For the latest information about Novell® Nsure™ Identity Manager 2.0.1, refer to the documentation located at the Novell Product Documentation Web site.
You can view the documentation online in HTML or download a copy in PDF format.
The latest Readme file is also available online at the same location.
If you choose to install the iManager plug-ins for Identity Manager, you must provide valid authentication credentials to your iManager server. If authentication fails, you can return to the previous screen, deselect the plug-ins, and continue the installation.
You might also see this error if your iManager server is not running properly. Ensure that you can log into the iManager server (http://<host-or-ip address>/nps/iManager.html). If you can log into iManager, try installing the plug-ins again.
If you are installing Identity Manager on a NetWare® server with a CD mounted as an NSS volume, make sure that NetWare 6.5 SP2 or CSP11 is installed first.
If you install the NetWare upgrade after DR1, the older iManager plug-ins are installed. If the older plug-ins are installed, you might see errors about missing methods. If this occurs, re-install the iManager plug-ins from Identity Manager over the CSP installation.
If you are installing Identity Manager on NetWare and do not have JVM* 1.4.2 installed, you might see an error stating, "A fatal error has occurred. This program will terminate. You may check sys:\ni\data\ni.log for more details after you dismiss this dialog. Tree not initialized yet..."
You should upgrade to JVM 1.4.2 to resolve this issue. The JVM is available from Novell Product Downloads.
If you are using NetWare 6.5, ensure that you have the eDirectory 8.7.3.2 IR or later field patch from Novell Support. This release includes an updated dsloader.nlm that fixes this issue.
When upgrading from eDirectory™ 8.6.2 to 8.7.1, an older version of the dxevent package is installed. The installation begins to copy files, but fails with the following error:
"file /usr/lib/nds-modules/libdxevent.la from install of NDSdxevnt-1.1.1-1 conflicts with file from package novell-DXMLevent-2.0.0-14
file /usr/lib/nds-modules/libdxevent.so from install of NDSdxevnt-1.1.1-1 conflicts with file from package novell-DXMLevent-2.0.0-14
%% Unable to install NDSdxevnt, Exiting..."
To fix this problem, complete the following procedure:
Before running the eDirectory 8.7.1 installer, go to the eDirectory Linux/Setup directory.
Enter rpm -ivh --force NDSdxevnt-1.1.1-1.i386.rpm to do a forced install of the NDSdxevent package.
Run the eDirectory nds-install script to remove or replace the eDirectory packages, and perform the upgrade from eDirectory 8.6.2 to 8.7.1.
When the eDirectory installation is complete, reinstall Identity Manager 2.
When you are creating a driver set or shortly after Identity Manager loads, the ndsd (eDirectory) process shuts down unexpectedly without a core dump. The /var/nds/ndsd.log contains the following message, "Exception java.lang.OutOfMemoryError: requested -569704448 bytes for char in /export1/jdk/jdk1.4.2/hotspot/src/os/solaris/vm/os_solaris.cpp. Out of swap space?" (The exact number might vary.)
To fix this issue, complete the following procedure.
This error might also disappear if you add more memory to the computer hosting eDirectory.
When upgrading from Novell eDirectory 8.6.2 to 8.7.1, an older version of dxevent.dll gets installed. When you try to start a driver, you encounter the following error, "Unable to start the driver. com.novell.admin.common.exceptions.UniqueSPIException: (Error -783) The DirXML Interface Module(VRDIM) is not currently loaded into NetWare or into DHost."
To fix this problem on Windows*, copy dxevent.dll from the NT\DirXML\Engine directory on the CD image to the c:\novell\nds directory on the server.
To fix this problem on NetWare, copy dxevent.nlm from the NW\DirXML\Engine\System directory on the Identity Manager CD image to the SYS:SYSTEM directory on the server.
If you upgrade eDirectory on your Identity Manager server, you might see the following error: "UniqueSPIException error -783:" To resolve this issue, log into iManager; in the DirXML Overview, remove the server listed for the Driver object, then re-associate the server to the Driver object.
If you are running Identity Manager on UNIX*, you need to install the Simple Password method. This is located on your eDirectory Installation media.
Run nmasinst.
Type nmasinst -addmethod <admin.context> <treeName> </Download/eDir873/SimplePassword/config.txt> [-h hostname[:port]] [-w password]
When an administrator creates a new user and password, it is preferable to have the password expire immediately, so that the users create their own passwords.
This feature has been provided in past versions of Novell eDirectory™ for the NDS® Password. If a password expiration setting was in place, administrator-created passwords were automatically expired.
For Universal Password, you need NMAS™ 2.3.4 to support this feature. As with NDS Password, use of this feature depends on the password expiration setting. If you have the password expiration setting enabled in the Password Policy (in Advanced Password Rules, named "Number of days before password expires (0-365)"), then administrator-created passwords are expired.
If you are installing Identity Manager in a multi-server environment, and use some of the Password Management plug-ins in iManager, you might see an error that begins with "NMAS LDAP Transport Error."
One common cause of this error is that the PortalServlet.properties file is pointing to an LDAP server that does not have the NMAS extensions that are needed for Identity Manager. Open the PortalServlet.properties file and make sure the address for the LDAP server is the same server where you installed Identity Manager.
Other possible causes:
After implementing Universal Password, NDPS, ZEN, NILE (SSL connections), and SLPDA might not load. This is an application problem; the auto-generated passwords created by these applications might violate Password Policies.
The workaround is described in TID 10092957 and a patch will soon be available.
If you create a Password Policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create Password Policies.
For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the Password Policy.
If you later disable Universal Password in the Password Policy, the existing password settings that you had are no longer ignored; they are enforced for NDS Password.
In the initial release of Identity Manager 2, the Password Self-Service functionality assumed that the LDAP SSL port was port 636, unless a different port was specified in the PortalServlet.properties file in the keypair LDAPSSLPort=your_port_number.
In this release, the Password Self-Service functionality assumes that the LDAP SSL port is the one noted in the PortalServlet.properties file in the keypair System.DirectoryAddress, unless a different port is specified in the PortalServlet.properties file in the keypair LDAPSSLPort=your_port_number.
No action should be necessary to accommodate this change if you require TLS for simple bind (the default setting for the LDAP Group-Server object), because the LDAP SSL port should be the port noted in the PortalServlet.properties file in the System.DirectoryAddress setting.
The only case in which you should need to add the keypair LDAPSSLPort=your_port_number to the PortalServlet.properties file is if you choose not to require TLS for simple bind, and your LDAP SSL port is different from the port noted in the System.DirectoryAddress setting in the PortalServlet.properties file.
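The port rule above, worked through in code. This is an added example, not Novell's code; it assumes System.DirectoryAddress is written as host:port and that PortalServlet.properties uses plain key=value lines.

```python
# Added example, not Novell's code: applies the PortalServlet.properties port
# rule described above and flags the one case that needs an explicit LDAPSSLPort.
# Assumptions: System.DirectoryAddress is written as host:port, and the
# properties file uses plain key=value lines.
from typing import Dict, Optional

INITIAL_RELEASE_DEFAULT = 636  # port the initial Identity Manager 2 release assumed


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def directory_port(props: Dict[str, str]) -> Optional[int]:
    """Port component of System.DirectoryAddress (assumed host:port), if any."""
    _, sep, port = props.get("System.DirectoryAddress", "").rpartition(":")
    return int(port) if sep and port.isdigit() else None


def ssl_port_initial_release(props: Dict[str, str]) -> int:
    """Identity Manager 2.0 behaviour: LDAPSSLPort if set, otherwise 636."""
    return int(props.get("LDAPSSLPort", INITIAL_RELEASE_DEFAULT))


def ssl_port_this_release(props: Dict[str, str]) -> Optional[int]:
    """Identity Manager 2.0.1 behaviour: LDAPSSLPort if set, otherwise the
    port of System.DirectoryAddress."""
    if "LDAPSSLPort" in props:
        return int(props["LDAPSSLPort"])
    return directory_port(props)


def needs_ldapsslport(props: Dict[str, str], tls_required_for_simple_bind: bool,
                      actual_ssl_port: int) -> bool:
    """True only in the case the readme calls out: TLS is not required for simple
    bind, no LDAPSSLPort is set, and the real SSL port differs from the port in
    System.DirectoryAddress."""
    if tls_required_for_simple_bind or "LDAPSSLPort" in props:
        return False
    return ssl_port_this_release(props) != actual_ssl_port


# Constructed sample: clear-text port in the directory address, SSL on 636.
SAMPLE = """# PortalServlet.properties (constructed sample)
System.DirectoryAddress=ldap.example.com:389
"""
```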
Challenge Response questions require a user to provide answers to prove his or her identity. If you want NMAS to ignore case when validating Challenge Response answers, use NMAS 2.3.4 or later.
When setting the Universal Password on Linux*, you might see an increased number of TCP connections, which could lead to an eDirectory shutdown. To correct this issue, download and install TID2969057 for NMAS 2.3.4.
If you are encountering problems with the iManager Set Universal Password task, you need to make sure that the "TLS is required for Simple Bind" setting has been enabled. You set this option by editing the LDAP server object properties in iManager.
This is a requirement only for this task. The portal content builds this SSL connection upon request, but iManager requires it to be done at login.
If you see an error saying that a Password Policy is not assigned to a user from the Set Universal Password task, and you know that the user does have a Password Policy assigned, SSL might be the issue. Make sure that SSL is configured correctly between the Web server running iManager and the primary tree. To help confirm that SSL configuration is the problem, use the View Policy Assignment task to check the policy for that user. If the View Policy Assignment task displays an NMAS Transport error, this also can be an indicator that SSL is not configured properly.
The Check Password Status task lets you see whether a user's password in Identity Manager is synchronized with the password on connected systems.
If you are using the eDirectory driver, and the Password Policy for a user specifies in the Configuration Options tab that the NDS Password should not be updated when the Universal Password is updated, then the Check Password Status task for that user always shows that the password is not synchronized. The password status is shown as not synchronized, even if the Identity Manager password and the password on the connected system are in fact the same.
This is because the eDirectory check password functionality is checking the NDS password at this time, instead of going through NMAS to refer to the Universal Password.
If you select the option to update the NDS Password when the Universal Password is updated in the Password Policy (this is the setting by default), then Check Password Status should be accurate for the eDirectory connected system.
This issue will be fixed in a future release of eDirectory.
The task in iManager used to check password synchronization (Password Synchronization > Check Password Status) is accurate when comparing two eDirectory trees only if the Password Policy has the following settings:
These settings are in Password Management > Manage Password Policies, in the Universal Password tab under Configuration Options. They are both checked by default.
Other drivers check the Distribution Password when comparing with the connected system. The eDirectory driver is an exception because, at this time, the eDirectory check password functionality is checking the NDS password, instead of going through NMAS to check the Distribution Password.
If NDS Password is not being synchronized with Universal Password and Distribution password, Check Password Status might report that the passwords are not synchronized, even though the Distribution Password and the password on the other tree are in fact the same.
If you manage remote Identity Manager trees, and use iManager to log in to the other trees, you might encounter errors if you use the server name instead of the IP address of the remote server.
Other considerations:
The following error appears in the Tomcat log file when you authenticate to iManager after installing Identity Manager:
com.novell.security.nmas.mgmt.NMASPwdException
at com.novell.security.nmas.mgmt.PwdLdapTransport.getPwdPolicyDN(Unknown Source)
at com.novell.security.nmas.mgmt.NMASPwdMgr.getPwdPolicyDN(Unknown Source)
at com.novell.forgotpassword.PostAuthentication.getPostAuthServiceDelegates(PostAuthentication.java:65)
at com.novell.nps.authentication.AuthenticationManager.processPostAuthenticationServices(AuthenticationManager.java:366)
at com.novell.nps.authentication.AuthenticationManager.beginPortalLogin(AuthenticationManager.java:330)
This error occurs if an NMAS policy has not been configured and assigned to the user.
If you are upgrading Identity Manager and the eDirectory driver, you might encounter data synchronization errors if your certificates have expired (or if one of the two certificates has expired).
If you create a user on the server holding a valid certificate, the user is not synchronized to the server containing the invalid certificate. You might also see the following error in DSTrace:
SSL handshake failed, X509_V_CERT_HAS_EXPIRED
If you create a user on the server holding an expired certificate, the user is still synchronized to the server containing a valid certificate. You might also see the following error in DSTrace:
SSL handshake failed, SSL_ERROR_ZERO_RETURN,
Error: 14094415: SSL Routines: SSL_READ_BYTES: sslv3 alert certificate expired.
To fix this issue, create new certificates if the previous certificates expire.
The DirXML script action DoSendEmailFromTemplate does not work on UNIX platforms unless a replica containing the e-mail templates is located on the same server where the DirXML engine is running. These e-mail templates are the ones used in the Notification Configuration task in iManager. The e-mail template objects are located in the Security container at the root of the tree.
Like other Web-based administration tools, iManager windows can be blocked by pop-up blocking software. You should set pop-up blockers to allow pop-ups from the iManager server.
This control sets the XSLT processor used by the DirXML Engine to a backwards-compatible mode. The backwards-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and/or XSLT 1.0 standards-compliant. This is done in the interest of backward compatibility with existing DirXML style sheets that depend on the non-standard behaviors. In particular the behavior of the XPath "!=" operator when one operand is a node-set and the other operand is other than a node-set is incorrect in DirXML releases up to and including Identity Manager 2.0. This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backwards compatibility with existing DirXML style sheets.
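A small model of the XPath 1.0 comparison rule that the backwards-compatible mode concerns, written as an added example; it is not from the readme or the DirXML engine. The XDS fragment is constructed, and the rule implemented is the one the XPath 1.0 specification gives for comparing a node-set with a string.

```python
# Added example, not from the readme or the DirXML engine: a small model of the
# XPath 1.0 rule for comparing a node-set with a string, the comparison that the
# backwards-compatible mode concerns. The node-set is taken from a constructed
# XDS fragment; the rule is the one the XPath 1.0 specification gives.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed XDS add event (not captured from a real trace).
XDS = """<nds><input>
  <add class-name="User" src-dn="o=acme/ou=users/cn=jdoe">
    <add-attr attr-name="Group Membership">
      <value>cn=Staff,o=acme</value>
      <value>cn=Admins,o=acme</value>
    </add-attr>
  </add>
</input></nds>"""


def node_set(xds: str, attr_name: str) -> List[str]:
    """String-values of add-attr[@attr-name=...]/value, i.e. the node-set that a
    style sheet expression such as
    add-attr[@attr-name='Group Membership']/value != 'cn=Admins,o=acme'
    would compare."""
    root = ET.fromstring(xds)
    path = f".//add-attr[@attr-name='{attr_name}']/value"
    return [(v.text or "").strip() for v in root.findall(path)]


def xpath_eq(ns: List[str], s: str) -> bool:
    """XPath 1.0: ns = s is true if SOME node's string-value equals s."""
    return any(v == s for v in ns)


def xpath_ne(ns: List[str], s: str) -> bool:
    """XPath 1.0: ns != s is true if SOME node's string-value differs from s.
    With two or more distinct values, ns = s and ns != s are both true."""
    return any(v != s for v in ns)


def negated_eq(ns: List[str], s: str) -> bool:
    """not(ns = s): the reading authors often intend; standard XPath gives it
    only when the negation is written out explicitly."""
    return not xpath_eq(ns, s)


def comparisons(ns: List[str], s: str) -> Dict[str, bool]:
    """All three results side by side, for checking a style-sheet test."""
    return {"eq": xpath_eq(ns, s), "ne": xpath_ne(ns, s), "not_eq": negated_eq(ns, s)}
```

A style sheet whose `!=` test was written expecting `not(... = ...)` behaves differently under the standards-compliant processor whenever the attribute carries more than one value or no value at all, which is why the corrected behaviour is off by default.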
If you have previously configured Nsure Audit on your server, and the loghost parameter in logevent.cfg is set to localhost, this configuration is overwritten during install and logging is turned off.
If you have specified an IP address in the loghost parameter, your logging configuration is unaffected.
To re-enable logging, open logevent.cfg and set the loghost parameter to the IP address of your logging server.
The following list contains the default location of logevent.cfg for each supported platform:
Operating System    Path
NetWare             sys:\etc\logevent.cfg
Windows             windows_directory\logevent.cfg
Linux/Solaris       /etc/logevent.conf
To view help files, your browser language must be set to English. Otherwise, you might encounter an "HTTP Status 404" error.
This issue is not important unless you are using the Dynamic Membership filter to include all or a large number of objects in the tree.
If you are, you will experience significant delays in accessing the Role-Based Entitlements interface after you specify the driver set. To fix this, you need to install the iManager field patch that supplies a fix to the issue.
When you add a new attribute to a class in the filter, you must save the new attribute before assigning a mapping relationship. If you assign the mapping relationship prior to clicking Apply or OK, the attribute mapping is not saved.
If you experience a -734 cache error, virus protection software might be corrupting Novell cache files. These are the symptoms:
To resolve the issue, make sure your virus protection software is excluding TAO files. In addition, exclude from virus protection the Novell\NDS folder and all the subfolders below it.
Make sure that your virus protection software supports the platform you are using it on.
When this issue was observed on Windows 2000 Server with McAfee VirusScan 7.x, the resolution described above did not work; instead, the resolution was to disable the virus scanning software.
This issue has not been observed when using McAfee VirusScan 8.0i or Symantec AntiVirus Corporate Edition software.
When using the iManager plug-ins to configure Identity Manager, consider logging in to the server associated with the driver set that you are going to work with the most. This step can sometimes yield a significant performance improvement for using the plug-ins.
In the Novell SUSE LINUX Enterprise Server 9 (SLES9) network configuration, localhost in /etc/hosts is by default mapped first to an IPv6 address. Java has difficulty with this setting.
To solve this issue, eliminate "localhost" from the line in /etc/hosts that maps localhost to the IPv6 address. For example, in /etc/hosts change
::1 localhost ipv6-localhost ipv6-loopback
to
::1 ipv6-localhost ipv6-loopback
You might also need to place the following line in your /etc/hosts file:
127.0.0.1 localhost
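The /etc/hosts change above, applied to the file's text by an added example that is not from the readme or from SLES. It returns the corrected text for review rather than writing the file, and the sample content is constructed.

```python
# Added example, not from the readme or SLES: applies the /etc/hosts change
# described above to the file's text and returns the corrected text for review
# before it is written back. The sample content is constructed.
from typing import List


def ipv6_localhost_mapped(text: str) -> bool:
    """True if a ::1 line still carries the bare name localhost."""
    for line in text.splitlines():
        fields = line.partition("#")[0].split()
        if fields and fields[0] == "::1" and "localhost" in fields[1:]:
            return True
    return False


def fix_hosts(text: str) -> str:
    """Remove localhost from the ::1 line (keeping ipv6-localhost and the other
    aliases) and make sure a 127.0.0.1 localhost line is present."""
    out: List[str] = []
    has_v4_localhost = False
    for line in text.splitlines():
        body, hash_, comment = line.partition("#")
        fields = body.split()
        if not fields:            # blank or comment-only line: keep as-is
            out.append(line)
            continue
        addr, names = fields[0], fields[1:]
        if addr == "::1" and "localhost" in names:
            names = [n for n in names if n != "localhost"]
            if names:             # keep the remaining IPv6 aliases
                rebuilt = " ".join([addr] + names)
                out.append(rebuilt + (" " + hash_ + comment if hash_ else ""))
            continue              # a ::1 line that only named localhost is dropped
        if addr == "127.0.0.1" and "localhost" in names:
            has_v4_localhost = True
        out.append(line)
    if not has_v4_localhost:
        out.append("127.0.0.1 localhost")
    return "\n".join(out) + "\n"


# Constructed sample in the SLES9 default shape described above.
SAMPLE = "127.0.0.1 localhost\n::1 localhost ipv6-localhost ipv6-loopback\n"
```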
NMAS does not currently support filtered replicas. If you are using Identity Management Password Synchronization, you must use a read/write replica.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2003-2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,818,936; 5,828,882; 5,832,275; 5,832,483; 5,832,487; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,919,257; 5,933,503; 5,933,826; 5,946,467; 5,956,718; 6,016,499; 6,065,017; 6,105,062; 6,105,132; 6,108,649; 6,167,393; 6,286,010; 6,308,181; 6,345,266; 6,424,976; 6,516,325; 6,519,610; 6,539,381; 6,578,035; 6,615,350; 6,629,132. Patents Pending.
DirXML, NDS, NetWare, and Novell are registered trademarks of Novell, Inc. in the United States and other countries.
eDirectory, NMAS, and Nsure are trademarks of Novell, Inc. in the United States and other countries.
All third-party trademarks are the property of their respective owners.