Last Updated April 12, 2006
If you plan to upgrade from eDirectory™ version 8.7.3 to 8.8, we recommend that you upgrade eDirectory before installing Identity Manager 3. If you upgrade eDirectory after installing Identity Manager, the eDirectory installation program states, “Identity Manager 3 is not supported. Install anyway?”
You can proceed with the eDirectory 8.8 installation, however, you will need to re-install Identity Manager after the upgrade.
This issue is fixed by upgrading to NMAS® 2.3.9.
If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Certificate Server.
When editing a password policy and enabling forgotten password, the summary message indicates that the forgotten password is not enabled. The summary always states that forgotten password is not enabled, even when it is.
If your SMTP server is secured and requires authentication before sending e-mail, password self-service is unable to access the authentication information to connect to the SMTP server. If your SMTP server is secured, you must provide SMTP authentication information in policies. For more information, see “Providing SMTP Authentication Information in Driver Policies” in the Identity Manager Administration Guide.
In the user application, if you log in as User A using a Mozilla-family browser (Firefox*, Netscape*, or Mozilla*), then open another browser instance (of the same kind of browser) and log in as User B, you might see information for User B when going back to the first browser instance. This is because browser instances are sharing (and overwriting) the same cookie. This behavior is specific to Mozilla-family browsers; it does not occur with Internet Explorer.
Exceptions may occur in Firefox on Cut, Paste, Copy operations when using the HTMLEditor within Orgchart preferences. Mozilla doesn’t allow scripts to access the clipboard for security reasons. Therefore, the cut, copy, and paste buttons aren’t available in Firefox.
In Firefox, you can download an extension named Allow Clipboard Helper via tools > Extensions, which leads you to the extension download Web site
After the download, you will see Allow Clipboard Helper in Firefox > tool.
Open it, and enter the server address you want to grant the clipboard access, then click Allow. You can add as many Web sites as you like. Shut down all the Firefox browsers, restart Firefox, and cut/copy/paste should be working in Firefox.
When logging into the IDM User Application, there is a link on left menu to create a user. In order to create users, you must have the necessary eDirectory rights to add entries to the directory. Because the IDM User Application has existing eDirectory users, those users should already have the necessary rights.
In iManager, click View Objects.
Browse to the object that contains your user container (for example, MySample.novell.) and click Modify Trustees.
Add a trustee (for example, MySample.novell) and change the assigned rights.
Under [Entry Rights], select Create. Leave other fields with the default values, then click Save.
Now all of the users in the users.MySample.novell container can create users or groups within that MySample entity.
On your User Application Server (JBoss* server), when using the User Application login page, if you click the Forgotten Password link and enter the user name, the portal might return the following error message on the JBoss console and not redirect:
08:59:17,962 ERROR [EboPortletProxyHelper] The portlet entity does not exist com.novell.afw.portal.aggregation.EboPortletInfoBean: id [portal-general] iid [-1] timeout [-1] multithread [false]
The error results from the ldap-sslport preference in the ForgotPasswordPortlet portlet using the standard default TLS (ldaps) port of 636 instead of the port configured for your LDAP server’s secure connection. The eDirectory administrator has probably changed the default secure LDAP port on the eDirectory instance to a non-standard port. eDirectory administrators commonly change the LDAP ports when running eDirectory on the same physical hardware as other LDAP-enabled systems such as Active Directory*.
If your secure LDAP (TLS) configuration uses a port other than 636, change the ldap-sslport preference in the ForgotPasswordPortlet to the port configured for your secure ldap as follows:
Open the User Application.
Open Administration > Portlet Admin > ForgotPasswordPortlet > ForgotPasswordPortlet instance > Preferences.
Change the value of ldap-sslport from the default port of 636 to the port configured for your LDAP server’s secure LDAP connections.
In a provisioning workflow that uses parallel processing, the addressee for one approval activity should not refer to the addressee for another approval activity in the flow. The reason for this is that the workflow engine does not have any way to know which step will be executed first, because the activities are being processed in parallel. Furthermore, the iManager plug-in for Provisioning Request Configuration is not able to determine which addressees should be allowed at any point in time. To restrict the list of possible addressees, the plug-in would need to be able to analyze the flow to get the list of upstream activities that have already been completed. This capability is not supported in the plug-in at this time.
By default, JBoss allows directory browsing. Therefore, if you type the URL http://server:8080/IDMProv/resources/, the list of resources under this URL is displayed.
If you do not want directory browsing to be enabled, go to jboss-4.0.2\server\<IDM-Application Context>\deploy\jbossweb-tomcat55.sar\conf, and edit the listings entry in the web.xml file:
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
To suppress the display of resources, change the listings value from true to false.
By default, the session timeout for the server is 20 minutes. The session timeout should be tuned to match the server and usage environment in which the application will run. In general, it is advised that the session timeout be as small as practically possible. If business requirements can tolerate a 5 minute session timeout, this would allow the server to release unused resources sooner than the default, and make the server faster and more scalable.
The session timeout is set in the web.xml file.
If you run the User Application Configuration tool (for configuring LDAP settings) in a localized operating system environment, all the text input boxes are displayed correctly. For example, if there are any Chinese distinguished names in eDirectory, or you input any Chinese characters, these are displayed properly in a Chinese operating system environment. However, if you are in an English operating system environment, any Chinese characters entered or returned from eDirectory are displayed as non-readable characters (most likely squares). This is because the Locale is not properly set.
If you are in an English operating system environment and want to display localized characters, do the following:
- In a Windows 2000 environment, go to the Control Panel and select Regional Options. Under the General tab, set “Your Locale” to the local language (for example, Chinese (PRC)).
- In a Windows 2003 environment, go to the Control Panel and select Regional Options. Under the Regional Options tab, select “Chinese (PRC)” and apply the change.
- In a SUSE® Linux environment, set the environment variable LANG as follows: export LANG=zh_CN
The same basic procedure applies to all languages.
The services for various subsystems within the user application might contain outdated version numbers. You do not need to modify these files to correct the versions.
For example, IDMfw.jar contains the FrameworkService-conf\config.xml file, which has the following entry for the version number:
<property> <key>FrameworkService.version</key> <value>040712, Version 5.2.1</value> </property>
In the Provisioning Request Configuration plug-in to iManager, you can define an escalation policy that redirects a workflow activity to the manager of the original addressee.
If the original addressee is a task group that has more than one manager, the escalation fails. The Provisioning Request Configuration plug-in does not prevent you from defining this type of escalation, so you need to be careful to avoid this type of configuration.
On Linux*, the default open limit is not sufficient to support a large number of requests initiated through the SOAP Web Service. The User Application Driver may reach this limit when using the Web Service endpoints to trigger workflows in response to directory events
Linux has a default open file limit of 1024 for each process. If you start the JBoss server with the default setting, you might see errors when more than 40 or 45 requests are started sequentially through the SOAP Web Service interface. After reaching the limit, you may be unable to initiate any more requests for several minutes. In some cases, you might need to restart the JBoss server.
To work around this problem, you can increase the open file limit from 1024 to 4096.
If you’re using BASH, execute these commands to increase the open file limit:
su - root ulimit -n 4096 su - <user> start-jboss.sh
If you’re using C Shell, execute these commands to increase the open file limit:
su - root limit descriptors 4096 su - user start-jboss.sh
The User Application Driver stores various kinds of information (such as workflow configuration and cluster information) that is application-specific. Therefore, a single instance of the User Application Driver should be not shared among multiple applications.
The User Application stores application-specific data to control and configure the applications environment. This includes the JBoss Application Server cluster information and the workflow engine configuration. The only user applications that should share a single User Application Driver instance are those applications that are part of the same JBoss cluster. You should not configure a set of user applications to share a single driver unless they are part of the same JBoss cluster. Otherwise, your configuration could lead to ambiguity and misconfiguration for one or more of the components running inside the user application.
In the install program for the Identity User Application, you can specify the Root Container DN, User Container DN, and Group Container DN for the application. In this release, you cannot specify the treeRoot in eDirectory as the root container. Also, you cannot specify more than one search root for any particular object type (container, user, or group). Instead, you must specify a single search scope.
An organization (o) could be contained in a Country (c) or locality (l), as shown below: c=US o=novell-provo o=novell-waltham
This type of configuration works.
In the user application, it is not currently possible to request a resource for a list of users. The Team Resource Request page includes text indicating that this might be supported. The text says “Select a user (or users, if the resource you selected was marked Multiple Recipients Allowed) for whom you are requesting a resource.” This capability is not supported in this release.
In the user application, there may be times when the status bar message: “Transferring data from localhost...” does not go away or is not replaced with “Done.” This is a known problem with Internet Explorer and Mozilla-based browsers.
If two separate instances of the User Application Driver point to the same user container, the availability settings (on the Edit Availability page of the user application) show availability entries from both applications.
Suppose Server 1 is configured to use one driver (such as driver1,o=novell), and server 2 is configured to use another (such as driver2,o=novell). Both servers are configured to use the same containers for users, groups, and root container (such as ou=users,o=novell, etc). A user on server 1 creates a delegate definition for a user and provisioning request definition. The user is then marked as unavailable for that request definition. Server 2 shows the user as unavailable, but it is unable to resolve the friendly name for the request definition. If the user’s delegate definitions on server 2 are examined, the definition from server 1 is not seen.
The reason for this behavior is that delegation information (created when users mark themselves available/unavailable) is stored on user records. This information includes the delegate/delegator information along with the provisioning request definition and start/stop time for delegation. The delegate definition, from which delegation information is derived is stored in the driver, along with the provisioning request definition.
We recommend not configuring two separate driver instances to point to the same user container.
When you make changes to the logging configuration for a User Application server in a cluster, the changes are not propagated to the other servers in the cluster. For example, if you use the Logging administration page on a server in a cluster to set the logging level for com.novell.afw.portal.aggregation to Trace, this setting is not propagated to the other servers in the cluster. To work around this problem, you must individually configure the level of logging messages for each server in the cluster.
The User Application driver reads the list of workflow attributes when the driver is started. If you create a new provisioning request definition, and if you immediately try to create a Schema Mapping policy, the attributes for the new provisioning request definition do not appear in the list of application attributes after you refresh the application schema. This is because the User Application driver needs to be restarted before the provisioning request definition is made available. After creating the new provisioning request definition, stop the user application driver, then restart before attempting to use the provisioning request definition in policies. Alternatively, in the Schema Mapping policy editor, simply refresh the application schema twice.
The display label for the departmentNumber attribute is Department, not Department Number. To prevent any confusion, you can change the display label to Department Number using the directory abstraction layer editor. For more information, see the section on configuring the directory abstraction layer in the Identity Manager User Application: Administration Guide .
When you use the Provisioning Request Configuration plug-in to iManager to create a provisioning request definition, the workflow pattern selected (parallel/sequential) and timeout behavior (approve/deny) are not saved with the request definition.
Therefore, if you create many request definitions, and then need to modify them later, you might be confused about the design patterns used by the request definitions and not know which to edit.
To minimize confusion, you should always provide text in the Description for a new request definition that designates the template from which the request was created, or indicates the selected design pattern (such as “sequential approval timeout approves.”)
To see the workflow pattern and timeout behavior for an existing provisioning request definition:
Select View Objects from the iManager toolbar and navigate the eDirectory tree to your defined workflows (such as RequestDefs.AppConfig.UserApplication.myDriverSet.myCompany).
Select the workflow of interest, then select Modify object when the window menu appears.
Edit the Valued Attribute named XmlData.
Search for the <display-name> element. It should contain the original template name, such as Three Step Parallel Approval (Timeout Approves).
Cancel out of the editor without making changes to the XmlData attribute.
NOTE:Be sure not to modify the XmlData attribute in any way.
Novell provides a reporting utility that offers assistance for those who need to migrate EPM applications to Identity Manager 3. This utility is available on the Innerforge EPM Products page for download by consultants.
EPM customers should contact Novell Sales or Consulting for help in migrating their EPM applications.
When running workflows in a cluster, each server’s workflow engine must have a unique ID. The engine ID is identified by passing -Dcom.novell.afw.wf.engine-id to the Java* VM. On Linux, the user needs to edit the jboss/bin/run.conf file and pass that property in the JAVA_OPTS line. For example:
if [ "x$JAVA_OPTS" = "x" ]; then JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=echo"
The install program does not prompt you to specify the workflow engine ID. Therefore, you need to identify the engine by passing the JAVA_OPTS property, as shown above.
The Provisioning Request Configuration plug-in has been localized, but the provisioning request templates that are installed with the User Application Driver are not localized.
NOTE:When you create a new provisioning request from a template, you can localize display names and descriptions to suit your application requirements.
When using the GroupWise® WebAccess portlet and accessing a GroupWise 7.0 server, you receive an “Error on page” when you click the Calendar tab if you are using Internet Explorer 6.x. Firefox works without error. This error will be fixed in a future GroupWise release.
By default, MySQL* sets the maximum number of connections to 100. This number might be too small to handle the workflow request load in a cluster. If the number is too small, you might see the following exception:
(java.sql.SQLException: Data source rejected establishment of connection, message from server: “Too many connections.”)
To increase the maximum number of connections, you need to set the max_connections variable in my.cnf.
If you enable e-mail notification in your provisioning request definitions, but you do not configure any e-mail servers, e-mail notifications pile up on the server and never be sent. This eventually uses up available memory.
If you turn on e-mail notification, be sure to configure the e-mail server so that the e-mails are actually sent. To configure the e-mail server, select Email Server Options under Workflow Administration in iManager.
Background image locations you specify for themes (whether manually or by performing a browse operation) disappear from view immediately after you enter them.
Go to Administration >Themes > Customize Branding (from any theme).
Browse to a file for the Background Image Location or enter a file by typing the name.
Select a jpg.
The file will flicker and disappear from the screen. The new theme is saved, but the field is empty.
On Novell Linux Desktop (NLD), you might see a minor cosmetic problem when you first display an organization chart. The first time you do a lookup for a user, you might see that the left root node icon is in the middle of the screen by itself and is not aligned with the user. On subsequent viewings, the icon lines up properly.
If you change the way images are displayed in the Detail portlet header by specifying the $IMG: tag, you must flush the CompiledLayout cache for the changes to take effect. Follow these steps to flush the cache:
Go to the Administration tab of the user application.
Go to the Caching tab.
Select CompiledLayout from the Flush Cache drop-down list.
Click Flush Cache.
In the Directory Abstraction Layer Editor, the assignment of direct reports is not editable. However, you can turn this editing on. If you do, you need to be aware of two things:
This problem arises only when an administrator is logged in to the User Application. For other users, the directReport attribute is not viewable, and, therefore, does not show up on the Detail portlet in edit mode.
Steps to reproduce:
Log in as an administrator.
Select any manager and specify that you want to edit the information for that manager.
Add a user who has another manager as the first manager’s direct report. For example, you might add ablake as a direct report to jmiller, even though ablake already reports to mmackenzie.
Save your changes.
Go to the Organization Chart view, or search for ablake and try to present information for this employee.
The following error displays:
Error getting object: cn=ablake,ou=users,ou=idmsample-polina,o=novell. The definition for attribute key manager is single-valued, and multiple values exist.
Identity Manager prevents the creation of new Delegate and Proxy definitions with principals that are identical to an existing Delegate or Proxy definition. This includes expired Delegate and Proxy definitions, which are not displayed in the User Application, and are not automatically deleted from the system. This can lead to a user attempting to create a new Delegate or Proxy definition with the same principals as an expired definition, which creates an error. The error message displayed in the User Application is similar to the following:
Failed to submit proxy assignment with id = [apwaNewDetailId].security violation: com.sssw.fw.exception.EboSecurityException:Invalid proxy definition. Proxy Definition: name: cn=726dbba6d8a049ebbd4782973dd4f417,cn=ProxyDefs,cn=AppConfig,cn=afdriver,cn=driverset,ou=idmsample,o=novell assign from users: cn=UserAppAdmin,o=novell assign from containers: o=novell assign to users: cn=mmackenzie,ou=users,ou=idmsample,o=novell expiration: 20051206172200Z A duplicate definition exists.
We recommend that, in this release, you do not use the Proxy or Delegate Assignment expiration feature (in other words, when you create a Proxy or Delegate assignment, select the “No Expiration” option). If you do use the expiration feature, change the expiration date in Proxy or Delegate Assignment before the assignment expires. If your assignment expires before you are able to change it, you can work around the problem by using an LDAP editor to delete the Proxy or Delegate Assignment definition.
Navigate to your User Application driver object.
Navigate to the AppConfig object in the User Application driver object.
Navigate to the ProxyDefs or DelegateeDefs object in the AppConfig object.
Locate the definition that you want to delete in the ProxyDefs or DelegateeDefs object. For help in locating the definition, check the values of the srvprvAssignToUser, srvprvAssignFromUser, and srvprvAssignExpiration attributes. The srvprvAssignExpiration attribute stores the expiration date of the definition in UTC (Coordinated Universal Time) format.
Delete the Proxy or Delegate Assignment definition.
If you start the application server without first having a network connection, you might see a NoClassDefFoundError in the stack trace and be unable to connect to the eDirectory server. After establishing a network connection, you might still be unable to connect to eDirectory. In this case, you need to restart the application server.
If you have a network connection when the server starts, the application server runs without errors, and is able to recover if you subsequently lose the network connection.
If you want to use an existing database with the user application, you must select the Custom install set. After you have selected Custom and the IDM User Application, you are prompted to provide connection information about the existing database. See the section on installing the user application in the Identity Manager 3 Installation Guide.
When you perform a Custom installation of the user application, the database name is not updated in the database-ds.xml file. To work around this problem:
Shut down the JBoss server.
Open the file %APPLICATION_NAME%-ds.xml under %INSTALL_DIR%/jboss/server/%APPLICATION_NAME%/deploy.
In the <connection-url> tag, change the text "DatabaseName=IDM" to "DatabaseName=%your_database_name%".
Save your modification.
Start the JBoss server.
The following example shows the MyApp-ds.xml file. In this example, the database name is "mydatabase":
<datasources> <local-tx-datasource> <jndi-name>MyApp</jndi-name> <connection-url>jdbc:microsoft:sqlserver://Contusion:1433;DatabaseName=mydatabase</connection-url> <driver-class>com.microsoft.jdbc.sqlserver.SQLServerDriver</driver-class> <user-name>mydatabase</user-name> <password>mydatabase</password> </local-tx-datasource> </datasources>
There are some instances in the Identity Manager user application where the localization is not complete. Improvements in localization will continue over time, and will be made available in subsequent releases.
The Portal Data Import utility (Administration > Tools > Portal Data Import) uses the shared-pages.xml and container-pages.xml in the Portal Data Export ZIP file to generate container and shared pages, and portlets. If the <description/> element is blank then pages cannot be imported.
To workaround this, provide text for the <description/> element and perform the import again.
The Identity Manager User Application: Administration Guide contains some information on configuring JBoss. If you need further information on JBoss set up, look at the sources listed below:
If you installed IDM3 before January 24, 2006, you must update the IDM 3 Provisioning User Application Driver. For download and installation instructions, see TID #10100283.
To use the iManager Provisioning Request Configuration plug-in, you must have read rights and write rights to the attributes associated with the Provisioning Request Objects.
By default, the JBoss deployment scanner runs every five seconds. For a production server, this is typically not necessary and might impact performance. You should consider turning this off.
Please refer to the JBoss site for more information about tuning for production environments.
If you are completing a high volume of workflows each day, it is recommended that you adjust both the CPTIMEOUT and CLEANUP values in the AFENGINE table. (CPTIMEOUT is the number of days a completed entry is retained. CLEANUP is the interval (in milliseconds) that the CLEANUP task is run.)
The default setting for retaining completed workflow information for a request is 120 days. By default, a task to cleanup expired workflow information runs once every 12 hours. The cleanup task requires approximately 5k bytes per expired workflow that needs to be removed.
You need to use a tool provided by your database to update the AFENGINE settings. The SQL for each setting is:
update AFENGINE set CPTIMEOUT=<numberofdays> update AFENGINE set CLEANUP=<milliseconds>
By default, the user application character encoding filter is set to enabled in the user application's web.xml. This setting typically does not require any specific configuration, but it might require changes if you have configured Tomcat for URI encoding. There are two attributes in the configuration of Tomcat http/https connector that affect charset encoding and filter configuration.
This entry specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 is used. The requirements for this include: Both http and https connectors have the same configuration. The Charest encoding filter should be modified to include uri-encoding init parameter. The value of this parameter should be the same as the value of the URIEncoding attribute in the tomcat connector configuration.
<filter> <filter-name>AggregationServletEncFilter</filter-name> <display-name>AggregationServletEncFilter</display-name>
<filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class> <init-param> <param-name>uri-encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter>
This entry specifies whether the encoding specified in contentType should be used for URI query parameters instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding is specified in the contentType, or explicitly set using Request.setCharacterEncoding method for the parameters from the URL. The default value is false.
If useBodyEncodingForURI is set to true the filter configuration should include the use-body-encoding init parameter, for example:
<filter> <filter-name>AggregationServletEncFilter</filter-name> <display-name>AggregationServletEncFilter</display-name> <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class> <init-param> <param-name>use-body-encoding</param-name> <param-value>true</param-value> </init-param> </filter>
For more details, see this Web site on Tomcat connector configuration information.
The User Application requires that you enable cookies in your browser settings.
You might encounter problems with Designer if you import an extremely large project. To work around this problem, increase Designer's heap size. The heap size is specied using the -Xmx parameter at startup.A heap size of 512m is recommended.
To set heap size on Windows: Open the Designer for Identity Manager shortcut properties. Look in the Target field for the -Xmx startup parameter. Increase this value to increase Designer's heap size.
To set heap size on Linux: Open the StartDesigner.sh file in an editor and search for -Xmx. Increase this value to increase the Designer's heap size.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not use, export, or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
eDirectory is a trademark of Novell, Inc.
GroupWise is a registered trademark of Novell, Inc., in the United States and other countries.
NMAS is a registered trademark of Novell, Inc., in the United States and other countries.
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
NDS is a registered trademark of Novell, Inc., in the United States and other countries.
SUSE is a registered trademark of Novell, Inc. in the United States and other countries.
All third-party trademarks are the property of their respective owners.