Sun Java(TM) System Directory Server 5.2 Patch 6 Release Notes

Version 5.2 Patch 6

Part Number 820-3003

These Release Notes contain important information about the Compressed Archive (patchzip) and Native Package (patch) of Sun Java System Directory Server 5.2 Patch 6. Those two types of delivery are covered in this document. Bugs fixed, new features and enhancements, known issues and limitations, and other information are addressed here. Read this document before you begin to apply 5.2 Patch 6 on top of the installed Directory Server 5.2 product.

Directory Server 5.2 Patch 6 replaces Directory Server 5.2 Patch 5, which has been withdrawn. Enhancements and fixes are described relative to Directory Server 5.2 2005Q4 (Patch 4).

IMPORTANT: If you have applied a hot fix to Directory Server 5.2 installed from native packages, make sure to use the workaround to reinstate symbolic links after a hot fix. Otherwise you do not benefit from the fixes made in the patch.


CAUTION: If you have applied the latest Network Security Services (NSS) 3.12 patch to your system, you must use the procedure described in Installation Information for Network Security Services 3.12 to ensure that your Directory Server 5.2 installation works properly.


CAUTION: Because of security issues in NSS and SASL components, the Sun Java(TM) System Directory Server 5.2 Patch 6 Security Patchzip 142806-01 must be applied on top of a Directory Server 5.2 Patch 6 ZIP installation. For directions see Installing Directory Server 5.2 Patch 6 Security Patchzip.


The most up-to-date version of these release notes can be found at the Sun Java System documentation web site: http://docs.sun.com/prod/sunone. Check the web site prior to installing and setting up your software. Then check the web site periodically thereafter to view the most up-to-date release notes and product documentation.

These release notes contain the following sections:

Third-party URLs are referenced in this document and provide additional, related information.



Note

Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.



Release Notes Revision History

Table 1. Revision History 

| Date | Description of Changes |
|---|---|
| September 2007 | Initial Release |
| November 2007 | Updated Release |
| October 2008 | Updated Release |
| August 2009 | Added procedure to function with NSS 3.12 patch |
| December 2009 | Security Patchzip 142806-01 |

These release notes provide current information on the date they are published. However, if the English version of the release notes has a more recent publication date, it might be updated with more current information that is not provided in other versions. Consult the English version of the release notes for the most current information.


About Directory Server 5.2 Patch 6

This is a maintenance release for Compressed Archive and Native Package installations of Directory Server 5.2. This update can be performed on Directory Server 5.2 only. This update cannot be performed on versions of Directory Server prior to Directory Server 5.2.

This section includes:

What's New in This Release

Directory Server 5.2 Patch 6 is a maintenance release of Directory Server 5.2. For information about the bugs fixed, see "Bugs Fixed in This Release".

Enhancements in Directory Server 5.2 Patch 6

Scheduling of tombstone purging threads (6338797)
When replication is enabled, deleted entries are not removed by the delete operation but are kept as tombstones for some time (to help the resolution of some conflicts). A thread is spawned every nsds5ReplicaTombstonePurgeInterval to delete old tombstone entries.

This activity may have an impact upon the server maximum response time. Some customers may want to be able to schedule this activity to limit the impact during the peak hours.

A new parameter nsds5ReplicaTombstonePurgeSchedule has been added in the cn=replica,cn="suffixName",cn=mapping tree,cn=config entry to control the time window in which the purging thread may run. Its value syntax is the same as the nsds5ReplicaUpdateSchedule parameter.

Note:

It is recommended to keep the default value unless there is a very strong requirement about the maximum response time of a request and this requirement is not met on a periodic basis. (The period is nsds5ReplicaTombstonePurgeInterval. The default value is 5 minutes.)

MMR: High performance degradation when purging tombstones (6175472)
When replication is enabled, deleted entries are not removed by the delete operation but are kept as tombstones for some time (to help the resolution of some conflicts). A thread is spawned every nsds5ReplicaTombstonePurgeInterval to delete old tombstone entries.

In previous versions, all the tombstones were searched, and then the old ones were removed.

These fixes implement new matching rules and a new index so that only the tombstone entries that should be deleted are searched.

(If the delete operation pattern is regular and uses the default tombstone purging parameters, the old tombstone entries represent only 0.5% of the tombstone entries.)

This fix is activated by default on instances created after having installed Directory Server 5.2 Patch 6.

To activate the fix on existing instances, use a script on both UNIX and Windows platforms:

Note: Reindexing can take a long time on large databases. You can bypass the reindexing phase (with the -q option) and reindex after applying the fix, either manually or by reimporting the database.



mmldif Needs to Be Able to Manage Huge Files - Need 64 bits Version (6386607)
To manage LDIF files bigger than 4 Gbytes, a 64-bit version of mmldif has been integrated in this release.

Need method/tool to determine progress of db recovery following a crash (6197516)
At the next restart after a disorderly shutdown, the recovery process is restarted. There are two phases that can take a considerable amount of time without indicating the state and progress.
With this fix there is progress information for:

DS5.2 Patch 6: integration of the ISW pre-operation plug-in (6469724)
Identity Synchronization for Windows (ISW) synchronizes the users/groups from Active Directory to Directory Server products and vice versa. Initially, ISW was designed to support only DSEE (Directory Server 6.0) and above. However, given that most of the customers are still using Directory Server 5.2, we support ISW on that release as well.

ISW requires a pre-operation plug-in for encrypting the passwords at Directory Server. This plugin is an integrated part of DS 6.0 and is enabled during ISW installation. To have the uniformity and ease of writing the new change, we recommend bundling this plug-in with the Directory Server 5.2 Patch 6.

This plug-in has been integrated for Solaris, Linux, and Windows platforms. It is not integrated in AIX and HP-UX platforms.

Slow performance of nsrole evaluation in DS5.2x compared to DS5.1x due to dn normalization (6445928)
The search operation of nsRoleDN attribute values of an entry that defines a list of Managed Role objects may have performed unsatisfactorily because of the number of Managed Role objects linked to this entry.

The Roles plug-in delivered in Directory Server 5.2 Patch 6 is now able to build and cache the list of nsRoleDN values of the candidate entry. The list is then used to check whether any Managed Role object matches one of the DNs in this list. Before this release, the list was built each time a Managed Role object was being evaluated.

Allow "Administrators" to reset the password (481733)
This feature allows any administrator to reset a user password. To enable this feature, set the new configuration parameter passwordNonRootMayResetUserpwd to "on"; set it to "off" to disable the feature.

This attribute is part of entry "cn=Password Policy,cn=config".

This feature became available as of Directory Server 5.2 Patch 4 but was not included in the documentation.

Supported Platforms

Directory Server 5.2 Patch 6 is available on the following platforms:

The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. However, this update is validated on IBM AIX 5.2. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but IBM AIX 5.1 is no longer supported by IBM.

Directory Server 5.2 Patch 6 running in 32-bit mode has been validated on Red Hat Linux AS 3.0 U4 based on AMD64 hardware.

Specific operating system patches may need to be installed before Directory Server 5.2 Patch 6 can be installed. For further information, refer to the Directory Server Installation and Tuning Guide issued with the initial release of Directory Server 5.2. You can obtain Solaris patches from http://sunsolve.sun.com.


Bugs Fixed in This Release

Table 2. Bugs Fixed in This Release

| ID Number | Description |
|---|---|
| 4863706 | slapd crashes in replicated operation |
| 4884530 | Database Becomes Unavailable if LDIF File Is Inaccessible During Import |
| 4889077 | The db2ldif -s Command Causes Errors on Suffixes With a Subtree |
| 4925250 | Incorrect Error Message When Exporting a Subtree by Using the db2ldif -s Option |
| 5013318 | The replication of the password term of validity is not carried out |
| 5021269 | Addition of Entries With objectClass=nsTomstone Can Cause Replication to Fail |
| 5032637 | Post Operation Plug-In Function Not Called When Search Operation on Non-Existent Base DN |
| 5032956 | ns-ldapagt doesn't start if attribute nsSNMPMasterHost == "localhost" |
| 5037580 | Modifications to Default Index Attributes Are Not Migrated From DS 5.1 to DS 5.2 |
| 5072212 | MMR+SSL: Can't stop or use master after total update that failed |
| 5097725 | Replication problems when 2 consecutive MODs are executed on the same entry. |
| 5101669 | DB_INCOMPLETE during ns-slapd shutdown |
| 5102180 | passwordExpirationTime becomes out of sync at first password expiration warning (See the workaround for issue 5102180 in the Security section of Known Issues and Limitations.) |
| 6175472 | MMR: High performance degradation when purging tombstones |
| 6193747 | 5.2x: nsDS5ReplicaChangesSentSinceStartup doesn't work correctly |
| 6197516 | Need method/tool to determine progress of db recovery following a crash. |
| 6197647 | ACI without target attr doesn't work correctly |
| 6197650 | ACI behaves inconsistency in search vs modify |
| 6199890 | MMR2: Data inconsistency after restarting masters under load (replica_check_for_data_reload) |
| 6207013 | migrate5xto52 Script Breaks Replicated Topologies |
| 6218791 | Execution failure of migrateInstance5 in DS52P2 |
| 6219006 | Bad default value for nsslapd-maxbersize - does not match documented 2Mb |
| 6225458 | replication debug logging shows incorrect data |
| 6231191 | Inconsistent results between directory versions 5.1 Patch 3 and 5.2 Patch 2 for approximate searches with OR operator. |
| 6238540 | RUVs are not always in the correct order if unused RUVs are present |
| 6250000 | non-unique nsuniqueid can be added to MMR, breaking replication |
| 6252422 | Role doesn't work on consumer after online initialization |
| 6272611 | DS Can Crash If Backoff Timer Expires When Replication Agreement Detects an External Event |
| 6276601 | race condition in libdb32.dll (windows only) causing crash (Fixed in release 5.2 patch 4 but not included in the 5.2 patch 4 release notes.) |
| 6283810 | DS5.2p3: ldapmodify with MODRDN and other changes in attr in one statement break replication forever |
| 6283871 | restore fails after binary copy/backup if cn attribute mismatches on lower/upper-case characters |
| 6287770 | More verbose and meaningful message when server fails to replay schema changes to consumer |
| 6291178 | Partial replication get broken if there are several suppliers with changelog trimming |
| 6292310 | modrdn at the same time as modifying an attribute value of parent entry causes deadlock in DS 5.2 P3 |
| 6294113 | DS5.2p3- after first empty replace op. on single-valued attribute no futher add possible - rpl. on |
| 6295322 | Memory leak in password policy |
| 6295323 | Memory leak in virtual attribut (with cos plugin) |
| 6296390 | Memory leak in 5.2 Patch 2. (and in DS6) |
| 6296972 | Incorrectly formatted DSML requests crash DS5.2 Patch3 on Solaris x86 |
| 6299664 | Modify using replace on an attribute for the first time with a value of 0 results in a NULL value |
| 6300470 | If retro changelog is enabled and a glue entry has to be created, the server crashes |
| 6300692 | Deadlock between tombstone purging thread and ACL plug-in |
| 6301695 | DS 5.2 p3, crash in mutex_lock while searching for replication agreements |
| 6303166 | Adding Patch 115614-25 Fails (./directoryserver: test: unknown operator 0) |
| 6305434 | Server crash if encrypted attribute exists with no value |
| 6309444 | memory leak in plugin_get_pwd_storage_scheme_list() |
| 6310373 | DS5.2 P3 is getting segmentation fault (sig #11) when using bak2db; db2bak.pl works fine. |
| 6310880 | modRDN of entry with multi-valued attr causes data inconsistency when replacing those attr |
| 6313027 | Plug-in allowing uniqueness in a set of attribute server does not ensure uniqueness for add operation |
| 6314338 | Improve ACI performance when using substring matching in the target dn value |
| 6316753 | core dump during vlvindex |
| 6317547 | libdb32 is missing from patchzip package on non-Solaris platform |
| 6319297 | ns-ldapagt 5.2 fails to resolve ipv4 address when ipv6 is not configured |
| 6320219 | Fix for CR 6255780 not effective for all test-case scenarios |
| 6321793 | csnset insertion error |
| 6324064 | Potential memory leak when closing a replication connection |
| 6324357 | replication miss changes under load |
| 6325572 | CoS-defined attribute not found on entries after online initialization |
| 6325574 | directory server crashes at startup in changelog init |
| 6325594 | Indiv passwd policy specifies plaintext, but passwd in new entry is replicated in encrypted form |
| 6325692 | failure to open database file during backup |
| 6332796 | RFE: Replication repair tool |
| 6333657 | Avoid to walk all nscpentrydn index when purging the tombstone. |
| 6338142 | Full distribution zip files would need to be renamed |
| 6338797 | Need to be able to schedule tombstone purging threads |
| 6340125 | cl_cache_get and cl_cache_set on same changelog crashes DS |
| 6341398 | memory leak in cos |
| 6342200 | start-slapd may fail while ns-slapd is started rightly |
| 6344220 | db2ldif fails when run from a ds52p3 instance on top of sun cluster |
| 6345005 | Directory Server may crash when Referential integrity log file is truncated. |
| 6347288 | prevent possible LDAP SDK crash (bugid 6315802) on DS |
| 6349613 | File's ownership changed to the non-existent user "865:staff" when we upgrade to patch4 as root. |
| 6350299 | Code review shows that an error message is missing in start-slapd |
| 6350924 | DSML request fails if DS is installed on the path including a space on Windows |
| 6352579 | Classic CoS under sub-sub-org does not work as configured |
| 6352920 | DS6.x control 1.3.6.1.4.1.42.2.27.9.5.7 does not guarantee CSN existence |
| 6353044 | Directory server hangs when an error occurs during error log rotation info. |
| 6354246 | bak2db crashed with dumping core |
| 6355718 | inconsistent search results due to access controls |
| 6356373 | Indirect CoS doesn't use multiple templates as documented |
| 6357602 | Add a error log message to show DS is using one/multiple/no memory pools |
| 6361850 | SNMP: ns-ldapagt send start trap(7002) twice when DS gets started. |
| 6362045 | Encrypted attribute w/base64 encoded null as value causes crash |
| 6362534 | MMR: generated csn for an op. is not systematically higher than a previous op. csn |
| 6363679 | 5.2 Patch 6: upgrade to the latest sleepycat db32 build to fix a db recovery failure |
| 6365448 | ldif2db may hang or crash |
| 6368504 | Merge of DB files during ldif2db skips keys due to incorrect cont. block prefix |
| 6371707 | Memory leak when index contains a continuation block |
| 6372409 | bak2db.pl does not remove the pid.recover file. |
| 6372433 | Insync shows err "Warning: CSN has not been initialized. No updates?" when RUV's contained 65535 |
| 6375284 | Replication loses changes with M1->M2->C1 replication scenario |
| 6377250 | Server crash when adding vlv index with incorrect vlvFilter |
| 6377304 | 5.2patch4: possible memory leak in uid uniqueness plugin |
| 6380313 | Memory leak in aci group member evaluation |
| 6381504 | When nsslapd-db-transaction-batch-val is set, txn flush fails to enforce this limit |
| 6382134 | ldapcompare and COS don't work well together |
| 6384310 | Directory Server remote DOS due to large memory allocation |
| 6386607 | mmldif need to be able to manage huge files - need 64 bits version |
| 6386671 | ou=groups contains duplicate data |
| 6387583 | Customer installed incorrect ds version on Solaris (pkg vz patchzip) |
| 6389593 | adding an entry with attr usepassword in the RDN breaks replication |
| 6390827 | deadlock in connection handling between multiple internal ops by incomming replication operation |
| 6403398 | ns-slapd hangs on first shutdown after install, on T2000 (Niagra sun4v system) |
| 6405736 | Renaming corrupted child entry could crash the server |
| 6406283 | substring filter can be slow if they are changed into range index |
| 6407726 | import may mess up userpassword entry state |
| 6410132 | weird modrate behaviour in patch. |
| 6411228 | DS incorrectly hard sets max connection backlog q to 128 (this shows in listen hash as 193 fyi). The fix for this issue includes a new attribute for configuring the maximum number of pending connections maintained by Directory Server, nsslapd-listenBacklog. The value of this configuration attribute is passed for example to the listen() function on Solaris systems. For more information on this configuration attribute, see the reference manual page on docs.sun.com. |
| 6413356 | DS xerces release 2_0_0: integration of the fix for bugzilla 7698 (handle space in schemalocation) |
| 6419908 | Directory Server substring performance improvement |
| 6421019 | bak2db fails due to \n in DBBACKEND file |
| 6421877 | Add some additional info to help core analysis on optimized version |
| 6422147 | Directory crashes with nsrole negate search |
| 6425835 | Add cn=config attribute to control default initial ber buffer size |
| 6427222 | ldap_decode_control ber_scanf passed pointer to invalid type |
| 6428474 | Account availability Password Policy Control not properly encoded |
| 6433783 | Entry may be skipped while import an LDIF file generated with db2ldif.pl -r. |
| 6434388 | DS 5: Connections closed due to exceeding ioblocktimeout don't get properly logged (no T2 is logged) |
| 6435180 | db2bak error on Windows when changelogdb path has backslash |
| 6439482 | ACI problem that could enable users to guess correct values |
| 6442106 | Crash while enabling replication |
| 6443806 | DS5.2 Patch 6: upgrade to latest ldapcsdk 5.13 |
| 6444033 | DS does not always enforce ioblocktimeout when writing result over secure connection |
| 6445928 | Slow performance of nsrole evaluation in DS5.2x compared to DS5.1x due to dn normalization |
| 6453388 | zero alloc error when retrocl and tmr-plugin enabled |
| 6454312 | uid uniqueness plugin can allow duplicate uids |
| 6457114 | Memory leak on consumer due to password policy |
| 6457484 | enabling trace crashes server during shutdown |
| 6457767 | vlv searches leak memory in DS 5.2 |
| 6458029 | tag in access log is incorrect for replicated operations |
| 6458842 | Implementation of REPL_LATENCY_CONTROL in 5.2 Patch 6 |
| 6461526 | dsrepair should tell that Replication Repair plugin is not enabled (instead of [no result]) |
| 6462036 | DS 5.2 ns-slapd may not clean up correctly when handling failed queries |
| 6466900 | Security: empty MOD / replace behaviour differs when entry has attribute vs when attribute doesn't |
| 6468242 | Corrupted replication changelog on linux |
| 6468376 | Hardening Replication when nsuniqueid is missing from index but the entry exists |
| 6469724 | DS5.2P5: integration of the ISW pre-operation plug-in |
| 6470185 | Certain DSML requests crash our server |
| 6471345 | Crash on a master (changelog trimming?) |
| 6471357 | DN could be reported invalid when spaces found after "+" in multivalued attributes. |
| 6475750 | In add operation, add operational attribute entrydn to the entry before caching this entry. |
| 6476748 | although master is in Referral on update mode the GUI does not show the "Accept new updtate" button |
| 6479809 | Changelog fully trimmed silently when configuring am invalid nsslapd-changelogmaxage |
| 6480275 | Memory leak during LDAP write operations when failing to update a matching rule index |
| 6480276 | At startup DS crashes if the changelog db is not readable |
| 6480591 | DS 5.2 p3/p4, delay of 1 sec in MOD sometimes |
| 6481790 | Memory leak during LDAP write operations when updating MAtching Rules Indexes |
| 6482778 | DS5.2P5: upgrade to NSS 3.11.3 |
| 6483913 | 5.2 Patch upgrade is not taking account new components as, for instance, psw-plugin.so |
| 6484401 | DS5.2P5: integration of the IDM plug-in |
| 6484407 | Patches synopsis need to be changed |
| 6486779 | Buffer overflow within DSML plugin w/Long (~80+ byte) DS version string |
| 6487298 | DS leaks memory when no connections are available within the conn. table |
| 6489416 | Regression: Performance/Error issue with substring filters such as (uid=123*). |
| 6491030 | slapd_nss_decrypt() leaks memory on every call |
| 6496478 | Patches are missing for SASL and LDAPCSDK |
| 6498949 | Crafted LDAP packet causes memory leak in DS5.2 |
| 6502488 | pwdhash & getpwenc: Segmentation Fault(coredump). |
| 6502522 | Regression against 6305434 on DS 5.2 Patch 6 |
| 6504653 | SchemaCSN.: error during the installation |
| 6507242 | Doc fix request: The result code 71 is omitted from the list of "not" returned by the ldap server |
| 6507263 | README for native patch: wrong informations |
| 6509593 | slapd doesn't start after backing out DS5.2 Patch 6 (115611-24, 115615-27) |
| 6510175 | can't backout patch if more than one instance created |
| 6511689 | core dump when searching index entry after the use of db2index |
| 6516274 | RPM: can not configure AS + DS |
| 6516951 | An anonymous modify request can crash the server |
| 6520209 | upgrade: mpsadmserver should not return err code 0 if using bad password |
| 6520247 | downgrade: postbackout should display a warning to use sync-cds when removing the patches |
| 6520296 | regression in dsmlfe acceptance testsuite: testcase 110_bind_6 is failing |
| 6522342 | HP-UX install: ZIP distribution refer to native PKGS |
| 6523388 | windows: ds_create: can not create a new instance in an existing serverroot |
| 6524878 | HP-UX upgrade: can not start a new instance |
| 6530624 | DS5.2P4: Unauthorized user may change some data in entries under specific conditions |
| 6541494 | regression : replication is broken : "numsubordinates assertion failure" |
| 6587775 | patch5 does not start - beta software has expired |
| 6625224 | 5.2patch6 on Windows will not be able to start - beta software has expired |
| 6732552 | The ActivateFix6175472 command location for JES version is different from the one in 5.2p6 release notes. |
| 6748701 | The value of nsDS5ReplicaTombstonePurgeInterval stated in the Directory Server 5.2 Patch 6 release notes is incorrect. |


The following bugs are fixed since Directory Server 5.2 Patch 4 but not mentioned in Sun Java(TM) System Directory Server 5.2 2005Q4 Release Notes.


Important Information

This section includes Installation Information for both Compressed Archive and Native Package deliveries.


Installation Information for Network Security Services 3.12

Network Security Services (NSS) release 3.12 (as of release 3.12.3) introduces a compatibility issue that prevents Directory Server 5.2 from restarting.

As a matter of technical background, the PKCS#11 cryptographic software interface standard used in many Sun server products requires every process that uses a PKCS#11 cryptographic library to initialize that library for itself. No process can rely on the initialization that might have been performed by the parent process to leave the cryptographic library in a usable state. Programs that do not conform to this requirement, but instead rely on the library being usable after it was initialized by a parent process, are not guaranteed to work with all hardware and software cryptographic modules that conform to that interface standard.

As of NSS release 3.12.3, NSS's cryptographic library requires programs that use it to conform to the requirement that every process must initialize the library for itself.

For Sun Java System Directory Server Enterprise Edition, only version 6.3.1 (and later versions) is compliant with this requirement. No release of Directory Server 5.2 complies, including its initial release through the 5.2 Patch 6 releases.

Directory Server 5.2 administrators might decide to upgrade to DSEE 6.3.1. For details, refer to the table titled "Upgrade Paths to Directory Server Enterprise Edition 6.3.1" in the Sun Java System Directory Server Enterprise Edition 6.3.1 Release Notes.

Otherwise, to disable the requirement, Directory Server 5.2 administrators who applied the NSS 3.12.3 patch must set the following environment variable:

    export NSS_STRICT_NOFORK=DISABLED

After the NSS_STRICT_NOFORK=DISABLED environment variable is set, the Directory Server, Admin Server, and Console can be restarted.

Directory Server 5.2 administrators must also set symbolic links to the new libraries delivered in the NSS 3.12.3 patch as shown here. Note that the default value of the SERVER_ROOT pathname is /var/opt/mps/serverroot.

    # Default SERVER_ROOT shown; substitute your own if it differs.
    cd /var/opt/mps/serverroot/lib
    ln -s /usr/lib/mps/secv1/libnssdbm3.so   libnssdbm3.so
    ln -s /usr/lib/mps/secv1/libnssutil3.so  libnssutil3.so
    ln -s /usr/lib/mps/secv1/libsqlite3.so   libsqlite3.so

    cd /var/opt/mps/serverroot/lib/sparcv9
    ln -s /usr/lib/mps/secv1/sparcv9/libnssdbm3.so   libnssdbm3.so
    ln -s /usr/lib/mps/secv1/sparcv9/libnssutil3.so  libnssutil3.so
    ln -s /usr/lib/mps/secv1/sparcv9/libsqlite3.so   libsqlite3.so
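
A check for the workaround above, as an added example that is not part of the original release notes or of the product: it confirms that each of the three libraries in a SERVER_ROOT lib directory is a symbolic link to the NSS copy and that NSS_STRICT_NOFORK=DISABLED is exported to child processes. The function names are assumptions of this example, the demo tree is constructed, and a readlink utility is assumed.

```shell
#!/bin/sh
# Added example: verify the NSS 3.12.3 workaround described above.
# Library names and directories come from the procedure; the function names
# are assumptions of this example. Assumes a readlink utility is available.

NSS_LIBS="libnssdbm3.so libnssutil3.so libsqlite3.so"

# check_nss_links LIB_DIR NSS_DIR
# Prints one line per library; returns non-zero if any entry is missing,
# is a regular file instead of a link, points somewhere else, or dangles.
check_nss_links() {
    lib_dir=$1
    nss_dir=$2
    rc=0
    for lib in $NSS_LIBS; do
        path="$lib_dir/$lib"
        if [ ! -L "$path" ]; then
            if [ -e "$path" ]; then
                echo "FAIL $path: exists but is not a symbolic link"
            else
                echo "FAIL $path: missing"
            fi
            rc=1
        elif [ "$(readlink "$path")" != "$nss_dir/$lib" ]; then
            echo "FAIL $path: points to $(readlink "$path"), expected $nss_dir/$lib"
            rc=1
        elif [ ! -e "$path" ]; then
            echo "FAIL $path: dangling link, $nss_dir/$lib is not installed"
            rc=1
        else
            echo "OK   $path"
        fi
    done
    return $rc
}

# check_nofork: succeeds only if NSS_STRICT_NOFORK=DISABLED is exported, so
# that servers started from this shell inherit it.
check_nofork() {
    env | grep '^NSS_STRICT_NOFORK=DISABLED$' >/dev/null
}

# Constructed demo: a throwaway tree stands in for /usr/lib/mps/secv1 and
# <SERVER_ROOT>/lib, so the script runs without a Directory Server install.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/secv1" "$tmp/serverroot/lib"
    for lib in $NSS_LIBS; do : > "$tmp/secv1/$lib"; done
    ln -s "$tmp/secv1/libnssdbm3.so"  "$tmp/serverroot/lib/libnssdbm3.so"
    ln -s "$tmp/secv1/libnssutil3.so" "$tmp/serverroot/lib/libnssutil3.so"
    : > "$tmp/serverroot/lib/libsqlite3.so"   # regular file, not a link
    status=0
    check_nss_links "$tmp/serverroot/lib" "$tmp/secv1" || status=$?
    check_nofork || { echo "FAIL NSS_STRICT_NOFORK=DISABLED is not exported"; status=1; }
    rm -rf "$tmp"
    return $status
}

# On a real host (default SERVER_ROOT from the text):
#   check_nss_links /var/opt/mps/serverroot/lib /usr/lib/mps/secv1
#   check_nss_links /var/opt/mps/serverroot/lib/sparcv9 /usr/lib/mps/secv1/sparcv9
demo || echo "demo finished: the failures above are expected for the constructed tree"
```

Run the two `check_nss_links` calls and `check_nofork` in the same environment that starts the Directory Server, Admin Server, and Console, because the variable must be inherited by those processes.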

Installation Information for Compressed Archive patchzip


IMPORTANT: Directory Server 5.2 Patch 6 is not available as a full distribution. You must have a previous version of Directory Server 5.2 installed on your system to be able to upgrade to Directory Server 5.2 Patch 6 by applying the compressed archive patchzip object.


CAUTION: Before upgrading to Directory Server 5.2 Patch 6, make sure you have an LDIF backup of the data of the current version of Directory Server 5.2 installed.

Once you apply patch 117665 to your compressed archive (zip) version of Directory Server 5.2, you cannot downgrade to the previously installed version of Directory Server 5.2. No automated backout mechanism exists.

Instead, to downgrade you must reinstall the previously installed version of Directory Server 5.2, and then reimport your data from backup.


Patch Requirements Information

This section lists the patches that correspond to this release. The patches are available at http://sunsolve.sun.com.

Table 3. Alignment Patches for the Compressed Archive of Directory Server 5.2 Patch 6

| Platform | Required Patch | Description |
|---|---|---|
| AIX | 117670-05 | Sun Java(TM) System Directory Server 5.2 Patch 6: AIX patchzip |
| HP-UX | 117669-05 | Sun Java(TM) System Directory Server 5.2 Patch 6: HP-UX patchzip |
| Linux | 117668-05 | Sun Java(TM) System Directory Server 5.2 Patch 6: Linux patchzip |
| Solaris | 117665-05 | Sun Java(TM) System Directory Server 5.2 Patch 6: Solaris patchzip |
| Solaris_i86pc | 117666-05 | Sun Java(TM) System Directory Server 5.2 Patch 6: Solaris x86 patchzip |
| Windows | 117667-06 | Sun Java(TM) System Directory Server 5.2 Patch 6: Windows patchzip |
| All | 142806-01 | Sun Java(TM) System Directory Server 5.2 Patch 6 Security Patchzip |

NOTE: No new localized patches have been released for Directory Server 5.2 Patch 6. To get a localized version of Directory Server 5.2 Patch 6, you need to apply the Directory Server 5.2 Patch 4 localized patches.

Localized patches are independent of the operating system that you use. The localized patch IDs are as follows:

Table 4. Localization Patches for the Compressed Archive of Directory Server 5.2 Patch 6

| Language | Required Patch | Description |
|---|---|---|
| de | 117798-04 | Directory Server 5.2 P4 PatchZIP: German (DE) localization patch |
| es | 117799-04 | Directory Server 5.2 P4 PatchZIP: Spanish (ES) localization patch |
| fr | 117800-04 | Directory Server 5.2 P4 PatchZIP: French (FR) localization patch |
| ja | 117801-04 | Directory Server 5.2 P4 PatchZIP: Japanese (JA) localization patch |
| ko | 117802-04 | Directory Server 5.2 P4 PatchZIP: Korean (KO) localization patch |
| zh | 117803-04 | Directory Server 5.2 P4 PatchZIP: ZH localization patch |
| zh_TW | 117804-04 | Directory Server 5.2 P4 PatchZIP: ZH_TW localization patch |




General Installation Information

For information about installation, see the following sections:

Installation Notes

Read the following notes before installing this patch:

Installation Instructions

The following instructions apply to a full installation of Directory Server and Administration Server on the target host. Instructions for other types of installation are in the README file of the compressed archive.

In this section, <SERVER ROOT> is the directory where the Directory Server product has been installed.

To Upgrade to the Compressed Archive of Directory Server 5.2 Patch 6 on Unix Platforms

  1. Close all console windows. If a console is open when the installation script is run, the script cannot upgrade the console binaries.
  2. Unpack the tar gzipped archive:

    # mkdir <MyDirectory>
    # cd <MyDirectory>
    # cp <package>.tar.gz .
    # gunzip <package>.tar.gz
    # tar xvf <package>.tar

  3. As the owner of <SERVER ROOT>, run the installation script by using one of the following commands:
    • Command 1: ./install.sh <SERVER ROOT> <ADMIN ID> <ADMIN PASSWORD>
      The ID and password are provided with the command.

    • Command 2: ./install.sh <SERVER ROOT>
      The ID and password are requested interactively.

    • Command 3: ./install.sh <SERVER ROOT> -f <CREDENTIAL FILE>
      The ID and password are provided in the following lines of the file <CREDENTIAL FILE>:

      Admin Id: <ADMIN ID>
      Admin Password: <ADMIN PASSWORD>

    Alternatively, if the owner of <SERVER ROOT> is a non-root user, but the server uses a privileged port such as 389, run the installation script by using the following command as root:
    ./install.sh <SERVER ROOT> <ADMIN ID> <ADMIN PASSWORD> <SERVER UID> <SERVER GROUP>

    The Directory Server is restarted by the installation script.
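
Command 1 puts the admin password in the argument list of install.sh, where it can be visible in process listings and shell history; Command 3 avoids that when the credential file is readable only by its owner and is removed afterwards. The helper below is an added example, not part of install.sh or the patch: the function names are hypothetical, the two-line file layout is the one shown above, and mktemp and a builtin printf are assumed.

```shell
#!/bin/sh
# Added example, not part of install.sh or the patch. The function names are
# hypothetical; the two-line file layout is the one shown for Command 3.
# Assumes mktemp is available and printf is a shell builtin (bash, dash, ksh93).

# make_credential_file ADMIN_ID
# Reads the password as one line on standard input, writes the credential
# file with owner-only permissions, and prints the path of the new file.
make_credential_file() {
    admin_id=$1
    if [ -z "$admin_id" ]; then
        echo "usage: make_credential_file ADMIN_ID < password" >&2
        return 2
    fi
    admin_pw=
    IFS= read -r admin_pw || :      # a final line without a newline still counts
    if [ -z "$admin_pw" ]; then
        echo "make_credential_file: no password on standard input" >&2
        return 1
    fi
    # mktemp creates a new file with mode 0600 under a name not already in use.
    cred_file=$(mktemp "${TMPDIR:-/tmp}/ds52-cred.XXXXXX") || return 1
    # A builtin printf keeps the password out of any process argument list.
    printf 'Admin Id: %s\nAdmin Password: %s\n' "$admin_id" "$admin_pw" > "$cred_file"
    admin_pw=
    printf '%s\n' "$cred_file"
}

# run_with_credentials FILE COMMAND [ARGS...]
# Runs COMMAND, removes FILE whether COMMAND succeeded or not, and returns
# COMMAND's exit status.
run_with_credentials() {
    rwc_file=$1
    shift
    rwc_status=0
    "$@" || rwc_status=$?
    rm -f "$rwc_file"
    return $rwc_status
}

# Constructed demo: made-up ID and password; `cat` stands in for install.sh.
demo_file=$(printf '%s\n' 'constructed-password' | make_credential_file admin) &&
    run_with_credentials "$demo_file" cat "$demo_file"

# Real use, typed at the terminal so the password is not echoed or stored:
#   stty -echo; cred=$(make_credential_file "<ADMIN ID>"); stty echo
#   run_with_credentials "$cred" ./install.sh "<SERVER ROOT>" -f "$cred"
```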

To Upgrade to the Compressed Archive of Directory Server 5.2 Patch 6 on Windows Platforms

  1. Become the administrator or a member of the administrator group.
  2. Close all console windows. If a console is open when the installation script is run, the script cannot upgrade the console binaries.
  3. Close the event viewer.
  4. Unpack the zip archive:

    # mkdir <MyDirectory>
    # cd <MyDirectory>
    # cp <ZIP file> .
    # unzip <ZIP file>

  5. Stop any instances of Directory Server located in <SERVER ROOT>.
  6. Run the installation script in one of the following ways:

    - If <SERVER ROOT>, <ADMIN ID> or <ADMIN PASSWORD> do not contain special characters, use this command:

    # install.bat <SERVER ROOT> <ADMIN ID> <ADMIN PASSWORD>

    - If <SERVER ROOT>, <ADMIN ID> or <ADMIN PASSWORD> contain special characters, use this command:

    # lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "<SERVER ROOT>" "<ADMIN ID>" "<ADMIN PASSWORD>"

    Values with special characters must be protected with double quotes (").

    Directory Server is restarted by the installation script.

Installing Directory Server 5.2 Patch 6 Security Patchzip


Caution: Because of security issues in NSS and SASL components, the Sun Java(TM) System Directory Server 5.2 Patch 6 Security Patchzip 142806-01 must be applied on top of a Directory Server 5.2 Patch 6 ZIP installation.


Note: This patch cannot be applied to versions of Directory Server 5.2 earlier than 5.2 Patch 6. For directions to upgrade to version 5.2 Patch 6, see Installation Instructions.

To install Directory Server 5.2 Patch 6 Security Patchzip 142806-01, download it from http://sunsolve.sun.com and follow the installation instructions provided in the README file.

Installation Information for Native Package


IMPORTANT: Directory Server 5.2 Patch 6 is not available as a full distribution. You must have a previous version of Directory Server 5.2 installed on your system to be able to upgrade to Directory Server 5.2 Patch 6.

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions. Updated versions of applications can be found at: http://sun.com/software/javaenterprisesystem/get.html.

For information on Sun's commitment to accessibility, visit http://sun.com/access.

Patch Requirements Information

The following tables give the numbers and minimum versions for the alignment patches.

All patches referred to in this section are the minimum version number required for upgrade. It is possible that a new version of the patch has been issued since this document was published. A newer version is indicated by a different version number at the end of the patch. For example: 123456-04 is a newer version of 123456-02, but they are the same patch ID. Refer to the README file for each patch listed for special instructions.

To access the patches, go to http://sunsolve.sun.com.


Table 5. Directory Server 5.2 Patch 6 Alignment Patches Required For Solaris 8 (SPARC)

Patch Number   Patch Description
116103-06      International Components for Unicode Patch
119209-12      NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
115328-02      Simple Authentication and Security Layer (2.18)
115610-25      Sun Java(TM) System Administration Server 5.2 Patch 6
115614-28      Sun Java(TM) System Directory Server 5.2 Patch 6
117015-21      Patch for Directory Server localized Solaris packages
117047-24      Patch for Administration Server localized Solaris packages
116837-03      LDAP CSDK - SUNWldk, SUNWldkx
119725-04      LDAP JDK Patch




Table 6. Directory Server 5.2 Patch 6 Alignment Patches Required For Solaris 9 (SPARC)

Patch Number   Patch Description
114677-08      International Components for Unicode Patch
119211-12      NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
115342-02      Simple Authentication and Security Layer (2.18)
115610-25      Sun Java(TM) System Administration Server 5.2 Patch 6
115614-28      Sun Java(TM) System Directory Server 5.2 Patch 6
117015-21      Patch for Directory Server localized Solaris packages
117047-24      Patch for Administration Server localized Solaris packages
116837-03      LDAP CSDK - SUNWldk, SUNWldkx
119725-04      LDAP JDK Patch



Table 7. Directory Server 5.2 Patch 6 Alignment Patches Required For Solaris 9 (x86)

Patch Number   Patch Description
114678-08      International Components for Unicode Patch
119212-12      NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
115343-02      Simple Authentication and Security Layer (2.18)
115611-25      Sun Java(TM) System Administration Server 5.2 Patch 6
115615-28      Sun Java(TM) System Directory Server 5.2 Patch 6
117015-21      Patch for Directory Server localized Solaris packages
117047-24      Patch for Administration Server localized Solaris packages
116838-03      LDAP CSDK - SUNWldk
119725-04      LDAP JDK Patch



Table 8. Directory Server 5.2 Patch 6 Alignment Patches Required For Solaris 10 (SPARC)

Patch Number   Patch Description
119810-01      International Components for Unicode Patch
119213-12      NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
119345-01      Simple Authentication and Security Layer (2.18)
115610-25      Sun Java(TM) System Administration Server 5.2 Patch 6
115614-28      Sun Java(TM) System Directory Server 5.2 Patch 6
117015-21      Patch for Directory Server localized Solaris packages
117047-24      Patch for Administration Server localized Solaris package
116837-03      LDAP CSDK - SUNWldk, SUNWldkx
119725-04      LDAP JDK Patch



Table 9. Directory Server 5.2 Patch 6 Alignment Patches Required For Solaris 10 (x86)

Patch Number   Patch Description
119811-01      International Components for Unicode Patch
119214-12      NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
119346-01      Simple Authentication and Security Layer (2.18)
115611-25      Sun Java(TM) System Administration Server 5.2 Patch 6
115615-28      Sun Java(TM) System Directory Server 5.2 Patch 6
117015-21      Patch for Directory Server localized Solaris packages
117047-24      Patch for Administration Server localized Solaris package
116838-03      LDAP CSDK - SUNWldk
119725-04      LDAP JDK Patch




Table 10. Directory Server 5.2 Patch 6 Alignment Patches Required for Linux

Patch Number               Patch Description

No patch available.        sun-icu-2.1-6.i386.rpm
Same level as Release 4.

121656-12                  sun-nspr-4.6.6-1.i386.rpm
                           sun-nspr-devel-4.6.6-1.i386.rpm
                           sun-nss-3.11.6-1.i386.rpm
                           sun-nss-devel-3.11.6-1.i386.rpm
                           sun-jss-4.2.4-5.i386.rpm

No patch available.        sun-sasl-2.18-1.i386.rpm
Same level as Release 4.

118080-13                  sun-directory-server-5.2-27.i386.rpm
                           sun-directory-server-man-5.2-10.i386.rpm

118079-12                  sun-admin-server-5.2-20.i386.rpm
                           sun-server-console-5.2-20.i386.rpm
                           sun-admin-server-man-5.2-9.i386.rpm

118290-12                  sun-directory-server-de-5.2-17.i386.rpm
                           sun-directory-server-es-5.2-17.i386.rpm
                           sun-directory-server-fr-5.2-17.i386.rpm
                           sun-directory-server-ja-5.2-17.i386.rpm
                           sun-directory-server-ko-5.2-17.i386.rpm
                           sun-directory-server-zh_CN-5.2-17.i386.rpm
                           sun-directory-server-zh_TW-5.2-17.i386.rpm

118289-13                  sun-admin-server-de-5.2-19.i386.rpm
                           sun-admin-server-es-5.2-19.i386.rpm
                           sun-admin-server-fr-5.2-19.i386.rpm
                           sun-admin-server-ja-5.2-19.i386.rpm
                           sun-admin-server-ko-5.2-19.i386.rpm
                           sun-admin-server-zh_CN-5.2-19.i386.rpm
                           sun-admin-server-zh_TW-5.2-19.i386.rpm
                           sun-server-console-de-5.2-19.i386.rpm
                           sun-server-console-es-5.2-19.i386.rpm
                           sun-server-console-fr-5.2-19.i386.rpm
                           sun-server-console-ja-5.2-19.i386.rpm
                           sun-server-console-ko-5.2-19.i386.rpm
                           sun-server-console-zh_CN-5.2-19.i386.rpm
                           sun-server-console-zh_TW-5.2-19.i386.rpm

118353-03                  sun-ldapcsdk-5.18-1.i386.rpm

120834-02                  sun-ljdk-4.19-6.i386.rpm



Table 11. Directory Server 5.2 Patch 6 Alignment Patches Required For HP-UX

Patch Number               Patch Description

No patch available.        LDAP CSDK sun-ldapcsdk, sun-ldapcsdkx depots
Same level as Release 4

121494-01                  Sun Java(TM) System LDAP Java Development Kit patch depots
121497-01                  International Components for Unicode Patch
124379-03                  NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4
121493-01                  Simple Authentication and Security Layer (2.18)
121515-03                  Sun Java(TM) System Administration Server 5.2 Patch 6
121393-03                  Sun Java(TM) System Directory Server 5.2 Patch 6
121931-01                  Patch for Directory Server localized HP-UX depots
121933-01                  Patch for Administration Server localized HP-UX depots




Table 12. Directory Server 5.2 Patch 6 Alignment Patches Required For Windows

Patch Number   Patch Description
121529-03      Sun Java(TM) System Administration Server 5.2 Patch 6: Windows (MSI)
121392-05      Sun Java(TM) System Directory Server 5.2 Patch 6: Windows (MSI)
125069-01      Installer 4.0 Windows 2000: core patch
124392-04      NSS_NSPR_JSS 3.11.7 Windows: NSPR 4.6.7 / NSS 3.11.7 / JSS 4.2.5 Maintenance Release



General Installation Information


Installation Notes

Installation Instructions

Upgrading Directory Server and Administration Server on Solaris

This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.

Upgrade Considerations (Solaris)

The upgrade of Directory Server and Administration Server software to Directory Server 5.2 Patch 6 takes into account the following considerations:

Upgrade Procedure (Solaris)

The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.

The steps below make use of two commands: directoryserver(1m) and mpsadmserver(1m). For more information about these commands, see the Directory Server Man Page Reference and the Administration Server Man Page Reference.

  1. Obtain the required patches, based on Table 5, Table 6, Table 7, Table 8, or Table 9, depending on the OS version.

    Patches can be downloaded to /tmp from: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

  2. Log in as root or become superuser.

    su -

  3. Stop the Administration Console if it is running locally.
  4. Shut down all Java ES components dependent on the Directory Server instances that are to be upgraded. This step might depend on how these components are replicated within your deployment architecture.

    Components should be shut down in the following order:

    a. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others
    b. Directory Proxy Server, if being used to access Directory Server
    c. Administration Server, if running locally
    d. Directory Server
    e. Configuration directory, if running locally as a separate Directory Server instance.

    For information about how to shut down a Java ES component, see its respective administration guide.

  5. Upgrade Administration Server.

    You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place (some Administration Server code is installed even in standalone mode).

    a. Restart the Administration Server to be upgraded.
    b. Apply the Administration Server patches in Table 13.

      Be sure to apply the Administration Server localization patch (117047) before applying the Administration Server base patch.

      patchadd patch_ID

    c. Confirm that the patch upgrade was successful:

      showrev -p | grep patch_ID

      The output should return the versions of patch IDs applied in Step b.

    d. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    e. Synchronize the upgraded settings with the configuration directory.

      /usr/sbin/mpsadmserver sync-cds

      You will be prompted for the admin username and password.

  6. Upgrade Directory Server.

    a. If you are running Directory Server in standalone mode, without Administration Server, perform the following procedure; otherwise proceed directly to Step 6b.

      1. Ensure that you have upgraded Administration Server (Step 5).
      2. Change directory to the serverroot directory.

        cd /var/opt/mps/serverroot

      3. Create a configuration directory:

        mkdir -p admin-serv/config

      4. Create an adm.conf file:

        vi admin-serv/config/adm.conf

      5. Add the following text:

        isie: cn=Administration Server, cn=Server Group, cn=hostname, ou=administration_domain, o=NetscapeRoot

        Enter the text all on one line, where hostname is the fully qualified Directory Server host name and administration_domain is typically the host’s domain name.

    b. Ensure that the Directory Server instance being upgraded is shut down.
    c. Apply the Directory Server patches in Table 13.

      Be sure to apply the Directory Server localization patch (117015) before applying the Directory Server base patch.

      patchadd patch_ID

    d. Confirm that the patch upgrade was successful:

      showrev -p | grep patch_ID

      The output should return the versions of patch IDs applied in Step c.

    e. Reset the default Directory Server version number:

      /usr/sbin/directoryserver -d 5.2

    f. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    g. Synchronize the upgraded settings with the configuration directory.

      /usr/sbin/directoryserver -u 5.2 sync-cds

      You will be prompted for the admin username and password.

  7. Restart all Java ES components in the reverse order they were shut down in Step 4.

    a. Configuration directory, if local and running as a separate Directory Server instance
    b. Directory Server
    c. Administration Server, if running locally
    d. Directory Proxy Server, if being used to access Directory Server
    e. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others

Verifying the Upgrade

You can verify a successful upgrade of Directory Server and Administration Server by running the following commands:

cd serverroot/bin/slapd/server
./ns-slapd -v

The current version is displayed, and it should appear as shown here:

Sun Java(TM) System Directory Server/5.2_Patch_6

Then check the startup messages in the Directory Server error log:

/var/opt/mps/<serverroot>/logs/errors
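
The `showrev -p | grep patch_ID` check in the procedure and the version check above can be scripted so that every alignment patch is compared against its minimum revision in one pass. This is an added example, not part of these release notes: the function names are assumptions, the `showrev -p` sample lines are constructed, and the minimum revisions are those of Table 5 (Solaris 8 SPARC).

```shell
#!/bin/sh
# Added example (not from the release notes). Function names are assumptions.
# On Solaris, set AWK=nawk (or /usr/xpg4/bin/awk): the legacy /usr/bin/awk
# does not support -v.
AWK=${AWK:-awk}

# Minimum revisions copied from Table 5 (Solaris 8 SPARC).
MIN_PATCHES_SOL8_SPARC="116103-06 119209-12 115328-02 115610-25 115614-28 117015-21 117047-24 116837-03 119725-04"

# check_patch_levels "ID-REV ID-REV ..."
# Reads `showrev -p` output on stdin and prints one line per required patch:
#   OK      <required> installed=<id>-<rev>
#   OLD     <required> installed=<id>-<rev>   (same patch ID, lower revision)
#   MISSING <required>
# Returns 0 only when every required patch is at or above its minimum revision.
check_patch_levels() {
    "$AWK" -v required="$1" '
        # showrev -p prints one "Patch: <id>-<rev> ..." line per installed
        # revision; remember the highest revision seen for each patch ID.
        $1 == "Patch:" {
            split($2, p, "-")
            if (!(p[1] in have) || p[2] + 0 > have[p[1]] + 0) {
                have[p[1]] = p[2]
            }
        }
        END {
            bad = 0
            n = split(required, req, " ")
            for (i = 1; i <= n; i++) {
                split(req[i], r, "-")
                if (!(r[1] in have)) {
                    print "MISSING " req[i]
                    bad = 1
                } else if (have[r[1]] + 0 < r[2] + 0) {
                    print "OLD " req[i] " installed=" r[1] "-" have[r[1]]
                    bad = 1
                } else {
                    print "OK " req[i] " installed=" r[1] "-" have[r[1]]
                }
            }
            exit bad
        }'
}

# check_ds_version EXPECTED
# Reads `ns-slapd -v` output on stdin and succeeds if it contains the version
# banner given in the release notes, for example EXPECTED=5.2_Patch_6.
check_ds_version() {
    banner=$(cat)
    case $banner in
        *"Sun Java(TM) System Directory Server/$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `showrev -p` output (not captured from a real host).
sample_showrev_output() {
    cat <<'EOF'
Patch: 116837-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWldk, SUNWldkx
Patch: 116837-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWldk, SUNWldkx
Patch: 115610-23 Obsoletes:  Requires:  Incompatibles:  Packages: (constructed)
Patch: 115614-28 Obsoletes:  Requires:  Incompatibles:  Packages: (constructed)
EOF
}

# On a live host:
#   showrev -p | check_patch_levels "$MIN_PATCHES_SOL8_SPARC"
#   ./ns-slapd -v 2>&1 | check_ds_version 5.2_Patch_6
```

A non-zero status from `check_patch_levels` means at least one patch is absent or below the minimum revision, so the host is still running unpatched NSS, SASL or server code.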

Upgrading Directory Server and Administration Server on Linux

This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.

Upgrade Considerations (Linux)

The upgrade of Directory Server and its associated components to Directory Server 5.2 Patch 6 on the Linux platform takes into account the same considerations as on the Solaris platform (see Upgrade Considerations (Solaris)), except that the Linux 5.2 Patch 6 upgrade patches differ from the Solaris patches.

The Release 5.2 Patch 6 Directory Server and Administration Server upgrade patches for Linux OS are shown in the following table:

Table 14. Patches [1] to Upgrade Directory Server and Administration Server on Linux

Description                          Patch ID and RPM names

Directory Server                     118080-13:
                                     sun-directory-server-5.2-27.i386.rpm
                                     sun-directory-server-man-5.2-10.i386.rpm

Directory Server localization        118290-12:
                                     sun-directory-server-Locale-5.2-17.i386.rpm

Administration Server                118079-12:
                                     sun-admin-server-5.2-20.i386.rpm
                                     sun-server-console-5.2-20.i386.rpm
                                     sun-admin-server-man-5.2-9.i386.rpm

Administration Server localization   118289-13:
                                     sun-admin-server-Locale-5.2-19.i386.rpm
                                     sun-server-console-Locale-5.2-19.i386.rpm

[1] Patch revision numbers are the minimum required for upgrade to Directory Server 5.2 Patch 6. If newer revisions become available, use the newer ones instead of those shown in the table.

Upgrade Procedure (Linux)

The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.


Caution

An upgrade from any Java ES release to Directory Server 5.2 Patch 6 on Linux cannot be rolled back.


The steps below make use of two commands: directoryserver(1m) and mpsadmserver(1m). For more information about these commands, see the Directory Server Man Page Reference and the Administration Server Man Page Reference.

  1. Obtain the required patches using the patch numbers and RPM names from Table 10. Use this information to obtain the version numbers for the RPM.

    Patches can be downloaded to /tmp from: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

    In the following procedure oldVersion signifies the RPM for any Java ES version (RTM, Release 2, Release 3 or Release 4) before 5.2 Patch 6 of Directory Server and Administration Server.

  2. Log in as root or become superuser.

    su -

  3. Stop the Administration Console if it is running locally.
  4. Shut down all Java ES components dependent on the Directory Server instances that are to be upgraded. This step might depend on how these components are replicated within your deployment architecture.

    Components should be shut down in the following order:

    a. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others
    b. Directory Proxy Server, if being used to access Directory Server
    c. Administration Server, if running locally
    d. Directory Server
    e. Configuration directory, if running locally as a separate Directory Server instance.

    For information about how to shut down a Java ES component, see its respective administration guide.

  5. Apply each of the RPMs for Administration Server.

    a. Apply the RPM for Administration Server: Product.

      You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place.

      1. Apply the RPM as follows:

        Be sure to apply the Administration Server localization RPMs (118289) before applying the Administration Server base RPMs.

        rpm -Fvh sun-admin-server-Locale-5.2-19.i386.rpm
        rpm -Fvh sun-server-console-Locale-5.2-19.i386.rpm
        rpm -Fvh sun-admin-server-5.2-20.i386.rpm
        ...

        If your Administration Server was configured previously, the following error will be returned:

        error: execution of %preun scriptlet from sun-admin-server-5.2-oldVersion failed, exit status 1

        If this is the case, remove the old version of the RPM using the --noscripts option, as follows:

        rpm -e --noscripts sun-admin-server-5.2-oldVersion

      2. If your Administration Server was configured previously, ensure that the configuration directory is running.

        If it is local you might have to start it up. If it is remote, check to make sure it is running.

      3. Synchronize the upgraded settings with the configuration directory.

        /opt/sun/sbin/mpsadmserver sync-cds

        You will be prompted for the admin username and password.

      4. Confirm that the upgrade was successful:

        rpm -q sun-admin-server

        The new version number of the RPM should be returned.

    b. Apply the RPM for the Administration Server: Console.

      rpm -Fvh sun-server-console-5.2-20.i386.rpm

    c. Apply the RPM for the Administration Server: man pages.

      rpm -Uvh sun-admin-server-man-5.2-9.i386.rpm

  6. Apply each of the RPMs for Directory Server.

    a. If you are running Directory Server in standalone mode, without Administration Server, apply the Administration Server RPM.

      rpm -Fvh sun-admin-server-5.2-20.i386.rpm

      Otherwise proceed directly to Step 6b.

    b. Apply the RPM for the Directory Server: Product.

      1. Ensure that the Directory Server instance being upgraded is shut down.
      2. Apply the RPM as follows:

        Be sure to apply the Directory Server localization RPMs (118290) before applying the Directory Server RPMs.

        rpm -Fvh sun-directory-server-Locale-5.2-17.i386.rpm
        rpm -Fvh sun-directory-server-5.2-27.i386.rpm
        ...

        If your Directory Server was configured previously, the following error will be returned:

        error: execution of %preun scriptlet from sun-directory-server-5.2-oldVersion failed, exit status 1

        If this is the case, remove the old version of the RPM using the --noscripts option, as follows:

        rpm -e --noscripts sun-directory-server-5.2-oldVersion

      3. If your Directory Server was configured previously, ensure that the configuration directory is running.

        If it is local you might have to start it up. If it is remote, check to make sure it is running.

      4. Synchronize the upgraded settings with the configuration directory.

        /opt/sun/sbin/directoryserver sync-cds

        You will be prompted for the admin username and password.

      5. Confirm that the upgrade was successful:

        rpm -q sun-directory-server

        The new version number of the RPM should be returned.

    c. Apply the RPM for the Directory Server: man pages.

      rpm -Uvh sun-directory-server-man-5.2-10.i386.rpm

  7. Restart all Java ES components in the reverse order they were shut down in Step 4.

    a. Configuration directory, if local and running as a separate Directory Server instance
    b. Directory Server
    c. Administration Server, if running locally
    d. Directory Proxy Server, if being used to access Directory Server
    e. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others

Verifying the Upgrade

You can verify successful upgrade of Directory Server and Administration Server by running the following commands:

The current version is displayed, and it should appear as shown here:

Sun Java(TM) System Directory Server/5.2_Patch_6

and then checking the startup messages in the Directory Server error log:

Post-Upgrade Tasks

There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (Solaris) and Upgrade Procedure (Linux).

Rolling Back the Upgrade (Solaris)

This section describes considerations that impact the upgrade rollback procedure for Directory Server and Administration Server, followed by the procedure itself.

Rollback Considerations (Solaris)

The procedure for rolling back the upgrade to Release 5.2 Patch 6 of Directory Server and Administration Server is pretty much the reverse of the procedure for upgrading to Release 5.2 Patch 6. The patches are removed and the configuration directory is re-synchronized.

One special consideration is that when you apply patches, you upgrade the SSL certificate database to a cert8 format. The patch backs up the cert7 data, and then converts it to cert8 format. If you subsequently decide to roll back the upgrade and have added new certificates to the certificate database, you should manually extract these certificates, back out the patches, and then add the certificates back to the previous cert7 format certificate database.

Note: This consideration applies when you have upgraded to Directory Server 5.2 Patch 6 from any Directory Server 5.2 version before 5.2 Patch 4. The SSL cert8 format was introduced in Directory Server 5.2 Patch 4.

When you roll back an upgrade after having changed the SSL certificate database, you cannot start in SSL mode. To work around this problem, turn off SSL mode, restart Directory Server and Administration Server, reinstall the certificate, and then enable SSL mode.

Rollback Procedure (Solaris)

  1. Stop the Administration Console if it is running locally.
  2. Shut down all Java ES components dependent on the Directory Server instances that are to be rolled back. This step depends on how these components are replicated within your deployment architecture.

    Components should be shut down in the following order:

    a. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others
    b. Directory Proxy Server, if being used to access Directory Server
    c. Administration Server, if running locally
    d. Directory Server
    e. Configuration directory, if running locally as a separate Directory Server instance.

    For information about how to shut down a Java ES component, see its respective administration guide.

  3. Roll back the Directory Server upgrade.

    If you are rolling back to Directory Server 5.2 2003Q4, follow these steps:

    a. Synchronize the rolled-back settings with the configuration directory.

      /usr/sbin/directoryserver -u 5.2 sync-cds 5.2

      You will be prompted for the admin username and password.

    b. Ensure that the Directory Server instance being rolled back is shut down.
    c. Remove the Directory Server patches in Table 13.

      patchrm patch_ID

    d. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    e. If you are running Directory Server standalone, without Administration Server, you must roll back the partial Administration Server upgrade. Follow the instructions in Step 4.

    If you are rolling back to Directory Server 5.2 2004Q2, Directory Server 5.2 2005Q1, or Directory Server 5.2 2005Q4, then follow these steps:

    a. Ensure that the Directory Server instance being rolled back is shut down.
    b. Remove the Directory Server patches in Table 13.

      patchrm patch_ID

    c. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    d. Synchronize the rolled-back settings with the configuration directory.

      /usr/sbin/directoryserver -u 5.2 sync-cds

      You will be prompted for the admin username and password.

    e. If you are running Directory Server standalone, without Administration Server, you must roll back the partial Administration Server upgrade. Follow the instructions in Step 4.

  4. Roll back the Administration Server upgrade.

    If you are rolling back to Directory Server 5.2 2003Q4, follow these steps:

    a. Synchronize the upgraded settings with the configuration directory.

      /usr/sbin/mpsadmserver -u 5.2 sync-cds 5.2

      You will be prompted for the admin username and password.

    b. Remove the Administration Server patches in Table 13.

      patchrm patch_ID

    c. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    If you are rolling back to Directory Server 5.2 2004Q2, Directory Server 5.2 2005Q1, or Directory Server 5.2 2005Q4, follow these steps:

    a. Remove the Administration Server patches in Table 13.

      patchrm patch_ID

    b. Ensure that the configuration directory is running.

      If it is local you might have to start it up. If it is remote, check to make sure it is running.

    c. Synchronize the upgraded settings with the configuration directory:

      /usr/sbin/mpsadmserver sync-cds

      You will be prompted for the admin username and password.

  5. Roll back upgrades to any Java ES components upon which Directory Server and Administration Server have hard upgrade dependencies.
  6. Restart all Java ES components in the reverse order they were shut down in Step 2.

    a. Configuration directory, if local and running as a separate Directory Server instance
    b. Directory Server
    c. Administration Server, if running locally
    d. Directory Proxy Server, if being used to access Directory Server
    e. Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others

Multiple Instance Upgrades

The procedures in Upgrading Directory Server and Administration Server on Solaris do not explicitly deal with deployment architectures in which Directory Server is replicated for availability or scalability. These architectures might include Directory Server multi-master replication or the deployment of Directory Server as a data service in a Sun Cluster environment.

This section discusses Directory Server upgrades in these situations.

Rolling Upgrades of Multimaster Replicates

Multiple instances of Directory Server on different computer systems, as used in multimaster replication deployment architectures, can be sequentially upgraded one instance at a time. The upgrade of each instance on its respective host computer is performed while the other instances are left running. This rolling upgrade allows the directory service to remain online while the individual Directory Server instances that provide the service are being upgraded.

Upgrading Directory Server as a Data Service

This section describes how to upgrade and roll back Directory Server as a data service in a Sun Cluster environment. Consider the following points before you upgrade or back out Directory Server as a Sun Cluster data service:

Upgrading Directory Server as a Sun Cluster Data Service
  1. Stop each Directory Server instance and its associated Administration Server.

    serverroot/stop-admin
    serverroot/slapd-instanceName/stop-slapd

  2. Make the current cluster node the active node:

    scswitch -z -g ldap-group -h this-node-name

  3. Upgrade Directory Server on the current node as described in Upgrading Directory Server and Administration Server on Solaris.
  4. Make another cluster node the active node:

    scswitch -z -g ldap-group -h another-node-name

  5. Repeat Step 3 and Step 4 until all nodes in the cluster are upgraded.

Rolling Back Directory Server as a Sun Cluster Data Service
  1. Stop each Directory Server instance and its associated Administration Server.

    serverroot/stop-admin
    serverroot/slapd-instanceName/stop-slapd

  2. Make the current cluster node the active node:

    scswitch -z -g ldap-group -h this-node-name

  3. Roll back Directory Server on the current node as described in Rolling Back the Upgrade (Solaris).
  4. Make another cluster node the active node:

    scswitch -z -g ldap-group -h another-node-name

  5. Repeat Step 3 and Step 4 until Directory Server is rolled back on all nodes in the cluster.

Upgrading Directory Server and Administration Server on HP-UX

This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server followed by a description of the procedure itself.

Upgrade Considerations (HP-UX)

IMPORTANT:

You must have installed or upgraded to Java ES Release 4 on your system prior to applying Directory Server 5.2 Patch 6 HP-UX Native Package patch.


The upgrade of Directory Server and Administration Server software to Release 5.2 Patch 6 takes into account the following considerations:

Table 15. Patches [1] to Upgrade Directory Server and Administration Server

Component                      Patch ID
Directory Server               121393-03
Directory Server locale        121931-01
Administration Server          121515-03
Administration Server locale   121933-01

[1] Patch revision numbers are the minimum required for upgrade to Release 5.2 Patch 6. If newer revisions become available, use the newer ones instead of those shown in the table.


Upgrade Procedure (HP-UX)

The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.

  1. Obtain the required patches, based on Table 11 for the shared components.
  2. Obtain the required patches, based on Table 15 for the Directory and Administration Server.

    Patches can be downloaded from:

    http://sunsolve.sun.com.

  3. Login as super user.
  4. Upgrade the Shared Components.
  5. Upgrade the Administration Server.

    a. swinstall -s <absolute-location>/<patch_ID> <patch_ID>
    b. /opt/sun/sbin/mpsadmserver sync-cds 5.2

      You will be prompted for the admin username and password.

    c. /opt/sun/mps/serverroot/startadmin

  6. Upgrade the Directory Server.

    a. swinstall -s <absolute-location>/<patch_ID> <patch_ID>
    b. cd /opt/sun/mps/serverroot/shared/bin; ./sync-product-cds -r /opt/sun/mps/serverroot -v 5.2_Patch_6 -j ds524.jar -g ds524.jar -n 'Sun Java(TM) System Directory Server' -b '2007.221.1746' -i 'cn=Sun ONE Directory Server, cn=Server Group, cn=<server-instance>.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot'

      You will be prompted for the admin username and password.

Verifying the Upgrade

  1. You can verify successful upgrade of Directory Server and associated components by running the following commands:

    # cd <server_root>/bin/slapd/server

    # ./ns-slapd -v

    The current version is displayed, and it should appear as shown here:

    Sun Java(TM) System Directory Server/5.2_Patch_6

    and then checking the startup messages in the Directory Server error log:

    /opt/sun/mps/serverroot/slapd-<server-instance>/logs/errors

  2. You can verify successful upgrade of Administration Server using the command as shown here:

    # cd <server_root>/

    # ./startconsole

    a. You have to enter the appropriate user-id and password in the System Server Console Login panel.
    b. Click Administration Instance in System Server Console panel.
    c. You can see the version number as mentioned below:

      version :5.2.6

Post-Upgrade Tasks

There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (HP-UX).

Rolling Back the Upgrade (HP-UX)

Rollback Considerations (HP-UX)
Rollback Procedure (HP-UX)
  1. Log in as superuser.
  2. Roll back the Directory Server using the following commands:
    1. swremove <patch_ID>
    2. cd /opt/sun/mps/serverroot/shared/bin; ./sync-product-cds -r /opt/sun/mps/serverroot -v 5.2_Patch_4 -j ds524.jar -g ds524.jar -n 'Sun Java(TM) System Directory Server' -b '2005.286.1827' -i 'cn=Sun ONE Directory Server, cn=Server Group, cn=<server-instance>.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot'

      You will be prompted for the admin username and password.

  3. Verify the rollback of Directory Server by running the following commands:

    # cd <server_root>/bin/slapd/server

    # ./ns-slapd -v

    The current version is displayed, and it should appear as shown here:

    Sun Java(TM) System Directory Server/5.2_Patch_4

  4. Roll back the Shared Components.
  5. Roll back the Administration Server by using the following commands:
    1. swremove <patch_ID>
    2. /opt/sun/sbin/mpsadmserver sync-cds 5.2

      You will be prompted for the admin username and password.

  6. Verify the rollback of Administration Server.

    /opt/sun/mps/serverroot/startconsole

    1. You have to enter the appropriate user-id and password in the System Server Console Login panel.
    2. Click Administration Instance in System Server Console panel.
    3. You can see the version number as shown here:

      version :5.2.4


      Note

      When you try to authenticate using the ‘admin_pwd’, if you notice the Directory Server is not running, start the Directory Server using the following command:
      /opt/sun/mps/serverroot/slapd-<server-instance>/start-slapd


Upgrading Directory Server and Administration Server on Windows

This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.

Upgrade Considerations (Windows)

IMPORTANT:

You must have installed or upgraded to Java ES Release 4 on your system prior to applying Directory Server 5.2 Patch 6 Windows Native Package patch.


The upgrade of Directory Server and Administration Server software to Release 5.2 Patch 6 takes into account the following considerations:

Upgrade Procedure (Windows)

The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.

  1. Obtain the required patches, based on Table 12.

    Patches can be downloaded from:

    http://sunsolve.sun.com

  2. Stop the Administration Console if it is running locally.
  3. Shut down all Java ES components dependent on the Directory Server and Administration Server instances that are to be upgraded. This step might depend on how these components are replicated within your deployment architecture.

    Components should be shut down in the following order:

    • Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others
    • Directory Proxy Server

    For information about how to shut down a Java ES component, see its respective administration guide.

  4. Upgrade Administration Server.

    You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place.

    Note: The perl.exe file can be found at <Server-Root>\lib\nsPerl5.005-03\bin\MSWin32-x86. <Server-Root> is the directory where the Java ES Release 4 product has been installed. It is usually C:\Sun\Server-Root.
    1. Run the prepatch.pl before executing the patch:

      perl prepatch.pl <Server-Root>

    2. Apply the patch by double-clicking the <Patch-id>.exe.
    3. After applying the patch, run the following:

      perl postpatch.pl <Server-Root> <Admin id> <Admin Password>

  5. Upgrade Directory Server.
    1. If you are running Directory Server in standalone mode, without Administration Server, perform the following procedure, otherwise proceed directly to Step 6b.
      1. Change directory to the serverroot directory.
      2. Create a configuration directory:

        admin-serv\config under <Server-Root>

      3. Create an adm.conf file and add the following text:

        isie: cn=Administration Server, cn=Server Group, cn=hostname, ou=administration_domain, o=NetscapeRoot

        All on one line where hostname is the fully qualified Directory Server host name and administration_domain is typically the host’s domain name.

    2. Run the prepatch.pl before executing the patch:

      perl prepatch.pl <Server-Root>

    3. Apply the patch by double-clicking the <Patch-id>.exe.
    4. After applying the patch, run the following:

      perl postpatch.pl <Server-Root> <Admin id> <Admin Password>


    IMPORTANT:

    It is strongly recommended to change the access rights of the C:\Sun\Server-Root\admin-serv\config\adm.conf file, which contains the Admin Password.


  6. Restart all Java ES components in the reverse order they were shut down in Step 3.
    • Directory Proxy Server
    • Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others.

Verifying the Upgrade

You can verify successful upgrade of Directory Server and associated components by using these steps:

  1. Go to <Server-Root>\slapd-<hostname>
  2. Run restart-slapd.bat
  3. Check the startup messages in the Directory Server error log:

    <Server-Root>\slapd-<hostname>\logs\errors

  4. The current version is displayed, and it should appear as shown here:

    Sun Java(TM) System Directory Server/5.2_Patch_6_A

Post-Upgrade Tasks

There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (Windows).

Rolling Back the Upgrade (Windows)

This section describes considerations that impact the upgrade rollback procedure for Directory Server and Administration Server followed by the procedure itself.

Rollback Considerations (Windows)

IMPORTANT:

Because of bugs 6625224 and 6587775, the rollback procedure of the Directory Server upgrade is supported only from 121392-05 to JES4.


The procedure for rolling back the upgrade to Release 5.2 Patch 6 of Directory Server and Administration Server is essentially the reverse of the procedure for upgrading to Directory Server Release 5.2 Patch 6. The patches are removed and the configuration directory is re-synchronized.

One special consideration is that when you apply patches, you upgrade the SSL certificate database to a cert8 format. The patch backs up the cert7 data, and then converts it to cert8 format. If you subsequently decide to roll back the upgrade and have added new certificates to the certificate database, you should manually extract these certificates, back out the patches, and then add the certificates back to the previous cert7 format certificate database.

Note: This consideration applies when you have upgraded to Directory Server 5.2 Patch 6 from any Directory Server 5.2 version earlier than 5.2 Patch 4. The SSL cert8 format has been used since Directory Server 5.2 Patch 4.

When you roll back an upgrade after having changed the SSL certificate database, you cannot start in SSL mode. To work around this problem, turn off SSL mode, restart Administration Server, Directory Server or Directory Proxy Server, reinstall the certificate, and then enable SSL mode.

Rollback Procedure (Windows)
  1. Stop the Administration Console if it is running locally.
  2. Shut down all Java ES components dependent on the Directory Server and Administration Server instances that are to be rolled back. This step depends on how these components are replicated within your deployment architecture.

    Components should be shut down in the following order:

    • Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others
    • Directory Proxy Server
  3. Roll back the Directory Server upgrade.
    1. Run prebackout.pl before uninstalling the patch:

      perl prebackout.pl <Server-Root> <Admin-id> <Admin-Password>

    2. Remove the patch by running Uninstall_<Patch-id>.bat
    3. Run postbackout.pl after removing the patch:

      perl postbackout.pl <Server-Root>

  4. Roll back the Administration Server upgrade.
    1. Run prebackout.pl before uninstalling the patch:

      perl prebackout.pl <Server-Root>

    2. Remove the patch by running Uninstall_<Patch-id>.bat
    3. Run postbackout.pl after removing the patch:

      perl postbackout.pl <Server-Root> <Admin id> <Admin Password>

  5. Roll back upgrades to any Java ES components upon which Directory Server and Administration Server have hard upgrade dependencies.
  6. Restart all Java ES components in the reverse order they were shut down in Step 2.
    • Directory Proxy Server
    • Directory Server clients: Access Manager, Communications Express, Messaging Server, Portal Server, and others

Compatibility Issues

Features Whose Implementation Might Change in a Future Release

The following features might change in a future release of Sun Java System software.

Administration Server and Console

Sun Java System Administration Server and the Java Swing-based Console used today for remote graphical administration of Directory Server and other software may be replaced. A new implementation might be provided to allow full browser-based service management, with easier configuration for access through firewalls.

As a result, the following commands might not be included in a future release:

  • start-admin
  • stop-admin
  • startconsole

In addition, everything in o=NetscapeRoot might change. In particular, o=NetscapeRoot might no longer be present and the serverroot architecture might be replaced by a different one.

Command-Line Tools

The command-line tools for managing Directory Server instances might be improved in a future release. Such changes might affect the following commands:

  • bak2db
  • db2bak
  • db2index
  • db2ldif
  • directoryserver
  • ldif2db
  • monitor
  • restart-slapd
  • start-slapd
  • stop-slapd
  • suffix2instance
  • vlvindex

Other Compatibility Issues

The Sun Crypto Accelerator Board 1000 is supported by Directory Server 5.2 Patch 6 on 32-bit servers. Other versions of the Sun Crypto Accelerator Board are not supported.

The LDAP utility man pages on Sun Solaris platforms do not document the Sun Java System version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete and ldapadd. For information about these utilities, refer to the Sun Java System Directory Server 5.2 2005Q1 Man Page Reference.

Documentation Notes

Man Pages

Directory Server commands and Administration Server commands are documented as man pages and delivered in the following formats:

For information about how to access the man pages, see the Java Enterprise System Installation Guide.

Product Version Number

In some parts of the Directory Server documentation and console, the version number of the product is referred to as 5.2. Directory Server 5.2 Patch 6 is a maintenance release of Directory Server 5.2.

Localized Documentation

Localized documentation is posted to http://docs.sun.com/ as it becomes available.



Known Issues and Limitations

This section describes the known issues and limitations with Directory Server 5.2 Patch 6. The issues are grouped into the following categories:

Installation, Uninstallation, and Migration

Installing Directory Proxy Server in the default startup order on Windows 2000 Advanced Server causes services to hang (4903795)

Workaround
To prevent services from hanging, avoid using the default startup order (Directory Proxy Server, Administration Server, and then Directory Server). Instead, install Directory Server, then Directory Proxy Server followed by Administration Server.

Installing Directory Server 5.2 on AIX 5.1 is successful but generates misleading errors (4911828)

Installing Directory Server 5.2 on a Windows machine running Directory Server 5.1 Service Pack 2 fails (4974775)

Workaround
Shut down the Directory Server 5.1 Service Pack 2 instance then rename or remove the nsldap32v50.dll file shown in the error log and attempt the 5.2 installation again.

The migrateinstance5 script fails on Windows if the default server root is in use (c:\Program Files\Sun\MPS) preventing users from migrating from a previous version to Directory Server 5.2 (4985979)

If either Administration Server or Directory Server is installed as root, uninstallation must also be run as root (5014882).

If you do not run the uninstallation as root, the product registry is not updated correctly.

On Linux Platforms the Unzip Utility Must be Installed Before Upgrading the Compressed Archive (5057611)

The unzip utility is not delivered with the compressed archive for Linux platforms. Before upgrading the compressed archive on Linux platforms, install the unzip utility. For other platforms the unzip utility is delivered with the compressed archive.

Installing this update on Windows platforms fails if Windows Event Viewer is open (5061260).

Close the Event Viewer before launching the update.

Multiple Options When You Create an Instance From the Console on Windows Platforms (6230829)

When you create a new instance by using the console, you are given multiple options.

This issue occurs when you upgrade from Directory Server 5.2 by using the compressed archives (patchzip) of Directory Server 5.2 2005Q1 and Directory Server 5.2 2004Q2.

Workaround
Choose any of the options. There is no difference between the options.

Cannot Open Console on Configuration Directory Server for Directory Server Only Installations on HP-UX Platforms (6234242)

On HP-UX platforms, when you install Directory Server only, you cannot open the console on the associated Configuration Directory Server unless the locale is specified as English.

Workaround
On the Configuration Directory Server, perform one of the following workarounds:

Upgrade of Compressed Archive Fails With Message "Can't create logfile" (6238257)

When you upgrade from Directory Server 5.2 to Directory Server 5.2 2005Q4 by using the compressed archive, the upgrade can fail and the following error message can be given:

sh ./install.sh <server_root> <admin_id> <admin_pwd>
Can't create logfile: Permission denied at upgrade.pl line 272.

Workaround
Delete the log file /var/tmp/sync-log before performing the upgrade.

If you have started the upgrade, delete the log file /var/tmp/sync-log and rerun the upgrade.

Cannot Install Directory Server When the Root Suffix Contains Spaces (4526501)

A root suffix cannot contain space characters.

Workaround
If your root suffix contains space characters, correct the suffix generated at installation time to remove the spaces:

  1. In the Sun Java System Server console, select the top directory entry in the left-hand navigation pane of the Servers and Applications tab.
  2. Click Edit and modify the suffix in the User directory subtree field.
  3. Click OK to save the change.

Error Message When Running migrateInstance5 Script (4529552)

When the migrateInstance5 script is run with the error logging feature disabled, a message indicates that the migration procedure is attempting to restart the server while the server is already running.

Workaround

Duplicate Value Error Logged in the Configuration Directory Server During Installation (4841576)

During configuration of Directory Server, an ACI on the server group entry for each new server installation is added. If the entry already exists and the ACI value already exists on the entry (which is the case when Administration Server is installed after Directory Server), then the following error is logged in the Configuration Directory Server:

[07/May/2004:16:52:29 +0200] - ERROR<5398> - Entry - conn=-1 op=-1msgId=-1 - Duplicate value addition in attribute "aci" of entry "cn=Server Groups, cn=sorgho.france.sun.com, ou=france.sun.com,o=NetscapeRoot"

Workaround
Ignore the error message.

Only use the restart-admin command on the active node in a cluster-enabled environment (4862968)

Cannot Use Multibyte Characters for Installation of Traditional Chinese (zh_TW) Version (4882801)

If multibyte characters are entered as the suffix name during installation of the traditional Chinese (zh_TW) version, the suffix name does not display correctly in the console. This issue is restricted to 32-bit and 64-bit installations from Solaris packages on SPARC processors.

Workaround

  1. Create a monobyte suffix at installation. Once installation is complete, create the desired multibyte suffix using the console.
  2. Upgrade your JRE to version 1.4.1 or later.

Cannot Use Multibyte Characters at Installation of AS and DS (4882927)

At installation, using multibyte characters for anything other than the suffix name causes Directory Server and Administration Server configuration to fail.

Workaround
Use monobyte characters for all fields other than the suffix name.

Loop Results From the Use of an Incorrect Password During Command Line Installation (4885580)

If you enter an incorrect password during command-line installation, you enter a loop.

Workaround
When you are prompted for the password again, type "<" to return to the previous input item, and then press return to keep the previous choice. When you are asked for the password again, enter the correct password.

Warning About Missing Character Sets During Uninstallation (4887423)

When you perform an uninstallation by using the console, you can dismiss the uninstallation logs by using the OK button. When you use this OK button, you might be warned about missing character sets.

Workaround
None. Ignore these warning messages.

pkgrm Command Does Not Remove All Directory Server Distribution Packages (4911028)

After running the pkgrm command, the /usr/ds directory and some files remain.

Workaround
After running the pkgrm command, manually remove the /usr/ds directory and its files.

Configuration of Directory Server Fails When Using a Remote Configuration Directory (4931503)

When configuring Directory Server by using a remote configuration directory, configuration fails if the administration domain of the remote directory does not match the administration domain in the setup procedure.

Workaround
When configuring Directory Server by using a remote configuration directory, use the same administration domain as defined in the remote configuration directory.

Some Plug-Ins Are Not Migrated From Directory Server 4.x to Directory Server 5.x (4942616)

During migration from Directory Server 4.x to Directory Server 5.x, not all plug-ins are migrated.

Workaround
In the 4.x slapd.ldbm.conf configuration file, insert quotation marks around the plug-in path for the plug-in to be migrated.

For example change the plug-in post-operation referential integrity from

to

Cannot Restart Administration Server From the Console on an x86 Cluster (4974780)

The Administration Server cannot be restarted from the console when using Solaris 9 on an x86 cluster.

Workaround
On the Administration Server console select Stop Server and then Restart Server.

pkgrm Command Fails if Directory Server Is Configured (4992818)

If Directory Server is configured the pkgrm command fails to remove the following packages:

Workaround
Before running the pkgrm command, unconfigure Directory Server by using the following command: /usr/sbin/directoryserver -u 5.2 unconfigure

If you did not unconfigure Directory Server before you ran the pkgrm command, perform the following steps:

Directory Server on Linux Has no RC Startup Script (5003993)

After installing Directory Server and Administration Server on Linux, and rebooting the system, there is no startup script (e.g. /etc/init.d/directory).

Workaround
Start the slapd process manually.

startconsole Command Fails to Start Servers When User Does Not Have Write Access to ServerRoot (5008600)

To access certain servers, the Server Console may have to download JAR files into the ServerRoot directory. If the user running the startconsole command does not have write access to the ServerRoot directory, the console cannot open the servers in question.

Workaround
Either run the startconsole command as the user who owns the ServerRoot directory, or install and configure the server packages on the host running Server Console.

patchrm Command on Patch 115614 in a Cluster Removes Patch From First Node Only (5035139)

When the patchrm command is used on patch ID 115614 in a cluster, it removes the patch from the first node only. When the patch is removed from the second and subsequent nodes, the following error message is displayed:

Workaround
When you have successfully removed the patch from the first node in your cluster, and if you have received the above error message, create a symbolic link in ServerRoot/shared/bin to point to the sync-directory binary as follows:

Then rerun the procedure to remove the patch.

SUNW.dsldap Pointer in Incorrect Location after Relocation of Packages (5035885)

If the SUNWds* packages are relocated to a directory other than the default installation directory, the SUNW.dsldap pointer is also relocated. Consequently, the SUNW.dsldap pointer will not be in the correct directory. To find the directory that contains the SUNW.dsldap pointer, run this command:

Workaround
Do not relocate SUNWds* packages.

If you have relocated the SUNWds* packages, correct the location of the SUNW.dsldap pointer as follows:

  1. Move the SUNW.dsldap pointer to this directory:

    /usr/cluster/lib/rgm/rtreg

  2. Set the destination of the SUNW.dsldap pointer to the location returned by this command:
    • For Directory Server 5.2 2005Q1 and Directory Server 5.2 2005Q4:

Installation Fails When the Base DN Contains a White Space (5040621)

During installation, if the base DN contains a white space (for example, o=example east), the directoryURL entry is incorrectly parsed for the UserDirectory global preferences. Consequently, all operations to the userDirectory fail to find the entries in user/groups in the console.

Workaround
Modify the base DN value in one of the following ways:

nsSchemaCSN Has Multiple Values After upgrade of AS and DS (5041885)

After upgrade of Administration Server or Directory Server, the nsSchemaCSN attribute has several values. This issue occurs because the 60iplanet-calendar.ldif file and the 99user.ldif file both contain the nsSchemaCSN attribute. The nsSchemaCSN attribute should be in the 99user.ldif file only.

Workaround

  1. Remove the nsSchemaCSN attribute from the 99user.ldif file and the 60iplanet-calendar.ldif file.
  2. Rename the script from

    <server_root>/slapd-<instance>/schema_push.pl

    to

    <server_root>/slapd-<instance>/schema_push.pl.ref

  3. Copy the template file from

    <server_root>/bin/slapd/admin/scripts/template-schema_push.pl

    to

    <server_root>/slapd-<instance>/schema_push.pl

  4. Edit the new schema_push.pl file as follows:
    1. Replace {{PERL-EXEC}} by !/<server_root>/bin/slapd/admin/bin/perl
    2. Replace {{MY-DS-ROOT}} by <server_root>/slapd-<instance>
    3. Replace {{SEP}} by "/"
  5. Add the execute mode to the schema_push.pl file.
  6. Force the schema replication by running the script, as follows:

    <server_root>/schema_push.pl

  7. Confirm that the nsSchemaCSN attribute has been added to the 99user.ldif file.

To back out, restore the original schema_push.pl file under <slapd-instance>.

slapd Does Not restart After patchadd 115614-10 Run on Cluster (5042440)

When patch 115614-10 is installed on a cluster by using the patchadd command, the slapd process does not restart.

Workaround

  1. Stop the slapd process and the Administration Server prior to applying patches on the cluster.
  2. Patch all nodes in the cluster irrespective of whether ns-slapd fails to start or not.
  3. When all nodes are patched, start the slapd process.
  4. Run the directoryserver sync-cds command for the Administration Server and slapd

Error During Upgrade of RPM for Directory Server (2122219/5071553)

Upgrade to the new version of the RPM for Directory Server fails with an exit status 1 because the previous RPM was not uninstalled. This issue applies to upgrade to the following RPM for Directory Server:

The new version of the RPM for Directory Server is installed correctly.

Workaround
After installing the new version of the RPM for Directory Server, uninstall the previous RPM manually by using the following command:

Backout Fails When the Previous Version Is Not Configured (6196574)

Backout fails in the following scenario:

The backout fails because the <ServerRoot>/admin-serv/upgrade/versions.conf file does not contain the correct information.

Workaround
Configure the previous version of Directory Server and Administration Server before installing the latest version of Directory Server and Administration Server.

Cannot Install Patch 117015 on Directory Server 5.2 RTM (6200636)

If you migrate from Directory Server 5.2 RTM to a later version of Directory Server, the localization patch 117015 cannot be installed. The pkginfo files in patch 117015 are inconsistent with those in Directory Server 5.2 RTM for the values ARCH and VERSION.

Workaround
Before applying the localization patch, perform the following steps:

  1. On the server running Directory Server 5.2 RTM, locate the pkginfo files for each installed localization package. For example, the Japanese localization package files could be here:

    /var/sadm/pkg/SUNWjdsvcp/pkginfo

    /var/sadm/pkg/SUNWjdsvu/pkginfo

  2. In the pkginfo file for each installed localization package, change the values of ARCH and VERSION to the following values:

    ARCH=all

    VERSION=5.2,REV=2003.05.23

If Directory Server Installed with umask 0027 Instances Cannot be Managed by Non-Root User (6206311)

If Directory Server is installed with the file mode creation umask 0027, a non-root user cannot configure or manage Directory Server instances.

Workaround
Before installation, change the umask to 0022. Otherwise, change the default permissions for any file created by the process.

migrate5xto52 Script Causes Incorrect CSN to be Generated after Migration (6206915)

When you use the migrate5xto52 script to migrate from Directory Server 5.1 to Directory Server 5.2, replication can halt some time after the migration. The error can occur weeks or months after the migration.

Workaround
Before running the migration script, perform the following steps:

Upgrade of a Standalone Instance of Directory Server Requires the sync-cds Command to be Run (6208268)

When a standalone instance of Directory Server 5.2 is upgraded, the upgrade procedure requires the data in the Configuration Directory Server to be synchronized. Before running the sync-cds command, Directory Server searches for the presence of the adm.conf file. When the Administration Server is not configured, the file is not present and the sync-cds command cannot run.

Workaround
Create a dummy adm.conf file so that the sync-cds command can run:

  1. Create a file called <ServerRoot>/admin-serv/config/adm.conf
  2. Edit the file to contain the following line only:

Where <hostname> is a fully qualified domain name for the host that the Directory Server is running on, and <administration_domain> is typically the host domain name.

For example:

Entries With Password Expiration Cannot be Replicated to Older Versions of Directory Server (6209543)

The pwdChangedTime attribute and usePwdChangedTime attribute are defined in Directory Server 5.2 2004Q2 and later versions. These attributes are not defined in Directory Server 5.2 2003Q4 or earlier versions.

When an entry is defined with password expiration in Directory Server 5.2 2004Q2 or later versions, the entry contains the pwdChangedTime attribute and usePwdChangedTime attribute. When that entry is replicated to a supplier running Directory Server 5.2 2003Q4 or an earlier version, the supplier cannot process any modifications to that entry. A schema violation error occurs because the supplier does not have the pwdChangedTime attribute in its schema.

Workaround
Define the pwdChangedTime attribute and usePwdChangedTime attribute in the 00core.ldif file for all servers in the replication topology that are running Directory Server 5.2 2003Q4 or an earlier version.

To define the attributes, add the following lines to the 00core.ldif file for each server:

SUNWnisu Is Not Installed By Default on Some Systems, Causing Directory Server Configuration to Fail (6273842)

On some systems, such as a hardened Solaris system, the SUNWnisu package might not be installed by default. In this case, the Directory Server configuration fails.

Workaround

If you are on such a system, check for the presence of the SUNWnisu package before proceeding with the installation.

If your configuration fails for this reason, install the SUNWnisu package and then restart the Directory Server configuration.

Documentation for error message 8318 is not adequate. (6288932)

Directory Server administrators have observed that performing a "Send Updates Now" operation from the Console on a replica that has been known to be up and running, but that stops on a known replication agreement with message 8318 in the errors log, gets replication started again.

The failure leading to message 8318, with the text "failed to bind to remote (900)," occurs for one of the following reasons: the supplier fails to retrieve the replication manager password; the supplier cannot open an LDAP connection to the consumer; the bind fails; or either issue 6198506, fixed in Patch 3, or issue 6494027, has caused the supplier to make a replication start request on a connection that has already been closed. If the supplier makes a replication start request on a closed connection, due to issue 6198506 or 6494027, then performing a "Send Updates Now" operation from the Console corrects the problem.

Otherwise the replication agreement is no doubt broken as stated in the Reference Manual. Check the error code and fix the replication agreement. You may need to restart the consumer as well.
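Added example, not part of these release notes or of the product: a Python triage pass over a Directory Server errors log that applies the advice these notes give for ERROR codes 5398, 8318 and 38918. The field layout is inferred from the two log lines quoted in these notes; the 8318, second 5398 and WARNING sample lines are constructed, and all function names are hypothetical.

```python
import re

# Layout inferred from the log lines quoted in these release notes:
#   [timestamp] - LEVEL<code> - area - conn=.. op=.. msgId=.. - message
# The timestamp is optional because one quoted line is shown without it.
LINE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\] - )?(?P<level>[A-Z]+)<(?P<code>\d+)> - '
    r'(?P<area>.+?)\s+- (?P<ids>conn=\S+ .*?msgId=\S+) - (?P<msg>.*)$')


def _duplicate_aci(msg):
    # Only the duplicate ACI on an o=NetscapeRoot entry is documented as harmless.
    return ('Duplicate value addition' in msg
            and 'attribute "aci"' in msg
            and 'o=NetscapeRoot' in msg)


# (code, predicate on message, action, reference taken from these notes)
RULES = [
    (5398, _duplicate_aci, "ignore",
     "issue 4841576: duplicate ACI logged during configuration"),
    (8318, lambda msg: True, "check-replication",
     "issue 6288932: try Send Updates Now, otherwise check the agreement"),
    (38918, lambda msg: 'Sasl initialization failed' in msg, "known-issue",
     "issues 6579057 and 6230410: configuration error on restart"),
]


def triage(lines):
    """Return (line_no, code, action, reference) for every ERROR entry."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m or m['level'] != 'ERROR':
            continue  # unparsable or non-error lines are not triaged here
        code, msg = int(m['code']), m['msg']
        for rule_code, matches, action, ref in RULES:
            if code == rule_code and matches(msg):
                findings.append((line_no, code, action, ref))
                break
        else:
            # Same code with a different message is NOT silently ignored.
            findings.append((line_no, code, "investigate",
                             "not covered by these release notes"))
    return findings


SAMPLE_LOG = [
    # Quoted in these release notes (issue 4841576):
    '[07/May/2004:16:52:29 +0200] - ERROR<5398> - Entry - conn=-1 op=-1msgId=-1 - '
    'Duplicate value addition in attribute "aci" of entry "cn=Server Groups, '
    'cn=sorgho.france.sun.com, ou=france.sun.com,o=NetscapeRoot"',
    # Quoted in these release notes (issues 6579057 and 6230410):
    'ERROR<38918> - Startup  - conn=-1 op=-1 msgId=-1 - '
    'Configuration error  Sasl initialization failed',
    # Constructed: only the code and the quoted phrase come from these notes.
    '[01/Jan/2008:09:00:03 +0000] - ERROR<8318> - Replication - conn=-1 op=-1 '
    'msgId=-1 - failed to bind to remote (900)',
    # Constructed: code 5398 on a user entry, which the notes do not excuse.
    '[01/Jan/2008:09:00:04 +0000] - ERROR<5398> - Entry - conn=12 op=3 msgId=4 - '
    'Duplicate value addition in attribute "member" of entry '
    '"cn=staff,dc=example,dc=com"',
    # Constructed: a non-error line that must be skipped.
    '[01/Jan/2008:09:00:05 +0000] - WARNING<99999> - Example - conn=-1 op=-1 '
    'msgId=-1 - constructed warning line',
]

if __name__ == "__main__":
    for line_no, code, action, ref in triage(SAMPLE_LOG):
        print(f"line {line_no}: ERROR<{code}> -> {action} ({ref})")
```
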

typicalUninstall.ins and uninstall.ins Files Are Not Updated by Patches (6303699)

You cannot silently uninstall Directory Server after upgrading with the patches for Directory Server 5 2005Q4 and Administration Server 5 2005Q4.

Workaround

Before performing the silent uninstallation, perform the following steps:

1) For Administration Server, find the typicalUninstall.ins file in the Administration Server patch and copy it to this directory:

2) For Directory Server, find the uninstall.ins file in the Directory Server patch and copy it to this directory:

Patch 115614-25 Cannot Be Added if serverroot Contains slapd-<id>.tar (6303821)

Patch 115614-25 cannot be added if the server root contains files called slapd-<id>.tar.

Workaround

Do not add files beginning with slapd-* into the server root.

Upgrade Fails If directoryserver sync-cds Command Is Used without -u 5.2 Option (6303836)

When you use the directoryserver sync-cds command during upgrade to Directory Server 5.2, you must use the -u 5.2 option if Directory Server 5.1 is also installed and the default is set to 5.1.

If you set the default version to 5.2 by using the following command, it is not necessary to use the -u 5.2 option:

Workaround

None

During installation of Directory Server With Access Manager the Index Is Corrupted (6305723)

During installation of Directory Server, the Access Manager adds indexes for the 'ou' attribute if they don't exist. When the tool comms_dssetup.pl is run, the index is corrupted.

Workaround

Reindex the Directory Server.

Documentation concerning replication retry algorithm does not account for fixes made regarding CR 5006198 (6574901)

Following fixes for CR 5006198 to reduce peaks in replication delay, the documentation about the Replication Retry Algorithm no longer reflects Directory Server behavior.

Prior to the fix, when a supplier replica attempted to push updates to a consumer replica but found that the consumer was already receiving updates from another supplier, the supplier would back off for progressively longer intervals.

After the fix, a supplier in the same situation enters a REPLICA_BUSY loop in which the supplier sleeps, then again attempts to begin pushing updates to the consumer. The sleep interval is based on the time to start a replication session with the consumer.

When the time to start a session is less than 10 msec, the supplier sleeps first for 400 msec, then on further repetitions sleeps a random time between 400 and 1600 msec.

When the time to start a session is between 10 msec and 100 msec, the supplier sleeps first for 1 msec, then on further repetitions sleeps an additional 500 msec, up to 10 sec.

When the time to start a session is greater than 100 msec, the supplier sleeps first for 1 msec, then on further repetitions sleeps an additional 1 sec, up to 30 sec.

When the session fails to start because a connection cannot be opened or due to a protocol error, the supplier behaves as before although the maximum back off interval is 60 sec.

The fix for CR 5006198 also introduces the following monitoring attributes on the replication agreement: ds5MaxReplicaBusyDuration, whose value is the maximum time that the supplier has spent trying to acquire a consumer since the last server restart; ds5ReplicaBusyCounter, whose value is the number of times the supplier has been looping, waiting for a consumer.

Directory Server 5.2 Patch 6 shows a configuration error on restart. (6579057 and 6230410)

Directory Server 5.2 Patch 6 shows a configuration error such as the following on restart:

ERROR<38918> - Startup  - conn=-1 op=-1 msgId=-1 - Configuration error  Sasl initialization failed

Workaround

Stop the server.

Modify the dsSaslPluginsPath attribute in the dse.ldif file, changing the value from /usr/lib/sasl2 to /lib/sasl.

Start the server.

In Directory Server 5.2 Patch 6, db2ldif -s fails (6585523 and 6567491)

In Directory Server 5.2 Patch 6, db2ldif -s fails, leaving a message such as the following in the errors log:

[08/Jun/2007:11:45:19 +051800] - DEBUG  - conn=-1 op=-1 msgId=-1 -  ERROR 2: There is no backend instance to export from

Workaround 1

Use db2ldif -n instead of db2ldif -s.

Workaround 2

Stop the server, and then modify the dse.ldif file as follows.

Find the suffix entry in the mapping tree and remove the quotes around the CN attribute value. The following example shows part of the mapping tree entry for Example.com.

dn: cn="dc=example\,dc=com",cn=mapping tree,cn=config
objectClass: top
...
cn: "dc=example,dc=com" <-- Remove the quotes here.
...

Start the server again.

Unable to apply required patch 119725 (LDAP JDK Patch) if SUNWjldk is not installed yet (6585566)

You cannot patch the Directory LDAP SDK for Java package, SUNWjldk, unless the package itself has been installed.

Workaround

Apply patch 118615 if the package SUNWjldk is not yet installed. Then apply required patch 119725.

Must copy schema manually to use passwordNonRootMayResetUserpwd (6585584)

The patch installation program does not update the Directory Server schema definitions to allow use of the new passwordNonRootMayResetUserpwd password policy attribute.

Workaround

Stop the server. Copy the new 00core.ldif file from the bin/slapd/install/schema/ directory to the Directory Server config/schema/ directory manually in order to use this new feature. Start the server.

The Administration Reference document does not accurately describe server behavior when the passwordCheckSyntax attribute is used. (6589185)

The documentation incorrectly states that when the passwordCheckSyntax attribute is used to activate password syntax checks, the server checks "that the password meets the password minimum length requirement and that the string does not contain any 'trivial' words."

Instead, the documentation should read, "that the password meets the password minimum length requirement and that the string does not equal any 'trivial' words."

Enhancements needed to documentation on result codes (6593064)

The documentation incorrectly states that Directory Server can return result code 76 (virtual list view error). Directory Server does not return this code.

Furthermore, the documentation fails to mention that Directory Server can return result code 60 (LDAP sort control missing). This result code indicates that Directory Server did not receive a required server side sort control.

Directory Server patch script does not correct links (6596485)

Directory Server hot fixes for native package installations can place updated binaries under the Server Root, rather than in the system wide installation location. Such hot fixes rename existing symbolic links that point to system wide binaries to take the extension .ref. When you then patch the native package installation, the patch installation script does not change the name of such links. As a result, the installation may still use hot fixed binaries after the patch is applied.

Workaround

IMPORTANT: This workaround applies only to native package installations. Furthermore, use this workaround only when applying the Directory Server patch.

  1. Stop the server.
  2. Apply the following workaround for each symbolic link named .ref.
    1. Make a copy of the hot fix binary ending in .hotfix.
    2. Make a copy of the binary in the system wide location ending in .orig.
    3. Copy the hot fix binary over the binary in the system wide location.
    4. Rename the symbolic link to remove the .ref extension.

    At this point you can apply the Directory Server patch.

  3. Start the server.

For example, the following sequence of commands performs this workaround for a Solaris native package installation of Directory Server 5.2 Patch 5 where only a hot fix for CR 6587775 has been applied.

cd <SERVER_ROOT>
./slapd-<SERVER_ID>/stop-slapd
cp /usr/ds/v5.2/bin/slapd/server/ns-slapd /usr/ds/v5.2/bin/slapd/server/ns-slapd.orig
cp bin/slapd/server/ns-slapd bin/slapd/server/ns-slapd.hotfix
cp bin/slapd/server/ns-slapd /usr/ds/v5.2/bin/slapd/server/ns-slapd
mv bin/slapd/server/ns-slapd.ref bin/slapd/server/ns-slapd
# Apply the Directory Server patch here.
./slapd-<SERVER_ID>/start-slapd

Unable to login console if '_' is specified in password during installation of DS5.2.x on Windows (6831883)

During installation on Windows, if the admin user's password or Directory Manager's password contains an underscore (_) character, those accounts are unable to log in to the Admin Console.

Workaround
Do not specify the underscore (_) character in a password during GUI installation. If necessary, reset the password after installation.


Security


DS 5.2x, multiple targets in ACI gives error, invalid syntax (6337519)

The Administration Guide contains the following example in the explanation of the ACI syntax.

aci: (target)...(target)(version 3.0;acl "name"; permission bindRule; permission bindRule; ...; permission bindRule;)

This could be misunderstood to allow multiple target keywords. However, "(target)" here stands for any of "target=...", "targetfilter=...", "targetattr=...", or "targattrfilters=...", not just the "target=..." keyword. Each keyword can only be used once in an ACI. For example:

aci: (target=...)...(targetattr=...)(version 3.0;acl "name"; permission bindRule; permission bindRule; ...; permission bindRule;)

Admin Guide Incorrectly Mentions Global Password Policy as Replicated. (6513673)


The Sun ONE Directory Server Administration Guide, Chapter 7 "User Account Management", Section "Password Policies in a Replicated Environment", wrongly states that global password policies are replicated. The global password policy configuration resides in "cn=config", which is not replicated. To obtain consistent behavior across a replicated topology, administrators must set the same global password policy configuration on all servers.

passwordExpirationTime Becomes Out of Sync at First Password Expiration Warning (5102180)

The passwordExpirationTime and passwordExpWarned attributes are reset internally when a password expiration warning first occurs on a consumer, and then these attributes are not synchronized between master and consumer. This problem is fixed in 5.2 Patch 6, but the fix requires that you apply the workaround described here.

Workaround
To prevent passwordExpirationTime from becoming unsynchronized between servers, disable password expiration warning (set passwordWarning:0). If you require the password expiration warning feature, and you require the passwordExpirationTime to be synchronized across your topology, your application must detect when the passwordExpirationTime becomes unsynchronized and must update the user password on a master (either through a bind or modify operation).

Bind with Zero-Length Password Is Treated as an Anonymous Bind (4703503)

If you use a zero-length password to bind to a directory, your bind is an anonymous bind; it is not a simple bind. Third party applications that authenticate users by performing a test bind might exhibit a security hole if they are not aware of this behavior.

Workaround
Ensure that your client applications are aware of this feature.
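
The test-bind pitfall described above, next to a guarded version of it, as an added example that is not part of the original release notes or of any Sun client library. FakeDirectory is a constructed stand-in for an LDAP connection, and naive_authenticate, authenticate and the sample entry are hypothetical names.

```python
"""Guarding a test bind against the zero-length-password case (added example)."""


class InvalidCredentials(Exception):
    """Raised by the stand-in directory when a simple bind is rejected."""


class FakeDirectory:
    """Constructed stand-in for an LDAP connection.

    It mimics the behaviour in issue 4703503: a bind that carries a DN but a
    zero-length password is processed as an anonymous bind and succeeds.
    """

    def __init__(self, users):
        self._users = dict(users)   # DN -> password (constructed sample data)
        self.bound_as = None        # None = not bound, "" = anonymous

    def simple_bind(self, dn, password):
        if password == "":
            self.bound_as = ""      # anonymous bind: the DN is ignored
            return
        if self._users.get(dn) != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn


def naive_authenticate(conn, dn, password):
    """Weak pattern: 'the bind did not fail' is taken as proof of identity."""
    try:
        conn.simple_bind(dn, password)
    except InvalidCredentials:
        return False
    return True


def authenticate(conn, dn, password):
    """Hardened test bind.

    1. Refuse an empty DN or password locally, so that no anonymous bind is
       ever sent on behalf of a user.
    2. After the bind, confirm that the connection is bound as the requested
       DN instead of trusting the absence of an error. How a real client
       learns the bound identity depends on the LDAP library in use; the
       stand-in exposes it as bound_as.
    """
    if not isinstance(dn, str) or not isinstance(password, str):
        return False
    if dn.strip() == "" or password == "":
        return False
    try:
        conn.simple_bind(dn, password)
    except InvalidCredentials:
        return False
    return conn.bound_as == dn


def demo():
    """Run both functions against the same constructed directory content."""
    dn = "uid=bjensen,ou=people,dc=example,dc=com"
    users = {dn: "s3cret"}
    return {
        "naive, empty password": naive_authenticate(FakeDirectory(users), dn, ""),
        "hardened, empty password": authenticate(FakeDirectory(users), dn, ""),
        "hardened, correct password": authenticate(FakeDirectory(users), dn, "s3cret"),
        "hardened, wrong password": authenticate(FakeDirectory(users), dn, "wrong"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-28s accepted=%s" % (case, accepted))
```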

DNS Keyword in ACIs (4725671)

If the DNS keyword is used in an ACI, any DNS administrator can access the directory by modifying a PTR record and can thereby provide the privileges granted by the ACI.

Workaround
Use the IP keyword in the ACI to include all IP addresses in the domain.
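
One way to check exported ACIs for the two problems described above, a target keyword used more than once (6337519) and a dns bind rule (4725671), as an added example that is not the product's own tooling. The function names and the sample LDIF are constructed for illustration.

```python
"""Lint Directory Server ACIs for repeated target keywords and dns bind rules."""
import base64
import re
from collections import Counter

TARGET_KEYWORDS = ("target", "targetattr", "targetfilter", "targattrfilters")

# Constructed sample: an LDIF export with folded aci values.
SAMPLE_LDIF = '''\
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
aci: (targetattr="*")(version 3.0; acl "intranet read"; allow (read,search)
  userdn="ldap:///anyone" and dns="*.example.com";)
aci: (target="ldap:///ou=people,dc=example,dc=com")(target="ldap:///ou=groups,
 dc=example,dc=com")(version 3.0; acl "two targets"; allow (read)
  userdn="ldap:///all";)
aci: (targetattr="cn")(targetfilter="(objectClass=person)")(version 3.0; acl
  "by address"; allow (read) userdn="ldap:///anyone" and ip="192.168.1.*";)
'''


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def iter_acis(ldif_text):
    """Yield (entry DN, aci value) pairs, decoding base64 ('attr::') values."""
    dn = None
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "aci":
            yield dn, value


def _mask_quoted(text):
    """Replace every quoted value by its index so that keyword matching never
    looks inside a filter, URL or ACL name."""
    values = []

    def keep(match):
        values.append(match.group(1))
        return '"%d"' % (len(values) - 1)

    return re.sub(r'"([^"]*)"', keep, text), values


def lint_aci(aci):
    """Return a list of (code, detail) findings for one ACI string."""
    masked, values = _mask_quoted(aci)
    version = re.search(r"\(\s*version\s+3\.0\s*;", masked, re.I)
    if version is None:
        return [("NO_VERSION_CLAUSE", "")]
    targets, rules = masked[:version.start()], masked[version.end():]
    findings = []
    pattern = r"\(\s*(%s)\s*!?=" % "|".join(TARGET_KEYWORDS)
    used = Counter(m.group(1).lower() for m in re.finditer(pattern, targets, re.I))
    for keyword in TARGET_KEYWORDS:
        if used[keyword] > 1:   # each keyword may appear only once per ACI
            findings.append(("REPEATED_TARGET_KEYWORD",
                             "%s x%d" % (keyword, used[keyword])))
    for m in re.finditer(r'\bdns\s*!?=\s*"(\d+)"', rules, re.I):
        # Access depends on reverse DNS; the workaround is the ip keyword.
        findings.append(("DNS_BIND_RULE", values[int(m.group(1))]))
    return findings


def lint_ldif(ldif_text):
    """Return (dn, acl name, code, detail) for every finding in an LDIF text."""
    report = []
    for dn, aci in iter_acis(ldif_text):
        name = re.search(r'acl\s+"([^"]*)"', aci)
        for code, detail in lint_aci(aci):
            report.append((dn, name.group(1) if name else "?", code, detail))
    return report


if __name__ == "__main__":
    for finding in lint_ldif(SAMPLE_LDIF):
        print(finding)
```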

LDAP Modify Operations through SSL Fail When Referred to Master Replica From Consumer Replica (4922620)

ldapmodify update operations over SSL fail when they are referred to a master replica from a consumer replica.

Error Message at Startup When passwordisglobalpolicy Is Enabled (4964523)

When the passwordisglobalpolicy attribute is enabled on both masters in a 2-master, multi-master replication topology, it works correctly but can generate the following incorrect error message:

Workaround
Ignore the incorrect error message.

Invalid Values Are Accepted for passwordMinLength in Individual Password Policies (4969034)

The valid range for the passwordMinLength attribute in individual password policies is 2–512 characters. However, values outside of this range are accepted when an individual password policy is configured.

Workaround
Configure individual password policies with a passwordMinLength value of 2–512 characters.

GSSAPI Crashes on Solaris 10 When Using Kerberos (6184559)

If Directory Server is configured for use with SASL authentication on Solaris 10 build 69 and you perform an authentication by using Kerberos through GSSAPI, Directory Server dumps core.

Workaround
For 64-bit servers on Solaris 10 machines, pre-load the smartheap library when you start the slapd daemon. To pre-load the smartheap library, modify the start-slapd script under an ldap instance, as follows:

For example:

ACIs with ipv6 addresses do not work as expected (6561024)

The Administration Guide contains the following incorrect definition and examples in the explanation of the ACI syntax.

This definition is incorrect because RFC 2732 does not apply to IPv6 addresses in an ACI definition. Instead, RFC 2373 defines legitimate IPv6 addresses.

MD5-signed certificates need to use the SHA-1 signature algorithm (6831959/6832498)

Because of a problem described in Vulnerability Note VU#836068, MD5 signature algorithm vulnerable to collision attacks (http://www.kb.cert.org/vuls/id/836068), Directory Server 5.2 (and later 5.2 patch releases) installations should avoid using the MD5 algorithm in signed certificates. The following procedure describes how to generate SHA-1-signed certificates using the NSS certutil command-line utility. For more information about the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

  1. Run the following command to display the list of certificates.

    $ certutil -L -d certdir -P dbprefix

  2. Run the following command on each defined certificate to determine whether the certificate is signed with the MD5 algorithm:

    $ certutil -L -n cert-name -d certdir -P dbprefix

    The following example shows typical output for an MD5-signed certificate:

    Certificate:
    Data:
    [...]
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    [...]

  3. Run the following command to remove any MD5-signed certificates from the database:

    $ certutil -D -n cert-name -d certdir -P dbprefix

  4. Replace any MD5-signed certificates with SHA-1-signed certificates. Use one of the following procedures, depending on whether your installation uses a self-signed certificate or a certificate acquired from a Certificate Authority.

    To generate and store a self-signed certificate using the SHA-1 signing algorithm, run the following command as a Directory Server administrator:

    $ certutil -S -x -n cert-name -s subject -d certdir -P dbprefix \
      -t trustargs -Z SHA1

    where

    -S
    Specifies generation of an individual certificate and adding it to the database.

    -x
    Specifies generation of a self-signed certificate

    -n certName
    Specifies the certificate's alias name, for example, defaultCert

    -s "subject"
    Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=...

    -d instance-path/alias
    Specifies the database directory to contain the certificate and key database files.

    -P "slapd-"
    Specifies the certificate database prefix

    -t "CTu,u,u"
    Specifies the trust arguments

    -Z SHA1
    Specifies SHA-1 as the certificate signature algorithm

    Use the following steps to generate and store a certificate acquired from a Certificate Authority (CA):

    1. Run the following command to issue a CA-Signed Server Certificate request:

      $ certutil -R -s subject -d certdir -P dbprefix -a \
        -Z SHA1 -o output-file

      where

      -R
      Specifies generation of a CA-signed Server Certificate request

      -s "subject"
      Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=....

      -d instance-path
      Specifies the database directory to contain the certificate and key database files.

      -P "slapd-"
      Specifies the certificate database prefix

      -a
      Specifies that the certificate request be created in ASCII format instead of the default binary format

      -o output-file
      Specifies the output file for storing the certificate request

    2. Make sure that your Certificate Authority is no longer using the MD5 signature algorithm, and then send the certificate request to the Certificate Authority (either internal to your company or external, depending on your rules) to receive a CA-signed server certificate.

    3. When the Certificate Authority sends you the new certificate, run the following command to add the certificate to the certificates database:

      $ certutil -A -n cert-name -d certdir -P dbprefix \
        -i signed-cert-file

    For more details regarding those steps, see Implementing Security in the Sun ONE Directory Server Administration Guide

  5. Run the following command to verify the new certificate.

    $ certutil -L -n cert-name -d certdir -P dbprefix

    The following example shows typical output for a SHA-1-signed certificate:

    Certificate:
    Data:
    [...]
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    [...]
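
Steps 1, 2 and 5 of the procedure above, automated as an added example (not a Sun-provided tool): it lists the nicknames in a certificate database and reports each certificate's signature algorithm. The layout assumed for the certutil -L listing (nickname followed by a trust-flag column), the function names and all sample data are assumptions; adjust parse_nicknames if your certutil version prints a different layout.

```python
"""Report MD5-signed certificates in an NSS database by reading certutil output."""
import re
import subprocess

# Trust flags as printed in the listing, for example "CTu,u,u" or "CT,,".
TRUST_FLAGS = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample output, used when certutil is not available.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Internal CA                                          CT,,
"""
SAMPLE_DETAIL = {
    "Server-Cert": (
        "Certificate:\n    Data:\n        [...]\n"
        "        Signature Algorithm: PKCS #1 MD5 With RSA Encryption\n"
    ),
    "Example Internal CA": (
        "Certificate:\n    Data:\n        [...]\n"
        "        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption\n"
    ),
}


def run_certutil(args):
    """Run the real certutil with the given arguments and return its output."""
    done = subprocess.run(["certutil"] + list(args), check=True,
                          stdout=subprocess.PIPE, universal_newlines=True)
    return done.stdout


def fake_certutil(args):
    """Offline stand-in for run_certutil that serves the constructed samples."""
    if "-n" in args:
        return SAMPLE_DETAIL[args[args.index("-n") + 1]]
    return SAMPLE_LISTING


def parse_nicknames(listing):
    """Extract nicknames from 'certutil -L' output (step 1).

    A data line is any line whose last column looks like trust flags; header
    lines do not match. Nicknames may contain spaces.
    """
    names = []
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_FLAGS.match(parts[1]):
            names.append(parts[0].strip())
    return names


def signature_algorithm(detail):
    """Return the first 'Signature Algorithm:' value from 'certutil -L -n'."""
    match = re.search(r"^\s*Signature Algorithm:\s*(.+?)\s*$", detail, re.M)
    return match.group(1) if match else None


def audit(certdir, prefix, run=run_certutil):
    """Return (nickname, algorithm, status) for every certificate.

    status is REPLACE for an MD5 signature, OK otherwise, and UNKNOWN when no
    signature algorithm line could be found in the output.
    """
    base = ["-d", certdir, "-P", prefix]
    results = []
    for name in parse_nicknames(run(["-L"] + base)):
        algorithm = signature_algorithm(run(["-L", "-n", name] + base))
        if algorithm is None:
            status = "UNKNOWN"
        elif "MD5" in algorithm.upper():
            status = "REPLACE"
        else:
            status = "OK"
        results.append((name, algorithm, status))
    return results


if __name__ == "__main__":
    # Replace fake_certutil with run_certutil, and the placeholder directory
    # and prefix with your own, to audit a real database.
    for row in audit("certdir", "dbprefix", run=fake_certutil):
        print("%-22s %-40s %s" % row)
```

Run the audit again after step 4: every certificate should then report OK.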



Replication


Attempting to Enable Replication for the Retro changelog Backend (6243117)

Replication must not be enabled on the retro changelog suffix "cn=changelog". This suffix has not been designed to be replicated, and enabling replication could lead to Directory Server crashes such as 6484498 or 6453388. The fix for bug 6482442 will resolve those two bugs.


Local Schema Modifications Can Be Overwritten When a Consumer Database Is Created (4537230)

The replication monitoring tools rely on read access to cn=config to obtain the replication status. This should be taken into account when replication is configured over SSL.

In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.

Workaround
To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:

  1. For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory.
  2. Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
  3. Restart the Directory Server 5.1 server.
  4. In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
  5. Configure replication on both servers.
  6. Initialize the replicas.

Initially, certain schema attributes may be replicated between the servers as they synchronize other schema elements, but this will not cause any problems. See the General Installation Information for details on how the schema has changed.

Replication Monitoring Tools Do Not Support LDAP URLs That Contain Literal IPv6 Addresses (4702476)

The replication monitoring tools entrycmp, insync, and repldisc do not support LDAP URLs that contain literal IPv6 addresses.

Workaround
None

Multi-Master Replication over SSL with Certificate-Based Client Authentication Does Not Work If Preceded by SSL with Simple Authentication (4727672)

In a multi-master replication scenario, if replication is enabled over SSL by using simple authentication, it is not possible to enable replication between the same servers over SSL by using certificate-based client authentication.

Workaround
To enable replication over SSL using certificate-based client authentication, restart at least one of the servers.

After Aborting a Total Update Cannot Restart a Total Update or Re-enable Replication on the Suffix (4741320)

If a total update is aborted while in progress, it is not possible to launch another total update or to re-enable replication on the suffix.

Workaround
Do not abort a total update while it is in progress.

Reports of Replication Delays with the insync Command and Fractional Replication (4856286)

The insync command-line tool has no concept of fractional replication. If fractional replication is configured, false reports of replication delays can be produced.

Workaround
None

Schema Modifications Are Not Replicated in Incremental Updates (4868960)

If you modify the schema without making any other non schema-related modifications, your schema modifications will not be replicated immediately.

Workaround
Wait for five minutes for your schema modifications to be replicated, or force replication by using the Send Updates Now option in the Directory Server console.

Errors in Multi-Master Replication When nsslapd-lastmod Attribute Set to OFF (5010186)

The nsslapd-lastmod attribute specifies whether Directory Server maintains the modification attributes for Directory Server entries. When this attribute is set to OFF, errors occur in multi-master replication.

Workaround
When using multi-master replication, leave the nsslapd-lastmod attribute set to ON.

During Replication an Error Message Is Written Frequently to the Error Log (5029597)

During replication, the following error message can be written frequently to the error log:

[09/Apr/2004:06:47:45 +0200] - INFORMATION - conn=-1 op=-1 msgId=-1 -
csngen_adjust_time: remote offset now 33266 sec

This error message increases the size of the error log file.

Workaround
Ignore this error message.

Updates to the Retro Change Log on a Master Server Can be Lost (6178461)

When a master server crashes, changes made to the retro change log on that server can be lost.

Workaround
Do not use the retro change log on a master server. Instead, use the retro change log on the consumer server. If you are implementing failover of the retro change log, ensure that you have at least two consumer servers with enabled retro change logs.


Conformance

DN Normalization Code Does Not Treat Case Sensitive Attributes Properly (4933500)

DN normalization code puts attribute names in lower case. The DN normalization code does not take into account the attribute syntax and the associated matching rule.

Workaround
None


Directory Server Console

Directory Server Console is Shown in English after Applying 117015-21(l10n patch for DS5.2patch4) (6348981)

Admin Server Console is Shown in English after Applying 117047-24(l10n patch for Admin Server 5.2.4) (6348984)


To be able to launch any localized version of Directory Server 5.2 Patch 6 Console, symbolic links of localized Directory Server and Admin Server jar files need to be manually created from <SERVER-ROOT>/java/jars to /usr/sadm/mps/admin/v5.2/java/jars pathname.


DS 5.2x, Console Wrongly Encodes Value Containing CRLF (6337446)

Directory Server 5.2 Console does not correctly handle attributes with values containing CRLF (base64-encoded).


Workaround

Do not modify such entries (which have base64-encoded attribute values containing CRLF) using the Console.

Admin server deliver java machine not compliant with new DST (Daylight Saving Time) for US/Australia (6513250)

The JVM delivered with the Directory Server 5.2 product (and later versions) is not compliant with the new DST definition (2007) and needs to be updated with the tzupdater tool.

Note: Only the Directory Server 5.2 Patch 6 patchzip distributions deliver and run the tzupdater utility. The JVM running within the installed Directory Server 5.2 product is then up to date.

The Directory Server 5.2 Patch 6 native package distributions are not allowed to update the JVM installed and running in the system. The system administrator must follow the procedure described at http://java.sun.com/developer/technicalArticles/Intl/USDST/

In any case, it is strongly recommended to install the specific operating system patches documented at http://www.sun.com/bigadmin/hubs/dst/software.


patchzip Does Not Upgrade Directory Server Version Number in Console (Except the CDS) (6516282)

The upgrade procedure requires the data in the Configuration Directory Server (CDS) to be synchronized. This is performed through the sync-product-cds command, based on information located in the adm.conf file. Unfortunately, the upgrade procedure is not able to synchronize CDS data placed in a Server Group other than "cn=Server Group".

Workaround

  1. Identify all Server Group entries by running the following command:

    cd <ServerRoot>/shared/bin
    ./ldapsearch -D"cn=Directory Manager" -w <password> -p <port> -b"o=NetscapeRoot" objectclass=nsAdminGroup dn

    The command returns DN entries of the following form:

    dn: cn=Server Group, cn=<hostname>, ou=<administration_domain>, o=NetscapeRoot

    Where <hostname> is a fully qualified domain name for the host that the Directory Server is running on, and <administration_domain> is typically the host domain name.

    For example:

    dn: cn=Server Group, cn=starfish.Ireland.Sun.com, ou=Ireland.Sun.com, o=NetscapeRoot
    dn: cn=Server Group (2), cn=starfish.Ireland.Sun.com, ou=Ireland.Sun.com, o=NetscapeRoot

  2. Synchronize the CDS data placed in Server Group (2)

    ./sync-product-cds -r "<ServerRoot>" -i "cn=Sun ONE Directory Server, cn=Server Group (2), cn=<hostname>, ou=<administration_domain>, o=NetscapeRoot" -j ds524.jar -g ds524.jar -v 5.2_Patch_6 -n "Sun Java(TM) System Directory Server" -b "2007.093.0058"


PATCHZIP : sync-admin-cds and sync-product-cds hang when SSL is configured (6180346)

The patchzip installation script hangs on sync-admin-cds and sync-product-cds commands when SSL is configured between Admin Server and Directory Server 5.2 installed product.

Workaround

  1. Edit the <ServerRoot>/shared/config/dbswitch.conf file so that it reads as follows:

    directory default ldap://<hostname>:<non-secure port>/o=NetscapeRoot

    It should be "ldap" rather than "ldaps" and point to the non-secure port rather than the secure/SSL port.

  2. Run the sync-admin-cds and sync-product-cds commands manually
    1. Run the sync-admin-cds command

      cd <ServerRoot>
      ./stop-admin
      cd bin/admin
      ./sync-admin upgrade -r <ServerRoot>
      ./sync-admin-cds -r <ServerRoot>

    2. Run the sync-product-cds command.

      Follow the procedure described above in bugid 6516282.


On Windows 2000 Service Pack 4, it is impossible to remove a directory instance via the console if that instance is not running (4962625)

On Windows 2000 Service Pack 4 you cannot remove an instance using Directory Server Console unless it is running.

Workaround
Ensure that the instance is running before attempting to remove it using Directory Server Console.

Internal Search Causes Directory Server Console to Display a Yellow Warning Flag (2113362/4983539)

In some search contexts, a yellow warning flag is displayed. The yellow flag indicates that the Directory Server internal search mechanism has encountered an All IDs Threshold / Sorting issue. This flag does not represent a problem.

Workaround
Either ignore the flag or create a browsing index (VLV index) to prevent the flag from occurring.

Console Does Not Support Passwords That Contain a Colon ":" (4535932)

The console does not support passwords that contain a colon ":".

Workaround
Do not use a colon in a password.

Console Does Not Support the Management of External Security Devices (4795512)

The console does not support the management of external security devices, such as Sun Crypto Accelerator 1000 Board.

Workaround
Manage external security devices by using the command line.

German Entries Are Sorted Incorrectly in Directory Server Console (4889951)

In the Directory Server console some German characters are sorted incorrectly. See the following examples:

Workaround
None.

slapd Daemon Takes the Administration Server Port When Restarted From the Console (5002054)

When the slapd daemon is restarted from the console, it can take the Administration Server port and prevent Administration Server from being restarted by the console.

Workaround
Restart the slapd daemon from the command line.

Cannot Browse Access, Errors, and Audit Logs on Directory Server Console for Clustered Node (5044629)

On a Directory Server cluster node (active or not), the Browse buttons in the Directory Server console are grayed out.

Workaround
Ensure you are running the console on the active cluster node, and use the node name (as opposed to the logical host name) to connect to the Administration Server.

Path to Help File for Directory Server Login Dialog Box Is Incorrect for Non-English Languages (5046970)

The path to the help .htm file for the Directory Server Login dialog box in non-English languages is incorrect. For example, for the Korean language, the incorrect path is as follows: manual/ko/console/help/help/login.htm

Workaround
Change the path to the help .htm file as shown in the following example. This example uses the Korean locale:

  1. Close Directory Server Console.
  2. Change directory to the /usr/sadm/mps/console/v5.2/java directory.
  3. Extract the mcc52_ko.jar file by using the jar xvf mcc52_ko.jar command.
  4. Remove the mcc52_ko.jar file.
  5. Open the following file in a text editor: com/netscape/management/client/console/console_ko.properties
  6. Change the path from

    login-help=manual/ko/console/help/help/login.htm

    to

    login-help=manual/ko/console/help/login.htm

  7. Recreate the mcc52_ko.jar file by using the jar cvf mcc52_ko.jar META-INF/* com/* command.
  8. Restart Directory Server Console.

LDIF Files Exported by Using the Tasks Tab on the Console Contain Additional Unnecessary Information for Backup (6197903)

This issue concerns LDIF files exported by using the Export to LDIF button in Tasks tab on the console. When a server is configured as a supplier or a hub, an exported LDIF file starts to collect replication information to initialize consumers. The exported LDIF file cannot be used with the Import from LDIF button in Tasks tab on the console.

Workaround
Select one of the following workarounds:

Server Console Help Index Search Does Not Work in Traditional Chinese (zh_TW) (6205531)

Cannot Add a New objectclass By Using the Console After Migrating From Directory Server 4 (6246753)

After migrating from Directory Server 4x to Directory Server 5x, you cannot add new object classes by using the console. This condition occurs because migrated users contain ntUser attributes with the old NtSyncTool for Windows.

Workaround
Use the ldapmodify command to add object classes.

Core Server


HP-UX: application using NSPR threads dumps core after gdb quit (6506019)


On HP-UX systems, a running Directory Server 5.2 Patch 6 instance attached to a gdb program core dumps once it is detached by using the gdb quit command.

Workaround
None.




DS5.2 on Linux RHAS3.0u8 and RH4.0u3 is too large because of default stack size (6532754)

Before starting Directory Server, set the default stack size using the command: “ulimit -s 512”

Documentation Wrong: nsslapd-schemacheck DOES Apply to nsslapd-rootdn (Manager DN) (6283207)


The Sun ONE Directory Server 5.2 Reference Manual defines nsslapd-rootdn (Manager DN) parameter as follows: "Specifies the distinguished name of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-schemacheck do not apply to this DN either."

This description is incorrect. The nsslapd-schemacheck attribute applies to nsslapd-rootdn parameter.

libdb PANIC in 5.2 When txn Log Files Are Moved to New Location and Backup/Restore Is Initiated (6422530)


When changing the database transaction log path, the user must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

More Detail Explanation Regarding Supported OID in Directory Server (6251126)


All supported LDAP Controls within Directory Server 5.2 are described in documentation. The LDAP control that corresponds to OID 1.3.6.1.4.1.42.2.27.9.5.6 is intended only for internal use within the Directory Server.

The db2ldif Command Fails on Windows If the Suffix to Be Exported Specified by the -s Option Contains a Subdomain (4952347)

bak2db Command Generates Unnecessary Error Messages (5068357)

When run on Windows platforms, the bak2db command can generate unnecessary errors 20741 and 20742. These errors are false errors.

Workaround
Ignore messages generated by errors 20741 and 20742.

Server Crashes When Stopped During Export, Backup, Restore, or Index Creation (4678334)

Stopping the server during export, backup, restore, or index creation can cause it to crash.

Backend Instances Called "Default" Do Not Work (2122630/4966365)

Backend instances, or databases, called "Default" do not work.

Workaround
Do not name a database "Default".

Database Becomes Unavailable if LDIF File Is Inaccessible During Import (2126979)

If a non-existent file is specified for an online import, the server still deletes the existing database.

Installing 64-bit packages locks out the 32-bit Directory Server databases (4786900)

When indexes are configured with nsMatchingRule, db2ldif and ldif2db issue an "unknown index rule" warning which means that the index created does not include the matching rule (4995127)

Workaround
Use db2ldif.pl and ldif2db.pl instead of db2ldif and ldif2db as they do not issue "unknown index rule" warnings and create the index with the matching rule.

Directory Server Plug-ins


Role doesn't work on consumer after online initialization (6252422)


This problem is fixed in Directory Server 5.2 Patch 6 for newly created instances. For existing instances, there are two possible workarounds for this problem.
Workaround 1: Restarting the consumer will solve the problem.
Workaround 2:
  1. Stop the Consumer
  2. Add the following lines in dse.ldif

    nsslapd-plugin-depends-on-named: Roles Plugin
    nsslapd-plugin-depends-on-named: Class of Service


    Location to add the above lines:

       nsslapd-plugin-depends-on-named: ldbm database
       nsslapd-plugin-depends-on-named: DES
       nsslapd-plugin-depends-on-named: ACL Plugin
       nsslapd-plugin-depends-on-named: Roles Plugin <---- Here
       nsslapd-plugin-depends-on-named: Class of Service <----Here


  3. Restart the consumer and do on-line initialization


When the Pass-Through Authentication Plug-In (PTA Plug-In) Detects that a Suffix Configured for Pass-Through Authentication is Local to the Machine, the Plug-In Is Not Automatically Disabled (4938821)

If the Plug-In Configuration Entry Attribute Values in the dse.ldif End with Extra Blank Spaces, Directory Server Will Either Fail to Start or Behave in Unexpected Ways (4986088)

Error Message When ACL Plug-In Unable to Normalize Attribute Value (5089207)

The ACL plug-in normalizes attribute values in order to compare them with the DN provided in the ACL rules. If an attribute value is not a DN, an error message is logged.

Workaround
Ignore the error message.

If you have two Directory Server instances, DS1 and DS2, with your Configuration Directory Server installed on DS1, and you subsequently replicate the o=NetscapeRoot configuration information to DS2, then instead of being automatically disabled, the PTA plug-in continues to point to DS1 for any o=NetscapeRoot relevant searches, despite the fact that the information is now local.


Miscellaneous

nsslapd-cache-autosize-split does not work as documented (6243665)

The nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes were documented by mistake. Do not use them.

Ambiguous Description regarding nsslapd-valuecheck (6218767)

The nsslapd-valuecheck attribute was never implemented but is mentioned in Sun ONE Directory Server 5.2 documentation. This is a mistake.

Maximum Size of Transaction Log File Cannot be Changed (4523783)

If you change the maximum size of the transaction log file when the database directory contains log files, the new size is not taken into account.

Workaround
None.

Statistics for SNMP Subagents (4529542)

On UNIX platforms, statistics are generated only for the last SNMP subagent that is started. This implies that you can monitor only one Directory Server instance at a time with SNMP.

International Substring Search on Unaccented Characters Returns Only Unaccented Characters (4955638)

Instead of returning the unaccented character and all of its possible accented variants, which would seem to be the logical approach, a search on an unaccented character only returns the unaccented character in question. Searching for an accented character however, returns not only that character but all other variants.

Certain error messages reference a database error guide which does not exist (4979319)

Missing chown/chgroup When an Instance Of Directory Server Is Created With Another User (4995286)

With Directory Server and Administration Server installed and configured to run as root, when the console is used to create another instance of Directory Server which you specify to run as a user other than root, that instance is successfully created, but many of the files pertaining to that instance are not owned by the same user.

Workaround
Change the ownership of the files and directories manually.

Cannot Create a Chained Suffix With an IPv6 Address by Using the Console (5019414)

When you create a new chained suffix with an IPv6 address by using the New Chained Suffix window of the console, the Testing connection parameters popup window does not close automatically and the validity of the IPv6 address is not tested. Although the local configuration of the chained suffix is successful, the validity of the IPv6 address is not assured.

Workaround
Do not use the Test connection option when you configure a chaining suffix with an IPv6 address.

When the ldapsearch sizelimit Option Is Hit on a Chained Suffix, an Error Message Is Issued and the Access Number of Entries Count Is Incorrect (5029026)

Default Number of File Descriptors Is 1024 for Directory Server on Linux RH3.0 (5101775)

For Directory Server on Linux RH3.0, the default number of file descriptors is 1024. The default number of file descriptors cannot be changed globally, but can be changed by the root user for a given session only.

To change the default number of file descriptors, become root user and change the value before starting the server.

Workaround
None

SNMP is not supported on IPv6 on HP-UX (4970378)


To Move a Directory Database Backend (2144828)

Workaround
Before You Start - Make a backup of your directory data before performing the following steps.

  1. Stop Directory Server.
  2. Change nsslapd-directory in the entry for the database backend you intend to move.
  3. Move or copy the entire database directory to the new absolute path specified as the value of nsslapd-directory.
  4. Restart Directory Server.


The Directory Server Administration Guide and directoryserver man page incorrectly state that groups of accounts can be activated and deactivated. Instead, only individual entries and *roles* can be activated and deactivated. (6189984)


When exporting to LDIF, Directory Server Console performs an LDAP search operation to retrieve entries to export. When the amount of directory data to export is large, this search operation can impact performance. (6190418)


The documentation incorrectly states that a browsing index can be changed by editing the corresponding vlvSearch or vlvIndex entry. Instead, you must delete the existing entry, and recreate a new entry with the appropriate modifications. (6230014)


SUNWhsvh and SUNWhsvhx must be installed on both Solaris 8 and Solaris 9 systems. (6233701)


The product documentation does not explain that /etc/init.d/directory, installed with the native package version of Directory Server, allows the system administrator centrally to start and stop Directory Server instances and their associated Administration Server instances. (6234977)


The Directory Server Administration Reference incorrectly states that the migrateInstance5 command does not migrate the configuration attribute nsslapd-accesslog-level. (6277789)


The Directory Server installation program requires a Fully Qualified Domain Name (FQDN) during the installation. The FQDN must resolve correctly for installation to complete. (6304475)

Workaround
On Windows systems, you must change the network configuration before installing Directory Server software to ensure the FQDN resolves correctly.

If host name resolution is handled by DNS, follow these steps.

1. Right click My Computer and select Properties.
2. Select the Computer Name tab in the System Properties window.
3. Click Change.
4. Click More to reveal the Primary DNS suffix of this computer field.
5. Enter the correct domain name, then save your work.

If host name resolution is handled using a hosts file, add the FQDN for the system in <System Drive>:\Windows\System32\drivers\etc\hosts. This approach can be used to fake the FQDN, such as myhost.example.com, so you can install Directory Server on systems without a legitimate FQDN.


How to move DB from the drive installed with DS5.2 to the other drive is missing from the documentation. (6353498)

Workaround
Use these steps to move the database to another drive:

  1. Make a file system backup beforehand (or make a tar of the whole installation elsewhere while the server is stopped).
  2. Stop the server.
  3. Move the database directory to the new location.
  4. Update the value of nsslapd-directory in dse.ldif. Be careful when editing dse.ldif to modify the correct nsslapd-directory, because it can appear in more than one place.
  5. Restart the server.
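
An added example (not part of the release notes or of Sun's tooling): a read-only Python check to run on a copy of dse.ldif before editing it by hand. It lists every nsslapd-directory value with its entry DN and line number, so that step 4 changes the right one, and it flags attribute values under cn=plugins,cn=config that end in blanks (issue 4986088 above). The sample content, its entry DNs and its paths are constructed.

```python
"""Read-only checks on a copy of dse.ldif before editing it by hand."""


def parse_ldif(text):
    """Return [(dn, [(attr, value, line_no), ...])] with folded lines joined.

    Trailing blanks are kept in values; base64 ("attr::") values stay encoded.
    """
    logical = []                              # (first_line_no, unfolded_line)
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith(" ") and logical and logical[-1][1] != "":
            first, prev = logical[-1]         # LDIF folding: leading space
            logical[-1] = (first, prev + line[1:])
        else:
            logical.append((no, line))
    logical.append((0, ""))                   # sentinel flushes the last entry

    entries, dn, attrs = [], None, []
    for no, line in logical:
        if line == "":                        # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        elif not line.startswith("#"):        # skip comment lines
            attr, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if attr.lower() == "dn":
                dn = value.strip()
            else:
                attrs.append((attr, value, no))
    return entries


def occurrences(entries, attr_name):
    """Every (dn, value, line_no) where attr_name is set."""
    return [(dn, v, no) for dn, attrs in entries
            for a, v, no in attrs if a.lower() == attr_name.lower()]


def trailing_blank_values(entries, subtree="cn=plugins,cn=config"):
    """(dn, attr, line_no) for values under subtree ending in a space or tab."""
    return [(dn, a, no) for dn, attrs in entries
            if dn.lower().endswith(subtree)
            for a, v, no in attrs if v != v.rstrip(" \t")]


# Constructed sample, not taken from a real installation.
SAMPLE_DSE = (
    "dn: cn=config,cn=ldbm database,cn=plugins,cn=config\n"
    "objectClass: top\n"
    "nsslapd-directory: /var/ds5/slapd-example/db\n"
    "\n"
    "dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config\n"
    "objectClass: top\n"
    "cn: userRoot\n"
    "nsslapd-suffix: dc=example,dc=com \n"        # value ends with a blank
    "nsslapd-directory: /var/ds5/slapd-example/db/\n"
    " userRoot\n"                                 # folded continuation line
)

if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_DSE)
    for dn, value, no in occurrences(parsed, "nsslapd-directory"):
        print(f"line {no}: {dn}\n    nsslapd-directory = {value}")
    for dn, attr, no in trailing_blank_values(parsed):
        print(f"line {no}: {attr} in {dn} ends with blank space")
```
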


When running Directory Server on HP-UX 11.11 and using a Veritas file system, you must change the block size and apply the following patches (6354043):

Workaround
Change the block size and apply the following patches

   PHKL_32772: s700_800 11.11 VxFS 3.5-ga15 Kernel Cumulative Patch 11
   PHKL_32669: s700_800 11.11 VxFS cumulative patch

Change the blocksize to 8K from the default of 1K.


Directory Server 5 2005Q1 Release Notes incorrectly state that bug 2122386 (also 4925250) is fixed in that release. (6362958)


nsslapd-maxdescriptors, which sets the maximum number of file descriptors Directory Server tries to use, is not applicable on Windows platforms. (6371044)


When installing Directory Server, make sure you *record* whether you install from the native package or compressed archive (patchzip) version. If you ever apply patches, you will need this information to download the correct version of the patches. (6387560)


The Directory Server Administrative Reference incorrectly states that the valid ranges for nsslapd-db-transaction-batch-val are 0 to 30. (6391343)

The actual range is from -2^31 + 1 to 2^31. In practice, values should be positive numbers. Values larger than 100 bring few benefits.


Although in some cases, you can change nsslapd-logbuf-size without reinitializing directory data, in other cases this may not work. Therefore you may be able to get by without performing an import from LDIF, but it is safer to perform an import after changing nsslapd-logbuf-size. (6391352)


The Administration Guide and the Administration Reference identify different default values for ds5ReferralDelayAfterInit. *Both* documents are wrong. (6397458)

By default ds5ReferralDelayAfterInit is not set, meaning the delay is not limited. -1 is not a valid value, and 0 means no delay.


Need to specify in docs if HPUX 11.23 is supported or not (6397962)

Directory Server 5.2 Patch 6 does not support HP-UX 11.23. Directory Server 5.2 Patch 6 does support HP-UX 11.1 (formerly 11.11).


Document password policy implications for admin-serv entry. (6396617)

If the server-wide password policy affecting the Configuration Directory Server (CDS) instance causes passwords to expire, administrative users with accounts stored in the CDS must also change their passwords before those passwords expire. To change this normal server behavior, either configure password expiration policy at a lower level, or override password expiration policy for users in the CDS (under o=NetscapeRoot).


Directory Server does not correctly parse ACI target entry DNs containing escaped quotes or a single escaped comma. (6416407)

The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
(targetattr="*")(version 3.0; acl "testQuotes";
allow (all) userdn ="ldap:///self";)


dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
(targetattr="*")(version 3.0; acl "testComma";
allow (all) userdn ="ldap:///self";)


Examples with more than one escaped comma have been observed to parse correctly, however.
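
An added example, not from the release notes: a Python pre-check that scans LDIF for ACI targets matching the two patterns described here (escaped quotes, or exactly one escaped comma) before the change is sent to a 5.2 server. The first two records are the examples above; the third record, with two escaped commas, is constructed.

```python
import re

# target="ldap:///<dn>" where the DN may hold backslash-escaped characters.
# The (?:\\.|[^"\\])* part steps over \" so that an escaped quote is not
# mistaken for the closing quote of the target value.
TARGET_RE = re.compile(
    r'\(\s*target\s*=\s*"ldap:///((?:\\.|[^"\\])*)"\s*\)', re.I)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"')


def check_ldif(ldif_text):
    """Return [(acl_name, target_dn, [reasons])] for targets hit by 6416407.

    Only the literal forms named in the release notes are counted:
    backslash-quote, and exactly one backslash-comma.
    """
    findings = []
    for record in re.split(r'\n\s*\n', ldif_text.strip()):
        for m in TARGET_RE.finditer(record):
            dn = m.group(1)
            escaped = re.findall(r'\\(.)', dn)   # characters after a backslash
            reasons = []
            if '"' in escaped:
                reasons.append("escaped quote")
            if escaped.count(',') == 1:
                reasons.append("single escaped comma")
            if reasons:
                name = ACL_NAME_RE.search(record, m.end())
                findings.append((name.group(1) if name else "?", dn, reasons))
    return findings


# Records 1 and 2 are the examples from the release notes; record 3 is
# constructed to show that two escaped commas are not flagged.
SAMPLE_LDIF = r'''dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
(targetattr="*")(version 3.0; acl "testQuotes";
allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
(targetattr="*")(version 3.0; acl "testComma";
allow (all) userdn ="ldap:///self";)

dn:o=Example\, Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example\, Company\, Inc.,dc=example,dc=com")
(targetattr="*")(version 3.0; acl "testTwoCommas";
allow (all) userdn ="ldap:///self";)
'''

if __name__ == "__main__":
    for acl, dn, reasons in check_ldif(SAMPLE_LDIF):
        print(f'acl "{acl}": target {dn} -> {", ".join(reasons)}')
```
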


When running Directory Server on Sun Cluster and nsslapd-db-home-directory is set to use a directory that is not shared, after a failover the Directory Server instance on the new node uses its potentially outdated database cache files. (6431697)

Workaround
To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.


The documentation concerning the prerequisites for binary copy is too restrictive. The documentation indicates that, 'Both machines must use the same hardware and the same operating system, including any service packs or patches.' (6447418)

Workaround
The hardware prerequisites are as follows.


Replica demotion to consumer-only followed by re-promotion can break replication (6496956)

Workaround
Physically remove the changelog DB file AFTER the demotion to read-only consumer and BEFORE the re-promotion to hub.


Successful bind with incorrect password after setting a very specific value of userpassword (6509280)


Linux does not support pthread_attr_setstacksize, so it is not possible to reduce the stack size when creating a thread. For this reason, the process limit is taken (10Mb on RH3.0).

Workaround

Run this command on Linux installations:

   ulimit -s 256; start-slapd


Inconsistency in translation of "New password" (6462406)


5.2p4:win:ds: install.bat can't accept serverroot path that includes a space. (6356752)

Workaround

Enter this command:

   lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "<SERVER_ROOT>" "<ADMIN ID>" "<PASSWORD>"

where, for example, "<SERVER_ROOT>" can have a value such as "D:\Program Files\Sun\MPS", "<ADMIN ID>" can have a value such as "admin", and "<PASSWORD>" can have a value such as "password".


DS 5.2 Patch 6 on Windows, upgrade.pl "jre delivery has not been patched" if serverroot contains space (6569076)

When the SERVER_ROOT pathname contains a space character, the following command fails:

   lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "<SERVER_ROOT>" "<ADMIN ID>" "<PASSWORD>"

The failing command returns this error message:

   Warning: jre delivery has not been patched

This error reports that the tzupdater utility has not been successfully run and so the JVM delivered with Directory Server 5.2 is still not compliant with the new DST definition (2007).

Workaround

Run the following command manually:

   "<SERVER_ROOT>\bin\base\jre\bin\java" -jar <PATCHZIP_PATH>\tzupdater\tzupdater.jar -u

PATCHZIP_PATH is the pathname where the Directory Server 5.2 Patch 6 compressed archive patch (that is, 117667-04) has been downloaded.


5.2p4: Items in the Advanced search condition list are not localized (6356763)


snmp does not work on solaris 10 : ns-ldapagt returns "setup_static_info failure! Exiting." (6501477)


On Solaris 10 systems, the Directory Server 5.2 Patch 6 SNMP agent stops with the error: "setup_static_info failure! Exiting."

Workaround

None.

Not able to do the sync-cds using user Directory Manager (6508496)

Workaround


  1. Create a credential file with these contents:

    Admin Id: cn=directory manager
    Admin Password: adminadmin

  2. Execute sync-cds* commands with option -f <credential file>.

In this way, you can bind as the directory manager user.


Doc Bug: a description of option T on vlvindex command is incorrect (6555169)

The DSEE 5.2 Administration Guide describes the -T option of the vlvindex command as follows:

This option specifies the naming attribute of the vlvIndex entry, not the vlvSearch entry.


DocRFE: UNIX vs Win different behavior on connection closure by idletimeout (6563245)

idletimeout check is not being done if there is no other activity (6533281)

Because of a known issue, nsslapd-idletimeout is not computed on Windows installations as documented under all conditions.

On Unix (including Solaris) nsslapd-idletimeout is computed when new connections are opened and when new data is received, as described in the documentation.

On Windows, nsslapd-idletimeout is computed the same way for secure connections or if ds-start-tls-enabled is true. However, for non-secure connections and if ds-start-tls-enabled is false, nsslapd-idletimeout is computed only when new connections are opened.


Release Notes : Incorrect information on fixed size memory pools (6362539)

The multiple fixed size memory pools feature introduced in Directory Server 5.2 2005Q4 and described in the Directory Server 5.2 2005Q4 Release Notes document needs clarification. The existing text reads as follows:

The corrected text should read as follows:


On Windows, db2index.pl returns "ldap search:Invalid DN syntax". (6596797)

Workaround
Windows requires double quotation marks (") to be used to delimit special characters, including blank spaces. The db2index.pl file uses single quotation marks (') to delimit blank spaces, which results in an error in Windows installations. In Windows installations, manually edit the db2index.pl file and the template file and replace instances of single quotation marks with double quotation marks.


The Administration Guide's description of confirming consumer initialization requires clarification. (6641793)

In "Initializing a Replica Using the Console," step 4 requires the following additional information about the results of the step: "Messages describing the selected replication are displayed in the text box below the list. To confirm the status of the consumer initialization (such as success and failure), see Monitoring Replication Status."

Also, the Description column in three rows of Table 8-1 requires additional information shown here:

Last initialization started

Indicates when the most recent initialization of the consumer replica started. When the most recent initialization succeeds, it indicates the start time of the initialization. When the most recent initialization fails, this field value is not meaningful.

Last initialization ended

Indicates when the most recent initialization of the consumer replica ended. When the most recent initialization succeeds, it indicates the end time of the initialization. When the most recent initialization fails, this field value is not meaningful.

Last initialization message

Provides status on the last initialization of the consumer. When the most recent initialization succeeds, the message Total Update Succeeded is displayed. When the most recent initialization fails, a message describing the failure is displayed.


Documentation should note that passwordExp should be enabled when usePwdChangedTime is enabled. (6669111)

When enabling usePwdChangedTime, also enable password expiration by setting the value of passwordExp to on.


The Administration Guide's description of indexing requires clarification. (6694125)

The following text clarifies the Administration Guide's explanation of reindexing a suffix: "When you reindex a suffix, the server examines all of the entries the suffix contains and rebuilds the index files. During reindexing, the contents of the suffix are read-only. Because the server must scan the entire suffix for every attribute that is reindexed, this process might take up to several hours for suffixes with millions of entries. The length of time also depends on the indexes you configure. In addition, while the suffix is being reindexed, indexes are not available and server performance is impacted."



Command Line Tools

Incorrect Error Message When Exporting a Subtree by Using the db2ldif -s Option (2122386)

When the db2ldif -s command is run on a suffix to export a subtree, the following incorrect error message can be generated:

Workaround
Ignore this error message.

Absolute Paths Must be Specified for the Following Commands: db2bak, db2bak.pl, bak2db, and bak2db.pl (4897068)

db2ldif Command Creates an Output File In an Incorrect Directory (5029598)

The db2ldif command creates output LDIF files in an incorrect default directory when the file name only is specified. The db2ldif command should create output LDIF files in this directory:

Workaround
Specify the absolute path to the file name of the output LDIF file.

mmldif Command Crashes (6205803)

The mmldif command crashes when used.

Workaround
None

createtimestamp and modifytimestamp Not Generated During ldif Import (6235452)

When an LDIF file is imported to Directory Server by using the ldif2db.pl script, the createtimestamp and modifytimestamp are not generated. Note that this problem does not occur for online adds done by LDAP clients like ldapmodify.

Workaround 1

Edit the LDIF source file before import. This workaround works for LDIF input files that do not contain any entry with createtimestamp or modifytimestamp values.

Substitute ALL empty lines in the LDIF source file with the following 3 lines:

Then import the file into the Directory Server.

Workaround 2

Import the source file by using ldapmodify instead of ldif2db. This workaround is slower than Workaround 1, but it works for LDIF input files with entries with createtimestamp or modifytimestamp values.

  1. Export the contents of your Directory Server by using db2ldif:

     db2ldif -n $instance -a /tmp/exported.ldif

  2. Copy the first entry of /tmp/exported.ldif into a new file named /tmp/rootsuffix.ldif.

  3. Re-import the database only with the root suffix:

     ldif2db -n $instance -i /tmp/rootsuffix.ldif

  4. Add all of the entries in /tmp/rootsuffix.ldif by using the ldapmodify command:

     ldapmodify -a -c -h <host> -p <port> -D "cn=Directory Manager" -w <password> -f /tmp/exported.ldif

ldapdelete Command Hangs When NDS Plug-in Returns a Non-zero Value (6301267)

When the pre-operation plug-in for schema deletion returns a non-zero value, the ldapdelete command hangs.

Workaround

Ensure that the pre-operation plug-ins (except abandon and unbind) send back a result (by using slapi_send_ldap_result) before returning a non-zero status.


Redistributable Files

Sun Java System Directory Server 5.2 Patch 6 does not contain any files which you can redistribute.


How to Report Problems and Provide Feedback

If you have problems with this update, contact Sun customer support using one of the following mechanisms:

So that we can best assist you in resolving problems, please have the following information available when you contact support:

You might also find it useful to subscribe to the following interest groups, where Sun Java System Directory Server topics are discussed:

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. Use the web-based form to provide feedback to Sun:

Please provide the full document title and part number in the appropriate fields. The part number can be found on the title page of the book or at the top of the document, and is usually a seven or nine digit number. For example, the part number of these Directory Server 5.2 Release Notes is 819-4290-10.


Additional Sun Resources

Useful Sun Java System information can be found at the following Internet locations:


Copyright © 2007 Sun Microsystems, Inc. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

SUN PROPRIETARY/CONFIDENTIAL.

U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

Use is subject to license terms.

This distribution may include materials developed by third parties.

Portions may be derived from Berkeley BSD systems, licensed from U. of CA.

Sun, Sun Microsystems, the Sun logo, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.

