For the latest versions of the Novell® iManager readme and documentation, see the Novell Product Documentation Web site.
To access iManager, you must use a machine running Internet Explorer 6 SP1 or above, Netscape* 7.02 or above, or Mozilla 1.4 or above.
iManager plug-ins (modules) will be available for download on the Novell Product Downloads Web site. Search by "Category" and select "iManager Plug-ins."
The following issues might occur when using a Netscape or Mozilla browser:
Several tasks in iManager require supervisor rights to the container to perform the required tasks for that role. When assigning roles to users or groups, the administrator is prompted for a scope. The scope defines how far up (or down) the tree rights will be assigned. If, for instance, the iPrint role is assigned to a user and the scope is set at the top of the tree, the user that was assigned to that role will have supervisor Object Entry rights to the entire tree.
If you have the Assigned Rights box checked, the following roles contain tasks that will assign supervisor rights to the container specified in the scope to the user:
As new modules become available, they might have Supervisor rights. For more information, see the "Novell iManager: Planning Security for Delegated Administration" white paper.
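The following added example (not part of the Novell readme or of iManager) shows one way to review which trustees hold Supervisor entry rights after roles have been assigned with a scope. It assumes an LDIF export of the containers in which eDirectory's ACL values have the layout privileges#scope#trustee#attribute, with Supervisor entry rights as bit value 16; the sample entries and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: list trustees holding Supervisor [Entry Rights] in an LDIF export.
# Assumption: ACL values look like privileges#scope#trustee#attribute and the
# Supervisor entry right is bit value 16. Folded or base64 ("ACL::") LDIF
# lines are not handled.

# Constructed sample export; all names are hypothetical.
sample_ldif() {
cat <<'EOF'
dn: o=acme
ACL: 16#subtree#cn=jsmith,ou=print,o=acme#[Entry Rights]
ACL: 1#subtree#[Public]#[Entry Rights]

dn: ou=print,o=acme
ACL: 17#subtree#cn=printops,ou=print,o=acme#[Entry Rights]
ACL: 6#entry#[Self]#loginScript
ACL: 32#subtree#cn=helpdesk,o=acme#[All Attributes Rights]
EOF
}

# Prints "container<TAB>trustee<TAB>scope" for each ACL value that grants
# Supervisor on [Entry Rights].
supervisor_trustees() {
    awk '
        /^dn: /  { dn = substr($0, 5); next }
        /^ACL: / {
            n = split(substr($0, 6), f, "#")
            if (n == 4 && f[4] == "[Entry Rights]" && int(f[1] / 16) % 2 == 1)
                printf "%s\t%s\t%s\n", dn, f[3], f[2]
        }
    '
}

# Narrows the report to grants made on a top-level container (a DN with no
# comma) that flow down the subtree: the "scope set at the top of the tree" case.
top_level_supervisors() {
    supervisor_trustees | awk -F '\t' '$1 !~ /,/ && $3 == "subtree" { print $2 }'
}

# Demo run on the constructed sample.
sample_ldif | top_level_supervisors
```

To review a real tree, pipe an LDIF export of the container objects into supervisor_trustees instead of the sample.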
During an iManager login, a -634 error could result if the IP address specified in the Tree field belongs to a server in the tree which has no replica or if the available advertising services (such as SAP or SLP) have no information about where to contact a replica server in the tree. To successfully log in, try specifying the IP address of a server which contains a replica in the tree.
Tasks under the Install and Upgrade Role generate an ActiveX security warning and will not run.
To prevent this warning from coming up, change the security settings in Internet Explorer by performing these steps:
In Internet Explorer, click Tools > Internet Options.
On the Security Tab, click Custom Level.
Change "Initialize and script ActiveX controls not marked as safe" to Enable (the default is Disable).
After you do this, the tasks will run properly.
WARNING: Only enable this option when using the tasks under the Install and Upgrade role. When finished, we recommend returning to the disabled (default) setting.
The "Install and Upgrade Plug-in" for iManager only works in Internet Explorer.
If you rename your eDirectory tree with the DSMerge utility or iManager, you will need to reboot the server before you log in to the renamed tree.
Tomcat is the last item to load on the iManager server. After you restart Tomcat, it may take 60 seconds or longer before you can access iManager depending on the performance of your server.
If an Organization or OU container that holds User objects and has been designated as a Portal Container in Portal is moved (for example, under a Country container), the user might not be able to log in. To resolve this problem, you should refresh the Portal, following the steps below.
NOTE: Designating a container as a Portal Container allows a search of that container during the tree walking login method to find the user.
Log in to iManager as Admin, then select the Configure button from the View buttons across the top.
From the Configure View, click the iManager Configuration role, then click Portal.
Under the Configuration menu on the right, click Refresh Portal.
To resolve the Search Container issue, click Select All > Refresh.
If you want to rename the container where an administrator was created, you need to rename the container in the System.PortalConfigurationObjectDN file then restart exteNd Director. Otherwise, exteNd Director will no longer recognize that object.
If a user's password has been set to expire on the Password Restrictions page in iManager, and the Admin or Help Desk changes the password, the user will see the following message appear when they log in to iManager for the first time:
"The Secret Store is currently locked"
The Secret Store is a persistent store of name/password combinations stored on the User object. The information is encrypted using the user's password. Anytime a user changes their password, the Secret Store needs to be decrypted with the old password and re-encrypted with the new password. This is done automatically if the user changes their password through the change password gadget or when prompted to change their password when logging in to the portal/iManager.
If the user changes their password using some other method, they will be prompted to unlock their Secret Store the next time they log in. In this case, the user should perform one of the following actions:
The Use SSL for LDAP setting in Portal > Configuration is a historical setting from iManager 1.5.x whose meaning has changed in iManager 2.0.x. This setting only applies to trees other than the tree where iManager 2.0.x is installed. LDAP connections made by iManager to servers in other trees will use this setting to determine whether or not to use SSL for communication to the LDAP server in another tree.
When setting iManager View Access, the Collection Owners/Portal Administrators are immune to the Hidden Flag on the Configure View (that is, Collection Owners will see the Configure View even if it is configured to be hidden).
If an eDirectory for UNIX server is configured to use SSL for LDAP communications, you will receive the following error when you select the option in iManager to set a Simple Password:
"Unable to determine universal password status"
To resolve this error, run the nmasinst utility on the eDirectory for UNIX server. The nmasinst utility lets you install login methods into eDirectory from a UNIX machine, and is required to run the Universal Password feature. The nmasinst utility is located in the \usr\bin\nmasinst directory.
The Dynamic Groups filter removes extended characters after saving if the Euro symbol is present. If the Euro symbol is not present, extended characters will display as hexadecimal values and the filter will function properly.
Problems exist with the eMBox Logger on the HP-UX platform. While the logger loads, errors might display.
iManager on HP-UX will install to the default directory of "/opt/hpws/" even if you requested a different path when installing the program.
Before starting Apache and Tomcat for iManager on HP-UX, you should export the following:
export SHLIB_PATH=/usr/lib:/usr/lib/nds-modules:$SHLIB_PATH
After iManager is installed on HP-UX, the default Tomcat memory setting is JAVA_OPTS="-Xmx256m" in the /opt/hpws/tomcat/bin/setenv.sh file. You can change this value if you want to allow Tomcat to use more memory. See the Tomcat documentation for more information.
If you want to change a user's password, and you are using Universal Password and NMAS Password Policies, you should use the Set Universal Password task in the Password Management role. This plug-in is installed if you are using Password Policies. It displays the Password Policy rules that you must comply with.
The Set Password task in the Help Desk role, and Modify User task in the Users role, don't display the Password Policy rules. If the password you create does not comply, you will receive errors, but no mention is made of the Password Policy.
The iManager installation program will not configure HTTP SSL if you already have an existing Apache or IIS Web server installed. If Apache is installed, the SSL connection is set up automatically. For more information on configuring IIS to use SSL, see the Microsoft Knowledge Base Web site.
If you change the server IP address after you've installed iManager, multiple problems could occur. We recommend re-installing iManager if the server IP address is changed.
When using an English-only JRE, you will receive errors when you attempt to read or modify a login script or any other Stream type attribute in iManager. The servlet engine (Tomcat) will need to use an international version of the JRE or a JDK to solve this problem.
If you install iManager 2.0.1 on a server running eDirectory 8.6.2 (NetWare 6, for example), the file copy completes, then the install checks for the required eDirectory version (8.7.1). Since the required eDirectory version is not found, the configure portion of the iManager installation does not run. As a result, iManager does not function (that is, you won't be able to log in to iManager).
If the task wizard won't redirect when you are creating a task, try the following:
From a browser, enter the URL to log in to iManager (for example, http://ip_address/nps/iManager.html).
On the wizard screen, click Next.
If the URL appears valid to the wizard, it will complete the following:
If no <form> tags are present in the HTML, the wizard will display the default page which will prompt you to manually enter the desired parameters.
If you receive a "Create request for DNS server failed" error, this may indicate that there are problems with eDirectory. Specifically, it is probably because there aren't any NetWare servers in the tree, the NetWare servers do not have the DNS/DHCP service installed, or the DNS/DHCP service is unavailable.
iManager can lose its context when multiple logins are made simultaneously to different eDirectory servers. If you open a new browser window by launching Internet Explorer again, the two windows do not conflict and you can have two different instances. If you open a new window from inside the current browser, it uses the same Java session, so the windows share the connection (opening a new window this way is not supported because it uses the same session).
An IP address is accepted for the eDirectory server to log in to when using the Login To a Different Tree feature of iManager. If the user is having SAP/SLP issues, using an IP address may be the only way that they will be able to log in.
The following is a startup script for Solaris that will start Apache and Tomcat on a reboot:
#!/bin/sh
# Example startup file for Novell Apache and Tomcat
# Configuration for iManager
# file: imgr
case "$1" in
'start')
    # Tomcat must be up before Apache starts forwarding requests to it
    echo "Starting Tomcat4 iManager..."
    /var/opt/novell/tomcat4/bin/catalina.sh start
    /usr/bin/sleep 10
    echo "Starting Apache for iManager..."
    /var/opt/novell/httpd/bin/apachectl startssl
    ;;
'stop')
    echo "Stopping Apache for iManager..."
    /var/opt/novell/httpd/bin/apachectl stop
    echo "Stopping Tomcat4 for iManager..."
    /var/opt/novell/tomcat4/bin/catalina.sh stop
    ;;
*)
    echo
    echo " Usage: imgr [start | stop ]"
    echo
    ;;
esac
The following is a sample script for creating /dev/random on Solaris:
#!/usr/bin/ksh
# Set up Solaris random device from patch 112438 without reboot
# Moderate error checking only since this should be straightforward.
#
# (c) 2002 Andrew J. Caines. Permission to modify and distribute is
# granted on condition the copyright message is included and modifications
# are clearly identified.
#
# Incorporating suggestions and changes from these SunManager list members:
# Thomas Anders <anders@hmi.de>, Dan Astoorian <djast@cs.toronto.edu>,
# Prümm Gerd <gerd.pruemm@alcatel.ch>, Adam Mazza <adam@68e.com>.
# Script rewrite for functional changes and reliability improvement based
# on contribution from Jeff Bledsoe.
PATH=/usr/bin:/usr/sbin
Patch=${Patch:-112438} # Just in case it ever changes
# Set up tempfile
TmpFile=/tmp/.$$.$RANDOM ; rm -f $TmpFile ; touch $TmpFile; chmod 600 $TmpFile
function bailout
{ echo "$*. Exiting" >&2 ; exit 1
}
# Check patch is installed
echo "Checking for patch $Patch...\c"
if showrev -p | egrep -s "^Patch: ${Patch}-"
then echo " installed."
else bailout " not installed. Install it and try again."
fi
# Activate random kernel module with workaround for module dependency problem
echo "Removing random device from name_to_major"
name_to_major=$(</etc/name_to_major)
echo "$name_to_major" | sed '/random/d' > /etc/name_to_major
# Add driver to create device nodes and load module
echo "Adding driver to system"
add_drv -m '* 0644 root sys' random || bailout "Driver random failed to add"
echo "Creating link to /dev/random from /kernel/drv/random"
ln -s /kernel/drv/random /dev/random
# Report results
echo "Finished. You now have the following random devices:"
ls -l /dev/*random /devices/pseudo/random@0:*random
# Test
echo "Do you want to test the new device? (y/n) \c"
read yn
case $yn in
    [Yy]*) echo "Running: dd if=/dev/random of=$TmpFile bs=512 count=1"
           dd if=/dev/random of=$TmpFile bs=512 count=1
           echo "Running: strings $TmpFile"
           echo "You should see a few lines of random garbage:"
           ;;
    [Nn]*) echo "Your blind faith will be rewarded in the next life."
           echo "Your reward confirmation code is:"
           ;;
esac
strings $TmpFile
rm -f $TmpFile
exit 0
################################################################################
# The remainder of this script never runs, but is left as reference for use
# and locations of the relevant data and commands.
# Find device major
major=$(nawk '/^random/{print $2}' /etc/name_to_major)
# Make pseudodevices for both devices
echo "Making device nodes."
mknod /devices/pseudo/random@0:random c $major 0
mknod /devices/pseudo/random@0:urandom c $major 1
mode=$(nawk '/^random/{print $2}' /etc/minor_perm)
user=$(nawk '/^random/{print $3}' /etc/minor_perm)
group=$(nawk '/^random/{print $4}' /etc/minor_perm)
chown $user:$group /devices/pseudo/random@0:*random
chmod $mode /devices/pseudo/random@0:*random
# Make dev links
echo "Making device links."
cd /dev
ln -s ../devices/pseudo/random@0:random /dev/random
ln -s ../devices/pseudo/random@0:urandom /dev/urandom
# load the module
echo "Loading driver."
modload /kernel/drv/random
# Prime the pump with half-decent data source
echo "Priming entropy pool."
alias primepool='dd if=/dev/mem bs=512 count=16 2>&- | crypt $RANDOM'
primepool > /dev/random 2>&- # Gives "/dev/random: cannot create"
primepool > /dev/random # Runs fine
There is currently a problem in iManager when a call is made to SetPassword. After the call, eDirectory resets the Password Expiration Date back to January 1st, 1992. This causes problems with User objects that have "Force periodic password changes" enabled.
There are a couple of symptoms to this problem:
An incorrect password expiration date is set for users that are created from a Template or from another user when "Force periodic password changes" is enabled.
After using the "Set Password" task in iManager, for users that have "Force periodic password changes" enabled, the user is required to change their password the first time that they log in.
The way to prevent the problem is to manually set the Password Expiration Date in the "Restrictions->Password Restrictions" property page of the User object after creation (from a template) or after setting their password.
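The following added example (not part of the Novell readme or of iManager) shows one way to find the User objects whose expiration date was reset, so that the date can then be corrected on the Password Restrictions page. It assumes an LDIF export that uses eDirectory's LDAP attribute names passwordExpirationTime and passwordExpirationInterval, and that the interval attribute is present when "Force periodic password changes" is enabled; the sample entries and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: find users whose expiration date shows the SetPassword reset.
# Assumption: the export carries passwordExpirationTime as GeneralizedTime
# (YYYYMMDDhhmmssZ) and passwordExpirationInterval only for users that have
# "Force periodic password changes" enabled. Folded LDIF lines are not handled.

# Constructed sample export; names and dates are hypothetical.
sample_users() {
cat <<'EOF'
dn: cn=alee,ou=sales,o=acme
passwordExpirationInterval: 7776000
passwordExpirationTime: 19920101000000Z

dn: cn=bkhan,ou=sales,o=acme
passwordExpirationInterval: 7776000
passwordExpirationTime: 20040315120000Z

dn: cn=svc-backup,o=acme
passwordExpirationTime: 19920101000000Z
EOF
}

# Prints the DN of every entry that has an expiration interval and an
# expiration time whose year is 1992 or earlier.
reset_expiration_users() {
    awk '
        function emit() {
            if (dn != "" && interval && year != "" && year + 0 <= 1992) print dn
            dn = ""; interval = 0; year = ""
        }
        /^dn: /                         { emit(); dn = substr($0, 5); next }
        /^passwordExpirationInterval: / { interval = 1 }
        /^passwordExpirationTime: /     { year = substr($2, 1, 4) }
        END                             { emit() }
    '
}

# Demo run on the constructed sample.
sample_users | reset_expiration_users
```

The account without an expiration interval is skipped because the symptoms described above only affect users with periodic password changes enforced.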
An "Unexpected end of part" error may be encountered during module package install when running iManager on a Windows IIS Web server with Tomcat. This is due to a known issue with uploading files through the Tomcat redirector for IIS. To successfully run a module package install, connect to iManager directly through Tomcat (for example, through port 8080).
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2002-2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
U.S. Patent No. 5,157,663; 5,349,642; 5,455,932; 5,553,139; 5,553,143; 5,572,528; 5,594,863; 5,608,903; 5,633,931; 5,652,859; 5,671,414; 5,677,851; 5,692,129; 5,701,459; 5,717,912; 5,758,069; 5,758,344; 5,781,724; 5,781,733; 5,784,560; 5,787,439; 5,818,936; 5,828,882; 5,832,274; 5,832,275; 5,832,483; 5,832,487; 5,850,565; 5,859,978; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,878,434; 5,884,304; 5,893,116; 5,893,118; 5,903,650; 5,903,720; 5,905,860; 5,910,803; 5,913,025; 5,913,209; 5,915,253; 5,925,108; 5,933,503; 5,933,826; 5,946,002; 5,946,467; 5,950,198; 5,956,718; 5,956,745; 5,964,872; 5,974,474; 5,983,223; 5,983,234; 5,987,471; 5,991,771; 5,991,810; 6,002,398; 6,014,667; 6,015,132; 6,016,499; 6,029,247; 6,047,289; 6,052,724; 6,061,743; 6,065,017; 6,094,672; 6,098,090; 6,105,062; 6,105,132; 6,115,039; 6,119,122; 6,144,959; 6,151,688; 6,157,925; 6,167,393; 6,173,289; 6,192,365; 6,216,123; 6,219,652; 6,229,809. Patents Pending.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
All third-party trademarks are the property of their respective owners.