Novell eDirectory 8.8 SP6 for Linux, Solaris, and AIX

September 09, 2011

1.0 Installation

1.1 Prerequisites

NOTE: Check the currently installed Novell and third-party applications to determine if eDirectory 8.8 SP6 is supported before upgrading your existing eDirectory environment. It is also highly recommended that you back up eDirectory prior to any upgrades.

1.1.1 Linux

  • 32-bit eDirectory supported platform

    32-bit

    • SUSE Linux Enterprise Server (SLES) 11 and its Support Packs

    • SLES 10 and its Support Packs

    • Red Hat Enterprise Linux (RHEL) 5 AP and its Support Packs

    • RHEL 6.0 and its Support Packs

    64-bit

    • SLES 11 and its Support Packs

    • SLES 10 and its Support Packs

    • RHEL 5 AP and its Support Packs

    • RHEL 6.0 and its Support Packs

  • 64-bit eDirectory supported platform

    • SLES 11 64-bit and its Support Packs

    • SLES 10 and its Support Packs

    • RHEL 5 AP and its Support Packs

    • RHEL 6.0 and its Support Packs

  • You can run the above operating systems in a virtual mode on the following hypervisors:

    • Xen

    • VMware ESX

    • Windows Server 2008 R2 Virtualization with Hyper-V

  • A minimum of 512 MB RAM for eDirectory

  • 200 MB of disk space for the eDirectory installation (server and administration utilities)

  • 150 MB of disk space for every 50,000 users

  • Ensure that gettext is installed. To install gettext, search the rpmfind Web site for gettext.

NOTE: The net-snmp-32-bit RPM should be installed on 64-bit SLES or OES Linux.

  • Ensure that the supported version of SSP is installed on eDirectory 8.7.3 SPx before upgrading to eDirectory 8.8 SP6.

    • For eDirectory 8.7.3 SP9, ensure that SSP 203 is installed.

    • For eDirectory 8.7.3 SP10, ensure that SSP 206 is installed.

Using eDirectory 8.8 SP6 with a Firewall Enabled

On SLES, if you add an eDirectory 8.8 SP6 server from a SLES host to an existing tree running on a different host, the process might fail if the firewall is enabled.

Enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition.

On an RHEL system, if you add a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add it if you open port 524 in the firewall.

1.1.2 Solaris

  • 32-bit eDirectory supported platform

    • Solaris 10

  • 64-bit eDirectory supported platform

    • Solaris 10

    • Solaris 10 Zones (Small Zone and Big Zone)

  • All latest recommended patches available on the SunSolve Web page. If you do not update your system with the latest patches before installing eDirectory, you might have problems while installing and configuring eDirectory.

  • A minimum of 512 MB RAM

  • 200 MB of disk space for the eDirectory installation (server and administration utilities)

  • 150 MB of disk space for every 50,000 users

1.1.3 AIX

  • AIX 5L Version 5.3

  • AIX V6.1

  • All recommended AIX OS patches, available at the IBM Tech Support Web site

  • A minimum of 512 MB RAM

  • 200 MB of disk space for the eDirectory installation (server and administration utilities)

  • 150 MB of disk space for every 50,000 users

1.2 Installing eDirectory on Linux, Solaris, and AIX

Use the nds-install command in the setup directory for installing eDirectory:

./nds-install

If you download Novell eDirectory 8.8 SP6 from http://download.novell.com, use gunzip <downloaded file name> to extract the downloaded file to a tar file. Then use tar xvf <eDirectory file name>.tar to get the packages and RPMs with the eDirectory installation and uninstallation scripts.

For more information on installing eDirectory, refer to the Novell eDirectory 8.8 Installation Guide.

1.3 iManager Plug-In Installation

  • Download the eDir_88_iMan27_Plugins.npm iManager plug-in from the Web.

  • Install the NPM as directed in the iManager 2.7 Administration Guide.

    NOTE: The iManager plug-in is available at the download.novell.com Web site.

2.0 Known Issues

2.1 Installation and Configuration Issues

IMPORTANT: Ensure that the supported version of SSP is installed on eDirectory 8.7.3 SPx before upgrading to eDirectory 8.8 SP6. Refer to Section 1.1, Prerequisites for more information.

2.1.1 eDirectory Dumps the Core on Loading Xdasauditds When the Syslog Appender Is Disabled

Install and configure eDirectory, then configure the xdasproperties file. Ensure that the Syslog appender is enabled as follows:

log4j.appender.S=org.apache.log4j.net.SyslogAppender

Disable Layout definition for appender Syslog S as follows:

# Layout definition for appender Syslog S.
log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

When you attempt to load xdasauditds, eDirectory starts dumping the core and the program is terminated with signal 11.

This issue arises because log4cxx does not check for the existence of layout in the xdasproperties file before setting it up. It assumes that Layout definition for appender Syslog S is automatically enabled if Syslog appender is enabled in the xdasproperties file.
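A pre-flight check for this condition, run before loading xdasauditds, is sketched below. It is an added example, not Novell code: the function name is hypothetical, the path to the properties file is passed as an argument, and requiring both layout keys for every active SyslogAppender is a conservative assumption based on the configuration shown above.

```shell
#!/bin/sh
# Added example (not part of the Readme): detect an active SyslogAppender
# whose layout keys are missing or commented out in a log4j-style file.

# check_syslog_layout PROPERTIES_FILE
# Returns 0 when every active SyslogAppender also has an active layout and
# layout.ConversionPattern key; prints each missing key and returns 1 otherwise.
check_syslog_layout() {
    awk '
        /^[ \t]*[#!]/ { next }                  # commented-out property
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next                   # not a key=value line
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            sub(/[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val)
            sub(/[ \t]+$/, "", val)
            seen[key] = 1
            if (key ~ /^log4j\.appender\.[^.]+$/ &&
                val == "org.apache.log4j.net.SyslogAppender") {
                name = key
                sub(/^log4j\.appender\./, "", name)
                syslog[name] = 1                # appender name, e.g. S
            }
        }
        END {
            bad = 0
            for (name in syslog) {
                layout = "log4j.appender." name ".layout"
                pattern = layout ".ConversionPattern"
                if (!(layout in seen))  { print "missing: " layout;  bad = 1 }
                if (!(pattern in seen)) { print "missing: " pattern; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample reproducing the configuration described in 2.1.1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Layout definition for appender Syslog S.
log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
EOF
check_syslog_layout "$sample" ||
    echo "do not load xdasauditds until the keys above are enabled"
rm -f "$sample"
```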

2.1.2 Auto Save Issues in iManager

The auto save feature of the iManager property page causes it to save the default object class when you visit the XDAS roles or XDAS accounts page before moving to other pages. To make sure that the settings are appropriate for your requirement, check the xdasconfiguration attribute on the ncp server object after you are done with settings through iManager.

2.1.3 eDirectory 8.8 SP6 Fails on RHEL 5.0

When you configure eDirectory on RHEL 5.0, it fails because libstdc++6.0 is automatically installed with Red Hat 5.0. Because the embox, pkiinst, and pkiserver modules are linked to libstdc++5, the incorrect compat library causes the eDirectory configuration to fail.

To work around this issue, manually install the compat-libstdc++-33-3.2.3-61.i386.rpm library.

2.1.4 eDirectory Packages are Marked for Deletion while Upgrading from SLES 9 to SLES 10

The upgrade causes eDirectory packages to be marked for deletion. You can deselect this option to avoid eDirectory deletion.

If eDirectory is accidentally deleted, there is no data loss and it can be reinstalled.

2.1.5 ndsd Issue While Shutting Down the Server

While shutting down the server after eDirectory is successfully configured, ndsd sometimes dumps the core in the DIB directory of eDirectory. This can be ignored because it does not corrupt data or disrupt services.

2.1.6 nds-install Script Fails if eDirectory Installation Is Aborted on AIX

If eDirectory installation is stopped midway, the fileset might be installed, but in an uncommitted state. This fileset must be removed completely to reinstall eDirectory.

Use the following command to clean the fileset:

installp -ug <fileset>

Example: installp -ug NDS.NDSserv

2.1.7 nds-install Script Warning Says AIX 6.1 is a Not Supported Platform

The following warning is displayed:

%%% Warning: This is not a supported platform for eDirectory 8.8.6. Please
refer to NOVELL Documentation for information on supported platforms. Do you
want to Continue  '[y/n/q] ? 'y

It is safe to ignore this message. You can select the 'Y' option to continue the installation.

2.1.8 eMBox GUI Element Results Inconsistent with the Command

When you select a radio button from the eMBox graphical interface, the command line window does not match with the result of the button selection. It shows as selected, but if it is executed, it works as expected.

2.1.9 Using the CRON Scheduler

Because the environment of the dsbk script and the CRON scheduler differ, the dsbk script fails to run as a scheduled cron job. The workaround is to manually edit the dsbk script to point to the ndstrace binary path before scheduling it as a cron job.

2.1.10 The ndsd Service does not Start Automatically After Reboot

On a RHEL 6 machine, after reboot, the eDirectory service does not start automatically.

To resolve this, add ndsd to the system service using the chkconfig command.

chkconfig --add ndsd

2.2 Installing eDirectory on SELinux Enabled RHEL

After installing eDirectory on a SELinux enabled RHEL 6 machine, some of the system services might not work properly, because the SELinux permission of /etc folder changes to system_u:object_r:default_t:s0.

To resolve this issue, run the following commands in sequence in the terminal window after installing eDirectory:

restorecon -v /etc/ld.so.cache
restorecon -v /etc 
restorecon -v /etc/opt 
restorecon -v /etc/ld.so.conf.d 
restorecon -v /etc/profile.d 
restorecon -v /opt 

NOTE: On a RHEL 5.4 machine, when you run the ndsconfig command on a SELinux enabled system, the following error is displayed:

ndsconfig: error while loading shared libraries: /opt/novell/lib/libccs2.so: 
cannot restore segment prot after reloc: Permission denied.

To resolve this error, run the following additional commands before running the ndsconfig command:

find /opt/novell/lib -name '*.so*' -exec chcon -t texrel_shlib_t {} \; 
find /opt/novell/eDirectory/lib/  -name '*.so*' -exec chcon -t texrel_shlib_t {} \;

2.3 Issue with Configuring a Server

You cannot add a new server into a context if its fully qualified DN length is more than 256 characters. The length restriction applies to a fully qualified DN and not to the context length. The fully qualified DN of any object can have a maximum of 256 characters.

2.4 Uninstallation Issues

2.4.1 Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall can't remove eDirectory.

To resolve this, install eDirectory again in the same location and then uninstall it.

2.4.2 The nds-uninstall -s Option Fails to Retain Configuration and DIB Files

You must not use the -s option to retain the nds.conf and the DIB. Ensure that you back them up before performing the nds-uninstall operation.

2.5 Upgrade Issues

2.5.1 Duplicate Files Are Created after Upgrading from eDirectory 8.8.2 to eDirectory 8.8.6

After upgrading eDirectory, the new configuration files have a .new extension. If there are any changes to these files, they can be absorbed in your files.

2.5.2 Upgrading Simple Password Bind from an Older Version to a 64-Bit 8.8.6 Version

After upgrading eDirectory from 32-bit to 64-bit, ensure you update the NMAS Simple Password method for simple password binds to work.

2.5.3 Issue with Identity Manager 3.x after Upgrading to eDirectory 8.8.x

When you upgrade from eDirectory 8.7.3.x to 8.8.x, the eDirectory files reside in a different path. The Identity Manager engine and Remote Loader still reside at the original install location from the eDirectory 8.7.3.x installation.

For Identity Manager to work with eDirectory 8.8.x, you must reinstall any previously installed Identity Manager components on the system to have them relocated to the new paths as defined by the eDirectory 8.8.x installation.

2.5.4 Install the Latest NICI Version before Upgrading from eDirectory 8.7.3 Versions Prior to SP9

For a successful upgrade from eDirectory 8.7.3.x versions prior to eDirectory 8.7.3 SP9 to eDirectory 8.8 SP5 or 8.8 SP6, do the following:

  1. Uninstall the NICI that is installed with eDirectory 8.7.3.x.

  2. Manually install the NICI that is shipped with eDirectory 8.8 SP5 or 8.8 SP6.

  3. Start the eDirectory upgrade by using the nds-install script.

For more information on the upgrade procedure, refer to the eDirectory 8.8.6 Troubleshooting Guide.

2.5.5 Instrumentation RPM Upgrade Issues While Upgrading eDirectory

If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM is not automatically upgraded. Therefore, you must manually upgrade the eDirectory instrumentation RPM.

NOTE: eDirectory instrumentation is automatically installed with Identity Manager 4.0.

For more information on upgrading the instrumentation, refer to the Novell eDirectory 8.8.6 Installation Guide.

2.6 Default Instance Path for Multiple Instances

While you configure the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.

2.7 ldif2dib Limitations

2.7.1 Schema

The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has the following syntax in the LDIF file:

  • objectclass: inetorgperson

  • objectclass: organizationalPerson

  • objectclass: person

  • objectclass: top
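The following lint, run over an LDIF file before a bulkload, reports entries that omit an inherited class. It is an added example, not part of ldif2dib: the function name is hypothetical, and the superclass table holds only the inetOrgPerson chain listed above, so extend it for the other classes in your schema.

```shell
#!/bin/sh
# Added example (not part of the Readme): report LDIF entries that do not
# list every inherited object class.

# lint_ldif_objectclasses LDIF_FILE
# Prints "<dn line>: missing objectclass <class>" per gap; returns 1 if any.
lint_ldif_objectclasses() {
    awk '
        BEGIN {
            RS = ""; FS = "\n"                  # one blank-line-separated entry per record
            # Assumption: only the chain from the inetOrgPerson example in 2.7.1.
            sup["inetorgperson"] = "organizationalperson"
            sup["organizationalperson"] = "person"
            sup["person"] = "top"
            bad = 0
        }
        {
            entry = $0
            gsub(/\n /, "", entry)              # unfold LDIF continuation lines
            n = split(entry, ln, "\n")
            dn = "(no dn)"
            split("", have); split("", miss)    # reset per-entry sets
            for (i = 1; i <= n; i++) {
                low = tolower(ln[i])
                if (low ~ /^dn:/) {
                    dn = ln[i]
                } else if (low ~ /^objectclass:[^:]/) {
                    sub(/^objectclass:[ \t]*/, "", low)
                    sub(/[ \t]+$/, "", low)
                    have[low] = 1
                }
            }
            # Walk each listed class up its superclass chain.
            for (c in have)
                for (p = sup[c]; p != ""; p = sup[p])
                    if (!(p in have)) miss[p] = 1
            for (p in miss) {
                printf "%s: missing objectclass %s\n", dn, p
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the second entry omits "person".
sample=$(mktemp)
cat > "$sample" <<'EOF'
version: 1

dn: cn=asmith,o=example
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: asmith

dn: cn=jdoe,o=example
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: top
cn: jdoe
EOF
lint_ldif_objectclasses "$sample" ||
    echo "add the missing classes before running ldif2dib"
rm -f "$sample"
```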

2.7.2 ACL Templates

Objects that are bulkloaded with the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.

2.7.3 Signal Handler

You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.

2.7.4 Options

On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.

2.7.5 Ldif2dib Might Fail to Upload Objects on RHEL

When you attempt to upload millions of objects to eDirectory by using ldif2dib, and the checkpoint interval is explicitly specified, the operation might halt with an error stating that the directory is full.

To work around this issue, skip the checkpoint interval (use the -i option with the ldif2dib command).

2.8 Viewing French Man Pages

To view the French man page on Red Hat Linux, export the following:

export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8

To view the man pages on AIX, use the English locale.

2.9 Unable to Limit the Number of Concurrent Users on Non-NetWare Platforms

The concurrent connection limit behavior of non-NetWare platforms is changed to match that of NetWare. To revert to the old behavior (strict port-based checking), set the following parameter in the nds.conf file.

n4u.server.mask-port-number=0

2.10 Catalog Services with eDirectory 8.8 SP6

Catalog services running with eDirectory 8.8 SP6 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Novell Client.

2.11 Localhost Issues

2.11.1 Localhost Issues in /etc/hosts

If you have a loopback address alias to the hostname of the system in an /etc/hosts entry, it must be changed to the hostname or IP address. That is, if you have an entry similar to the one below in your /etc/hosts file, it needs to be changed to the correct entry given in second example below.

The following example has problems when any utility tries to resolve to ndsd server:

127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system

If any third-party tool or utility resolves through localhost, it needs to be changed to resolve through a hostname or IP address and not through the localhost address.

2.11.2 eDirectory Creates Certificates on the Loopback Interface on SLES 11

If the /etc/hosts file has an entry with 127.0.0.2 loopback address, the default IP certificate is created for 127.0.0.2 loopback address.

To work around this issue, edit the /etc/hosts file if the hosts file has an entry with 127.0.0.2 loopback address.

For example: 127.0.0.2 hostname

Comment it out and make sure that the real IP address entry is present in the file.
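The check below covers both 2.11.1 and 2.11.2 by listing hosts-file entries that map the system hostname to any 127.x.x.x address. It is an added example, not part of the Readme: the function name and the example.com name in the sample are constructed, and matching on the first label of the hostname is a deliberately conservative assumption.

```shell
#!/bin/sh
# Added example (not part of the Readme): find /etc/hosts entries that map
# the system hostname to a loopback address (127.0.0.0/8).

# find_loopback_aliases HOSTS_FILE HOSTNAME
# Prints "line-number: entry" for each offending line; returns 1 if any exist.
find_loopback_aliases() {
    awk -v host="$2" '
        BEGIN {
            host = tolower(host)
            short = host
            sub(/\..*/, "", short)          # first label of the hostname
            bad = 0
        }
        {
            orig = $0
            sub(/#.*/, "")                  # drop comments and commented-out entries
            if ($1 !~ /^127\./) next        # only loopback addresses matter
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                label = name
                sub(/\..*/, "", label)
                if (name == host || label == short) {
                    printf "%d: %s\n", NR, orig
                    bad = 1
                    break
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample combining the problem entries from 2.11.1 and 2.11.2.
# On a real server: find_loopback_aliases /etc/hosts "$(hostname)"
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 test-system localhost.localdomain localhost
127.0.0.2 test-system.example.com test-system
10.77.11.10 test-system
EOF
find_loopback_aliases "$sample" test-system ||
    echo "loopback aliases found: map the hostname to its real IP address"
rm -f "$sample"
```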

2.12 LDAP, TCP, and TLS Ports Issue with Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

LDAP TCP Port is not listening
LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

netstat -na

2.13 LDAP SNMP Statistics Do Not Report when Anonymous Bind Is Disabled

To resolve this issue:

  1. Allow anonymous bind.

  2. Start the subagent.

  3. Disable/disallow anonymous bind.

2.14 Deleting a Moved Object

Deletion of a moved object might fail (error -637) in a tree with two or more servers.

2.15 Issues with Running Identity Manager with eDirectory on AIX

For proper functioning of Identity Manager with eDirectory, increase the max stack size of the ndsd by using the following command:

ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd

Ensure that ndsd is not running when you execute this command.

2.16 eDirectory Does Not Generate a Logout Event due to eDirectory Client Limitation

eDirectory does not generate a Logout event when you log out of iManager. This is because of a technical limitation in the client part of eDirectory.

Auditing applications can use NWDS APIs to receive logout events. Applications that use LDAP can monitor logout with unbind events.

2.17 Issues Generated by TERM While Running ndstrace

TIME and TAGS tags are displayed as enabled (underlined), but not by default. When the TERM is set to VT100 or xterm from a Linux terminal, these tags are displayed as if they are enabled (underlined). This issue does not occur for any other term such as dtterm.

2.18 eMBox Does Not Handle Double-Byte Characters

eMBox does not handle double-byte characters for setting a roll-forward directory through the eMBox client and iManager. This can still be done by using DSBK.

2.19 64-Bit eDirectory 8.8 SP6 Performance on Solaris

On Solaris, a 64-bit eDirectory benefits by being able to grow beyond a 4 GB virtual address space. However, there might not be much performance improvement. In some scenarios, a 64-bit eDirectory might not perform as well as a 32-bit eDirectory.

2.20 Manually Installing NICI

On Solaris 10 64-bit, when you try to install the NICI package manually, the install throws the following error:

For 32-bit install: ln: cannot create /usr/lib/libccs2.so: File exists

For 64-bit install: ln: cannot create /usr/lib/sparcv9/libccs2.so: File exists

To resolve this issue:

  1. Remove the links from the following directory:

    For 32-bit: /usr/lib/

    For 64-bit: /usr/lib/sparcv9/

  2. Install the NICI 32-bit and 64-bit packages by using pkgadd.

Follow the same procedure for a non-root install where NICI needs to be installed manually.

2.21 Issue with Exporting the Correct ndspath for Root eDirectory

If both non-root and root eDirectory are configured on the same machine, you cannot export the root eDirectory ndspath from a directory in which the non-root eDirectory is extracted.

For example, while exporting a path for a root eDirectory, if the non-root eDirectory path is /home/non-root/eDirectory/ and a user at /home/non-root/eDirectory/opt/ is exporting the path . /opt/novell/eDirectory/bin/ndspath, this ndspath script exports the path for the non-root eDirectory.

To resolve this issue, export the ndspath for root eDirectory from any directory other than the path extracted for the non-root eDirectory. For example, /home/non-root/eDirectory/opt/.

2.22 Issue with Moving a Dynamic Group

Moving a Dynamic group object with "dynamicgroup" in the object class attribute to another container breaks the Dynamic Group functionality. After the move, queries and searches on dynamic members do not work.

2.23 Segmentation Fault Error while Accessing the Subagent

On Linux 64-bit, when a user tries to start the subagent (ndssnmpsa) by using an incorrect eDirectory password, a segmentation fault error occurs.

To avoid getting this error, ensure that you use the correct eDirectory password while starting the subagent.

2.24 Running ndsrepair

If you run an unattended ndsrepair after an upgrade or migration from an 8.7.3.x server, an Invalid Ancestor ID list for the entry error message appears.

This can be ignored because an Ancestor ID upgrade is done as part of the background process, after the DIB upgrade or migration.

2.25 Interoperability Issues

2.25.1 IDP Cannot Create Shared Secrets in eDirectory 8.8 SP6 64-Bit

For eDirectory 8.8 SP6 64-bit configured as an external user store and an external SecretStore, if you create a Form Fill policy with a shared secret to speed up the iManager authentication, it returns a data store error after authenticating to the Linux Access Gateway. eDirectory 8.8 SP6 64-bit is not supported as an external SecretStore with Access Manager.

2.25.2 Cannot Change the Passphrase after Unlocking SecretStore

SecretStore locks if you try to retrieve a forgotten password by logging in with user credentials and a wrong passphrase. You can unlock SecretStore with administrator rights, and the Novell SecureLogin client allows you to log in without a passphrase. If you try changing the passphrase, the login fails and returns an error.

2.25.3 ZENworks WOL Service Cannot Start when eDirectory Is Upgraded to eDirectory 8.8 SP6 64-Bit

The ZENworks Wake-on-LAN service does not start even after you attempt to start it manually.

2.25.4 User Credentials Modified through SecretStore Are Reset to Null

When you try saving new credentials in SecretStore by using the iManager plug-in, a blank credential column displays because iManager fails to save the changes.

You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.

2.25.5 Creating a Different Credential Set with the Same User Overwrites the Previous Credential Set

When you save an alternate credential set, SecretStore fails to retain the first set and only the latest credential set is visible.

You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.

2.26 Running the DSBK Script as a cron job Fails

Running the DSBK script as a cron job fails, because the complete path name of ndstrace is not mentioned in the DSBK script.

To resolve this issue, manually modify the DSBK script and replace all instances of ndstrace with the complete path to the ndstrace binary. For example, /opt/novell/eDirectory/bin/ndstrace.

2.27 NDS Schema Already Configured Message Appears

When you extend the ediraudit.sch file, the following message displays:

NDS schema already configured

This is expected behavior. You don’t need to extend the schema if the server is eDirectory 8.8 SP6.

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP6 has the following documentation:

  • Novell eDirectory 8.8 What's New Guide

  • Novell eDirectory 8.8 Installation Guide

  • Novell eDirectory 8.8 Administration Guide

  • Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site.

3.2 Readme Information

The latest version of this Readme is available at the Novell eDirectory 8.8 online documentation Web site.

3.3 Additional Documentation

3.3.1 iManager

3.3.2 NMAS 3.3.3

For NMAS information, refer to the NMAS online documentation.

3.3.3 Certificate Server 3.3.4

For Certificate Server information, refer to the Certificate Server online documentation.

3.3.4 NICI 2.7.6

For NICI information, refer to the NICI online documentation.

3.3.5 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.