Novell eDirectory 8.7.3 for Solaris, Linux, AIX, and HP-UX

December 5, 2003

Table of Contents

1.0 Installation Issues
    1.1 Prerequisites
    1.2 eDirectory 8.7.3 Eval License
    1.3 Installing or Upgrading eDirectory
    1.4 HTTP Server Port Configuration
    1.5 Manually Extending the Schema Before Installation
    1.6 Enabling Large File Support
    1.7 Enabling the Linux, Solaris, AIX, or HP-UX Host for Multicast Routing
    1.8 ndsconfig Creates the nds.conf File and the dib Directory even when Configuration Fails
    1.9 Using Dotted Container Names in a Server's Context
    1.10 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate.
    1.11 Specifying eDirectory Information During the Configuration
    1.12 Core DS Component Installation
    1.13 gettext Displays Errors if libiconv is Not Present in the Default Location on HP-UX
2.0 Known Issues
    2.1 iMonitor Issues
    2.2 ConsoleOne Issues
    2.3 SNMP Issues
    2.4 Static Cache Limits on AIX
    2.5 Increasing the Size of the eDirectory Log Files
    2.6 ICE Issues
    2.7 NetMail Version for Upgrading to eDirectory 8.7.3
    2.8 Running ndsrepair on An NFS Mounted DIB on Linux
    2.9 Missing IP Address Entry in the /etc/hosts File on Linux
    2.10 Manpath for SuSE/UnitedLinux
    2.11 Creating LDAP Server and Group Objects in iManager
    2.12 ndsconfig cannot Set IP Address for n4u.server.interfaces
    2.13 ndsconfig add -m ldap Fails
    2.14 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3
    2.15 Increasing the Speed of Bulkloads
    2.16 Extended Characters Not Supported by LDAP Tools
    2.17 "Segmentation Fault" Error While Adding an Index
    2.18 Scaling eDirectory on HP-UX
    2.19 SLP Issues
    2.20 Non-English Characters as Password
    2.21 Error While Starting ndsd with Locale Other Than English
    2.22 Error While Loading dxevent
    2.23 Error while Configuring the LDAP Server with Default SSL CertificateDNS Certificate on a Multiple NIC Enabled Host on HP-UX
    2.24 An Error Message is Displayed while Using the Attribute Map in the LDAP Group in iManager
3.0 Documentation Issues
    3.1 Viewing Documentation on the Product CD
    3.2 Additional Readme Information
4.0 Legal Notices


1.0 Installation Issues

1.1 Prerequisites

1.1.1 Solaris

- One of the following:
  - Solaris 8 on Sun SPARC (with patch 108827-20 or later)
  - Solaris 9 on Sun SPARC
- All latest recommended set of patches available on the SunSolve Web page (http://sunsolve.sun.com). If you do not update your system with the latest patch before installing eDirectory, you will get the patchadd error.
- A minimum of 128 MB RAM
- 120 MB of disk space for the eDirectory server
- 32 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users
- ConsoleOne requirements:
  - ConsoleOne 1.3.6
  - A minimum of 64 MB RAM (128 MB recommended)

1.1.2 Linux

- One of the following:
  - Red Hat Linux 7.3, 8.0, or Red Hat Enterprise Linux AS 2.1
    Ensure that the latest glibc patches are applied from Red Hat errata (http://www.redhat.com/apps/support/errata) on Red Hat systems.
  - SuSE Linux Enterprise Server 8
- A minimum of 128 MB RAM
- 90 MB of disk space for the eDirectory server
- 25 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users
- Ensure that gettext is installed. To install gettext, search the rpmfind (http://rpmfind.net) Website for gettext.
- ConsoleOne requirements:
  - ConsoleOne 1.3.6
  - A minimum of 64 MB RAM (128 MB recommended)
  - 200 MHz processor (a faster one is recommended)

1.1.3 AIX

- One of the following:
  - AIX 4.3.3 with Maintenance Level 10, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt=0&org=SW&doc=4001173
    Note: NMAS is not supported on AIX 4.3.
  - AIX 5L with Maintenance Level 2, JVM 1.3.1, and the latest AIX V5.0 Runtime Libraries, available from http://www-1.ibm.com/support/manager.wss?rt=0&org=SW&doc=4001467
- All recommended AIX OS patches, available at the IBM tech support (https://techsupport.services.ibm.com/server/fixes) site
- A minimum of 128 MB RAM
- 190 MB of disk space for the eDirectory server
- 12 MB of disk space for the eDirectory administration utilities
- 74 MB of disk space for every 50,000 users

1.1.4 HP-UX

- PA-RISC 2.0 processor
- HP-UX 11i operating system
- 256 MB RAM minimum
- 300 MB hard disk space
- Ensure that the OS is updated with the patch PHSS_26560. Download and install the patch PHSS_26560 from http://www.itrc.hp.com > maintenance and support for HP products.
  Note: If you have installed the patch PHSS_28436, we recommend you uninstall it and then install patch PHSS_26560.
- Ensure that the HP-UX 11i Quality Pack (GOLDQPK11i) is installed. Download and install it from http://www.software.hp.com/SUPPORT_PLUS/qpk.html#N0.110.
- Ensure that gettext is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Gnu/.
- Ensure that libiconv is installed. Download and install it from http://hpux.connect.org.uk/hppd/hpux/Development/Libraries/.

Kernel Prerequisites for Scaling eDirectory

You need to change the following parameters before performing memory intensive operations:

1. maxdsiz and maxdsiz_64bit to 4 GB or the maximum value possible
2. maxssiz and maxdsiz_64bit to a minimum of 256 MB
3. max_thread_proc to a minimum of 64
4. maxusers to a minimum of 256 users (if your eDirectory server handles multiple client connections simultaneously)

The process for setting the values of these kernel parameters is given below:

1. Run sam from the command line.
2. Select Kernel Configuration > Configurable Parameters > Kernel Tunable.
3. Select Actions > Modify Configurable Parameter. Type the new value in Formula/Value, then click OK.
4. Select Actions > Process New Kernel.
5. Reboot the system when prompted.

1.2 eDirectory 8.7.3 Eval License

In order to test eDirectory 8.7.3, you will need to request an Evaluation License at http://www.novell.com/licensing/eld/LRequest.jsp?ENCRYPTION=EVAL. Upon submittal, you will receive the license files via email almost immediately with the installation instructions included.

1.3 Installing or Upgrading eDirectory

1.3.1 Installing eDirectory

If you are installing eDirectory from CD, use the nds-install command in the setup directory for installing eDirectory on UNIX:

    ./nds-install

If you download Novell eDirectory 8.7.3 from http://download.novell.com, use gunzip to convert the downloaded file to a tar file. Then use tar xvf to get the eDirectory installation and uninstallation scripts.

For more information on installing eDirectory, see the "Novell eDirectory 8.7.3 Installation Guide" (http://www.novell.com/documentation/beta/edir873/index.html).

1.3.2 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3. When you upgrade from 8.6.x to 8.7.3, you must upgrade the X.509 and CertMutual login methods as well. The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.

1.3.3 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd)

If Native SLP is already present and configured, the eDirectory installation on Solaris 8.0 detects the presence of the Native SLP package and does not install the NovellSLP package. You should make sure that the slpd daemon is running before configuring a new eDirectory server, as eDirectory requires SLP in order to query for duplicate tree names, advertising, etc.

To start the slpd daemon on Solaris 8.0:

1. Create the slp configuration file, either by copying /etc/inet/slp.conf.example to /etc/inet/slp.conf or by any alternative method.
2. Start the slpd daemon with the following command:

    /etc/init.d/slpd start

The slpd daemon will not start if the /etc/inet/slp.conf file does not exist. The network administrator can change the slp configuration by editing the /etc/inet/slp.conf file and restarting the slpd daemon.

You can use NovellSLP by installing the NovellSLP package, configuring the /etc/slpuasa.conf file as per the network requirements, and starting the slpuasa daemon. Make sure that the /etc/inet/slp.conf file does not exist (either by removing or making a backup of this file) and stop the /etc/init.d/slpd daemon before using the NovellSLP package.

1.3.4 Installing or Upgrading eDirectory on AIX

The following message might display on the console during an install or upgrade on AIX: "NICI Package install failed." However, NICI is installed or upgraded successfully even though that message is displayed. To verify that NICI was installed successfully, enter the following command and verify that version 2.6.0.0 of Novell NICI U.S./Worldwide has been installed:

    lslpp -L | grep NOVLniu0

1.3.5 Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3

Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3 rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class. This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory.

The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.

1.4 HTTP Server Port Configuration

If eDirectory 8.7.3 is installed before Novell iManager, you might have port conflicts.
You will need to change the ports used by the eDirectory HTTP stack if iManager fails to run after installation and an exception similar to the following appears in the console or terminal from which you are running Tomcat:

    java.lang.reflect.InvocationTargetException: org.apache.tomcat.core.TomcatException: Root cause - Address in use: JVM_Bind

To resolve this problem, do the following:

1. Log in to the tree and browse using ConsoleOne.
2. Open the HTTP server object for the server.
3. Set the httpDefaultClearPort and httpDefaultTLS port attributes to non-default values. The default port numbers are:

    httpDefaultClearPort: 80
    httpDefaultTLS: 443

4. The server will be refreshed the next time limber runs, or you can initiate limber from ndstrace by using the set ndstrace = *L command. The httpstk object can be recreated using iManager or ConsoleOne, or by running the following command:

    ndsconfig add -m http

5. Start Tomcat.

The same applies if any Web server, such as Apache on Linux, Solaris, or AIX, is installed on the system.

1.5 Manually Extending the Schema Before Installation

In some cases, schema extensions do not synchronize quickly enough to the lower levels of a tree where the first new eDirectory 8.7.3 server is being installed, so some features are not installed completely. One instance of this is the httpServer object schema definition, which might not synchronize to the server where the object instance needs to be created before the install code attempts to create it. In this particular instance, the failure to create the httpServer object schema definition is not fatal, as it only contains optional configuration information.

This type of problem can be avoided by manually extending the schema in your tree before you install eDirectory 8.7.3. Use ndssch to install the eDirectory 8.7.3 schema files located in the /usr/lib/nds-schema directory.
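A pre-installation check for the port conflict described in section 1.4, added here as an example and not part of the Novell readme: it reads `netstat -an` output and reports which of the default HTTP stack ports (80 and 443) already have a listener. The function names and the sample netstat lines are constructed for illustration; the parser assumes the `address:port` (Linux) and `address.port` (Solaris, AIX, HP-UX) local-address forms.

```shell
#!/bin/sh
# Added example, not part of the Novell readme.
# Default ports of the eDirectory HTTP stack, as listed in section 1.4.
HTTP_DEFAULT_CLEAR_PORT=80
HTTP_DEFAULT_TLS_PORT=443

# busy_default_ports: read `netstat -an` text on stdin and print each default
# port that already has a TCP listener (clear port first, then TLS port).
busy_default_ports() {
    awk -v clear="$HTTP_DEFAULT_CLEAR_PORT" -v tls="$HTTP_DEFAULT_TLS_PORT" '
    {
        listening = 0
        local_addr = ""
        for (i = 1; i <= NF; i++) {
            # Exact match: "LISTENING" on UNIX-domain socket lines is ignored.
            if ($i == "LISTEN") {
                listening = 1
            } else if (local_addr == "" && $i ~ /[.:][0-9]+$/) {
                # First address-with-port field is the local address.
                local_addr = $i
            }
        }
        if (!listening || local_addr == "") next
        # Keep only what follows the last "." or ":" (the port number).
        port = local_addr
        sub(/^.*[.:]/, "", port)
        if (port == clear || port == tls) seen[port] = 1
    }
    END {
        if (clear in seen) print clear
        if (tls in seen) print tls
    }'
}

# sample_netstat: constructed lines in both Linux and Solaris layouts.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51234        192.0.2.20:443          ESTABLISHED
tcp6       0      0 :::8443                 :::*                    LISTEN
      *.443                *.*                0      0 49152      0 LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/example.sock
EOF
}

# Typical use on the host that will run both eDirectory and a Web server:
#   netstat -an | busy_default_ports
```

Any port this prints is one to move away from when setting httpDefaultClearPort or httpDefaultTLS in step 3.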
1.6 Enabling Large File Support

Before installing eDirectory on UNIX, we recommend that you enable large file support on the file system where eDirectory files will reside. eDirectory requires the underlying file system to allow each DIB file (nds.db, nds.01, nds.02, etc.) to grow to a size of 4 gigabytes. If large file support has not been enabled, files are generally limited to 2 gigabytes by the file system, causing problems for an eDirectory installation with a large number of objects (typically, 500,000 or more).

For other issues related to large files, see Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

1.7 Enabling the Linux, Solaris, AIX, or HP-UX Host for Multicast Routing

Multicasting needs to be enabled in order for the eDirectory installation and configuration to work properly. To check if the host is enabled for multicast routing:

- On Linux systems, enter the following command:

    /bin/netstat -nr

  The following entry should be present in the routing table:

    224.0.0.0 0.0.0.0

  If the entry is not present, log in as root and enter the following command to enable multicast routing:

    route add -net 224.0.0.0 netmask 240.0.0.0 dev <-interface>

  The <-interface> could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.

- On Solaris systems, enter the following command:

    /usr/bin/netstat -nr

  The following entry should be present in the routing table:

    224.0.0.0 host_IP_address

  If the entry is not present, log in as root and enter the following command to enable multicast routing:

    route add -net 224.0.0.0 netmask 240.0.0.0

  The could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.

- On AIX systems, see if the multicast routing daemon mrouted is running. If it is not running, configure and start the multicast daemon mrouted. See the "mrouted.conf File" section in the Files Reference book in the AIX 4.3 or 5 Reference Documentation Set (http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/mrouted.conf.htm) for an example configuration file.

- On HP-UX systems, enter the following command:

    /usr/bin/netstat -nr

  The following entry should be present in the routing table:

    224.0.0.0

  If the entry is not present, log in as root and enter the following command to enable multicast routing:

    route add -net 224.0.0.0

1.8 ndsconfig Creates the nds.conf File and the dib Directory even when Configuration Fails

Even when configuration fails, ndsconfig creates the /etc/nds.conf file and the /var/nds/dib directory. Manually remove these files before proceeding with the configuration.

1.9 Using Dotted Container Names in a Server's Context

You can use ndsconfig to install a Linux, Solaris, or AIX server into an eDirectory tree that has containers using dotted names (for example, O=novell.com).

Because ndsconfig is a command-line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double-quotes. For example, to install a new eDirectory tree on a UNIX server using "O=novell.com" as the name of the O, use the following command:

    ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"

The Admin name and context and the server context parameters are enclosed in double-quotes, and only the dots ('.') in novell.com are escaped using the '\' (backslash) character.

You can also use this format when installing a server into an existing tree. You should use this format when entering dotted admin name and context while using utilities such as ndsrepair, ndsbackup, ndsmerge, ndslogin, and ldapconfig.

1.10 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate.
When configuring eDirectory on Linux, Solaris, or AIX servers into a replica with many objects or with synchronization problems, you might experience an "Unable to configure LDAP server with default SSL CertificateDNS certificate. Use ConsoleOne/iManager to associate SSL CertificateDNS certificate with LDAP server." error at the end of the ndsconfig process.

If the ndsd service is stopped at this point, you can restart it manually by entering the following at the console prompt:

    /etc/init.d/ndsd start    (for Linux and Solaris)
    /etc/ndsd start           (for AIX)

At this point, you might also need to verify that the LDAP Server object for that server was configured with an SSL Certificate. In ConsoleOne/iManager, open the properties pages of the LDAP Server object for this server, select the SSL/TLS Configuration tab, then look at the Server Certificate field on that tab. If it has been populated with the name of an SSL Certificate (for example, "SSL CertificateDNS"), click Close to exit the properties pages. If this field is blank, click the browse button for that field and select a certificate from the list. The default is "SSL CertificateDNS." Then click Apply and Close.

Finally, verify that the /var/novell/nici/0 directory (if user 'root' ran the install) contains a 'nicisdi.key' file. If it doesn't, restart the server to synchronize the key file.

1.11 Specifying eDirectory Information During the Configuration

When specifying the eDirectory information during the configuration, if an invalid Server object container type is specified, the configuration will not detect the error until later, and the eDirectory configuration will fail with a -611 or -634 error, which implies an incorrect base class.

The valid Server object container types are:

- Organization (O)
- Organizational Unit (OU)
- Domain (DC)

1.12 Core DS Component Installation

On rare occasions, the eDirectory installation will fail during its core DS component installation.
If so, an error message like the following will be displayed:

    "The DS component of eDirectory failed to install correctly. The error received was: ''. Please view ndsd.log for more detailed information. The eDirectory installation will now be terminated."

If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support (http://support.novell.com) Web site for possible solutions.

1.13 gettext Displays Errors if libiconv is Not Present in the Default Location on HP-UX

During installation, eDirectory looks for libiconv in the default /usr/local/lib directory. If libiconv is not present in this location, gettext does not work. To resolve this, copy libiconv to the /usr/local/lib directory and proceed with the installation.


2.0 Known Issues

2.1 iMonitor Issues

2.1.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later.

2.1.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.

2.1.3 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated.
If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the /etc/ndsimonhealth.conf file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This turns off the warnings for Readable Replica Count and Perishable Data.

2.1.4 iMonitor Report Does Not Save the Records of Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor.

2.1.5 Creation and Modification Timestamps

As UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.

2.2 ConsoleOne Issues

2.2.1 ConsoleOne on AIX and HP-UX

ConsoleOne is not supported on AIX and HP-UX. You can use other platforms, such as NetWare, Windows NT/2000, Linux or Solaris for ConsoleOne.

2.2.2 ConsoleOne and Open SLP

The NOVLc1 package does not get installed during the installation of ConsoleOne on a Linux machine with an Open SLP package. If an Open SLP package is detected on a Linux machine and you want to install ConsoleOne on that Linux machine, install the Novell SLP package first, then run the ConsoleOne install script.

2.2.3 Using ConsoleOne to Manage NetWare 4.x Servers

In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client.
Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

2.2.4 Creating Server Certificate Objects

Creating Server Certificate objects (also known as Key Material objects) is not supported in ConsoleOne on the UNIX platforms. This function is supported through iManager or from ConsoleOne on the Windows platform.

2.2.5 "Operation Failed" Error

The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites." indicates that a required SPM client library from the Universal Password feature in NMAS has not been installed or is not available, or that the server or workstation has incomplete or old versions of required eDirectory libraries.

To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later on a Windows workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.3 CD.

2.2.6 Using the Alt Key to Enter International Characters

Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.

2.2.7 Novell Client Versions Required for ConsoleOne 1.3.6

ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client.
ConsoleOne 1.3.6 on Windows requires one of the following:

- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later

2.2.8 Installing ConsoleOne on UNIX With All Languages Selected

When installing ConsoleOne on UNIX with all non-English languages selected, you will receive the following message:

    "One or more of the languages for the specified snap-ins are not available to install or have not been translated for installation. ConsoleOne will continue to install. However, when executing ConsoleOne, some of the snap-ins will display English where the specific language was not available."

This issue will be resolved in a future release of eDirectory.

2.2.9 Adding an LDAP Server(s) or LDAP Group Object Fails Due to Version Incompatibility

The LDAP ConsoleOne snap-in gives an obsolete version error. To resolve this, do the following:

1. Create the LDAP Server object.
2. Create the LDAP Group object.
3. Add the LDAP Server to the LDAP Group object's Server List.
4. Set the NCP Server to the LDAP Server object's Host Server field.
5. Set SSL CertificateDNS to the LDAP Server object's Server Certificate field in the SSL/TLS Configuration tab.
6. Wait for 10 seconds.

2.3 SNMP Issues

2.3.1 SNMP on Linux

On Linux, ucd-snmp-4.2.1, ucd-4.2.2, or ucd-snmp-4.2.3 need to be installed. Links to the missing libraries need to be created. For example, if your system has ucd version 4.2, create the following links to ucd version 4.2.1:

    ln -s /usr/lib/libucdagent.so.4.2 /usr/lib/libucdagent-0.4.2.1.so
    ln -s /usr/lib/libsnmp.so.4.2 /usr/lib/libsnmp-0.4.2.1.so
    ln -s /usr/lib/libucdmibs.so.0.4.2 /usr/lib/libucdmibs-0.4.2.1.so

To find what libraries are missing, enter the following:

    # ldd /usr/bin/ndssnmpsa

2.3.2 Restarting ndssnmpsa

When the master agent is restarted on Solaris, Linux, AIX, and HP-UX, ndssnmpsa needs to be restarted. To restart ndssnmpsa, first stop ndssnmpsa and then start it again.
To stop ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa stop
- Linux: /etc/rc.d/init.d/ndssnmpsa stop
- AIX: /etc/ndssnmpsa stop
- HP-UX: /sbin/init.d/ndssnmpsa stop

To start ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa start
- Linux: /etc/rc.d/init.d/ndssnmpsa start
- AIX: /etc/ndssnmpsa start
- HP-UX: /sbin/init.d/ndssnmpsa start

2.3.3 SNMP Master Agent Configuration on AIX

For SNMP support on AIX, the /etc/snmpd.peers file should be manually modified with the following entry. This is not done automatically during the install.

    "ndssnmpsa" 1.3.6.1.4.1.23.2.98 "ndssnmpsa_password"

This entry is expected to be done by the preinstall script during the package addition.

2.3.4 Multiple Trap Issue on HP-UX

For each trap generated, the previously generated trap will also be generated. For example, if you have generated trap 50 and later generated trap 43, while trap 43 is being generated you will get trap 50 as well.

This problem is observed only on low-end servers (with a hardware configuration of 1 CPU, 256 MB RAM, 400 MHz) and works as expected on high-end servers (with a hardware configuration of 2 CPU, 1 GB RAM, 650 MHz).

2.3.5 Extra VarBind Issue on HP-UX

Two extra varbinds get added for each trap generated, along with the list of eDirectory specific trap variables. These two extra varbinds are sysUpTime.0 and trapOID.0. You can ignore these extra variables.

2.4 Static Cache Limits on AIX

Due to limitations of AIX version 4.3, eDirectory only supports static cache limits on AIX. By default, the cache size is limited to 16MB. This is adjustable at runtime, but must be done by the administrator, and it must be done for every server running AIX.

The easiest way to adjust this is from iMonitor. Click Agent Configuration, then Database Cache. This will bring up a page that lets you adjust the amount of memory that eDirectory will use for cache.
In the Database Cache Configuration table, make sure the Hard Limit radio button is selected, enter the new cache size in the Cache Maximum Size field, then click Submit.

Refer to the eDirectory 8.7.3 Administration Guide for more information on changing database cache settings.

2.5 Increasing the Size of the eDirectory Log Files

You can use Novell iManager to increase the maximum size of the eDirectory log files (in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size) to a large value (such as several megabytes). However, the size of the log files can become a problem and might cause eDirectory to stop responding. To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:

    TOMCAT_OPTS=-Xmx512m

This increases the JVM heap size from the default of 64MB to 512MB.

2.6 ICE Issues

2.6.1 Adding a zero length attribute to an existing entry through ICE gives Invalid Syntax error

Consider the following entry specified in an LDIF file:

    # Modify an entry: add the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    add: fullName
    fullName:

Adding this LDIF entry through ICE results in an "Invalid Syntax" error. Use the ldapmodify tool to add such LDIF entries.

2.6.2 Replacing an attribute with a zero length value through ICE deletes the attribute

Consider the following entry specified in an LDIF file:

    # Modify an entry: replace the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    replace: fullName
    fullName:

Providing this LDIF entry to ICE will delete the fullName attribute. Use the ldapmodify tool to modify such LDIF entries.

2.7 NetMail Version for Upgrading to eDirectory 8.7.3

Existing Novell NetMail 3.1 users running eDirectory 8.6. on UNIX platforms and upgrading to eDirectory 8.7.3 should apply the NetMail 3.10e patch to maintain compatibility with eDirectory.

2.8 Running ndsrepair on An NFS Mounted DIB on Linux

You might get the -732 or -6009 errors while trying to run the ndsrepair operations on an NFS mounted DIB on Linux systems.

2.9 Missing IP Address Entry in the /etc/hosts File on Linux

On Linux, if the /etc/hosts file contains only the local host entry, the IP address entry should be added. In the /etc/hosts file, the local host entry would be displayed as follows:

    127.0.0.1 localhost.localdomain localhost

Add the IP address entry to the /etc/hosts file as follows:

2.10 Manpath for SuSE/UnitedLinux

On SuSE/UnitedLinux, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add this path to the list. To update the MANPATH variable, type "export MANPATH=$MANPATH:/usr/man" and press Enter.

2.11 Creating LDAP Server and Group Objects in iManager

If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview > select the new LDAP Server object > General > Information > Refresh after the LDAP objects have been created.

2.12 ndsconfig cannot Set IP Address for n4u.server.interfaces

You can set the IP address to n4u.server.interfaces by editing the nds.conf file.

2.13 ndsconfig add -m ldap Fails

You can use ConsoleOne to create an LDAP server and LDAP group object as follows:

1. Create an LDAP group object under the container where the host server exists.
2. Create an LDAP server object under the container where the host server exists.
3. Associate the LDAP server object with the host server and the LDAP group object. To do this, right-click on the LDAP server object > Properties. Enter the Host server and LDAP group object.
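A pre-flight check for the ICE behaviour in sections 2.6.1 and 2.6.2, added here as an example and not part of the Novell readme: it scans an LDIF file for add or replace modifications that carry a zero-length value, so those records can be sent through ldapmodify instead of ICE. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Novell readme.

# ice_zero_length_mods: read LDIF on stdin and print one tab-separated line
#   <dn> <operation> <attribute> <ICE behaviour per section 2.6>
# for every add or replace modification that carries a zero-length value.
ice_zero_length_mods() {
    # Pass 1 unfolds LDIF continuation lines (a leading space continues the
    # previous line). Pass 2 walks each record and inspects modify operations.
    awk '
        /^ / && have { line = line substr($0, 2); next }
        { if (have) print line; line = $0; have = 1 }
        END { if (have) print line }
    ' | awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function reset() { dn = ""; modify = 0; op = ""; attr = "" }
        BEGIN { reset() }
        /^#/ { next }                             # comment line
        /^[ \t]*$/ { reset(); next }              # blank line ends a record
        /^-[ \t]*$/ { op = ""; attr = ""; next }  # "-" ends one modification
        {
            pos = index($0, ":")
            if (pos == 0) next
            # Tolerate spaces before the colon ("dn : ...") as well.
            name = trim(substr($0, 1, pos - 1))
            value = substr($0, pos + 1)
            sub(/^[:<]/, "", value)               # "::" base64 or ":<" URL form
            value = trim(value)
            key = tolower(name)
            if (key == "dn") { dn = value; next }
            if (key == "changetype") { modify = (tolower(value) == "modify"); next }
            if (!modify) next
            if (op == "") {
                # First line of a modification names the operation and attribute.
                if (key == "add" || key == "replace" || key == "delete") {
                    op = key; attr = value
                }
                next
            }
            # Value line: only a zero-length value for the named attribute matters.
            if (key != tolower(attr) || value != "") next
            if (op == "add")
                print dn "\t" op "\t" attr "\tICE returns Invalid Syntax (2.6.1)"
            else if (op == "replace")
                print dn "\t" op "\t" attr "\tICE deletes the attribute (2.6.2)"
        }
    '
}

# sample_ldif: constructed input covering both cases plus two negatives.
sample_ldif() {
    cat <<'EOF'
version: 1

# record 1: zero-length add, followed by a replace that has a value
dn: cn=user,o=org
changetype: modify
add: fullName
fullName:
-
replace: description
description: still has a value

# record 2: zero-length replace, DN folded across two lines
dn: cn=second user,ou=people,
 o=org
changetype: modify
replace: fullName
fullName:

# record 3: changetype add, not a modify, so it is out of scope
dn: cn=third,o=org
changetype: add
objectClass: inetOrgPerson
sn:
EOF
}

# Typical use before an import:  ice_zero_length_mods < changes.ldif
```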
2.14 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3

After an eDirectory 8.7 server on Solaris 8 running Novell Account Management is upgraded to eDirectory 8.7.3, the Novell Account Management authentication will fail. This will happen only when the Solaris 8 server is running a kernel patch level of 108528-14 or higher. This issue will be fixed in a future release of eDirectory.

2.15 Increasing the Speed of Bulkloads

To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete. For more information, see the Universal Password Deployment Guide (http://www.novell.com/documentation/lg/nw65/universal_password/data/front.html).

2.16 Extended Characters Not Supported by LDAP Tools

Extended characters are currently not supported by LDAP tools. You can use ICE to perform operations like add, modify and delete using appropriate LDIF files.

2.17 "Segmentation Fault" Error While Adding an Index

If there are additional leading spaces present in the attributename or indexname when you give the ndsindex add command, the "Segmentation Fault" error is reported. However, the index will be added accurately, without any fault. You can ignore this error message.

2.18 Scaling eDirectory on HP-UX

To do memory intensive operations, you need to scale eDirectory. Execute the following command before configuring eDirectory:

    chatr +q3p enable +q4p enable /usr/sbin/ndsd

2.19 SLP Issues

2.19.1 OpenSLP on HP-UX Does Not Interoperate with Novell SLP

OpenSLP on HP-UX does not interoperate with Novell SLP (version 1) on eDirectory servers on Windows, NetWare, Linux, Solaris, and AIX.
For eDirectory on HP-UX to interoperate with eDirectory on other platforms, you need to have the following set up on the platforms:

- Windows and NetWare: NDSslp
- Linux: OpenSLP
- Solaris: Native SLP
- AIX: hosts.nds

2.19.2 While Adding a Secondary Server to a Tree with HP-UX as the Master Server, SLP for Service Location Fails

When you configure a tree with HP-UX as the master server and try to add a secondary to it, you can use the static file hosts.nds instead of SLP for service location.

2.20 Non-English Characters as Password

Before using non-English characters in a password on HP-UX systems, enter the following command:

stty cs8 -istrip

2.21 Error While Starting ndsd with Locale Other Than English

Starting the ndsd service with a locale other than English displays the error "Could not load Unicode tables." To bring up an eDirectory server in non-English locales, export /usr/local/lib as follows:

export SHLIB_PATH=/usr/local/lib:$SHLIB_PATH

2.22 Error While Loading dxevent

If DirXML is not installed, while loading dxevent, the error "Loader Failed:for dxevent,error ld.so.1: /usr/sbin/ndsd: fatal: dxevent: open failed: No such file or directory,errno 2" gets logged in your ndsd.log file. This is a warning and you can ignore it. This error will not appear once you install DirXML.

2.23 Error while Configuring the LDAP Server with Default SSL CertificateDNS Certificate on a Multiple NIC Enabled Host on HP-UX

See the ldapconfig command to configure the LDAP server with default SSL CertificateDNS certificate on a multiple NIC enabled host on HP-UX.

Example:

ldapconfig -t -p -w -a -s "LDAP:keyMaterialName= SSL CertificateDNS"

2.24 An Error Message is Displayed while Using the Attribute Map in the LDAP Group in iManager

To avoid this error message, delete all the non-schema mappings.
3.0 Documentation Issues

3.1 Viewing Documentation on the Product CD

This product CD contains documentation for the following products:

- Novell eDirectory
  /documentation/english/edir873/edir873.pdf
  /documentation/english/edir873/qsedir873.pdf
- Novell Client
  /documentation/english/noclienu/noclienu.pdf
- Novell Certificate Server
  /documentation/english/certserv/certserv_admin.pdf
- ConsoleOne 1.3.6
  /documentation/english/consol13/c1_enu.pdf
- Novell Modular Authentication Services (NMAS)
  /documentation/english/nmas/doc/nmas_admin.pdf
- Novell International Cryptography Infrastructure (NICI)
  /documentation/english/nici/nici admin guide.pdf

3.2 Additional Readme Information

3.2.1 Novell eDirectory 8.7.x Readme Addendum

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

3.2.2 NMAS Issues

For NMAS information, refer to the Security Services Readme (http://www.novell.com/documentation/lg/nmas23/readme/security_readme.html) located with the NMAS 2.3 online documentation (http://www.novell.com/documentation/lg/nmas23).

3.2.3 Certificate Server Issues

For Certificate Server information, refer to the Security Services Readme (http://www.novell.com/documentation/lg/nmas23/readme/security_readme.html) located with the Novell Certificate Server 2.6 online documentation (http://www.novell.com/documentation/lg/crt26).

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc.
makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent No. 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,794,232; 5,818,936; 5,832,275; 5,832,483; 5,832,487; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,919,257; 5,933,826. U.S and Foreign Patents Pending.

Novell, NetWare, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc.

All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Please refer to /documentation/english/license/license.txt on the eDirectory CD for additional information and license terms.