NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:      Fix for userpassword upper and lower bounds
TID #:      2970608
README FOR: userpfix2.exe
SUPERSEDES: userpfix.exe

NOVELL PRODUCTS and VERSIONS:
NFS
NetWare 5.1
NetWare 6
NetWare 6.5
eDirectory 8.7.1
eDirectory 8.7.3

ABSTRACT:

In some trees, the attribute 'userpassword' was initially added with
incorrect upper and lower bounds of FFFFFFFF (-1), making it essentially
unusable. The scripts in this download will remove the existing
userpassword attribute definition and replace it with the correct
definition. These scripts require a minimum eDirectory version of 8.7.1.

These scripts changed between "userpfix.exe" and "userpfix2.exe" in that
they were modified to account for schema classes that could be present if
certain Novell Zen products are installed. Furthermore, the userpfix2.exe
download was altered April 26, 2005, only to modify this readme (Issue
section).

-----------------------------------------------------------------
DISCLAIMER

THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL.
NOVELL MAKES ALL REASONABLE EFFORTS TO VERIFY THIS INFORMATION. HOWEVER,
THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY.
NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS
INFORMATION.
-----------------------------------------------------------------

INSTALLATION INSTRUCTIONS:

Perform the following on a NetWare Server which holds a read-write replica
of [root]. (Non-NetWare methods of implementing SCH files are acceptable
as well, but these instructions are written from a NetWare viewpoint.)

1. Verify the need for these scripts via DSBROWSE.

   a. Schema Browse -> Schema Root -> Attribute definitions.
   b. Find and select userPassword.
   c. Continue to press [enter] until the "Schema Attribute Definition"
      is shown.
   d. If the upper and lower bounds are FFFFFFFF, this fix is needed.

2. Verify via DSBROWSE that no objects in the tree are using this
   attribute. In theory, if the attribute has the problem described in
   this document, it should not be possible for any object to have this
   attribute.

   a. Load DSBROWSE, select OBJECT SEARCH.
   b. In Object Information, Name, type * and press .
   c. In Attribute Information, Name, type userpassword and press .
   d. Press F10 to execute the search. NOTE that if was not pressed as
      mentioned above, you may be searching on all attributes rather
      than the one typed.
   e. If any objects show up in the search, either the search was done
      wrong or the userpassword attribute is in use. Verify that any
      found objects hold this attribute by selecting the object, then
      select "View Attributes." Once the list comes up, if you key in
      userpassword or just userp it will jump to that item, if present.
   f. If there are indeed objects with this attribute, they will need to
      be deleted before this procedure can run successfully. Be sure it
      is okay to delete objects before doing so. Be sure the can be
      replaced if necessary.

3. Verify that only the known schema classes "may contain" this
   attribute.

   a. Load Schema Manager (via ConsoleOne, Tools menu).
   b. Select the ATTRIBUTE tab.
   c. Find 'userpassword'. These are not listed 100% alphabetically.
      Uppercase items will be listed before lowercase, and this
      attribute begins with lowercase. It is usually very near the end
      of the entire list.
   d. Highlight userpassword and press "Info."
   e. Check the list of "Classes using this attribute." If more than the
      following are listed, these scripts will not be successful. The
      scripts could be modified to deal with additional classes, but
      Novell does not recommend altering these scripts or modifying
      schema without schema expertise and familiarity with the classes
      being modified.

      Classes handled by these scripts:

         Group
         User
         zendmWakeUpPolicy
         zendmWolService
         zeninvRollUpPolicy
         zeninvService

4. Ensure you are running eDirectory 8.7.1 or higher.

5. Copy the enclosed *.SCH files to SYS:SYSTEM\SCHEMA\

6. Load NWCONFIG. Select "Directory Options."

7. Select "Extend Schema" and log in as admin (or someone with full
   rights to the root of the tree).

8. Press F3, and for the path of the file, specify
   SYS:SYSTEM\SCHEMA\DELUSERP.SCH. This script will alter the known
   classes that "may contain" userpassword so they cannot contain it.
   Then it will delete the existing userpassword attribute. If any
   errors occur, they will be logged at the end of the
   SYS:SYSTEM\DSMISC.LOG file. Errors regarding attempts to modify the
   Zen classes are expected if you do not have these classes in your
   tree. This should not be a concern. The main concern is whether the
   userpassword attribute itself was successfully removed.

9. Repeat steps 7 and 8, but for the path specify
   SYS:SYSTEM\SCHEMA\NEWUSERP.SCH. This will add the correct definition
   and then replace the "may contain" definition in the known classes.
   Again, errors about the Zen classes are expected if these classes are
   not in your tree.

10. Repeat step 1 to verify that the userpassword attribute now has
    upper and lower bounds of 1 and 80 (hex).

ISSUE:

1. In some trees, the "userpassword" attribute has been defined
   incorrectly, with upper and lower bounds set to FFFFFFFF (-1). As a
   result, applications which attempt to use this attribute directly
   through eDirectory may not function correctly. Applications which use
   LDAP may still work, as LDAP redirects this attribute as a special
   case.

   The most common failure due to this attribute being defined
   incorrectly will be complete inoperability of Novell's NetWare NFS
   products: NetWare NFS 3.0, Native File Access for Unix, NFS Gateway
   for NetWare 6, NFS Gateway for NetWare 6.5.

   In the case of the above mentioned products, services may fail to
   initialize, and typically NDSILIB.NLM will give errors when it loads:

      Could not authenticate context handle. Load schinst and try again. Exiting...

2. Novell has received feedback that these userpassword schema
   modification scripts also resolved a failure to install NFAP 1.0 on a
   NetWare 5.1 server, which was giving the following error:

      Error: "Driver Fatal:
      (class:com/novell/application/install/nativefs/NativeFSLoginMethods,
      method: addServerAsTrusteeToLoginMethod signature:
      (Lcom/novell/admin/ns/nds/NDSNamespace;Lcom/novell/application/console/snapin/ObjectEntry;Ljava/lang/String;)V)
      Incompatible object"

   There is not a known connection between this error and the
   userpassword attribute, and Novell has not confirmed any case of this
   download correcting this error. For that, Novell recommends following
   TID 10073336. However, if the tree in question has this userpassword
   attribute problem, these scripts should be run and it may help
   eliminate the above error.

Self-Extracting File Name: userpfix2.exe

Files Included       Size    Date         Time

..\
  USERPFIX2.TXT      (This file)

..\USERPFIX2\
  DELUSERP.SCH       1091    1-19-2005    1:52:48 pm
  NEWUSERP.SCH       1355    1-19-2005    1:32:04 pm

-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.
-----------------------------------------------------------------