Novell iManager 2.0.2 Readme

September 23, 2005
1.0 Documentation
2.0 Plug-in Download Page
3.0 Installation Prerequisites
4.0 Supported Web Browsers
5.0 Installation/Configuration Issues
5.1 Setting iManager View Access
5.2 Changing IP Address
5.3 IIS File Upload Error During Module Package Install
5.4 Apache is Not Necessary
6.0 Login Issues
6.1 Unable to Log In to Another Tree
6.2 Unable to Log In after Renaming Trees
6.3 Internal 500 Error After Reboot
6.4 User Cannot Log In After Partition is Moved (Subtree Move)
6.5 Unable to Edit Portal Admin after Container Rename
6.6 iManager Loses Context when Multiple Logins Are Made Simultaneously to Different eDirectory Servers
6.7 Unable to Login to Different Tree--IP Address of eDirectory Server Is Needed
6.8 Contextless Login
7.0 Security Issues
7.1 Supervisor Rights
7.2 ActiveX Security Warning
7.3 Use SSL for LDAP Setting
7.4 "Unable to Determine Universal Password Status" Error
7.5 Configuring IIS to Use SSL
7.6 SSL/TLS Connection to eDirectory
8.0 Platform Specific Issues
8.1 HP-UX
8.2 Solaris
9.0 Other Known Issues
9.1 Password Restrictions and Identity Management
9.2 Using Extended Characters with Dynamic Groups
9.3 Selecting a Base DN with a Space in the Container Name with Dynamic Groups
9.4 Set Password Task Doesn't Support Password Policies for Universal Password in Novell Nsure Identity Manager
9.5 Errors when Modifying a Login Script
9.6 "Create Request for DNS Server Failed" Error
9.7 Other Task Wizard Won't Redirect
9.8 Password Expiration Date with SetPassword
9.9 iManager Login failure if Server OU Container Is Renamed
9.10 Virtual Office Doesn't Work Properly if Server OU Container Is Renamed
10.0 Legal Notices


1.0 Documentation

For the latest versions of the Novell® iManager readme and documentation, see the Novell Product Documentation Web site.

For information on additional iManager issues for this release, refer to Solution #10089040, titled "Novell iManager 2.0.x Readme Addendum," in the Novell Knowledge Base.


2.0 Plug-in Download Page

iManager plug-ins are available for download on the Novell Product Downloads Web site.

Currently, plug-in installations are not replicated across Web servers with shared Portal Configuration objects (PCOs). You must install the plug-ins you want on each iManager server.

In order to re-install an existing plug-in, you must first delete the rbsModule object for that plug-in using the "Module Configuration->Delete RBS Module" task.


3.0 Installation Prerequisites

All iManager installation prerequisites are listed by platform in the "Installing iManager" section of the Novell iManager 2.0.x Administration Guide.


4.0 Supported Web Browsers

To access iManager, you must use a machine running Internet Explorer 6 SP1 or above, Netscape* 7.1 or above, or Mozilla 1.4 or above.

The following issues will occur when using Netscape and Mozilla browsers:


5.0 Installation/Configuration Issues


5.1 Setting iManager View Access

When setting iManager View Access, the Collection Owners/Portal Administrators are immune to the Hidden Flag on the Configure View (that is, Collection Owners will see the Configure View even if it is configured to be hidden).


5.2 Changing IP Address

If you change the server IP address after you've installed iManager, multiple problems could occur and all Web services on the server will be affected.


5.3 IIS File Upload Error During Module Package Install

An "Unexpected end of part" error may be encountered during module package install when running iManager on a Windows IIS Web server with Tomcat. This is due to a known issue with uploading files through the Tomcat redirector for IIS. To successfully run a module package install, connect to iManager directly through Tomcat (for example, through port 8080).


5.4 Apache is Not Necessary

iManager 2.0.2 no longer requires Apache. Unless you have a specific need for Apache, you can just install iManager and use the Tomcat that comes with it.


6.0 Login Issues


6.1 Unable to Log In to Another Tree

During an iManager login, a -634 error could result if the IP address specified in the Tree field belongs to a server in the tree which has no replica or if the available advertising services (such as SAP or SLP) have no information about where to contact a replica server in the tree. To successfully log in, try specifying the IP address of a server which contains a replica in the tree.


6.2 Unable to Log In after Renaming Trees

If you rename your eDirectory tree with the DSMerge utility or iManager, you will need to reboot the server before you log in to the renamed tree.


6.3 Internal 500 Error After Reboot

Because of supporting modules, Tomcat can often be the last item to load on the iManager server. After you restart Tomcat, it may take 60 seconds or longer before you can access iManager depending on the performance of your server.


6.4 User Cannot Log In After Partition is Moved (Subtree Move)

If an Organization or OU container that holds User objects and has been designated as a Portal Container in Portal is moved (for example, under a Country container), the user might not be able to log in. To resolve this problem, you should refresh the Portal, following the steps below.

NOTE:  Designating a container as a Portal Container allows a search of that container during the tree walking login method to find the user.

  1. Log in to iManager as Admin, then select the Configure button from the View buttons across the top.

  2. From the Configure View, click the iManager Configuration role, then click Portal.

  3. Under the Configuration menu on the right, click Refresh Portal.

  4. To resolve the Search Container issue, click Select All > Refresh.


6.5 Unable to Edit Portal Admin after Container Rename

If you want to rename the container where an administrator was created, you need to rename the container in the System.PortalConfigurationObjectDN file then restart exteNd Director. Otherwise, exteNd Director will no longer recognize that object.


6.6 iManager Loses Context when Multiple Logins Are Made Simultaneously to Different eDirectory Servers

iManager logins can fail when multiple log-ins are made simultaneously to different eDirectory servers. If you open a new window from inside the current browser, it will use the same Java session. These shared sessions are not supported.


6.7 Unable to Login to Different Tree--IP Address of eDirectory Server Is Needed

An IP address is accepted for the eDirectory server to log into when using the Login To a Different Tree feature of iManager. If the server is having SAP/SLP issues, use of an IP address may be the only way that users will be able to log in.


6.8 Contextless Login

In order for users to take advantage of the contextless login feature of iManager, the container of these users needs to be added to the Contextless Login search path. For more information on Contextless Login, see the "Configuring and Customizing iManager" section in the Novell iManager 2.0.x Administration Guide.


7.0 Security Issues


7.1 Supervisor Rights

Several tasks in iManager require supervisor rights to the container to perform the required tasks for that role. When assigning roles to users or groups, the administrator is prompted for a scope. The scope defines how far up (or down) the tree rights will be assigned. If, for instance, the iPrint role is assigned to a user and the scope is set at the top of the tree, the user that was assigned to that role will have supervisor Object Entry rights to the entire tree.

As new plug-ins are made available, the tasks the plug-ins contain might grant Supervisor rights. For more information, see the "Novell iManager: Planning Security for Delegated Administration" white paper.


7.2 ActiveX Security Warning

Tasks under the Install and Upgrade Role generate an ActiveX security warning and will not run.

To prevent this warning from coming up, change the security settings in Internet Explorer by performing these steps:

  1. In Internet Explorer, click Tools > Internet Options.

  2. On the Security Tab, click Custom Level.

  3. Change "Initialize and script ActiveX controls not marked as safe" to Enable (the default is Disable).

After you do this, the tasks will run properly.

WARNING:  Only enable this option when using the tasks under the Install and Upgrade role. When finished, we recommend returning to the disabled (default) setting.


7.3 Use SSL for LDAP Setting

The Use SSL for LDAP setting in Portal > Configuration is a historical setting from iManager 1.5.x whose meaning has changed in iManager 2.0.x. This setting only applies to trees other than the tree where iManager 2.0.x is installed. LDAP connections made by iManager to servers in other trees will use this setting to determine whether or not to use SSL for communication to the LDAP server in another tree.


7.4 "Unable to Determine Universal Password Status" Error

If an eDirectory for UNIX server is configured to use SSL for LDAP communications, you will receive the following error when you select the option in iManager to set a Simple Password:

"Unable to determine universal password status"

To resolve this error, run the nmasinst utility on the eDirectory for UNIX server. The nmasinst utility lets you install login methods into eDirectory from a UNIX machine, and is required to run the Universal Password feature. The nmasinst utility is located in the /usr/bin/nmasinst directory.


7.5 Configuring IIS to Use SSL

The iManager installation program will not configure HTTP SSL if you already have an existing Apache or IIS Web server installed. If Apache is installed, the SSL connection is set up automatically. For more information on configuring IIS to use SSL, see the Microsoft Knowledge Base Web site.

NOTE:  When configuring SSL on IIS, one of the optional settings is "Require Secure Channel (SSL)". If you select to require SSL, you will need to configure the iManager custom backend renderer location to a different port, like the Tomcat HTTP port (typically port 8080). This can be done by modifying the PortalServlet.properties file.

For example:

Custom_Backend_Renderer_Portal_Location=http\://151.155.159.29\:8080/nps

For more information, see the Portal Configuration Object Settings of the iManager 2.0.x Administration Guide.
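As an added illustration (not part of this readme and not iManager code), the following Python script reads a PortalServlet.properties excerpt written in the escaped form shown above, resolves the Java .properties backslash escapes so that http\://151.155.159.29\:8080/nps becomes a usable URL, and checks whether Custom_Backend_Renderer_Portal_Location reaches Tomcat directly on its HTTP port when "Require Secure Channel (SSL)" is enabled on IIS. The sample properties text is constructed, the function names are the example's own, and the rule "renderer must use the Tomcat HTTP port when IIS requires SSL" is this example's reading of the note above, with 8080 as the default because the readme calls it typical.

```python
from urllib.parse import urlsplit

# Constructed excerpt of PortalServlet.properties in the escaped form the
# readme shows. Java's .properties writer escapes ':' inside values as '\:'.
SAMPLE_PROPERTIES = r"""
# PortalServlet.properties (constructed excerpt, not a real file)
Custom_Backend_Renderer_Portal_Location=http\://151.155.159.29\:8080/nps
"""

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    """Resolve Java .properties escapes: \\uXXXX, \\t \\n \\r \\f, and a
    backslash before any other character (\\: \\= \\\\ "\\ ") yields that character."""
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def _split_key_value(line: str):
    """Split at the first unescaped '=', ':' or whitespace, as java.util.Properties does."""
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 2  # skip the escaped character, e.g. the ':' in 'http\:'
            continue
        if ch in "=:" or ch.isspace():
            rest = line[i:].lstrip()
            if rest[:1] in ("=", ":"):
                rest = rest[1:].lstrip()
            return line[:i], rest
        i += 1
    return line, ""


def parse_properties(text: str) -> dict:
    """Minimal reader: blank lines and '#'/'!' comments are skipped, keys and
    values are unescaped. Backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split_key_value(line)
        props[_unescape(key)] = _unescape(value)
    return props


def renderer_check(props: dict, iis_requires_ssl: bool, tomcat_http_port: int = 8080):
    """Return (ok, reason). When IIS is set to 'Require Secure Channel (SSL)',
    the back-end renderer location must reach Tomcat directly on its HTTP port
    instead of going back through IIS (assumption derived from the readme's note)."""
    url = props.get("Custom_Backend_Renderer_Portal_Location")
    if not url:
        return False, "Custom_Backend_Renderer_Portal_Location is not set"
    parts = urlsplit(url)
    if not iis_requires_ssl:
        return True, "IIS does not require SSL; the renderer location needs no change"
    if parts.scheme == "http" and parts.port == tomcat_http_port:
        return True, "renderer goes straight to Tomcat on port %d" % tomcat_http_port
    return False, ("renderer %s://%s would pass through IIS; point it at Tomcat's HTTP port %d"
                   % (parts.scheme, parts.netloc, tomcat_http_port))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(props["Custom_Backend_Renderer_Portal_Location"])  # http://151.155.159.29:8080/nps
    print(renderer_check(props, iis_requires_ssl=True))
```

Run the script against a copy of your own PortalServlet.properties by replacing SAMPLE_PROPERTIES with the file's contents; the check only inspects the renderer location, it does not verify that the port is actually reachable.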


7.6 SSL/TLS Connection to eDirectory

The Dynamic Groups role requires secure LDAP access to function properly. For more information, see the "Troubleshooting" section in the Novell iManager 2.0.x Administration Guide.


8.0 Platform Specific Issues


8.1 HP-UX


8.1.1 Using the eMBox Logger on HP-UX

Problems exist with the eMBox Logger on the HP-UX platform. While the logger loads, errors might display.


8.2 Solaris


8.2.1 Creating /dev/random on Solaris 8

The following is a sample script for creating /dev/random on Solaris 8.

#!/usr/bin/ksh
# Set up Solaris random device from patch 112438 without reboot
# Moderate error checking only since this should be straightforward.
#
# (c) 2002 Andrew J. Caines. Permission to modify and distribute is
# granted on condition the copyright message is included and modifications
# are clearly identified.
#
# Incorporating suggestions and changes from these SunManager list members:
# Thomas Anders <anders@hmi.de>, Dan Astoorian <djast@cs.toronto.edu>,
# Prümm Gerd <gerd.pruemm@alcatel.ch>, Adam Mazza <adam@68e.com>.
# Script rewrite for functional changes and reliability improvement based
# on contribution from Jeff Bledsoe.

PATH=/usr/bin:/usr/sbin

Patch=${Patch:-112438} # Just in case it ever changes

# Set up tempfile
TmpFile=/tmp/.$$.$RANDOM ; rm -f $TmpFile ; touch $TmpFile; chmod 600 $TmpFile

function bailout
{ echo "$*. Exiting" >&2 ; exit 1
}

# Check patch is installed
echo "Checking for patch $Patch...\c"
if showrev -p | egrep -s "^Patch: ${Patch}-"
then echo " installed."
else bailout " not installed. Install it and try again."
fi

# Activate random kernel module with workaround for module dependency problem
echo "Removing random device from name_to_major"
name_to_major=$(</etc/name_to_major)
echo "$name_to_major" | sed '/random/d' > /etc/name_to_major

# Add driver to create device nodes and load module
echo "Adding driver to system"
add_drv -m '* 0644 root sys' random || bailout "Driver random failed to add"

echo "Creating link to /dev/random from /kernel/drv/random"
ln -s /kernel/drv/random /dev/random

# Report results
echo "Finished. You now have the following random devices:"
ls -l /dev/*random /devices/pseudo/random@0:*random

# Test
echo "Do you want to test the new device? (y/n) \c"
read yn
case $yn in
[Yy]*) echo "Running: dd if=/dev/random of=$TmpFile bs=512 count=1"
dd if=/dev/random of=$TmpFile bs=512 count=1
echo "Running: strings $TmpFile"
echo "You should see a few lines of random garbage:"
;;
[Nn]*) echo "Your blind faith will be rewarded in the next life."
echo "Your reward confirmation code is:"
;;
esac

strings $TmpFile
rm -f $TmpFile

exit 0
################################################################################
# The remainder of this script never runs, but is left as reference for use
# and locations of the relevant data and commands.

# Find device major
major=$(nawk '/^random/{print $2}' /etc/name_to_major)

# Make pseudodevices for both devices
echo "Making device nodes."
mknod /devices/pseudo/random@0:random c $major 0
mknod /devices/pseudo/random@0:urandom c $major 1

mode=$(nawk '/^random/{print $2}' /etc/minor_perm)
user=$(nawk '/^random/{print $3}' /etc/minor_perm)
group=$(nawk '/^random/{print $4}' /etc/minor_perm)

chown $user:$group /devices/pseudo/random@0:*random
chmod $mode /devices/pseudo/random@0:*random

# Make dev links
echo "Making device links."
cd /dev
ln -s ../devices/pseudo/random@0:random /dev/random
ln -s ../devices/pseudo/random@0:urandom /dev/urandom

# load the module
echo "Loading driver."
modload /kernel/drv/random

# Prime the pump with half-decent data source
echo "Priming entropy pool."
alias primepool='dd if=/dev/mem bs=512 count=16 2>&- | crypt $RANDOM'
primepool > /dev/random 2>&- # Gives "/dev/random: cannot create"
primepool > /dev/random # Runs fine


9.0 Other Known Issues


9.1 Password Restrictions and Identity Management

If a user's password has been set to expire on the Password Restrictions page in iManager, and the Admin or Help Desk changes the password, the user will see the following message appear when they log in to iManager for the first time:

"The Secret Store is currently locked"

The Secret Store is a persistent store of name/password combinations stored on the User object. The information is encrypted using the user's password. Any time a user changes their password, the Secret Store needs to be decrypted with the old password and re-encrypted with the new password. This is done automatically if the user changes their password through the change password gadget or when prompted to change their password when logging in to the portal/iManager.

If the user changes their password using some other method, they will be prompted to unlock their Secret Store the next time they log in. In this case, the user should perform one of the following actions:

  • Type in the old password (if known) and the new password set for them. Once this is done, the Secret Store will be reset for the user and they will not see this message again.
  • Click Delete Secret Store (if the user cannot remember their old password). Once this is done, the Secret Store will be deleted and they will not see this message again. The only information lost is the stored name/password combinations.


9.2 Using Extended Characters with Dynamic Groups

The Dynamic Groups Member Query Filter or Base DN removes extended characters after saving if the Euro symbol is present in the filter. If the Euro symbol is not present, extended characters and spaces are displayed as hexadecimal values, and the filter or Base DN functions properly.

For example, suppose you use the following in the Dynamic Group Member Query Filter and save it:

(|(title=sécrétary)(sn=last name))

This is what you will see when you re-enter the properties for the Dynamic Group:

(|(title=s%5cc3%5ca9cr%5cc3%5ca9tary)(sn=last%20name))
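The string shown above is the result of two encoding steps applied one after the other: the UTF-8 bytes of each extended character are first written as LDAP filter escapes (\c3\a9 for é, the RFC 4515 form), and the whole filter is then percent-encoded, which turns each backslash into %5c and each space into %20. The following Python script is an added example, not code from iManager or from this readme; it reproduces that transformation on the readme's own filter and recovers the original text from the stored form. The split of the filter into a template and two values, the set of characters left unencoded by the percent-encoding step, and the lowercase hex digits are assumptions chosen to match the observed output.

```python
import re
from urllib.parse import unquote

# Characters left as-is by the percent-encoding stage. Letters, digits and the
# filter's structural characters ( ) | = survive in the readme's output; the
# RFC 3986 unreserved marks are an assumption beyond what the readme shows.
_PERCENT_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~()|="
)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of one attribute value: every UTF-8 byte that is a
    filter special (* ( ) \\ NUL) or is non-ASCII becomes a \\xx hex escape."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def percent_encode(text: str) -> str:
    """Percent-encode everything outside _PERCENT_SAFE, with lowercase hex
    digits as in the stored filter (%5c for a backslash, %20 for a space)."""
    out = []
    for b in text.encode("utf-8"):
        if b < 0x80 and chr(b) in _PERCENT_SAFE:
            out.append(chr(b))
        else:
            out.append("%%%02x" % b)
    return "".join(out)


def stored_form(template: str, **values: str) -> str:
    """Assemble a filter from a template with {name} placeholders and raw
    values, then apply the two stages in the order the stored string implies:
    value escaping first, percent-encoding of the whole filter second."""
    escaped = {name: escape_filter_value(v) for name, v in values.items()}
    return percent_encode(template.format(**escaped))


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def recover_filter(stored: str) -> str:
    """Undo both stages. Percent escapes are decoded byte-for-byte (latin-1
    keeps each byte as one character), the \\xx filter escapes are turned back
    into raw bytes, and the result is decoded as UTF-8."""
    once = unquote(stored, encoding="latin-1")
    raw = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), once)
    return raw.encode("latin-1").decode("utf-8")


if __name__ == "__main__":
    # The filter from the readme, split into its template and its two values.
    template = "(|(title={title})(sn={sn}))"
    stored = stored_form(template, title="sécrétary", sn="last name")
    print(stored)                  # (|(title=s%5cc3%5ca9cr%5cc3%5ca9tary)(sn=last%20name))
    print(recover_filter(stored))  # (|(title=sécrétary)(sn=last name))
```

recover_filter is the part that matters when you meet such a filter in the property page: it tells you what value the Dynamic Group is actually matching, so you can see whether the stored form still describes the members you intended.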


9.3 Selecting a Base DN with a Space in the Container Name with Dynamic Groups

When a Dynamic Group that has extended characters or spaces in the container name for the Base DN is saved and modified again, the following occurs after you switch property book pages (for example, from the Member Query to the Members page): The Base DN is reset to the tree root instead of the container with extended characters or spaces that was originally selected.


9.4 Set Password Task Doesn't Support Password Policies for Universal Password in Novell Nsure Identity Manager

If you want to change a user's password, and you are using Universal Password and NMAS Password Policies, you should use the Set Universal Password task in the Password Management role. This plug-in is installed if you are using Password Policies. It displays the Password Policy rules that you must comply with.

The Set Password task in the Help Desk role, and Modify User task in the Users role, don't display the Password Policy rules. If the password you create does not comply, you will receive errors.


9.5 Errors when Modifying a Login Script

When using an English-only JRE, you will receive errors when you attempt to read or modify a login script or any other Stream type attribute in iManager. The servlet engine (Tomcat) will need to use an international version of the JRE or a JDK to solve this problem.


9.6 "Create Request for DNS Server Failed" Error

If you receive a "Create request for DNS server failed" error, this may indicate that there are problems with eDirectory. Specifically, it is probably due to the fact that there aren't any NetWare servers in the tree, that the NetWare servers do not have the DNS/DHCP service installed, or that the DNS/DHCP service is unavailable.


9.7 Other Task Wizard Won't Redirect

If the task wizard won't redirect when you are creating a task, try the following:

  1. From a browser, enter the URL to log into iManager.

  2. On the wizard screen click Next.

    If the URL appears valid to the wizard, it will complete the following:

    • Parse the HTML for <form> tags
    • Display the <form> tags found in the HTML

    If no <form> tags are present in the HTML, the wizard will display the default page, which will prompt you to manually enter the desired parameters.


9.8 Password Expiration Date with SetPassword

There is currently a problem in iManager when a call is made to SetPassword. After the call, eDirectory resets the Password Expiration Date back to January 1st, 1992. This causes problems with User objects that have "Force periodic password changes" enabled.

There are a couple of symptoms to this problem:

  • Incorrect password expiration date is set for users created from a template

    An incorrect password expiration date is set for users that are created from a Template or from another user when "Force periodic password changes" is enabled.

  • Forced password change after Set Password

    After using the "Set Password" task in iManager, for users that have "Force periodic password changes" enabled, the user is required to change their password the first time that they login.

The way to prevent the problem is to manually set the Password Expiration Date in the "Restrictions->Password Restrictions" property page of the User object after creation (from a template) or after setting their password.


9.9 iManager Login failure if Server OU Container Is Renamed

If the server's container is renamed, login to iManager will fail (HTTP Status 500 error). To resolve the error, edit the PortalServlet.properties file accordingly from ...\tomcat\4\webapps\nps\web-inf.


9.10 Virtual Office Doesn't Work Properly if Server OU Container Is Renamed

If the server's container is renamed, Virtual Office still doesn't work properly: user authentication works, but all buttons except two are missing. This problem occurs even if the PortalServlet.properties file is updated to reflect the new container name.


10.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2002-2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,157,663; 5,349,642; 5,455,932; 5,553,139; 5,553,143; 5,572,528; 5,594,863; 5,608,903; 5,633,931; 5,652,859; 5,671,414; 5,677,851; 5,692,129; 5,701,459; 5,717,912; 5,758,069; 5,758,344; 5,781,724; 5,781,733; 5,784,560; 5,787,439; 5,818,936; 5,828,882; 5,832,274; 5,832,275; 5,832,483; 5,832,487; 5,850,565; 5,859,978; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,878,434; 5,884,304; 5,893,116; 5,893,118; 5,903,650; 5,903,720; 5,905,860; 5,910,803; 5,913,025; 5,913,209; 5,915,253; 5,925,108; 5,933,503; 5,933,826; 5,946,002; 5,946,467; 5,950,198; 5,956,718; 5,956,745; 5,964,872; 5,974,474; 5,983,223; 5,983,234; 5,987,471; 5,991,771; 5,991,810; 6,002,398; 6,014,667; 6,015,132; 6,016,499; 6,029,247; 6,047,289; 6,052,724; 6,061,743; 6,065,017; 6,094,672; 6,098,090; 6,105,062; 6,105,132; 6,115,039; 6,119,122; 6,144,959; 6,151,688; 6,157,925; 6,167,393; 6,173,289; 6,192,365; 6,216,123; 6,219,652; 6,229,809. Patents Pending.

Novell is a registered trademark of Novell, Inc. in the United States and other countries.

All third-party trademarks are the property of their respective owners.