History of Issues Resolved in eDirectory 9.x

This document (7016794) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory 9

Situation

This TID documents all patches and fixes for eDirectory 9.x.

9.x Readme Addendum:
https://www.novell.com/support/kb/doc.php?id=7016790

For a list of patches and issues resolved for iManager 3.x please refer to the following:
https://www.novell.com/support/kb/doc.php?id=7016795

For a list of patches and issues resolved for eDirectory 8.8.x please refer to the following:
https://www.novell.com/support/kb/doc.php?id=3426981

Additional Information

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.4
September 2017
NDSD: 40006.33

NDSD
- Enhancement: stream files and NMAS methods are now updated atomically  (Bug 1055152/894911/946883)
- Enhancement: Windows 2016 has been added as a supported platform  (1006762)
- Enhancement: RHES 7.4 is now a certified platform  (Bug 1058328/1055410)
- Enhancement: non-root support has been added to the RHES 7.x platform  (Bug 1051591)
- Nds.conf settings are getting duplicated  (Bug 1033046)
- High utilization when performing searches for group members and dynamic groups  (Bug 971733)
- Secure Renegotiation disabled  (CVE-2009-3555)  (Bug 1032264)
- Concurrent reads and writes of stream attributes were resulting in error: -255  (Bug 1045468)
- EBA upgrade for server is successful when EBACA is not present in the replica ring  (Bug 992825)
- Crash during unloading of ebasrv.dlm  (Bug 1032013)
- Dhost.exe crashing while adding a server  (Bug 932625)
- Upgrading the R/W server to host EBACA fails with a -603  (Bug 1008754)
- Login restrictions not enforced when using the ebaclientinit utility  (Bug 1029077)
- When EBA is disabled the EBA modules are still being loaded  (Bug 1041865)
- Existing connection is being used even though server is upgraded to EBA  (Bug 1005473)
- Some auxiliary attributes are lost during an object move  (Bug 1045532)
- Indexes with duplicate names were being added  (Bug 1022980)
- Event loopback when writing Reciprocal attributes  (Bug 1030591)
- NDSD core in ReportAddOrModifyEntry when bulk load returns error -601  (Bug 1033639)
- -610 error when querying for members in a nested group  (Bug 1044192)
- Jclient now supports MOT transactions  (Bug 1013202)
- Dclient: secretStore security object not created and UserAPP fails to install  (Bug 1026810)
- EBA: -702 is thrown on init then shuts down if TCP address is missing from replica attribute  (Bug 1034851)
- Multiple instances of NDSD getting loaded  (Bug 989026)

LDAP
- Debug option "-d" in ldapsearch is only working for successful LDAP operations  (Bug 917767)
- Enhancement: FLAIM's current transaction id now returned via cn=monitor  (Bug 1023904)
- CN=monitor search returns "objectclass" along with the attribute specified in the request  (Bug 962545)
- "Dump to ndsd log file" logged to the ndsd.log on each cn=monitor search  (Bug 1010126)
- Looping when trying to read a nested group  (Bug 1044191)
- Valid search filter along with an invalid filter does not return any members for dynamic group with an OR choice  (Bug 1026621)
- SASL bind fails using P-256 user certificates and the LDAP server has P-384 certificates and a SuiteB 128 cipher level (Bug 977764)
- Set disablecount to 0 in the case of a paged control isLocalTree() failing due to no replica  (Bug 1044534)
- Monitor search returns the data for the parent object if the base object is not present  (Bug 962927)
- Unable to unload DSLDRModule error when unloading nldap module  (Bug 1006512)
- LDAP Server trace does not list all the attributes in the SSS control sort key list  (Bug 1007482)
- Paged control is ignored for sub-ref server  (Bug 1009699)
- New control to skip counting of entries causes paged result control to return just the first page  (Bug 1009947)
- Persistent searches not working correctly after patching to 9.0.2  (Bug 1030317)

PKI
- Prevent Suite B from being enabled if EC CA is not present  (Bug 961495)
- eDirectory CA pem file not created when deleted or modified in eDirectory.  (Bug 1019107)
- Exporting ECDSA 384 user certificate fails with error code -1232 when tree CA is a subordinate CA  (Bug 1026608)
- NDSD crash on Subordinate CA during upgrade if CA's certificate LDAP CRL DPs are not reachable  (Bug 1031235)

UTILITIES
- Enhancement: dsbrowse and dsedit now work without requiring Windows interactive support  (Bug 942236)
- Windows 2016: prevent interactive service detection when selecting NDSConsole - DS - Configure  (Bug 1060846)
- Ndslogin "-n" switch now toggles between NMAS and NDS hash password methods  (Bug 961646)
- Windows repair now has an option to get de-fragmentation stats  (Bug 936718)
- Windows: file not found seen when attempting to open the dsrepair log file  (Bug 1029426/1029253)
- Windows: unable to enable EBA option in dstrace  (Bug 963929)
- Old dstrace flags WANM, DRLD & DRLK removed  (Bug 990961)
- Ndscheck prints the date twice  (Bug 1008454)
- Diagnostic Logger throws "invalid context" error (-670)  (Bug 1009481)
- RPATH added to OpenLDAP utilities  (Bug 1048381)
- RPATH added to the rbLdapConfig binary  (Bug 959921)
- Edirutil tool of embox should use JRE installed by customer  (Bug 1041920/1043974)
- eMBox: health check reports eMBox is down even if up  (Bug 138866)
- DSBK restore not creating a log file or logging information if there are invalid options given  (Bug 941719)
- Invalid -663 error logged in the ndsd.log the first time eDirectory is configured  (Bug 1006427)
- DSE_IMPERSONATE event added as a SNMP trap for LDAP proxy authentication  (Bug 957275)
- Ndsconfig now configures a new tree if a terminal is not allocated to the ssh session  (Bug 1057014)
- Ndsconfig fails to upgrade the server if the password used contains a double quote  (Bug 1013227)
- Installation now prevents a new installation on a BTRFS volume  (Bug 1049570/1037935)
- Install script now shows the "-b" option if the same version is detected  (Bug 959046)
- Installation: unable to configure an eDirectory server with a default configuration file path and non-default instance path  (Bug 982543)
- Installation: installation fails on a SLES 12 SP2 server running the ZENworks Agent  (Bug 1038018)
- Installation on Windows in a custom location would result in "Location error" if the default path is used  (Bug 929177)
- Installation pre-populating admin name and context on Windows  (Bug 1011146)
- Installation: NDSD should pre-parse the nds.conf and report if there are duplicate entries  (Bug 991995)
- Address is not printing correctly in inbound connection table  (Bug 956029)
- Ndspath and LD_LIBRARY_PATH have been removed from nds-install  (Bug 1049567)
- Only background process name should be present in a cn=monitor response  (Bug 959547)
- iMonitor: event statistics showing some handler flags as unknown  (Bug 1025608)
- iMonitor: timestamp of "Connection" event is incorrect in event trace  (Bug 1031835)
- iMonitor: showing unknown as the verb name for verb number -135  (Bug )
- iMonitor: showing IP address in hexadecimal format  (Bug 1030826)
- iMonitor: incorrect calculation of transaction id  (Bug 1023422)
- iMonitor: agent configuration displays wrong information when browser's language is French  (Bug 1039288)
- ICE now accepts password through an environment variable  (Bug 1029809)
- Now able to get/set the ldapsslconfig attribute through ldapconfig  (Bug 1006425)
- "DHost" and "ndsconfig set" options for setting sadmin password have been removed  (Bug 953008)
- Advanced options are not seen on Windows if dsrepair is loaded with the -a switch  (Bug 1029465)
- DHOST hconvserv: iConsole does not show all NCP engine interfaces  (Bug 445967)
- Set ndstrace=!M in ndstrace prompt makes cache size to 0 bytes in _ndsdb.ini file  (Bug 1044504)

AUDIT
- NDSD dumping core while loading/unloading XDAS module  (Bug 996268)
- XDAS: login events have correct initiator but wrong target  (Bug 1007178)
- XDAS: no events are generated for failed creation, modification and deletion  (Bug 1028696)
- XDAS events are not generated for object search operation through iManager  (Bug 1029030)
- No event generated when XDAS auditing is stopped or unloaded.  (Bug 1029255)
- XDAS now correctly reports TargetUsername as name of object restored  (Bug 1029290/1036523)
- XDAS: trust access events now correctly generated for group added or removed from a trustee  (Bug 1030025)
- XDAS: IRF addition now generates a "Grant Trust Access" event  (Bug 1030035)
- XDAS: no target name when attribute modification failed with -672  (Bug 1031002/1031020)
- Authentication Event is now thrown when NMAS performs a local authentication  (Bug 1008391)
- XDAS Enhancement: Exclusion Filter to suppress internal events  (Bug 1043974/894341/1037515)
- Not getting class information for delete failure events  (Bug 1031350)
- Getting a Create Data Item event for a DSE_REFERRAL event instead of Query event (Bug 1031350)
- Now getting target object as "Inherent MasK" for an IRF  (Bug 1031350)
- Now using the "Select All" button to select all the events: both DS and LDAP  (Bug 1030279)
- Xdasconfig.properties.template file in windows set to read only  (Bug 996165)
- Latest PA included: 2011.1r6  (Bug 1055934)
- IPv6 addresses not showing correctly in event data  (Bug 1031082)
- TCP connection created while XDAS auditing is not closed  (Bug 1027221)
- Caching now enabled by default in the "xdasconfig.properties" file  (Bug 1027358)
- Enabling XDAS caching as non-root user resets the permission for non-root user  (Bug 1032226)

OTHER
- Context leak in libhttpstk.so  (Bug 1048311)
- SAL Threads are not deallocating memory after the finish of thread  (Bug 989317)
- Some rpms had invalid execute bit  (Bug 959837)
- Merge in OES Vega fixes  (Bug 1038225/1049286)
- iManager plugin: blank page appears for 'Extend Schema'  (Bug 1050664)
- Plugin: not able to delete a user index in case of same name of user index is present.
- Plugin: ICE plugin is not working in iManager for Windows server version  (Bug 924604)
- Plugin: not able to set memberQueryURL with backslashes in filter through dynamic group plugin  (Bug 1004295)
- Plugin: text boxes added to input protocol and cipher string for ldapsslconfig attribute  (Bug 1006424)
- Plugin: can now add a value for Network Address Restrictions  (Bug 1030393)
- Plugin: plugin performing extra adds and deletes before adding a new value to Security Equals  (Bug 1030445)
- Plugin: "Upgrade XDAS Configuration" option is not working  (Bug 1031000)
- Plugin: now have an option to disable anonymous unauthenticated LDAP binds  (Bug 1028615)
- Plugin: NMAS Plugin is not updating the SasAuthorizedLogins attribute when re-Authorizing a method  (Bug 1000038)
- Plugin: PKI plugin does not display an error enabling Suite B on a NPKI CA that does not have an EC certificate  (Bug 995696)
- Plugin: DoubleClick should be allowed when selecting attributes in XDAS filtering  (Bug 1033958)
- Non-root builds do not bundle libtcmalloc (Bug 1031648)
- NICI Suite B changes  (Bug 1042596)
- Clean up some dependency issues  (Bug 955562)
- "--force --nodeps" added back to nds-install script for installing RPMs  (Bug 1051434)

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.3 Patch 1 (9.0.3.1)
July 2017
NDSD: 40005.13
JRE: 1.8.0_131

NDSD
- Error -610 when querying for members in a nested group  (Bug 1040160)

LDAP
- Persistent searches work erratically  (Bug 1035972)
- Under some conditions eDirectory loops reading a nested group (1042344)

NTLS
- eDirectory LDAP peer certificate validation issue  (Bug 977754)  (CVE-2017-9267)

OTHER
- Updated JAVA to: 1.8.0_131  (bug 1043096)
- PKI Plugin web shell upload vulnerability  (Bug 1036392) (CVE-2017-7429)
 
_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.3
April 2017
NDSD: 40005.12
JRE: 1.8.0_112
OpenSSL: 1.0.2k
NICI: 3.0.2
PA: 2011.1r8

NDSD
- NDSD crashes in DSRTraceString function due to buffer overflow.  (Bug 1016637)
- Memory leak on IDM server after upgrading to Patch 8.  (Bug 1026237)
- Dibclone is creating multiple active tree keys.  (Bug 998847/1019166)
- NDSD cores if there is an invalid filter in a dynamic group (cn=).  (Bug 1025231)
- Coring in NBiterator when an invalid LDAP paged search query is performed.  (Bug 1021625)
- Synchronization fails with error -608, object class values getting timestamped by ndsbackup.  (Bug 1022789)
- Windows crash while performing asynchronous writes in FLAIM.  (Bug 1022704)
- No results returned when the 33rd byte/character is a "space" or an "_".  (Bug 1016661)
- Maximum number of attributes allowed to be selected for compound indexes set to 5.  (Bug 1028635/1029265)
- Jclient memory leak when generating the association statistics for IDM drivers.  (Bug 1024013)
- Compound index management no longer supported via LDIF.  Plugin is used instead.  (Bug 1029811)
- Only the first match is returned when rights are assigned via a LDAP group.  (Bug 1020867)

LDAP
- Group membership attribute not being returned properly on all objects during buffer overflow.  (Bug 1001505)
- Ldapsearch does not return output when querying LDAPSyntaxes  (Bug 1005859)
- Added certificate_authorities TLS 1.2 session negotiation.  (Bug 1016244)
- The ldapSSLConfig attribute has the same ASN1 ID as ldapPermissiveModify.  (Bug 1015184)
- Searches for subschemaSubentry fail with error: illegal ds name (-610).  (Bug 1018225)

NMAS
- Nmasrefresh throws 1644 and does not update the method  (Bug 1020814)

PKI
- DNS name added in Subject Alternative Name for SSL CertificateDNS certificates.  (Bug 1025648)

NTLS\OPENSSL
- OpenSSL updated to 1.0.2k.  (Bug 1022481) (CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055)

NICI
- NICI updated to 3.0.2.  (Bug 1022993)

AUDIT
- Auditds crashing on Windows in LogEventExt.  (Bug 1030590)
- NDSD crashing while performing LDAP searches and NAudit is enabled.  (Bug 1030705)
- PA updated to 2011.r5 (2.0.2.80).  (Bug 1027384)
- eDirectory XDAS mapping needs to be simplified  (Bug 1018982)
- XDAS will follow Sentinel taxonomy.  (Bug 1006845)
- LDAP events are merged into DS events.  (Bug 991735/992054/1018982/1007603)
- NMAS auditing is merged into eDirectory XDAS event auditing.  (Bug 1014188)
- Roles have been replaced by Trust Management events.  (Bug 983607)
- New XDAS events "Associate Trust" and "Deassociate Trust" for monitoring the "Group Membership" modification.  (Bug 984949)
- Object class and attribute filtering now available for data item events.  (Bug 857989)
- "Login Failure" event is missing the correct SourceHost/IP information.  (Bug 979399)
- Auditing plugin now indicates select or deselect all is not applicable for query events.  (Bug 1028267)
- Special attributes which already have meta events should not be shown in the filtering attribute list.  (Bug 1028462)
- XdasConfiguration attribute value on server put into basic configuration.  (Bug 1028038/1030403/1029467)
- "xdasversion" attribute on the server object updated with a value of 2.   (Bug 1028038/1029467)
- "xdasDSConfiguration" attribute is now removed.  (Bug 1029300)
- Map group Member attribute to ASSOCIATE and DEASSOCIATE TRUST.  (Bug 1028693/1029259/1029502)
- Removal of the DATA ITEM OR RESOURCE ELEMENT CONTENT ACCESS events to simplify XDAS auditing.  (Bug 990217)
- NMAS will now always throw the DSE_VERIFY_PASS event for password verification.  (Bug 1029759)
- Mapped "DSE_NMAS_LOG_CHECK_PWD_SYNTAX_POLICY" event to QUERY_ACCOUNT_SECURITY_TOKEN event for password policy check.  (Bug 1029759)
- DSE_MODIFY_ENTRY mapped to Modify Account.  Trust and Data Item to report modification failures.  (Bug 1029349)
- New events, "Intruder Lockout" and "Account Unlock" added.  (Bug 1026813)
- Class name for user not present performing a simple bind when eDir allows local binds.  (Bug 1029011)
- Added mapping for Denial cases in Severity mapping and taxonomy mapping.  (Bug 1029473)
- Mapped the Equivalent To Me attribute to Associate/Deassociate Trust.  (Bug 1029676)
- Now reports Associate and Deassociate events for both Equivalent To Me and Security Equals.  (Bug 1030029)
- Terminate Session event has Initiator name set to [Public] instead of the name of user who logged off.  (Bug 1029754)
- "MODIFY_SERVICE_CONFIG" event is now thrown whenever the xdasconfiguration is changed.  (Bug 1026813)
- Fixed the "Modify Data Item Attribute" event for special objects.  (Bug 1027652)
- XDAS: Role Management Events not creating a DSE_ADD_VALUE  (Bug 1013785)
- NMAS XDAS events merged with eDir Event System and plugin  (Bug 1018984)
- Logins through iMonitor not populating correct Source IP  (Bug 1023336)
- Grant and Revoke Access events should be thrown from the trustee's point of view  (Bug 1027199)
- "Account Unlock" event should be thrown when an account is unlocked  (Bug 1027382)
- New events, "DSE_AUTHENTICATE" and "DSE_LOGIN_EX", showing as unknown in iMonitor.  (Bug 1008291\971940)
- Added a new event "Audit Config" to monitor xdas configuration changes.  (Bug 1027385)
- The attribute name is now correctly populated with the rights being granted/revoked to the user.  (Bug 1027601)
- Null values were received from "Enable/Disable Service" events.  (Bug 1028695)
- There is no XDAS event for checking passwords against password policies.  (Bug 1029759)
- No Modify Data Item event with DSE_MOVE_SUBTREE vendor code.  (Bug 1029729)
- UI changes.  (Bug 1020560/1027005/1027006)
- Account Management Events filters and Account Data Events filters should be independent of each other  (Bug 1024434)
- Account filtering should map only User classes by default.  (Bug 1027004)
- "Account Data Events" renamed to "Data Item Management Events".  (Bug 1027015)
- "Account Security Events" in XDAS iManager plugin changed to "Security Events".  (Bug 1027017)
- Grant and Revoke events moved to Security Events Section.  (1027095)
- Attribute filtering was not working for Error -603 as attribute ID was Invalid.  (Bug 1028455)
- Plugin: new event "Audit Config" is provided.  (Bug 1027587)
- XDAS plugin help page updated.  (Bug 1027292)
- NMAS methods not loading if auditing was enabled on Windows.  (Bug 1031669)
- "MODIFY_ACCOUNT" can now be used for monitoring events using "Class" filtering.  (Bug 858068)
- One bind is returning multiple redundant events.  (Bug 894373)
- XDAS: login failures can now be monitored through the "Create Session" event.  (Bug 978561/1006845)
- Option added for selecting/deselecting the NMAS events to be monitored through the iManager Auditing plug-in.  (Bug 982198)
- Attribute Value add/deletes now monitored via the "Create Data Item" or "Delete Data Item" events.  (Bug 984699)
- Source IP is not populated for a login made via the CertMutual login method.  (Bug 1008385)
- Connection ID information is missing for LDAP operations.  (Bug 1009314)
- Nested group creation no longer results in an ID_DYNAMIC_DN event.  (Bug 1029498)
- Updated mapping of NMAS events to XDAS events.  (Bug 978826/1027229)
- New DS event "DSE_CONNECTION" to track connections between components.  (Bug 1029335)
- Added group read to xdas-events.log.  (Bug 1023930)
- PA: the "Verify Password" authentication event from eDirectory is mislabelled as an account management.  (Bug 1020709)
- PA: observerHostName should have the name of the host eDirectory is running on.  (Bug 1029327)

UTILITIES
- iMonitor shows attribute names multiple times for value indexes created on syn_path syntax.  (Bug 1022477)
- ICE plugin quits processing LDIF entries after approx 100 errors.  (Bug 989034)
- Install: upgrades from 8.8 SP8 fail if SLES was first upgraded from 11 to 12.  (Bug 1024926)
- Dsrepair - "Synchronize the Replica on All servers" results in a dHost crash on Windows.  (Bug 1006991)
- EBAServerConfiguration attribute now correctly handled during a dibclone operation.  (Bug 994528)
- TSX lock elision seg fault from NICI resolved in ndsconfig.  (Bug 1012336/1022101)
- TSX lock elision seg fault resolved in ndsrepair.  (Bug 1024463/1022101)
- ICE now accepts password from environment variable.  (Bug 1005284)
- NDSD systemd service name shortened to ndsd.service.  (Bug 1013201)
- Index management plugin now allows for the creation and deletion of compound indexes.  (Bug 1017729/1029054)
- Ndsindex man page updated for compound indexes.  (Bug 1029814)
- Install: crash upgrading from 902 to 903.  Now install prompts to update PA if installed.   (Bug 1031891\1031856)

OTHER
- Document the change in certificate handling between OpenLDAP vs. CLDAPsdk

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.2 Hotfix 2 (9.0.2.2)
February 2017

LDAP
- Fixed parsing issue so that IDM also has the new eDir cn=monitor functionality.  (Bug 1010630)

OTHER
- IDM 4.6 support  (Bug 1023537/1023139)

NAUDIT\XDAS
- Connections via an Audit Connector fail due to Java rejecting a certificate signed with MD5  (Bug 1019041) (CVE-2017-5186)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above.  The previously used embedded certificate can no longer be used with Java 1.8.  This certificate issue has required the modification of the following components.  The updated files can be found on the respective product's patch page.

1019041/987162  – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
1019543\1011208 – IDM
1021391 – RBPM
1013758 - Naudit connector

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.2 Hotfix 1
December 2016
novell-NDSserv-8.8.8.9-1/nldap.dlm

LDAP
- If paged size is greater than the number of entries to be returned, then no results are returned  (Bug 1012208)

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.2
November 2016
NDSD: 40004.44
JRE: 1.8.0_102
OpenSSL: 1.0.2j-fips
PA: 2011.1r3 (2.0.2-79)

NDSD
- Old method of automatic attribute containerization is now enabled by default  (Bug 1005429/1005433)
- IDM engine Security Equals modification loops back on Subscriber channel  (Bug 988797)
- Repair switch -SXW now removes the attribute without timestamping object  (Bug 991993)
- NDSD now pre-parses the nds.conf and reports if there are duplicate entries  (Bug 991995)
- NDSD cores in FSGetDomain when performing heavy LDAP writes  (Bug 991996)
- Nessus scan shows potential Clickjacking vulnerability  (Bug 998565) (CVE-2016-9168)
- Includes a security fix to address potential access inconsistencies  (Bug 993219) (CVE-2016-9167)
- Socket leaks causing CIFS users to no longer access DFS junctions  (Bug 995731)
- Dynamic group memberQueryURL does not accept backslashes in filter  (Bug 1003313)
- DHost unable to shutdown when trace messages are being received in ndstrace  (Bug 985436)
- OES11SP3: NDSD crash when server is booting and in 'Unused' state afterward  (Bug 988802)
- EBA: Error: -2109(UAP_ERR_NMAS_API_INIT_FAILED) after tree rename  (Bug 961637)
- EBA: dlm's displaying all zeros for version
- EBA: Error -672 in iMonitor while accessing an EBA enabled server on Windows  (Bug 989476)
- Improved inherited ACL computation  (Bug 993219)
- Non-secure traffic still seen even when EBA is enabled for all servers  (Bug 992377)
- Upgrade no longer changes the value on the httpKeyMaterialObject attribute if 3rd party used (Bug 972602)
- Wrong environment variable listed at the end of the installation  (Bug 982741)
- Ndscheck now shows correct binary version  (Bug 982742)
- Installer no longer presents messages on overwrite  (Bug 985989)
- JRE: 1.8.0_102 included  (Bug 993491)
- Ldap search with both paged results and sort control returns no values  (Bug 998302)
- Ndsconfig now recommends to restart the service with "add" and "upgrade" options  (Bug 1006673)
- IDM 4.5.4 and 4.6 support  (Bug 1010889)

LDAP
- Intermittent long delays for normal LDAP searches  (Bug 988798)
- NDSD crashes in LDAP with multiple naming attributes  (Bug 988800)
- Search will always fail from 9.0 (-635) if a partition is present only on a 888 server  (Bug 1008711)
- Attempting to generate 512 byte keys when FIPS mode is enabled  (Bug 972268)
- Dynamic group searches are inconsistent and not going remote  (Bug 972598)
- Error: -601 returned when performing an LDAP search anonymously with server side sort control  (Bug 998575)
- Server Side Sorting of LDAP search results can now be based on multiple sort keys  (Bug 998714)
- Problems performing reverse order sorting with LDAP Server Side Sorting control  (Bug 998715)
- CN = monitor should be enhanced to properly handle JSON docs containing nested JSON objects  (Bug 1005307)
- New control OID introduced to disable count of entries in VLV/SSS ldapsearch  (Bug 1009457\1009684)

PKI
- Certificates now no longer have serial numbers greater than 20 bytes  (Bug 993855)
- PKI: Server Certificate creation fails with error: -1232  (Bug 993452)
- Enhancement: more granular control now possible over TLS 1.2 in LDAPS  (Bug 981740)  (TID 7017644)
- Enhancement: Ability to reissue CRL a few days before expiry (for external storage of CRL)  (Bug 996875)
- Can now successfully move the CA and CRL databases to another server  (Bug 978564/996233)
- Error: -1221 (PKI_E_INVALID_OBJECT) returned if CRL had a typeless name passed into the DN  (Bug 917789)
- Sscert.der failed to be exported to file system when CA is replaced with an external one  (Bug 944721)
- Certificates revoked are now re-created when the option is set  (Bug 959826)
- PKI health check now exports RC certificates with correct private key header and footer  (Bug 959890)
- Security libraries now have consistent embedded version and build information  (Bug 960022)
- Default certificates are not created when in SuiteB mode using a container admin  (Bug 981698)

XDAS
- The SysAddr field for eDirectory internal events should be populated with valid IP address  (Bug 988530)
- XDAS instrumentation truncates DNs at 68 bytes  (Bug 988570)
- DSE_ADD_ENTRY event is incorrectly mapped to the CREATE_ACCOUNT event  (Bug 992962)
- Filtering does not work properly  if both Audit and XDAS are loaded  (Bug 994788)
- Platform Agent 2011.1r3 (2.0.2-79) now included  (Bug 1004678)
- User gets multiple login events for a single Login  (Bug 1005771)

NTLS
- OpenSSL 1.0.2j-fips now included  (Bug 1000445/1002615/1004203)
- Ntls.log had improper permissions  (Bug 930311/1003637)
- Multiple potential vulnerabilities in OpenSSL libraries shipped with NTLS  (Bug 1000445)
CVE-2016-6304   H
CVE-2016-6305   M
CVE-2016-2183   L
CVE-2016-6303   L
CVE-2016-6302   L
CVE-2016-2182   L
CVE-2016-2180   L
CVE-2016-2177   L
CVE-2016-2178   L
CVE-2016-2179   L
CVE-2016-2181   L
CVE-2016-6306   L
CVE-2016-6307   L
CVE-2016-6308   L

OTHER
- Audit now has event for "Login Failed"  (Bug 996758)
- Fail to start SNMP subagent on RHEL6.8  (Bug 992053)
- Fail to start SNMP subagent on SLES11SP4  (Bug 1005600)
- Plugins: EBA plugin using old libraries resulted in iManager crashing  (Bug 990244)
- Plugins: Certificate server now has an option to extend the CRL validity time  (Bug 996454)
- HTTPSTK: Enhancement to disable the HTTPSTK module and ports  (Bug 872873)
- iMonitor: now uses high ciphers by default  (Bug 979830)
- Dibclone now strips the remaining two IDM attributes off the pseudo server  (Bug 876419)
- Execution of "ldapmodify.exe" fails with error  (Bug 1006172)

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.1 Hot Fix 2
August 2016
NDSD: 40003.39

NDSD
- Memory leak during synchronization.  (Bug 993898)

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.1 Hot Fix 1
August 2016
NDSD: 40003.38

NDSD
- Synchronization fails with error: End Update failed, no transaction is active (-770).  (Bug 989766)
- Enhancement: RHEL 6.8 is now supported.

_____________________________________________________________________________________________________________________
Issues resolved in eDirectory 9.0.1
June 2016

NDSD: 40003.37
OpenSSL: 1.0.1t-fips
NICI: 3.0.1
JAVA: 1.8.0_92

NDSD
- Security Vulnerability: Drown attack.  (CVE-2015-3197, CVE-2016-0800)  (Bug 973501\968046)
- Enhancement: added IDM support.  (Bug 971747)
- NTLS: OpenSSL updated to 1.0.1t-fips.  (Bug 979023)
- Java updated to 1.8.0_92.  (Bug 972455)
- Dibclone operation results in a change cache rebuild.  (Bug 972608)
- NDSD running out of file descriptors during a heavy write load.  (Bug 972600)
- System created index type inconsistent between servers.  (Bug 972601)
- Plugin: Importing schema with ICE fails due to bad parsing of multi-line attributes in a LDIF.  (Bug 976249)
- Dhost crash when adding a non-EBA server with Secret Store selected.  (Bug 932625)
- eDirectory cores when timestamp is not specified in JCReadReferenceFilter.  (Bug 972615)
- IRFs being incorrectly calculated over LDAP.  (Bug 972610)
- Invalid EIDs causing 618 errors are now cleaned up.  (Bug 972611)
- Ndsconfig not able to bind to an instance with a port higher than 32767.  (Bug 972604)
- Import schema from remote tree fails with error -699 if attributes have integer64 flag.  (Bug 972613)
- NDSD core in SizeOfReferral after immediately adding back a deleted server with same name.  (Bug 979277)
- NAM IDP:'Password expired' returned from LDAP when using a wrong but not expired password.  (Bug 972801)
- EBA not properly handling custom schema attributes with no OID defined.  (Bug 981216)
- NTLS: all anonymous ciphers are now disabled.  (Bug 978606)
- Modifies to EA were allowed in the clear.  (Bug 966658)
- Potential security vulnerability in cookie handling  (CVE-2016-5747) (Bug 972614)

LDAP
- Performance improvement in LDAP operations.  (Bug 957930)
- Installation: Upgraded LDAP servers no longer default to using export grade ciphers.  (Bug 979276)
- Using ICE NDSD cores libnldap after DoLBURPOperation.  (Bug 972607)
- Performance improvement when using ICE to modify.  (Bug 976838)
- LDAP plugin: cipher change now warns to reload NLDAP.  (Bug 972605)
- LDAP plugin: no longer allows an incomplete certificate to be associated to the LDAP server.  (Bug 972606)

NMAS
- LDAP pwd modify extended operation fails when uid is used as naming attribute.  (Bug 973136)
- Dhost.exe crashes in nmasLdap.dll when using NMASLDAP_CHANGE_PASSWORD_REQUEST.  (Bug 973147)
- NDSD cores after unloading an older SAML method and loading the new one.  (Bug 983271)

PKI
- Unable to revoke RSA certificates with a CRL DP after upgrade.  (Bug 962544)
- Cannot perform certificate revocation checks on eDirectory certificates using OpenSSL.  (Bug 973148)
- Plugin: import user certificate is failing with error message 'PKI-error-1214'.  (Bug 973149)

XDAS
- Enhancement: two new DSfW events: Associate Trust and Disassociate Trust.  (Bug 976939/976974)
- Unnecessary events are being returned.  (Bug 972599)
- Too many events returned for Enable Account and Disable Account.  (Bug 967048)
- Instrumentation uses the wrong events for user-group association.  (Bug 972485)
- Add/Remove Value and Modify Object events are sometimes missing the TargetAttributeName field  (Bug 972618)
- XDAS auditing over secure channel does not work with Sentinel 7.3.1.0  (Bug 972620)
- NDSD sometimes cores while unloading XDAS on RHEL 7.2.  (Bug 968625)
 
OTHER
- Installation: flag "-f" will now authoritatively downgrade from one patch to another.  (Bug 972623)
- Installation: improved to prevent major and minor downgrades.  (Bug 972622)
- Installation: can now install without errors using a relative path.  (Bug 972627)
- Installation: health check on Windows sometimes incorrectly states there are errors.  (Bug 982260)
- SLP is looking in /usr/local/etc/ for the slp.conf file  (Bug 974112)   
- Ndsbackup returns error that the API version is invalid.  (Bug 972624)
- Ndsbackup only allowed a remote server backup if the port was specified.  (Bug 972603)
- Nds-cluster-config modified to work with systemd.  (Bug 970661)
- Instrumentation files must now be manually upgraded  (Bug 976515)
- Environment variable NDSD_IGNORE_IDM_CHECK for change log module.  (Bug 977412)
   
_____________________________________________________________________________________________________________________
Issues resolved in the original FCS version of eDirectory 9.0.0
January 2016

NDSD: 40002.79
OpenSSL: 1.0.1q
PKI Plugin: 8.887.20160114
COLLECTOR: 2011.r3
NICI: 3.0
PA: 2.0.2-77
JAVA: 1.8.0_66

NDSD
- Enhancement: new platform support for Redhat 7.2.  (Bug 950323)
- Enhancement: attributes are marked but no longer automatically indexed when value >25 or > 2048.  (Bug 737743/894612)
- Enhancement: NCPEngine enhanced data payload from a maximum of 64K to 1MB.  (Bug 890561)
- Enhancement: Adjust packet queue length in async replication based on the packet size.  (Bug 891731)
- Enhancement: Async replication turned on by default.  (Bug 931608)
- Enhancement: Change cache rebuild is now multi-threaded.  (Bug 915907)
- Enhancement: Immediate Sync enhancement.  (Bug 903168/930004)
- Enhancement: janitor enhancement minimizes dib lock while calculating ACLs.  (Bug 373358)
- Enhancement: backups include a new option to clean up old RFL files.  (Bug 248631)
- Enhancement: the dsbk config now writes information about RFLs to the ndsd.log.  (Bug 248619)
- Enhancement: Hybrid Group support.  (Bug 637270)
- Enhancement: improvements for LDAP member searches when many nested groups exist under the basedn with no member.  (Bug 731164)
- eDirectory and plugins should bundle OpenLDAP SDK libraries.  (Bug 902195/920125)
- Fips mode variable "n4u.server.fips_tls" now set on by default in the nds.conf file.  (Bug 924615/920837)
- NDSD crashes due to parsing error when invalid entries exist in nds.conf.  (Bug 899708)
- eDirectory will not start if IPv6 is disabled using sysctl.  (Bug 878202)
- GUID value was improper at 9th and 10th byte.  (Bug 877031)
- Ndsrepair -T & ndstrace with VCLN tag hangs after exporting "SAL_LogLevels=LogAll".  (Bug 889744)
- Reference pointer not freed if getObjserverAddress returns error.  (Bug 868975)
- Random cores of NDSD when auditing is enabled for LDAP.  (Bug 851486)
- Unable to configure the maximum character limit for eDirectory indexes.  (Bug 864854)
- Cleanup to resolve potential flaim code issues.  (Bug 836948)
- Java updated to 1.8.0_66.  (Bug 919695)
- Platform Agent now bundled with eDirectory.  (Bug 932235)
- WAN Traffic Manager plugin removed from eDirectory plugins.  (Bug 916324)
- eDirectory plugins now allow for the management of nested groups.  (Bug 934486)

LDAP
- Enhancement: Proxied Authorization Control (RFC 4370) support added.  (Bug 773042)
- Enhancement: new values in bind value to differentiate anonymous bind and simple bind with no password.  (Bug 815519)
- Enhancement: LDAP monitor interface for the gathering of eDirectory health statistics.  (Bug 942058)
- SUITEB128ONLY mode support added.  (Bug 911639)
- SUITEB192 mode support added.  (Bug 911657)
- Plugins: option to disable SSLv3 through LDAP Plugin to prevent Poodle risk (128).  (Bug 914052)
- New bind restrictions for cipher added to LDAP server object.  (Bug 901862/905232)
- Memory leak in NDSD when LDAP configuration code is executed.  (Bug 952522)
- LDAP server not correctly handling CLDAP requests when the UDP datagram size exceeds the BER length.  (Bug 961099)
- RootDSE search now contains a more accurate chaining statistic.  (Bug 934250)
- BIO ctrl messages seen when trace level is set to critical.  (Bug 900559)
- Multiple issues identified: memory corruption and buildup.  (Bug 836936)
- LDAP plugins enhanced to allow Suite B cipher modes to be set.

NMAS
- NDSD_TRY_NMASLOGIN_FIRST is now set to true on the Windows platform.  (Bug 935372)
- Enhancement: if an AES256 tree key has been created UP passwords and keys are re-encrypted using new AES password key.  (Bug 887494)
- Enhancement: AES session keys can now be used.  (Bug 877035/926779)
- XIS unchecked return value.  (Bug 836960)
- XIS Uninitialized scalar variable.  (Bug 836960)
- Unused pointer value.  (Bug 836960)
- Dead default in switch.  (Bug 836960)
- Possible buffer overflow and some error conditions not taken care of.  (Bug 836953)
- Secret Store: potential buffer overflow and resource leak identified.  (Bug 836941)
- Memory corruption issue identified.  (Bug 836938)
- Enhancement: NMAS server binaries are no longer bundled inside the novell-NDSbase rpm.  (Bug 817833)
- SAML method not included.  (Bug 931402)

PKI
- Utilities updated to disallow the use of RSA server certificates when Suite B is enabled.  (Bug 911555)
- Create the SSECCert.der file for EC certificates.  (Bug 914912)
- Issue Certificate task of the PKI plugin always displays signature algorithm "SHA1 with RSA" in summary.  (Bug 863308/954569)
- During new installs the SSL CertificateDNS was not always getting associated to the http object.  (Bug 939629)
- Upgrade fails due to server having invalid data in the certificate's ip address extension.  (Bug 889896)
- "eDir-to-eDir Driver Certificates" plugin throws a NPKIAPI error when using the wrong plugin.  (Bug 883513)
- Modifying the CRL in the CA generates a System Error.  (Bug 883513)
- "Issue Certificate" task in PKI plugin displayed an incorrect algorithm in the last page.  (Bug 863308)
- SHA-2 is now the default signing algorithm for RSA certificates.  (Bug 919615/920844)
- Do not create EC certificate if there is no EC CA.  (Bug 916776)

NICI
- Enhancement: NICISDI health check added for key management and synchronization.  (Bug 84887)
- Enhancement: AES key support.  (Bug 494939)
- Enhancement: EC support.  (231607/175539)
- Enhancement: Now uses OpenSSL FIPS evaluated crypto library.  (Bug 266290)

NTLS
- Enhancement: Now uses and checksum-verifies the included OpenSSL 1.x crypto libraries.
- Updated to disallow export, low and medium ciphers when TLS 1.2 is used in Fips mode.  (Bug 911769)

XDAS
- XDAS framework can now use TLS to connect to Sentinel 7.3.1.0 and above.  (Bug 952602)
- Loss of an event when auditing (tcp) server is restarted.  (Bug 790885/803257)
- NDSD cores when an incomplete configuration is specified in xdasconfig.properties.  (Bug 895478)
- When deleting an attribute from a class an event was not thrown.  (Bug 857174)
- Multiple issues found: potential buffer overflow and unchecked returns.  (Bug 836952/836950)
- Enhancement to log EBA events.  (Bug 960199)

DSREPAIR
- Enhancement: dsrepair.dlm no longer requires interactive services detection.  (Bug 942232)
- Multiple issues identified: resource leaks, buffer overflow and error conditions.  (Bug 836940)

IMONITOR
- Enhancement: iMonitor now shows EBA health on Agent Health screen.  (Bug 953749)
- After changing a user's rights they cannot login to imonitor unless NDSD is restarted.  (Bug 870938)
- Generating and running multiple reports at once cores NDSD.  (Bug 751470)

NDSTRACE
- While printing timestamp ndstrace truncates the milliseconds incorrectly.  (Bug 867978)

ICE
- Using ice with authsaml.sch the expected syntax for authsamlProviderID is SYN_CE_STRING.  (Bug 778773)
- Multiple crash and memory leak issues identified.  (Bug 836954)

SNMP
- Multiple issues identified: resource leak, string overflow and uninitialized variables.  (Bug 836934)
- Langman: wrong pointer arithmetic.  (Bug 836933)

TSANDS
- Explicit null dereferenced.  (Bug 836959)
- Resource leak discovered.  (Bug 836959)
- Invalid Copy into a fixed size buffer.  (Bug 836959)
- Write to pointer after free.  (Bug 836959)

DSI
- Control flow issues.  (Bug 836955)
- Memory corruptions.  (Bug 836955)
- Buffer not null terminated.  (Bug 836955)
- Dereference after null check.  (Bug 836955)
- Missing break in switch.  (Bug 836955)

OTHER
- Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded.  (Bug 920328)
- Instrumentation updated to report EBA events.  (Bug 935719)
- Utilities updated to prevent replica operations that would break EBA.  (Bug 915556)
- Ndslogin has a new switch "-n" to prevent a NMAS authentication.  (Bug 927004)
- Ndscheck updated to display EBACA validity information.  (Bug 956943/960654)
- Install: The attribute that is not found is now displayed during initial configuration.  (Bug 773827)
- Install: Registry entries left over after uninstalling NICI on Windows.  (Bug 622222)
- Install: New ndsconfig switch for EBA: CONFIGURE_EBA_NOW.  (Bug 927538)
- Backups should have the default of leaving the RFLs in place.  (Bug 248622/248621)
- Ndsconfig now checks for invalid log levels.  (Bug 139050)
- Diagpwd: new option "-t" to re-encrypt UP if AES256 tree key is present.  (Bug 961109\885851)
- CLDAP SDK moved to an OpenLDAP based SDK.    (Bug 919611\942904)
- Kerberos Password Agent (KPA) krbLdapConfig utility now uses the OpenLDAP libraries.  (Bug 924624)
- Plugins: Encrypted Attributes feature updated to support AES256 keys.  (Bug 955389)
- SDIdiag enhanced to provide information about the tree key.  (919615)
- NMAS_LDAPExt and Nldapextd updated to extend OpenLDAP C SDK.  (Bug 933447/852520)
- NDSSNMP updated to depend on the OpenLDAP SDK.  (Bug 867551)
- Proxy Authorization Control sample added to the OpenLDAP SDK.  (Bug 919612)
- Ndspassstore changes for Suite B support.  (Bug 877264)
___________________________________________________________________________________________________________________

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016794
  • Creation Date:25-AUG-15
  • Modified Date:02-OCT-17
    • NetIQeDirectory
