Sun Java System Directory Server Enterprise Edition 6.2 Release Notes

Chapter 3 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

This chapter includes the following sections:

Bugs Fixed in Directory Server 6.2

This section lists the bugs fixed since the last release of Directory Server.


After installing from the zip distribution on Solaris and Linux, Directory Server does not appear through SNMP after the Common Agent Container, cacao, is restarted.


When changing LDAP passwords by using the password change extended operation, the current password of the account is required even if pwdSafeModify is off.


On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.


After running db2ldif or ldif2db, the new changelog is created but the old changelog is not removed.


When replication is enabled, ns-slapd crashes.


Migrating a Directory Server 5.1 master to 6.x displays an error.


Some of the jar files loaded in lockhart are not upgraded after applying 125310-02 and 125278-02 patches.


The dsconf create-plugin -Y pwdstoragescheme command adds the plug-in entry with an incorrect DN.

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

Database cache may be outdated after failover on Sun Cluster.

When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.

Console does not allow administrator login on Windows XP.

Console does not allow the administrator to log on to the server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Known Directory Server Issues in 6.2

This section lists the known issues that are found at the time of Directory Server 6.2 release.


Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.


When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
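The second workaround, preprocessing the LDIF so that the entries carry the timestamps the importer would otherwise omit, can be done with a short script such as the one below. This is an added example, not code from the release notes or from the Directory Server product; the sample LDIF is constructed, and the attribute names createTimestamp and modifyTimestamp are written in the case the text uses. Entries that already carry one of the attributes keep their existing value and only receive the missing one, so the script is safe to run over LDIF exported from another server.

```python
"""Add createTimestamp/modifyTimestamp to LDIF entries before import.

Added example for the release-notes workaround; not Directory Server code.
"""
from datetime import datetime, timezone

# Constructed sample LDIF (not from the release notes). The second entry
# already carries a createTimestamp, so it must only receive modifyTimestamp.
SAMPLE_LDIF = """version: 1
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
description: a long description that the LDIF writer
  folded onto a continuation line
createTimestamp: 20070101000000Z
"""

# Fixed instant used by the demo so the output is reproducible.
SAMPLE_WHEN = datetime(2007, 10, 15, 12, 0, 0, tzinfo=timezone.utc)


def generalized_time(when):
    """Format an aware datetime as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ)."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def _split_records(text):
    """Yield LDIF records as lists of raw lines; records are separated by blank lines."""
    record = []
    for line in text.splitlines():
        if line == "":
            if record:
                yield record
                record = []
        else:
            record.append(line)
    if record:
        yield record


def _attribute_names(record):
    """Return the lower-cased attribute names present in a record.

    Continuation lines (leading space) and comments (leading #) carry no name.
    'dn:: <base64>' still yields 'dn' because we split on the first colon only.
    """
    names = set()
    for line in record:
        if line.startswith((" ", "#")):
            continue
        names.add(line.split(":", 1)[0].lower())
    return names


def add_timestamps(ldif_text, when):
    """Return ldif_text with createTimestamp/modifyTimestamp added to each entry.

    Only records that contain a dn line are entries; each missing attribute is
    appended at the end of the record, so existing values are never replaced.
    """
    stamp = generalized_time(when)
    out_records = []
    for record in _split_records(ldif_text):
        names = _attribute_names(record)
        if "dn" in names:
            for attr in ("createTimestamp", "modifyTimestamp"):
                if attr.lower() not in names:
                    record.append(f"{attr}: {stamp}")
        out_records.append("\n".join(record))
    return "\n\n".join(out_records) + "\n"


def demo():
    """Run the preprocessor over the constructed sample at the fixed instant."""
    return add_timestamps(SAMPLE_LDIF, SAMPLE_WHEN)


if __name__ == "__main__":
    print(demo())
```

In practice you would call add_timestamps on the contents of the export file, using datetime.now(timezone.utc) as the instant, and feed the result to the import. The script deliberately keeps folded continuation lines and comments untouched so that the rest of the LDIF reaches the importer exactly as exported.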


Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.


When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.


Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.


The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt
  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.


Certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.


Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.


A Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start, or to perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:

# cacaoadm list-params | grep java-flags
  java-flags=-Xms4M -Xmx64M

# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

Use only ASCII characters in the instance path to avoid these issues.


Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.
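The failing case above is a DN-string parsing problem: in an LDAP distinguished name, a backslash turns the following comma or double quote into an ordinary value character, so the DN o=Example Company\, Inc.,dc=example,dc=com has three RDNs, not four. The parser below, an added example and not Directory Server code, shows how a correct split of a DN into RDNs handles the escaped comma, the escaped quote, the legacy double-quoted value form, and \XX hex-pair escapes (including multi-byte UTF-8 sequences). It goes slightly beyond the page's single case so it can be used to check the target DNs of ACIs before they are loaded; multi-valued RDNs joined with + are kept as one string, which is an assumption of this example.

```python
"""Split and unescape LDAP DN strings (RFC 4514 escapes, RFC 2253 quoting).

Added example to illustrate the ACI target-DN parsing issue; not DSEE code.
"""

_HEX = set("0123456789abcdefABCDEF")


def _is_hex_pair(s):
    return len(s) == 2 and s[0] in _HEX and s[1] in _HEX


def _trim(rdn):
    """Drop unescaped whitespace around an RDN without eating an escaped trailing space."""
    rdn = rdn.lstrip(" ")
    while rdn.endswith(" ") and not (len(rdn) >= 2 and rdn[-2] == "\\"):
        rdn = rdn[:-1]
    return rdn


def split_dn(dn):
    """Split a DN string into its RDN strings.

    A comma separates RDNs only when it is neither preceded by a backslash nor
    inside a double-quoted value. Escape sequences are kept intact here and
    resolved later by unescape_value. Multi-valued RDNs (a+b) stay as one string.
    """
    rdns, buf, i, in_quotes = [], [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in DN")
    rdns.append("".join(buf))
    return [_trim(r) for r in rdns]


def unescape_value(raw):
    """Resolve backslash escapes in an attribute value and strip legacy quotes.

    Consecutive \\XX pairs are collected into bytes and decoded as UTF-8, so a
    hex-escaped multi-byte character comes back as one code point.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            hex_bytes = bytearray()
            while raw.startswith("\\", i) and _is_hex_pair(raw[i + 1:i + 3]):
                hex_bytes.append(int(raw[i + 1:i + 3], 16))
                i += 3
            if hex_bytes:
                out.append(hex_bytes.decode("utf-8"))
                continue
            out.append(raw[i + 1])  # escaped special character: , " + ; < > \ # = space
            i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def parse_rdn(rdn):
    """Split 'type=value' at the first '=' (attribute types never contain '=')."""
    if "=" not in rdn:
        raise ValueError(f"RDN without '=': {rdn!r}")
    attr_type, raw_value = rdn.split("=", 1)
    return attr_type.strip(), unescape_value(raw_value.strip(" "))


def parse_dn(dn):
    """Return the DN as a list of (type, value) pairs with escapes resolved."""
    return [parse_rdn(r) for r in split_dn(dn)]


if __name__ == "__main__":
    # The DN from the release-notes example: three RDNs, one literal comma.
    print(parse_dn(r"o=Example Company\, Inc.,dc=example,dc=com"))
```

Running parse_dn over the target DNs of your ACIs before loading them lets you spot the single-escaped-comma and escaped-quote forms that this release mis-parses; a DN that splits into the expected number of RDNs here but is rejected by the server identifies the affected ACI.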


The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.


Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.


On Windows, SASL authentication fails for either of the following two reasons:

  • SASL encryption is used.

    To work around the issue caused by SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

    dn: cn=SASL, cn=security, cn=config
      dssaslminssf: 0
      dssaslmaxssf: 0
  • The installation is done using native packages.

    To work around the issue caused by the native packages installation, set SASL_PATH to install-dir\share\lib.


Directory Service Control Center fails to generate a self-signed certificate when you specify the country.


Directory Service Control Center does not properly display userCertificate binary values.


The configuration attribute name, passwordRootdnMayBypassModsCheck, does not reflect that the server now allows any administrator to bypass password syntax checking when modifying another user's password when the attribute is set.


Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.


On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.


The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.


On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.


The dsadm enable-service command does not work correctly with Sun Cluster.


The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.


The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.


Unless you start Directory Server at least once, the dsadm enable-service command fails to restart Directory Server upon system reboot.


Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.


Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.


After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.


When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser, such as the Mozilla web browser.


After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.


After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use the new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.


On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.


The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.


On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.


When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To work around this issue:

  1. Enable the Monitoring Plug-in using the web console or dpconf.

  2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port, and commandstream-adaptor-port.


The dsconf help-properties command works properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode property should be client-cert-first | http-basic-only | client-cert-only.


In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.


In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.


Output of the schema_push, repldisc, pwdhash, ns-inactivate, ns-activate, ns-accountstatus, mmldif, insync, fildif, entrycmp, dsrepair, dsee_deploy, dsadm show-cert, dsadm repack, and ldif commands are not localized.


Some output displayed by the dsccmon, dsccreg, and dsccsetup commands is not localized.


After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.


When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.


On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.


Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.


The Directory Server plug-in API includes the slapi_value_init(), slapi_value_init_string(), and slapi_value_init_berval() functions.

These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done() function.


Because of a known issue, nsslapd-idletimeout is not computed on Windows installations as documented under all conditions.

On Unix (including Solaris), nsslapd-idletimeout is computed when new connections are opened and when new data is received, as described in the documentation.

On Windows, nsslapd-idletimeout is computed the same way for secure connections or if ds-start-tls-enabled is true. However, for non-secure connections and if ds-start-tls-enabled is false, nsslapd-idletimeout is computed only when new connections are opened.


DSCC might not display long ACIs depending on the limit set by Internet Service Provider.


On Linux, if a Directory Server instance is started in a locale that is different from the locale in which the instance was created, multi-byte characters do not display properly.


When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, add the lines marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.

restart_on="none" type="service"> 
<service_fmri value="svc:/network/initial:default"/> 
+ <dependency name="nameservice" grouping="require_all" \
+ restart_on="none" type="service"> 
+ <service_fmri value="svc:/milestone/name-services"/> 
+ </dependency> 
<exec_method type="method" name="start" 
exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

The Directory Server Enterprise Edition Windows service fails to start more than one server instance when the system restarts.


You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6.

As a workaround, use JDK 1.5 instead.


Sun Java System Application Server bundled with Solaris 10 cannot create a SASL client connection for the authenticated mechanism and does not communicate with the Common Agent Container.

As a workaround, change the JVM used by Application Server by editing the appserver-install-path/appserver/config/asenv.conf file and replacing the AS_JAVA entry with AS_JAVA="/usr/java". Then restart your Application Server domain.


The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.


The DSCC Version window might display the HTML source code if DSCC is configured by deploying the Web Archive (WAR) file with Application Server. As a workaround, add the following entries in domain-path/domain-name/config/default-web.xml.


On Linux, the localized server messages shown in the DSCC progress window might display international characters garbled in non-English locales.


On Solaris 9 and Windows, when you access the online help from a console configured using the Web Archive (WAR) file, an error is displayed.


The idsktune command does not support SuSE Enterprise Linux.


If unzip is unavailable on the system, dsee_deploy does not install any product.


In the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.


If you configure the uniqueness plug-in to work across multiple attributes in Directory Server, an error is displayed during the Directory Server startup.


If you apply the Directory Server Enterprise Edition 6.2 patch without stopping the server instances, the dsadm info and dsadm stop commands report that a server is down while the server is running.


The string err= is not translated in some of the Korean and Simplified Chinese messages.


On Solaris, the instances registered as a service might not start after restarting the system.

As a workaround to this problem, run the following commands:

# /usr/sbin/svccfg
svc:> select application/sun/ds
svc:/application/sun/ds> delpropvalue start/timeout_seconds 60
svc:/application/sun/ds> delpropvalue stop/timeout_seconds 60
svc:/application/sun/ds> addpropvalue start/timeout_seconds 600
svc:/application/sun/ds> addpropvalue stop/timeout_seconds 600
svc:/application/sun/ds> quit

In the dsconf help, Directory Server is sometimes incorrectly translated as répertoire instead of serveur d'annuaire in the French language.


In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays multi-byte strings garbled.


If you set the value of the configuration property pwd-max-history-count, or the password policy attribute pwdInHistory, to its maximum allowed value, 24, the Directory Server instance might crash.

As a workaround, the value of pwd-max-history-count or pwdInHistory should not exceed 23.


In French, German, and Spanish languages, ROLE is translated in the dsconf enable-repl -? command's syntax but it is not translated later in the ROLE = master string.


In the command line interface help, the string INSTANCE_PATH is not translated in the German and Spanish languages.


On Linux, the Directory Server instances do not start at system restart if the maximum number of files is specified in the /etc/security/limits.conf file.

As a workaround, add the following in the etc/init.d/dsee_directory file.

# ulimit -Hn 65536
# ulimit -Sn 65536

The pop-up windows prompting for confirmation before stopping or unregistering servers display doubled apostrophes in the French locale.