History of Issues Resolved in eDirectory 9.x

  • 7016794
  • 25-Aug-2015
  • 17-Aug-2021


NetIQ eDirectory 9


This TID documents all patches and fixes for eDirectory 9.x.

9.x Readme Addendum:

For a list of patches and issues resolved for iManager 3.x please refer to the following:

For a list of patches and issues resolved for eDirectory 8.8.x please refer to the following:

Additional Information

Issues resolved in eDirectory 9.2.5
August 2021
NDSD: 40206.00
NICI 3.20
OpenLDAP 2.4.58
OpenSSL 1.0.2y

- NCPCLIENT_REQ_TIMEOUT default raised to 300 seconds  (Bug 358085/363041)
- When oidpInstanceData's value size is > 16KB an event is generated  (Bug 349017/364008)
- Identity Apps fails to log in if “Disallow anonymous simple bind” is set  (Bug 328322)
- Alerts are created for high valued attributes on DirXML-EntitlementResult > 5k values and oidpInstanceData > 5KB  (Bug 257205)
- NDSD_USE_GROUPMEMBERSHIP_OPTIMIZATION with nested groups is incorrectly handling NOT "!" operator  (Bug 329530)
- Env_custom file not being recognized by eDirectory systemd service file  (Bug 314445)
- Additional prompt when enabling EBA while adding a server to the tree  (Bug 316418)
- Ldif2dib is loading objects with errors if FIPS enabled  (Bug 337009)

- Cn=monitor LDAP statistics return different results than rootDSE  (Bug 235458)
- Ldap_listeners.txt file now updated on address change  (Bug 316400)
- Updated OpenLDAP to 2.4.58  (Bug 320094/327288)

- User is now prevented from changing their password if it violates more than 2 complexities  (Bug 235445)
- CEF Change password event, message field does not correctly report the perpetrator  (Bug 315087)
- OpenSSL updated to 1.0.2y  (Bug 320186)
- TLS read failure 5 causes workflows to terminate  (Bug 322019)
- NMAS methods are signed with stronger keys and bundled  (Bug 327751)
- GSSAPI and SAML login methods are now signed with the EC algorithm  (Bug 358076)

- Using Identity console 1.3 CRL file URL has wrong file name after recreating the CA  (Bug 288153/291037)

- Option "-zc" now takes an IP address for the tree name  (Bug 237658)
- Dsrepair is creating NDO backup files when dib >1GB  (Bug 235425)

- Nici updated to 3.2.0  (Bug 322114)

- iMonitor contains invalid links in the errors index  (Bug 235439)
- Note added to not select the "By server" synchronization method in a single server tree  (Bug 312260/358032)
- High value report now shows EIDs in hex and are linkable  (Bug 314431)

- Documentation changes for new statistics available in cn=monitor LDAP statistics  (Bug 358001)
- Extracted Docker Image archive file should have a different name than the archive file name  (Bug 317251)
- Documented issues seen when upgrading a dib with EA using a DES key.
- Document re-encrypting the sASPolicyCredentials attribute after turning on FIPS mode  (Bug 360011)

Issues resolved in eDirectory
May 2021

This hot patch contains LDAP extension changes to support new functionality in Identity Console 1.3.

Issues resolved in eDirectory
April 2021
NICI 3.2
OpenSSL 1.0.2y

This version of eDirectory contains new versions of OpenSSL and NICI which have a different FIPS 140-2 validated cryptography library with an active certificate.

Issues resolved in eDirectory 9.2.4
March 2021

Ndsrepair on Linux now has an authoritative switch (-za) for overwriting attributes from another tree  (236045/1154902)
Second OES server failing to join tree due to coring  (314424)

Operations are causing dhost crash when cefauditds.dlm is used  (269019)
iManager is crashing with JAVA cores  (273049)

cn=monitor causes crash on CompareJSONStrings  (267100)
Logging into Identity App causing a crash in eDirectory  (285337)
LDAP operation fails with -625 error  (235441/1150062)
On OES /var/opt/novell/eDirectory/data/ldap_listeners.txt is populated with listening addresses on init  (237660/1172505)

iMonitor cache statistics are incorrect if hit count exceeds 4GB  (236031/1114390)
Missing modules error messages seen when SNMP subagent is started  (236366/1008256)
Ndsmanage now only reports the error code and not grep output  (237341/1054445)

Documentation updated to reflect that TSANDS and SMS are not supported on non-OES eDirectory  (285196)
Novell-NDSserv package has broken dependencies  (234870/1115538)
SNMP Subagent Fails to Load when EBA is Enabled  (235415/1027831)
Upgrading to OES2018SP2 now adds "NDSD_NLDAP_IGNORE_CRITICALITY = True" to /etc/opt/novell/eDirectory/conf/env  (303057)
Zoomdb updated to  (313016)

Issues resolved in eDirectory 9.2.3
August 2020
OpenLDAP 2.4.50

- Windows: getting error while trying to access the log file options in DS Repair tool  (256195 - 1073312)
- NDSD stops responding - thread exhaustion due to missing lock in JournalHandler  (Bug 236250 - 1169280)
- NDSD quits responding to requests and 1000s of inbound connections (157076\236250 - 1154264)
- NDSD crash is observed in Windows when ldapsearches are run with CEF events enabled  (174269 - 1170087)
- NDSD startup fails on Red Hat 8.1 after reboot  (176689/258178 - 1170698)
- NDS service crash is observed in Windows when cef module is enabled after cache file processing  (177623 - 1169290)
- NDSD coring due to LDAP monitoring request in CN=Monitor  (235452 - 1170019)
- LDAP: performance improvements in reading the values for the groupMembership on a user  (236047 - 1159490)
- LDAP: OES no longer ignores the criticality control when passed with VLV or a paged control  (236406 - 1171997)
- LDAP: upgraded OpenLDAP to 2.4.50  (258181)
- Upgrade: upgrading a secondary server with 922 results in -601 if only RSA certificates are used  (237053 - 1172051)
- Migration Wizard Transfer ID intermittently fails while restoring DIB - Error: -663  (237046 - 1156455)

- Audit: once the size limit is reached in CEF-S-cache.log a message is now printed in the ndsd.log  (237659 - 1171915)
- Methods: SAML metadata text import corrupts posted metadata.xml  (236790 - 1172065)
- iMonitor: provided Reset Button to iMonitor 'Background Process Settings' page  (823023)
- iMonitor: high valued attribute count now includes the EID in the report  (236293 - 1168917)
- iMonitor: reset button added to the 'Background Process Settings' under Agent Configuration  (236640 - 823023)
- DSBK: Dhostcon loadwait does not wait for dsbk backup to finish  (174245 - 1120834)
- DSBK: Unloading of modules fails via dhostcon.exe  (174246 - 1106161)
- TSANDS: Micro Focus Data Protector incremental backup is not working as expected  (173239 - 1164110)
- Novell-eba includes an uncompressed man page for ebaclientinit  (237535 - 1077542)
- NDSGREPAIR: Unable to find JRE while running ndsgrepair on OES2018SP1  (236041 - 1139074)
- Module name for DS Browse in DHost iConsole is not displayed in eDirectory windows server  (176870 - 1099256)
- Docker logs show kill command usage error after eDirectory container restart  (239175)
- Docker: Opensuse/leap:15.2 consumed as BaseOS for eDirectory 923 container  (239210)
- Docker: eDirectory container does not come up automatically after a Docker service restart  (239229)
- Docker: additional error messages if inappropriate operations are performed  (257204)
- Docker: better recovery of eDirectory container after crash  (258185)
- Docker: better document journal event disk caching in an eDirectory container  (264002)
- Do not display 'n4u.server.fips_edir' flag in nds.conf file by default (269087)

Issues resolved in eDirectory 9.2.2
May 2020
NDSD: 40203.00
OpenSSL 1.0.2u
OpenLDAP 2.4.49

- Default value for SKULK DELAY is now set to 5 seconds  (Bug 1164038/1166822)
- Ndsmanage now presents the reason values are rejected during instance creation  (Bug 1054565)
- Ndsd.log now reports on whether the LDAP proxy user has been disabled  (Bug 1138310)
- Env variable NDSD_NLDAP_IGNORE_CRITICALITY introduced to disable page control criticality  (Bug 1151712/1169877)
- Audit: NDSD unresponsive with many connections open when disk caching is enabled  (Bug 1154264)
- Audit: NDSD unresponsive with many connections open when disk caching is not enabled  (Bug 1169280)
- JClient support for Client Identification Verb  (Bug 1143840)

- ERROR: -16050 Failed set password returned after AES tree key upgrade on OES2018SP1  (Bug 1161784)
- If a user has a nspmPasswordKey value but no UP, diagpwd -t will delete it  (Bug 1162306)
- -16050 error on a password change with new tree key if NDS syncs with Simple password  (Bug 1161784)

- -635 and -625 errors seen during a paged result control ldap query  (Bug 1169416/1168976)
- 'Unwilling to perform' now returned on page control search with a subref present  (Bug 1168976)
- Object being returned multiple times due to multiple values  (Bug 1070796/1141279)
- Object being returned multiple times due to multiple OR conditions throwing -714  (Bug 1090523/1151712)
- OpenLDAP updated to 2.4.49  (Bug 1163067)

- Event process stops once the cdir directory builds up beyond 150 files  (Bug 1153649)
- CEF: Line breaks now handled properly in eDirectory logging\parsing  (Bug 1131400)
- CEFauditds and collector: new implementation of log levels and priority filtering  (Bug 1147048\1161543\1149927)

- Ndstrace: debug level information seen with severity filter set to INFO  (Bug 138946)
- Repair: -R will now set an object's release inhibit move and dead obits to purgeable  (Bug 1158220)
- OpenSSL updated to 1.0.2u  (Bug 1167361)
- Install: dHost process does not shut down during upgrade  (Bug 1131355/1153810)
- Embox updated with the C++14 standard  (Bug 1168746/1169001)
- Dhostcon showed incorrect module status  (Bug 1052716)
- Partition information display in dsrepair on windows shows corrupted text  (Bug 1097368)
- Docker documentation updated  (Bug 1155855)

Issues resolved in eDirectory 9.2.1
February 2020
NDSD: 40202.00
OpenSSL 1.0.2t
OpenLDAP 2.4.47

- Alias dereferencing is not returning all the objects  (Bug 1157731)
- Added three new APIs to track causes of -6030 errors  (Bug 1097028)

- "-659" errors no longer seen when using the variables NDSD_CC_SKULK_DELAY > 5 & NDSD_RETRY_MODIFY=TRUE  (Bug 1161163/1153495)
- NDSD memory growth in the case of a BER decoding error  (Bug 1160370)

- ERROR: -1658 Failed to decrypt password when retrieving password due to key length difference  (Bug 1161609)
- Random -1649 errors (NMAS_E_NO_RESOLVE_DN) due to -659 errors in sync (Bug 1155649)

- CEF could overwrite events in some cases and now rolls back on failure  (Bug 1160838)
- When files in the cdir directory build beyond about 150-200, events process stops until audit module is unloaded  (Bug 1160511)
- Syslog tag of 'NetIQ' has been reverted back to 'eDirectory'  (Bug 1147056)
- Wrong taxonomy for some AUDIT CONFIG events  (Bug 1145124)
- CEFAuditds module not loading in IDM environment when log4cxx component is already loaded by another module  (Bug 1139251/1138656)

- Ndsconfig upgrade is not adding TasksMax=infinity to the unit file on upgrade  (Bug 1157025)

- Utilities: dsrepair.dlm and dstrace.dlm fail to launch for non-English system locale  (Bug 1107101)
- REST: Unable to add a replica to a tree root partition  (Bug 1154326)
- REST: Unable to change the replica type from sparse-read, sparse-write to READWRITE  (Bug 1154310)
- REST: replica types get rearranged on change  (Bug 1154304)
- Ndsindex documentation updated to reflect the "-a" option to add a compound index  (Bug 1157236)
- Documented variables to increase LDAP bind performance: "NDSD_RETRY_MODIFY=true" if "NDSD_CC_SKULK_DELAY >= 5"  (Bug 1162305)
- Documented how to allow a non-root user to perform an SSH login prior to starting eDirectory  (Bug 1105216)

Issues resolved in eDirectory 9.2
November 2019
NDSD: 40201.14
OpenSSL 1.0.2r

- Enhancement: Red Hat 8 and Windows 2019 support added  (Bug 1150217/1134726/1145543)
- Enhancement: PBKDF2 hash method to replace NW4 password hash  (Bug 1075027/1135032/1149687/1142304)
- Enhancement: pre_ndsd_start_factory updated to pre-populate cache on init  (Bug 1113298)
- Enhancement: docker containers now supported (Bug 1121059/1142580 -)
- Invalid entry in iterator table leading to a core  (Bug 1111235)
- Windows memory leak when IDM health driver is running  (Bug 1104248)
- Unresponsiveness and many connections to the server itself  (Bug 1122160)
- Environment variables are ignored if custom_env is in a non-default location  (Bug 1116471)

- Ldap search with VLV or paged controls reuses iterator leading to error: invalid iteration -642  (Bug 1141353/1129712)
- After exporting schema the import fails with: invalid request (-641)  (Bug 1098182)
- Random crashes found by QA LDAP  (Bug 1092677)
- Threads blocked by HandleBlockedSkt condition causing NDSD lockup  (Bug 1140553)
- Memory growth seen when using the VLV and SSS controls  (Bug 1115320)
- Small memory leak in nds_back_bind function  (Bug 1136604)

- Installing the challenge response method using nmasinst fails with error 5997  (Bug 1118083)

- RSA and ECDSA certificates not getting replaced  (Bug 978309)
- CRL not using correct ports when non-standard ports are defined  (Bug 1025816)
- Document disabling CRL services using the NDSD_DISABLE_CRL_CONFIG variable  (Bug 1145501/1077766)
- Unable to replace RootCA certificates using plugin  (Bug 1129593)
- With new docker support AG certificates no longer created by default  (Bug 1115390)
- PKIS was not creating server certificates properly in an Azure environment  (Bug 1123700)

- Enhancement: CEF auditing enabled for EBA related events  (Bug 1082745)
- Rename operation in LDAP using CEF results in a move object event  (Bug 1114432)
- Dhost crashing when XDAS is unloaded on Windows  (Bug 1111043)
- CEF: deviceVendor is incorrect for eDirectory events  (Bug 1147056)

- Enhancement: docker container image allows for non-root installs using privileged ports  (Bug 1145553)
- Windows installer now removes xdas dependencies  (Bug 1145548)
- Localization fixes (Bug 1080260/1080239/1075727/1113244/1124586)
- On OES servers FIPS will not be set regardless of option selected  (Bug 1107931)
- Windows installer no longer requires to confirm password on upgrade  (Bug 1131216)

- XDAS deprecation  (Bug 1134180)
- Ndsconfig: new switch -y added to read password from a file for container installs  (Bug 1143360)
- SecretStore cannot generate SAS:SecretStoreKey if 256bit tree keys are in use  (Bug 1140622)
- Removed code to update the LD_LIBRARY_PATH from ndspath so right OpenSSL is used  (Bug 1124275)
- iMonitor was not enforcing HSTS  (Bug 1085288)
- Jclient classes implementing different attribute types not returning attribute name in toString() method  (Bug 1042602)
- NCP: dhost crashing on Windows  (Bug 1099940)
- SLES 11 platform no longer supported  (Bug 1088510)
- Plugin: sasLoginClientMethodWinX64 and sasLoginServerMethodWinX64 now filtered from optionals  (Bug 1092988)
- Use GUID rather than IP address to identify EBACA  (Bug 1107417)
- eDirutil fails to load main class in a non-root configuration  (Bug 1115804)
- Revised usage of the -f switch in the nds-install script  (Bug 1124411)
- OSP 6.3.6 included on Identity Console  (Bug 1150974)
- Notice of the Platform Agent being deprecated in eDirectory 9.3  (Bug 1137918)

Issues resolved in eDirectory 9.1.4 HF1
June 2019
NDSD: 40105.09

- All compound indexes will be deleted and recreated due to a key change made to prevent corruption issues.  (Bug 1138239)

Issues resolved in eDirectory 9.1.4
May 2019
NDSD: 40105.08

- NMAS memory leak due to a function not releasing allocated memory  (1119470)
- TCP Port buildup when querying for dynamic group membership  (Bug 1133654)
- Dynamic Group finds no members when using the NDSD_AGENT_CONTEXT_OPTIMIZATION variable  (Bug 1129227)

- Windows dhost crash when querying for IDM info via cn=monitor  (Bug 1123834)
- NDSD coring due to a non-thread safe function used in cn=monitor  (Bug 1123603)
- Updated OpenLDAP from 2.4.37 to 2.4.45 to address a number of security vulnerabilities  (Bug 1124288)

- Memory leak in NMAS refresh method code  (Bug 1116631)
- Additional memory leaks found in NMAS  (1134210)

- Potential Security Vulnerability: upgrade OpenSSL to address potential security vulnerabilities  (Bug 1128304) (CVE-2019-1559)

- Memory leak in CEF module  (Bug 1134085)
- Ndsrepair: Compound indexes are no longer functional after running ndsrepair -R  (Bug 1133470)
- Upgrade: error: Unable to proceed with the DIB upgrade  (Bug 1128519)

Issues resolved in eDirectory 9.1.3 HF1
April 2019
NDSD: 40104.07

- FLAIM: 6030 6038 errors - compound indexes are no longer functional after running ndsrepair -R  (Bug 1097028/1129055)

- 6030 6038 errors - compound indexes are no longer functional after running ndsrepair -R  (Bug 1097028/1129055)

Issues resolved in eDirectory 9.1.3
March 2019
NDSD: 40104.05
OpenSSL: 1.0.2q-52
Zlib: 1.2.11

- Ndsrepair is now able to perform a rebuild and fix the database if the problem is a bad RFL  (Bug 1087022)
- SMI throwing -6038 and -6030 errors due to corruption in compound indexes  (Bug 1096993/1066297)
- Memory leak when running 'cn=monitor' searches in a loop  (Bug 1118272)

- NDSD crashing when performing repeated NMAS login policy refresh operations  (Bug 1026194)

- Dynamic groups with an invalid memberQueryURL causing thread buildup leading to unresponsiveness  (Bug 1088248)
- Ldapsearch query with paged results fails on large dibs  (Bug 1036408)

- Memory leak identified  (Bug 1118272)

- XDAS NMAS events aren't logged with NDSD_EVENT_DISK_CACHE=1
- High utilization with XDAS and CEF auditing  (Bug 1097642)

- Ndsbackup reports 'Error while processing error messages'  (Bug 1123056)
- Update OpenSSL to 1.0.2q (Bug 1121596)
- Potential Security Vulnerability: multiple vulnerabilities resolved in OpenSSL, SNMP and zlib (Bug 1113274)
CVE-2016-7567, CVE-2016-4912, CVE-2018-1000116, CVE-2015-5621, CVE-2015-8100, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Issues resolved in eDirectory 9.1.2
December 2018
NDSD: 40103.01
Azul JDK 1.8.192

- Hybrid groups (enhanced nested group) have been deprecated  (Bug 1109004/1092825/1108738)
- Ephemeral port exhaustion caused by RRSD dynamic group evaluation revoking entitlements (Bug 1075000)
- NDSD_AGENT_CONTEXT_OPTIMIZATION for optimal locking of cls data for above issue  (Bug 1075000\1080544\1087869)
- eDirectory dhost core in NCPEngine  (Bug 1099654)
- New value added to the sssActiveServerList attribute on each restart  (Bug 1056025)
- Nested group attributes show different values depending on the utility used  (Bug 1075489)
- CIFS service crash while executing libndssdk.so API "DCConnectToAddress"  (Bug 1084181)
- Multiple CN are returned from ldapsearch for dynamic group object  (Bug 1076479)
- EBA: dhost crashes when NCP engine accesses last connection request  (Bug 1098991)
- NDSD crashes trying to release a non-acquired lock  (Bug 1098591)

- Searches with dereference alias cause high utilization and slow performance  (Bug 1097995)
- Improved performance for VLV searches when counting is disabled  (Bug 1087759)

- NDSD cores if the NESCM method is expired  (Bug 1095624)
- SAML method: multiple coring issues resolved  (Bug 999386)

- Invalid ASN1 encoding causing Chrome browser to reject ECDSA self signed certificates  (Bug 1103686)
- CRL validation was failing when a Windows install used a custom location  (Bug 1077401)

- Enhancement: SLES 15 now supported as a platform  (Bug 1114611/1107598/1107577)
- Enhancement: new installer now only uninstalls rpms that are newer  (Bug 1113320)
- Enhancement: eDirutil now works with OpenJDK Zulu  (Bug 1103066)
- eDirectory rpms now set root,root permissions on its directories  (Bug 867691)
- Dsbrowse_res.dll and dsedit_res.dll are now packaged into the nls folder  (Bug 1109155/1097654)
- Ssscfg utility looks for the nds.conf file in the default location on custom install  (Bug 1083319)
- Install: truncation seen in the installer dialog when French or Japanese is selected  (Bug 1080210)
- Yum check is reporting error, novell-eba-x is obsoleted by novell-eba-x  (Bug 1108519)
- Install.dlm cannot be unloaded  (Bug 1099424)


- Plugins: Error -614 returned when modifying groupmember in iManager  (Bug 1072360)
- OpenSSL RPATH changes in utilities resolving their crashing and\or reporting "Signature file not found"  (Bug 1054606)
- Security Vulnerability: multiple XSS vulnerabilities in eDirectory plugins  (Bug 1089460\1088007\1088002) (CVE-2018-17949)
- Security Vulnerability: XSS vulnerability in iMonitor  (Bug 1076825) (CVE-2018-17952)
- Diagpwd utility now packaged along with eDirectory  (Bug 1104045/1110582)
- Diagpwd now accepts certificate both in .pem and .der format  (Bug 1107635)
- Ndsrepair not handling authentication correctly  (Bug 1094920)
- Ndsdetect now works on 888x  (Bug 1105862)
- RPATH for a few libraries is set to wrong path of the OpenSSL libraries  (Bug 1107989)
- Ndsdibupg utility deprecated  (Bug 1106980)

Issues resolved in eDirectory 9.1.1 Hotfix 1
August 2018

- Potential Security Vulnerability: open unvalidated redirect vulnerability in iMonitor (Bug 1082040) (CVE-2018-7692)

Issues resolved in eDirectory 9.1.1
June 2018
NICI 3.1
OpenSSL 1.0.2n-29
Java 1.8.0_172 (tested)

NDS Server
- Deletion of a SYN_PATH type attribute value results in an error: -602  (Bug 1095950\1081109)
- IDM 4.7 Remote loader did not start when installed on RHEL 7.3  (Bug 1095492)
- Ldappasswd causing NDSD to crash  (Bug 1093530)
- NDSD is not starting while configuring a tree on some systemd platforms  (Bug 1093453)
- Treename can not be resolved via SLP  (Bug 1085605)
- LDAP syntax and attribute mapping changes for Designer (Bug 1083230)
- Random dhost crashes when adding second server  (Bug 1078207)
- Duplicate n4u.cluster.nodes lines getting added to nds.conf  (Bug 1070568)
- NDSD.log filling up with MmapSysAllocator failed errors  (Bug 1058201)
- NDSD cores when LDAP search includes wild card expanded search strings  (Bug 1049266)
- Jclient: cannot browse DFS junctions in iManager  (Bug 1037447)

- Performance improvements  (Bug 1086824/1076375)
- TLS port is disabled if a Trusted Root Containers is configured for the LDAP Server  (Bug 1084980)
- NDSD crash when an empty base class is returned  (Bug 1084314)
- Memory leak due to LDAP server's certificate objects misconfigured  (Bug 1078170)
- Potential Security Vulnerability: fixed checking of revoked cert  (Bug 1072855) (CVE-2018-12461)
- LDAP paging returns the same values for each page  (Bug 1071840)

- Plugin: now properly serves CRL files and uses HTTP first  (Bug 1070239/1077339)
- Plugin: removal of the option during certificate creation to not export private key  (Bug 1054826)
- Plugin: made field more uniform to take input and show output for CRL File Path  (Bug 1046125)
- Plugin: enhanced the equals method to compare the CRL DP input to avoid duplicates  (Bug 1046125)
- Error -602 returned unlinking CRL config DN from RootCA  (Bug 1081109)
- CRL reissue frequency changes to default value on restart  (Bug 1080529)
- NDSD cores when updating server certificates  (Bug 1077211)
- NPKI library crashing when trying to import a trusted root  (Bug 1076933)
- Missing certificate distribution points after creating a new CRL object  (Bug 1074471)
- Error: -603 when modifying CRL parameters  (Bug 1071209)
- Java HotSpot warnings written to the ndsd.log with IDM Soap driver running  (Bug 1053916)
- Disabling EBA causes SSL decryption failed errors for LDAPS  (Bug 1047029)

- Connection leak due to not freeing connections in case of an error return  (Bug 1064912)
- Crash due to continuous refreshes of the methods if invalid or an error is returned  (Bug 1091395/1087754)
- Resolves a crash due to using a context that has been freed  (Bug 1087754/1091003)

- Minor memory leak addressed  (Bug 1080749)

- High utilization due to libxdasauditds.so  (Bug 1085431)
- XDAS fails to load if configured for UDP with cache enabled  (Bug 1082476)
- NDSD crash in libxdasauditds.so  (Bug 1079755)
- Potential high utilization issue addressed  (Bug 1054222)

- ICE Plugin failing on import and export operations  (Bug 924472)
- Installer now handles special characters in the admin's name  (Bug 1042576)
- Ndsconfig not running after upgrades so TasksMax=infinity missing on systemd container  (Bug 1069006)
- Enhancement: eDirectory 9 now approved for integration with FreeRadius 3 in SLES 12  (Bug 1073438)
- Installation on Windows causes a restart without user warning  (Bug 1082529)
- Jclient now built against Java 1.8  (Bug 1084983)
- ICE crashes when extending the schema with a Japanese locale setting  (Bug 1085622)
- Enhancement: installation now uses checksum not embedded version to compare old and new files  (Bug 1092095/1081974/1095961)
- ICE should not display or log password in verbose mode  (Bug 1094607)
- Documentation updated with information about moving the dib directory on systemd servers  (Bug 1085959)
- Documented new variable: NDSD_DISABLE_CRL_CONFIG  (Bug 1071821/1093637)
- Documented that NDSD_EVENT_DISK_CACHE=true must be set before changing the log level to debug  (Bug 1092537/1046746)
- Documented how to prevent CRL decode errors after moving the RootCA  (Bug 1092460)
- Documented new setting, NDSD_CC_SKULK_DELAY, to control immediate sync  (Bug 1089606/1089607)
- Instructions added on how to install Java  (Bug 1088957)
- Radius documentation updated  (Bug 1087285)
- Ndsconfig now gives a second password prompt  (Bug 1054566)

Issues resolved in eDirectory 9.1
March 2018
NDSD: 40101.29
NICI 3.1
OpenSSL 1.0.2n

NDS Server
- Enhancement: CEF audit format now supported  (Bug 1045674)
- Potential Security Vulnerability: limit the number of concurrent read operations on streams  (Bug 1057280)  (CVE-2018-1346)
- Compound indexes are no longer functional after running ndsrepair -R  (Bug 1063996)
- "cn=monitor" returns invalid times for the max ring delta of a partition  (Bug 1042513)
- Roles and Resource driver goes into endless loop - causes eDir to be killed by OOM  (Bug 1049089)
- Core dump while uploading 1 million objects  (Bug 738765)
- New gperftools to resolve a performance issue and a coring issue when IDM 4.6.x is on the server  (Bug 1038994)
- Ldap hangs when Auditing is loaded  (Bug 1046924)
- 'Equivalent to Me' attribute value inconsistencies when an object is moved and roles are assigned  (Bug 1062097)
- 625\626 errors synchronizing attributes with a large number of values such as nrfInheritedRoles, memberUID, etc.  (Bug 901663)
- Jclient enhancement added to perform an equality search on a specific string in the Attribute of type Path Syntax  (Bug 1029506)
- Dclient: -625 Transport Failure while calculating effective rights for an attribute during Tomcat Startup  (Bug 1079339)
- Enabling selective synchronization returns Error -6094 and the xml file parsing fails  (Bug 1059951)
- NDSD crash when converting memberQueryURL for dynamic groups into ldap format  (Bug 1075961)

- Crash when searching with paged search control and complex filter  (Bug 1044264)
- Memory leak when the LDAP server is associated to an invalid certificate  (Bug 961722)
- Enhancement: "Extended DN format" LDAP search control added  (Bug 1061312)
- Using a base of "cn=status,cn=Agent,cn=Monitor" does not return status  (Bug 963412)
- NDSD restart on OES2015 SP1 server (with DUMA installed) results in a segfault  (Bug 979337)
- VLV count performance improvement  (Bug 1029294)
- Using the proxied authorization control results in incorrect results  (Bug 1001116)
- Enhancement: ndsindex option '-a' to add ancestorID to the attributes passed  (Bug 1025688)
- Data inconsistency between member count using different ldapsearch methods  (Bug 1043124)
- Dhost crashes in libtcmalloc on Windows 2012  (Bug 1078455)

- 1658 error setting the universal password when 'require unique passwords' and 'password history' are enabled  (Bug 1048966)
- NMAS server attempting to load the method for every login attempt  (Bug 1064255)

- Ndsrepair now has the ability to run a true rebuild  (Bug 733350)
- Ndsrepair cannot remove a server from a ring if EBA is enabled  (Bug 1067513)

- Security Vulnerability: iMonitor auth buffer overflow  (Bug 1077502)  (Internally Found)
- iMonitor Validate Entry does not honour DS_NESTED_ACL. Error -702  (Bug 591128)
- Missing help for Attribute Moves and EBA  (Bug 965479)
- EBA and its related health attributes can now be disabled from the Agent Health check  (Bug 1059950)

- Potential Security Vulnerability: in RSA certificates - mitigated by updating to OpenSSL 1.0.2n (Bug 1067041)  (CVE-2017-3736)

- Enhancement: Can now mint certificates with a maximum keysize of 8192  (Bug 1030376)
- Enhancement: new variable to disable CRLs on the RootCA: NDSD_DISABLE_CRL_CONFIG  (Bug 1071821)
- Localization fixes  (Bug 960367/960374/960380/960396/960425/960324/960426/960430)

- Enhancement: new Windows installer  (Bug 1061729)
- Enhancement: OpenSSL moved to a Common-module location  (Bug 1055170)
- Ndsconfig fails to start NDSD on RedHat when the user has used sudo or su to become root  (Bug 1065510/1078957)
- Localization fixes  (Bug 1051496)
- eDirectory leaving an unowned ntls.conf in /etc/ld.so.conf.d after upgrade breaking curl, ruby, etc.  (Bug 1054152)
- Crash in MSVCR110.dll when upgrading on the Windows platform  (Bug 1069516)
- Upgrading to eDirectory 9.0.4 failing when dsdump is installed on the server  (Bug 1064293)

- Core in WNGetInt32 after changing the network address via Yast  (Bug 1056797)

- ICE plugin hanging after importing more than 1000 users  (Bug 1031222)
- ICE import and export is failing when using port 636  (Bug 1020781)
- ICE crashes when extending the schema with Japanese locale setting  (Bug 1078243)
- Simple search in iMgr plugin for an object failing if the LDAP server is using a 4K certificate  (Bug 1017107)
- Ndsdetect inconsistencies in reporting due to identity used  (Bug 1060603)
- Radius documentation updates  (Bug 965767)
- Error returned when ddstrace logs are to be rotated  (Bug 1049047)
- Ldapsearch with sss control does not show result for encrypted attribute  (Bug 1060647)

Issues resolved in eDirectory 9.0.4
September 2017
NDSD: 40006.33

- Enhancement: stream files and NMAS methods are now updated atomically  (Bug 1055152/894911/946883)
- Enhancement: Windows 2016 has been added as a supported platform  (1006762)
- Enhancement: RHES 7.4 is now a certified platform  (Bug 1058328/1055410)
- Enhancement: non-root support has been added to the RHES 7.x platform  (Bug 1051591)
- Nds.conf settings are getting duplicated  (Bug 1033046)
- High utilization when performing searches for group members and dynamic groups  (Bug 971733)
- Potential Security Vulnerability: Secure Renegotiation disabled  (CVE-2009-3555)  (Bug 1032264)
- Concurrent reads and writes of stream attributes were resulting in error: -255  (Bug 1045468)
- EBA upgrade for server is successful when EBACA is not present in the replica ring  (Bug 992825)
- Crash during unloading of ebasrv.dlm  (Bug 1032013)
- Dhost.exe crashing while adding a server  (Bug 932625)
- Upgrading the R/W server to host EBACA fails with a -603  (Bug 1008754)
- Login restrictions not enforced when using the ebaclientinit utility  (Bug 1029077)
- When EBA is disabled the EBA modules are still being loaded  (Bug 1041865)
- Existing connection is being used even though server is upgraded to EBA  (Bug 1005473)
- Some auxiliary attributes are lost during an object move  (Bug 1045532)
- Indexes with duplicate names were being added  (Bug 1022980)
- Event loopback when writing Reciprocal attributes  (Bug 1030591)
- NDSD core in ReportAddOrModifyEntry when bulk load returns error -601  (Bug 1033639)
- -610 error when querying for members in a nested group  (Bug 1044192)
- Jclient now supports MOT transactions  (Bug 1013202)
- Dclient: secretStore security object not created and UserAPP fails to install  (Bug 1026810)
- EBA: -702 is thrown on init then shuts down if TCP address is missing from replica attribute  (Bug 1034851)
- Multiple instances of NDSD getting loaded  (Bug 989026)

- Debug option "-d" in ldapsearch is only working for successful LDAP operations  (Bug 917767)
- Enhancement: FLAIM's current transaction id now returned via cn=monitor  (Bug 1023904)
- CN=monitor search returns "objectclass" along with the attribute specified in the request  (Bug 962545)
- "Dump to ndsd log file" logged to the ndsd.log on each cn=monitor search  (Bug 1010126)
- Looping when trying to read a nested group  (Bug 1044191)
- Valid search filter along with an invalid filter does not return any members for dynamic group with an OR choice  (Bug 1026621)
- SASL bind fails using P-256 user certificates and the LDAP server has P-384 certificates and a SuiteB 128 cipher level (Bug 977764)
- Set disablecount to 0 in the case of a paged control isLocalTree() failing due to no replica  (Bug 1044534)
- Monitor search returns the data for the parent object if the base object is not present  (Bug 962927)
- Unable to unload DSLDRModule error when unloading nldap module  (Bug 1006512)
- LDAP Server trace does not list all the attributes in the SSS control sort key list  (Bug 1007482)
- Paged control is ignored for sub-ref server  (Bug 1009699)
- New control to skip counting of entries causes paged result control to return just the first page  (Bug 1009947)
- Persistent searches not working correctly after patching to 9.0.2  (Bug 1030317)

- Prevent Suite B from being enabled if EC CA is not present  (Bug 961495)
- eDirectory CA pem file not created when deleted or modified in eDirectory.  (Bug 1019107)
- Exporting ECDSA 384 user certificate fails with error code -1232 when tree CA is a subordinate CA  (Bug 1026608)
- NDSD crash on Subordinate CA during upgrade if CA's certificate LDAP CRL DPs are not reachable  (Bug 1031235)

- Enhancement: dsbrowse and dsedit now work without requiring Windows interactive support  (Bug 942236)
- Windows 2016: prevent interactive service detection when selecting NDSConsole - DS - Configure  (Bug 1060846)
- Ndslogin "-n" switch now toggles between NMAS and NDS hash password methods  (Bug 961646)
- Windows repair now has an option to get defragmentation stats  (Bug 936718)
- Windows: file not found seen when attempting to open the dsrepair log file  (Bug 1029426/1029253)
- Windows: unable to enable EBA option in dstrace  (Bug 963929)
- Old dstrace flags WANM, DRLD & DRLK removed  (Bug 990961)
- Ndscheck prints the date twice  (Bug 1008454)
- Diagnostic Logger throws "invalid context" error (-670)  (Bug 1009481)
- RPATH added to OpenLDAP utilities  (Bug 1048381)
- RPATH added to the rbLdapConfig binary  (Bug 959921)
- Edirutil tool of embox should use JRE installed by customer  (Bug 1041920/1043974)
- eMBox: health check reports eMBox is down even if up  (Bug 138866)
- DSBK restore not creating a log file or logging information if there are invalid options given  (Bug 941719)
- Invalid -663 error logged in the ndsd.log the first time eDirectory is configured  (Bug 1006427)
- DSE_IMPERSONATE event added as a SNMP trap for LDAP proxy authentication  (Bug 957275)
- Ndsconfig now configures a new tree if a terminal is not allocated to the ssh session  (Bug 1057014)
- Ndsconfig fails to upgrade the server if the password used contains a double quote  (Bug 1013227)
- Installation now prevents a new installation on a BTRFS volume  (Bug 1049570/1037935)
- Install script now shows the "-b" option if the same version is detected  (Bug 959046)
- Installation: unable to configure an eDirectory server with a default configuration file path and non-default instance path  (Bug 982543)
- Installation: installation fails on a SLES 12 SP2 server running the ZENworks Agent  (Bug 1038018)
- Installation on Windows in a custom location would result in "Location error" if the default path is used  (Bug 929177)
- Installation pre-populating admin name and context on Windows  (Bug 1011146)
- Installation: NDSD should pre-parse the nds.conf and report if there are duplicate entries  (Bug 991995)
- Address is not printing correctly in inbound connection table  (Bug 956029)
- Ndspath and LD_LIBRARY_PATH have been removed from nds-install  (Bug 1049567)
- Only background process name should be present in a cn=monitor response  (Bug 959547)
- iMonitor: event statistics showing some handler flags as unknown  (Bug 1025608)
- iMonitor: timestamp of "Connection" event is incorrect in event trace  (Bug 1031835)
- iMonitor: showing unknown as the verb name for verb number -135  (Bug )
- iMonitor: showing IP address in hexadecimal format  (Bug 1030826)
- iMonitor: incorrect calculation of transaction id  (Bug 1023422)
- iMonitor: agent configuration displays wrong information when browser's language is French  (Bug 1039288)
- ICE now accepts password through an environment variable  (Bug 1029809)
- Now able to get/set the ldapsslconfig attribute through ldapconfig  (Bug 1006425)
- "DHost" and "ndsconfig set" options for setting sadmin password have been removed  (Bug 953008)
- Advanced options are not seen on Windows if dsrepair is loaded with the -a switch  (Bug 1029465)
- DHOST hconvserv: iConsole does not show all NCP engine interfaces  (Bug 445967)
- Set ndstrace=!M in ndstrace prompt makes cache size to 0 bytes in _ndsdb.ini file  (Bug 1044504)

- NDSD dumping core while loading/unloading XDAS module  (Bug 996268)
- XDAS: login events have correct initiator but wrong target  (Bug 1007178)
- XDAS: no events are generated for failed creation, modification and deletion  (Bug 1028696)
- XDAS events are not generated for object search operation through iManager  (Bug 1029030)
- No event generated when XDAS auditing is stopped or unloaded.  (Bug 1029255)
- XDAS now correctly reports TargetUsername as name of object restored  (Bug 1029290/1036523)
- XDAS: trust access events now correctly generated for group added or removed from a trustee  (Bug 1030025)
- XDAS: IRF addition now generates a "Grant Trust Access" event  (Bug 1030035)
- XDAS: no target name when attribute modification failed with -672  (Bug 1031002/1031020)
- An Authentication event is now thrown when NMAS performs a local authentication  (Bug 1008391)
- XDAS Enhancement: Exclusion Filter to suppress internal events  (Bug 1043974/894341/1037515)
- Not getting class information for delete failure events  (Bug 1031350)
- Getting a Create Data Item event for a DSE_REFERRAL event instead of Query event (Bug 1031350)
- Now getting target object as "Inherent MasK" for an IRF  (Bug 1031350)
- Now using the "Select All" button to select all the events: both DS and LDAP  (Bug 1030279)
- Xdasconfig.properties.template file in windows set to read only  (Bug 996165)
- Latest PA included: 2011.1r6  (Bug 1055934)
- IPv6 addresses not showing correctly in event data  (Bug 1031082)
- TCP connection created while XDAS auditing is not closed  (Bug 1027221)
- Caching now enabled by default in the "xdasconfig.properties" file  (Bug 1027358)
- Enabling XDAS caching as non-root user resets the permission for non-root user  (Bug 1032226)

- Context leak in libhttpstk.so  (Bug 1048311)
- SAL threads are not deallocating memory after the thread finishes  (Bug 989317)
- Some rpms had invalid execute bit  (Bug 959837)
- Merge in OES Vega fixes  (Bug 1038225/1049286)
- iManager plugin: blank page appears for 'Extend Schema'  (Bug 1050664)
- Plugin: not able to delete a user index if a user index with the same name is present.
- Plugin: ICE plugin is not working in iManager for Windows server version  (Bug 924604)
- Plugin: not able to set memberQueryURL with backslashes in filter through dynamic group plugin  (Bug 1004295)
- Plugin: text boxes added to input protocol and cipher string for ldapsslconfig attribute  (Bug 1006424)
- Plugin: can now add a value for Network Address Restrictions  (Bug 1030393)
- Plugin: plugin performing extra adds and deletes before adding a new value to Security Equals  (Bug 1030445)
- Plugin: "Upgrade XDAS Configuration" option is not working  (Bug 1031000)
- Plugin: now have an option to disable anonymous unauthenticated LDAP binds  (Bug 1028615)
- Plugin: NMAS Plugin is not updating the SasAuthorizedLogins attribute when re-Authorizing a method  (Bug 1000038)
- Plugin: PKI plugin does not display an error enabling Suite B on a NPKI CA that does not have an EC certificate  (Bug 995696)
- Plugin: DoubleClick should be allowed when selecting attributes in XDAS filtering  (Bug 1033958)
- Non-root builds do not bundle libtcmalloc (Bug 1031648)
- NICI Suite B changes  (Bug 1042596)
- Clean up some dependency issues  (Bug 955562)
- "--force --nodeps" added back to nds-install script for installing RPMs  (Bug 1051434)

Issues resolved in eDirectory 9.0.3 Patch 1
July 2017
NDSD: 40005.13
JRE: 1.8.0_131

- Error -610 when querying for members in a nested group  (Bug 1040160)

- Persistent searches work erratically  (Bug 1035972)
- Under some conditions eDirectory loops reading a nested group (1042344)

- Potential Security Vulnerability: eDirectory LDAP peer certificate validation issue  (Bug 977754)  (CVE-2017-9267)

- Updated JAVA to: 1.8.0_131  (Bug 1043096)
- Potential Security Vulnerability: PKI Plugin web shell upload vulnerability  (Bug 1036392) (CVE-2017-7429)

Issues resolved in eDirectory 9.0.3
April 2017
NDSD: 40005.12
JRE: 1.8.0_112
OpenSSL: 1.0.2k
NICI: 3.0.2
PA: 2011.1r8

- NDSD crashes in DSRTraceString function due to buffer overflow.  (Bug 1016637)
- Memory leak on IDM server after upgrading to Patch 8.  (Bug 1026237)
- Dibclone is creating multiple active tree keys.  (Bug 998847/1019166)
- NDSD cores if there is an invalid filter in a dynamic group (cn=).  (Bug 1025231)
- Coring in NBiterator when an invalid LDAP paged search query is performed.  (Bug 1021625)
- Synchronization fails with error -608, object class values getting timestamped by ndsbackup.  (Bug 1022789)
- Windows crash while performing asynchronous writes in FLAIM.  (Bug 1022704)
- No results returned when the 33rd byte/character is a "space" or an "_".  (Bug 1016661)
- Maximum number of attributes allowed to be selected for compound indexes set to 5.  (Bug 1028635/1029265)
- Jclient memory leak when generating the association statistics for IDM drivers.  (Bug 1024013)
- Compound index management no longer supported via LDIF.  Plugin is used instead.  (Bug 1029811)
- Only the first match is returned when rights are assigned via a LDAP group.  (Bug 1020867)

- Group membership attribute not being returned properly on all objects during buffer overflow.  (Bug 1001505)
- Ldapsearch does not return output when querying LDAPSyntaxes  (Bug 1005859)
- Added certificate_authorities TLS 1.2 session negotiation.  (Bug 1016244)
- The ldapSSLConfig attribute has the same ASN1 ID as ldapPermissiveModify.  (Bug 1015184)
- Searches for subschemaSubentry fail with error: illegal ds name (-610).  (Bug 1018225)

- Nmasrefresh throws 1644 and does not update the method  (Bug 1020814)

- DNS name added in Subject Alternative Name for SSL CertificateDNS certificates.  (Bug 1025648)

- OpenSSL updated to 1.0.2k.  (Bug 1022481) (CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055)

- NICI updated to 3.0.2.  (Bug 1022993)

- Auditds crashing on Windows in LogEventExt.  (Bug 1030590)
- NDSD crashing while performing LDAP searches and NAudit is enabled.  (Bug 1030705)
- PA updated to 2011.r5  (Bug 1027384)
- eDirectory XDAS mapping needs to be simplified  (Bug 1018982)
- XDAS will follow Sentinel taxonomy.  (Bug 1006845)
- LDAP events are merged into DS events.  (Bug 991735/992054/1018982/1007603)
- NMAS auditing is merged into eDirectory XDAS event auditing.  (Bug 1014188)
- Roles have been replaced by Trust Management events.  (Bug 983607)
- New XDAS events "Associate Trust" and "Deassociate Trust" for monitoring the "Group Membership" modification.  (Bug 984949)
- Object class and attribute filtering now available for data item events.  (Bug 857989)
- "Login Failure" event is missing the correct SourceHost/IP information.  (Bug 979399)
- Auditing plugin now indicates select or deselect all is not applicable for query events.  (Bug 1028267)
- Special attributes which already have meta events should not be shown in the filtering attribute list.  (Bug 1028462)
- XdasConfiguration attribute value on server put into basic configuration.  (Bug 1028038/1030403/1029467)
- "xdasversion" attribute on the server object updated with a value of 2.  (Bug 1028038/1029467)
- "xdasDSConfiguration" attribute is now removed.  (Bug 1029300)
- Map group Member attribute to ASSOCIATE and DEASSOCIATE TRUST.  (Bug 1028693/1029259/1029502)
- Removal of the DATA ITEM OR RESOURCE ELEMENT CONTENT ACCESS events to simplify XDAS auditing.  (Bug 990217)
- NMAS will now always throw the DSE_VERIFY_PASS event for password verification.  (Bug 1029759)
- Mapped "DSE_NMAS_LOG_CHECK_PWD_SYNTAX_POLICY" event to QUERY_ACCOUNT_SECURITY_TOKEN event for password policy check.  (Bug 1029759)
- DSE_MODIFY_ENTRY mapped to Modify Account.  Trust and Data Item to report modification failures.  (Bug 1029349)
- New events, "Intruder Lockout" and "Account Unlock" added.  (Bug 1026813)
- Class name for user not present performing a simple bind when eDir allows local binds.  (Bug 1029011)
- Added mapping for Denial cases in Severity mapping and taxonomy mapping.  (Bug 1029473)
- Mapped the Equivalent To Me attribute to Associate/Deassociate Trust.  (Bug 1029676)
- Now reports Associate and Deassociate events for both Equivalent To Me and Security Equals.  (Bug 1030029)
- Terminate Session event has Initiator name set to [Public] instead of the name of user who logged off.  (Bug 1029754)
- "MODIFY_SERVICE_CONFIG" event is now thrown whenever the xdasconfiguration is changed.  (Bug 1026813)
- Fixed the "Modify Data Item Attribute" event for special objects.  (Bug 1027652)
- XDAS: Role Management Events not creating a DSE_ADD_VALUE  (Bug 1013785)
- NMAS XDAS events merged with eDir Event System and plugin  (Bug 1018984)
- Logins through iMonitor not populating correct Source IP  (Bug 1023336)
- Grant and Revoke Access events should be thrown from the trustee's point of view  (Bug 1027199)
- "Account Unlock" event should be thrown when an account is unlocked  (Bug 1027382)
- New events, "DSE_AUTHENTICATE" and "DSE_LOGIN_EX", showing as unknown in iMonitor.  (Bug 1008291\971940)
- Added a new event "Audit Config" to monitor xdas configuration changes.  (Bug 1027385)
- The attribute name is now correctly populated with the rights being granted/revoked to the user.  (Bug 1027601)
- Null values were received from "Enable/Disable Service" events.  (Bug 1028695)
- There is no XDAS event for checking passwords against password policies.  (Bug 1029759)
- No Modify Data Item event with DSE_MOVE_SUBTREE vendor code.  (Bug 1029729)
- UI changes.  (Bug 1020560/1027005/1027006)
- Account Management Events filters and Account Data Events filters should be independent of each other  (Bug 1024434)
- Account filtering should map only User classes by default.  (Bug 1027004)
- "Account Data Events" renamed to "Data Item Management Events".  (Bug 1027015)
- "Account Security Events" in XDAS iManager plugin changed to "Security Events".  (Bug 1027017)
- Grant and Revoke events moved to Security Events Section.  (1027095)
- Attribute filtering was not working for Error -603 as attribute ID was Invalid.  (Bug 1028455)
- Plugin: new event "Audit Config" is provided.  (Bug 1027587)
- XDAS plugin help page updated.  (Bug 1027292)
- NMAS methods not loading if auditing was enabled on Windows.  (Bug 1031669)
- "MODIFY_ACCOUNT" can now be used for monitoring events using "Class" filtering.  (Bug 858068)
- One bind is returning multiple redundant events.  (Bug 894373)
- XDAS: login failures can now be monitored through the "Create Session" event.  (Bug 978561/1006845)
- Option added for selecting/deselecting the NMAS events to be monitored through the iManager Auditing plug-in.  (Bug 982198)
- Attribute Value add/deletes now monitored via the "Create Data Item" or "Delete Data Item" events.  (Bug 984699)
- Source IP is not populated for a login made via the CertMutual login method.  (Bug 1008385)
- Connection ID information is missing for LDAP operations.  (Bug 1009314)
- Nested group creation no longer results in an ID_DYNAMIC_DN event.  (Bug 1029498)
- Updated mapping of NMAS events to XDAS events.  (Bug 978826/1027229)
- New DS event "DSE_CONNECTION" to track connections between components.  (Bug 1029335)
- Added group read to xdas-events.log.  (Bug 1023930)
- PA: the "Verify Password" authentication event from eDirectory is mislabelled as account management.  (Bug 1020709)
- PA: observerHostName should have the name of the host eDirectory is running on.  (Bug 1029327)

- iMonitor shows attribute names multiple times for value indexes created on syn_path syntax.  (Bug 1022477)
- ICE plugin quits processing LDIF entries after approx 100 errors.  (Bug 989034)
- Install: upgrades from 8.8 SP8 fail if SLES is first upgraded from 11 to 12.  (Bug 1024926)
- Dsrepair - "Synchronize the Replica on All servers" results in a dHost crash on Windows.  (Bug 1006991)
- EBAServerConfiguration attribute now correctly handled during a dibclone operation.  (Bug 994528)
- TSX lock elision seg fault from NICI resolved in ndsconfig.  (Bug 1012336/1022101)
- TSX lock elision seg fault resolved in ndsrepair.  (Bug 1024463/1022101)
- ICE now accepts password from environment variable.  (Bug 1005284)
- NDSD systemd service name shortened to ndsd.service.  (Bug 1013201)
- Index management plugin now allows for the creation and deletion of compound indexes.  (Bug 1017729/1029054)
- Ndsindex man page updated for compound indexes.  (Bug 1029814)
- Install: crash upgrading from 902 to 903.  Now install prompts to update PA if installed.  (Bug 1031891\1031856)

- Document the change in certificate handling between OpenLDAP vs. CLDAPsdk

Issues resolved in eDirectory 9.0.2 Hotfix 2
February 2017

- Fixed parsing issue so that IDM also has the new eDir cn=monitor functionality.  (Bug 1010630)

- IDM 4.6 support  (Bug 1023537/1023139)

- Potential Security Vulnerability: Connections via an Audit Connector fail due to Java rejecting a certificate signed with MD5  (Bug 1019041) (CVE-2017-5186)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above.  The previously used embedded certificate can no longer be used with Java 1.8.  This certificate issue has required the modification of the following components.  The updated files can be found on the respective product's patch page.

1019041/987162  – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
1019543\1011208 – IDM
1021391 – RBPM
1013758 – Naudit connector

Issues resolved in eDirectory 9.0.2 Hotfix 1
December 2016

- If paged size is greater than the number of entries to be returned, then no results are returned  (Bug 1012208)

Issues resolved in eDirectory 9.0.2
November 2016
NDSD: 40004.44
JRE: 1.8.0_102
OpenSSL: 1.0.2j-fips
PA: 2011.1r3 (2.0.2-79)

- Old method of automatic attribute containerization is now enabled by default  (Bug 1005429/1005433)
- IDM engine Security Equals modification loops back on Subscriber channel  (Bug 988797)
- Repair switch -SXW now removes the attribute without timestamping object  (Bug 991993)
- NDSD now pre-parses the nds.conf and reports if there are duplicate entries  (Bug 991995)
- NDSD cores in FSGetDomain when performing heavy LDAP writes  (Bug 991996)
- Security vulnerability: Nessus scan shows potential Clickjacking vulnerability  (Bug 998565) (CVE-2016-9168)
- Security vulnerability: addresses potential access inconsistencies  (Bug 993219) (CVE-2016-9167)
- Socket leaks causing CIFS users to no longer access DFS junctions  (Bug 995731)
- Dynamic group memberQueryURL does not accept backslashes in filter  (Bug 1003313)
- DHost unable to shutdown when trace messages are being received in ndstrace  (Bug 985436)
- OES11SP3: NDSD crash when server is booting and in 'Unused' state afterward  (Bug 988802)
- EBA: Error: -2109(UAP_ERR_NMAS_API_INIT_FAILED) after tree rename  (Bug 961637)
- EBA: dlm's displaying all zeros for version
- EBA: Error -672 in iMonitor while accessing an EBA enabled server on Windows  (Bug 989476)
- Improved inherited ACL computation  (Bug 993219)
- Potential Security Vulnerability: non-secure traffic still seen even when EBA is enabled for all servers  (Bug 992377) (CVE-2016-9166)
- Upgrade no longer changes the value on the httpKeyMaterialObject attribute if 3rd party used (Bug 972602)
- Wrong environment variable listed at the end of the installation  (Bug 982741)
- Ndscheck now shows correct binary version  (Bug 982742)
- Installer no longer presents messages on overwrite  (Bug 985989)
- JRE: 1.8.0_102 included  (Bug 993491)
- Ldap search with both paged results and sort control returns no values  (Bug 998302)
- Ndsconfig now recommends to restart the service with "add" and "upgrade" options  (Bug 1006673)
- IDM 4.5.4 and 4.6 support  (Bug 1010889)

- Intermittent long delays for normal LDAP searches  (Bug 988798)
- NDSD crashes in LDAP with multiple naming attributes  (Bug 988800)
- Search will always fail from 9.0 (-635) if a partition is present only on an 888 server  (Bug 1008711)
- Attempting to generate 512 byte keys when FIPS mode is enabled  (Bug 972268)
- Dynamic group searches are inconsistent and not going remote  (Bug 972598)
- Error: -601 returned when performing an LDAP search anonymously with server side sort control  (Bug 998575)
- Server Side Sorting of LDAP search results can now be based on multiple sort keys  (Bug 998714)
- Problems performing reverse order sorting with LDAP Server Side Sorting control  (Bug 998715)
- CN=monitor should be enhanced to properly handle JSON docs containing nested JSON objects  (Bug 1005307)
- New control OID introduced to disable count of entries in VLV/SSS ldapsearch  (Bug 1009457\1009684)

- Certificates now no longer have serial numbers greater than 20 bytes  (Bug 993855)
- PKI: Server Certificate creation fails with error: -1232  (Bug 993452)
- Enhancement: more granular control now possible over TLS 1.2 in LDAPS  (Bug 981740)  (KB 7017644)
- Enhancement: Ability to reissue CRL a few days before expiry (for external storage of CRL)  (Bug 996875)
- Can now successfully move the CA and CRL databases to another server  (Bug 978564/996233)
- Error: -1221 (PKI_E_INVALID_OBJECT) returned if CRL had a typeless name passed into the DN  (Bug 917789)
- Sscert.der failed to be exported to file system when CA is replaced with an external one  (Bug 944721)
- Certificates revoked are now re-created when the option is set  (Bug 959826)
- PKI health check now exports RC certificates with correct private key header and footer  (Bug 959890)
- Security libraries now have consistent embedded version and build information  (Bug 960022)
- Default certificates are not created when in SuiteB mode using a container admin  (Bug 981698)

- The SysAddr field for eDirectory internal events should be populated with valid IP address  (Bug 988530)
- XDAS instrumentation truncates DNs at 68 bytes  (Bug 988570)
- DSE_ADD_ENTRY event is incorrectly mapped to the CREATE_ACCOUNT event  (Bug 992962)
- Filtering does not work properly if both Audit and XDAS are loaded  (Bug 994788)
- Platform Agent 2011.1r3 (2.0.2-79) now included  (Bug 1004678)
- User gets multiple login events for a single Login  (Bug 1005771)

- OpenSSL 1.0.2j-fips now included  (Bug 1000445/1002615/1004203)
- Ntls.log had improper permissions  (Bug 930311/1003637)
- Multiple potential vulnerabilities in OpenSSL libraries shipped with NTLS  (Bug 1000445)
CVE-2016-6304   H
CVE-2016-6305   M
CVE-2016-2183   L
CVE-2016-6303   L
CVE-2016-6302   L
CVE-2016-2182   L
CVE-2016-2180   L
CVE-2016-2177   L
CVE-2016-2178   L
CVE-2016-2179   L
CVE-2016-2181   L
CVE-2016-6306   L
CVE-2016-6307   L
CVE-2016-6308   L

- Audit now has event for "Login Failed"  (Bug 996758)
- Fail to start SNMP subagent on RHEL6.8  (Bug 992053)
- Fail to start SNMP subagent on SLES11SP4  (Bug 1005600)
- Plugins: EBA plugin using old libraries resulted in iManager crashing  (Bug 990244)
- Plugins: Certificate server now has an option to extend the CRL validity time  (Bug 996454)
- HTTPSTK: Enhancement to disable the HTTPSTK module and ports  (Bug 872873)
- iMonitor: now uses high ciphers by default  (Bug 979830)
- Dibclone now strips the remaining two IDM attributes off the pseudo server  (Bug 876419)
- Execution of "ldapmodify.exe" fails with error  (Bug 1006172)

Issues resolved in eDirectory 9.0.1 Hot Fix 2
August 2016
NDSD: 40003.39

- Memory leak during synchronization.  (Bug 993898)

Issues resolved in eDirectory 9.0.1 Hot Fix 1
August 2016
NDSD: 40003.38

- Synchronization fails with error: End Update failed, no transaction is active (-770).  (Bug 989766)
- Enhancement: RHEL 6.8 is now supported.

Issues resolved in eDirectory 9.0.1
June 2016

NDSD: 40003.37
OpenSSL: 1.0.1t-fips
NICI: 3.0.1
JAVA: 1.8.0_92

- Security Vulnerability: Drown attack.  (CVE-2015-3197, CVE-2016-0800)  (Bug 973501\968046)
- Enhancement: added IDM support.  (Bug 971747)
- NTLS: OpenSSL updated to 1.0.1t-fips.  (Bug 979023)
- Java updated to 1.8.0_92.  (Bug 972455)
- Dibclone operation results in a change cache rebuild.  (Bug 972608)
- NDSD running out of file descriptors during a heavy write load.  (Bug 972600)
- System created index type inconsistent between servers.  (Bug 972601)
- Plugin: Importing schema with ICE fails due to bad parsing of multi-line attributes in a LDIF.  (Bug 976249)
- Dhost crash when adding a non-EBA server with Secret Store selected.  (Bug 932625)
- eDirectory cores when timestamp is not specified in JCReadReferenceFilter.  (Bug 972615)
- IRFs being incorrectly calculated over LDAP.  (Bug 972610)
- Invalid EIDs causing 618 errors are now cleaned up.  (Bug 972611)
- Ndsconfig not able to bind to an instance with a port higher than 32767.  (Bug 972604)
- Import schema from remote tree fails with error -699 if attributes have integer64 flag.  (Bug 972613)
- NDSD core in SizeOfReferral after immediately adding back a deleted server with same name.  (Bug 979277)
- NAM IDP: 'Password expired' returned from LDAP when using a wrong but not expired password.  (Bug 972801)
- EBA not properly handling custom schema attributes with no OID defined.  (Bug 981216)
- NTLS: all anonymous ciphers are now disabled.  (Bug 978606)
- Modifies to EA were allowed in the clear.  (Bug 966658)
- Potential security vulnerability in cookie handling  (CVE-2016-5747) (Bug 972614)

- Performance improvement in LDAP operations.  (Bug 957930)
- Installation: Upgraded LDAP servers no longer default to using export grade ciphers.  (Bug 979276)
- Using ICE NDSD cores libnldap after DoLBURPOperation.  (Bug 972607)
- Performance improvement when using ICE to modify.  (Bug 976838)
- LDAP plugin: cipher change now warns to reload NLDAP.  (Bug 972605)
- LDAP plugin: no longer allows an incomplete certificate to be associated to the LDAP server.  (Bug 972606)

- LDAP pwd modify extended operation fails when uid is used as naming attribute.  (Bug 973136)
- Dhost.exe crashes in nmasLdap.dll when using NMASLDAP_CHANGE_PASSWORD_REQUEST.  (Bug 973147)
- NDSD cores after unloading an older SAML method and loading the new one.  (Bug 983271)

- Unable to revoke RSA certificates with a CRL DP after upgrade.  (Bug 962544)
- Cannot perform certificate revocation checks on eDirectory certificates using OpenSSL.  (Bug 973148)
- Plugin: import user certificate is failing with error message 'PKI-error-1214'.  (Bug 973149)

- Enhancement: two new DSfW events: Associate Trust and Disassociate Trust.  (Bug 976939/976974)
- Unnecessary events are being returned.  (Bug 972599)
- Too many events returned for Enable Account and Disable Account.  (Bug 967048)
- Instrumentation uses the wrong events for user-group association.  (Bug 972485)
- Add/Remove Value and Modify Object events are sometimes missing the TargetAttributeName field  (Bug 972618)
- XDAS auditing over secure channel does not work with Sentinel  (Bug 972620)
- NDSD sometimes cores while unloading XDAS on RHEL 7.2.  (Bug 968625)
- Installation: flag " -f "  will now authoritatively downgrade from one patch to another.  (Bug 972623)
- Installation: improved to prevent major and minor downgrades.  (Bug 972622)
- Installation: can now install without errors using a relative path.  (Bug 972627)
- Installation: health check on Windows sometimes incorrectly states there are errors.  (Bug 982260)
- SLP is looking in /usr/local/etc/ for the slp.conf file  (Bug 974112)
- Ndsbackup returns error that the API version is invalid.  (Bug 972624)
- Ndsbackup only allowed a remote server backup if the port was specified.  (Bug 972603)
- Nds-cluster-config modified to work with systemd.  (Bug 970661)
- Instrumentation files must now be manually upgraded  (Bug 976515)
- Environment variable NDSD_IGNORE_IDM_CHECK for change log module.  (Bug 977412)

Issues resolved in the original FCS version of eDirectory 9.0.0
January 2016

NDSD: 40002.79
OpenSSL: 1.0.1q
PKI Plugin: 8.887.20160114
COLLECTOR: 2011.r3
NICI: 3.0
PA: 2.0.2-77
JAVA: 1.8.0_66

- Enhancement: new platform support for Redhat 7.2.  (Bug 950323)
- Enhancement: attributes are marked but no longer automatically indexed when value >25 or > 2048.  (Bug 737743/894612)
- Enhancement: NCPEngine enhanced data payload from a maximum of 64K to 1MB.  (Bug 890561)
- Enhancement: Adjust packet queue length in async replication based on the packet size.  (Bug 891731)
- Enhancement: Async replication turned on by default.  (Bug 931608)
- Enhancement: Change cache rebuild is now multi-threaded.  (Bug 915907)
- Enhancement: Immediate Sync enhancement.  (Bug 903168/930004)
- Enhancement: janitor enhancement minimizes dib lock while calculating ACLs.  (Bug 373358)
- Enhancement: backups include a new option to clean up old RFL files.  (Bug 248631)
- Enhancement: the dsbk config now writes information about RFLs to the ndsd.log.  (Bug 248619)
- Enhancement: Hybrid Group support.  (Bug 637270)
- Enhancement: improvements for LDAP member searches when many nested groups exist under the basedn with no member.  (Bug 731164)
- eDirectory and plugins should bundle OpenLDAP SDK libraries.  (Bug 902195/920125)
- Fips mode variable "n4u.server.fips_tls" now set on by default in the nds.conf file.  (Bug 924615/920837)
- NDSD crashes due to parsing error when invalid entries exist in nds.conf.  (Bug 899708)
- eDirectory will not start if IPv6 is disabled using sysctl.  (Bug 878202)
- GUID value was improper at 9th and 10th byte.  (Bug 877031)
- Ndsrepair -T & ndstrace with VCLN tag hangs after exporting "SAL_LogLevels=LogAll".  (Bug 889744)
- Reference pointer not freed if getObjserverAddress returns error.  (Bug 868975)
- Random cores of NDSD when auditing is enabled for LDAP.  (Bug 851486)
- Unable to configure the maximum character limit for eDirectory indexes.  (Bug 864854)
- Cleanup to resolve potential flaim code issues.  (Bug 836948)
- Java updated to 1.8.0_66.  (Bug 919695)
- Platform Agent now bundled with eDirectory.  (Bug 932235)
- WAN Traffic Manager plugin removed from eDirectory plugins.  (Bug 916324)
- eDirectory plugins now allow for the management of nested groups.  (Bug 934486)

- Enhancement: Proxied Authorization Control (RFC 4370) support added.  (Bug 773042)
- Enhancement: new values in bind value to differentiate anonymous bind and simple bind with no password.  (Bug 815519)
- Enhancement: LDAP monitor interface for the gathering of eDirectory health statistics.  (Bug 942058)
- SUITEB128ONLY mode support added.  (Bug 911639)
- SUITEB192 mode support added.  (Bug 911657)
- Plugins: option to disable SSLv3 through LDAP Plugin to prevent Poodle risk (128).  (Bug 914052)
- New bind restrictions for cipher added to LDAP server object.  (Bug 901862/905232)
- Memory leak in NDSD when LDAP configuration code is executed.  (Bug 952522)
- LDAP server not correctly handling CLDAP requests when the UDP datagram size exceeds the BER length.  (Bug 961099)
- RootDSE search now contains a more accurate chaining statistic.  (Bug 934250)
- BIO ctrl messages seen when trace level is set to critical.  (Bug 900559)
- Multiple issues identified: memory corruption and buildup.  (Bug 836936)
- LDAP plugins enhanced to allow Suite B cipher modes to be set.

- NDSD_TRY_NMASLOGIN_FIRST is now set to true on the Windows platform.  (Bug 935372)
- Enhancement: if an AES256 tree key has been created, UP passwords and keys are re-encrypted using the new AES password key.  (Bug 887494)
- Enhancement: AES session keys can now be used.  (Bug 877035/926779)
- XIS unchecked return value.  (Bug 836960)
- XIS Uninitialized scalar variable.  (Bug 836960)
- Unused pointer value.  (Bug 836960)
- Dead default in switch.  (Bug 836960)
- Possible buffer overflow and some error conditions not taken care of.  (Bug 836953)
- Secret Store: potential buffer overflow and resource leak identified.  (Bug 836941)
- Memory corruption issue identified.  (Bug 836938)
- Enhancement: NMAS server binaries are no longer bundled inside the novell-NDSbase rpm.  (Bug 817833)
- SAML method not included.  (Bug 931402)

- Utilities updated to disallow the use of RSA server certificates when Suite B is enabled.  (Bug 911555)
- Create the SSECCert.der file for EC certificates.  (Bug 914912)
- Issue Certificate task of the PKI plugin always displays signature algorithm "SHA1 with RSA" in summary.  (Bug 863308/954569)
- During new installs the SSL CertificateDNS was not always getting associated to the http object.  (Bug 939629)
- Upgrade fails due to server having invalid data in the certificate's ip address extension.  (Bug 889896)
- "eDir-to-eDir Driver Certificates" plugin throws a NPKIAPI error when using the wrong plugin.  (Bug 883513)
- Modifying the CRL in the CA generates a System Error.  (Bug 883513)
- "Issue Certificate" task in PKI plugin displayed an incorrect algorithm in the last page.  (Bug 863308)
- SHA-2 is now the default signing algorithm for RSA certificates.  (Bug 919615/920844)
- Do not create EC certificate if there is no EC CA.  (Bug 916776)

- Enhancement: NICISDI health check added for key management and synchronization.  (Bug 84887)
- Enhancement: AES key support.  (Bug 494939)
- Enhancement: EC support.  (Bug 231607/175539)
- Enhancement: Now uses OpenSSL FIPS evaluated crypto library.  (Bug 266290)

- Enhancement: Now uses and checksum-verifies the included OpenSSL 1.x crypto libraries.
- Updated to disallow export, low and medium ciphers when TLS 1.2 is used in FIPS mode.  (Bug 911769)

- XDAS framework can now use TLS to connect to Sentinel and above.  (Bug 952602)
- Loss of an event when auditing (tcp) server is restarted.  (Bug 790885/803257)
- NDSD cores when an incomplete configuration is specified in xdasconfig.properties.  (Bug 895478)
- When deleting an attribute from a class an event was not thrown.  (Bug 857174)
- Multiple issues found: potential buffer overflow and unchecked returns.  (Bug 836952/836950)
- Enhancement to log EBA events.  (Bug 960199)

- Enhancement: dsrepair.dlm no longer requires interactive services detection.  (Bug 942232)
- Multiple issues identified: resource leaks, buffer overflow and error conditions.  (Bug 836940)

- Enhancement: iMonitor now shows EBA health on Agent Health screen.  (Bug 953749)
- After changing a user's rights they cannot log in to iMonitor unless NDSD is restarted.  (Bug 870938)
- Generating and running multiple reports at once cores NDSD.  (Bug 751470)

- While printing timestamp ndstrace truncates the milliseconds incorrectly.  (Bug 867978)

- Using ice with authsaml.sch the expected syntax for authsamlProviderID is SYN_CE_STRING.  (Bug 778773)
- Multiple crash and memory leak issues identified.  (Bug 836954)

- Multiple issues identified: resource leak, string overflow and uninitialized variables.  (Bug 836934)
- Langman: wrong pointer arithmetic.  (Bug 836933)

- Explicit null dereferenced.  (Bug 836959)
- Resource leak discovered.  (Bug 836959)
- Invalid copy into a fixed size buffer.  (Bug 836959)
- Write to pointer after free.  (Bug 836959)

- Control flow issues.  (Bug 836955)
- Memory corruptions.  (Bug 836955)
- Buffer not null terminated.  (Bug 836955)
- Dereference after null check.  (Bug 836955)
- Missing break in switch.  (Bug 836955)

- Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded.  (Bug 920328)
- Instrumentation updated to report EBA events.  (Bug 935719)
- Utilities updated to prevent replica operations that would break EBA.  (Bug 915556)
- Ndslogin has a new switch "-n" to prevent a NMAS authentication.  (Bug 927004)
- Ndscheck updated to display EBACA validity information.  (Bug 956943/960654)
- Install: The attribute that is not found is now displayed during initial configuration.  (Bug 773827)
- Install: Registry entries left over after uninstalling NICI on Windows.  (Bug 622222)
- Install: New ndsconfig switch for EBA: CONFIGURE_EBA_NOW.  (Bug 927538)
- Backups should have the default of leaving the RFLs in place.  (Bug 248622/248621)
- Ndsconfig now checks for invalid log levels.  (Bug 139050)
- Diagpwd: new option "-t" to re-encrypt UP if AES256 tree key is present.  (Bug 961109/885851)
- CLDAP SDK moved to an OpenLDAP based SDK.  (Bug 919611/942904)
- Kerberos Password Agent (KPA) krbLdapConfig utility now uses the OpenLDAP libraries.  (Bug 924624)
- Plugins: Encrypted Attributes feature updated to support AES256 keys.  (Bug 955389)
- SDIdiag enhanced to provide information about the tree key.  (Bug 919615)
- NMAS_LDAPExt and Nldapextd updated to extend OpenLDAP C SDK.  (Bug 933447/852520)
- NDSSNMP updated to depend on the OpenLDAP SDK.  (Bug 867551)
- Proxy Authorization Control sample added to the OpenLDAP SDK.  (Bug 919612)
- Ndspassstore changes for Suite B support.  (Bug 877264)