Sun Java(TM) System Directory Server 5.2 2005Q1 Release Notes

Sun Java™ System Directory Server Release Notes

Version 5.2 2005Q1

Part Number 817-7611-10

These Release Notes contain important information available at the time of release of Sun Java System Directory Server 5.2 2005Q1. New features and enhancements, known issues and limitations, and other information are addressed here. Read this document before you begin using Directory Server 5.2.

The most up-to-date version of these release notes can be found at the Sun Java System documentation web site: http://docs.sun.com/prod/sunone. Check the web site prior to installing and setting up your software. Then check the web site periodically thereafter to view the most up-to-date release notes and product documentation.

These release notes contain the following sections:

Third-party URLs are referenced in this document and provide additional, related information.

Note

Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Release Notes Revision History

Table 1 Revision History 

Date

Description of Changes

Feb. 2, 2005

Revenue release

Feb17, 2005

Updated patch version numbers in Table 6 through Table 9.

Feb 22, 2005

Updated Linux package numbers in Table 9 and added support for Solaris 10.

About Directory Server 5.2 2005Q1

Directory Server 5.2 2005Q1 is part of the Sun Java Enterprise System that delivers an integrated, core set of industry-leading enterprise network services that virtually all businesses need today.

This section includes:

What's New in This Release

Directory Server 5.2 2005Q1 is a maintenance release of Directory Server 5.2 2004Q2. The following new features have been introduced in Directory Server 5.2 2005Q1:

For information about the bugs fixed in Directory Server 5.2 2005Q1, see "Bugs Fixed in This Release" on page 5.

The Directory Server commands and Administration Server commands are now documented as man pages. For more information, see "Documentation Notes" on page 10.

The following feature was available in Directory Server 4.x but is not available in Directory Server 5.2:

Hardware and Software Requirements

The following software is required for Directory Server 5.2 2005Q1.

Caution

Before installing Directory Server on Solaris 8 Ultra SPARC® and Solaris 9 Ultra SPARC®, you must ensure that the required OS patches have been installed. These patches can be obtained in the form or a patch cluster or as individual patches from http://sunsolve.sun.com. The required OS patch cluster includes an installation script that installs the patches in the correct order. The clusters are updated periodically as new patch revisions are released. Select the "Patches" link on the SunSolve site and follow the links to obtain the required OS patch clusters.

Table 2 Solaris SPARC® Hardware and Software Requirements 

Component

Platform Requirement

Operating System

Solaris 8 Ultra SPARC Platform Edition with patches required for Java Enterprise System (Sun Cluster 3.1 Release 04/04 has been qualified to run on Solaris 8 02/02 (with the recommended patches installed) and Solaris 8 HW 05/03 (PSR 2))

Solaris 9 Ultra SPARC Platform Edition with patches required for Java Enterprise System (Sun Cluster 3.1 Release 04/04 has been qualified to run on Solaris 9 04/04)

Solaris 10 Ultra SPARC Platform Edition with patches required for Java Enterprise System

RAM

256 Mbytes for evaluation purposes and 1 Gbyte as a recommended minimum

Disk space

200 Mbytes of disk space for binaries. By default, most binaries are contained in /usr.

1.2 Gbytes of disk space for logs and databases for an evaluation configuration. By default, logs and databases are stored in /var/opt.

Entries that are stored in Directory Server use disk space. Consider adding 4 Gbytes for a sample production deployment with a maximum of 250000 entries and no binary attributes such as photos.

Java

Java Runtime Environment 1.5.

Table 3 Solaris x86 Hardware and Software Requirements 

Component

Platform Requirement

Operating System

Solaris 9 x86 Platform Edition (Sun Cluster 3.1 Release 04/04 has been qualified to run on Solaris 9 04/04 x86 Platform Edition)

Solaris 10 x86 Platform Edition

RAM

256 Mbytes for evaluation purposes and 1 Gbyte as a recommended minimum

Disk space

200 Mbytes of disk space for binaries. By default, most binaries are contained in /usr.

1.2 Gbytes of disk space for logs and databases for an evaluation configuration. By default, logs and databases are stored in /var/opt.

Entries that are stored in Directory Server use disk space. Consider adding 4 Gbytes for a sample production deployment with a maximum of 250000 entries and no binary attributes such as photos.

Java

Java Runtime Environment 1.5.

Table 4 Linux Hardware and Software Requirements 

Component

Platform Requirement

Operating System

RedHat Advanced Server 2.1 Update 2 or RedHat Advanced Server 3.0 Update 3

Patches or service packs

None

Additional software

None

Compatibility libraries

The following compatibility libraries:

  • compat-gcc-7.3-2.96.128.i386.rpm
  • compat-gcc-c++-7.3-2.96.128.i386.rpm
  • compat-libstdc++-7.3-2.96.128.i386.rpm

If you running 64-bit Linux, you must install the system libraries for 32-bit Linux.

Java

Java Runtime Environment 1.5.

Note

Directory Server 5.2 has been validated with Sun Cluster 3.1.

Specific operating system patches may need to be installed before Directory Server 5.2 can be installed. For further information, refer to the Directory Server Installation and Tuning Guide issued with the initial release of Directory Server 5.2. You can obtain Solaris patches from http://sunsolve.sun.com

Bugs Fixed in This Release

The following table describes the bugs fixed in Directory Server 5.22005Q1.

Table 5 Bugs Fixed in Directory Server 5.2 2005Q1 

Bug Number

Description

2069724
(4866642)

Searches based on a substring filter for the telephonenumber attribute fail if the filter contains a blank space directly after the `*' substring.

2078726/
(4973380)

Directory Server hangs when performing both a VLV browsing index update during add operations and a VLV search operation.

2078935
(4976129)

nsslapd-XXXXXXlog-logmaxdiskspace does not work over 2 GB

2081033
(5005446)

directoryserver monitor Command Does Not Work on Non-Active Nodes in a Cluster

2122385 (4889077)

db2ldif produces unexpected errors when sub-suffixes are given in the -s option

2122386 (4925250)

Incorrect Error Message When Exporting a Subtree by Using the db2ldif -s Option

4527623

Account Lockout Is Not Cleared When Password Is Changed

4529532

Trailing Spaces Are Not Preserved During Remote Console Import Operations

4755958

ldapsearch on Linux systems

4819710

Issues arose when both LDAP v2 and LDAPv3 applications use certificate related attributes

4861499

nsslapd-rewrite-rfc1274 Incorrectly Translates Attributes From LDAP v2 to LDAP v3

4869781

Running the db2ldif Command With the -r Option Causes a Disorderly Shutdown of the Database

4917152

Chained Suffixes Return Mixed Case DNs in Lower Case

4938877

Incorrect Error Message Produced if the txlog Directory Is Missing

4956596

Additional documentation required on using referential integrity plug-in with legacy replication

4971699

SSL does not start for a Directory Server with the instance name "test-cert"

4977320

Must Re-Initialize the Consumer Twice After Modifying Attributes Replicated by Fractional Replication

4987124

If two entries with duplicate UIDs are added to Directory Server simultaneously, then UID uniqueness is not enforced

4997578

Using the attribute encryption functionality may result in generating duplicate values for the UID attribute

5006198

Large Replication Delays in 4-way MMR

5025653

When certain multi-byte characters are entered into the text field of the Directory Server's Online Help Search Index, additional characters are prepended and an ArrayOutofBounds exception error is displayed.

5041885

nsSchemaCSN" has multiple values after upgrade of AS + DS from Patch1 => Patch2

5045854

Absence of Symbolic Links to the slapd Directory for On-Line Help

5046691

Copyright Date in On-Line Help Is Incorrect

5047194

Japanese On-Line Help Is Incomplete

5046714

On-Line Help in French And German Contains HTML Tags Instead of Rendered Characters

5067904

Console Cannot Display a Certificate With a Quote (") In the DN

6181119

Bad format for 00core.ldif after upgrading DS5.2Patch1 => Patch3

6181203

The upgrade does not update the schema: 'modDNEnabledSuffixes' attribute is missing

6194664

JES3 build07 - i18n - Error dialog without text for creating role members

Important Information

For information that is not contained in the core product documentation, see the following sections:

Installation Notes

For information about patch requirements and installation, see the following sections:

Patch Requirement Information

If you have Directory Server 5.2 installed from Solaris packages and wish to bring it in line with Directory Server delivered from Java Enterprise System 2005Q1, install the following patches with the given version number or higher. To access the patches, go to http://sunsolve.sun.com.

Caution

To avoid breaking product dependencies, it is mandatory to install the patches in the order provided in the following tables.

Table 6 Directory Server 5.2 2005Q1 Alignment Patches Required For Solaris 8 (SPARC)

Patch Number

Patch Description

116103-06

SunOS 5.8: International Components for Unicode Patch

117722-10

SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0

115328-01

SunOS 5.8: Simple Authentication and Security Layer (2.01)

115610-18

SunOS 5.9_sparc: Administration Server 5.2 patch

115614-20

SunOS 5.9: Directory Server 5.2 patch

117015-16

Patch for localized Solaris packages

116837-02

LDAP CSDK - SUNWldk, SUNWldkx

Table 7 Directory Server 5.2 2005Q1 Alignment Patches Required For Solaris 9 (SPARC)

Patch Number

Patch Description

114677-08

SunOS 5.9: International Components for Unicode Patch

117724-10

SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0

115342-01

SunOS 5.9: Simple Authentication and Security Layer (2.01)

115610-18

SunOS 5.9_sparc: Administration Server 5.2 patch

115614-20

SunOS 5.9: Directory Server 5.2 patch

117015-16

Patch for localized Solaris packages

116837-02

LDAP CSDK - SUNWldk, SUNWldkx

Table 8 Directory Server 5.2 2005Q1 Alignment Patches Required For Solaris 9 (x86)

Patch Number

Patch Description

114678-08

SunOS 5.9_x86: International Components for Unicode Patch

117725-10

SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0

115611-18

SunOS 5.9_x86: Administration Server 5.2 patch

115615-20

SunOS 5.9_x86: Directory Server 5.2 patch

117015-16

Patch for localized Solaris packages

116838-02

LDAP CSDK - SUNWldk

On Linux systems, the alignment patches include the Directory Server and Administration Server patches available on http://sunsolve.sun.com and shared component patches, which are provided on the distribution CD. See "Applying Linux Shared Component RPMs" in the Sun Java Enterprise System 2005Q1 Upgrade and Migration Guide for information on locating and installing the RPMs.

Table 9 Directory Server 5.2 2005Q1 Alignment Patches Required for Linux

Patch Number

Patch Description

118080-05

sun-directory-server-5.2-18.i386.rpm
sun-directory-server-man-5.2-3.i386.rpm

118079-05

sun-admin-server-5.2-13.i386.rpm
sun-server-console-5.2-13.i386.rpm
sun-admin-server-man-5.2-3.i386.rpm

 

sun-nspr-4.5.1-2.i386.rpm
sun-nss-3.9.5-1.i386.rpm
sun-jss-4.0-5.i386.rpm
sun-sasl-2.02-2.i386.rpm
sun-icu-2.1-9.i386.rpm
sun-ljdk-4.17-3.i386.rpm
sun-ldapcsdk-5.12-3.i386.rpm

For more information about the Sun Java Enterprise System, see http://wwws.sun.com/software/learnabout/enterprisesystem/index.html

General Installation Information

Compatibility Notes

Documentation Notes

Man Pages

Directory Server commands and Administration Server commands are now documented as man pages and delivered in the following formats:

To Access the Man Pages

  1. Ensure that the man pages packages are installed in the following default locations:

    2. For Solaris systems:

    SUNWdsman in /opt/SUNWdsman/man

    SUNWasman in /opt/SUNWasman/man

    For Linux systems:

    sun-directory-server-man-5.2-1.i386.rpm in /opt/sun/man

  2. Update your MANPATH environment variable:

    3. For Solaris systems, run the following commands:

    $ export MANPATH=${MANPATH}:/opt/SUNWdsman/man

    $ export MANPATH=${MANPATH}:/opt/SUNWasman/man

    For Linux systems, run the following command:

    $ export MANPATH=${MANPATH}:/opt/sun/man

Product Version Number

In some parts of the Directory Server documentation and console, the version number of the product is referred to as 5.2. Directory Server 5.2 2005Q1 is a maintenance release of Directory Server 5.2.

Localized Documentation

Localized documentation is posted to http://docs.sun.com/ as it becomes available.

Known Issues and Limitations

This section contains a list of the known issues and limitations with Directory Server 5.2 2005Q1. The issues are grouped into the following categories:

Installation, Uninstallation, and Migration

Error During Upgrade of RPM for Directory Server (#2122219 and 5071553)

Upgrade to the new version of the RPM for Directory Server fails with an exit status 1 because the previous RPM was not uninstalled. This issue applies to upgrade to the following RPM for Directory Server:

The new version of the RPM for Directory Server is installed correctly.

Workaround
After installing the new version of the RPM for Directory Server, uninstall the previous RPM manually by using the following command:

Cannot Install Directory Server When the Root Suffix Contains Spaces (#4526501)

A root suffix cannot contain space characters.

Workaround
If your root suffix contains space characters, correct the suffix generated at installation time to remove the spaces:

  1. In the Sun Java System Server console, select the top directory entry in the left-hand navigation pane of the Servers and Applications tab.
  2. Click Edit and modify the suffix in the User directory subtree field.
  3. Click OK to save the change.

Error Message When Running migrateInstance5 Script (#4529552)

When the migrateInstance5 script is run with the error logging feature disabled, a message indicates that the migration procedure is attempting to restart the server while the server is already running.

Workaround

Duplicate Value Error Logged in the Configuration Directory Server During Installation (#4841576)

During configuration of Directory Server, an ACI on the server group entry for each new server installation is added. If the entry already exists and the ACI value already exists on the entry (which is the case when Administration Server is installed after Directory Server), then the following error is logged in the Configuration Directory Server:

[07/May/2004:16:52:29 +0200] - ERROR<5398> - Entry - conn=-1 op=-1msgId=-1 - Duplicate value addition in attribute "aci" of entry "cn=Server Groups, cn=sorgho.france.sun.com, ou=france.sun.com,o=NetscapeRoot"

Workaround
Ignore the error message.

Only use the restart-admin command on the active node in a cluster-enabled environment (#4862968)

Cannot Use Multibyte Characters for Installation of Traditional Chinese (zh_TW) Version (#4882801)

If multibyte characters are entered as the suffix name during installation of the traditional Chinese (zh_TW) version, the suffix name does not display correctly in the console. This issue is restricted to 32-bit and 64-bit installations from Solaris packages on SPARC processors.

Workaround

  1. Create a monobyte suffix at installation. Once installation is complete, create the desired multibyte suffix using the console.
  2. Upgrade your JRE to version 1.4.1 or later.

Cannot Use Multibyte Characters at Installation of AS and DS (#4882927)

At installation, using multibyte characters for anything other than the suffix name causes Directory Server and Administration Server configuration to fail.

Workaround
Use monobyte characters for all fields other than the suffix name.

Loop Results From the Use of an Incorrect Password During Command Line Installation (#4885580)

If you enter an incorrect password during command-line installation, you enter a loop.

Workaround
When you are prompted for the password again, type "<"to return to the previous input item, and then press return to keep the previous choice. When you are asked for the password again, enter the correct password.

Warning About Missing Character Sets During Uninstallation (#4887423)

When you perform an uninstalltion by using the console, you can dismiss the uninstallation logs by using the OK button. When you use this OK button, you might be warned about missing character sets.

Workaround
None. Ignore these warning messages.

pkgrm Command Does Not Remove All Directory Server Distribution Packages (#4911028)

After running the pkgrm command, the /usr/ds directory and some files remain.

Workaround
After running the pkgrm command, manually remove the /usr/ds directory and its files.

Configuration of Directory Server Fails When Using a Remote Configuration Directory (#4931503)

When configuring Directory Server by using a remote configuration directory, configuration fails if the administration domain of the remote directory does not match the administration domain in the setup procedure.

Workaround
When configuring Directory Server by using a remote configuration directory, use the same administration domain as defined in the remote configuration directory.

Some Plug-Ins Are Not Migrated From Directory Server 4.x to Directory Server 5.x (#4942616)

During migration from Directory Server 4.x to Directory Server 5.x, not all plug-ins are migrated.

Workaround
In the 4.x slapd.ldbm.conf configuration file, insert quotation marks around the plug-in path for the plug-in to be migrated.

For example change the plug-in post-operation referential integrity from

to

Cannot Restart Administration Server From the Console on an x86 Cluster (#4974780)

The Administration Server cannot be restarted from the console when using Solaris 9 on an x86 cluster.

Workaround
On the Administration Server console select Stop Server and then Restart Server.

pkgrm Command Fails if Directory Server Is Configured (#4992818)

If Directory Server is configured the pkgrm command fails to remove the following packages:

Workaround
Before running the pkgrm command, unconfigure Directory Server by using the following command: /usr/sbin/directoryserver -u 5.2 unconfigure

If you did not unconfigure Directory Server before you ran the pkgrm command, perform the following steps:

startconsole Command Fail to Start Servers When User Does Not Have Write Access to ServerRoot (#5008600)

To access certain servers the Server Console may have to download JAR files into the ServerRoot directory. If the user running the startconsole command does not have write access to the ServerRoot directory, the console cannot open the servers in question.

Workaround
Either run the startconsole command as the user who owns the ServerRoot directory, or install and configure the server packages on the host running Server Console.

patchrm Command on Patch 115614-19 in a Cluster Removes Patch From First Node Only (#5035139)

When the patchrm command is used on patch ID 115614-19 in a cluster, it removes the patch from from the first node only. When the patch is removed from the second and subsequent nodes, the following error message is displayed:

Workaround
When you have successfully removed the patch from the first node in your cluster, and if you have received the above error message, create a symbolic link in ServerRoot/shared/bin to point to the sync-directory binary as follows:

Then rerun the procedure to remove the patch.

SUNW.dsldap Pointer in Incorrect Location After Relocation of Packages (#5035885)

If the SUNWds* packages are relocated to a directory other than the default installation directory, the SUNW.dsldap pointer is also relocated. Consequently, the SUNW.dsldap pointer will not be in the correct directory. To find the directory that contains the SUNW.dsldap pointer, run this command:

Workaround
Do not relocate SUNWds* packages.

If you have relocated the SUNWds* packages, correct the location of the SUNW.dsldap pointer as follows:

  1. Move the SUNW.dsldap pointer to this directory:

    2. /usr/cluster/lib/rgm/rtreg

  2. Set the destination of the SUNW.dsldap pointer to the location returned by this command:
    • For Administration Server 5.2 2005Q1:

Modifications to Default Index Attributes Are Not Migrated From DS 5.1 to DS 5.2 (#5037580)

Modifications to the default index attributes are not migrated when you migrate from Directory Server 5.1 to Directory Server 5.2.

Workaround
None

Installation Fails When the Base DN Contains a White Space (#5040621)

During installation, if the base DN contains a white space (for example, o=example east) the directoryURL entry is incorrectly parsed for the UserDirectory global preferences. Consequently, all operations to the userDirectory fail to find the entries in user/groups in the console.

Workaround
Modify the base DN value in one of the following ways:

slapd Does Not restart After patchadd 115614-10 Run on Cluster (#5042440)

When patch 115614-10 is installed on a cluster by using the patchadd command, the slapd process does not restart.

Workaround

  1. Stop the slapd process and the Administration Server prior to applying patches on cluster
  2. Patch all nodes in the cluster irrespective of whether ns-slapd fails to start or not
  3. When all nodes are patched start the slapd process
  4. Run the directoryserver sync-cds command for the Administration Server and slapd

Backout Fails When Previous Version Is Not Configured (#6196574)

Backout fails in the following scenario:

The backout fails because the <ServerRoot>/admin-serv/upgrade/versions.conf file does not contain the correct information to backout to Directory Server 5.2 2004Q2 and Administration Server 5.2 2004Q2.

Workaround
Configure Directory Server 5.2 2004Q2 and Administration Server 5.2 2004Q2 before installing Directory Server 5.2 2005Q1 and Administration Server 5.2 2005Q1.

Cannot Install Patch 117015-05 on Directory Server 5.2 RTM (#6200636)

The localization patch 117015-05 cannot be installed during migration from Directory Server 5.2 RTM to Directory Server 5.2 2004Q2. The pkginfo files in patch 117015-05 are inconsistent with those in Directory Server 5.2 RTM for the values ARCH and VERSION.

Workaround
Before apply the localization patch, perform the following steps:

  1. On the server running Directory Server 5.2 RTM, locate the pkginfo files for each installed localization package. For example, the Japanese localization package files could be here:

    2. /var/sadm/pkg/SUNWjdsvcp/pkginfo

    /var/sadm/pkg/SUNWjdsvu/pkginfo

  2. In the pkginfo file for each installed localization package, change the values of ARCH and VERSION to the following values:

    3. ARCH=all

    VERSION=5.2,REV=2003.05.23

If Directory Server Installed With umask 0027 Instances Cannot be Managed by Non-Root User (#6206311)

If Directory Server is installed with the file mode creation mask 0027, a non-root user cannot configure or manage Directory Server instances.

Workaround
Before installation, change the umask to 0022. Otherwise, change the default permissions for any file created by the process.

migrate5xto52 Script Causes Incorrect CSN to be Generated After Migration (#6206915)

When you use the migrate5xto52 script to migrate from Directory Server 5.1 to Directory Server 5.2, replication can halt some time after the migration. The error can occur weeks or months after the migration.

Workaround
Before running the migration script, perform the following steps:

migrate5xto52 Script Breaks Replicated Topologies (#6207013)

When you use the migrate5xto52 script to migrate a 32-bit Directory Server 5.x replica to 64-bit Directory Server 5.2 2005Q1, the script converts replica values for nsState incorrectly. Consequently, it can be necessary to re initialize the entire replicated topology.

Workaround
Before running the migrate5xto52 script, comment out the following two lines of the newLDIFReplica Perl subroutine in the <ServerRoot>/bin/slapd/admin/bin/migrate5xto52 file:

Upgrade of a Standalone Instance of Directory Server Requires the sync-cds Command to be Run (#6208268)

When a standalone instance of Directory Server 5.2 is upgraded from 2004Q2 to 2005Q1, the upgrade procedure requires the data in the Configuration Directory Server to be synchronized. Before running the sync-cds command, Directory Server searches for the presence of the adm.conf file. When the Administration Server is not configured, the file is not present and the sync-cds command cannot run.

Workaround
Create a dummy adm.conf file so that the sync-cds command can run:

  1. Create a file called <ServerRoot>/admin-serv/config/adm.conf
  2. Edit the file to contain the following line only:

Where <hostname> is a fully qualified domain name for the host that the Directory Server is running on, and <administration_domain> is typically the host domain name.

For example:

Entries With Password Expiration Cannot be Replicated to Older Versions of Directory Server (#6209543)

The pwdChangedTime attribute and usePwdChangedTime attribute are defined in Directory Server 5.2 2004Q2 and later versions. These attributes are not defined in Directory Server 5.2 2003Q4 or earlier versions.

When an entry is defined with password expiration in Directory Server 5.2 2004Q2 or later versions, the entry contains the pwdChangedTime attribute and usePwdChangedTime attribute. When that entry is replicated to a supplier running Directory Server 5.2 2003Q4 or an earlier version, the supplier cannot process any modifications to that entry. A schema violation error occurs because the supplier does not have the pwdChangedTime attribute in its schema.

Workaround
Define the pwdChangedTime attribute and usePwdChangedTime attribute in the 00core.ldif file for all servers in the replication topology that are running Directory Server 5.2 2003Q4 or an earlier version.

To define the attributes, add the following lines to the 00core.ldif file for each server:

Security

Bind With Zero-Length Password Is Treated as an Anonymous Bind (#4703503)

If you use a zero-length password to bind to a directory, your bind is an anonymous bind - it is not a simple bind. Third party applications that authenticate users by performing a test bind might exhibit a security hole if they are not aware of this behavior.

Workaround
Ensure that you client applications are aware of this feature.

DNS keyword in ACIs (#4725671)

If the DNS keyword is used in an ACI, any DNS administrator can access the directory by modifying a PTR record, and can thereby provide the privileges granted by the ACI.

Workaround
Use the IP keyword in the ACI, to include all IP addresses in the domain.

LDAP Modify Operations Through SSL Fail When Referred to Master Replica From Consumer Replica (#4922620)

ldapmodify update operations over SSL fail when they are referred to a master replica from a consumer replica.

Error Message At Startup When passwordisglobalpolicy Is Enabled (#4964523)

When the passwordisglobalpolicy attribute is enabled on both masters in a 2-master, multi-master replication topology it works correctly but can generate the following incorrect error message:

Workaround
Ignore the incorrect error message.

Invalid Values Are Accepted for passwordMinLength in Individual Password Policies (#4969034)

The passwordMinLength attribute in individual password policies is 2 - 512 characters. However, values outside of this range are accepted when an individual password policy is configured.

Workaround
Configure individual password policies with passwordMinLength attribute of 2 - 512 characters.

GSSAPI Crashes on Solaris 10 When Using Kerberos (#6184559)

When Directory Server is configured for use with SASL authentication on Solaris 10 build 69, when you perform an authentication by using Kerberos through GSSAPI the directory core is dumped.

Workaround
For 64-bit servers on Solaris 10 machines, pre-load the smartheap library when you start the slapd daemon. To pre-load the smartheap library, modify the start-slapd script under an ldap instance, as follows:

For example:

Replication

Updates to the Retro Change Log on a Master Server Can be Lost (#2121137/6178461)

When a master server crashes, changes made to the retro change log on that server can be lost.

Workaround
Do not to use the retro change log on a master server. Instead, use the retro change log on the consumer server. If you are implementing failover of the retro change log, ensure that you have at least two consumer servers with enabled retro change logs.

Addition of Entries With objectClass=nsTomstone Can Cause Replication to Fail (#2122375/5021269)

Adding an entry with objectClass=nstombstone can cause replication to fail.

Workaround
Do not add entries with objectClass=nstombstone

Local Schema Modifications Can Be Overwritten When a Consumer Database Is Created (#4537230)

The replication monitoring tools rely on read access to cn=config to obtain the replication status. This should be taken into account when replication is configured over SSL.

In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.

Workaround
To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:

Initially, certain schema attributes may be replicated between the servers as they synchronize other schema elements but this is benign and will not cause any problems. See the Installation Notes for details on how the schema has changed.

Replication Monitoring Tools Do Not Support LDAP URLs That Contain Literal IPv6 Addresses (#4702476)

The replication monitoring tools entrycmp, insync, and repldisc do not support LDAP URLs that contain literal IPv6 addresses.

Workaround
None

Multi-Master Replication Over SSL With Certificate-Based Client Authentication Does Not Work If Preceded by SSL With Simple Authentication (#4727672)

In a multi-master replication scenario, if replication is enabled over SSL by using simple authentication, it is not possible to enable replication between the same servers over SSL by using certificate-based client authentication.

Workaround
To enable replication over SSL using certificate-based client authentication, restart at least one of the servers.

After Aborting a Total Update Cannot Restart a Total Update or Re-enable Replication on the Suffix (#4741320)

If a total update is aborted while in progress, it is not possible to launch another total update, or to re-enable replication on the suffix.

Workaround
Do not abort a total update while it is in progress.

Reports of Replication Delays With the insync Command and Fractional Replication (#4856286)

The insync command-line tool has no concept of fractional replication. If fractional replication is configured, false reports of replication delays can be produced.

Workaround
None

Schema Modifications Are Not Replicated in Incremental Updates (#4868960)

If you modify the schema without making any other non-schema-related modifications, your schema modifications will not be replicated immediately.

Workaround
Wait for five minutes for your schema modifications to be replicated, or force replication by using the Send Updates Now option in the Directory Server Console.

Scheduled Replication Can Cause Erratic Replication Behavior (#4999132)

Scheduled replication can cause erratic replication behavior.

Workaround
Avoid using scheduled replication. Always configure replication to in sync.

Errors in Multi-Master Replication When nsslapd-lastmod Attribute Set to OFF (#5010186)

The nsslapd-lastmod attribute specifies whether Directory Server maintains the modification attributes for Directory Server entries. When this attribute is set to OFF errors occur in multi-master replication.

Workaround
When using multi-master replication, leave the nsslapd-lastmod attribute set to ON.

During Replication an Error Message Is Written Frequently to the Error Log (#5029597)

During replication the following error message can be written frequently to the error log:

[09/Apr/2004:06:47:45 +0200] - INFORMATION - conn=-1 op=-1 msgId=-1 -
csngen_adjust_time: remote offset now 33266 sec

This error message increases the size of the error log file.

Workaround
Ignore this error message.

passwordExpirationTime Attribute Is Unsynchronized After First Password Expiration Warning (#5102180)

The passwordExpirationTime attribute is reset on the master when the first password expiration warning is given to the consumer. This attributes is not reset on the consumer and is therefore out of sync after the first password expiration warning.

Workaround
None.

Conformance

DN Normalization Code Does Not Treat Case Sensitive Attributes Properly (#4933500)

DN normalization code puts attribute names in lower case. The DN normalization code does not take into account the attribute syntax and the associated matching rule.

Workaround
None

Directory Server Console

Internal Search Causes Directory Server Console to Display a Yellow Warning Flag (#2113362/4983539)

In some search contexts a yellow warning flag is displayed. The yellow flag indicates that the Directory Server internal search mechanism has encountered an All IDs Threshold / Sorting issue. This flag does not represent a problem.

Workaround
Either ignore the flag or create a browsing index (VLV index) to prevent the flag from occurring.

Console Does Not Support Passwords That Contain a Colon ":" (#4535932)

The console does not support passwords that contain a colon ":".

Workaround
Do not use a colon in a password.

Console Does Not Support the Management of External Security Devices (#4795512)

The console does not support the management of external security devices, such as Sun Crypto Accelerator 1000 Board.

Workaround
Manage external security devices by using the command line.

German Entries Are Sorted Incorrectly in Directory Server Console (#4889951)

In the Directory Server console some german characters are sorted incorrectly. See the following examples:

Workaround
None.

slapd Daemon Takes the Administration Server Port When Restarted From the Console (#5002054)

When the slapd daemon is restarted from the console, it can take the Administration Server port and prevent Administration Server from being restarted by the console.

Workaround
Restart the slapd daemon from the command line.

Cannot Browse Access, Errors, and Audit Logs on Directory Server Console for Clustered Node (#5044629)

On a Directory Server cluster node (active or not) the Browse buttons in the Directory Server console are grayed out.

Workaround
Ensure you are running the console on the active cluster node, and use the node name (as opposed to the logical host name) to connect to the Administration Server.

Path to Help File for Directory Server Login Dialog Box Is Incorrect for Non-English Languages (#5046970)

The path to the help .htm file for the Directory Server Login dialog box in non-English languages is incorrect. For example, for the Korean language, the incorrect path is as follows: manual/ko/console/help/help/login.htm

Workaround
Change the path to the help .htm file as shown in the following example. This example uses the Korean locale:

  1. Close Directory Server Console.
  2. Change directory to the /usr/sadm/mps/console/v5.2/java directory.
  3. Extract the mcc52_ko.jar file using for the jar xvf mcc52_ko.jar command.
  4. Remove the mcc52_ko.jar file.
  5. Open the following file in a text editor: com/netscape/management/client/console/console_ko.properties
  6. Change the path from

    7. login-help=manual/ko/console/help/help/login.htm

    to

    login-help=manual/ko/console/help/login.htm

  7. Recreate the mcc52_ko.jar META-INF/* com/* jar file by using the
    jar cvf mcc52_ko.jar META-INF/* com/* command.
  8. Restart Directory Server Console.

Console Error When Modifying Directory Manager Password if Password Policy Is Defined (#5109510)

To allow you to use the console as Directory Manager, the Configuration Directory Server holds a copy of the Directory Manager's password as the value of the userPassword attribute on the entry with the following DN:

If you define a password policy for o=NetscapeRoot that applies to this entry, and then modify the Directory Manager's password by using the console, the new password must respect the password policy that applies to the entry.

To give the Directory Manager access that does not require a password, create a completely permissive password policy and apply it to the entry where the copy of the Directory Manager's password is kept.

LDIF Files Exported by Using the Tasks Tab on the Console Contain Additional Unnecessary Information for Backup (#6197903)

This issue concerns LDIF files exported by using the Export to LDIF button in Tasks tab on the console. When a server is configured as a supplier or a hub, an exported LDIF file starts to collect replication information to initialize consumers. The exported LDIF file cannot be used with the Import from LDIF button in Tasks tab on the console.

Workaround
Select one of the following workarounds:

Server Console Help Index Search Does Not Work in Traditional Chinese (zh_TW) (#6205531)

Core Server

Server Crashes When Stopped During Export, Backup, Restore, or Index Creation (#2121645/4678334)

Stopping the server during export, backup, restore, or index creation can cause it to crash.

Backend Instances Called "Default" Do Not Work (#2122630/4966365)

Backend instances, or databases, called "Default" do not work.

Workaround
Do not name a database "Default".

Installing 64-bit packages locks out the 32-bit Directory Server databases (#4786900)

Database Becomes Unavailable if LDIF File Is Inaccessible During Import (#4884530)

If a non-existent file is specified for an online import, the server still deletes the existing database.

Deleting an attribute subtype value deletes all attribute values (#4914303)

If you create an entry with an attribute which has, for example, 3 values, one of which has a subtype tag on it, and you then delete the attribute with the subtype tag, every value of that attribute is deleted.

When indexes are configured with nsMatchingRule, db2ldif and ldif2db issue an "unknown index rule" warning which means that the index created does not include the matching rule (#4995127)

Workaround
Use db2ldif.pl and ldif2db.pl instead of db2ldif and ldif2db as they do not issue "unknown index rule" warnings and create the index with the matching rule.

tcp_keepalive_interval and tcp_ip_abort_interval Configuration Attributes Cannot be Used for Timeout(#5087249)

The tcp_keepalive_interval and tcp_ip_abort_interval configuration attributes cannot be used to close idle connections on Directory Server.

Workaround
Use the nsslapd-idletimeout configuration attribute to close idle connections.

Directory Server Plug-ins

When the Pass-Through Authentication plug-in (PTA plug-in) detects that a suffix configured for pass-through authentication is local to the machine, the plug-in is not automatically disabled (#4938821)

If the plug-in configuration entry attribute values in the dse.ldif end with extra blank spaces, Directory Server will either fail to start or behave in unexpected ways (#4986088)

Post Operation Plug-In Function Not Called When Search Operation on Non-Existent Base DNs (#5032637)

The post operation plug-in function for a search operation is not called if the search is performed on a non-existent base DN. This is inconsistent with the description of post-operation plug-ins in "Extending Client Request Handling" in the Directory Server Plug-in Developer's Guide.

Workaround
None

Error Message When ACL Plug-In Unable to Normalize Attribute Value (#5089207)

The ACL plug-in normalizes attribute values in order to compare them with DN provided in the ACL rules. If an attribute value is not a DN, an error message is logged.

Workaround
Ignore the error message.

If you have two Directory Server instances DS1 and DS2 with your Configuration Directory Server installed on DS1, and you subsequently replicate the o=NetscapeRoot configuration information to DS2, as opposed to automatically disabling the PTA plug-in will continue to point to DS1for any o=NetscapeRoot relevant searches despite the fact that the information is now local.

Miscellaneous

Maximum Size of Transaction Log File Cannot be Changed (#4523783)

If you change the maximum size of the transaction log file when the database directory contains log files, the new size is not taken into account.

Workaround
None.

Statistics for SNMP subagents (#4529542)

On UNIX platforms, statistics are generated only for the last SNMP subagent that is started. This implies that you can monitor only one Directory Server instance at a time with SNMP.

International substring search on unaccented characters returns only unaccented characters (#4955638)

Instead of returning the unaccented character and all of its possible accented variants, which would seem to be the logical approach, a search on an unaccented character only returns the unaccented character in question. Searching for an accented character however, returns not only that character but all other variants.

Certain error messages reference a database error guide which does not exist (#4979319)

Missing chown/chgroup When an Instance Of Directory Server Is Created With Another User (#4995286)

With Directory Server and Administration Server installed and configured to run as root, when the console is used to create another instance of Directory Server which you specify to run as a user other than root, that instance is successfully created but many of the files pertaining to that instance are not owned by the same user.

Workaround
Change the ownership of the files and directories manually.

Cannot Create a Chained Suffix With an IPv6 Address by Using the Console (#5019414)

When you create a new chained suffix with an IPv6 address by using the New Chained Suffix window of the console the Testing connection parameters popup window does not close automatically and the validity of the IPv6 address is not tested. Although the local configuration of the chained suffix is successful, the validity of the IPv6 address is not assured.

Workaround
Do not to use the Test connection option when you configure a chaining suffix with an IPv6 address.

Default Number of File Descriptors Is 1024 for Directory Server on Linux RH3.0 (#5101775)

For Directory Server on Linux RH3.0, the default number of file descriptors is 1024. The default number of file descriptors cannot be changed globally, but can be changed by the root user for a given session only.

To change the default number of file descriptors, become root user and change the value before starting the server.

Workaround
None

When the ldapsearch sizelimit option is hit on a chained suffix an error message is issued and the access number of entries count is incorrect (#5029026)

Command Line Tools

Absolute Paths Must be Specified for the Following Commands: db2bak, db2bak.pl, bak2db, and bak2db.pl (#4897068)

db2ldif Command Creates an Output File In an Incorrect Directory (#5029598)

The db2ldif command creates output LDIF files in an incorrect default directory when the file name only is specified. The db2ldif command should create output LDIF files in this directory:

Workaround
Specify the absolute path to the file name of the output LDIF file.

mmldif Command Crashes (#6205803)

The mmldif command crashes when used.

Workaround
None

Redistributable Files

Sun Java System Directory Server 5.2 2005Q1 does not contain any files which you can redistribute.

How to Report Problems and Provide Feedback

If you have problems with Sun Java System Directory Server, contact Sun customer support using one of the following mechanisms:

So that we can best assist you in resolving problems, please have the following information available when you contact support:

You might also find it useful to subscribe to the following interest groups, where Sun Java System Directory Server topics are discussed:

http://swforum.sun.com

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. Use the web-based form to provide feedback to Sun:

http://www.sun.com/hwdocs/feedback

Please provide the full document title and part number in the appropriate fields. The part number can be found on the title page of the book or at the top of the document, and is usually a seven or nine digit number. For example, the part number of these Directory Server 5.2 Release Notes is 817-7611-10.

Additional Sun Resources

Useful Sun Java System information can be found at the following Internet locations:

Copyright © 2005 Sun Microsystems, Inc. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

SUN PROPRIETARY/CONFIDENTIAL.

U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

Use is subject to license terms.

This distribution may include materials developed by third parties.

Portions may be derived from Berkeley BSD systems, licensed from U. of CA.

Sun, Sun Microsystems, the Sun logo, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.

Copyright © 2005 Sun Microsystems, Inc. Tous droits réservés.

Sun Microsystems, Inc. détient les droits de propriété intellectuels relatifs à la technologie incorporée dans le produit qui est décrit dans ce document. En particulier, et ce sans limitation, ces droits de propriété intellectuelle peuvent inclure un ou plus des brevets américains listés à l'adresse http://www.sun.com/patents et un ou les brevets supplémentaires ou les applications de brevet en attente aux Etats - Unis et dans les autres pays.

Propriété de SUN/CONFIDENTIEL.

L'utilisation est soumise aux termes du contrat de licence.

Cette distribution peut comprendre des composants développés par des tierces parties.

Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l'Université de Californie.

Sun, Sun Microsystems, le logo Sun, Java et Solaris sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d'autres pays.

Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d'autres pays.