Novell Identity Manager 3.6.1 Readme

December 13, 2011

This document contains the known issues for Novell Identity Manager version 3.6.1.

1.0 Documentation
2.0 Known Issues
2.1 Installation
Identity Manager 3.6.1 Patch Installer is supported only on Identity Manager 3.6.1 engine and drivers
Identity Manager 3.6.1 Patch Installer is not localized
Identity Manager 3.6.1 installation issues
Identity Manager 3.6.1 installation fails with an error on some French locales, on Solaris
Maintenance level 5300-09 required when installing on AIX 5L version 5.3
When you install the engine on AIX with the Top Secret driver selected, the installation fails with an invalid package error
Upgrading Identity Manager requires the correct Administrator account to avoid losing Challenge Response answers
Upgrading Identity Manager from 3.5.1 to 3.6.1 on Windows does not remove Novell Identity Manager Connected System of Identity Manager 3.5.1 entry from the Add or Remove Programs
After installing Identity Manager 3.6.1 with eDirectory 8.8.5 64-bit on Solaris 10, Role Service driver does not work
Linux/UNIX Bidirectional driver cannot be installed on a Solaris zone that contains a read-only /usr partition
Novell Audit PA is not Supported for Windows 2003 64 bit, Windows 2008 (32 and 64-bit) and Solaris 64-bit
iManager plug-ins for Identity Manager cannot be properly installed if iManager is not properly installed
On Windows, Identity Manager is installed with errors if eDirectory is installed in a non-default location with a non-default location of DIBFiles
Identity Manager 3.6.1 might not work with eDirectory 8.8.5 FTF1 on Linux, Solaris, and AIX platforms
Installing IDM 3.6.1 on Windows 2008 R2 Standard Edition by using VMware fails
Upgrading from eDirectory 8.8 SP5 64-bit to eDirectory to 8.8 SP6 creates multiple ndsd processes
2.2 Remote Loader
Remote Loader console help page is not displayed on Windows 2008 Server Core
While starting a Remote Loader instance from the Remote Loader console on Windows, an error might be displayed
Remote Loader does not start immediately after upgrading from Identity Manager 3.5.1 to 64-bit Identity Manager 3.6.1 on UNIX platforms
Remote Loader installation might complete with errors on Windows 2K8R2 standard edition
2.3 Drivers
SAP HR driver does not work on Windows Server 2008
JDBC driver upgrade from a version earlier than 3.5.1, to the version 3.5.1 or later fails
Core dump while running LDAP driver
The build and version dates are incorrect for the Fan-Out driver
Apply IDM 3.6.1 FP2 patch to use AD driver on Windows 2008 R2
2.4 Engine
Identity Manager 3.6.1 performance is degraded if Active Directory Domain Controller and File Services are configured on the disk on which eDirectory is installed
Password sync fails with Identity Manager 3.5.1 Remote Loader on 64-bit Windows
Identity Manager 3.6.1 might sporadically report the unsatisfied link error on Solaris 10
64-Bit Engine and 32-Bit Remote Loader cannot coexist in a single machine on UNIX platforms and vice versa
2.5 iManager
Internet Explorer 7 prompts continually for access to the Clipboard
iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard
2.6 eDirectory
Larger eDirectory stack size required on AIX systems
NICI segfault when installing on 64-bit AMD quad core processors
Identity Manager query finds multiple matches in eDirectory
2.7 Uninstallation
Identity Manager 3.6.1 uninstallation does not remove DXMLnotes.pkg on Solaris
Identity Manager 3.6.1 uninstallation fails without removing any installed files
3.0 Documentation Conventions
4.0 Legal Notices

1.0 Documentation

This Readme contains the known issues for Identity Manager version 3.6.1. In addition to this Readme, separate Readmes are available for Designer 3.5 and the User Application Roles Based Provisioning Module:

Additional documentation resources are also available for the following:

2.0 Known Issues

The following sections provide information for known issues at the time of the product release.

2.1 Installation

The following sections describe issues you might encounter during installation of the Identity Manager Metadirectory engine and drivers.

Identity Manager 3.6.1 Patch Installer is supported only on Identity Manager 3.6.1 engine and drivers

If you are using a previous version of Identity Manager, manually copy the files.

Identity Manager 3.6.1 Patch Installer is not localized

You should ignore the given options to install in other languages.

Identity Manager 3.6.1 installation issues

Identity Manager 3.6.1 installation fails on Red Hat 5.0 and SUSE Linux Enterprise Server (SLES) 11

When you install Identity Manager 3.6.1 on Red Hat 5.0 and SLES 11, the installation program might exit without finishing, and give the following console message:

/tmp/install.dir.3693/Linux/resource/jre/bin/java: symbol lookup
error: /tmp/lib/libspmclnt.so: undefined symbol: DDCDuplicateContext

Work around: This is one-time error. Re-run the installation program.

Identity Manager 3.6.1 installation fails on SUSE Linux Enterprise Server (SLES) 11

During the installation of the metadirectory engine, drivers, and utilities, Identity Manager 3.6.1 installation stops and does not display any errors.

Work around: Re-run the installation program.

Identity Manager 3.6.1 installation fails on Windows Server 2003 SP2

Because the user variables such as %USERPROFILE%\Local Settings\Temp and %USERPROFILE%\Local Settings\Temp are not available in the environment variables on the server, the Identity Manager 3.6.1 installer cannot find any files in the tmp/temp directory.

Work around: Define the user variables and ensure that the temp/tmp directory resides in the C: drive.

Identity Manager 3.6.1 installation fails with an error on some French locales, on Solaris

When you install Identity Manager 3.6.1 on Solaris, on some French locales, the installation fails displaying the following error:

JClient introuvable/version de JClient non prise en charge 
Installez la version appropriée de JClient avant d'installer le serveur méta-annuaire IDM.

The following is a list of French locales on which the Identity Manager installation fails:

  • fr
  • fr.UTF-8
  • fr_BE.ISO8859-1
  • fr_BE.ISO8859-15
  • fr_BE.UTF-8
  • fr_CA.ISO8859-1
  • fr_CH.ISO8859-1
  • fr_FR.ISO8859-1
  • fr_FR.ISO8859-15
  • fr_FR.UTF-8

Work around: In the installation terminal session, change the existing locale to a working locale:

  1. Set locale in the terminal.

    1. In the terminal, run the following command to get a list of available locales:

      locale -a

    2. Select the desired locale and run the following commands:

      LANG=<your_selected_locale>

      LC_ALL=<your_selected_locale>

      export LANG LC_ALL

  2. Run the following command to start the Identity Manager installation:

    ./install.bin

  3. Select French from the drop down list in the splash screen.

Maintenance level 5300-09 required when installing on AIX 5L version 5.3

When installing to AIX 5L version 5.3 with eDirectory 8.8.5, the only supported AIX maintenance level is 5300-09. Newer or older maintenance levels are not supported.

When you install the engine on AIX with the Top Secret driver selected, the installation fails with an invalid package error

Upgrading Identity Manager requires the correct Administrator account to avoid losing Challenge Response answers

When upgrading from an earlier version of Identity Manager on the Windows* platform, you should use the same Administrator account that was used to install eDirectory. For example, if a domain Administrator account was used to install eDirectory, you should use the domain Administrator account again when installing Identity Manager and not use a local Administrator account.

If you do not use the same Administrator account, users’ answers for their Challenge Response questions are no longer accessible. This occurs because the tree key is re-created during the installation (because of the different Administrator account) and the new tree key does not provide the correct access to the stored answers. Users are prompted for new Challenge Response answers when they log in.

Upgrading Identity Manager from 3.5.1 to 3.6.1 on Windows does not remove Novell Identity Manager Connected System of Identity Manager 3.5.1 entry from the Add or Remove Programs

After installing Identity Manager 3.6.1 with eDirectory 8.8.5 64-bit on Solaris 10, Role Service driver does not work

Work around: For successful installation of Identity Manager, do the following:

  1. Create the following symbolic links:

    • /var/sadm/pkg/NDSserv that points to /var/sadm/pkg/NDSservx

    • /%path to%/eDirectory/setup/NDSserv.pkg that points to /%path to%/eDirectory/setup/NDSservx.pkg

      For example: /export/home/installs/eDirectory/setup/NDSserv.pkg that points to /export/home/installs/eDirectory/setup/NDSservx.pkg

  2. Run the following commands to make sure that the symbolic links, which you have created in Step 1, work:

    • pkgparam -v NDSserv | grep "^VERSION=" |awk -F"=" '{print $2}'
    • pkgparam -v NDSservx | grep "^VERSION=" |awk -F"=" '{print $2}'

    The commands return the eDirectory version if valid.

  3. Re-install Identity Manager.

Linux/UNIX Bidirectional driver cannot be installed on a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver on a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, IDM installer reports an error.

Novell Audit PA is not Supported for Windows 2003 64 bit, Windows 2008 (32 and 64-bit) and Solaris 64-bit

iManager plug-ins for Identity Manager cannot be properly installed if iManager is not properly installed

On Windows, Identity Manager is installed with errors if eDirectory is installed in a non-default location with a non-default location of DIBFiles

On Windows, if you have installed eDirectory in a non-default location with a non-default location of dib files, and install Identity Manager, the installation completes with errors. The errors occur because of the schema extension failure.

Work around: You must manually extend the schema as follows:

  1. After installing Identity Manager, stop eDirectory.

  2. Run the following command to extend the schema:

    <eDirLocation>\schemaStart.bat <eDirLocation> yes <admin name with tree> <password> yes 6 " " " <schemafileName>" "<serverName>" <dibPathLocation>

    NOTE:<dibPathLocation> must contain the DIBFiles folder.

    Sample Command:

    C:\eDir\NDS\schemaStart.bat "C:\eDir\NDS" yes ".cn=admin.o=n.T=IDM-INSTALLISSUE." "n" yes 6 " " "C:\eDir\NDS\sch_nt.cfg" ".CN=WIN2008-64-NDS.O=n.T=IDM-INSTALLISSUE." "C:\DIB\NDS\DIBFiles"

  3. Start eDirectory.

  4. Extend the Role-Based schema files srvprv.sch and nrf-extensions.sch. For this, you should use the eDirectory NDS console.

    1. From the NDS console, start the Novell eDirectory Install Utility (install.dlm service) and click Next.

    2. Select Install additional schema files and click Next.

    3. Specify the Administrative User Name, Context, and Password in the corresponding fields and click OK.

    4. Browse for the schema file srvprv.sch from eDirectory installation location (for example, C:\novell\nds) and Click Finish.

    5. Extend the nrf-extensions.sch schema file by following the steps 1 through 4.

Identity Manager 3.6.1 might not work with eDirectory 8.8.5 FTF1 on Linux, Solaris, and AIX platforms

Work around: Install eDirectory and IDM in the following sequence:

  1. Install eDirectory 8.8.5.

  2. Install IDM 3.6.1.

  3. Install eDirectory 8.8.5 FTF1.

  4. Configure a driver and start it.

Installing IDM 3.6.1 on Windows 2008 R2 Standard Edition by using VMware fails

Upgrading from eDirectory 8.8 SP5 64-bit to eDirectory to 8.8 SP6 creates multiple ndsd processes

While upgrading from eDirectory 8.8 SP5 64-bit to eDirectory to 8.8 SP6, the new Platform Agent RPM is not automatically installed. You must install the new Platform Agent to avoid the creation of multiple ndsd processes:

  1. Remove the previously installed Platform Agent.

  2. Manually add the new Platform Agent.

2.2 Remote Loader

The following section describes issues you might encounter as you use the Remote Loader.

Remote Loader console help page is not displayed on Windows 2008 Server Core

On Windows 2008 Server Core, in the Remote Loader console, when you click Help, the corresponding help page is not displayed.

Work around: Install a browser (for example, Internet Explorer) on your machine and click Help in the Remote Loader console.

While starting a Remote Loader instance from the Remote Loader console on Windows, an error might be displayed

Sometimes while starting a Remote Loader instance from the Remote Loader console, the following error message is displayed:

Socket Error: Permission Denied

Work around: Do one of the following:

  • Restart the machine.

  • Change the Remote Loader instance command port.

Remote Loader does not start immediately after upgrading from Identity Manager 3.5.1 to 64-bit Identity Manager 3.6.1 on UNIX platforms

Work around: Run the following commands:

  1. Stop the Remote Loader if it is running.

  2. Stop the LCache process.

    kill -9 ‘pgrep lcache‘

  3. Start the Remote Loader.

Remote Loader installation might complete with errors on Windows 2K8R2 standard edition

The errors occur because the Roles Service driver is not installed. However, Roles Service driver cannot work with Remote Loader.

2.3 Drivers

The following section describes issues you might encounter as you use the Identity Manager drivers.

SAP HR driver does not work on Windows Server 2008

The currently supported version of JCO for SAP HR driver is 2.1.8. SAP HR driver does not work on Windows Server 2008 because JCO 2.1.8 does not support Windows Server 2008.

JDBC driver upgrade from a version earlier than 3.5.1, to the version 3.5.1 or later fails

The upgrade operation fails when you upgrade JDBC driver from a version earlier than 3.5.1, to the version 3.5.1 or later.

The operation fails because of one of the following reasons:

  • The driver could not read the metadata of tables by using the mysql-connector-java-3.1.11-bin.jar driver classes.

  • You could not get the information from state files because the serialVersionUID of the class JDBMKeyComparator has changed after the upgrade.

Work around: The following are the work arounds which are based on the reasons for the upgrade failure:

  • Upgrade the third party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.

  • Delete the state files and restart the driver.

Core dump while running LDAP driver

While running the LDAP driver, core dump is caused by java during compilation by the Just In Time (JIT) compiler, with the following error in hs_err_<pid> file.

C2:952  !   com.novell.nds.dirxml.driver.ldap.LDAPPublisher.processModifyValue

Sample core stack:

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7b8c8d0 in raise () from /lib/libc.so.6
#2  0xb7b8dff3 in abort () from /lib/libc.so.6
#3  0x064fa73b in os::abort () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#4  0x065ed0d1 in VMError::report_and_die () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#5  0x064ff659 in JVM_handle_linux_signal () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#6  0x064fc648 in signalHandler () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#7  <signal handler called>
#8  0x0625665c in PhaseChaitin::gather_lrg_masks () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#9  0x06255bb5 in PhaseChaitin::Register_Allocate () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#10 0x062a2acd in Compile::Code_Gen () from //opt/novell/eDirectory/lib/nds-modules/jre/lib/i386/server/libjvm.so
#11 0x0629f950 in Compile::Compile ()

Work around: Disable the JIT compiler by using the following methods:

By using iManager

  1. Log in to iManager.

  2. Click to display the Identity Manager Administration page.

  3. In the Administration list, click Identity Manager Overview.

  4. Under the Driver Sets tab, click the driver set to open the Driver Set Overview Page.

  5. Click the Driver Set menu, then click Edit Driver Set properties.

  6. Click Misc to display the property page that contains the Java environment parameters.

  7. Set JVM Options: under Java Environment Parameters to contain the following:

    -XX:CompileCommand=exclude,com/novell/nds/dirxml/driver/ldap/LDAPPublisher,processModifyValue

  8. Restart eDirectory for the environment parameters to take effect.

By using Designer

  1. Open your project in the Modeler.

  2. Right-click the driver set icon , then click Properties.

  3. Select Java from the list.

  4. Set JVM Options: under Java Environment Parameters to contain the following:

    -XX:CompileCommand=exclude,com/novell/nds/dirxml/driver/ldap/LDAPPublisher,processModifyValue

  5. Right-click the driver set icon , then click Live submenu > Deploy to update the changes.

  6. Restart eDirectory for the environment parameters to take effect.

The build and version dates are incorrect for the Fan-Out driver

Apply IDM 3.6.1 FP2 patch to use AD driver on Windows 2008 R2

2.4 Engine

The following sections describe issues you might encounter as you use the Identity Manager:

Identity Manager 3.6.1 performance is degraded if Active Directory Domain Controller and File Services are configured on the disk on which eDirectory is installed

Work around: For better performance of Identity Manager on Windows, enable Write Caching on the disk as follows:

  1. Right-click My Computer > Properties > Hardware > Device Manager > Disk drives

  2. Right-click the drive, on which eDirectory/Identity Manager is installed, and click Properties > Policies.

  3. Select Enable write caching on the disk.

Password sync fails with Identity Manager 3.5.1 Remote Loader on 64-bit Windows

If password sync filter is installed on a 64-bit machine having Remote Loader 3.5.1, the password sync fails. It returns the error that password sync is not installed on the domain.

Work around: Add Host Names value to the HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\Pwfilter file.

Identity Manager 3.6.1 might sporadically report the unsatisfied link error on Solaris 10

When you start Identity Manager 3.6.1 on Solaris 10, you might sporadically encounter the unsatisfied link error.

Work around: From /opt/novell/eDirectory/lib/, manually delete the following zero-size files:

  • libjclnt.so

  • libjclnt.so.0

64-Bit Engine and 32-Bit Remote Loader cannot coexist in a single machine on UNIX platforms and vice versa

2.5 iManager

The following sections describe issues you might encounter as you use iManager.

Internet Explorer 7 prompts continually for access to the Clipboard

When you are in iManager, particularly the Policy Builder, Internet Explorer* 7 continually prompts you for access to the Clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Click the Security tab, then click Custom Level.

  3. Click Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.

2.6 eDirectory

The following sections describe issues you might encounter related to eDirectory:

Larger eDirectory stack size required on AIX systems

When running Identity Manager on AIX with eDirectory 8.8.5, you need to increase the eDirectory stack size.

  1. Stop ndsd.

  2. Increase the stack size:

    ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd

  3. Restart ndsd.

NICI segfault when installing on 64-bit AMD quad core processors

When installing 32-bit eDirectory 8.8.5 on servers that use AMD Opteron* (X86_64) processors, the installation generates a segmentation fault during installation of NICI (Novell International Cryptographic Infrastructure) and NICI is not installed properly.

Novell Support can provide a patch to fix this issue. For information, see Technical Information Document 7000979.

Identity Manager query finds multiple matches in eDirectory

This issue occurs if the query performed uses an index that has been created with eDirectory versions 8.8.5 patch6 or 8.8.6 patch2. These eDirectory versions create indexes with AncestorsID information.

There are two possible workarounds for this issue:

  • Modify the query that uses a sub-tree search to use base container for the search if your requirements can be fulfilled with a base search.

  • Upgrade eDirectory to 8.8.6 patch3 or a patch later than eDirectory 8.8.5 patch6. If the index has been created with eDirectory 8.8.5 patch6 or 8.8.6 patch2, delete the index that the query is using, then create it again. By creating index with 8.8.6 patch3, the AncestorsID is not automatically added. This holds true for later patches of eDirectory 8.8.5 as well.

The issue does not occur if the query uses an index that has been created with an older version of eDirectory, even if the query is performed against a server running eDirectory 8.8.5 patch6 or 8.8.6 patch2.

2.7 Uninstallation

You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.

Identity Manager 3.6.1 uninstallation does not remove DXMLnotes.pkg on Solaris

Identity Manager 3.6.1 uninstallation fails without removing any installed files

Identity Manager 3.6.1 uninstallation fails without removing any installed files. A Null Pointer exception is reported. The issue occurs if:

  • You haven’t properly installed iManager.

  • You have partially installed iManager plug-ins for Identity Manager.

3.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell® trademark; an asterisk (*) denotes a third-party trademark.

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.