Skip Navigation Links | |
Exit Print View | |
Sun Java System Directory Server Enterprise Edition Bundle Patch 6.3.1.1.2 Release Notes |
3. Directory Server Bugs Fixed and Known Problems
4. Directory Proxy Server Bugs Fixed and Known Problems
Bugs Fixed in Directory Proxy Server in Bundle Patch 6.3.1.1.2
Known Problems and Limitations in Directory Proxy Server
Directory Proxy Server Limitations
Known Directory Proxy Server Issues in Bundle Patch 6.3.1.1.2
Known Problems and Limitations in Directory Proxy Server in Bundle Patch 6.3.1.1.2
Known Limitations in Directory Proxy Server Bundle Patch 6.3.1.1.2
Known Problems in Directory Proxy Server Bundle Patch 6.3.1.1.2
5. Identity Synchronization for Windows Bugs Fixed and Known Problems
6. Directory Editor Bugs Fixed and Known Problems
7. Directory Server Resource Kit Bugs Fixed and Known Problems
This section lists known problems and limitations at the time of Directory Server Enterprise Edition Bundle Patch 6.3.1.1.2 release.
This section lists product limitations.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.
To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.
When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.
To ensure atomicity, do not use the join data view for write operations. If you perform write operations on join data view, use an external mechanism to prevent or detect inconsistencies. You can monitor inconsistencies by monitoring Directory Proxy Server error log.
The modify DN operation is not supported for LDIF, JDBC, join and access control data views.
Currently, getEffectiveRight control is supported only for LDAP data views and does not yet take into account ACIs local to the proxy.
After configuring alerts, you must restart Directory Proxy Server for the change to take effect.
This section lists the known issues that are found at the time of Directory Proxy Server Bundle Patch 6.3.1.1.2 release.
Directory Proxy Server cannot resume the JDBC data source connection that is restored after the data source connection failure. Directory Proxy Server can resume the connection only after restarting the Directory Proxy Server instance.
Directory Proxy Server must be restarted when the authentication mode configuration is changed.
After generation of a CA-Signed Certificate request, when you refresh, the certificate is displayed as a self-signed certificate.
If the SSL port used by Directory Proxy Server is incorrect, after a secure search request on that port Directory Proxy Server may close all connections.
Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.
It is possible to specify the base-dn property when creating a data view. But it is not possible to set the base-dn property to "", the root DSE, after creating the data view.
The '"' character is removed by the shell. The workaround is to escape it typing base-dn:\"\"
The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.
Directory Proxy Server fails to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.
When working with join data views, Directory Proxy Server does not take data distribution algorithms in the views that make up the join.
To work around this issue, configure data distribution at the level of the join data view when using joins and data distribution together.
In Directory Proxy Server, referral hop limit does not work.
On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.
Creation of JDBC data source entries is not dynamically detected. If you create a JDBC server before creating a JDBC data view, the data view is ignored until the next restart of the server. After configuring a JDBC data source, therefore, you must restart Directory Proxy Server for the change to be detected.
The workaround is to create the JDBC data view before creating the JDBC server
After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.
To work around this issue, change the permissions on the installations and server instance folders.
For the HP-UX platform, Directory Server Enterprise Edition, man pages for the man5dpconf section cannot be accessed from the command line:
To workaround this issue, access the man pages at Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.
On Windows, DSCC initialization can only be performed by Administrator user.
Access Manager, when accessing Directory Server through Directory Proxy Server, has been seen to encounter caching problems related to persistent searches after Directory Server is restarted.
To work around this issue, restart either Access Manager or Directory Proxy Server after restarting Directory Server.
For further fine tuning, you can increase the number of and delay between Access Manager attempts to reestablish persistent search connections. You can increase these parameters by changing the following property in the AMConfig.properties file:
Increase com.iplanet.am.event.connection.delay.between.retries, which represents the number of milliseconds delay between attempts. The default is 3000 milliseconds.
If you run a search using JDBC data view configured with DB2 database and there are large number of entries to be returned in the search result, an error might occur after returning 1,344 entries.
To overcome this limitation, increase the number of large packages by setting the value of the CLI/ODBC configuration keyword CLIPkg to a value up to 30. Even then the search result is limited to maximum of 11,712 Entries.
For more information, see DB2 documentation.
When creating a self-signed certificate using Directory Service Control Center, do not use multi-byte characters for the certificate names.
The default LDAP controls allowed through Directory Proxy Server are not displayed by Directory Service Control Center.
Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.
After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.
Time limit and size limit settings work only with LDAP data sources.
After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.
The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and multi-byte characters.
When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.
To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.
Unlike previous versions, as stated in the manual page Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference, Directory Proxy Server does not allow the server side sort control by default.
You can enable Directory Proxy Server support for the server side sort control by adding server-side-sorting to the list of allowed LDAP controls specified by the allowed-ldap-controls property.
$ dpconf set-server-prop \ allowed-ldap-controls:auth-request \ allowed-ldap-controls:chaining-loop-detection \ allowed-ldap-controls:manage-dsa \ allowed-ldap-controls:persistent-search \ allowed-ldap-controls:proxy-auth-v1 \ allowed-ldap-controls:proxy-auth-v2 \ allowed-ldap-controls:real-attributes-only \ allowed-ldap-controls:server-side-sorting
Notice that you must repeat the existing settings. Otherwise, only the server side sort control is allowed.
When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.
Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.
The JDBC connection configuration to access Oracle 9 through Directory Proxy Server is not exactly as described in the documentation.
Consider the following configuration, with an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.
Typically, to configure access through to MYTABLE, set the following properties.
On the JDBC data source, set db-name:MYINST.
On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.
On the JDBC table, set sql-table:MYNAME.MYTABLE
If these settings do not work, configure access through to MYTABLE with the following settings.
On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST)))
On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537)))
On the JDBC table, set sql-table:MYNAME.MYTABLE
Directory Proxy Server cannot write JDBC attributes implying many-to-many (N:N) relationship between tables in the JDBC database.
Directory Proxy Server instances with multi-byte DN and created using DSCC, fail to start on Linux.
When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:
svcadm: Instance "svc:/instance_path" is in maintenance state.
To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.
Directory Proxy Server instance with multi-byte characters in its path may fail to be created in DSCC, to start or perform other regular tasks.
Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:
# cacaoadm list-params | grep java-flags java-flags=-Xms4M -Xmx64M # cacaoadm stop # cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" # cacaoadm start
Use only the ASCII characters in the instance path to avoid these issues.
On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.
Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.
If duplicate entries are present in RDBMS table matching a DN pattern found in JDBC object class, then duplicate subtree (non-leaf) nodes would be returned by Directory Proxy Server when search is performed against the JDBC data view. For example, if there is a DN pattern ou in a JDBC object class and there are duplicate entries (say, sales) present in the RDBMS column mapped to JDBC attribute ou, then there would be duplicate nodes like ou=sales present in the search result.
To resolve this issue, do the following:
Create an RDBMS view by taking the values from the table that contains the column mapped to ou JDBC attribute in such a way that there are no duplicated entries.
Replace the RDBMS table name with the RDBMS view name in the JDBC object class with the DN pattern ou. The limitation of this approach is that since RDBMS views are read-only, no values for the JDBC attribute ou could be added through Directory Proxy Server.
DPS constructs illegal DB requests.
In DSCC, in the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.
In DSCC 6.0, useTCPNoDelay is set to false by default when creating a data source with DSCC, while the default value of use-tcp-no-delay is set to true when creating instance through the administrative command dpconf create-ldap-data-source.
In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays the multi-byte strings garbled.
The string owner in the output of the dpadm show-cert dps-instance-path command is not translated in Simplified Chinese and Traditional Chinese.
When performing modifications using the modrate tool against a joint view, with both LDAP and JDBC, nullpointer exceptions occur when using more than 1 thread. The errors are similar to the following:
java.lang.NullPointerException com.sun.directory.proxy.server.JoinDataView. processModifyRequest(JoinDataView.java:916) com.sun.directory.proxy.server.JoinDataViewOpContext.processModifyRequest (JoinDataViewOpContext.java:243) com.sun.directory.proxy.server.ModifyOperation. processOperation(ModifyOperation.java:502 com.sun.directory.proxy.server .WorkerThread.runThread(WorkerThread.java:150) com.sun.directory.proxy.util.DistributionThread.run (DistributionThread.java:225)
If the Directory Proxy Server configuration property allow-bind-operations is set to false, it is not possible to connect on an SSL port using the dpconf command line argument with the -–secure-port option. Connection by Start TLS (default) or by clear connection (the -–unsecured option) are still possible.
Writing virtual transformations does not work for the remove-attr-value transformation model.
Writing virtual transformations does not work as expected when an entry is modified.
No warning is issued when you set a password of insufficient length for the certificate database. If the password is too short, it is accepted by the Directory Service Control Center. Issuing the dpadm command with cert subcommands can then result in the commands hanging.
Attempting to add an attribute value of smalldatetime SQL TYPE triggers the following exception:
ldap_modify: Operations error ldap_modify: additional info: java.lang.Exception: java.lang.Exception: com.microsoft.sqlserver.jdbc.SQLServerException: Conversion failed when converting datetime from character string.
This section lists the known problems and limitations that are found at the time of the Directory Proxy Server Bundle Patch 6.3.1.1.2 release.
Note - Known issues and limitations in Directory Proxy Server Bundle Patch 6.3.1.1.2 persist even after the patch for Directory Proxy Server Bundle Patch 6.3.1.1.2 is applied. Refer to Known Problems and Limitations in Directory Proxy Server for information about these issues.
This section lists the known limitation that is found at the time of the Directory Proxy Server Bundle Patch 6.3.1.1.2 release.
As described in “JDBC Object Classes” in Sun Java System Directory Server Enterprise Edition 6.3 Reference, defining JDBC tables uses primary and secondary tables. Directory Proxy Server does not allow a secondary table to be the primary table of a third table. That is, Directory Proxy Server does not support more than one level of join-rule.
This section lists the known problems that are found at the time of the Directory Proxy Server Bundle Patch 6.3.1.1.2 release.
In release 6.3, if an entry has more than two object classes, adding an entry through a join view (LDAP and JDBC) fails because of the fix for CR 6636463/12219995. To add such an entry, these object classes must be defined as a super-class in the jdbc-object-class configuration entry by the following ldapmodify, because dpconf set-jdbc-object-class-prop can add only one super-class.
This example adds the following entry:
dn: uid=test,ou=people,o=join sn: User cn: Test User objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: test userpassword: password givenname: Test mail: test@example.com telephonenumber: 8888-8888 roomnumber: 8000
The JDBC view is defined as shown in the following example, which was functional before release 6.3.
dn: cn=person,cn=example-view,cn=data views,cn=config secondaryTable: country1 secondaryTable: phone1 primaryTable: employee1 objectClass: top objectClass: configEntry objectClass: jdbcObjectClassMapping dnPattern: uid cn: person superclass: top
Because objectClass:organizationalPerson and objectClass:inetOrgPerson both exist in the entry being added, it is necessary to specify both object classes as super classes, as demonstrated by following ldapmodify command.
$ ldapmodify -p dpsPort -D "cn=Proxy manager" -w password dn: cn=person,cn=example-view,cn=data views,cn=config changetype: modify add: superClass superClass: inetOrgPerson - add: superClass superClass: organizationalPerson
After this ldapmodify example runs, jdbc-object-class is defined as shown in the following example.
dn: cn=person,cn=example-view,cn=data views,cn=config secondaryTable: country1 secondaryTable: phone1 primaryTable: employee1 objectClass: top objectClass: configEntry objectClass: jdbcObjectClassMapping dnPattern: uid cn: person superclass: top superclass: inetOrgPerson Added superclass: organizationalPerson Added
Although the default setting for the log-level-data-sources-detailed property is documented as being none, the actual default value is all. However, setting log-level-data-sources-detailedto any value other than none impacts server performance and makes the access file grow quickly. For that reason, the value of the log-level-data-sources-detailed setting is automatically set to none when a DPS server instances is created. It is recommended that you not set this setting to some other value.
Because of a problem described in Vulnerability Note VU#836068, MD5 vulnerable to collision attacks, Directory Proxy Server should avoid using the MD5 algorithm in signed certificates.
Use the following steps to determine the signature algorithm of a certificate.
Run the following command to display the list of certificates defined in a specific Directory Proxy Server instance:
$ dpadm list-certs instance-path
Run the following commands on each defined certificate to determine whether the certificate is signed with the MD5 algorithm:
$ dpadm show-cert -F ascii -o cert-output-file \ dps-instance-path cert-alias $ dsadm add-cert ds-instance-path cert-alias \ cert-output-file $ dsadm show-cert ds-instance-path cert-alias
The following example shows typical output from the dsadm show-cert command for a certificate signed with the MD5 signature algorithm:
Certificate: Data: ... Signature Algorithm: PKCS #1 MD5 With RSA Encryption ...
Run the following command to remove any MD5–signed certificates from the database:
$ dsadm remove-cert instance-path cert-alias
Use the following steps to update the certificate database password. (The dpadm command generates a default certificate database password when creating a directory proxy server instance.)
Stop the Directory Proxy Server instance.
Run the following command:
$ dpadm set-flags instance-path cert-pwd-prompt=on
A message appears, prompting you for a password.
Enter a password that is at least eight characters long.
Restart the Directory Proxy Server instance and provide the Internal (Software) Token when prompted for it.
Replace any certificates using the MD5 function with certificates that use the SHA-1 signature algorithm. Use one of the following procedures, depending on whether your installation uses a self-signed certificate or a certificate acquired from a Certificate Authority.
Use the following steps to generate and store a self-signed certificate:
Run the following command:
$ dpadm add-selfsign-cert --sigalg SHA1withRSA \ dps-instance-path cert-alias
Note - The default signature algorithm is MD5withRSA.
The following prompt appears:
[Password or Pin for "NSS Certificate DB"]
Enter the new certificate database password.
Use the following steps to generate and store a certificate acquired from a Certificate Authority (CA):
Run the following command to issue a CA-Signed Server Certificate request:
$ dpadm request-cert --sigalg SHA1withRSA instance-path cert-alias
Make sure that your Certificate Authority is no longer using the MD5 signature algorithm, and then send the certificate request to the Certificate Authority (either internal to your company or external, depending on your rules) to receive a CA-signed server certificate as described in “To Request a CA-Signed Server Certificate” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
When the Certificate Authority sends you the new certificate, run the following command to add the certificate to the certificates database:
$ dpadm add-cert instance-path cert-alias
This step is described in “Creating, Requesting and Installing Certificates for Directory Proxy Server” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
If the trusted Certificate Authority certificate is not already stored in the certificate database, run the following command to add it:
$ dpadm add-cert --ca instance-path trusted-cert-alias
This step is described in “Creating, Requesting and Installing Certificates for Directory Proxy Server” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
Run the following commands to verify that the new certificate is being used.
$ dpadm show-cert -F ascii -o cert-output-file \ dps-instance-path cert-alias $ dsadm add-cert ds-instance-path cert-alias \ cert-output-file $ dsadm show-cert ds-instance-path cert-alias
With a Microsoft SQL Server back end, when using smalldate fields, only the long version of dates are supported, or else a conversion error occurs, as shown in the following example.
ldap_modify: Operations error ldap_modify: additional info: java.lang.Exception: \ com.microsoft.sqlserver.jdbc.SQLServerException: \ Conversion failed when converting datetime from character string.
Note - The long version of a date uses the form YYYY-MM-DD HH:MM.