These release notes contain important information on iPlanet Directory Server Access Management Edition (DSAME), version 5.0. Enhancements, installation notes, known problems, and late-breaking issues are addressed. Read this document before installing iPlanet DSAME.
This release of iPlanet Directory Server Access Management Edition (DSAME) now supports the Microsoft Windows 2000 platform. For instructions on installing DSAME on Windows 2000, see the DSAME Installation and Configuration Guide.
The installation script aminstall does not check for link validity or for the absolute path. If an invalid location is specified, the installation of a DSAME component may fail even though the installation process appears to have completed successfully. (4536926)
AMConfig.properties and Default Mode Installation
When DSAME is installed in default mode, the value of com.iplanet.am.domaincomponent in AMConfig.properties is not relevant and will remain DCTREE_SUFFIX. (4537023)
Install Log Message Irrelevant
The following message appears in the install log after installation. It has no bearing on whether DSAME was installed successfully and can be ignored. (4536466)
Reconfigure failure: server not running
Web application deploy successful
For this release of DSAME, up to 50 services can be displayed in the DSAME console. (4536927)
Error Messages Display When Loading Sample Service
If you load the sample service into Directory, and then register that service to an organization, the following errors are found in the Directory Server error log:
The errors display because no service template has been created. Although annoying, the errors require no action. (4539108)
Do not use multi-byte characters (8 and 16 bit) in login IDs or email addresses. (4538007)
Configuring amUser.xml For Multiple Naming Attributes
In order to manage a user with multiple naming attributes, ensure that the naming attribute type in amUser.xml is changed to list from its default value of single. (4536186)
Configuring serverconfig.xml For SSL Port
Ensure that serverconfig.xml is configured correctly when listening on SSL port 636. The correct configuration is <Server name="server" host="host address" port="636" type="SSL"/>. Setting the type to simple when the port is the SSL port will cause DSAME to hang. (4536852)
Configuring serverconfig.xml For Connection Pools
DSAME uses an LDAP connection to request information from Directory Server. By default, the minimum number of LDAP connections opened when DSAME is started is 1; the maximum number of connections is 10. If at any time more than one simultaneous request is made from DSAME to Directory Server, additional connections are added dynamically up to the maximum of 10. These default values can be increased, depending on the size of your organization, by modifying the serverconfig.xml file. This file is used by both amadmin and the DSAME SDK. The SDK needs to allow for 100-500 connections; amadmin needs only the default 1-10. Therefore, for optimum usage, it is recommended that you keep one serverconfig.xml file for each purpose, loading and reloading it depending upon your current need. (4536447)
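The two serverconfig.xml points above (the SSL port must carry type="SSL", and the connection-pool bounds should match whether the file is meant for amadmin or for the SDK) are the kind of thing worth checking mechanically before a restart. The following is an added example and not part of the release notes or of DSAME itself. The <Server> element and its name/host/port/type attributes are as shown in the note above; the root element name and the minConnPool/maxConnPool attributes on <ServerGroup> are assumptions made for this example and must be checked against the schema of your own serverconfig.xml.

```python
"""Sanity checks for a DSAME serverconfig.xml (added example, not DSAME code).

Checks taken from the release notes:
  * a <Server> listening on port 636 must have type="SSL"; type="simple"
    on the SSL port makes DSAME hang,
  * the LDAP pool bounds should fit the file's purpose
    (amadmin: 1-10 connections, the SDK: 100-500 connections).

ASSUMPTION: the pool bounds live in minConnPool/maxConnPool attributes on
<ServerGroup>, and the root element is <iPlanetDataAccessLayer>.  Both are
assumed for this example; verify them against your own file.
"""
import xml.etree.ElementTree as ET

# Constructed sample file: one correct SSL server and one misconfigured one.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="ISO-8859-1"?>
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="server" host="ldap1.example.test" port="636" type="SSL"/>
    <Server name="server2" host="ldap2.example.test" port="636" type="simple"/>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Acceptable range for maxConnPool, per purpose, from the release notes.
POOL_PROFILES = {
    "amadmin": (1, 10),
    "sdk": (100, 500),
}


def find_ssl_port_mismatches(xml_text):
    """Return (name, host, port, type) for every <Server> on port 636
    whose type is not SSL (the configuration the notes say hangs DSAME)."""
    root = ET.fromstring(xml_text)
    bad = []
    for server in root.iter("Server"):
        port = server.get("port", "")
        stype = server.get("type", "")
        if port == "636" and stype.upper() != "SSL":
            bad.append((server.get("name"), server.get("host"), port, stype))
    return bad


def check_pool_bounds(xml_text, purpose):
    """Return a list of human-readable problems with the pool bounds of each
    <ServerGroup> for the given purpose ("amadmin" or "sdk")."""
    lo, hi = POOL_PROFILES[purpose]
    root = ET.fromstring(xml_text)
    problems = []
    for group in root.iter("ServerGroup"):
        name = group.get("name", "?")
        try:
            # Defaults mirror the documented DSAME defaults of 1 and 10.
            mn = int(group.get("minConnPool", "1"))
            mx = int(group.get("maxConnPool", "10"))
        except ValueError:
            problems.append(f"{name}: minConnPool/maxConnPool are not integers")
            continue
        if mn < 1 or mn > mx:
            problems.append(f"{name}: minConnPool={mn} must be >= 1 and <= maxConnPool={mx}")
        if not lo <= mx <= hi:
            problems.append(f"{name}: maxConnPool={mx} is outside the {purpose} range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for entry in find_ssl_port_mismatches(SAMPLE_CONFIG):
        print("SSL port without type=SSL:", entry)
    for purpose in POOL_PROFILES:
        for problem in check_pool_bounds(SAMPLE_CONFIG, purpose):
            print(f"[{purpose}] {problem}")
```

Run it against the copy of serverconfig.xml you are about to load; the sample file passes as an amadmin configuration but is reported as undersized for SDK use, which is exactly the situation the notes describe when one file is shared between the two purposes.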
setDefaultURL Fails in Customized Authentication Modules
The value set by the setDefaultURL method does not override the user's default in authentication modules, so the user is not redirected to the requested URL. (4536453)
When you create directory entries using amadmin, the roles associated with that entry are also created. For example, when you create an Organization, an associated Organization Administrator role and an Organization Help Desk role are created. Roles contain ACIs, which take longer to create than other types of objects. Creating objects that have associated roles can therefore significantly increase the time it takes to process the additions to your directory tree. (4536928,4538402) If your DIT is particularly large or complex, this can also significantly increase the time it takes to process deletions from your directory tree. (4536928,4538402) amadmin should not be used for large-scale updates. (4537112)
Non-Root Users and amAdmin/amPassword
In order for a non-root user (by default amadmin after installation) to run amAdmin and amPassword, the AMConfig.properties file must grant read and write permission to that user. Additionally, the trust database files of the iPlanet Web Server (located at DSAME_server_root/SUNWam/servers/alias) must grant read and write permission to the user running amAdmin. (4536067)
The proxy user, puser, can be modified to have proxy-only access if another user is created with unrestricted access, and the DN of that user is set in serverconfig.xml under the admin attribute. (4639683)
Portions of the Admin Console GUI May Not Display
Occasionally, when you log into the Admin Console and create some users, groups, etc., the top panel of the main page will not display correctly. Refreshing the screen will display the Admin Console correctly. This problem only occurs on the Windows 2000 platform. (4639370)
Setting User to Inactive in DSAME Does Not Set User to Inactive in Directory Server
When you use DSAME to deactivate a user, DSAME sets the attribute inetAccountStatus to inactive while Directory Server uses the attribute nsAccountLock to determine account status. By default, DSAME does not use nsAccountLock. This gives "inactive" DSAME users the ability to interact with infrastructures which do not pass through DSAME. The nsAccountLock attribute can be added to the amUser.xml file in DSAME. (If you want to use only one of these status attributes, you can remove inetAccountStatus.) Once you remove and reload the schema, the nsAccountLock attribute will display in the user's profile. A limitation of this workaround is that the nsAccountLock attribute cannot be added to a role. DSAME does not support operational attributes in roles at this time. (4537106)
User Properties Reset Button Works Visually Only
When a user logs in and modifies one of their properties, the Reset button changes the property back in the GUI only. When Submit is then clicked, the error "Unable to update object." is returned. To work around this error, enter the original value of the property again and click Submit. (4536455)
Double Quotes Are Not Supported
Do not use double quotes in user names or organization names; in Directory Server, the quotes are stripped from the name. For example, if you create a username "User1", the Directory Server creates the userID User1 without the quotes. (4539190)
If a user entry does not have read access to their userPassword attribute, they will not see a password when they log in. To correct this either remove the attribute from the user profile page or change the user's read access permission. (4537067)
Group Administrator Can Prevent Higher-level Administrators from Logging In
Administrators at the organization and people container level generally have a wider scope of access than do group administrators. But by default, when a user is added to a group administrator role, that user can change the password of any other user in the group. For example, in the following structure, User X could change the password of a People Container Administrator and an Organization Help Desk Administrator, preventing them from successfully logging in.

Group1
    Organization Administrator
    People Container Administrator
    Organization Help Desk Administrator
    UserA
Group Administrator Role
    User X
The default ACIs are set this way by design. You can modify the ACIs to meet your own requirements. ACI documentation is provided. (4536857)
Error Message for Insufficient Administrator Privileges
If an administrator attempts to perform tasks outside their authorization, as defined by the ACIs for their role, the attempt fails. The resulting error message needs to indicate that the administrator does not have sufficient privileges for the attempted task; at present it does not. (4536645)
Enabling the UID Uniqueness Plug-in
The UID Uniqueness plug-in in Directory Server should be enabled to prevent an administrator from creating users with duplicate IDs. (4536215)
Two Users in an Organization Can Have the Same Email Address
DSAME does not enforce uniqueness for attributes within user entries. For example, userA and userB are both created in the same organization. For both userA and userB, the email address attribute can be set to jimb@madisonparc.com. As a workaround, you can configure the attribute uniqueness plug-in that comes with Directory Server. For more information, see "Using the Attribute Uniqueness Plug-In" in the iPlanet Directory Server Administrator's Guide at http://docs.iplanet.com/docs/manuals/directory/51/html/ag/uid.htm#1043905. (Splat # 542485)
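Three of the items above leave the directory in a state the DSAME console will not show you: users set inactive in DSAME (inetAccountStatus) but not locked in Directory Server (nsAccountLock), users sharing a login ID before the UID Uniqueness plug-in is enabled, and users in one organization sharing an email address. The audit below is an added example written for these release notes; it is not DSAME or Directory Server code. It reads an LDIF export (for instance the output of ldapsearch or db2ldif) and reports all three conditions. The sample LDIF, the organization layout (o=<org>,o=isp with an ou=People container) and the entry names are constructed for the example.

```python
"""Audit an LDIF export for the status and uniqueness gaps described in the
DSAME 5.0 release notes (added example, not DSAME code).

Reports:
  * entries with inetAccountStatus=inactive but no nsAccountLock=true,
    i.e. inactive for DSAME but still active for anything that talks to
    Directory Server directly,
  * duplicate uid values within one organization,
  * duplicate mail values within one organization.
"""
from collections import defaultdict

# Constructed sample export.  Entries 1 and 2 share a mailbox (case differs),
# entry 1 is inactive without nsAccountLock, entry 3 is consistently locked,
# and entry 4 reuses the uid of entry 1 under a different naming attribute.
SAMPLE_LDIF = """\
dn: uid=usera,ou=People,o=madisonparc.com,o=isp
objectclass: inetorgperson
uid: usera
mail: jimb@madisonparc.com
inetAccountStatus: inactive

dn: uid=userb,ou=People,o=madisonparc.com,o=isp
objectclass: inetorgperson
uid: userb
mail: JimB@madisonparc.com
inetAccountStatus: active

dn: uid=userc,ou=People,o=madisonparc.com,o=isp
objectclass: inetorgperson
uid: userc
mail: userc@madisonparc.com
inetAccountStatus: inactive
nsAccountLock: true

dn: cn=Jim Bates,ou=People,o=madisonparc.com,o=isp
objectclass: inetorgperson
uid: usera
mail: jim.bates@madisonparc.com
"""


def parse_ldif(text):
    """Parse a minimal LDIF export (no base64 values, no changetype records)
    into a list of dicts mapping lower-cased attribute names to value lists."""
    # Unfold continuation lines, which LDIF marks with a leading space.
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries, current = [], {}
    for line in folded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def organization_of(dn):
    """Organization suffix of a DN: the DN from its first o= RDN onward.
    Uses a plain comma split, so DNs with escaped commas are not handled."""
    parts = [p.strip() for p in dn.split(",")]
    for i, part in enumerate(parts):
        if part.lower().startswith("o="):
            return ",".join(parts[i:])
    return dn


def inactive_without_lock(entries):
    """DNs that DSAME considers inactive but Directory Server does not lock."""
    found = []
    for entry in entries:
        status = [v.lower() for v in entry.get("inetaccountstatus", [])]
        lock = [v.lower() for v in entry.get("nsaccountlock", [])]
        if "inactive" in status and "true" not in lock:
            found.append(entry["dn"][0])
    return found


def duplicate_values(entries, attr):
    """Map (organization, value) -> [dn, ...] for values of attr that occur in
    two or more entries of the same organization.  Comparison is
    case-insensitive, matching Directory Server's matching rule for uid/mail."""
    seen = defaultdict(list)
    for entry in entries:
        dn = entry["dn"][0]
        for value in entry.get(attr.lower(), []):
            seen[(organization_of(dn), value.lower())].append(dn)
    return {key: dns for key, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    people = parse_ldif(SAMPLE_LDIF)
    for dn in inactive_without_lock(people):
        print("inactive in DSAME only:", dn)
    for attr in ("uid", "mail"):
        for (org, value), dns in duplicate_values(people, attr).items():
            print(f"duplicate {attr} {value!r} in {org}: {', '.join(dns)}")
```

The duplicate check is scoped per organization because that is the scope the note above describes; widen organization_of() to return a fixed suffix if your uniqueness policy is DIT-wide. Enabling the Directory Server uniqueness plug-in prevents new duplicates but does not repair existing ones, which is what this report lists.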
Organization Roles are Created By Default in New Organizations
When you create a new organization, the Organization Help Desk Administrator, People Container Administrator and Organization Administrator roles are automatically created. This is by design. You can change the default names by modifying the creation templates. (4552950)
During installation, DSAME will not recognize European symbols. (4642005)
Filters Do Not Work with Japanese Version of Internet Explorer
DSAME filters do not work with the Japanese version of Microsoft Internet Explorer 5.5. If you create a multibyte organization, and use a filter with multibyte data, the browser will report the Page Expired error message. (4655777)
i18n Characters in the DSAME Log
I18n characters (example: uid=renée) are not displayed correctly in the DSAME log although the characters are displayed correctly in the DSAME console. The logs can be read correctly by running iconv from the command line using the input and output character sets and the log file name as arguments. (4536986)
Localized Properties Work According to the Locale of the Server
Because profiles are customized according to the locale where the server is running, individual localized properties will not show up when a user logs in to their profile. The locale of the DSAME server must be changed to view user customized profiles. (4536444)
DSAME Objects Collate Incorrectly Using Japanese Locale
DSAME objects created with the Japanese locale setting do not sort correctly in the DSAME console. (4536451)
To change the default user entry naming attribute for Membership authentication, amMembership.xml needs to be modified. The value of the attribute iplanet-am-auth-membership-user-naming-attribute needs to be changed to the LDAP attribute to be used instead of the default, uid. In addition, the chosen attribute needs to be added to register.html, membership.properties and membership.html. (4536427)
DSAME does not support running the console against read-only replica servers unless no modifications are made. (4536456)
Passwords are displayed in plain text in the Web Server access logs. To hide these passwords, disable Web Server logging. (4536458)
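Before deciding between disabling logging and keeping it, a defender wants to know which existing access logs already contain credentials, because those files need to be purged (and the exposed passwords changed) regardless of the setting going forward. The script below is an added example and not part of the release notes or of DSAME. It scans NCSA-style access log lines for password-like query parameters and produces a redacted copy. The log lines, the request paths and the parameter names treated as sensitive (such as Login.Password) are constructed for the example; substitute the parameter names your own login page actually submits.

```python
"""Find and redact passwords exposed in web server access logs
(added example, not DSAME code).

Access logs record the request line, so a login form submitted with GET
leaves every password in the log.  POST bodies are not logged, which is
why the second sample line below has nothing to redact.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log in NCSA common format (paths and parameter names
# are assumptions for the example, not DSAME's real ones).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2002:10:15:02 -0700] "GET /amserver/login?Login.Username=usera&Login.Password=Secret123 HTTP/1.0" 200 1532
10.0.0.6 - - [04/Apr/2002:10:15:09 -0700] "POST /amserver/login HTTP/1.0" 302 0
10.0.0.7 - - [04/Apr/2002:10:16:11 -0700] "GET /amconsole/base/AMAdminFrame?org=madisonparc.com HTTP/1.0" 200 4421
"""

# Parameter names treated as credentials: an exact-match set plus substrings.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "login.password"}
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def is_sensitive(name):
    """True if a query-parameter name looks like it carries a password."""
    lowered = name.lower()
    return lowered in SENSITIVE_KEYS or "password" in lowered or "passwd" in lowered


def sensitive_params(url):
    """Names of password-like parameters present in the URL's query string."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if is_sensitive(k)]


def redact_url(url):
    """Return url with the values of password-like parameters replaced."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(is_sensitive(k) for k, _ in pairs):
        return url
    cleaned = [(k, "REDACTED" if is_sensitive(k) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(text):
    """Return [(line_no, url, [sensitive parameter names])] for lines that
    expose credentials; use this to decide which log files must be purged."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        keys = sensitive_params(match.group("url"))
        if keys:
            hits.append((line_no, match.group("url"), keys))
    return hits


def redact_log(text):
    """Return a copy of the log with password values masked, other lines intact."""
    out = []
    for line in text.splitlines():
        match = REQUEST.search(line)
        if match:
            line = line[:match.start("url")] + redact_url(match.group("url")) + line[match.end("url"):]
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for line_no, url, keys in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(keys)} exposed in {url}")
    print(redact_log(SAMPLE_LOG))
```

scan_log() tells you which log files (and therefore which backups and log-shipping destinations) already hold credentials; redact_log() produces a copy safe to keep for troubleshooting. Neither replaces the note's remedy of disabling logging on a server whose login page submits credentials in the request line.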
SampleMailService Objectclass Violation
If an object class violation occurs after adding the sample mail service (included with DSAME) to your enterprise, be sure that the sampleMailservice schema was loaded correctly. (4536189)
Useful iPlanet information can be found at the following Internet locations:
Sun, Sun Microsystems, the Sun logo, Java, iPlanet, and all Sun, Java, and iPlanet based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
Last Updated April 04, 2002