\etc\dssnmp.cfg file in order for DSSNMPSA to read the remembered credentials.

2.6 eDirectory Service Manager Issues

2.6.1 Service Manager Dependencies

Some Service Manager modules, such as httpstk, have dependencies. On NetWare, these dependencies are not displayed in the information frame as they are on Windows.

2.6.2 Using Service Manager to Stop eDirectory

If you use the eDirectory Service Manager in Novell iManager to stop eDirectory, restarting it through Service Manager is not possible. At the NetWare server console, enter the following:

    load DS

2.7 Backup and Restore Issues

2.7.1 Changes to Server-Specific Information

Backup of server-specific information has been implemented using the Backup eMTool. See "Changes to Server Specific Information Backup (Netware Only)" in the "Backing Up and Restoring Novell eDirectory" chapter in the "Novell eDirectory 8.8 Administration Guide" (http://www.novell.com/documentation/edir88/index.html) for more information.

If you are creating server-specific information backups using filesystem TSA, be aware that the bigger backup file size might be too large for your sys: volume. A user-specified file location is implemented to allow the file to be placed in a larger, more convenient location.

2.7.2 Backup Issues Using Nbackup

Nbackup doesn't support backing up eDirectory on a lower version of NetWare.

2.8 Netscape Schema Attributes

The Netscape-related attributes have been removed from the default schema installed with LDAP in eDirectory 8.8 SP2. If you want to use those attributes, they are present in a tree that was installed prior to eDirectory 8.8, or you can add them to any new trees by using the Novell Import Conversion Export utility to run the netscape-mappings.ldif file in the schema directory.

2.9 Emboxmgr.nlm Issue

Emboxmgr.nlm leaks memory when you use the eMBox Client to perform many simultaneous backups or local repairs. This issue will be fixed in an upcoming release of eDirectory.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP2 has the following documentation:

- Novell eDirectory 8.8 What's New Guide
- Novell eDirectory 8.8 Installation Guide
- Novell eDirectory 8.8 Administration Guide
- Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site (http://www.novell.com/documentation/edir88/index.html).

3.2 Additional Documentation and Readme Information

3.2.1 iManager

- iManager 2.6: For iManager 2.6 information, refer to the iManager online documentation (http://www.novell.com/documentation/imanager26/index.html).
- iManager 2.7: For iManager 2.7 information, refer to the iManager online documentation (http://www.novell.com/documentation/imanager27/index.html).

3.2.2 NMAS 3.2.0

For NMAS information, refer to the NMAS online documentation (http://www.novell.com/documentation/nmas32/index.html).

3.2.3 Certificate Server 3.3

For Certificate Server information, refer to the Certificate Server online documentation (http://www.novell.com/documentation/crt33/index.html).

3.2.4 NICI 2.7.3

For NICI information, refer to the NICI online documentation (http://www.novell.com/documentation/nici27x/index.html).

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page (http://www.novell.com/company/policies/trade_services/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Please refer to \documentation\english\license\license.txt for additional information and license terms.