Novell eDirectory 8.6.1 for NetWare
December 3, 2001

TABLE OF CONTENTS

1.0 Installation Issues
    1.1 Distributing Proper Versions of DSREPAIR to All Servers in the Tree
    1.2 Upgrading an Existing eDirectory Database
    1.3 Upgrading an eDirectory 8.6.1 Server from NetWare 5.1 to NetWare 6
    1.4 Uninstall Issues
    1.5 NICI Issues
    1.6 Reinstalling NMAS
    1.7 Installing a NetWare 6 Server into an eDirectory 8.6.1 Server Tree
    1.8 Upgrading from eDirectory 8.0
    1.9 Upgrading to JVM 1.2.2
    1.10 Installing eDirectory on a NetWare 5.1 SP2 Server
2.0 Known Issues
    2.1 Persistent Search Operations
    2.2 ConsoleOne Issues
    2.3 iMonitor Issues
    2.4 Dynamic Group Issues
    2.5 Novell Certificate Server Issues
    2.6 Updating NMAS Clients
    2.7 Deleting Old Schema Definitions
3.0 Documentation Issues
    3.1 Viewing Documentation on the Product CD
    3.2 Additional Readme Files
    3.3 Additional Information
4.0 Legal Notices
    4.1 Disclaimer, Patents, and Copyright
    4.2 Novell Trademarks
    4.3 Third-Party Trademarks

1.0 Installation Issues

1.1 Distributing Proper Versions of DSREPAIR to All Servers in the Tree

For information on preparing an existing tree for an eDirectory 8.6.1 installation, see "Updating the eDirectory Schema for NetWare" in the Novell eDirectory Administration Guide (http://www.novell.com/documentation).

1.2 Upgrading an Existing eDirectory Database

Running this version of Novell eDirectory on an existing NDS or NDS eDirectory database will upgrade the database format and make it unable to be read by previous versions of NDS or NDS eDirectory.

The larger the database, the longer this process may take. For millions of objects, this process could take a number of hours.

Using any NDS Trace facility that ships with eDirectory (NDS iMonitor, DSTrace executables, or "set DSTRACE" on NetWare), you can get a feel for the progress of this step. Turn on the "Storage Manager" option (+RECMAN for "set DSTrace") and the "Change Cache" option (+CHANGE for "set DSTrace").
The NDS storage manager will upgrade the database format, then the DIB will be allowed to open. Thereafter, the synchronization process will rebuild the change cache for each replica it holds, and eDirectory will resume normal operation.

1.3 Upgrading an eDirectory 8.6.1 Server from NetWare 5.1 to NetWare 6

When upgrading a NetWare 5.1 server with Novell eDirectory 8.6.1 to NetWare 6, the NetWare 6 installation will ask you if you want to overwrite existing eDirectory files. Do not overwrite the existing eDirectory files. NetWare 6 contains an earlier version of eDirectory, and if you choose to overwrite the files, you will replace the server's eDirectory 8.6.1 files with files from an earlier version of eDirectory.

1.4 Uninstall Issues

1.4.1 Removing Novell eDirectory

If you use NWCONFIG to uninstall eDirectory, follow these steps to reinstall eDirectory:

1) Uninstall Novell eDirectory 8.6.1 using the following command:

   uinstall edir

2) Edit the SYS:SYSTEM\SCHEMA\SCHEMA.CFG file and remove the comment markers.

3) From the NetWare console, run NWCONFIG.

4) Select Product Options.

5) Select Install a product not listed.

6) Specify the location containing the Novell eDirectory 8.6.1 installation package.

If you use NWConfig to uninstall eDirectory, then reinstall eDirectory or install a DNS Federated tree, you should edit the SYS:SYSTEM\SCHEMA\SCHEMA.CFG file by uncommenting the following entries:

- ndps100.sch
- ndps200.sch
- ndps201.sch

1.4.2 NMAS 2.0 Enterprise Edition Umbrella Install Affects the Uninstall of Certain Novell Products

There is a problem with the NMAS 2.0 Enterprise Edition installation program for servers. If it is installed after certain other Novell products (such as eDirectory and ConsoleOne), you will find that you cannot uninstall those other products. This problem has been fixed in all later releases of the NMAS installation program.
If you experience this problem, you can work around it by simply re-installing that Novell product from the eDirectory 8.6.x CD. You can then, if desired, uninstall it. If it is eDirectory that you cannot uninstall, the re-install (upgrade) work-around from the Novell eDirectory 8.6.x CD will maintain all previously stored data in eDirectory.

For those who have purchased NMAS 2.0 Enterprise Edition, we recommend that you run the NMAS server install directly by executing the program INSTALL.EXE located in the NMASSERVER directory on the NMAS 2.0 Enterprise Edition CD.

If you have already installed NMAS 2.0 Enterprise Edition, you will need to upgrade the NMAS version after installing eDirectory 8.6.x. Perform this upgrade by executing the program INSTALL.EXE from the NMAS directory on the eDirectory 8.6.x CD.

1.5 NICI Issues

1.5.1 Uninstalling NICI 2.0.2

You should uninstall NICI 2.0.2 before attempting to install a version of eDirectory earlier than eDirectory 8.5.1. Otherwise, the installation on these older versions of eDirectory will fail when attempting to install their version of NICI.

1.5.2 NICI Doesn't Fully Uninstall

When you uninstall NICI, it may fail to uninstall completely. To fix this problem, restart the server and the uninstall will complete correctly.

If NICI fails to fully uninstall, delete the /WINNT/SYSTEM32/CCSW32.DLL file. If you don't remove this file, you might experience problems when attempting to reinstall eDirectory.

1.5.3 Error -670 During PKI Install

When installing a new server into an eDirectory tree, you may receive a -670 error when PKI components are being installed. This error is a symptom of a problem that has occurred on a different server already installed into the tree, not the server being installed when the error occurs.

To work around the problem, you must reboot the server experiencing the problem. Do the following:

1. Using ConsoleOne, open the Security container > KAP object > W0 object.

2. Examine the W0 object properties to find the attribute labeled NDSPKI:SD Key Server DN.

3. The server identified by this attribute is experiencing a problem. This SD Key server needs to be rebooted.

The problem may recur if Directory Services on the SD Key server is restarted without a reboot. In this case, attempts to install other servers in the tree will report the -670 error and the SD Key server will need to be rebooted again.

This particular -670 error does not occur during normal operations once a server is installed. It only happens during installation. A future NICI upgrade will fix this problem.

1.6 Reinstalling NMAS

If you have previously installed NMAS Enterprise Edition on NDS eDirectory 8.5 for the Windows NT/2000 platform, you will need to install the NMAS product provided with Novell eDirectory 8.6.1 after you have installed eDirectory 8.6.1. If you don't do this, NMAS will not work. This is because NICI has changed between the release of eDirectory 8.5 and eDirectory 8.6.1.

1.7 Installing a NetWare 6 Server into an eDirectory 8.6.1 Server Tree

When installing a NetWare 6 server into an eDirectory 8.6.1 server tree, you might receive error -1416, NICI Data Invalid. This is because the master server (the TreeCA server, or the Tree Key server as listed in the .Security.KAP.W0 container) does not yet have the Tree Key to service the other servers installed into the tree.

To resolve this error, restart the DHost running on the master server after it is installed and before you install any other server into the tree. You do not have to reboot the server. You only need to stop and then restart DHost.

1.8 Upgrading from eDirectory 8.0

When upgrading from eDirectory 8.0, you will need to upgrade the Certificate Authority (CA) server first, before any other servers are upgraded in this tree.

To determine which server is acting as the CA, follow these steps:

1. In ConsoleOne, right-click the Organizational CA object > click Properties.
   The organizational CA object is located in the Security container at the root of the tree.

2. Select the General tab.

   The distinguished name of the server hosting the CA is listed in the Host Server field.

1.9 Upgrading to JVM 1.2.2

To install eDirectory 8.6.1 for NetWare, your NetWare server must be running NetWare 5.1 or NetWare 6 with JVM 1.2.2. JVM 1.2.2 is available in Consolidated Support Pack 2. You can also download it separately from http://download.novell.com.

1.10 Installing eDirectory on a NetWare 5.1 SP2 Server

If you install eDirectory 8.6.1 on a NetWare 5.1 SP2 server, ConsoleOne will not update properly. To update ConsoleOne, remove the ConsoleOne reference in the PRODUCTS.DAT file on the NetWare server before installing eDirectory 8.6.1.

2.0 Known Issues

2.1 Persistent Search Operations

A persistent search operation might not retrieve the updated information if entries in the eDirectory database change frequently.

2.2 ConsoleOne Issues

2.2.1 Displaying ConsoleOne in Multiple Monitor Mode

If you are having display problems when running ConsoleOne in multiple monitor mode on Windows, use the following command line option:

   -JDsun.java2d.noddraw=true

2.2.2 ConsoleOne Support for the Hong Kong Supplementary Character Set

This release of ConsoleOne does not support the Hong Kong Supplementary Character Set (HKSCS). We are currently working on a patch to allow HKSCS support in future releases of ConsoleOne.

2.2.3 PKIwrap Error

If you update a server with NDS eDirectory 8.5 and ConsoleOne 1.2d to Novell eDirectory 8.6.1 without updating ConsoleOne 1.2d to 1.3.3, you will get a PKIwrap error in ConsoleOne 1.2d every time you click an object in the tree. This happens because Novell eDirectory 8.6.1 installs NICI 2.3.0 on the server, and ConsoleOne 1.2d with the PKI snap-in is looking for the version of NICI installed with eDirectory 8.5, which is no longer present.
2.3 iMonitor Issues

2.3.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later.

2.3.2 Browsing for Objects in iMonitor Containing Extended Characters

When using iMonitor to browse an eDirectory tree for objects, an object with extended characters in the name might not hyperlink to the object properties correctly. This problem does not happen with any objects that contain double-byte characters. This issue will be resolved in a future release of iMonitor.

2.3.3 Running Custom Reports

When running custom reports, enter the URL as follows:

   /nds/

2.4 Dynamic Group Issues

2.4.1 Managing Dynamic Group Objects

In this release of eDirectory, you should use LDAP utilities to manage Dynamic Group objects. There are no ConsoleOne snap-ins available with eDirectory 8.6.1 to manage dynamic groups. Also, third-party products such as Netscape's admin console cannot be used to manage Novell eDirectory dynamic groups because the schema and the functionality provided differ from Netscape's implementation.

2.4.2 Configuring the memberQueryURL Attribute

The memberQueryURL attribute is defined as a multi-valued attribute to enable future enhancements, but in eDirectory 8.6.1, only the first value of the multi-valued attribute is used for the dynamic member expansion. To avoid confusion, set only one value for the memberQueryURL attribute, and use the "replace:" option instead of "add:" to specify a query URL value for the memberQueryURL attribute.

2.4.3 Configuring the dgIdentity Attribute

A dgIdentity attribute on the Dynamic Group object can be set to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group. The dgIdentity entry should always be chosen so that it is on the same partition as the Dynamic Group object. If it is not on the same partition, the dynamic members will not be visible.
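
Added example (not part of the original readme and not Novell code): a Python check that applies the guidance in sections 2.4.2 and 2.4.3 to LDIF modify records before they are sent to the directory. It assumes memberQueryURL holds a standard LDAP URL (RFC 4516 layout) and that the LDIF is unfolded; the DNs, finding codes and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote
# Constructed sample change records (not from the readme); every DN is made up.
SAMPLE_LDIF = """\
dn: cn=managers,ou=groups,o=example
changetype: modify
add: memberQueryURL
memberQueryURL: ldap:///ou=people,o=example??sub?(&(objectClass=inetOrgPerson)(title=manager))
memberQueryURL: ldap:///ou=staff,o=example??sub?(title=director)

dn: cn=admins,ou=groups,o=example
changetype: modify
replace: memberQueryURL
memberQueryURL: ldap:///ou=people,o=example??sub?(title=admin)
-
replace: dgIdentity
dgIdentity: cn=dgexpander,ou=groups,o=example
"""
FILTER_ATTR = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:[~<>]?=|:)")

def parse_modify_records(text):
    """Return [(dn, [(op, attr, [values])])] for simple, unfolded LDIF modify records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith("#")]
        dn, ops, current = lines[0].partition(":")[2].strip(), [], None
        for line in lines[1:]:
            key, value = line.partition(":")[0].strip().lower(), line.partition(":")[2].strip()
            if key in ("-", "changetype"):
                current = None
            elif key in ("add", "replace", "delete"):
                current = (key, value.lower(), [])
                ops.append(current)
            elif current and key == current[1]:
                current[2].append(value)
        records.append((dn, ops))
    return records

def parse_member_query_url(url):
    """Split an LDAP URL into base DN, scope and the attribute names used in its filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    rest = url[len("ldap://"):].partition("/")[2]  # drop the optional host:port
    base, _attrs, scope, flt = (unquote(p) for p in (rest.split("?") + [""] * 3)[:4])
    attrs = sorted(set(FILTER_ATTR.findall(flt or "(objectClass=*)")), key=str.lower)
    return {"base": base, "scope": scope or "base", "filter_attrs": attrs}

def audit_dynamic_group_changes(text):
    """Return (dn, code, detail) findings; partition placement cannot be checked from LDIF."""
    findings = []
    for dn, ops in parse_modify_records(text):
        urls = [(o, v) for o, a, v in ops if a == "memberqueryurl"]
        sets_identity = any(a == "dgidentity" and v and o != "delete" for o, a, v in ops)
        for op, vals in urls:
            if op == "add":  # 2.4.2: "replace:" keeps the attribute single-valued
                findings.append((dn, "ADD_USED", "use 'replace:' instead of 'add:'"))
            if len(vals) > 1:  # 2.4.2: only the first value is expanded
                findings.append((dn, "MULTI_VALUE", "only the first value is used: " + vals[0]))
            if vals and not sets_identity:  # 2.4.3: without dgIdentity the expansion is anonymous
                q = parse_member_query_url(vals[0])
                findings.append((dn, "NO_DGIDENTITY", "[Public] needs Read/Compare on %s and Browse under %s"
                                 % (", ".join(q["filter_attrs"]), q["base"])))
    return findings

if __name__ == "__main__":
    print(*audit_dynamic_group_changes(SAMPLE_LDIF), sep="\n")
```

A NO_DGIDENTITY finding only means this change record does not set the attribute; the entry in the directory may already carry one.
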
If no dgIdentity attribute is specified, the expansion of dynamic members will bind as public (anonymous). In that case, [Public] should at least have Read/Compare rights on all the attributes that occur in the search filter in the memberQueryURL, and also have Browse rights under the baseDN specified in the memberQueryURL.

2.4.4 Changing treeName or Search baseDN

If a dynamic group object is created in a tree and the treeName or the search baseDN subsequently changes, the dynamic members will not be visible. This can be corrected by reading the memberQueryURL attribute and correcting the treeName or the baseDN. The same thing applies for attribute names or class names that are in the search filter and subsequently removed.

2.4.5 Creating Dynamic Group Objects on a pre-eDirectory 8.6.1 server

If Dynamic Group objects are created on a pre-eDirectory 8.6.1 server, either by extending the schema to the eDirectory 8.6.1 schema or by adding the server to a tree that contains eDirectory 8.6.1 servers, the Dynamic Group object will be created but its dynamic members will not be visible on the pre-eDirectory 8.6.1 server. If the server is subsequently upgraded to eDirectory 8.6.1, the dynamic members will still not be visible until the Dynamic Group objects are upgraded. This option to upgrade will be available in an upcoming release of DSRepair.

2.5 Novell Certificate Server Issues

2.5.1 Novell Certificate Server Dependencies

The Certificate Server 2.21 ConsoleOne snap-in has the following dependencies:

- NICI 2.0.2 or later for Windows
- Novell LDAP SDK
- Novell Client 4.8 or later for Windows NT/2000, or Novell Client 3.3 or later for Windows 95/98/ME

If any of the above dependencies are not met, Certificate Server functionality will not be available and you will get one or both of the following error messages:

"NICI 2.0.2 or later is not installed on this client. The Certificate Server snap-in will not function until NICI is installed."

"The dynamic link library CCSW32.DLL could not be found in the specified path."

These error messages will occur only once on the first object access.

You will typically not have LDAP SDK in your ConsoleOne distribution if you obtained ConsoleOne directly from the Novell Web site. You should use the version of ConsoleOne provided with eDirectory.

NICI 2.0.2 for Windows is provided with eDirectory and is available from the Novell Free Download Site (download.novell.com).

2.5.2 Browser Support

You must use Internet Explorer 5 or later or Netscape Navigator 4 or later to use the certificates generated by Novell Certificate Server for SSL or LDAP connections. Older browsers are not supported.

2.5.3 Verisign Certificates and Creating a Server Certificate (KMO)

With Certificate Server 2.2.1, if you use Verisign as the external Certificate Authority (CA) during the creation of a Server Certificate (KMO), you no longer need to obtain Verisign's trusted root to paste into the Trusted Root field. You can now select the option No Trusted Root Available, click Next, and then paste in the certificate you received from Verisign.

When the certificate is installed, the server determines if the certificate you pasted chains to a Verisign embedded root. If it does, the certificate and the trusted root are added to the Server Certificate object in eDirectory.

2.5.4 Compatibility between Certificate Server 2.03 and 2.21

If you run the Certificate Server 2.21 snap-in while generating the Certificate Authority object or a Server Certificate (KMO) object on a server where Certificate Server 2.03 is running, in order to successfully create the object, you will need to use the custom path in the creation wizard. On the Key size screen, deselect the Allow Private Key to Be Exported check box.

2.6 Updating NMAS Clients

If you install the NMAS server module that ships with this product, you must make sure you update the NMAS client on each workstation to 2.02 or higher.
If you fail to do this, you will receive -1635 errors when you attempt to log in. The NMAS client 2.02 or higher is available at the Novell Free Download site (http://download.novell.com).

2.7 Deleting Old Schema Definitions

Original schema definitions for the new Dynamic Group feature were added to the NDS500.SCH file during earlier beta versions of eDirectory 8.6. For this release, those definitions were transferred to the NDSCOMM.SCH file. An additional flag (Single-Value) was also added to an attribute definition during the beta versions of this product, and an additional super-class (ndsLoginProperties) was added to the new class definitions.

Because the Dynamic Groups feature had not yet been included in the delivered beta products (so no code was using these schema definitions), the old schema definitions should be deleted, allowing the updated definitions to be properly installed. This is not an issue if you did not install NetWare 6 Beta 3.

In order to properly update your schema for the correct definitions, the existing definitions for the attribute dgIdentity, the class dynamicGroup, and the class dynamicGroupAux need to be deleted. The proper definitions will be created when eDirectory 8.6 is installed.

The attribute and two classes can be deleted using the Schema Manager tool in ConsoleOne.

1. Log in to your tree as a user with Administrative rights to the root of the tree (so you can successfully modify the schema).

2. In ConsoleOne, select your Tree object > click the Tools menu > Schema Manager.

3. On the Classes tab, select the dynamicGroup definition > click Delete.

4. Select the dynamicGroupAux definition > click Delete.

5. Click the Attributes tab > select the dgIdentity definition > click Delete.

6. Click Close.
3.0 Documentation Issues

3.1 Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

- Novell eDirectory
  \DOCUMENTATION\ENGLISH\EDIR86\EDIR86.PDF
  \DOCUMENTATION\ENGLISH\EDIR86\QSEDIR86.PDF

- Novell Client
  \DOCUMENTATION\ENGLISH\NOCLIENU\NOCLIENU.PDF

- Novell Certificate Server
  \DOCUMENTATION\ENGLISH\CERTSERV\CERTSERV_ADMIN.PDF

- ConsoleOne 1.3
  \DOCUMENTATION\ENGLISH\CONSOL13\C1_ENU.PDF

- Novell Modular Authentication Services (NMAS)
  \DOCUMENTATION\ENGLISH\NMAS\DOC\NMAS_ADMIN.PDF
  \DOCUMENTATION\ENGLISH\NMAS\DOC\NMAS_INSTALL.PDF
  \DOCUMENTATION\ENGLISH\NMAS\DOC\RADIUS.PDF

For the most current versions of these manuals, see the Novell Documentation Web site (http://www.novell.com/Documentation).

3.2 Additional Readme Files

For additional information on the contents of this release, see the following sources on the Novell eDirectory CD:

- Novell eDirectory for Windows NT/2000: \NT\I386\NDSONNT\README\EN\README.HTML
- Novell eDirectory for Solaris: \SOLARIS\README.TXT
- Novell eDirectory for Linux: \LINUX\README.TXT
- NICI on Windows NT: \NT\I386\SERVERNICI\NI\HELP\EN\README.HTML
- Novell Clients: \NT\I386\README.TXT

International users of eDirectory 8.6.1 should refer to www.novell.com/documentation/lg/ndsedir86/index.html for translated versions of this readme file.

3.3 Additional Information

For information on additional eDirectory issues for this release, refer to Solution #10066455 (http://support.novell.com) in the Novell Knowledge Base.

4.0 Legal Notices

4.1 Disclaimer, Patents, and Copyright

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

U.S. Patent Nos. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,832,275; 5,832,483; 5,832,487; 5,864,865; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,910,803; 5,913,025; 5,933,826; 5,946,467; 5,956,718; 5,956,745; 5,964,872; 5,983,234; 6,002,398; 6,016,499; 6,029,247. U.S. and Foreign Patents Pending.

Copyright (C) 2001 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

4.2 Novell Trademarks

Novell, NetWare, and NDS are registered trademarks of Novell, Inc. in the United States and other countries.

ConsoleOne, eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Services are trademarks of Novell, Inc.

4.3 Third-Party Trademarks

All third-party trademarks are the property of their respective owners.