Novell eDirectory 8.8 SP5 for Linux, Solaris, and AIX

December 02, 2009

1.0 Installation

1.1 Prerequisites

NOTE: Check the currently installed Novell and third-party applications to determine if eDirectory™ 8.8 SP5 is supported before upgrading your existing eDirectory environment. You can find the current status for Novell products in the TID - What products are supported with Novell eDirectory 8.8 SP5. It is also highly recommended that you back up eDirectory prior to any upgrades.

1.1.1 Linux

  • 32-bit eDirectory supported platform

    32-bit

    • SUSE® Linux Enterprise Server (SLES) 11

    • SLES 10 SP1 and SP2

    • SLES 10 SP1 and SP2 XEN

    • OES2 SP1 Linux

    • Red Hat Enterprise Linux (RHEL) 5**

    • RHEL 5** AP

    • RHEL 5** AP Virtualization

    **- Latest service pack

    64-bit

    • SLES 11

    • SLES 10 SP1 and SP2

    • SLES 10 SP1 and SP2 XEN

      IMPORTANT: eDirectory 8.8 SP5 is supported on the SLES 10 XEN* virtualization service that runs the SLES 10 guest OS. The updates are available at https://update.novell.com.

      To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.

    • RHEL 5**

    • RHEL 5** AP

    • RHEL 5** AP Virtualization

      Ensure that the latest glibc patches are applied from Red Hat Errata on Red Hat systems. The minimum required version of the glibc library is version 2.1.

    **- Latest service pack

  • 64-bit eDirectory Supported Platform

    • SLES 11 64-bit

    • SLES 10 SP1 64-bit

    • SLES 10 SP2 64-bit

    • OES2 SP1 Linux

    • RHEL 5**

    • RHEL 5** AP

    • RHEL 5** AP Virtualization

    **- Latest service pack

  • A minimum of 512 MB RAM for eDirectory

  • 162 MB of disk space for the eDirectory™ server

  • 30 MB of disk space for the eDirectory administration utilities

  • 150 MB of disk space for every 50,000 users

  • Ensure that gettext is installed. To install gettext, search the rpmfind Web site for gettext.

NOTE: The net-snmp-32-bit RPM should be installed on 64-bit SLES or OES Linux.

  • Ensure that the supported version of SSP is installed on eDirectory 873SPx before upgrading to eDirectory 8.8 SP5.

    • For eDirectory 873 SP9, ensure that SSP 203 is installed.

    • For eDirectory 873 SP10, ensure that SSP 206 is installed.

Usage of eDirectory 8.8 SP5 with Firewall Enabled

On a SLES platform: While adding an eDirectory 8.8 SP5 server from a SLES host to an existing tree running on a different host, the process might fail to add the server if the firewall is enabled.

Enable SLP services and an NCP™ port (the default is 524) in the firewall to allow the secondary server addition.

On a RHEL platform: On a RHEL system, while adding a secondary server to an eDirectory tree, ndsconfig hangs during schema synchronization. However, you can add the server if you open port 524 in the firewall.

1.1.2 Solaris

  • 32-bit eDirectory supported platform

    • Solaris* 9

    • Solaris* 10

  • 64-bit eDirectory supported platform

    • Solaris* 10

    • Solaris* 10 Zones (Small Zone and Big Zone)

  • All latest recommended patches available on the SunSolve* Web page. If you do not update your system with the latest patches before installing eDirectory, you might have problems while installing and configuring eDirectory.

  • A minimum of 512 MB RAM

  • 184 MB of disk space for the eDirectory server

  • 43 MB of disk space for the eDirectory administration utilities

  • 150 MB of disk space for every 50,000 users

1.1.3 AIX

  • AIX* 5L Version 5.3

  • All recommended AIX OS patches, available at the IBM* Tech Support Web site

  • A minimum of 512 MB RAM

  • 215 MB of disk space for the eDirectory server

  • 38 MB of disk space for the eDirectory administration utilities

  • 150 MB of disk space for every 50,000 users

1.2 Installing eDirectory on Linux, Solaris, and AIX

Use the nds-install command in the setup directory for installing eDirectory:

./nds-install

If you download Novell® eDirectory 8.8 SP5 from http://download.novell.com, use gunzip <downloaded file name> to extract the downloaded file to a tar file. Then use tar xvf <eDirectory file name>.tar to get the packages and RPMs along with the eDirectory installation and uninstallation scripts.

For more information on installing eDirectory, refer to the Novell eDirectory 8.8 Installation Guide.

For more information on upgrading eDirectory 8.8 SP5 using OES patch channel, refer to the Novell eDirectory 8.8 Installation Guide.

1.3 iManager Plug-Ins Installation

2.0 Known Issues

2.1 Installation and Configuration Issues

IMPORTANT: Ensure that the supported version of SSP is installed on eDirectory 873SPx before upgrading to eDirectory 8.8 SP5. Refer to Section 1.1, Prerequisites for more information.

2.1.1 eDirectory 8.8 SP5 Fails on RHEL 5.0

When you configure eDirectory on RHEL 5.0, it fails because libstdc++6.0 is automatically installed with Red Hat 5.0. Because the embox, pkiinst, and pkiserver modules are linked to libstdc++5, the incorrect compat library causes the eDirectory configuration to fail.

To work around this issue, install the compat-libstdc++-33-3.2.3-61.i386.rpm library manually.

2.1.2 eDirectory Packages Marked for Deletion while Upgrading from SLES9 to SLES10

The upgrade causes eDirectory packages to be marked for deletion. You can deselect this option to avoid eDirectory deletion.

If eDirectory is accidentally deleted, there is no data loss and it can be reinstalled.

2.1.3 ndsd Issue while Shutting Down the Server

After eDirectory is successfully configured and while shutting down the server, ndsd sometimes dumps the core in the dib directory of eDirectory. This can be ignored because it does not corrupt data or disrupt services.

2.1.4 nds-install Script Fails if eDirectory Installation is Aborted on AIX

If eDirectory installation is stopped midway, the fileset might be installed, but in an uncommitted state. This fileset must be removed completely to reinstall eDirectory.

Use the following command to clean the fileset:

installp -ug <fileset>

Example: installp -ug NDS.NDSserv

2.1.5 eMBox GUI Element Result Inconsistent with the Command Printed

When you select a radio button in the eMBox graphical interface, the command line window does not match the result of the button selection. It shows it as selected, but if executed it works fine and the selected buttons get executed.

2.2 eDirectory Behavior on SELinux-Enabled Red Hat Systems

  • New Tree: When you add a server to a new eDirectory tree, the following error displays:

    ndsconfig: error while loading shared libraries: /opt/novell/lib/libccs2.so:
    cannot restore segment prot after reloc: Permission denied.
    
  • Existing Tree: When you add a server to an existing eDirectory tree, ndsconfig does not respond while synchronizing schema because SELinux is enabled on the system.

    To disable SELinux for an application and continue the configuration, refer to the Red Hat documentation.

2.3 Uninstallation Issues

2.3.1 Uninstallation Fails if Installation Was Not Successfully Completed

If eDirectory installation fails, nds-uninstall can't remove eDirectory.

To resolve this, install eDirectory again in the same location and then uninstall it.

2.3.2 nds-uninstall -s Option Fails to Retain Configuration and DIB Files

You must not use the -s option to retain the nds.conf file and the DIB. Ensure that you back them up before performing the nds-uninstall operation.

2.4 Upgrade Issues

2.4.1 Duplicate Files Created after Upgrading from eDirectory 8.8.2 to eDirectory 8.8.5

After upgrading eDirectory, the new configuration files get a .new extension. If there are any changes in these files, you can merge them into your existing files.

2.4.2 Upgrading Simple Password Bind from an Older Version to 64-bit 8.8.5 Version

After upgrading eDirectory from 32-bit to 64-bit, ensure that you update the NMAS Simple Password method for simple password binds to work.

2.4.3 Issue with IDM 3.x after Upgrading to eDirectory 8.8.x

When you upgrade from eDirectory 8.7.3.x to 8.8.x, the eDirectory files reside in a different path. The IDM engine and/or Remote Loader will still reside at the original install location from the eDirectory 8.7.3.x installation.

For IDM to work with eDirectory 8.8.x, you must reinstall any previously installed IDM components on the system to have them relocated to the new paths as defined by the eDirectory 8.8.x installation.

2.4.4 Install Latest NICI Version before Upgrading from eDirectory 8.7.3 Versions prior to SP9

For a successful upgrade from eDirectory 8.7.3.x versions prior to eDirectory 8.7.3 SP9 to eDirectory 8.8 SP5, do the following:

  1. Uninstall NICI that is installed with eDirectory 8.7.3.x.

  2. Manually install NICI which is shipped with eDirectory 8.8 SP5.

  3. Start eDirectory upgrade by using the nds-install script.

For more information on the upgrade procedure, refer to the eDirectory 8.8.5 Troubleshooting Guide.

2.4.5 Instrumentation RPM Upgrade Issues While Upgrading eDirectory

If you upgrade an eDirectory server on which the eDirectory instrumentation RPM is installed, the eDirectory instrumentation RPM does not get upgraded automatically. Therefore, you must manually upgrade the eDirectory instrumentation RPM.

For more information on upgrading instrumentation, refer to the Novell eDirectory 8.8.5 Installation Guide.

2.5 Multiple Instances Issue - Default Instance Path

While configuring the second instance of eDirectory on your host, you are prompted for the default path. Select a different path and proceed.

2.6 ldif2dib Limitations

2.6.1 Schema

The LDIF file should mention all the object classes that an entry belongs to. You should also include the classes that an entry belongs to because of inheritance of classes. For example, an entry of type inetOrgPerson has following syntax in the LDIF file:

  • objectclass: inetorgperson

  • objectclass: organizationalPerson

  • objectclass: person

  • objectclass: top
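
A pre-flight check for this limitation, as an added example that is not part of the Novell readme or tooling: it reports LDIF entries that omit an inherited object class. The function name, the superclass map file format ("class superclass" per line, which you supply for your own schema) and the sample entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Novell code): find LDIF entries that do not list every
# inherited object class before the file is passed to ldif2dib.

# missing_superclasses LDIF_FILE MAP_FILE
#   MAP_FILE holds "class superclass" pairs, one per line (hypothetical
#   format). Prints "DN: missing objectclass NAME" for each gap; returns 1
#   if any entry is incomplete, 0 otherwise. Base64 values are not decoded.
missing_superclasses() {
    awk '
        function report(    c, p, n) {
            if (dn != "") {
                for (c in have) {
                    n = 0       # depth guard against a cyclic map
                    for (p = parent[c]; p != "" && n++ < 32; p = parent[p])
                        if (!(p in have)) missing[p] = 1
                }
                for (p in missing) { print dn ": missing objectclass " p; bad = 1 }
            }
            dn = ""; split("", have); split("", missing)
        }
        function handle(l,    v) {
            sub(/\r$/, "", l)                       # tolerate CRLF files
            if (l == "") { report(); return }       # blank line ends an entry
            v = l; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            l = tolower(l)
            if (l ~ /^dn:/) dn = v
            else if (l ~ /^objectclass:[^:]/) have[tolower(v)] = 1
        }
        mode == "map" { if (NF >= 2) parent[tolower($1)] = tolower($2); next }
        /^ / { line = line substr($0, 2); next }    # folded continuation line
        { handle(line); line = $0 }                 # process one line late
        END { handle(line); report(); exit (bad ? 1 : 0) }
    ' mode=map "$2" mode=ldif "$1"
}

# Constructed sample data: the inetOrgPerson chain from the list above,
# one complete entry and one that omits organizationalPerson and top.
work=$(mktemp -d)
cat > "$work/schema.map" <<'EOF'
inetOrgPerson organizationalPerson
organizationalPerson person
person top
EOF
cat > "$work/sample.ldif" <<'EOF'
version: 1

dn: cn=alice,o=example
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: A

dn: cn=bob,o=example
objectclass: inetOrgPerson
objectclass: person
sn: B
EOF
missing_superclasses "$work/sample.ldif" "$work/schema.map" ||
    echo "fix the entries listed above before running ldif2dib"
rm -rf "$work"
```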

2.6.2 ACL Templates

Objects that are bulkloaded with the ldif2dib utility are not added with ACLs that are specified in the ACL templates for the object class of the object.

2.6.3 Signal Handler

You can temporarily suspend the offline bulkload operation by pressing the s or S key. You can use the Escape key (Esc) to stop the bulkload operation.

2.6.4 Options

On Linux, if the -b option is used, the statistics display menu disappears after the bulkload is complete.

2.6.5 Ldif2dib Might Fail to Upload Objects Beyond Several Millions on RHEL

When you attempt uploading millions of objects to eDirectory using ldif2dib, and the checkpoint interval is explicitly specified, the operation might halt with an error stating that the directory is full.

To work around this issue, skip the checkpoint interval (use the -i option with the ldif2dib command).

2.7 Viewing French and Japanese Manpages

To view the French man page on Red Hat Linux, export the following:

export MANPATH=/opt/novell/man/frutf8:/opt/novell/eDirectory/man/frutf8

To view the man pages on AIX, use English locale.

2.8 Unable to Limit the Number of Concurrent Users on Non-NetWare Platforms

The concurrent connection limit behavior of non-NetWare platforms is changed to match that of NetWare. To revert to the old behavior (strict port-based checking), set the following parameter in the nds.conf file.

n4u.server.mask-port-number=0

2.9 Catalog Services with eDirectory 8.8 SP5

Catalog services running with eDirectory 8.8 SP5 are not supported. This is an old technology and has been largely replaced by the contextless login feature in the 4.9 Novell Client.

2.10 Localhost Issues in /etc/hosts

If an entry in /etc/hosts aliases a loopback address to the hostname of the system, it must be changed to use the hostname or IP address. That is, if your /etc/hosts file has an entry similar to the first example below, change it to the correct entry given in the second example.

The following example entry causes problems when any utility tries to resolve the ndsd server:

127.0.0.1 test-system localhost.localdomain localhost

The following is a correct example entry in /etc/hosts:

127.0.0.1 localhost.localdomain localhost

10.77.11.10 test-system

If any third-party tool or utility resolves through localhost, then it needs to be changed to resolve through a hostname or IP address and not through the localhost address.
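
A check for the entry described in this section, as an added example that is not part of the Novell readme or tooling. The function name is hypothetical, and the sample files are constructed from the two entries shown above.

```shell
#!/bin/sh
# Added example (not Novell code): detect a hosts file in which the system
# hostname is aliased to a loopback address.

# hostname_on_loopback HOSTS_FILE HOSTNAME
#   Prints "LINE_NUMBER: entry" for each loopback entry (127.x.x.x or ::1)
#   that names HOSTNAME, matching the full name or its short form.
#   Returns 0 if such an entry exists (problem), 1 if the file is clean.
hostname_on_loopback() {
    awk -v host="$2" '
        BEGIN { host = tolower(host); split(host, h, "."); short = h[1] }
        {
            sub(/#.*/, "")                      # strip comments
            if (NF < 2) next                    # blank or address-only line
            if ($1 !~ /^127\./ && $1 != "::1") next
            for (i = 2; i <= NF; i++) {
                name = tolower($i); split(name, q, ".")
                if (name == host || q[1] == short) {
                    print NR ": " $0; found = 1; break
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files holding the two entries from this section.
demo=$(mktemp -d)
cat > "$demo/hosts.bad" <<'EOF'
127.0.0.1 test-system localhost.localdomain localhost
EOF
cat > "$demo/hosts.good" <<'EOF'
127.0.0.1 localhost.localdomain localhost
10.77.11.10 test-system
EOF
for f in "$demo/hosts.bad" "$demo/hosts.good"; do
    if hostname_on_loopback "$f" test-system; then
        echo "$f: hostname is bound to loopback, correct it before starting ndsd"
    else
        echo "$f: ok"
    fi
done
rm -rf "$demo"
```

On a live system, call it as hostname_on_loopback /etc/hosts "$(hostname)".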

2.11 LDAP TCP and TLS Ports Issue with Large DIBs

When the DIB is large, the DS takes time to come up and wrongly displays the following errors:

LDAP TCP Port is not listening
LDAP TLS Port is not listening

In this scenario, the ports are not disabled but eDirectory services are slow to come up. To check the status of LDAP, refer to the ndsd.log file or enter the following command and grep for the LDAP TCP/TLS ports:

netstat -na
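
The grep step above as a small filter, added here as an example that is not part of the Novell readme or tooling. It assumes the standard LDAP ports 389 (TCP) and 636 (TLS), which this readme does not state; pass the ports configured for your server. The function name and the sample netstat lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not Novell code): read `netstat -na` output on stdin and
# report whether each given TCP port has a listener.

# ldap_listeners PORT...
#   Prints "PORT listening" or "PORT not-listening" for each port and
#   returns 0 only if every port has a listener. Handles the Linux local
#   address form (0.0.0.0:389, :::389) and the Solaris/AIX form (*.389).
ldap_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        $NF == "LISTEN" {               # skips UNIX-domain "LISTENING" rows
            for (i = 1; i < NF; i++)
                for (k = 1; k <= n; k++)
                    if ($i ~ ("[.:]" want[k] "$")) up[want[k]] = 1
        }
        END {
            for (k = 1; k <= n; k++) {
                if (want[k] in up) print want[k], "listening"
                else { print want[k], "not-listening"; rc = 1 }
            }
            exit rc + 0
        }
    '
}

# Constructed sample: Linux-style output taken while the TLS listener on
# the assumed port 636 has not come up yet.
sample='tcp        0      0 0.0.0.0:524       0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:389       0.0.0.0:*         LISTEN
tcp        0      0 10.77.11.10:389   10.77.11.20:41022 ESTABLISHED'
printf '%s\n' "$sample" | ldap_listeners 389 636 ||
    echo "not all LDAP ports are listening yet; check ndsd.log and retry"
```

On a live server, run netstat -na | ldap_listeners 389 636 and repeat it after ndsd has had time to open a large DIB.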

2.12 LDAP SNMP Statistics do not Report when Anonymous Bind is Disabled

To resolve this issue, do the following steps:

  1. Allow anonymous bind.

  2. Start the subagent.

  3. Disable/disallow the anonymous bind.

2.13 Deletion of a Moved Object

Deletion of a moved object might fail (error -637) in a tree with two or more servers.

2.14 Issues with Running Identity Manager with eDirectory on AIX

For proper functioning of Identity Manager with eDirectory, increase the max stack size of the ndsd by using the following command:

ldedit -b maxstack=0x10000000 /opt/novell/eDirectory/sbin/ndsd

Ensure that ndsd is not running when you execute this command.

2.15 Issue in Generating Logout Event due to eDirectory Client Limitation

eDirectory does not generate a Logout event when you log out from iManager. This is due to a technical limitation in the client part of eDirectory.

Auditing applications can use NWDS APIs to receive logout events. Applications that use LDAP can monitor logout with unbind events.

2.16 Issue when nldap Module is Unloaded and then Loaded Again

When the nldap module is unloaded and then loaded again by using the nldap utility, the LDAP ports do not listen. Restart ndsd to enable the ports to listen.

2.17 Issues Generated by TERM while Running ndstrace

The TIME and TAGS tags are displayed as enabled (underlined) even though they are not enabled by default. When TERM is set to VT100 or xterm from a Linux terminal, these tags are displayed as if they are enabled (underlined). This issue does not occur with other terminal types such as dtterm.

2.18 eMBox Does Not Handle Double Byte Characters

eMBox does not handle double byte characters when setting the roll forward directory through the eMBox client and iManager. This can still be done using DSBK.

2.19 64-bit eDirectory 88 SP5 Performance on Solaris

On Solaris, a 64-bit eDirectory benefits by being able to grow beyond 4GB virtual address space. However, there may not be much performance improvement with a 64-bit eDirectory. In some scenarios, a 64-bit eDirectory may not perform as well as a 32-bit eDirectory.

2.20 Issue while Installing NICI Manually

On Solaris 10 64-bit, when you try to install the NICI package manually, the install throws the following error:

For 32-bit install: ln: cannot create /usr/lib/libccs2.so: File exists

For 64-bit install: ln: cannot create /usr/lib/sparcv9/libccs2.so: File exists

To resolve this issue, perform the following steps:

  1. Remove the links from the following directory:

    For 32-bit: /usr/lib/

    For 64-bit: /usr/lib/sparcv9/

  2. Install the NICI 32 and 64-bit packages using pkgadd.

Follow the same procedure for non-root install where NICI needs to be installed manually.

2.21 ConsoleOne Fails to Start after Upgrading to 8.8 SP5 on Linux/Solaris

On Linux/Solaris, ConsoleOne fails to start after upgrading from eDirectory 873 SPx / 88 SPx to 88 SP5.

To resolve this issue, while upgrading to a 32-bit eDirectory 88 SP5, perform the following steps after the upgrade:

  1. Edit the ConsoleOne script located at /usr/ConsoleOne/bin/ConsoleOne.

  2. To find the java environment, enter the following:

    export C1_JRE_HOME=/usr/lib/jre/
    
  3. Modify the LD_LIBRARY_PATH line to /usr/lib:/usr/ConsoleOne/bin:$LD_LIBRARY_PATH instead of /usr/lib:$LD_LIBRARY_PATH.

  4. Save the file.

While upgrading to 64-bit eDirectory 88 SP5, you have to uninstall and reinstall ConsoleOne.

2.22 Issue with Exporting the Correct ndspath for Root eDirectory

If both non-root and root eDirectory are configured on the same machine, you cannot export the root eDirectory ndspath from a directory in which the non-root eDirectory is extracted.

For example, while exporting a path for a root eDirectory, if the non-root eDirectory path is /home/non-root/eDirectory/ and a user at /home/non-root/eDirectory/opt/ is exporting the path . /opt/novell/eDirectory/bin/ndspath, this ndspath script will export the path for the non-root eDirectory.

To resolve this issue, export the ndspath for root eDirectory from any directory other than the path extracted for the non-root eDirectory. For example, /home/non-root/eDirectory/opt/

2.23 Issue with Moving Dynamic Group

Moving a Dynamic Group object that has "dynamicgroup" in its object class attribute to another container breaks the Dynamic Group functionality. After the move, queries and searches on dynamic members will not work.

2.24 Segmentation Fault Error while Accessing Subagent

On Linux 64-bit, when a user tries to start the subagent (ndssnmpsa) using an incorrect eDirectory password, a segmentation fault error occurs.

To avoid this error, ensure that you use the correct eDirectory password while starting the subagent.

2.25 Issue while Running ndsrepair

If you run an unattended ndsrepair after an upgrade or migration from an 873x server, the error message "Invalid Ancestor ID list for the entry" appears.

This can be ignored because the Ancestor ID upgrade is done as part of a background process after the upgrade or migration of the DIB.

2.26 Interoperability Issues

2.26.1 IDP Cannot Create Shared Secrets in eDirectory 8.8 SP5 64-Bit

For eDirectory 8.8 SP5 64-bit configured as an external user store and an external SecretStore, if you create a Form Fill policy with a shared secret to speed up the iManager authentication, it returns a data store error after authenticating to the Linux Access Gateway. eDirectory 8.8 SP5 64-bit is not supported as an external SecretStore with Access Manager.

2.26.2 Cannot Change the Passphrase after Unlocking SecretStore

SecretStore locks if you try to retrieve a forgotten password by logging in with user credentials and a wrong passphrase. You can unlock SecretStore with administrator rights, and the Novell SecureLogin client allows you to log in without a passphrase. If you try changing the passphrase, the login fails and returns an error.

2.26.3 ZENworks WOL Service Cannot Start when eDirectory Is Upgraded to eDirectory 8.8 SP5 64-Bit

ZENworks Wake-on-LAN service does not start even after you attempt to start it manually.

2.26.4 User Credentials Modified through SecretStore Are Reset to Null

When you try saving the new credentials in the SecretStore by using the iManager plug-in, a blank credential column displays because iManager fails to save the changes.

You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.

2.26.5 Creating a Different Credential Set with the Same User Overwrites the Previous Credential Set

When you save the alternate credential set, SecretStore fails to retain the first set and only the latest credential set is visible.

You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.

2.26.6 ConsoleOne Fails to Start after Upgrading to eDirectory 8.8 SP5 64-Bit

ConsoleOne fails to start after eDirectory is upgraded to 8.8 SP5 64-bit because it cannot locate the class definition in the JClient.

Workaround: Reinstall ConsoleOne.

2.27 Issue while Repairing Network Addresses through eMBox

While repairing the network addresses through eMBox, it throws the following errors because eMBox is not updated with the recent fixes for repair:

ERROR: Could not find a net address for this server - Error : 11004

ERROR: Could not connect. Error : 11004

3.0 Documentation

3.1 Viewing eDirectory Documentation

Novell eDirectory 8.8 SP5 has the following documentation:

  • Novell eDirectory 8.8 What's New Guide

  • Novell eDirectory 8.8 Installation Guide

  • Novell eDirectory 8.8 Administration Guide

  • Novell eDirectory 8.8 Troubleshooting Guide

These documents are available at the Novell eDirectory 8.8 online documentation Web site.

3.2 Readme Information

The latest version of this readme is available at the Novell eDirectory 8.8 online documentation Web site.

3.3 Additional Documentation

3.3.1 iManager

3.3.2 NMAS 3.3.2

For NMAS information, refer to the NMAS online documentation.

3.3.3 Certificate Server 3.3.3

For Certificate Server information, refer to the Certificate Server online documentation.

3.3.4 NICI 2.7.6

For NICI information, refer to the NICI online documentation.

3.3.5 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.

4.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

5.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html.

All third-party trademarks are the property of their respective owners.