Sun Directory Server Enterprise Edition 7.0 Release Notes

Chapter 4 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

This chapter includes the following sections:

Bugs Fixed in Directory Server 7.0

This section lists the bugs fixed since the last release of Directory Server.

Table 4–1 Bugs Fixed in Directory Server 7.0

Bug ID 



UIDs for entries are not required to be unique. 


Network connections remain established regardless of the settings of the tcp_keepalive_interval and tcp_ip_abort_interval attributes.


The insync command cannot parse a host specification provided to it if the host specification contains an at sign (@).


Non-unique values of nsuniqueid can be added to a replication topology and cause replication to fail.


Using the ldapmodify command to delete an attribute can cause replication to fail.


Modifying an entry's RDN at the same time as modifying an attribute value of the entry's parent puts the directory server in deadlock. 


A memory leak occurs in searches that return virtual attributes. 


If a change log is created and read simultaneously, the directory server can fail. 


Read errors can occur when SASL security is enabled. 


The indirect Class of Service feature does not support multiple templates as documented. 


The ldapcompare command can fail if a Class of Service is configured.


ou=groups can contain duplicate data.


Replication can fail after SSL is configured as documented. 


The ldapsearch command can return inconsistent results.


On Windows installations, the dsadm info command can display the incorrect owner of ns-slapd.


On HP-UX installations, the dsadm stop and restart commands can behave inconsistently when the monitoring plug-in is enabled.


The warning message for an unregistered suffix contains extra characters. 


Certificates with names that contain localized characters cannot be listed or deleted correctly. 


The dsadm autostart command can return incorrect error messages.


On HP-UX installations, the directory server can fail when the GNU debugger (GDB) releases the ns-slapd process.


On UNIX installations, the JVM of the Sun Java System Application Server must be started with -Djava.awt.headless=true to enable replication topology rendering.


Multiple ZIP installations do not manage all CACAO ports correctly. 


The DSCC cannot be accessed through its URL when a previous connection is still open. 


DSCC can return errors when run with Java 1.6. 


The Sun Java System Application Server returns an Unable to create SASL client conn for auth mechanism message and cannot communicate with CACAO.


Registering and deploying JESMF creates defunct processes. 


DSCC parses dsinstancemain.confirmreadonly incorrectly.


Data passed to Windows service management must maintain the correct character case. 


The Class of Service statistics monitor reports results incorrectly. 


On Windows installations, the dsrepair command fails because of a missing directory in the PATH environment variable.


On Windows installations, the plcheck command fails.


DSCC cannot access the log files when the instance path contains multi-byte characters. 


A memory leak occurs in multi-master replication over SSL. 


DSCC does not display all suffixes. 


DSCC fails to support RBAC. 


When the repldisc command encounters an error connecting to a replica over SSL, its credentials are not properly handled.


The repldisc command in interactive mode should not request the host name and port number.


The repldisc command in interactive mode should not request replicas that cannot be connected.


External use of the reversible password plug-in can cause replication to fail. 


Re-indexing requires too much time to complete. 


The DSCC displays a message that describes the Replication Settings tab incorrectly. 


Some password policy updates appear in replicated audit logs but not in the local audit log. 


The DSCC displays a message that describes the Promote/Demote Suffix function incorrectly. 


The repldisc command fails to compare host names correctly.


Replication stops between servers of different versions after a failed login of a known user with an incorrect password. 


The DSCC ACI wizard produces invalid ACIs when multiple targetattr values are selected.


A replication master can fail when replication stops normally. 


Passwords cannot be changed through proxied authorization when pwdReset is set to true.


Performance can be degraded when the access log is enabled. 


The dsconf set-log-prop command does not change permissions on log files in a timely manner.


Extra spaces in an ACI string can cause incorrect ACI evaluations. 


The DSCC fails to display a long ACI. 


Complex Class-of Service deployments can cause the directory server to fail. 


Several text files require correction. 


Rotation can become deadlocked. 


A user password can become expired even if passwordMaxAge is set to a high value.


The DSCC can corrupt entries with binary attributes during modification. 


Under certain circumstances, the password policy attribute pwdMinLength is not enforced.


The DSCC displays some links incorrectly. 


The directory server can fail if the uniqueness-among-attribute-set plug-in is configured.


The directory server fails if a pre-op plug-in performs an access control check on an entry before deleting it. 


Changes to client authentication made with the DSCC do not become effective until the directory server is restarted. 


Pass-through authentication can prevent the directory server from stopping correctly. 


The audit log contains old passwords. 


DSCC can display incorrect message text when starting and stopping the directory server. 


Errors can occur if a database is restored and the backup has a very large change log. 


A server instance bound to a specific IP address can fail to become registered. 


The directory server can become deadlocked when accessing the change log. 


Replication operations require too much time. 


A multiple-pass LDIF import operation can produce an incorrect index. 


The Logging property rotation-time cannot be set to undefined even though it is listed as an allowed value


DSCC does not disable a referral completely. 


The DSCC does not handle subtype attributes correctly when editing entries. 


The directory server can fail when evaluating an ACI. 


A binary restore of the database recreates the replication change log. 


The DSCC cannot set the time-base log rotation and deletion policy to Do Not Automatically Rotate/Delete. 


The directory server fails when stopping the server when indexing is active. 


Backup and export files can become invalid if infrequently updated masters receive updates. 


The starttls command runs slowly.


The directory server fails when fetching values of a virtual attribute. 


The directory server can fail when creating a new suffix in the Top entry if the name of the suffix contains a back slash (\).


The repl-schedule property should be multivalued.


Enabling replication can incorrectly update VLV indexes 


The DSCC does not log all messages when restoring the database. 


The DSCC corrupts mailSieveRuleSource when it updates a user.


The change log is not always trimmed correctly. 


The number of simultaneous pass-through authentications cannot be limited. 


On Windows installations, the directory server can fail under load when encryption is disabled. 


The directory server can add the cACertificate and crossCertificatePair properties twice.


The directory server can fail under load during DN normalization. 


The retro change log can grow very large when managing large static groups. 


A memory leak can occur in the directory server when binding users whose password policy is assigned in a Class of Service. 


In Windows installations, the directory server does not stop during shutdown when registered as a service. 


The ldapsearch command can return incorrect results for a search of certificateRevocationList with non-existent subtypes.


When set to on, nsslapd-return-exact-case does not work correctly for certificateRevocationList.


The directory server can close a connection before idletimeout has elapsed.


In Windows installations, the first attempt of the directory server to restart after the system is rebooted can fail with System Event ID 7022. 

6750240 is not signed.


Prioritized replication does not work as designed. 


Replication stops and restarts when a send update now operation occurs. 


Identity Synchronization for Windows plug-in does not start. 


An exported LDIF can include an entry's Replica Update Vector. 


Upgrading a multi-master replication topology can fail. 


The directory server cannot be installed on some Japanese Windows systems. 


The directory server can fail because of polling issues. 


directory server can fail because of binding with SASL. 


DEL operations are replicated in a multi-master topology, modifiersname is logged incorrectly in the audit log of the consumer.


The password policy assigned to a user entry through a role is not effective until the directory server is restarted. 


Replication can fail if the suffix name contains a space. 


The dsconf command does not correctly handle a hyphen (-).


Replication can fail if a MOD CSN (Change Sequence Number) is smaller than the previous ADD CSN. 


The directory server can fail if it is stopped immediately after it is started. 


A consumer can become unsynchronized when ds-polling-thread-count is greater than 1.


The dsconf info command does not always detect the directory server's version number.


The dsconf export command does not log an error when it fails because the target file system is full.


The insync operation can fail.


The dsconf matching-rule property for indexes should be multi-valued.


The dsadm export command cannot index collation plug-in matching rules.


The searchrate command can fail when processing a complex filter.


An error can occur when the pwd-accept-hashed-pwd-enabled property is set.


ACI evaluation during unindexed searches can require too much time. 


The directory server can fail when the authrate command is running.


The directory server can fail when the DSML plug-in receives a corrupted DSML message. 


The directory server can fail when it is stopped if the memberof plug-in is not completely preloaded.


The dsadm add-selfsign-cert command adds self-inconsistent certificates to the database.


On Windows installations, the directory server can crash during search operations. 


In multi-master replication topologies, the directory server can fail to detect duplicate values for attributes with more than eight values. 


Recovery from a database failure can cause the heap to be corrupted. 


The dsconf command does not handle the dsml-min-parser-count and dsml-max-parser-count properties correctly.


On some Windows installations, the dsadm stop command does not stop the directory server.


The sequence of plug-in operation should be reordered. 


The DSCC can encounter an error when creating or modifying a specialized password policy. 


In multi-master replication topologies, replication can fail after importing a replica. 


The change log trimming thread can cause the directory server to fail at startup. 


ACI evaluation during a modify operation can corrupt the heap. 


The directory server can crash after importing new entries. 


ACIs with the ip keyword are not always evaluated correctly.


The server could crash during a DSML search if the bind password needed to be changed. 


Importing can fail to create a replica correctly. 


The ZIP distribution of the directory server should use non-default port numbers. 


Search requests should return binary attributes in accordance with RFC 4522. 


The directory server can crash during Class of Service operations. 


A memory leak can occur when importing an LDIF with replication meta-data. 


The dsmig migrate-config command logs a configuration warning for the Strong Password Check plug-in.

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server 7.0 Limitations

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already done this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration properties max-thread-per-connection-count and ds-polling-thread-count do not apply for Windows systems.

Console does not allow administrator login on Windows XP

Console does not allow administrator to logon to the server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, Directory Server Indexing, in Sun Directory Server Enterprise Edition 7.0 Administration Guide for details.

Number of connections and operations are not enforced on PTA servers

The maximum number of connections (maxconns) and the maximum number of operations (maxops) are not enforced on PTA servers.

When installed with the ZIP distribution, Directory Server uses port 21162 as the default of the Common Agent Framework (CACAO).

The default port of the Common Agent Framework (CACAO) is 11162. When installed with the native distribution, Directory Server uses this default port. However, when installed with the ZIP distribution, Directory Server uses port 21162 by default. Be sure to specify the right port number when creating or registering a server instance with DSCC.

The console does not allow you to create a Directory Server or Directory Proxy Server instance if the Directory Manager's password contains a space character. (6830908)

If the Directory Manager's password contains a space character, the Directory Manager account cannot create a directory server or directory proxy server instance by using the console.

Due to the same issue, the command dsccsetup ads-create —w password-file fails if the password file contains a space character.

Known Directory Server Issues in 7.0

This section lists the known issues that are found at the time of Directory Server 7.0 release.


Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.


The Directory Server hangs when running the stop-slapd command.


When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.


Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.


The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

    To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert \
    $ dsadm add-cert --ca /local/supplier consumerCert \
  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.


Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.


The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.


Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.


The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.


On Windows, SASL authentication fails due to the following two reasons:

  • SASL encryption is used.

    To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

    dn: cn=SASL, cn=security, cn=config
      dssaslminssf: 0
      dssaslmaxssf: 0
  • The installation is done using native packages.

    To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.


Directory Service Control Center does not properly display userCertificate binary values.


The dsrepair fix-entry does not work if the source is a tombstone and if the target is an entry (DEL not replicated).

Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.


It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.


On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.


Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.


On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.


Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.


Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.


After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.


For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To workaround this issue, access the man pages at Sun Directory Server Enterprise Edition 7.0 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.


An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.


When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.


After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.


On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.


The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.


On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.


The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.


In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.


When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.


Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.


Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.


On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.


The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.


On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.


Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.


The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.

These functions all require a “done” function to release internal elements. However, the public API is missing a slapi_value_done()() function.


When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not causes any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.


When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.


On HP-UX, the dsadm and dpadm commands might not find shared library.

As a workaround to this problem, set the SHLIB_PATH variable.

env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

The dsadm autostart can make native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.


On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.


If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.


Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To workaround this issue:

Add the 64-bit module with 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/ -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.


The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.


For servers registered in DSCC as listening on all interfaces (, attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have SSL port only and secure-listen-address setup with Directory Server Enterprise Edition 6.3, use this workaround:

  1. Unregister the server from DSCC:

    dsccreg remove-server /local/myserver
  2. Disable the LDAP port:

    dsconf set-server-prop ldap-port:disabled
  3. Set up a secure-listen-address:

    $ dsconf set-server-prop secure-listen-address:IPaddress

    $ dsadm restart /local/myserver
  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.


After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService


In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.


Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.


The error message displayed after a failed try to set use-cert-subject-as-bind-dn to false contains wrong property names.


If a Directory Proxy Server instance has only secure-listen-socket/port enabled through DSCC and if server certificate is not default (for example, if it is a certificate-Authority-signed certificate), then DSCC cannot be used to manage the instance.

To work around this problem, unregister the DPS instance and then register it again. Another solution is to update the userCertificate information for the DPS instance in the DSCC registry using the server certificate.


On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.


Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). Directory Server does not accept multibyte characters (such as in Chinese or Japanese character sets) in strings for database names, file names, and path names. To work around this issue when creating a Directory Server suffix having multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.

$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN

Do not use the default database name for the suffix. Do not use multibyte characters for the database name.


Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the 'DSEE_HOME/ds6/bin/dsconf accord-repl-agmt' to correct the replication agreement.


Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:

WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -  
Detected plugin paths from another install, using current install

To avoid these warnings, be sure to use C:/ consistently.


Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:

For more information about data source configuration, 
see the "Sun Directory Server Enterprise Edition Reference."

Selecting the link to the DSEE Reference document produces an error message.

To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.


In a Multi-Master Replication configuration including 5.2 consumers, maximum of 4 version 7.0 servers are supported.


The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.

To fix this issue, install the missing SUNWxcu4 package on your system.


The -f option does not work with the ldapcompare command.


On Windows, CLI displays garbage characters.


DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.


When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:

  • the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties

  • scheduling of the housekeeping thread

  • the effective size of the log file when the rotation condition is satisfied

The timestamp in the rotated log file (for example, access.timestamp) can therefore not be guaranteed.


If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.

The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.


The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.


Some debug messages and Error #20502, Serious failure during database checkpointing, err=2 (No such file or directory), can sometimes be logged right before the import processing starts. Such messages can be ignored, as they refer to the old suffix data being deleted.


If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.


On Windows 2008, Common Agent Framework sometimes refuses to be started from Windows Service Manager.

As a workaround, start the CACAO service manually using the cacaoadm start command.


On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.

Workaround. After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.