Version 6.4
These Release Notes contain important information available at the time of release of Sun Java™ System Delegated Administrator 6.4. New features and enhancements, known issues and limitations, and other information are addressed here. Read this document before you begin using Delegated Administrator 6.4.
These release notes contain the following sections:
Date | Description of Changes |
---|---|
June 14, 2006 | Added reviewer comments for the Beta release. |
February 24, 2006 | Updated new features in this release, known issues, problems fixed in this release. |
September 2006 | Beta release of these release notes. |
March 2007 | Revenue Release of these release notes (Version 6.4). |
Delegated Administrator 6.4 enables you to provision organizations (domains), users, groups, and resources in an LDAP directory used by Communications Suite applications such as Messaging Server and Calendar Server.
The Delegated Administrator tool has two interfaces:
A utility (a set of command-line tools) invoked with the commadmin command.
A console (a graphical user interface) accessible through a Web browser.
Online help in the Delegated Administrator console describes how administrators can use the GUI to provision users in an LDAP directory.
With Delegated Administrator 6.4, you can provision users in an LDAP Schema 2 directory only. To provision Messaging Server users in an LDAP Schema 1 directory, you must use iPlanet Delegated Administrator, a deprecated tool.
For information about configuring and managing Delegated Administrator, see the Sun Java System Delegated Administrator 6.4 Administration Guide. For a description of the Delegated Administrator commadmin command-line tools, see Chapter 5, Command Line Utilities, in Sun Java System Delegated Administrator 6.4 Administration Guide.
Delegated Administrator 6.4 includes the following changes and new features:
Delegated Administrator supports provisioning of calendar groups.
You can use Delegated Administrator to assign calendar service to a group. When the group is first invited to an event, Calendar Server creates a group calendar shared by the users who are members of the group. Invitations to the group appear on the group calendar and on the calendars of the individual members.
The following features implement support for calendar groups:
In the console, you can assign service packages with calendar service to groups. In the Create Group wizard, a Calendar Service Details panel allows you to specify Calendar attributes for the group. Calendar service details can be modified in the group properties page.
In the command-line utility, the commadmin group create and commadmin group modify commands have been enhanced to support calendar groups.
Delegated Administrator can be deployed to Sun Java System Web Server 7.x.
When you run the configuration program, config-commda, you can configure the Delegated Administrator server and console to be deployed to Web Server 7.x.
Users created in Delegated Administrator will have access to Instant Messaging (IM) service if IM is deployed on your site. Users are automatically assigned basic IM service during user creation.
You must use the Access Manager console to set and manage IM user-access levels. In this release of Delegated Administrator, the Delegated Administrator console does not provide access to IM service and does not provide an interface for managing IM user-access levels.
In the command-line utility, the commadmin debug log command creates a Delegated Administrator server log that contains debug statements generated by the Delegated Administrator servlets installed on the Web container.
With the commadmin debug log command, you must create the log in the /tmp/ or /var/tmp/ directory.
The commadmin debug log command supersedes the use of the URL to enable logging for the Delegated Administrator server. The URL used in previous releases can no longer be used for this purpose.
iPlanet Delegated Administrator has been deprecated in favor of the Communications Suite Delegated Administrator console and utility. Sun Microsystems, Inc. will announce an end-of-life time line for iPlanet Delegated Administrator at a future date.
Although iPlanet Delegated Administrator has been deprecated, the iPlanet Delegated Administrator imadmin user purge command has been updated to be compatible with Messaging Server 6.3. For more information about the updated command, see Purging Users with iPlanet Delegated Administrator and Messaging Server 6.3.
This section describes the following platform, client product, and additional software requirements for this release of Delegated Administrator:
At the time of general release of the Sun Java Communications Suite 5, the following Delegated Administrator 6.4 upgrade patches are available:
Platform | Patch Number (English) |
---|---|
Solaris, SPARC | 121581–12 |
x86 | 121582–12 |
Linux | 121583–12 |
This release supports the same platforms supported by Messaging Server, Calendar Server, and other Java Enterprise System components.
Specifically, this release supports the following platforms:
Solaris 10 Operating System (SPARC™ and x86 Platform Editions) including Zones Support
Solaris 9 Operating System Update 2 (SPARC and x86 Platform Editions)
Red Hat Enterprise Linux 3.0 or any RHEL 3 Update
Red Hat Enterprise Linux 4.0 or any RHEL 4 Update
Delegated Administrator is no longer supported on HP-UX or Windows platforms.
For detailed information about Solaris and Linux requirements, including required upgrade patches and kernel versions, see the Sun Java Enterprise System Installation Guide and Sun Java Enterprise System Release Notes.
The following Java Enterprise System components, tools, and LDAP schema version are required for this release of Delegated Administrator:
Directory Server 5.x or 6
To enforce unique values for mail attributes, you must install one of these releases:
Directory Server 6
Directory Server 5.2.5 or later
Directory Server 5.2.4, and you must apply patch 5.2_Patch_4_6313027
Access Manager 6.2 or later
Either Messaging Server 6 or Calendar Server 6, or both
For information about requirements for Messaging Server, see Chapter 3, Sun Java System Messaging Server 6.3 Release Notes.
For information about requirements for Calendar Server, see Chapter 2, Sun Java System Calendar Server 6.3 Release Notes.
Java Enterprise System Web container. You must deploy Delegated Administrator to one of the following Web containers:
Sun Java System Web Server 6.1 or higher
Sun Java System Web Server 7 or higher
Sun Java System Application Server 7.x
Sun Java System Application Server 8.x
Directory Server Preparation Tool (Setup script): comm_dssetup.pl version 6.4–0.03
This version of comm_dssetup.pl is provided when you use the Java Enterprise System Installer to install Directory Server.
LDAP Schema 2
This release of Communications Suite Delegated Administrator is designed for provisioning users in an LDAP Schema 2 directory.
For information about requirements for Directory Server, Access Manager, Web Server, and Application Server, see the current release notes for these products.
For installation instructions for the Java Enterprise System components listed in this section, see the Sun Java Enterprise System Installation Guide.
The memory and disk space requirements for Delegated Administrator are the same as those of the Web container to which Delegated Administrator is deployed.
For information about the Web container’s hardware requirements, see the current release notes for this Java Enterprise System component.
The Delegated Administrator console requires a JavaScript-enabled browser. For optimal performance, Sun recommends the browsers listed in Messaging Server Client Software Requirements.
Table 5–2 Delegated Administrator Console Browser Recommendations
Browser | Windows XP | Windows 2000 | Solaris |
---|---|---|---|
Netscape™ Navigator | 7.2 or later | 7.2 or later | 7.2 |
Microsoft Internet Explorer | 6.0 SP1 and 7.0 | 6.0 SP1 and 7.0 | NA |
Mozilla™ | 1.4 or later | 1.4 or later | 1.4 or later |
Firefox | 2.0 | 2.0 | 2.0 |
For a general summary of the steps required to install and configure Delegated Administrator, see “Chapter 2: Planning for Installation and Configuration” in the Sun Java System Delegated Administrator 6.4 Administration Guide.
For large-scale installations with Access Manager, Messaging Server, and an LDAP Schema 2 directory, you might want to consolidate the Access Control Instructions (ACIs) in your directory.
When you install Access Manager with Messaging Server, a large number of ACIs initially are installed in the directory. Many default ACIs are not needed or used by Messaging Server. You can improve the performance of Directory Server and, consequently, of Messaging Server look-ups, by consolidating and reducing the number of default ACIs in the directory.
For information about how to consolidate and discard unused ACIs, see Appendix F, Consolidating ACIs for Directory Server Performance, in Sun Java System Delegated Administrator 6.4 Administration Guide.
The following table lists the known incompatibilities between Communications Suite Delegated Administrator 6.4 and earlier versions.
Incompatibility | Impact | Comments |
---|---|---|
Access Manager has two install types: Realm Mode (version 7.x style) and Legacy Mode (version 6.x style). Legacy Mode is the default. | At installation, you must choose Legacy Mode as the install type on the following panel: Access Manager: Administration (1 of 6) | If the Realm Mode install type of Access Manager is installed, you will not be able to run Delegated Administrator. |
Upgrading Access Manager from version 6.x to 7.0 (Java ES Release 5) without upgrading Delegated Administrator to version 6.4. NOTE: This incompatibility occurs only if you are running Delegated Administrator version 6 2005Q1 (Java ES Release 3) or earlier. If you are running version 6 2005Q4 (Java ES Release 4), this incompatibility does not occur. | In the Delegated Administrator console or utility, user creation with mail or calendar service will fail. | A workaround is available. For details, see Delegated Administrator Installation, Upgrade, and Configuration Issues. (Issue 6376896) |
Running Directory Server releases earlier than 5.2.4. | The Directory Server feature that enforces unique values for mail attributes is not available with versions earlier than 5.2.4. | Solution: Upgrade to Directory Server 5.2.5 or later. You also can install Directory Server 5.2.4, but you must apply patch 5.2_Patch_4_6313027. For detailed instructions, see Enforce Unique Values for Mail Attributes in Sun Java System Delegated Administrator 6.4 Administration Guide. |
There are no documentation updates for this release of Delegated Administrator.
This list describes the issues fixed in Delegated Administrator.
The commadmin domain purge command cannot perform purge operations because Access Manager cannot locate the Delegated Administrator callback class.
The calmaster user entry cannot be edited in the Delegated Administrator console.
The Domain Disk Quota value is lost if you change the Domain status or Mail Service status of a full organization.
If you make the root suffix a domain, Delegated Administrator functions do not work.
When you upgrade from Application Server 7.x (Java ES Release 2) to Application Server 8.x (Java ES Release 4) and then upgrade to Delegated Administrator 6 2005Q4 (Java ES Release 4), Delegated Administrator fails to redeploy to the upgraded Application Server.
When you create a group with no services using the command-line utility (commadmin group create) and then assign a service package to the group in the Delegated Administrator console, you are not prompted to enter any Mail Service details.
The Delegated Administrator console writes icsAllowRights values to the directory that are different than the values documented in the Schema Reference.
Available Languages list in the User Properties page is not described in the Delegated Administrator console online help.
In the localized Delegated Administrator GUI configuration program, config-commda, the default page size may be too small to display all input fields and field labels properly.
When you use commadmin group create to create a group, you can add only one dynamic membership filter (LDAP URL) with the -f option.
For a shared organization, Calendar Service Details do not appear in the Create New Organization wizard; this information is not explained in the online help.
The number of service packages assigned to groups in an organization can exceed the number allocated to that organization.
You cannot create users in a domain that includes an underscore in its name.
Searching for organizations by service name, service package name, and mail host does not work.
You cannot create an organization with a comma in the organization name. (You still cannot put a comma in an organization name because that violates LDAP DN syntax. The former issue was this: you could go through the entire Create Organization wizard with an invalid comma in the organization name. Now you must correct the error immediately.)
If you delete a domain with the commadmin domain delete command, you cannot use commadmin to purge the domain.
You cannot create a domain with a language-tagged welcome message.
The Delegated Administrator configuration program (config-commda) can be slow if a very large number of organizations are deployed in the directory.
The commadmin user modify command fails if you assign both the sunpresenceuser and sunimuser object classes to a user entry.
A newly created user does not inherit the domain’s time zone (TZ).
An error message, “The organization already exists,” is not localized.
New non-ASCII organizations cause an error because the default administrator’s email address cannot be specified.
You cannot edit a user’s login ID in this release of Delegated Administrator.
This section describes known issues in Communications Suite Delegated Administrator. The section includes the following topics:
Delegated Administrator Installation, Upgrade, and Configuration Issues
Delegated Administrator Localization and Globalization Issues
You cannot upgrade Delegated Administrator from version 2004Q2 to version 6.4 (the current release) when Access Manager is deployed to an Application Server node agent.
This issue occurs when Delegated Administrator is deployed to Application Server and you upgrade Application Server from version 7 to version 8.x. The asupgrade utility migrates the Application Server 7 server1 instance into the Application Server 8.x server1 target running under a nodeagent. However, asupgrade changes the value of the virtual server from server1 in Application Server 7 to server in Application Server 8.x.
Workaround:
When you run the Delegated Administrator configuration program, config-commda, in the Application Server Preferences panel, specify these values for the target and virtual server:
Target: server1
Virtual Server: server
Upgrading to Access Manager 7.0 without upgrading Delegated Administrator to version 6.4 (the current release) will cause user creation to fail.
This issue occurs only if you are currently running Delegated Administrator 6 2005Q1 (Java ES Release 3) or earlier. If you have installed Delegated Administrator version 6 2005Q4 (Java ES Release 4) or have already upgraded Delegated Administrator to version 6.4, this issue does not occur.
When you upgrade to Java Enterprise System Release 5, if you upgrade Access Manager from version 6.x to 7.0 but do not upgrade Delegated Administrator to version 6.4, user creation with mail or calendar service will fail.
The recommended way to solve this issue is to upgrade Delegated Administrator to version 6.4. If you have a compelling reason not to upgrade Delegated Administrator, take the steps described in the following workaround.
Workaround:
Update the UserCalendarService.xml file, located by default in the following directory:
/opt/SUNWcomm/lib/services/UserCalendarService.xml
In the UserCalendarService.xml file, mark the mail, icssubscribed, and icsfirstday attributes as optional instead of required.
In Access Manager, remove the existing XML file by running the amadmin command, as in the following example:
amadmin -u amadmin -w netscape -r UserCalendarService
In Access Manager, add the updated XML file, as in the following example:
amadmin -u amadmin -w netscape -s /opt/SUNWcomm/lib/services/UserCalendarService.xml
Restart the Web container.
The Delegated Administrator configuration program allows you to enter invalid values in the Domain Separator field.
In the configuration program, config-commda, you can enter invalid characters such as ^ in the Domain Separator field. You cannot log into the Delegated Administrator console using a login ID with the invalid domain-separator character.
Workaround: Edit the value of the commadminserver.domainseparator property in the daconfig.properties file, located in the following default path:
/var/opt/SUNWcomm/da/WEB-INF/classes/com/sun/comm/da/resources/daconfig.properties
Use a valid value such as @, -, or _.
Redeploy the edited daconfig.properties file to the Web container used by the Delegated Administrator console.
Before the change can take effect, you must run the script that deploys the customized daconfig.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File in Sun Java System Delegated Administrator 6.4 Administration Guide.
Values in the resource.properties files are overwritten when Delegated Administrator is reconfigured with the config-commda program.
If you configure an existing, configured installation of Delegated Administrator by running the config-commda program again, the properties in the resource.properties file are reset to their default values.
For example, suppose you previously set the following properties to these values:
jdapi-wildusersearchmaxresults=50
jdapi-wildorgsearchmaxresults=10
And then you ran config-commda. These properties would be reset to their default values, as follows:
jdapi-wildusersearchmaxresults=-1
jdapi-wildorgsearchmaxresults=-1
This issue is of concern only if you have changed the Delegated Administrator configuration (if you have enabled plug-ins or modified the values of any properties in the resource.properties file).
Workaround: If you need to upgrade Delegated Administrator, or if you need to rerun the config-commda program for any other reason, you can preserve your existing configuration by taking the following steps:
Back up the resource.properties file.
The resource.properties file is located in the following default path:
da_base/data/WEB-INF/classes/sun/comm/cli/server/servlet/resource.properties
Run the config-commda program.
Edit the new resource.properties file created by the config-commda program. Follow these steps.
(The new file is located in the default path shown in step 1, Back up the resource.properties file, above.)
Open the new resource.properties file.
Be sure to edit the resource.properties file in the original (standard) location in the Delegated Administrator installation directory, not the file deployed to the Web container used by the Delegated Administrator server.
Open your back-up copy of the resource.properties file.
Locate the properties that were customized in the back-up copy. Apply the customized values to the corresponding properties in the new resource.properties file.
Do not simply overwrite the new resource.properties file with the entire back-up copy. The new file may contain new properties created to support this release of Delegated Administrator.
Redeploy the edited resource.properties file to the Web container used by the Delegated Administrator server.
Before the change can take effect, you must run the script that deploys the customized resource.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File in Sun Java System Delegated Administrator 6.4 Administration Guide.
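The merge described in the workaround above, as an added Python example that is not part of the original release notes or of Delegated Administrator: it applies customized values from the back-up copy to the regenerated file line by line, leaves new properties in place, and reports what changed for review. The function names, the `example-*` properties, and the sample file contents are constructed; the code assumes plain `key=value` lines.

```python
# Added example: carry customized values from a backed-up resource.properties
# into the file regenerated by config-commda, without overwriting the new file.
# Assumption: plain key=value lines (no ':' separators, no line continuations).


def _split(line):
    """Return (key, value) for a property line, or None for comments/blanks."""
    s = line.strip()
    if not s or s[0] in "#!" or "=" not in s:
        return None
    key, value = s.split("=", 1)
    return key.strip(), value.strip()


def parse_properties(text):
    """Parse properties text into a {key: value} dict."""
    return dict(kv for kv in map(_split, text.splitlines()) if kv)


def merge_properties(backup_text, new_text, keys=None):
    """Apply backed-up values to the regenerated file.

    keys: optional list of property names to carry over. When None, every
    property present in both files whose value differs is carried over.
    Returns (merged_text, report). Comments, ordering, and properties that
    exist only in the new file are preserved unchanged.
    """
    backup = parse_properties(backup_text)
    new = parse_properties(new_text)
    wanted = set(backup) if keys is None else set(keys) & set(backup)
    report = {
        # key -> (value written by config-commda, value restored from backup)
        "applied": {},
        # customized keys the new release no longer defines: review manually
        "only_in_backup": sorted(wanted - set(new)),
        # properties introduced by the new release: kept as generated
        "new_in_release": sorted(set(new) - set(backup)),
    }
    out = []
    for line in new_text.splitlines():
        kv = _split(line)
        if kv and kv[0] in wanted and backup[kv[0]] != kv[1]:
            report["applied"][kv[0]] = (kv[1], backup[kv[0]])
            line = f"{kv[0]}={backup[kv[0]]}"
        out.append(line)
    return "\n".join(out) + "\n", report


# Constructed sample files. The jdapi-* names and values are the ones used in
# the release notes; the example-* properties are hypothetical.
BACKUP_SAMPLE = """\
# constructed sample: backup taken before rerunning config-commda
jdapi-wildusersearchmaxresults=50
jdapi-wildorgsearchmaxresults=10
example-retired-property=on
"""

NEW_SAMPLE = """\
# constructed sample: file regenerated by config-commda
jdapi-wildusersearchmaxresults=-1
jdapi-wildorgsearchmaxresults=-1
example-new-property=true
"""

if __name__ == "__main__":
    merged, report = merge_properties(BACKUP_SAMPLE, NEW_SAMPLE)
    print(merged)
    for section, items in report.items():
        print(section, items)
```

Review the `applied` entries before redeploying: a differing value can also be a default that changed in the new release, in which case pass an explicit `keys` list instead.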
If the first part of the default organization name created in the Delegated Administrator configuration program (config-commda) matches the root suffix name, the organization cannot be created.
When you run the config-commda program, if you specify a default organization DN whose first characters are the same as the root suffix, a Name Collision error occurs. For example, if you create an organization named o=ispsesta.com and the root suffix is o=isp, this error occurs.
Workaround: Run the config-commda program in silent install mode with a state file. In silent install mode, the configuration program does not validate the organization DN value, so the organization can be created.
Alternatively, make sure that the default organization DN does not start with the same string as the root suffix name.
The default postmaster created by the Messaging Server configure program cannot be modified.
If you try to modify fields in the User Properties page of the default postmaster created during the Messaging Server configuration, the change operation fails.
Note that, in this situation, the Delegated Administrator console was not used to allocate service packages to the postmaster's organization, and the postmaster user was not assigned a service package.
Workaround: Use either of the following methods to solve this issue:
In the Delegated Administrator console, allocate mail service packages to the organization; then assign a mail service package to the user.
Use the Delegated Administrator utility (the commadmin command) with the -S mail option to add mail service to the organization and the user.
When a service package has IMAPS enabled but IMAP access is disabled, the Delegated Administrator console displays it as having IMAP access disabled.
Assume there is a service package that provides access to IMAPS but not IMAP. For example:
mailuserallowedservice: +imaps:ALL$+smpts:ALL$+http:ALL
In the Delegated Administrator console, the Service Package page shows this service package with IMAP Access disabled.
A service package that has IMAP access enabled (such as the bronze service package) is displayed with IMAP enabled.
In the Create Group wizard in the Delegated Administrator console, an incorrect message appears instead of the Back to Top message.
When you search for users in the Create Group wizard—for example, when you are adding an internal member or owner—and you move the mouse over the “Back to Top” link, the tooltip message “Jump to xxx section” appears instead of “Back to Top.”
Attributes passed with the -A option of the commadmin command are ignored if the command also calls an input file containing attributes passed with -A.
This issue occurs if you run a commadmin command such as this one:
./commadmin user create -D tla -w pass -d <domain> -F test -L User -W pass -i /tmp/comm.in -A preferredlanguage:es
And the input file, comm.in, contains attributes passed with the -A option. The result is that the -A option in the command line is ignored. In the example shown above, the preferredlanguage:es is not added.
Workaround: If any attributes are passed in the input file with the -A option, pass all values of -A in the input file. Do not also use -A in the command line.
An Organization Administrator (OA) can remove himself as an OA by modifying the organization Properties page.
If you log into the Delegated Administrator console as an OA, you can go to the organization's Properties page and remove yourself from the list of users with OA rights. No error occurs, and you can continue using the console. You should either be unable to remove yourself as an OA or be logged out as soon as you remove yourself.
Workaround: None.
An inappropriate error message is displayed when you use a domain name that conflicts with the name of a deleted domain.
This issue occurs if you create an organization with a domain name that is the same as the name of a deleted domain. (The organization name is different than the name of the deleted organization.) The following error message appears: Attribute uniqueness violated.
Workaround: Specify a new domain name.
When you add dynamic members to a group in the Delegated Administrator console, you cannot test a manually constructed LDAP URL.
When you create a new group and add dynamic members to the group, you can either manually construct an LDAP URL or use the fields available in the drop-down menus to construct the LDAP URL. If you use the drop-down menus, you can click the Test LDAP URL button. If you manually construct the LDAP URL, this feature is disabled.
Using the browser or system controls in the Delegated Administrator console can generate unexpected results.
Workaround: Navigate only by using the built-in Delegated Administrator controls, such as the tabs, buttons, and navigation links provided on the page itself. Do not use browser or system controls, such as your browser's Back button or the Close icon on dialog windows.
An incorrect error message is displayed when you create a new user with a Login ID that is already in use.
When you create a new user with a unique email address but a login ID that is already used, the user is not created (which is the correct behavior), but the following error message is displayed: “Cannot create user — mail address already used.” The error message should say that the login ID is already used.
Workaround: None.
No indication when a User, Organization, or Group list page has finished loading.
If you click a button while a list page is loading, an error occurs.
Workaround: While the page is loading, a message asks you to wait. Do not click any buttons or links until the page is ready.
The advanced search feature does not return correct results for organizations.
This issue occurs if you perform the following steps:
Select the Advanced Search feature.
Select “Organizations” from the drop-down list.
Click the Match All or Match Any radio button.
Select an organization name from the drop-down list.
Enter valid values in the text field.
Click Search.
Instead of returning only the organizations that match the search criteria, Delegated Administrator displays all organizations.
Workaround: None.
Cannot modify non-ASCII groups.
If a group is created with a group name that contains non-ASCII characters, it cannot be modified with the commadmin group modify command.
For example, if a group with the non-ASCII characters XYZ is specified with the -G option in the commadmin group create command, an email address of XYZ is automatically added to the group’s LDAP entry. Since non-ASCII characters are not allowed in email addresses, modifying the group with commadmin group modify fails.
Workaround: Use the -E email option when creating a group. This option will specify the group’s email address. For example: commadmin group create -D admin -w password -d siroe.com -G XYZ -S mail -E testgroup@siroe.com.
This section describes Delegated Administrator localization problems. No localization issues exist for this release.
This section describes errors or incomplete information in the Delegated Administrator books and online help.
The Delegated Administrator online help displays the current version as Communications Suite 5 Delegated Administrator instead of Delegated Administrator 6.4.
The Delegated Administrator online help for the Editing Group Properties page incorrectly documents the following UI fields: Add Header Field and Remove Header Field.
These UI fields are not implemented in Delegated Administrator. The LDAP attributes, mgrpAddHeader and mgrpRemoveHeader, are not provisioned through the Delegated Administrator console.
The Delegated Administrator online help incorrectly describes the Message Prefix Text field in the Create New Group wizard and Group Properties page.
The correct description is as follows:
Enter the text to be added to the beginning of the message text sent to the group. You must supply the formatting. That is, you must supply the CRLF where they belong in the text.
The Delegated Administrator online help incorrectly defines the Attachment Quota value in the Create New Organization wizard and Organization Properties page.
The online help describing the Mail Service Details panel in the Create New Organization wizard and the Mail Service section of the Organization Properties page states that the Attachment Quota field displays the “attachment size per message.” The online help tells the user to enter a maximum attachment quota size in kilobytes. This is incorrect.
The Attachment Quota sets the maximum number of attachments for each email message. For example, setting a value of 2 would allow users to attach no more than two files to a message. The size of each attachment is not affected by this attribute.
Delegated Administrator online help erroneously states that you can use “>” and “<” signs when searching for organizations.
The “Searching Organizations” online help topic contains the following erroneous statement: “You can also search for organizations with values greater than or less than the value entered in the text box by entering a > or < sign before the value.”
You cannot search for greater-than or less-than values when searching for organizations.
Delegated Administrator online help does not explain that the Login ID must be in ASCII characters.
When you enter a Login ID when creating a new user or editing user properties in the Delegated Administrator console, the online help should read as follows:
Login ID. Enter the user's login ID. Values entered in this field are limited to ASCII characters.
Access Manager online help does not explain that unselecting the Compliance User Deletion option causes problems when deleting mail and calendar users with the Delegated Administrator delete commands.
The Access Manager Administration Console option, Compliance User Deletion, must be selected to enable the Delegated Administrator console delete and commadmin delete operations to successfully delete users, groups, and resources.
The Access Manager Compliance User Deletion option should be documented as follows:
Specifies whether a user's entry will be deleted, or just marked as deleted, from the directory. This attribute is only applicable when Access Manager is installed in legacy mode.
When a user's entry is deleted and this option is selected (true), the user's entry will still exist in the directory, but will be marked as deleted. After the user entry is marked for deletion, you can permanently remove it from the directory by using the Communications Suite Delegated Administrator commadmin domain purge command.
Messaging Server and Calendar Server require this option to be selected to properly maintain the integrity of their databases with respect to the user data in the directory.
User entries that are marked for deletion are not returned during Access Manager searches of the Directory Server.
If this option is not selected, the user's entry will be deleted from the directory. Deleting a Messaging Server or Calendar Server user's entry when this option is not selected can cause the user's mailbox or calendar to be orphaned.