eDirectory 8.8 SP7 Patch 2 for Linux & Unix

Standalone eDirectory 8.8 SP7 Patch 2 has been released. It can be found at Novell.com/downloads.

Do not apply this patch on an OES server!

Issues resolved in eDirectory 8.8 SP7 Patch 2 (20703.00)
December 2012
NDSD
– FLAIM: when performing a LDAP search on a non-existent user using a complex filter err = no such entry (-601) is returned  (Bug 608436)
– NCP: NDSD cores allocating a connection slot  (OES Bug 710806)  (Non-OES Bug 692389)
– NDSD cores on PDC in DSFW environment iterating nested groups (Bug 719736/711799/750982)
– CIFS core during sub-tree search  (Bug 751962)
– Security Vulnerability: eDirectory DoS dhost request with certain characters  (Bug 772895) (CVE-2012-0429)
– Security Vulnerability: eDirectory Authorization Mechanism Bypass  (Bug 772898) (CVE-2012-0430)
– Security Vulnerability: eDirectory Cross Site Scripting exploit  (Bug 772899) (CVE-2012-0428)
– Nauditds.dlm fails to initialize completely during initial eDirectory startup  (Bug 773787)
– Special external references not getting purged when no longer in use  (Bug 775479)
– DSFW enhancement to support ‘ObjectSID=<SID>’ as a filter string to integrate XenDesktop 5.x  (Bug 780215)
– Security Vulnerability: Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow  (Bug 785272) (CVE-2012-0432)

LDAP
– Referrals not correctly populated when ldapserver’s interface has a different address than the hosts file  (Bug 181124)
– LDAP SDK: CIFS terminates with a segmentation fault  (Bug 735840)
– NDSD goes to 100% utilization when ldapsearch is dereferencing aliases with the “-a” option  (Bug 770437)
– NDSD coring in DSAiterator  (Bug 787164)

NDSREPAIR
– Added a new switch (-NLD) to remove license objects after the last NetWare server is removed from tree  (Bug 681961)

DSFW:
– Kerberos authentication failing  (Bug 744792/756978)

IMONITOR
– Monitoring the DIB writer shows “Unregistered” for the verb\process  (Bug 767566)

NDSPASSSTORE
– Not able to create the password store for non-root installations  (Bug 619810/780223)

XDAS
– NDSD dumps core if only ip address (not port number) is specified for the syslog server  (Bug 680361)

NDSCHECK
– Ndscheck fails when only one interface is listening for ldap requests  (Bug 779019)

DOCUMENTATION
– Bug 760378

MD5SUM: ca5eb31e78cd3bc29b3a8ae4764bc578

details

1.0 Installation
1.1 Prerequisites
1.2 Pre-Installation
1.3 Installation

1.0 Installation

1.1 Prerequisites

The server must be running eDirectory 8.8 Support Pack 7. You can verify this by running ndsstat.

1.2 Pre-Installation Checklist

WARNING: Do not run this update on an Open Enterprise Server (OES). To check whether the server is running OES, run “cat /etc/novell-release”. This file will only exist on OES servers.

– Run a health check on the tree to ensure that there are no current problems with this or any other server in the tree.

– Make a backup of the server’s eDirectory database and NICI files.
Among other methods, this can be done by stopping NDSD with “/etc/init.d/ndsd stop” and creating a tarball archive of the database (“../dib”) and “NICI” directory of each eDirectory instance.

For instance, assuming that the default database location was selected during the original installation, run these commands:

1. Stop eDirectory services
Linux and Solaris: “/etc/init.d/ndsd stop”
For AIX: “/etc/ndsd stop”

2. Back up the eDirectory database
“cd /var/opt/novell/eDirectory/data”
“tar -cvzf ndsbackup.tgz dib”

3. Back up the NICI files
“cd /var/opt/novell”
“tar -cvzf nici.tgz nici”

NOTE: An eDirectory 8.8 Support Pack 7 database will not load without the original NICI files.

– You must take a copy of the following files:
“/etc/opt/novell/eDirectory/conf/nds.conf”
“/etc/opt/novell/eDirectory/conf/ndsimon.conf”
“/etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg” (if it exists)
“/etc/opt/novell/eDirectory/conf/ndssnmp/ndstrap.cfg” (if it exists)
“/var/opt/novell/eDirectory/data/dib/_ndsdb.ini” (if it exists)

– Ensure that this server has eDirectory 8.8 Support Pack 7 installed.
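
The OES check, the two archives and the configuration copies from this checklist can be run as one script. This is an added example, not part of Novell's readme: the function names `is_oes` and `backup_edir`, the filesystem-root argument and the destination directory are assumptions, and the default install paths are assumed as in the steps above.

```shell
#!/bin/sh
# Added example: the section 1.2 checklist as functions. Run as root after
# ndsd is stopped, e.g.:  backup_edir / /root/edir-prepatch
# The first argument is the filesystem root, so a staged copy can be tested.

# Succeeds when the host is OES: /etc/novell-release exists only on OES.
is_oes() {
    [ -e "${1%/}/etc/novell-release" ]
}

# Archives dib and nici and copies the listed config files into $2.
# Assumes the default database location, as the steps above do.
backup_edir() {
    root=${1%/}
    dest=$2
    if is_oes "$root"; then
        echo "OES server detected: do not apply this patch" >&2
        return 2
    fi
    data=$root/var/opt/novell/eDirectory/data
    if [ ! -d "$data/dib" ] || [ ! -d "$root/var/opt/novell/nici" ]; then
        echo "dib or nici not found under the default paths" >&2
        return 3
    fi
    mkdir -p "$dest/conf" || return 1
    chmod 700 "$dest" || return 1   # archives hold the DIB and NICI key material
    # tar -C stands in for the "cd" in steps 2 and 3.
    tar -czf "$dest/ndsbackup.tgz" -C "$data" dib || return 1
    tar -czf "$dest/nici.tgz" -C "$root/var/opt/novell" nici || return 1
    for f in etc/opt/novell/eDirectory/conf/nds.conf \
             etc/opt/novell/eDirectory/conf/ndsimon.conf \
             etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg \
             etc/opt/novell/eDirectory/conf/ndssnmp/ndstrap.cfg \
             var/opt/novell/eDirectory/data/dib/_ndsdb.ini; do
        # The last three files are optional; copy only what exists.
        if [ -f "$root/$f" ]; then
            cp -p "$root/$f" "$dest/conf/" || return 1
        fi
    done
    # Prove both archives are readable before the patch changes anything.
    tar -tzf "$dest/ndsbackup.tgz" >/dev/null &&
        tar -tzf "$dest/nici.tgz" >/dev/null
}
```

Keep the destination directory off the data volume being patched and readable by root only, since the database will not load without the matching NICI files.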

1.3 Installation

The patch installer updates NMAS, PKI, and NTLS security components, if required, along with the eDirectory RPMs/packages.

1. Copy the patch file into a temporary directory, then extract the tarball. For example:
“tar -zxvf edir8872.tar.gz”

2. Stop all the instances of eDirectory:
“ndsmanage stopall”

3. Run the install.sh script.

NOTE: Ensure that you run this script from the directory the patch has been extracted to.
For example, ./install.sh.

The patch installer replaces the old packages with the new packages and skips packages that have the same version as that of the patch installer. For more information about the eDirectory patch installer, run “./install.sh --help”.

NOTE: when installing the patch you may see messages similar to those below:
“novell-edirectory-expat-32bit” is not installed. Do you want to install it now? [y/N]
“novell-edirectory-xdaslog-32bit” is not installed. Do you want to install it now? [y/N]
If this server is also running IDM it is recommended to respond yes to these prompts.

NOTE: A warning message may be displayed while installing the novell-kerberos-base and novell-kerberos-ldap-extensions RPMs on RedHat platforms. It is safe to ignore this warning because the patch installer internally installs these RPMs.

NOTE: This patch installation may fail if it is applied to a 32 bit version of eDirectory 8.8 SP7 on the Solaris platform. The following sections of the patch’s install.conf need to be modified so that they appear as below:

SECURITY_PACKAGE=novell-nmas novell-npkiapi novell-npkit novell-ntls
novell-pkiserver NOVLepkiax NOVLepkisx NOVLepkitx NOVLnmasx NOVLntlsx NOVLepkia NOVLepkis NOVLepkit NOVLntls NOVLnmas NDS.NOVLnmas NDS.npkiapi
NDS.npkit NDS.pkiserver novell-kerberos-base novell-kerberos-ldap-extensions

IGNORE_PACKAGE_BASE_VERSION=google-perftools nici novell-ncpenc NOVLncp NOVLncpx
NDS.NOVLncp

4. Start NDSD:
“ndsmanage startall”

5. Verify that the NDSD module reflects the new version. For example, the version displayed upon running the ndsstat command should return 20703.00.

6. Extend the nmas schema.

“ndssch admin context /opt/novell/eDirectory/libdir/nds-schema/nmas.sch”

Replace the libdir variable as follows:
For 32-bit Linux, Solaris and AIX platforms: lib
For the 64-bit Linux platform: lib64
For the 64-bit Solaris platform: lib/sparcv9

7. (Optional) Check the log file.

By default, the patch installation log file is “/var/opt/novell/eDirectory/log/eDir_patch_install.log”.

For a list of fixes contained in this and previous patches for eDirectory 8.8 please refer to:
http://www.novell.com/support/viewContent.do?externalId=3426981

security fixes

CVE-2012-0428
CVE-2012-0429
CVE-2012-0430

file contents

Files Included Size Date
edir8872.tar.gz 480.4 MB (503795401) 2012-11-07 11:58:00
readme_5152711.html N/A 2012-12-03 17:33:46

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

 

This document (5152711) is provided subject to the disclaimer at the end of this document.
