Chapter 3 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

This chapter includes the following sections:

• Bugs Fixed in Directory Server 6.3

• Known Problems and Limitations in Directory Server

Bugs Fixed in Directory Server 6.3

This section lists the bugs fixed since the last release of Directory Server.

6642430

Importing large ldif files using db2ldif results in corrupted index files. Database corruption is seen as zeroed pages within the Sleepycat database files.

This bug fix prevents new corruptions, but does not prevent corruptions that have already occurred. If you find corrupted index files, upgrade to the latest version of Directory Server and reinitialize your database to take advantage of this bug fix and to prevent future corruptions.

6547406

The output of dpconf help-properties is not localized.

6541523

The dsconf command in Directory Server allows you to set the repl-accept-client-update-enabled property to 'off'. If you use the dsconf command to configure an instance of Directory Server 6.0, the 'off' value is rejected and a message asks you to upgrade your version of Directory Server.

6533281

Idle connections are not closed until there is some network activity.

The idle timeout is now always correctly computed.

6634117

The Directory Server dumps core when the amadmin command (for Access Manager 6.3 with 119465-11 and 119466-11) is run to update the directory.

6627860

In a search operation where ACIs have userattr and userdn with common target attributes, crashes can occur.

6625993

In an internal search isMemberOf search, a comma included in the DN name is not masked.

6623504

A deadlock occurs when a changelog trimming operation removes several records with different IDs.

6604342

The Directory Server Retro Change Log may generate records with invalid changes.

6586770

The ns-slapd process produces a memory leak when acting on consumers during various operations such as SSL replication agreements.

6583362

The dsmig command fails to migrate nested suffixes.

6586724

Memory leak on a master with the retrochangelog enabled.

2153997

Replication metadata growth unacceptable over time.

2154845

Crash with dn cache/hashtable and dn normalization.

6568770

Memory leak when performing substring searches.

6574902

Error when you force a log rotation.

2149741

The CoS Fastlookup implementation can enter into an infinite loop when processing multiple specifiers.

2150672

The Directory Server crashes when a filter with 1006 filter elements is played.

6518034

The dsconf command does not properly handle suffix with escaped characters.

6575696

Wizard hangs when trying to create an instance using the zip web console on SuSE.

6618547

The Directory Server crashes while initializing a replication management agreement if there is a missing replica object in the configuration file.

6630297

On SuSE 64–bit installations, the dsadm create command fails.

6582831

On Solaris, the instances registered as a service might not start after restarting the system.

6590558

On Linux, the Directory Server instances do not start at system restart if the maximum number of files are specified in the /etc/security/limits.conf file.

6577314

If you apply the Directory Server Enterprise Edition 6.3 patch without stopping the server instances, the dsadm info and dsadm stop will display that a server is down while the server is running.

6573440

If you configure the uniqueness plug-in to work across multiple attributes in Directory Server, an error is displayed during the Directory Server startup.

6547923

Directory Server Enterprise Edition Windows service fails to start more than one server instances when the system restarts.

6490762

After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.

6448572

Directory Service Control Center fails to generate a self-signed certificate when you specify the country.

6582716

create-repl-agmt fails if an IPv6 address is specified as repl-dest HOST.

This bug has been fixed, and you can now declare an IPv6 address. You can optionally use square brackets, []. Note that if you choose to use square brackets to declare the IPv6 address, add a backslash before each square bracket. Thus the following two commands are equivalent:

dsconf create-repl-agmt -p 5566 dc=com 1234:123d:aeff:9dc9:222:4fff:fe3a:5bb2:5389

dsconf create-repl-agmt -p 5566 dc=com \[1234:123d:aeff:9dc9:222:4fff:fe3a:5bb2\]:5389

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

Database cache may be outdated after failover on Sun Cluster.

The Directory Server supports Sun Cluster 3.2. When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

---

Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

---

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already done this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.

Console does not allow administrator login on Windows XP

Console does not allow administrator to logon to the server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 13, Directory Server Indexing, in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for details.

Known Directory Server Issues in 6.3

This section lists the known issues that are found at the time of Directory Server 6.3 release.

6583131

The Directory Service Control Center is not patched correctly after applying the 6.3 patch releases.

To use a localized Directory Service Control Center, apply the Directory Server Enterprise Edition 6.3 patch before the Directory Server Enterprise Edition 6.3 localized patch, then run the following commands in the specified order.

# dsccsetup console-unreg

# dsccsetup console-reg

There is no need to run the dsccsetup console-unreg and console reg commands if you apply the Directory Server Enterprise Edition 6.3 localized patch before the Directory Server Enterprise Edition 6.3 patch.

For zip based installation, the Directory Server Enterprise Edition 6.3 localized patch is not automatically applied to the Directory Service Control Center. As a workaround, undeploy and then redeploy the WAR file.

6630897

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.

6630924

The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.

2155981

Some ACI searches can expose the values of restricted attributes. This can enable some users to make incremental guesses at restricted values.

2156184

When performing a backup against a running Directory Server instance using db2ldif, if the db2ldif process is terminated prematurely by issuing 'Ctrl-C' the process may not release the locks held within the DB. If a subsequent MOD is attempted against a locked page it will block indefinitely and prevent the server from process any further MODs.

6637242

After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService

6640755

In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.

2157291

Following the instructions for "Setting the Sun Java System Directory Server to Use the DES Algorithm" when configuring "Digest Authentication" for Sun Web Proxy 4.0 may cause replication to fail upon first modification of the iplanetReversiblePassword attribute.

6648240

Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.

6650105

On the Windows 2000 zip distribution, with the Tomcat 5.5 Application Server and using Internet Explorer 6, in the "Step 3: Assign Access Rights" of the "New DS Access Control Instruction" wizard in Directory Service Control Center, clicking on the "Delete" button of the "Assign Rights to Specified Users: " listbox, can produce an exception similar to the following:

The following error has occurred:  
Handler method "handleAssignACIToDeleteButtonRequest" not implemented,
or has wrong method signature  
Show Details 
Hide Details 
com.iplanet.jato.command.CommandException: Handler method 
"handleAssignACIToDeleteButtonRequest" not implemented, or has wrong method signature
     com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute
(DefaultRequestHandlingCommand.java:167)
     com.iplanet.jato.view.RequestHandlingViewBase.handleRequest
(RequestHandlingViewBase.java:308)
     com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)

6660462

Before upgrading from Directory Server Enterprise Edition 6.2 to Directory Server Enterprise Edition 6.3, the ntservice for each instance of Directory Server or the Directory Proxy Server must be manually stopped, but the dsee_deploy command fails to identify running instances of Directory Server or the Directory Proxy Server on the Microsoft Windows 2000 platform.

On the zip distribution of Microsoft Windows 2000, when upgrading, the dsee_deploy command can fail. The error message is as follows:

error: cannot delete old C:/local/upg6263/./dsee6/lib/bin/dsee_ntservice.exe

This indicates that an instance of the Directory Server or the Directory Proxy Server is still running. To stop the instance or instances, in Microsoft Windows 2000, select on Start > Settings > Control Panel, and choose Adminstrative Tools, then Services. For each service of the Directory Server or the Directory Proxy Server displayed in the right column, right click the instance and select Stop.

6663685

In the Directory Service Control Center, the Copy Suffix Configuration operation can produce erroneous pop-up windows.

6559825

If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.

6634397

For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have SSL port only and secure-listen-address setup with Directory Server Enterprise Edition 6.3, use this workaround:

1. Unregister the server from DSCC:

   dsccreg remove-server /local/myserver

2. Disable the LDAP port:

   dsconf set-server-prop ldap-port:disabled

3. Set up a secure-listen-address:

   dsconf set-server-prop secure-listen-address:IPaddress

   dsadm restart /local/myserver

4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.

6654030

During a replication from a master running Directory Server 5.1 SP4 to a consumer running Directory Server 6.x, nsds50ruv is not updated properly on the consumer side. This results in a broken replication, with accompanying error messages in the access logs.

6653574

Replication does not work from a master running Directory Server 6.3 to a master running Directory Server 5.1.

6645742 / 2158692

If a known user attempts to log in with an incorrect password during a replication operation from Directory Server 5.2 to Directory Server 6.3, replication fails.

Error messages on the Directory Server 5.2 side are similar to the following:

[20/Dec/2007:11:49:55 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - ruv_init_from_bervals: malformed RUV element ({replica 1})

[20/Dec/2007:11:49:55 -0800] - ERROR<8221> - Incremental Protocol - conn=-1 op=-1 msgId=-1 - Failed and requires administrator action [280R:3891]

Error messages on the Directory Server 6.x side are similar to the following:

[20/Dec/2007:11:38:55 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - Replica (dc=bcbsm,dc=com) has been initialized by total protocol as full replica

[20/Dec/2007:11:45:02 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - csnplCommit: can't find csn 476ac63e000000010000

[20/Dec/2007:11:45:02 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - ruv_update_ruv: cannot commit csn 476ac63e000000010000

[20/Dec/2007:11:45:02 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - replica_update_ruv: unable to update RUV for replica dc=bcbsm,dc=com, csn = 476ac63 e000000010000

[20/Dec/2007:11:45:02 -0800] - ERROR<8221> - Incremental Protocol - conn=-1 op=-1 msgId=-1 - Failed and requires administrator action [280R:389]

6541040

When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not causes any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.

6643813

In a topology containing 150 masters, an invalid RUV results, with occurrences of a missing ldap://host:port. The replication cannot be monitored using the Directory Service Control Center. All masters are reported as ”Not initialized".

6650749 / 2158694

Applying CLEANRUV in a Directory Server 6.3 topology where Directory Server 5.2 databases were used to initialize the Directory Server 6.3 masters causes the Directory Server 6.3 servers to improperly close the changelogs and forces database recovery on restart.

6643692

On Microsoft Windows native installations, during a patch upgrade from Directory Server Enterprise Edition 6.0 to 6.3, the Directory Service Control Center does not get upgraded.

As a workaround, if you have never applied patch 125311-05, apply it. If you have applied patch 125311-05, remove this patch first, and then apply patch 125311-06.

If you have already applied patch 125311-06 over patch 125311-05, remove both patches and then re-apply 125311-06 only.

6595805

For encoding other than UTF-8, and when the install path contains non-ASCII characters, then the dsee_deploy tool fails to set up the Java Enterprise System Monitoring Framework inside the common agent container.

6593775

Not all suffixes are displayed on the suffix usage page of DSCC.

In the Suffix Usage tab, if you select a suffix in 'index access database in cache' table and click refresh, only the selected appears. Other suffixes should also appear but do not.

6501320

When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.

6579286

The ds-repair tool does not execute successfully on zip installations on Microsoft Windows. Possible error messages delivered by the Microsoft Windows system include:

dsrepair.exe - Unable to Locate Component. This application has failed to start because NSLDAP32(version number).dll was not found. Re-installing the application may fix this problem.

6579820

On zip installations on Microsoft Windows, the replcheck.exe file does not locate the dsrepair.exe file, resulting in the failure of replcheck fix. Possible error messages delivered by the Microsoft Windows system include:

dsrepair tool not found...be sure to install it before starting replck

6504549

The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.

6536770

The Directory Service Control Center is unable to display very long ACIs. Possible error messages in your browser as a result of this problem include:

• Your browser sent a message this server could not understand

• The requested URL could not be retrieved. While trying to retrieve the URL: [no URL] The following error was encountered: The request or reply is too large. If you are making a POST or PUT request, then your request body (the thing you are trying to upload) is too large. If you are making a GET request, then the reply body (what you are trying to download) is too large. These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.

2151022

If certificates contain localized names, the certificate cannot be deleted properly. They also cannot be listed properly.

2129151

The Directory Server hangs when running the stop-slapd command.

6461602

The dsrepair fix-entry does not work if the source is a tombstone and if the target is an entry (DEL not replicated).

Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.

6594285

The Directory Service Control Center has no RBAC capability.

2113177

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

2133169

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.

6488284

For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

• man5dpconf.

• man5dsat.

• man5dsconf.

• man5dsoc.

• man5dssd.

To workaround this issue, access the man pages at Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.

6358392

When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.

1. Export the certificate to a file.

   The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

   $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert

2. Exchange the client and supplier certificates.

   The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

   $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt

3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

4. Add the replication manager DN on the consumer.

   $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN

5. Update the rules in /local/consumer/alias/certmap.conf.

6. Restart both servers with the dsadm start command.

6412131

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6539650

Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start or perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:

# cacaoadm list-params | grep java-flags java-flags=-Xms4M -Xmx64M # cacaoadm stop # cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" # cacaoadm start

Use only the ASCII characters in the instance path to avoid these issues.

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.

6428448

The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.

6446318

On Windows, SASL authentication fails due to the following two reasons:

• SASL encryption is used.

  To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

  dn: cn=SASL, cn=security, cn=config dssaslminssf: 0 dssaslmaxssf: 0

• The installation is done using native packages.

  To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6587801

Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To workaround this issue:

Add the 64-bit module with 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" -libfile /usr/lib/mps/64/libnssckbi.so -nocertdb -dbdir /instance-path/alias -dbprefix slapd- -secmod.db

6468074

It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6469296

Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6478568

The dsadm enable-service command does not work correctly with Sun Cluster.

6480753

The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.

6482378

The supported SSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.

6638990 / 6641357

The ldapmodify bulk import command can damage existing data. Specifying the option -B suffix causes all the existing data in the suffix to be removed.

The ldapmodify man page is therefore incorrect when it states that bulk import using the ldapmodify command does not erase entries that already exist.

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.

6491849

After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497053

When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To workaround this issue,

1. Enabled Monitoring Plug-in using the web console or dpconf.

2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.

6497894

The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6503509

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.

6503546

Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.

6504180

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6506019

On HP-UX, detaching the gdb from a running process of ns-slapd, kills the process and generates core dump.

6507312

On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.

6520646

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999

The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.

These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done()() function.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, provided that the command dsadm enable service has never been called, add the following lines which are marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.

... restart_on="none" type="service"> <service_fmri value="svc:/network/initial:default"/> </dependency> + <dependency name="nameservice" grouping="require_all" \ + restart_on="none" type="service"> + <service_fmri value="svc:/milestone/name-services"/> + </dependency> <exec_method type="method" name="start" exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

If the dsadm enable service command has previously been called, the workaround is as follows:

1. Create a file containing the following content:

   select ds addpg nameservice dependency setprop nameservice/grouping = astring: require_all setprop nameservice/restart_on = astring: none setprop nameservice/type = astring: service setprop nameservice/entities = fmri: "svc:/milestone/name-services"

2. Execute the following command on the file:

   svccfg -f file

   If there are some instances in the maintenance state, run these commands:

   svcadm clear svc:-application-sun-ds:ds-{instancepath}

6547992

On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.

As a workaround to this problem, set the SHLIB_PATH variable.

env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

6550543

You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6.

As a workaround, use JDK 1.5 instead.

6551672

Sun Java System Application Server bundled with Solaris 10 cannot create SASL client connection for authenticated mechanism and does not communicate with common agent container.

As a workaround, change the JVM used by application server by editing the appserver-install-path/appserver/config/asenv.conf file and replace the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.

6551685

The dsadm autostart can make native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6557480

On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.

6571672

If unzip is unavailable on the system, dsee_deploy does not install any product.

6658483

In traditional Chinese, in the Directory Service Control Center the translation of the string "Initialize Suffix with Data..." in the Replication Settings tab of a suffix is confusing.

6644161

In the Korean locale, clicking the Remove Attribute button in Encrypted Attributes Section of the Directory Service Control Center shows the following incomplete error message:

You have chosen to remove

The message should be as follows:

You have chosen to remove {0} from the list of encrypted attributes. In order for the database files to reflect the configuration and to work properly you must Initialize the Suffix. Do you want to continue?