December 2, 2002
IMPORTANT: For the most recent version of the Novell iManager 1.5 readme file (imanager_readme.html), see the readmes directory at the root of the eDirWebApps CD or see the Novell iManager documentation web site.
=====================================================================
3.0 Web Services Software Information
=====================================================================
Novell iManager is a Web-based application for managing, maintaining, and monitoring Novell eDirectory using wired and wireless devices.
iManager is based on the eDirectory Management Framework (eMFrame), which is a Web application you can use to easily build modular eDirectory management services called plug-ins. eMFrame plug-ins define management roles and implement tasks associated with those roles. eMFrame is implemented as a Java servlet and uses WebAccess technology developed for GroupWise. Its features are also accessible from a command prompt and through scripts.
For iManager product documentation, see the Novell documentation web site.
For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base.
Novell iManager 1.5 has the following Web services software requirements:
Novell iManager can also be integrated with the following Web servers:
JVM 1.4 has not been tested with this product.
The iManager installation program handles the installation of Web services software for each platform as follows:
On NetWare 6, versions of Apache and Tomcat are already installed.
On Windows NT/2000 servers, the iManager installation program will install Apache 1.3.30, Tomcat 3.3a, and JVM 1.3.1 if they aren't already installed on the server or if IIS isn't installed and running.
On UNIX platforms, you must install the necessary Web services software components for your server before you can install iManager. For information, see the Apache web site, the Sun Java web site, and the IBM Java web site.
Additional information about Apache and Tomcat can be found on the following web sites:
A "patches" directory has been added to the root of the eDirWebApps CD. Refer to the readme file(s) in the patches directory for explanations on how to use the included patches.
If you installed iManager 1.5 on a NetWare server running BorderManager, you will need to re-install the iManager BorderManager plug-in. This is done by running the BMPlugin.ncf file located in patches directory. Refer to the readme.txt file in the patches directory for installation instructions.
The ZENworks for Servers Plug-ins are not supported with iManager 1.5. Support will be forthcoming. In the interim, use the 1.22 version of iManager for ZENworks for Servers 3.0. See also TID 10074950 on the Novell Support web site.
If eDirectory 8.7 is installed before iManager on the same Windows or UNIX server, you may have port conflicts.
For UNIX platforms, Novell does not allow the use of any port other than the designated ones below 1024. If a port conflict is detected when running ndsconfig, enter a new port above 1024. For example, 8010 and 8011 are valid ports.
If iManager does not load when you click on the link in the Getting Started document, check the following file on Windows replacing this path with the path where you installed iManager: C:\Program Files\novell\iManager\tomcat\logs\jvm.stderr. You will see exceptions at the bottom of the file similar to the following. On Solaris and Linux you will see these exceptions in your Console that you are running Tomcat from.
java.lang.reflect.InvocationTargetException:
org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind
To resolve this problem on Windows NT/2000 servers, do the following:
1) In Windows Control Panel for NT and Administrative Tools for 2000, select Services.
2) Find the jakarta entry and click Stop.
3) Stop IIS or Apache.
4) Start ConsoleOne and login to your eDirectory 8.7 tree.
5) In the tree view, select the container where you installed the server object.
6) Open the properties of the HTTP Server - [servername] object and select the Other tab.
7) Change the httpDefaultClearPort and httpDefaultTLSPort attributes to port numbers other than your iManager web server (probably 80) and tomcat ports (8080, 8007, 8009). For example, change to 8010 for httpDefaultClearPort and 8011 for httpDefaultTLSPort.
8) Open NDS Services from the Windows Control Panel and select the Services tab.
9) Select ds.dlm service and click the Configure button.
10) In NDS Configuration, select the Triggers tab.
11) Click the Limber button to start the Limber process. The new Port assignments should be set.
12) In Windows Control Panel for NT and Administrative Tools for 2000, select Services.
13) Find the jakarta entry and click Start.
14) Start IIS or Apache.
15) Verify that your web server is running. Test by opening the Getting Started page (eMFrame\help\en\install\gettingstarted.html) and select the iManager link.
To resolve this problem on Solaris, Linux, and AIX, do the following:
1) Stop Apache and Tomcat.
2) Start ConsoleOne and login to your eDirectory 8.7 tree.
3) In the tree view, select the container where you installed the server object.
4) Open the properties of the HTTP Server - [servername] object and select the Other tab.
5) Change the httpDefaultClearPort and httpDefaultTLSPort attributes to port numbers other than your iManager web server (probably 80) and tomcat ports (8080, 8007, 8009). For example, change to 8010 for httpDefaultClearPort and 8011 for httpDefaultTLSPort.
6) The server will be refreshed and the ports changed when limber runs next time or initiates the limber from ndstrace (set ndstrace = *L).
NOTE: Http Server object can be recreated using iManager, ConsoleOne or by running ndsconfig add –m http
7) Start Tomcat and Apache after the limber process has run.
8) Verify that your web server is running. Test by opening the Getting Started
page (eMFrame\help\en\install\gettingstarted.html) and select the iManager link.
During the iManager install on Windows, if a web server is not detected by the install or selected by the user, iManager will install the Apache HTTP server for the convenience of the user. This installation of Apache does not include the additional module installation and configuration required to support secure connections. The user has the responsibility to make sure that the server is configured properly to meet their specific needs.
On a Windows Server where IIS is installed, iManager will be installed to the Web Site that the install program determines is the default Web Site. If multiple IIS Web Sites are running on the server and iManager needs to be run from a Web Site other than the one selected by the install, it will need to be manually configured to use the ISAPI redirector to Tomcat. See the Tomcat documentation for more details: <TOMCAT_HOME>\doc\tomcat-iis-howto.html.
To set up Apache and Tomcat on Solaris:
1) Build and install Apache.
For more information, see the Apache web site, the Jakarta web site, and the Sun Java web site.
The following issues might occur when using a Netscape 6.2 browser:
When using iManager in simple mode in Internet Explorer 5.5, the scroll bar might not scroll down to the bottom of the screen.
NICI 2.4.x is automatically installed with eDirectory 8.7. On a machine without
eDirectory 8.7, you will need to install NICI 2.4.x manually. For NetWare, run
NWCONFIG and select the installs\nw\nici subdirectory from the eDirectory WebApps
CD. For Windows, the install (wcniciu0.exe) is located in the installs\win\nici
subdirectory on eDirectory WebApps CD.
If you intend to run iManager on a Windows machine that has NICI 1.3.x installed,
you must execute the batch file named runf2dc.bat before you install NICI 2.4.x.
This batch file will prepare your system such that NICI 2.4.x can be installed.
The batch file is located in installs\win\nici subdirectory on the eDirectory
WebApps CD.
You can quickly determine if you have NICI 1.3.x installed on your Windows machine by looking in the subdirectory %SYSTEMROOT%\system32\Novell\NICI. If you see files named
and you are missing one or more of the following files in this same directory
"Require TLS for Simple Binds with Password" was previously named
"Allow Clear Text Passwords." Selecting Require TLS for Simple Binds
with Password has the same effect as unselecting Allow Clear Text Passwords.
To access this option in Novell iManager, click the Roles and Tasks button >
LDAP Management > LDAP Overview > View LDAP Group Objects > click on
an LDAP Group object > click Information.
A dynamic group can use an LDAP search filter to populate its 'member' attribute. Traditional or static groups require the 'member' attribute to be populated manually. A dynamic group, on the other hand, can use an LDAP URL to assign all users with a Title attribute of "IS" to its membership list. Members can be specified by a Filter on a Dynamic Group object, in addition to explicit members.
You can use the Dynamic Group Management role in Novell iManager to create and modify Dynamic Group objects. Dynamic Groups are supported with eDirectory 8.6 and above. To make a dynamic group work properly after creation:
1) Setup SSL for LDAP connections. Refer to Appendix C "Configuring and Using SSL for LDAP Connections" in the iManager Administration Guide. Alternately, if you want to use clear text passwords for LDAP communication: Run iManager, click the Roles and Tasks button > LDAP Management > LDAP Overview > View LDAP Group Objects > click on an LDAP Group object > click Information. Uncheck "Require TLS for Simple Binds with Password". Do this for each LDAP Group object in the tree.
2) In Novell iManager, click the Roles and Tasks button.
3) Click Dynamic Group Management > Modify Dynamic Group.
4) Specify the name and context of the Dynamic Group object you want to modify.
5) Enter the appropriate information on the Modify Dynamic Group page.
There are default values for the Identity object, Base dn, and Filter fields:
Identity object = [Public]
Base dn = [root]
Filter = (objectClass=*)
If nothing is entered in these fields, these default values will automatically be used. You will not be able to see a default value for Base dn or Filter. Leaving everything set to the default values will add every object in your tree as a member of this dynamic group. You can verify this by selecting the Unique member list, which will show you the current members of the dynamic group based on the filter that is set and any members that were explicitly added.
6) Set the Base dn to the search base. The search base is the point at which you want to begin searching for dynamic group members based on the Filter you have entered.
7) Set the Identity object or accept the default.
NOTE: [Public] may not have sufficient rights to read and compare attributes. For example, if you set the Filter to (&(title=manager)), the [Public] identity might not be able to read or compare the title or many other attributes. To perform a search, the server has to use a specific identity so that the results will always be consistent. The Identity object should have a password set so that the server can authenticate as the Identity object. The Identity object must have sufficient rights to the Base dn level and below to determine dynamic group membership.
8) Specify a filter with the Advanced Selector or by typing one in.
For an overview of using dynamic groups with eDirectory, see the April 2002 edition of Novell App Notes.
A problem may occur if you delete a predefined role in iManager using the Delete Role task. If a predefined role, such as eDirectory Administration, Group Management, etc., is deleted using the Delete Role task and then recreated by re-installing the iManager plug-in using the Install plug-in task, the role is recreated but no tasks are assigned to the role.
This will be addressed in a future release.
If you run the Post NetWare5 Schema Update in the Schema Maintenance task in the eDirectory Maintenance Utilities role, it might not complete successfully.
The following tasks in the eDirectory Maintenance role can only be used on a server running eDirectory 8.7:
The iPrint plug-in for iManager is designed for NetWare 6 servers only. You will receive errors if you try to run the plug-in on any other type of server. iPrint also requires Internet Explorer 5.5 or later.
In addition to iPrint, the NLS and DNS/DHCP plug-ins will only run on NetWare 6 servers.
The SNMP Task in iManager requires eDirectory 8.7. If you try to use the task on servers that don't have version 8.7 installed, an error will display.
When iManager is running with JVM 1.3.1 for AIX, the file upload process is failing which causes the plug-in to get an empty file. Use JVM 1.3.0 on AIX if file upload/download operations are to be supported.
A random error on AIX might occur where you get an "unsatisified link" error with JClient when you start Tomcat. This may be a problem if iManager is installed before eDirectory. If you get this error, uninstall iManager, install eDirectory 8.7 first, then install iManager.
If you uninstall iManager on a Windows NT/2000 server using the Add/Remove Programs utility, a message will display at the end listing files that were not deleted. This is the expected behavior of the application. The iManager uninstallation program only removes the files that the iManager installation originally copied onto the server.
After running the iManager Configuration Wizard on a NetWare 6 server that has been upgraded to SP2, the objects for the following roles and their associated tasks have been created, but they have not been assigned to the creator of the collection:
In this situation, you will need to assign members to these roles in order to use them.
If iManager is installed on a Windows NT/2000 server that also has eDirectory 8.5 installed, many of the tasks in the Novell Certificate Server plug-in and other iManager plug-ins may fail due to conflicting versions of shared libraries.
It is strongly suggested that eDirectory on a Windows server be upgraded to a version later than 8.5 before iManager is installed. However, if iManager is to be installed without upgrading, then the Novell Certificate Server plugin will not function correctly until the following steps are taken:
When attempting to login to eDirectory through iManager, if you receive the error "ErrorError: System Error Could not find native libraries for com.novell.emframe.fw.NDSNamespaceAuthenticator," Linux may be having a problem locating the jClient libraries.
Do the following:
When Tomcat is starting, you should see in the terminal window that Novell JClient is found. There will be a line that looks something like this: "Novell JClient 1.1.1098-1.1.1098. Copyright 1999 Novell Inc. All Rights Reserved."
After the iManager Configuration Wizard is run on your tree and has upgraded the Role Based Services Collection it deletes a file called firstTime.properties located in $TOMCAT_HOME\webapps\eMFrame\WEB-INF\misc\. If you run iManager 1.5 from another web server where the iManager Configuration Wizard has never been run, you will need to delete that file on that web server or the wizard will display every time you login.
Do not use ConsoleOne to modify any of the Role-Based Services objects. Role-Based Services objects were designed to be modified in iManager only.
When deleting or moving more than 1118 objects at one time in iManager you may get an IE error. If you choose to continue by clicking No the objects will get added to the list, but it may take some time. If you say Yes, JavaScript will stop adding objects at about 1118.
Most administration operations on NetWare 4.x servers through iManager will fail. If NetWare 4.x is in the replica ring, perform all partition administration operations for that replica ring using ConsoleOne.
iManager always stays in secure mode, even if your receive an error from your browser software stating that "this page contains secure and non-secure items."
Under rare circumstances on servers running NetWare 6 SP2 with a minimum of 256K, the iManager installation program might hang at the end the install when it is trying to update the products.dat file. This also might cause two versions of Apache to run as well. Since all files have been copied, usually a manual re-boot of the server will take care of these issues.
During an iManager login, a -634 error could result if the IP address specified in the "Tree" field belongs to a server in the tree which has no replica or if the available advertising services (such as SAP or SLP) have no information about where to contact a replica server in the tree. To successfully log in, try specifying the IP address of a server in the tree which contains a replica.
Several roles in iManager require supervisor rights to the container to perform the required tasks of that role. When assigning roles to users or groups, the administrator is prompted for a scope. The scope defines how far up (or down) the tree rights will be assigned. If, for instance, the iPrint role is assigned to a user and the scope is set at the top of the tree, the user that was assigned to that role will have supervisor rights to the entire tree. The following roles will assign supervisor rights to the container specified in the scope to the user:
Under some circumstances, the iManager Role-Based Services installation wizard might show a "display error." This error appears to only display when running in a browser on the console where Tomcat and eDirectory are running. The wizard continues to work in the background even though the interface indicates that it has failed.
In order to use the Simple Password method in NMAS, you need to have SSL set up on your server. Refer to "Configuring and Using SSL for LDAP Connections" in the iManager Administration Guide.
Selecting an eGuide Self Management role and then selecting a regular iManager role will cause the data and UI of the Modify Role Associations page to display the UI from the previously selected Self Management role. Also, the Scope textfield will be hidden from view as it is for a Self-Management role.
In order to reset the values that are causing the data and UI problem do one of the following:
There are two Role-Based Services issues known to exist in eGuide 2.1 caused by the rbsCoreLDAP.jar file (see bullets below). These issues should be resolved by downloading a new rbsCoreLDAP.jar file that is available on the Novell Support web site and replacing it with the existing file located in the eGuide ...\WEB-INF\lib directory. Refer to Solution ID# NOVL82867.
In iManager, when you go into the property book of an Organizational Role and add a Role Occupant, that object is not being made "Security Equal To" to that Organizational Role as they should be. However, the object does get saved to the Role Occupant list indicating that the Security Equal To has been set properly. This works properly in ConsoleOne and will be addressed in a future release of iManager.
You can look up specific error codes and their meanings using Novell iMonitor. Go to the following URL for more information:
http://[eDirectory_server_IP_address]:[port_number]/nds/error
It is possible to see a problem where "NaN" will display in the validity and expiration fields of a custom certificate. The work around is to run iManager from a English based server.
An optional parameter has been added that will cause iManager to always talk to the master replica for the objects being accessed. When logging in to iManager, add "&forceMaster=true" to the end of the URL. For example:
http://127.0.0.1:8080/eMFrame/webacc?taskId=fw.AuthenticateForm&merge=fw.AuthForm&forceMaster=true
This is not recommended for regular use of iManager, but can be helpful in some troubleshooting situations.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
U.S. Patent Nos. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S. and Foreign Patents Pending.
Copyright © 2002 Novell, Inc. All rights reserved.
Novell, NetWare, GroupWise and ZENworks are registered trademarks of Novell, Inc. in the United States and other countries.
ConsoleOne, eDirectory and Novell Certificate Server are trademarks of Novell, Inc.
All third-party trademarks are the property of their respective owners.