Novell Account Management 3.0 Release Notes

(Last modified: 30Jan2003)

This document (10074958) is provided subject to the disclaimer at the end of this document.

goal

Novell Account Management 3.0 Release Notes

fact

Account Management 3.0 Core Services

Account Management 3.0 Platform Services

fix

Release Notes

-------------

Novell SecretStore 3.0.2

========================

If AM 3.0 password replication is to be enabled, the server components

for Novell SecretStore 3.0.2 or later must be installed and running on any

eDirectory server that the Manager or Agent uses. Consult your

SecretStore documentation for instructions on installation.

SecretStore client components are provided with AM and need not be

installed separately. SecretStore 3.0.2 is available on the root of the AM 3.0 CD

or via Download at support.novell.com.

IMPORTANT NOTE: An eDirectory server can access a user's SecretStore via LDAP

only if the user is in a read/write replica stored on that server.

This will be resolved in a future release of SecretStore.

There is a known issue with SecretStore when a top-level Organization

container in the tree has the same name as the eDirectory tree. For

example, suppose an eDirectory tree named ACME has a top-level

Organization in ACME. If the user used for AM 3.0 operations

(typically ASAMMaster) is in ACME (or any subordinate container),

that user will not be able to access any other user's SecretStore.

To work around this issue, create a new top-level Organization and

place an admin-equivalent user in this container. This user can then

be used for AM 3.0 operations by modifying the Manager's and

all Agents' configuration files.

There is a SecretStore setting known as "Update timestamp on read secret"

that should be disabled. If enabled, it seems to cause the DirXML Event Listener

to "loop" on a single event. To disable this setting, follow these steps:

1. On a system with ConsoleOne installed, install the SecretStore snap-in

from the AM 3.0 CD. Unzip \SecretStore302\ConsoleOne\snapins\SSSnapin.zip to

C:\Novell\ConsoleOne\1.2, or the location where ConsoleOne is installed.

2. Locate the SecretStore object in the Security container, which is at the root

of your eDirectory tree. Open the Properties of the SecretStore object in

ConsoleOne.

3. Uncheck the box labeled "Update timestamp on read secret" and click OK.

4. Restart eDirectory on all servers in the tree, or restart SecretStore on all

servers. For Windows, restart SSLDP.DLM and SSS.DLM in the NDS Services Control

Panel. For NetWare, reload SSLDP.NLM and SSS.NLM at the console. For Linux and

Solaris servers, you must restart eDirectory.

Novell Account Management 3.0 Manager

-------------------------------------

 

I. IMPORTANT Installation Instructions

Novell Account Management relies heavily on GUIDs. See TID 10064771 for

information about a patch that is required to ensure that all future GUIDs

that are generated will be unique. As described in TID 10064771, if

duplicate GUIDs exist within your tree, the only way to fix these is to

delete all but one of the objects having the same GUID and re-create them.

Novell Account Management will detect and report problems due to duplicate

GUIDs by listing the objects in the Manager log file and by creating

exception objects with a collision type of "duplicate guid".

The following doc update applies to Account Management 3.0 Core Services

Administration Guide, page 32, Installing to a UNIX Server. After you run the

manager-config script, complete Manager Services installation beginning with

Step 6 on page 42. After completing the UNIX installation scripts, proceed

with the installation at Step 5 of the Account Management Installation Outline

on page 30.

II. Known issues

If timeout errors (error 85) occur during a trawl or event processing, you

may increase the timeout value by setting the ASAM-ldapTimeout attribute

on the Census container object using ConsoleOne or other means. The unit

of measure is seconds. If no ASAM-ldapTimeout is set, the default is 120

seconds.

Do not run the manager on more than one server at a time. Different

managers initiating simultaneous trawls or processing events

simultaneously may result in inconsistent census objects or the same

UID/GID number assigned for more than one user or group. Also, reporting

functions may appear to work, but results may be wrong.

Be aware that each full sync requires memory on the Manager server. If

you run two or more simultaneous full syncs, you may run into memory

consumption issues on the Manager server. This memory requirement

will be reduced in a service pack.

Manager servers whose clocks are set incorrectly (fast clocks) can cause

certificates to be minted with a validity start time that has not yet been

reached. Every component is affected: the certificates are rejected, so secure

connections are denied.
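
To confirm the fast-clock symptom described above, the following added example (not part of the Novell release notes or product) classifies a certificate's validity window against the verifier's clock. It assumes the certificate can be exported to a file and its dates printed with `openssl x509 -noout -dates`; the sample output is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl x509 -noout -dates` output for a certificate
# minted by a Manager whose clock ran three hours fast (not real data).
SAMPLE_DATES = """notBefore=Jan 30 15:00:00 2003 GMT
notAfter=Jan 30 15:00:00 2004 GMT"""


def parse_dates(dates_output):
    """Parse notBefore/notAfter lines into timezone-aware UTC datetimes."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            fields[key] = stamp.replace(tzinfo=timezone.utc)
    if "notBefore" not in fields:
        raise ValueError("no notBefore line found")
    return fields


def check_validity(dates_output, now):
    """Return (verdict, delta) for a verifier whose clock reads `now`.

    'not-yet-valid' is the fast-clock symptom; delta is how long remains
    until the certificate's start time is reached on the verifier's clock.
    """
    fields = parse_dates(dates_output)
    if now < fields["notBefore"]:
        return "not-yet-valid", fields["notBefore"] - now
    not_after = fields.get("notAfter")
    if not_after is not None and now > not_after:
        return "expired", now - not_after
    return "valid", timedelta(0)


if __name__ == "__main__":
    verifier_now = datetime(2003, 1, 30, 12, 0, tzinfo=timezone.utc)
    print(check_validity(SAMPLE_DATES, verifier_now))
```

A "not-yet-valid" verdict on a freshly issued certificate points at the issuing server's clock rather than at the certificate store.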

Web browsers must support HTTP 1.1 in order to correctly view certain pages and

download file distributions.

Performance may be slow when displaying Platforms from Component Status.

If the server the Manager is running on fails, you might need to manually

restart all Platform Receivers running in persistent mode. This will be

corrected in a service pack.

Novell Account Management 3.0 Agent

-----------------------------------

I. IMPORTANT Installation Instructions

If you are installing the Agent onto a UNIX server that is also the Manager

server, do not run the agent-config script. (It builds the asamcore.conf file,

which will have already been built on the Manager server.)

II. Known issues

Novell Account Management 3.0 DirXML Event Listener

---------------------------------------------------

I. Important Note

The Solaris version of the DirXML Event Listener is not currently available.

It will be provided in a future update to Novell Account Management.

II. Troubleshooting

The DirXML driver logs messages through the NDSTRACE facility. To view these

messages, run the NDSTRACE utility and make sure the "DirXML Drivers" (DVRS)

option is selected. Consult your Novell eDirectory documentation for more

information about NDSTRACE.

NDSTRACE is a good place to start looking if the Event Listener won't start.

Enable the "DirXML" (DXML) option to view DirXML error messages.

Here are some things to check if the Event Listener won't start:

* If you receive error -603, SecretStore is missing from your tree.

SecretStore is required for Novell Account Management password

replication. If you want to start the Listener without SecretStore,

edit the DirXML Subscriber filter and remove the attribute

"sssProxyStoreSecrets" from the User object. Otherwise, install

SecretStore to at least one server in the tree.

* Check that NICI 2.0 or higher is installed.

* Ensure that you have a valid DirXML activation. The activation is

a license-control mechanism that is obtained from Novell.

* Make sure you have followed all DirXML installation instructions.

* For UNIX systems, consult Novell TID 10070391 for an important

DirXML fix.

After the driver is installed, you should see (in NDSTRACE) "Success" messages

for events that succeeded, and "Warning" or "Error" messages for events that

fail. To determine why events are failing, examine your Manager logs. You can

also look at the documentation for the message code you are receiving for

further troubleshooting tips.

The Event Listener retries some events that fail if it thinks the event can be

processed at a later time. Sometimes an event can get "stuck" as the Listener

continues to retry it when there is no chance it will succeed. To discard such

events, edit the Driver object's "Driver Parameters XML" in ConsoleOne. Add the

following line inside the <driver-options> tags:

<discardEvents>yes</discardEvents>

Then restart the Listener. All events will be discarded (and reported as errors,

which can be ignored). Stop the Listener and remove the <discardEvents> tag to

return the Listener to normal operation.
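
Because a leftover <discardEvents> tag silently drops every account and password event, it helps to toggle and audit it mechanically. The following is an added example (not Novell code) that adds, removes and detects the tag in an exported copy of the Driver Parameters XML; only <driver-options> and <discardEvents> come from these notes, while the wrapper element and <sample-option> are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a "Driver Parameters XML" value. The <driver-config>
# wrapper and <sample-option> are hypothetical placeholders.
SAMPLE_PARAMS = """<driver-config>
  <driver-options>
    <sample-option>value</sample-option>
  </driver-options>
</driver-config>"""


def _driver_options(root):
    # iter() includes the root itself, so a bare <driver-options> document works.
    options = next(root.iter("driver-options"), None)
    if options is None:
        raise ValueError("no <driver-options> element found")
    return options


def set_discard_events(xml_text, enabled):
    """Return the XML with <discardEvents>yes</discardEvents> present or absent.

    Idempotent: existing copies are removed first, so repeated runs never
    leave duplicate tags behind.
    """
    root = ET.fromstring(xml_text)
    options = _driver_options(root)
    for existing in options.findall("discardEvents"):
        options.remove(existing)
    if enabled:
        ET.SubElement(options, "discardEvents").text = "yes"
    return ET.tostring(root, encoding="unicode")


def discard_enabled(xml_text):
    """True if the Listener is configured to discard all events."""
    node = _driver_options(ET.fromstring(xml_text)).find("discardEvents")
    return node is not None and (node.text or "").strip().lower() == "yes"


if __name__ == "__main__":
    flushed = set_discard_events(SAMPLE_PARAMS, True)
    print(flushed)
    print(discard_enabled(set_discard_events(flushed, False)))
```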

Novell Account Management 3.0 Platform Receiver

-----------------------------------------------

 

I. IMPORTANT Installation Instructions

Windows NT 4.0

The ADSI Version 2.5 for WinNT 4.0 and Windows Script Host 5.6 for WinNT

4.0 must be installed before the Domain scripts will execute correctly.

These self-extracting files can be downloaded from Microsoft's

MSDN web site.

Windows

To run the receiver as a service without being logged on, you need to

change "Log On As" from LocalSystem to administrator. This is done by

right-clicking on the service and changing the service's properties.

II. Known issues

Windows NT 4.0

When security patch Q299444 is installed, it causes scripts to get error 800004005,

which is an "Unspecified error". We are currently researching this problem and have

notified Microsoft of the problem. For the scripts to run, you will have to uninstall

the above patch.

Renaming Roles (Solaris RBAC environment) is broken, because SUN's rolemod

program is broken. Renaming roles corrupts /etc/user_attr. We

reported the problem to SUN, and they are preparing a patch to

rolemod.

There is no good way to disable/enable users on some platforms,

and scripts that should be able to disable/enable users (disableuser.sh,

enableuser.sh) do nothing on those platforms. Check the disableuser.sh

and enableuser.sh scripts for your platform for more information.

There is no good way to rename users and groups on AIX, so AIX

platforms shouldn't be added to platform sets where users and

groups are renamed.

There is a known problem with syncing the surname attribute to Windows platforms.

-----------------( Notes Specific To The OS/390 Platform Receiver )--------------

In the OS/390 Platform Receiver, the following messages appear in DDname SYSTERM:

LSCX048 Most recent C runtime library modules not available.

Use version 00197C70 ( 7.00C) or later to avoid problems.

This does not indicate a problem, but is an 'artifact' of the ASAM build process.

We hope to get rid of these messages in the near future.

The RACF scripts that are shipped with the OS/390 Platform Receiver treat userids

and groups that are not valid for RACF (more than 8 chars long, contains invalid

chars, etc) as invalid. The helper scripts AMQUSER, AMQGROUP and AMQCONN will

return "does not exist" to the Platform Receiver, while scripts that modify users

or groups will return "ignored".

 

Novell Account Management 3.0 Platform Services Process

-------------------------------------------------------

 

I. IMPORTANT Installation Instructions

Don't run the setup/am-install script on HPUX. Instead, install

using the procedure outlined in the Platform Services Administration

Guide.

II. Known issues

A. The Platform Services Process does not do load balancing.

Novell Account Management 3.0 Platform Client

---------------------------------------------

 

I. IMPORTANT Installation Instructions

If you are configuring the UNIX authentication modules to use ascauth,

you must install platform services to the default directory: /usr/local/ASAM.

 

II. Production Features not included

* tacacs - modification of an open source tacacs

* MVS, ACF2

Novell Account Management 3.0 Client 32 Password Intercept

----------------------------------------------------------

II. Known issues

The file copy will not occur on Windows NT 4.0. Contact Novell

Support for a patch.


For more information, refer to the Account Management 3.0 Readme Addendum.

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10074958
  • Solution ID: NOVL82571
  • Creation Date: 26Sep2002
  • Modified Date: 30Jan2003
    • NovellNetWare

      eDirectory
