Novell eDirectory 8.8 SP2 for Linux, Solaris, and AIX
October 12, 2007

1.0 Installation
    1.1 Prerequisites
        1.1.1 Linux
        1.1.2 Solaris
        1.1.3 AIX
    1.2 Installing eDirectory
        1.2.1 Installing eDirectory on Linux, Solaris, and AIX
    1.3 Interoperability Between eDirectory and Nsure Audit 1.0.x
    1.4 iManager Plug-ins Installation
2.0 Known Issues
    2.1 Installation and Configuration Issues
        2.1.1 No Port Conflict Checks for the Same Instance
        2.1.2 Error While Loading Shared Libraries: libstdc++.so.6
        2.1.3 Uninstallation Fails if Installation Was Not Successfully Completed
        2.1.4 SLP Interoperability Issues on OES Linux
        2.1.5 Ldif2dib Fails to Open Error Log File when DIB Directory is in Custom Path
        2.1.6 eDirectory 8.8 SP2 Fails to Add on SLES10 with Firewall Enabled
        2.1.7 Ndsconfig Does Not Verify Invalid Configuration File Path Appropriately
        2.1.8 Older ConsoleOne Versions Break Nds Utilities
        2.1.9 NDS Server Does Not Start Automatically in the Virtual SLES 10
        2.1.10 Ndsd Does Not Start After System Crash
        2.1.11 Ndsd Dumps Core while Accessing the NDS Server
        2.1.12 Ndsd may Fail to Start after Upgrading from eDirectory 8.7.3 SP7 to eDirectory 8.8.2 in OES 1.0 SP2
        2.1.13 Upgrading OES1 / SLES9 Servers from eDirectory 8.7.3.x to eDirectory 8.8.x Fails When IDM 3.x is Installed
        2.1.14 Icons Do Not Load in iMonitor after Restarting Ndsd
        2.1.15 eDirectory Configuration Fails with Incorrect Install Compat Library in RHEL 5.0
        2.1.16 Ndsd may Dump Core while Restarting after Multiple Operations on RHEL 5.0
        2.1.17 LDAP may Not Start in the Read/Write Server when the Master Server is Down
    2.2 Multiple Instances Issues
        2.2.1 Default Instance Path
        2.2.2 Troubleshooting Ports with Custom eDirectory 8.8 Instances
        2.2.3 Rebooting the Host
        2.2.4 Ndsd Not Listening at Loopback Address on a given NCP Port
    2.3 ldif2dib Limitations
        2.3.1 Schema
        2.3.2 ACL Templates
        2.3.3 Signal Handler
        2.3.4 Options
        2.3.5 Ldif2dib may Fail to Upload Objects Beyond Several Millions on RHEL 5.0
    2.4 Viewing French and Japanese Manpages
    2.5 ndsconfig get Outputs Junk Characters for Non-English Characters
    2.6 Catalog Services with eDirectory 8.8 SP2
    2.7 Localhost Issues in /etc/hosts
    2.8 LDAP TCP and TLS Ports Issue With Large DIBs
        2.8.1 LDAP Transaction OIDs
    2.9 iMonitor Issues
        2.9.1 Browsing for Objects Containing Double-Byte Characters in iMonitor
        2.9.2 Agent Health Check on a Single Server Tree
        2.9.3 iMonitor Report Does Not Save the Records for Each Hour
        2.9.4 Creation and Modification Time Stamps
        2.9.5 iMonitor Issues in older versions of Mozilla
    2.10 SNMP Issues
        2.10.1 Errors While Starting the NDS Subagent
        2.10.2 Restarting ndssnmpsa
        2.10.3 Errors While Starting ndssnmpsa
        2.10.4 Errors While Stopping ndssnmpsa
    2.11 Encrypted Attributes and Encrypted Replication Issues
        2.11.1 Configuring Encrypted Replication Through iManager
        2.11.2 Viewing or Modifying Encrypted Attributes Through iManager
        2.11.3 Merging Trees With Encrypted Replication Enabled Fails
        2.11.4 Limber Displays -603 Error
    2.12 iManager Issues
        2.12.1 LDAP Operations Fail After Creating a New LDAP Group Using Quick Create
        2.12.2 Issues While Backing Up on Red Hat EUC in Japanese Locale
    2.13 ndsrepair Issues
        2.13.1 Running ndsrepair on an NFS Mounted DIB on Linux
        2.13.2 Running Ndsrepair with -R Option Hangs
    2.14 SASL-GSSAPI Issues
        2.14.1 GSSAPI With Multiple User Objects
        2.14.2 Authorization ID
    2.15 Viewing SLP Man Pages
    2.16 Clone DIB Issues
        2.16.1 Clone DIB Fails With -601 and -603 Errors
        2.16.2 Clone DIB Can Fail Immediately After Offline Bulkload
        2.16.3 Issue in Cloning with Enabled Encrypted Replication Feature
    2.17 dsbk Issues
        2.17.1 Dsbk Configuration File Location
        2.17.2 Dsbk Usability Issue
    2.18 Deletion of a Moved Object Fails (error -637)
3.0 Documentation
    3.1 Viewing eDirectory Documentation
    3.2 Additional Documentation and Readme Information
        3.2.1 iManager
        3.2.2 NMAS 3.2.0
        3.2.3 Certificate Server 3.3
        3.2.4 NICI 2.7.3
4.0 Documentation Conventions
5.0 Legal Notices


1.0 Installation

1.1 Prerequisites

Check the currently installed Novell and third-party applications to determine whether eDirectory 8.8 SP2 is supported before upgrading your existing eDirectory environment. You can find the current status for Novell products in the TID "What products are supported with Novell eDirectory 8.8 SP2?" (http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10099872html&sliceId=&dialogID=2677130).

It is also highly recommended to back up eDirectory prior to any upgrades.

1.1.1 Linux

- One of the following:
  - OES Linux 2.0
  - SUSE Linux Enterprise Server 9 32-bit (SP1, SP2 & SP3) and 64-bit (SP3) or later
  - SUSE Linux Enterprise Server 10 32-bit (SP1) and 64-bit

    eDirectory 8.8 SP2 is supported on SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The updates are available at https://update.novell.com.

    To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.
  - Red Hat Enterprise Linux AS 4.0 32 and 64-bit

    Ensure that the latest glibc patches are applied from Red Hat Errata (http://rhn.redhat.com/errata) on Red Hat systems. The minimum required version of the glibc library is version 2.1.
  - Red Hat Enterprise Linux 5.0 32 and 64-bit
- 256 MB RAM minimum
- 90 MB of disk space for the eDirectory server
- 25 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users
- Ensure that gettext is installed. To install gettext, search the rpmfind (http://rpmfind.net) Web site for gettext.

  net-snmp-32-bit RPM should be installed on 64-bit SLES or OES Linux.
- For OES1 servers, apply hotpatch ZLM6.6.2 HP4 before upgrading to eDirectory 8.8 SP2.

  On servers running SLES10 or SLES10 SP1, client package 'rcd' and rcd-devel (if not present earlier) should be upgraded to the latest patch level using YaST online update.

1.1.2 Solaris

- Any one of the following:
  - Solaris 9 & 10 on Sun SPARC
- All latest recommended patches available on the SunSolve Web page (http://sunsolve.sun.com).

  If you do not update your system with the latest patches before installing eDirectory, you may get issues while installing and configuring eDirectory.
- A minimum of 128 MB RAM
- 120 MB of disk space for the eDirectory server
- 32 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users

1.1.3 AIX

- AIX 5L Version 5.2, 5.3
- All recommended AIX OS patches, available at the IBM Tech Support (https://techsupport.services.ibm.com/server/fixes) Web site
- 128 MB RAM minimum
- 190 MB of disk space for the eDirectory server
- 12 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users

1.2 Installing eDirectory

1.2.1 Installing eDirectory on Linux, Solaris, and AIX

Use the nds-install command in the setup directory for installing eDirectory:

    ./nds-install

If you download Novell eDirectory 8.8 SP2 from http://download.novell.com, use gunzip to extract the downloaded file to a tar file. Then use tar xvf to get packages and RPMs with the eDirectory installation and uninstallation scripts.

For more information on installing eDirectory, refer to the Novell eDirectory 8.8 SP2 Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/a2iii88.html).

1.3 Interoperability Between eDirectory and Nsure Audit 1.0.x

eDirectory 8.8 SP2 does not function properly with Nsure Audit 1.0.x. For full functionality with eDirectory 8.8 SP2, upgrade to Nsure Audit 2.0.

1.4 iManager Plug-ins Installation

- Download the following iManager Plugins from the Web (http://download.novell.com).
  - eDir_88_iMan26_Plugins.npm
  - eDir_88_iMan27_Plugins.npm
- Install the NPMs as described in the iManager 2.6 (http://www.novell.com/documentation/imanager26/imanager_install_26/data/bs3h82n.html) and iManager 2.7 (http://www.novell.com/documentation/imanager27/imanager_admin_27/data/b8qrq0l.html) documentation.

2.0 Known Issues

2.1 Installation and Configuration Issues

2.1.1 No Port Conflict Checks for the Same Instance

With ndsconfig, during eDirectory configuration, if the same port number is passed for different interfaces of the instance that is being configured, port conflict checking is not performed. For example,

    # ndsconfig new -o 1234 -L 1234 --config-file /home/user1/eDir/etc/nds.conf

In this command, '1234' is passed as the port number for both the HTTP (-o) and LDAP TCP (-L) interfaces. ndsconfig does not check this conflict.

2.1.2 Error While Loading Shared Libraries: libstdc++.so.6

eDirectory installation fails if the libstdc++.so.6 library is not installed on SLES 9. To resolve this issue, download this library from Recommended update for LSB (http://support.novell.com/techcenter/psdb/b930f84c977850d18678838ff3400cdc.html).

2.1.3 Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall can't remove eDirectory. To resolve this, install eDirectory again in the same location and then uninstall it.

2.1.4 SLP Interoperability Issues on OES Linux

OpenSLP implements SLPv2, but Novell SLP (NDSslp) on Unix and Windows platforms implements SLPv1. SLPv1 UAs do not receive replies from SLPv2 SAs, and SLPv2 UAs do not receive replies from SLPv1 SAs. That is, the clients with OpenSLP cannot see trees with NDSslp. Similarly, the clients with NDSslp cannot see trees with OpenSLP. For SLPv1 and SLPv2 to interact, you need to configure a DA that is running SLPv2.

OES Linux ships OpenSLP with it. However, eDirectory installed on other Unix platforms, like Solaris and Red Hat Linux, may use NDSslp, which is shipped with eDirectory.
Due to interoperability issues between the two versions of SLP, a tree advertised via OpenSLP multicast may not be visible to NDSslp and vice versa. To overcome this problem, configure a DA that runs OpenSLP.

2.1.5 Ldif2dib Fails to Open Error Log File when DIB Directory is in Custom Path

ldif2dib fails to open the default log file, ldif2dib.log, when the DIB directory is relocated to a custom location. To work around this issue, explicitly provide the log file location using the '-b' switch.

2.1.6 eDirectory 8.8 SP2 Fails to Add on SLES10 with Firewall Enabled

While adding an eDirectory 8.8 SP2 server from a SLES10 host (as well as to SLES10) to an existing tree running on a different host, the addition may fail if the firewall is enabled. Enable SLP services and the NCP port (default 524) in the firewall to allow the secondary server addition.

2.1.7 Ndsconfig Does Not Verify Invalid Configuration File Path Appropriately

To create the necessary configuration file, ndsconfig requires the full path and the configuration file name. When the same path name is passed for both the configuration file and the instance directory, ndsconfig cannot create the configuration file and aborts the operation.

2.1.8 Older ConsoleOne Versions Break Nds Utilities

If you install any version of ConsoleOne prior to ConsoleOne 1.3.6h on an OES2 server, many utilities do not function properly. For example, the following error message displays for ndsrepair:

    ndsrepair: symbol lookup error: ndsrepair: undefined symbol: compute_paths

To resolve this issue, uninstall the older versions of ConsoleOne and install ConsoleOne 1.3.6h or above.

2.1.9 NDS Server Does Not Start Automatically in the Virtual SLES 10

After adding packages, if you do not configure eDirectory using YaST, you need to run the following command at the command line:

    chkconfig -a ndsd

2.1.10 Ndsd Does Not Start After System Crash

In some situations, eDirectory services (ndsd) do not start after a system crash or a power failure.
To start eDirectory again, do the following:

1. Delete the /var/opt/novell/eDirectory/data/ndsd.pid file.
2. Enter the /etc/init.d/ndsd start command.

2.1.11 Ndsd Dumps Core while Accessing the NDS Server

Ndsd dumps core in the dib directory of eDirectory over a failed install while shutting down the server. This can be ignored because it does not corrupt data or disrupt services.

2.1.12 Ndsd may Fail to Start after Upgrading from eDirectory 8.7.3 SP7 to eDirectory 8.8.2 in OES 1.0 SP2

After the eDirectory upgrade, ndsd might fail to start automatically while rebooting the system. To work around this issue, start ndsd manually.

2.1.13 Upgrading OES1 / SLES9 Servers from eDirectory 8.7.3.x to eDirectory 8.8.x Fails When IDM 3.x is Installed

When you run ndsconfig upgrade, the following error message displays:

    n4u_send_command failed.

To work around this issue: Ensure you reinstall IDM before executing ndsconfig upgrade.

For more information on upgrading to eDirectory 8.8.2, refer to Upgrading to eDirectory 8.8.2 (http://support.novell.com/Platform/Publishing/484/3484188_f.1.html).

2.1.14 Icons Do Not Load in iMonitor after Restarting Ndsd

Some junk characters are added while loading the iMonitor module. It does not find the correct path when it tries to load image files.

To work around this issue:

1. Restart the ndsd daemon.
2. Unload and then reload the iMonitor module using the commands ndsimonitor -u and ndsimonitor -l.

2.1.15 eDirectory Configuration Fails with Incorrect Install Compat Library in RHEL 5.0

When you configure eDirectory on RHEL 5.0, it fails because libstdc++6.0 gets automatically installed with RHEL 5.0. As the embox, pkiinst, and pkiserver modules are linked to libstdc++5, an improper compat library causes eDirectory configuration to fail.

To work around this issue: Install the compat-libstdc++-33-3.2.3-61.i386.rpm library manually.
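
Because ndsconfig performs no conflict check on the ports passed for one instance (section 2.1.1), the check can be run on the command line before ndsconfig is invoked. The shell function below is an added example, not part of the Novell readme or tools; -o and -L are the options named in section 2.1.1, while -O (HTTPS), -l (LDAP TLS) and -b (NCP) are assumptions taken from the ndsconfig manpage that should be confirmed for your version.

```sh
#!/bin/sh
# Added example (not Novell code): pre-flight check for an ndsconfig command
# line. Reports listener options that were given the same port number, the
# check that ndsconfig itself does not perform (readme section 2.1.1).

# Usage: ndsconfig_port_conflicts <ndsconfig arguments...>
# Prints one line per conflicting port.
# Returns 0 = no conflict, 1 = conflict found, 2 = malformed port argument.
ndsconfig_port_conflicts() {
    pairs=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o) label="HTTP (-o)" ;;        # named in the readme
            -L) label="LDAP TCP (-L)" ;;    # named in the readme
            -O) label="HTTPS (-O)" ;;       # assumption: ndsconfig manpage
            -l) label="LDAP TLS (-l)" ;;    # assumption: ndsconfig manpage
            -b) label="NCP (-b)" ;;         # assumption: ndsconfig manpage
            *)  shift; continue ;;          # not a port option, skip it
        esac
        if [ $# -lt 2 ]; then
            echo "missing port value after $1"
            return 2
        fi
        port=$2
        case "$port" in
            ''|*[!0-9]*)
                echo "invalid port '$port' for $label"
                return 2 ;;
        esac
        if [ ${#port} -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port '$port' for $label is outside 1-65535"
            return 2
        fi
        pairs="${pairs}${port}|${label}
"
        shift 2
    done

    # Group the labels by numeric port; any port carrying more than one label
    # is a conflict. awk's exit status becomes the function's return value.
    printf '%s' "$pairs" | awk -F'|' '
        NF == 2 {
            p = $1 + 0                      # treat 0389 and 389 as one port
            count[p]++
            users[p] = (users[p] == "" ? "" : users[p] ", ") $2
        }
        END {
            conflict = 0
            for (p in count)
                if (count[p] > 1) {
                    print "port " p " is assigned to: " users[p]
                    conflict = 1
                }
            exit conflict
        }'
}

# Demo with the command line quoted in section 2.1.1.
if ndsconfig_port_conflicts new -o 1234 -L 1234 \
        --config-file /home/user1/eDir/etc/nds.conf; then
    echo "no port conflicts"
else
    echo "resolve the port assignments before running ndsconfig"
fi
```

The function only compares the ports given on one command line; it does not look at ports already in use by other instances on the host.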

2.1.16 Ndsd may Dump Core while Restarting after Multiple Operations on RHEL 5.0

When you perform Add, Modify and Delete operations on eDirectory for some hours from numerous clients and then restart ndsd, it might dump core and LDAP ports may not listen.

2.1.17 LDAP may Not Start in the Read/Write Server when the Master Server is Down

Ensure that LDAP is running on the master replica before restarting LDAP on the read/write replica.

2.2 Multiple Instances Issues

2.2.1 Default Instance Path

While configuring the second instance of eDirectory on your host, you are prompted to configure in the default path. Select a different path and proceed.

2.2.2 Troubleshooting Ports with Custom eDirectory 8.8 Instances

In eDirectory 8.8, if you configure a new instance in a custom location when the default instance server is down, it takes the default instance ports. The default instance does not come up because the ports of the default instance are allotted to the custom location instance.

You should follow the procedure mentioned at Troubleshooting Ports with Custom eDirectory 8.8 Instances (http://www.novell.com/coolsolutions/feature/17933.html) before rebooting the host.

2.2.3 Rebooting the Host

Only the default instance created using the default instance binaries is started after reboot. You can set the paths and use ndsmanage to start the other instances.

2.2.4 Ndsd Not Listening at Loopback Address on a given NCP Port

When you have more than one eDirectory instance, the second instance onwards tries to listen at the default port 524 instead of the given NCP port on the loopback address.

To work around this issue, set the 'n4u.server.tcp-port' parameter of the second instance to the port that it is supposed to listen on. The 'n4u.server.tcp-port' parameter is located in the nds.conf file.

2.3 ldif2dib Limitations

2.3.1 Schema

The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes.
For example, an entry of type inetOrgPerson has the following syntax in the LDIF file:

- objectclass: inetorgperson
- objectclass: organizationalPerson
- objectclass: person
- objectclass: top

2.3.2 ACL Templates

Objects bulkloaded using the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.

2.3.3 Signal Handler

You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.

2.3.4 Options

On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.

2.3.5 Ldif2dib may Fail to Upload Objects Beyond Several Millions on RHEL 5.0

When you attempt uploading millions of objects to eDirectory using ldif2dib, and the checkpoint interval is explicitly specified, the operation may halt with an error stating that the directory is full.

To work around this issue: Skip the checkpoint interval (<-i> option with ldif2dib command).

2.4 Viewing French and Japanese Manpages

- On Red Hat Linux

  To view the French manpage, export the following:

      export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8
- On AIX

  To view the manpages, use English locale.

2.5 ndsconfig get Outputs Junk Characters for Non-English Characters

"ndsconfig get" outputs junk characters (on Linux and AIX) or nothing (on Solaris) for some parameters that contain non-English characters.

To work around this, enter the specific parameter name you want to get as follows:

    ndsconfig get

For a list of parameters, refer to the nds.conf manpage.

2.6 Catalog Services with eDirectory 8.8 SP2

Catalog services running with eDirectory 8.8 SP2 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Client.

2.7 Localhost Issues in /etc/hosts

If the /etc/hosts file has a loopback address aliased to the hostname of the system, that entry needs to be changed so that the hostname maps to the host's IP address. That is, if you have an entry similar to the one below in the /etc/hosts file, it needs to be changed to match the correct example entry that follows.

The following example has problems when any utility tries to resolve to the ndsd server:

    127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

    127.0.0.1 localhost.localdomain localhost
    10.77.11.10 test-system

Note: If any third-party tool or utility resolves through localhost, then it needs to be changed to resolve through a hostname or IP address and not through the localhost address.

2.8 LDAP TCP and TLS Ports Issue With Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

    LDAP TCP Port is not listening
    LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up.

To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

    netstat -na

2.8.1 LDAP Transaction OIDs

In LDAP transaction support, the supportedGroupingTypes OID and the transactionGroupingType OID are the same (2.16.840.1.113719.1.27.103.7).

2.9 iMonitor Issues

2.9.1 Browsing for Objects Containing Double-Byte Characters in iMonitor

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly.

This issue will be resolved in a future release of iMonitor.

2.9.2 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status.
This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the /etc/opt/novell/eDirectory/conf/ndsimonhealth.conf file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.9.3 iMonitor Report Does Not Save the Records for Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run.

This issue will be resolved in a future release of iMonitor.

2.9.4 Creation and Modification Time Stamps

Because UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.

2.9.5 iMonitor Issues in older versions of Mozilla

Using Mozilla versions lower than 1.5 for iMonitor might have issues during DSTrace Flag selection. It may not support all the operations.

2.10 SNMP Issues

2.10.1 Errors While Starting the NDS Subagent

The subagent can fail with the following message:

    Unable to load library: libnetsnmp.so

To resolve this, export the environment variable SNMP_MAJOR_VERSION with the net-snmp library's (libnetsnmp.so) major version number.
For example,

    export SNMP_MAJOR_VERSION=10

2.10.2 Restarting ndssnmpsa

When the master agent is restarted on Solaris and Linux, ndssnmpsa needs to be restarted. To restart ndssnmpsa, stop ndssnmpsa and then start it again.

To stop ndssnmpsa, enter the following:

- Solaris: /etc/rc.d/init.d/ndssnmpsa stop
- Linux: /etc/init.d/ndssnmpsa stop

To start ndssnmpsa, enter the following:

- Solaris: /etc/rc.d/init.d/ndssnmpsa start
- Linux: /etc/init.d/ndssnmpsa start

2.10.3 Errors While Starting ndssnmpsa

When you start ndssnmpsa on UNIX, you might get the following errors:

    Error: eDirectory SNMP Initialization component. Error code: -168
    Error: eDirectory SNMP Initialization component. Error code: 9

To resolve this:

1. Unload and load ndssnmp as follows:

       /opt/novell/eDirectory/bin/ndssnmp -u
       /opt/novell/eDirectory/bin/ndssnmp -l

2.10.4 Errors While Stopping ndssnmpsa

When ndssnmpsa is stopped on SLES 9, an error message similar to "*** glibc detected *** double free or corruption (!prev): 0x0819cdd0 ***" is displayed on the screen. It is recommended to ignore these messages.

2.11 Encrypted Attributes and Encrypted Replication Issues

2.11.1 Configuring Encrypted Replication Through iManager

You cannot configure encrypted replication through iManager if any server in the replica ring is down.

2.11.2 Viewing or Modifying Encrypted Attributes Through iManager

If an attribute of an object is encrypted, you will not be able to view or modify the object using iManager 2.5.

To work around this issue, you can view or modify the encrypted attribute over a secure channel using any of the following methods:

- LDAP: The LDAP request must be sent over a secure channel. For that, the trusted root certificate of the server needs to be used.
- ICE: LDIF scripts can be used to modify the object. ICE must come over a secure channel in this case.
- Use iManager 2.5 FP2, or iManager 2.6 or later.

We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.

Alternatively, you can turn off the secure channel required option for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the EA policy. This makes the object and the encrypted attributes accessible by any client over a clear text channel. After this, iManager will be able to access the object.

2.11.3 Merging Trees With Encrypted Replication Enabled Fails

When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.

2.11.4 Limber Displays -603 Error

Limber displays the -603 error if the server has only a sub-ref replica of the encrypted attribute policy partition.

To work around this issue, do any one of the following:

- Give read access to the NCP server object. You can do this through iManager as follows:

  Add a trustee at the tree root and give read access to the NCP server object. In the attributes, specify attrEncryptionDefinition and attrEncryptionRequiresSecure.
- Give Public Read access to the following attributes through LDAP or ndssch:
  - attrEncryptionDefinition
  - attrEncryptionRequiresSecure

2.12 iManager Issues

2.12.1 LDAP Operations Fail After Creating a New LDAP Group Using Quick Create

Quick Create only creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine. Therefore, all the LDAP operations fail because it is not possible to associate any LDAP server due to version incompatibility.

To work around this issue, after creating the LDAP group using Quick Create, change the LDAP Group object version number to nine.

2.12.2 Issues While Backing Up on Red Hat EUC in Japanese Locale

You might get issues while backing up using iManager on Red Hat EUC in the Japanese locale. The fix for this issue will be available with iManager 2.6.

2.13 ndsrepair Issues

2.13.1 Running ndsrepair on an NFS Mounted DIB on Linux

You might get -732 or -6009 errors while trying to run the ndsrepair operations on an NFS mounted DIB on Linux systems.

2.13.2 Running Ndsrepair with -R Option Hangs

After enabling encrypted attributes on indexed attributes, if you run ndsrepair with the -R option, it hangs.

2.14 SASL-GSSAPI Issues

2.14.1 GSSAPI With Multiple User Objects

If multiple user objects are associated with the same Kerberos principal name, the user or client must specify the bind DN.

2.14.2 Authorization ID

RFC2222 specifies support for an authorization ID sent by the user and client. This is not supported by the SASL GSSAPI method.

2.15 Viewing SLP Man Pages

To view the man pages for SLP, you need to set the paths for the man pages. For example, on AIX, you need to set the manpath to /usr/share/man apart from /opt/novell/man.

2.16 Clone DIB Issues

2.16.1 Clone DIB Fails With -601 and -603 Errors

When encrypted attributes and encrypted replication are enabled at the tree level, clone DIB fails with the following errors:

- Clone DIB on target server fails with the -601 error while configuring SAS
- After Clone DIB, the newly created clone object fails with the -603 error

To work around these issues, disable encrypted attributes and encrypted replication.

2.16.2 Clone DIB Can Fail Immediately After Offline Bulkload

If you try taking the clone of a server immediately after an offline bulkload, it might result in a failure if the bulkload has been done with the "disable indices" option. However, there won't be any such issue if the dibclone is initiated a few hours after the bulkload completion.

2.16.3 Issue in Cloning with Enabled Encrypted Replication Feature

While cloning with the Encrypted Replication feature enabled in the source server, modify the ER policy to temporarily exclude the cloned server. This can be withdrawn after the configuration of the cloned server is complete.

2.17 dsbk Issues

2.17.1 Dsbk Configuration File Location

The dsbk.conf file is located in /etc instead of the location relative to the specific instance of eDirectory.

2.17.2 Dsbk Usability Issue

When you use dsbk from the command line, if the temporary file location is not mentioned in the /etc/dsbk.conf file, it gives script errors.

2.18 Deletion of a Moved Object Fails (error -637)

Deletion of a moved object can fail in a tree with two or more servers.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP2 has the following documentation:

- Novell eDirectory 8.8 What's New Guide
- Novell eDirectory 8.8 Installation Guide
- Novell eDirectory 8.8 Administration Guide
- Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site (http://www.novell.com/documentation/edir88/index.html).

3.2 Additional Documentation and Readme Information

3.2.1 iManager

- iManager 2.6

  For iManager 2.6 information, refer to the iManager online documentation (http://www.novell.com/documentation/imanager26/index.html).
- iManager 2.7

  For iManager 2.7 information, refer to the iManager online documentation (http://www.novell.com/documentation/imanager27/index.html).

3.2.2 NMAS 3.2.0

For NMAS information, refer to the NMAS online documentation (http://www.novell.com/documentation/nmas32/index.html).

3.2.3 Certificate Server 3.3

For Certificate Server information, refer to the Certificate Server online documentation (http://www.novell.com/documentation/crt33/index.html).

3.2.4 NICI 2.7.3

For NICI information, refer to the NICI online documentation (http://www.novell.com/documentation/nici27x/index.html).

4.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page (http://www.novell.com/company/policies/trade_services/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

All third-party trademarks are the property of their respective owners.