Sun Java(TM) System Directory Server 5.2 Patch 6 Release Notes
Part Number 820-3003
These Release Notes contain important information about the Compressed Archive (patchzip) and Native Package (patch) of Sun Java System Directory Server 5.2 Patch 6. Those two types of delivery are covered in this document. Bugs fixed, new features and enhancements, known issues and limitations, and other information are addressed here. Read this document before you begin to apply 5.2 Patch 6 on top of the installed Directory Server 5.2 product.
Directory Server 5.2 Patch 6 replaces Directory Server 5.2 Patch 5, which has been withdrawn. The enhancements and fixes listed here are new with respect to Directory Server 5.2 2005Q4 (Patch 4).
IMPORTANT: If you have applied a hot fix to Directory Server 5.2 installed from native packages, make sure to use the workaround to reinstate symbolic links after a hot fix. Otherwise you do not benefit from the fixes made in the patch.
CAUTION: If you have applied the latest Network Security Services (NSS) 3.12 patch to your system, you must use the procedure described in Installation Information for Network Security Services 3.12 to ensure that your Directory Server 5.2 installation works properly.
CAUTION: Because of security issues in NSS and SASL components, the Sun Java(TM) System Directory Server 5.2 Patch 6 Security Patchzip 142806-01 must be applied on top of a Directory Server 5.2 Patch 6 ZIP installation. For directions see Installing Directory Server 5.2 Patch 6 Security Patchzip.
The most up-to-date version of these release notes can be found at the Sun Java System documentation web site: http://docs.sun.com/prod/sunone. Check the web site prior to installing and setting up your software. Then check the web site periodically thereafter to view the most up-to-date release notes and product documentation.
These release notes contain the following sections:
Third-party URLs are referenced in this document and provide additional, related information.
These release notes provide current information on the date they are published. However, if the English version of the release notes has a more recent publication date, it might be updated with more current information that is not provided in other versions. Consult the English version of the release notes for the most current information.
This is a maintenance release for Compressed Archive and Native Package installations of Directory Server 5.2. This update can be performed on Directory Server 5.2 only. This update cannot be performed on versions of Directory Server prior to Directory Server 5.2.
This section includes:
This activity may affect the server's maximum response time. Some customers may want to schedule it so as to limit the impact during peak hours.
A new parameter nsds5ReplicaTombstonePurgeSchedule has been added in the cn=replica,cn="suffixName",cn=mapping tree,cn=config entry to control the time window in which the purging thread may run. Its value syntax is the same as the nsds5ReplicaUpdateSchedule parameter.
Note:
In previous versions, all the tombstones were searched, and then the old ones were removed.
These fixes implement new matching rules and a new index so that only the tombstone entries that should be deleted are searched.
(If the delete operation pattern is regular and uses the default tombstone purging parameters, the old tombstone entries represent only 0.5% of the tombstone entries.)
This fix is activated by default on instances created after having installed Directory Server 5.2 Patch 6.
To activate the fix on existing instances, use a script on both UNIX and Windows platforms:
Note: Reindexing can take a long time on large databases. You can bypass the reindexing phase with the -q option and reindex afterwards, either manually or by reimporting the database.
This attribute is part of entry "cn=Password Policy,cn=config".
This feature became available as of Directory Server 5.2 Patch 4 but was not included in the documentation.
Directory Server 5.2 Patch 6 is available on the following platforms:
The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. However, this update is validated on IBM AIX 5.2. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but IBM AIX 5.1 is no longer supported by IBM.
Directory Server 5.2 Patch 6 running in 32-bit mode has been validated on Red Hat Linux AS 3.0 U4 based on AMD64 hardware.
Specific operating system patches may need to be installed before Directory Server 5.2 Patch 6 can be installed. For further information, refer to the Directory Server Installation and Tuning Guide issued with the initial release of Directory Server 5.2. You can obtain Solaris patches from http://sunsolve.sun.com.
ID Number | Description |
---|---|
4863706 | slapd crashes in replicated operation |
4884530 | Database Becomes Unavailable if LDIF File Is Inaccessible During Import |
4889077 | The db2ldif -s Command Causes Errors on Suffixes With a Subtree |
4925250 | Incorrect Error Message When Exporting a Subtree by Using the db2ldif -s Option |
5013318 | The replication of the password term of validity is not carried out |
5021269 | Addition of Entries With objectClass=nsTomstone Can Cause Replication to Fail |
5032637 | Post Operation Plug-In Function Not Called When Search Operation on Non-Existent Base DN |
5032956 | ns-ldapagt doesn't start if attribute nsSNMPMasterHost == "localhost" |
5037580 | Modifications to Default Index Attributes Are Not Migrated From DS 5.1 to DS 5.2 |
5072212 | MMR+SSL: Can't stop or use master after total update that failed |
5097725 | Replication problems when 2 consecutive MODs are executed on the same entry. |
5101669 | DB_INCOMPLETE during ns-slapd shutdown |
5102180 | passwordExpirationTime becomes out of sync at first password expiration warning (See the workaround for issue 5102180 in the Security section of Known Issues and Limitations.) |
6175472 | MMR: High performance degradation when purging tombstones |
6193747 | 5.2x: nsDS5ReplicaChangesSentSinceStartup doesn't work correctly |
6197516 | Need method/tool to determine progress of db recovery following a crash. |
6197647 | ACI without target attr doesn't work correctly |
6197650 | ACI behaves inconsistency in search vs modify |
6199890 | MMR2: Data inconsistency after restarting masters under load (replica_check_for_data_reload) |
6207013 | migrate5xto52 Script Breaks Replicated Topologies |
6218791 | Execution failure of migrateInstance5 in DS52P2 |
6219006 | Bad default value for nsslapd-maxbersize - does not match documented 2Mb |
6225458 | replication debug logging shows incorrect data |
6231191 | Inconsistent results between directory versions 5.1 Patch 3 and 5.2 Patch 2 for approximate searches with OR operator. |
6238540 | RUVs are not always in the correct order if unused RUVs are present |
6250000 | non-unique nsuniqueid can be added to MMR, breaking replication |
6252422 | Role doesn't work on consumer after online initialization |
6272611 | DS Can Crash If Backoff Timer Expires When Replication Agreement Detects an External Event |
6276601 | race condition in libdb32.dll (windows only) causing crash (Fixed in release 5.2 patch 4 but not included in the 5.2 patch 4 release notes.) |
6283810 | DS5.2p3: ldapmodify with MODRDN and other changes in attr in one statement break replication forever |
6283871 | restore fails after binary copy/backup if cn attribute mismatches on lower/upper-case characters |
6287770 | More verbose and meaningful message when server fails to replay schema changes to consumer |
6291178 | Partial replication get broken if there are several suppliers with changelog trimming |
6292310 | modrdn at the same time as modifying an attribute value of parent entry causes deadlock in DS 5.2 P3 |
6294113 | DS5.2p3- after first empty replace op. on single-valued attribute no futher add possible - rpl. on |
6295322 | Memory leak in password policy |
6295323 | Memory leak in virtual attribut (with cos plugin) |
6296390 | Memory leak in 5.2 Patch 2. (and in DS6) |
6296972 | Incorrectly formatted DSML requests crash DS5.2 Patch3 on Solaris x86 |
6299664 | Modify using replace on an attribute for the first time with a value of 0 results in a NULL value |
6300470 | If retro changelog is enabled and a glue entry has to be created, the server crashes |
6300692 | Deadlock between tombstone purging thread and ACL plug-in |
6301695 | DS 5.2 p3, crash in mutex_lock while searching for replication agreements |
6303166 | Adding Patch 115614-25 Fails (./directoryserver: test: unknown operator 0) |
6305434 | Server crash if encrypted attribute exists with no value |
6309444 | memory leak in plugin_get_pwd_storage_scheme_list() |
6310373 | DS5.2 P3 is getting segmentation fault (sig #11) when using bak2db; db2bak.pl works fine. |
6310880 | modRDN of entry with multi-valued attr causes data inconsistency when replacing those attr |
6313027 | Plug-in allowing uniqueness in a set of attribute server does not ensure uniqueness for add operation |
6314338 | Improve ACI performance when using substring matching in the target dn value |
6316753 | core dump during vlvindex |
6317547 | libdb32 is missing from patchzip package on non-Solaris platform |
6319297 | ns-ldapagt 5.2 fails to resolve ipv4 address when ipv6 is not configured |
6320219 | Fix for CR 6255780 not effective for all test-case scenarios |
6321793 | csnset insertion error |
6324064 | Potential memory leak when closing a replication connection |
6324357 | replication miss changes under load |
6325572 | CoS-defined attribute not found on entries after online initialization |
6325574 | directory server crashes at startup in changelog init |
6325594 | Indiv passwd policy specifies plaintext, but passwd in new entry is replicated in encrypted form |
6325692 | failure to open database file during backup |
6332796 | RFE: Replication repair tool |
6333657 | Avoid to walk all nscpentrydn index when purging the tombstone. |
6338142 | Full distribution zip files would need to be renamed |
6338797 | Need to be able to schedule tombstone purging threads |
6340125 | cl_cache_get and cl_cache_set on same changelog crashes DS |
6341398 | memory leak in cos |
6342200 | start-slapd may fail while ns-slapd is started rightly |
6344220 | db2ldif fails when run from a ds52p3 instance on top of sun cluster |
6345005 | Directory Server may crash when Referential integrity log file is truncated. |
6347288 | prevent possible LDAP SDK crash (bugid 6315802) on DS |
6349613 | File's ownership changed to the non-existent user "865:staff" when we upgrade to patch4 as root. |
6350299 | Code review shows that an error message is missing in start-slapd |
6350924 | DSML request fails if DS is installed on the path including a space on Windows |
6352579 | Classic CoS under sub-sub-org does not work as configured |
6352920 | DS6.x control 1.3.6.1.4.1.42.2.27.9.5.7 does not guarantee CSN existence |
6353044 | Directory server hangs when an error occurs during error log rotation info. |
6354246 | bak2db crashed with dumping core |
6355718 | inconsistent search results due to access controls |
6356373 | Indirect CoS doesn't use multiple templates as documented |
6357602 | Add a error log message to show DS is using one/multiple/no memory pools |
6361850 | SNMP: ns-ldapagt send start trap(7002) twice when DS gets started. |
6362045 | Encrypted attribute w/base64 encoded null as value causes crash |
6362534 | MMR: generated csn for an op. is not systematically higher than a previous op. csn |
6363679 | 5.2 Patch 6: upgrade to the latest sleepycat db32 build to fix a db recovery failure |
6365448 | ldif2db may hang or crash |
6368504 | Merge of DB files during ldif2db skips keys due to incorrect cont. block prefix |
6371707 | Memory leak when index contains a continuation block |
6372409 | bak2db.pl does not remove the pid.recover file. |
6372433 | Insync shows err "Warning: CSN has not been initialized. No updates?" when RUV's contained 65535 |
6375284 | Replication loses changes with M1->M2->C1 replication scenario |
6377250 | Server crash when adding vlv index with incorrect vlvFilter |
6377304 | 5.2patch4: possible memory leak in uid uniqueness plugin |
6380313 | Memory leak in aci group member evaluation |
6381504 | When nsslapd-db-transaction-batch-val is set, txn flush fails to enforce this limit |
6382134 | ldapcompare and COS don't work well together |
6384310 | Directory Server remote DOS due to large memory allocation |
6386607 | mmldif need to be able to manage huge files - need 64 bits version |
6386671 | ou=groups contains duplicate data |
6387583 | Customer installed incorrect ds version on Solaris (pkg vz patchzip) |
6389593 | adding an entry with attr usepassword in the RDN breaks replication |
6390827 | deadlock in connection handling between multiple internal ops by incomming replication operation |
6403398 | ns-slapd hangs on first shutdown after install, on T2000 (Niagra sun4v system) |
6405736 | Renaming corrupted child entry could crash the server |
6406283 | substring filter can be slow if they are changed into range index |
6407726 | import may mess up userpassword entry state |
6410132 | weird modrate behaviour in patch. |
6411228 | DS incorrectly hard sets max connection backlog q to 128 (this shows in listen hash as 193 fyi) The fix for this issue includes a new attribute for configuring the maximum number of pending connections maintained by Directory Server, nsslapd-listenBacklog. The value of this configuration attribute is passed for example to the listen() function on Solaris systems. For more information on this configuration attribute, see the reference manual page on docs.sun.com. |
6413356 | DS xerces release 2_0_0: integration of the fix for bugzilla 7698 (handle space in schemalocation) |
6419908 | Directory Server substring performance improvement |
6421019 | bak2db fails due to \n in DBBACKEND file |
6421877 | Add some additional info to help core analysis on optimized version |
6422147 | Directory crashes with nsrole negate search |
6425835 | Add cn=config attribute to control default initial ber buffer size |
6427222 | ldap_decode_control ber_scanf passed pointer to invalid type |
6428474 | Account availability Password Policy Control not properly encoded |
6433783 | Entry may be skipped while import an LDIF file generated with db2ldif.pl -r. |
6434388 | DS 5: Connections closed due to exceeding ioblocktimeout don't get properly logged (no T2 is logged) |
6435180 | db2bak error on Windows when changelogdb path has backslash |
6439482 | ACI problem that could enable users to guess correct values |
6442106 | Crash while enabling replication |
6443806 | DS5.2 Patch 6: upgrade to latest ldapcsdk 5.13 |
6444033 | DS does not always enforce ioblocktimeout when writing result over secure connection |
6445928 | Slow performance of nsrole evaluation in DS5.2x compared to DS5.1x due to dn normalization |
6453388 | zero alloc error when retrocl and tmr-plugin enabled |
6454312 | uid uniqueness plugin can allow duplicate uids |
6457114 | Memory leak on consumer due to password policy |
6457484 | enabling trace crashes server during shutdown |
6457767 | vlv searches leak memory in DS 5.2 |
6458029 | tag in access log is incorrect for replicated operations |
6458842 | Implementation of REPL_LATENCY_CONTROL in 5.2 Patch 6 |
6461526 | dsrepair should tell that Replication Repair plugin is not enabled (instead of [no result]) |
6462036 | DS 5.2 ns-slapd may not clean up correctly when handling failed queries |
6466900 | Security: empty MOD / replace behaviour differs when entry has attribute vs when attribute doesn't |
6468242 | Corrupted replication changelog on linux |
6468376 | Hardening Replication when nsuniqueid is missing from index but the entry exists |
6469724 | DS5.2P5: integration of the ISW pre-operation plug-in |
6470185 | Certain DSML requests crash our server |
6471345 | Crash on a master (changelog trimming?) |
6471357 | DN could be reported invalid when spaces found after "+" in multivalued attributes. |
6475750 | In add operation, add operational attribute entrydn to the entry before caching this entry. |
6476748 | although master is in Referral on update mode the GUI does not show the "Accept new updtate" button |
6479809 | Changelog fully trimmed silently when configuring am invalid nsslapd-changelogmaxage |
6480275 | Memory leak during LDAP write operations when failing to update a matching rule index |
6480276 | At startup DS crashes if the changelog db is not readable |
6480591 | DS 5.2 p3/p4, delay of 1 sec in MOD sometimes |
6481790 | Memory leak during LDAP write operations when updating MAtching Rules Indexes |
6482778 | DS5.2P5: upgrade to NSS 3.11.3 |
6483913 | 5.2 Patch upgrade is not taking account new components as, for instance, psw-plugin.so |
6484401 | DS5.2P5: integration of the IDM plug-in |
6484407 | Patches synopsis need to be changed |
6486779 | Buffer overflow within DSML plugin w/Long (~80+ byte) DS version string |
6487298 | DS leaks memory when no connections are available within the conn. table |
6489416 | Regression: Performance/Error issue with substring filters such as (uid=123*). |
6491030 | slapd_nss_decrypt() leaks memory on every call |
6496478 | Patches are missing for SASL and LDAPCSDK |
6498949 | Crafted LDAP packet causes memory leak in DS5.2 |
6502488 | pwdhash & getpwenc: Segmentation Fault(coredump). |
6502522 | Regression against 6305434 on DS 5.2 Patch 6 |
6504653 | SchemaCSN.: error during the installation |
6507242 | Doc fix request: The result code 71 is omitted from the list of "not" returned by the ldap server |
6507263 | README for native patch: wrong informations |
6509593 | slapd doesn't start after backing out DS5.2 Patch 6 (115611-24, 115615-27) |
6510175 | can't backout patch if more than one instance created |
6511689 | core dump when searching index entry after the use of db2index |
6516274 | RPM: can not configure AS + DS |
6516951 | An anonymous modify request can crash the server |
6520209 | upgrade: mpsadmserver should not return err code 0 if using bad password |
6520247 | downgrade: postbackout should display a warning to use sync-cds when removing the patches |
6520296 | regression in dsmlfe acceptance testsuite: testcase 110_bind_6 is failing |
6522342 | HP-UX install: ZIP distribution refer to native PKGS |
6523388 | windows: ds_create: can not create a new instance in an existing serverroot |
6524878 | HP-UX upgrade: can not start a new instance |
6530624 | DS5.2P4: Unauthorized user may change some data in entries under specific conditions |
6541494 | regression : replication is broken : "numsubordinates assertion failure" |
6587775 | patch5 does not start - beta software has expired |
6625224 | 5.2patch6 on Windows will not be able to start - beta software has expired |
6732552 | The ActivateFix6175472 command location for JES version is different from the one in 5.2p6 release notes. |
6748701 | The value of nsDS5ReplicaTombstonePurgeInterval stated in the Directory Server 5.2 Patch 6 release notes is incorrect. |
The following bugs are fixed since Directory Server 5.2 Patch 4 but not mentioned in Sun Java(TM) System Directory Server 5.2 2005Q4 Release Notes.
IMPORTANT: The full JES4 distribution and the JES4 upgrade patches 118080-11 (Linux), 121392-02 (Windows MSI), and 121393-01 (HP-UX) integrate the fix, but patchzip patches 117665-03, 117666-03, 117667-03, 117668-03, 117669-03, 117670-03 do not.
To get the fix for the patchzip, upgrade to 5.2 patch 6 applying the latest patchzip patches (117665, 117666, 117667, 117668, 117669, 117670).
This bug has been fixed since Directory Server 5.2 Patch 2.
This section includes Installation Information for both Compressed Archive and Native Package deliveries.
As a matter of technical background, the PKCS#11 cryptographic software interface standard used in many Sun server products requires every process that uses a PKCS#11 cryptographic library to initialize that library for itself. No process can rely on the initialization that might have been performed by the parent process to leave the cryptographic library in a usable state. Programs that do not conform to this requirement, but instead rely on the library being usable after it was initialized by a parent process, are not guaranteed to work with all hardware and software cryptographic modules that conform to that interface standard.
As of NSS release 3.12.3, NSS's cryptographic library requires programs that use it to conform to the requirement that every process must initialize the library for itself.
For Sun Java System Directory Server Enterprise Edition, only version 6.3.1 (and later versions) is compliant with this requirement. No release of Directory Server 5.2 complies, including its initial release through the 5.2 Patch 6 releases.
Directory Server 5.2 administrators might decide to upgrade to DSEE 6.3.1. For details, refer to the table titled "Upgrade Paths to Directory Server Enterprise Edition 6.3.1" in the Sun Java System Directory Server Enterprise Edition 6.3.1 Release Notes.
Otherwise, to disable the requirement, Directory Server 5.2 administrators who applied the NSS 3.12.3 patch must set the following environment variable:
export NSS_STRICT_NOFORK=DISABLED
After the NSS_STRICT_NOFORK=DISABLED environment variable is set, the Directory Server, Admin Server, and Console can be restarted.
Directory Server 5.2 administrators must also set symbolic links to the new libraries delivered in the NSS 3.12.3 patch, as shown here. Note that the default value of the SERVER_ROOT pathname is /var/opt/mps/serverroot.
cd/lib
cd /var/opt/mps/serverroot/lib
ln -s /usr/lib/mps/secv1/libnssdbm3.so libnssdbm3.so
ln -s /usr/lib/mps/secv1/libnssutil3.so libnssutil3.so
ln -s /usr/lib/mps/secv1/libsqlite3.so libsqlite3.so
cd /var/opt/mps/serverroot/lib/sparcv9
ln -s /usr/lib/mps/secv1/sparcv9/libnssdbm3.so libnssdbm3.so
ln -s /usr/lib/mps/secv1/sparcv9/libnssutil3.so libnssutil3.so
ln -s /usr/lib/mps/secv1/sparcv9/libsqlite3.so libsqlite3.so
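A read-only audit of the two workaround steps above, added here as an example and not part of the release notes: it checks that NSS_STRICT_NOFORK is DISABLED and that each library under SERVER_ROOT/lib is a symbolic link to the NSS patch copy rather than a missing entry, a regular file, or a dangling link. The function names and the sample tree are constructed for illustration; the library names and default paths are the ones given on this page.

```shell
#!/bin/sh
# Added example, not from the release notes: audit the NSS 3.12.3 workaround.
# Library names and default paths are the ones on the page; function names
# and the sample tree are constructed for illustration.

NSS_LIBS="libnssdbm3.so libnssutil3.so libsqlite3.so"

# Print the target of a symbolic link without relying on readlink(1).
link_target() {
    ls -ld "$1" | sed 's/.* -> //'
}

# True when the variable that relaxes the NSS fork check is set as the page says.
nofork_disabled() {
    [ "${NSS_STRICT_NOFORK:-}" = "DISABLED" ]
}

# check_nss_links SERVER_ROOT NSS_DIR [SUBDIR ...]
# SUBDIR "." is SERVER_ROOT/lib itself; "sparcv9" is the 64-bit SPARC directory.
# Prints one line per library and returns the number of problems found.
check_nss_links() {
    root=$1; nss=$2; shift 2
    [ "$#" -gt 0 ] || set -- . sparcv9
    problems=0
    for sub in "$@"; do
        case $sub in
            .) dir=$root/lib;      src=$nss ;;
            *) dir=$root/lib/$sub; src=$nss/$sub ;;
        esac
        for lib in $NSS_LIBS; do
            link=$dir/$lib; want=$src/$lib
            if [ ! -h "$link" ]; then
                # A regular file here is not a link to the patched library.
                if [ -e "$link" ]; then state="NOT-A-LINK"; else state="MISSING"; fi
            elif [ "$(link_target "$link")" != "$want" ]; then
                state="WRONG-TARGET"
            elif [ ! -e "$link" ]; then
                state="DANGLING"      # link is right but the NSS file is absent
            else
                state="OK"
            fi
            [ "$state" = "OK" ] || problems=$((problems + 1))
            echo "$state $link"
        done
    done
    return "$problems"
}

# Build a constructed tree: one correct link, one regular file, one missing.
build_sample_tree() {
    t=$1
    mkdir -p "$t/nss" "$t/root/lib"
    for lib in $NSS_LIBS; do : > "$t/nss/$lib"; done
    ln -s "$t/nss/libnssdbm3.so" "$t/root/lib/libnssdbm3.so"
    : > "$t/root/lib/libnssutil3.so"
}

# Demonstration on the constructed tree (32-bit directory only).
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
check_nss_links "$demo_dir/root" "$demo_dir/nss" . || echo "problems: $?"
nofork_disabled || echo "NSS_STRICT_NOFORK is not DISABLED in this environment"
rm -rf "$demo_dir"
```

On a host with the default layout, the equivalent call is `check_nss_links /var/opt/mps/serverroot /usr/lib/mps/secv1 . sparcv9`, run from the same environment that starts the servers.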
IMPORTANT: Directory Server 5.2 Patch 6 is not available as a full distribution. You must have a previous version of Directory Server 5.2 installed on your system to be able to upgrade to Directory Server 5.2 Patch 6 applying the compressed archive patchzip object.
CAUTION: Before upgrading to Directory Server 5.2 Patch 6, make sure you have an LDIF backup of the data of the current version of Directory Server 5.2 installed.
Once you apply patch 117665 to your compressed archive (zip) version of Directory Server 5.2, you cannot downgrade to the previously installed version of Directory Server 5.2. No automated backout mechanism exists. Instead, to downgrade you must reinstall the previously installed version of Directory Server 5.2, and then reimport your data from backup.
This section lists the patches that correspond to this release. The patches are available at http://sunsolve.sun.com.
NOTE: No new localized patches have been released for Directory Server 5.2 Patch 6. To get a localized version of Directory Server 5.2 Patch 6, you need to apply the Directory Server 5.2 Patch 4 localized patches.
Localized patches are independent of the operating system that you use. The localized patch IDs are as follows:
For information about installation, see the following sections:
Read the following notes before installing this patch:
The following instructions apply to a full installation of Directory Server and Administration Server on the target host. Instructions for other types of installation are in the README file of the compressed archive.
In this section, <SERVER ROOT> is the directory where the Directory Server product has been installed.
# mkdir <MyDirectory>
# cd <MyDirectory>
# cp <package>.tar.gz .
# gunzip <package>.tar.gz
# tar xvf <package>.tar
The ID and password are provided with the command.
The ID and password are requested interactively.
The ID and password are provided in the following lines of the file <CREDENTIAL FILE>:
Admin Id: <ADMIN ID>
Admin Password: <ADMIN PASSWORD>
Alternatively, if the owner of <SERVER ROOT> is a non-root user, but the server uses a privileged port such as 389, run the installation script by using the following command as root:
./install.sh <SERVER ROOT> <ADMIN ID> <ADMIN PASSWORD> <SERVER UID> <SERVER GROUP>
The Directory Server is restarted by the installation script.
# mkdir <MyDirectory>
# cd <MyDirectory>
# cp <ZIP file> .
# unzip <ZIP file>
- If <SERVER ROOT>, <ADMIN ID> or <ADMIN PASSWORD> do not contain special characters, use this command:
# install.bat <SERVER ROOT> <ADMIN ID> <ADMIN PASSWORD>
- If <SERVER ROOT>, <ADMIN ID> or <ADMIN PASSWORD> contain special characters, use this command:
# lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl
/
"<SERVER ROOT>" "<ADMIN ID>" "<ADMIN PASSWORD>"
Values with special characters must be protected with double quotes (").
Directory Server is restarted by the installation script.
Caution: Because of security issues in NSS and SASL components, the Sun Java(TM) System Directory Server 5.2 Patch 6 Security Patchzip 142806-01 must be applied on top of a Directory Server 5.2 Patch 6 ZIP installation.
Note: This patch cannot be applied to versions of Directory Server 5.2 earlier than 5.2 Patch 6. For directions to upgrade to version 5.2 Patch 6, see Installation Instructions.
To install Directory Server 5.2 Patch 6 Security Patchzip 142806-01, download it from http://sunsolve.sun.com and follow the installation instructions provided in the README file.
IMPORTANT: Directory Server 5.2 Patch 6 is not available as a full distribution. You must have a previous version of Directory Server 5.2 installed on your system to be able to upgrade to Directory Server 5.2 Patch 6.
To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions. Updated versions of applications can be found at: http://sun.com/software/javaenterprisesystem/get.html.
For information on Sun's commitment to accessibility, visit http://sun.com/access.
The following tables give the numbers and minimum versions for the alignment patches.
All patches referred to in this section are the minimum version number required for upgrade. It is possible that a new version of the patch has been issued since this document was published. A newer version is indicated by a different version number at the end of the patch. For example: 123456-04 is a newer version of 123456-02, but they are the same patch ID. Refer to the README file for each patch listed for special instructions.
To access the patches, go to http://sunsolve.sun.com.
Patch Number | Patch Description |
---|---|
| | International Components for Unicode Patch |
| | NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4 |
| | Simple Authentication and Security Layer (2.18) |
| | Sun Java(TM) System Administration Server 5.2 Patch 6 |
| | Sun Java(TM) System Directory Server 5.2 Patch 6 |
| | Patch for Directory Server localized Solaris packages |
117047-24 | Patch for Administration Server localized Solaris packages |
| | LDAP CSDK - SUNWldk, SUNWldkx |
| | LDAP JDK Patch |
Patch Number | Patch Description |
---|---|
| | International Components for Unicode Patch |
| | NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4 |
115343-02 | Simple Authentication and Security Layer (2.18) |
| | Sun Java(TM) System Administration Server 5.2 Patch 6 |
| | Sun Java(TM) System Directory Server 5.2 Patch 6 |
| | Patch for Directory Server localized Solaris packages |
117047-24 | Patch for Administration Server localized Solaris packages |
| | LDAP CSDK - SUNWldk |
| | LDAP JDK Patch |
Patch Number | Patch Description |
---|---|
119810-01 | International Components for Unicode Patch |
| | NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4 |
| | Simple Authentication and Security Layer (2.18) |
| | Sun Java(TM) System Administration Server 5.2 Patch 6 |
| | Sun Java(TM) System Directory Server 5.2 Patch 6 |
| | Patch for Directory Server localized Solaris packages |
117047-24 | Patch for Administration Server localized Solaris package |
| | LDAP CSDK - SUNWldk, SUNWldkx |
| | LDAP JDK Patch |
Patch Number | Patch Description |
---|---|
119811-01 | International Components for Unicode Patch |
| | NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4 |
| | Simple Authentication and Security Layer (2.18) |
| | Sun Java(TM) System Administration Server 5.2 Patch 6 |
| | Sun Java(TM) System Directory Server 5.2 Patch 6 |
| | Patch for Directory Server localized Solaris packages |
117047-24 | Patch for Administration Server localized Solaris package |
| | LDAP CSDK - SUNWldk |
| | LDAP JDK Patch |
Patch Number | Patch Description |
---|---|
No patch available. Same level as Release 4. | sun-icu-2.1-6.i386.rpm |
121656-12 | sun-nspr-4.6.6-1.i386.rpm sun-nspr-devel-4.6.6-1.i386.rpm sun-nss-3.11.6-1.i386.rpm sun-nss-devel-3.11.6-1.i386.rpm sun-jss-4.2.4-5.i386.rpm |
No patch available. Same level as Release 4. | sun-sasl-2.18-1.i386.rpm |
| | sun-directory-server-5.2-27.i386.rpm |
| | sun-admin-server-5.2-20.i386.rpm |
118290-12 | sun-directory-server-de-5.2-17.i386.rpm sun-directory-server-es-5.2-17.i386.rpm sun-directory-server-fr-5.2-17.i386.rpm sun-directory-server-ja-5.2-17.i386.rpm sun-directory-server-ko-5.2-17.i386.rpm sun-directory-server-zh_CN-5.2-17.i386.rpm sun-directory-server-zh_TW-5.2-17.i386.rpm |
118289-13 | sun-admin-server-de-5.2-19.i386.rpm sun-admin-server-es-5.2-19.i386.rpm sun-admin-server-fr-5.2-19.i386.rpm sun-admin-server-ja-5.2-19.i386.rpm sun-admin-server-ko-5.2-19.i386.rpm sun-admin-server-zh_CN-5.2-19.i386.rpm sun-admin-server-zh_TW-5.2-19.i386.rpm sun-server-console-de-5.2-19.i386.rpm sun-server-console-es-5.2-19.i386.rpm sun-server-console-fr-5.2-19.i386.rpm sun-server-console-ja-5.2-19.i386.rpm sun-server-console-ko-5.2-19.i386.rpm sun-server-console-zh_CN-5.2-19.i386.rpm sun-server-console-zh_TW-5.2-19.i386.rpm |
118353-03 | sun-ldapcsdk-5.18-1.i386.rpm |
| | sun-ljdk-4.19-6.i386.rpm |
Patch Number | Patch Description |
---|---|
No patch available. Same level as Release 4 | LDAP CSDK sun-ldapcsdk, sun-ldapcsdkx depots |
| | Sun Java(TM) System LDAP Java Development Kit patch depots |
121497-01 | International Components for Unicode Patch |
| | NSPR 4.6.6 / NSS 3.11.6 / JSS 4.2.4 |
121493-01 | Simple Authentication and Security Layer (2.18) |
| | Sun Java(TM) System Administration Server 5.2 Patch 6 |
| | Sun Java(TM) System Directory Server 5.2 Patch 6 |
| | Patch for Directory Server localized HP-UX depots |
121933-01 | Patch for Administration Server localized HP-UX depots |
To prevent inconsistency between the schema and the database, the schema file is migrated during migration from Directory Server 5.1 to Directory Server 5.2. Before performing a migration, remove the schema file from your 5.1 schema if the following conditions are true:
Removing the schema file from your 5.1 schema will enable you to have a version of the file that conforms to rfc2307.
If you have customized this file or if your database refers to the schema contained within it, perform the following steps:
NOTE: This issue also impacts replication. See the Replication section for more information.
This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.
The upgrade of Directory Server and Administration Server software to Directory Server 5.2 Patch 6 takes into account the following considerations:
Description | SPARC Solaris 8, 9, & 10 | X86 Solaris 9 & 10 |
---|---|---|
Directory Server | | |
Directory Server localization | | |
Administration Server | | |
Administration Server localization | | |

1 Patch revision numbers are the minimum required for upgrade to Directory Server 5.2 Patch 6. If newer revisions become available, use the newer ones instead of those shown in the table.
The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.
The steps below make use of two commands: directoryserver(1m) and mpsadmserver(1m). For more information about these commands, see the Directory Server Man Page Reference and the Administration Server Man Page Reference.
Patches can be downloaded to /tmp from: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
su -
Components should be shut down in the following order:
For information about how to shut down a Java ES component, see its respective administration guide.
You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place (some Administration Server code is installed even in standalone mode).
Be sure to apply the Administration Server localization patch (117047) before applying the Administration Server base patch.
patchadd patch_ID
showrev -p | grep patch_ID
The output should return the versions of patch IDs applied in Step b.
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/usr/sbin/mpsadmserver sync-cds
You will be prompted for the admin username and password.
cd /var/opt/mps/serverroot
mkdir -p admin-serv/config
vi admin-serv/config/adm.conf
isie: cn=Administration Server, cn=Server Group, cn=hostname, ou=administration_domain, o=NetscapeRoot
All on one line where hostname is the fully qualified Directory Server host name and administration_domain is typically the host’s domain name.
Be sure to apply the Directory Server localization patch (117015) before applying the Directory Server base patch.
patchadd patch_ID
showrev -p | grep patch_ID
The output should return the versions of patch IDs applied in Step c.
/usr/sbin/directoryserver -d 5.2
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/usr/sbin/directoryserver -u 5.2 sync-cds
You will be prompted for the admin username and password.
You can verify a successful upgrade of Directory Server and Administration Server by running the following commands:
cd serverroot/bin/slapd/server
./ns-slapd -v
The current version is displayed, and it should appear as shown here:
Sun Java(TM) System Directory Server/5.2_Patch_6
Then check the startup messages in the Directory Server error log:
/var/opt/mps/<serverroot>/logs/errors
This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.
The upgrade of Directory Server and its associated components to Directory Server 5.2 Patch 6 on the Linux platform takes into account the same considerations as on the Solaris platform (see Upgrade Considerations (Solaris)), except that the Linux 5.2 Patch 6 upgrade patches differ from the Solaris patches.
The Release 5.2 Patch 6 Directory Server and Administration Server upgrade patches for Linux OS are shown in the following table:
Description | Patch ID and RPM names |
---|---|
Directory Server | sun-directory-server-5.2-27.i386.rpm |
Directory Server localization | sun-directory-server-Locale-5.2-17.i386.rpm |
Administration Server | sun-admin-server-5.2-20.i386.rpm |
Administration Server localization | sun-admin-server-Locale-5.2-19.i386.rpm |
1 Patch revision numbers are the minimum required for upgrade to Directory Server 5.2 Patch 6. If newer revisions become available, use the newer ones instead of those shown in the table.
The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.
CAUTION: An upgrade from any Java ES release to Directory Server 5.2 Patch 6 on Linux cannot be rolled back.
The steps below make use of two commands: directoryserver(1m) and mpsadmserver(1m). For more information about these commands, see the Directory Server Man Page Reference and the Administration Server Man Page Reference.
Patches can be downloaded to /tmp from: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
In the following procedure oldVersion signifies the RPM for any Java ES version (RTM, Release 2, Release 3 or Release 4) before 5.2 Patch 6 of Directory Server and Administration Server.
su -
Components should be shut down in the following order:
For information about how to shut down a Java ES component, see its respective administration guide.
You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place.
Be sure to apply the Administration Server localization RPMs (118289) before applying the Administration Server base RPMs.
rpm -Fvh sun-admin-server-Locale-5.2-19.i386.rpm
rpm -Fvh sun-server-console-Locale-5.2-19.i386.rpm
rpm -Fvh sun-admin-server-5.2-20.i386.rpm
...
If your Administration Server was configured previously, the following error will be returned:
error: execution of %preun scriptlet from sun-admin-server-5.2-oldVersion failed, exit status 1
If this is the case, remove the old version of the RPM using the --noscripts option, as follows:
rpm -e --noscripts sun-admin-server-5.2-oldVersion
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/opt/sun/sbin/mpsadmserver sync-cds
You will be prompted for the admin username and password.
rpm -q sun-admin-server
The new version number of the RPM should be returned.
rpm -Fvh sun-server-console-5.2-20.i386.rpm
rpm -Uvh sun-admin-server-man-5.2-9.i386.rpm
rpm -Fvh sun-admin-server-5.2-20.i386.rpm
Otherwise proceed directly to Step 7b.
Be sure to apply the Directory Server localization RPMs (118290) before applying the Directory Server RPMs.
rpm -Fvh sun-directory-server-Locale-5.2-17.i386.rpm
rpm -Fvh sun-directory-server-5.2-27.i386.rpm
...
If your Directory Server was configured previously, the following error will be returned:
error: execution of %preun scriptlet from sun-directory-server-5.2-oldVersion failed, exit status 1
If this is the case, remove the old version of the RPM using the --noscripts option, as follows:
rpm -e --noscripts sun-directory-server-5.2-oldVersion
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/opt/sun/sbin/directoryserver sync-cds
You will be prompted for the admin username and password.
rpm -q sun-directory-server
The new version number of the RPM should be returned.
rpm -Uvh sun-directory-server-man-5.2-10.i386.rpm
You can verify successful upgrade of Directory Server and Administration Server by running the following commands:
The current version is displayed, and it should appear as shown here:
Sun Java(TM) System Directory Server/5.2_Patch_6
Then check the startup messages in the Directory Server error log:
There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (Solaris) and Upgrade Procedure (Linux).
This section describes considerations that impact the upgrade rollback procedure for Directory Server and Administration Server, followed by the procedure itself.
The procedure for rolling back the upgrade to Release 5.2 Patch 6 of Directory Server and Administration Server is essentially the reverse of the procedure for upgrading to Release 5.2 Patch 6. The patches are removed and the configuration directory is re-synchronized.
One special consideration is that when you apply patches, you upgrade the SSL certificate database to a cert8 format. The patch backs up the cert7 data, and then converts it to cert8 format. If you subsequently decide to roll back the upgrade and have added new certificates to the certificate database, you should manually extract these certificates, back out the patches, and then add the certificates back to the previous cert7 format certificate database.
Note: This consideration applies when you have upgraded to Directory Server 5.2 Patch 6 from any Directory Server 5.2 version before 5.2 Patch 4. The SSL cert8 format was introduced in Directory Server 5.2 Patch 4.
When you roll back an upgrade after having changed the SSL certificate database, you cannot start in SSL mode. To work around this problem, turn off SSL mode, restart Directory Server and Administration Server, reinstall the certificate, and then enable SSL mode.
Components should be shut down in the following order:
For information about how to shut down a Java ES component, see its respective administration guide.
If you are rolling back to Directory Server 5.2 2003Q4, follow these steps:
/usr/sbin/directoryserver -u 5.2 sync-cds 5.2
You will be prompted for the admin username and password.
patchrm patch_ID
If it is local you might have to start it up. If it is remote, check to make sure it is running.
If you are rolling back to Directory Server 5.2 2004Q2, Directory Server 5.2 2005Q1, or Directory Server 5.2 2005Q4, then follow these steps:
patchrm patch_ID
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/usr/sbin/directoryserver -u 5.2 sync-cds
You will be prompted for the admin username and password.
If you are rolling back to Directory Server 5.2 2003Q4, follow these steps:
/usr/sbin/mpsadmserver -u 5.2 sync-cds 5.2
You will be prompted for the admin username and password.
patchrm patch_ID
If it is local you might have to start it up. If it is remote, check to make sure it is running.
If you are rolling back to Directory Server 5.2 2004Q2, Directory Server 5.2 2005Q1, or Directory Server 5.2 2005Q4, follow these steps:
patchrm patch_ID
If it is local you might have to start it up. If it is remote, check to make sure it is running.
/usr/sbin/mpsadmserver sync-cds
You will be prompted for the admin username and password.
The procedures in Upgrading Directory Server and Administration Server on Solaris do not explicitly deal with deployment architectures in which Directory Server is replicated for availability or scalability. These architectures might include Directory Server multi-master replication or the deployment of Directory Server as a data service in a Sun Cluster environment.
This section discusses Directory Server upgrades in these situations.
Multiple instances of Directory Server on different computer systems, as used in multimaster replication deployment architectures, can be sequentially upgraded one instance at a time. The upgrade of each instance on its respective host computer is performed while the other instances are left running. This rolling upgrade allows the directory service to remain online while the individual Directory Server instances that provide the service are being upgraded.
This section describes how to upgrade and roll back Directory Server as a data service in a Sun Cluster environment. Consider the following points before you upgrade or back out Directory Server as a Sun Cluster data service:
serverroot/stop-admin
serverroot/slapd-instanceName/stop-slapd
scswitch -z -g ldap-group -h this-node-name
scswitch -z -g ldap-group -h another-node-name
serverroot/stop-admin
serverroot/slapd-instanceName/stop-slapd
scswitch -z -g ldap-group -h this-node-name
scswitch -z -g ldap-group -h another-node-name
This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server followed by a description of the procedure itself.
IMPORTANT: You must have installed or upgraded to Java ES Release 4 on your system prior to applying Directory Server 5.2 Patch 6 HP-UX Native Package patch.
The upgrade of Directory Server and Administration Server software to Release 5.2 Patch 6 takes into account the following considerations:
Component | Patch ID |
---|---|
Directory Server | |
Directory Server locale | |
Administration Server | |
Administration Server locale | |
1 Patch revision numbers are the minimum required for upgrade to Release 5.2 Patch 6. If newer revisions become available, use the newer ones instead of those shown in the table.
The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.
Patches can be downloaded from:
swinstall -s <absolute-location>/<patch_ID> <patch_ID>
You will be prompted for the admin username and password.
# cd <server_root>/bin/slapd/server
# ./ns-slapd -v
The current version is displayed, and it should appear as shown here:
Sun Java(TM) System Directory Server/5.2_Patch_6
Then check the startup messages in the Directory Server error log:
/opt/sun/mps/serverroot/slapd-<server-instance>/logs/errors
# cd <server_root>/
# ./startconsole
There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (HP-UX).
You will be prompted for the admin username and password.
# cd <server_root>/bin/slapd/server
# ./ns-slapd -v
The current version is displayed, and it should appear as shown here:
Sun Java(TM) System Directory Server/5.2_Patch_4
/opt/sun/mps/serverroot/startconsole
This section discusses considerations that impact the upgrade procedure for Directory Server and Administration Server, followed by a description of the procedure itself.
IMPORTANT: You must have installed or upgraded to Java ES Release 4 on your system prior to applying Directory Server 5.2 Patch 6 Windows Native Package patch.
The upgrade of Directory Server and Administration Server software to Release 5.2 Patch 6 takes into account the following considerations:
The procedure documented below applies to Directory Server and Administration Server instances residing locally on the computer where the upgrade is taking place.
Patches can be downloaded from:
http://sunsolve.sun.com
Components should be shut down in the following order:
For information about how to shut down a Java ES component, see its respective administration guide.
You need to perform this step even if Directory Server had originally been installed in standalone mode on the computer where the upgrade is taking place.
Note: The perl.exe file can be found at <Server-Root>\lib\nsPerl5.005-03\bin\MSWin32-x86. <Server-Root> is the directory where the Java ES Release 4 product has been installed. It is usually C:\Sun\Server-Root.
admin-serv\config under <Server-Root>
isie: cn=Administration Server, cn=Server Group, cn=hostname, ou=administration_domain, o=NetscapeRoot
All on one line where hostname is the fully qualified Directory Server host name and administration_domain is typically the host’s domain name.
perl prepatch.pl <Server-Root>
perl postpatch.pl <Server-Root> <Admin id> <Admin Password>
IMPORTANT: It is strongly recommended to change the access rights of the C:\Sun\Server-Root\admin-serv\config\adm.conf file, which contains the Admin Password.
You can verify successful upgrade of Directory Server and associated components by using these steps:
<Server-Root>\slapd-<hostname>\logs\errors
Sun Java(TM) System Directory Server/5.2_Patch_6_A
There are no post-upgrade tasks beyond the steps described in Upgrade Procedure (Windows).
This section describes considerations that impact the upgrade rollback procedure for Directory Server and Administration Server followed by the procedure itself.
IMPORTANT: Because of bugs 6625224 and 6587775, the rollback procedure of the Directory Server upgrade is supported only from 121392-05 to JES4.
The procedure for rolling back the upgrade to Release 5.2 Patch 6 of Directory Server and Administration Server is essentially the reverse of the procedure for upgrading to Directory Server Release 5.2 Patch 6. The patches are removed and the configuration directory is re-synchronized.
One special consideration is that when you apply patches, you upgrade the SSL certificate database to a cert8 format. The patch backs up the cert7 data, and then converts it to cert8 format. If you subsequently decide to roll back the upgrade and have added new certificates to the certificate database, you should manually extract these certificates, back out the patches, and then add the certificates back to the previous cert7 format certificate database.
Note: This consideration applies when you have upgraded to Directory Server 5.2 Patch 6 from any Directory Server 5.2 version before 5.2 Patch 4. The SSL cert8 format was introduced in Directory Server 5.2 Patch 4.
When you roll back an upgrade after having changed the SSL certificate database, you cannot start in SSL mode. To work around this problem, turn off SSL mode, restart Administration Server, Directory Server or Directory Proxy Server, reinstall the certificate, and then enable SSL mode.
Components should be shut down in the following order:
The following features might change in a future release of Sun Java System software.
Sun Java System Administration Server and the Java Swing-based Console used today for remote graphical administration of Directory Server and other software may be replaced. A new implementation might be introduced to allow full browser-based service management, with easier configuration for access through firewalls.
As a result, the following commands might not be included in a future release:
In addition, everything in o=NetscapeRoot might change. In particular, o=NetscapeRoot might no longer be present and the serverroot architecture might be replaced by a different one.
The command-line tools for managing Directory Server instances might be improved in a future release. Such changes might affect the following commands:
The Sun Crypto Accelerator Board 1000 is supported by Directory Server 5.2 Patch 6 on 32-bit servers. Other versions of the Sun Crypto Accelerator Board are not supported.
The LDAP utility man pages on Sun Solaris platforms do not document the Sun Java System version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete and ldapadd. For information about these utilities, refer to the Sun Java System Directory Server 5.2 2005Q1 Man Page Reference.
Directory Server commands and Administration Server commands are documented as man pages and delivered in the following formats:
For information about how to access the man pages, see the Java Enterprise System Installation Guide.
In some parts of the Directory Server documentation and console, the version number of the product is referred to as 5.2. Directory Server 5.2 Patch 6 is a maintenance release of Directory Server 5.2.
Localized documentation is posted to http://docs.sun.com/ as it becomes available.
This section describes the known issues and limitations with Directory Server 5.2 Patch 6. The issues are grouped into the following categories:
Workaround
To prevent services from hanging, avoid using the default
startup order (Directory Proxy Server, Administration Server, and then
Directory Server). Instead, install Directory Server, then Directory
Proxy Server followed by Administration Server.
Workaround
Shut down the Directory Server 5.1 Service Pack 2 instance then
rename or remove the nsldap32v50.dll file
shown in the error log and attempt the 5.2 installation again.
If you do not run the uninstallation as root, the product registry is not updated correctly.
The unzip utility is not delivered with the compressed archive for Linux platforms. Before upgrading the compressed archive on Linux platforms, install the unzip utility. For other platforms the unzip utility is delivered with the compressed archive.
Close the Event Viewer before launching the update.
When you create a new instance by using the console, you are given multiple options.
This issue occurs when you upgrade from Directory Server 5.2 by using the compressed archives (patchzip) of Directory Server 5.2 2005Q1 and Directory Server 5.2 2004Q2.
Workaround
Choose any of the options. There is no difference between the
options.
On HP-UX platforms, when you install Directory Server only, you cannot open the console on the associated Configuration Directory Server unless the locale is specified as English.
Workaround
On the Configuration Directory Server, perform one of the
following workarounds:
When you upgrade from Directory Server 5.2 to Directory Server 5.2 2005Q4 by using the compressed archive, the upgrade can fail and the following error message can be given:
sh ./install.sh <server_root> <admin_id> <admin_pwd>
Can't create logfile: Permission denied at upgrade.pl line 272.
Workaround
Delete the log file /var/tmp/sync-log
before performing the upgrade.
If you have started the upgrade, delete the log file /var/tmp/sync-log and rerun the upgrade.
A root suffix cannot contain space characters.
Workaround
If your root suffix contains space characters, correct the
suffix generated at installation time to remove the spaces:
When the migrateInstance5 script is run with the error logging feature disabled, a message indicates that the migration procedure is attempting to restart the server while the server is already running.
Workaround
During configuration of Directory Server, an ACI on the server group entry for each new server installation is added. If the entry already exists and the ACI value already exists on the entry (which is the case when Administration Server is installed after Directory Server), then the following error is logged in the Configuration Directory Server:
[07/May/2004:16:52:29 +0200] - ERROR<5398> - Entry - conn=-1 op=-1msgId=-1 - Duplicate value addition in attribute "aci" of entry "cn=Server Groups, cn=sorgho.france.sun.com, ou=france.sun.com,o=NetscapeRoot"
Workaround
Ignore the error message.
If multibyte characters are entered as the suffix name during installation of the traditional Chinese (zh_TW) version, the suffix name does not display correctly in the console. This issue is restricted to 32-bit and 64-bit installations from Solaris packages on SPARC processors.
Workaround
At installation, using multibyte characters for anything other than the suffix name causes Directory Server and Administration Server configuration to fail.
Workaround
Use monobyte characters for all fields other than the suffix
name.
If you enter an incorrect password during command-line installation, you enter a loop.
Workaround
When you are prompted for the
password again, type "<" to return to the previous input item, and
then press return to keep the previous choice. When you are asked for
the password again, enter the correct password.
When you perform an uninstallation by using the console, you can dismiss the uninstallation logs by using the OK button. When you use this OK button, you might be warned about missing character sets.
Workaround
None. Ignore these warning messages.
After running the pkgrm command, the /usr/ds directory and some files remain.
Workaround
After running the pkgrm command,
manually remove the /usr/ds directory and
its files.
When configuring Directory Server by using a remote configuration directory, configuration fails if the administration domain of the remote directory does not match the administration domain in the setup procedure.
Workaround
When configuring Directory
Server by using a remote configuration directory, use the same
administration domain as defined in the remote configuration directory.
During migration from Directory Server 4.x to Directory Server 5.x, not all plug-ins are migrated.
Workaround
In the 4.x slapd.ldbm.conf
configuration file, insert quotation marks around the plug-in path for
the plug-in to be migrated.
For example change the plug-in post-operation referential integrity from
to
The Administration Server cannot be restarted from the console when using Solaris 9 on an x86 cluster.
Workaround
On the Administration Server console select Stop
Server and then Restart Server.
If Directory Server is configured the pkgrm command fails to remove the following packages:
Workaround
Before running the pkgrm command,
unconfigure Directory Server by using the following command: /usr/sbin/directoryserver -u 5.2 unconfigure
If you did not unconfigure Directory Server before you ran the pkgrm command, perform the following steps:
After installing Directory Server and Administration Server on Linux, and rebooting the system, there is no startup script (e.g. /etc/init.d/directory).
Workaround
Start the slapd process manually.
To access certain servers, the Server Console may have to download JAR files into the ServerRoot directory. If the user running the startconsole command does not have write access to the ServerRoot directory, the console cannot open the servers in question.
Workaround
Either run the startconsole
command as the user who owns the ServerRoot directory, or install and
configure the server packages on the host running Server Console.
When the patchrm command is used on patch ID 115614 in a cluster, it removes the patch from the first node only. When the patch is removed from the second and subsequent nodes, the following error message is displayed:
Workaround
When you have successfully
removed the patch from the first node in your cluster, and if you have
received the above error message, create a symbolic link in ServerRoot/shared/bin to point to the sync-directory binary as follows:
Then rerun the procedure to remove the patch.
If the SUNWds* packages are relocated to a directory other than the default installation directory, the SUNW.dsldap pointer is also relocated. Consequently, the SUNW.dsldap pointer will not be in the correct directory. To find the directory that contains the SUNW.dsldap pointer, run this command:
Workaround
Do not relocate SUNWds* packages.
If you have relocated the SUNWds* packages, correct the location of the SUNW.dsldap pointer as follows:
During installation, if the base DN contains a white space (for example, o=example east), the directoryURL entry is incorrectly parsed for the UserDirectory global preferences. Consequently, all operations to the userDirectory fail to find the entries in user/groups in the console.
Workaround
Modify the base DN value in one of the following ways:
After upgrade of Administration Server or Directory Server, the nsSchemaCSN attribute has several values. This issue occurs because the 60iplanet-calendar.ldif file and the 99user.ldif file both contain the nsSchemaCSN attribute. The nsSchemaCSN attribute should be in the 99user.ldif file only.
Workaround
<server_root>/slapd-<instance>/schema_push.pl
to
<server_root>/slapd-<instance>/schema_push.pl.ref
<server_root>/bin/slapd/admin/scripts/template-schema_push.pl
to
<server_root>/slapd-<instance>/schema_push.pl
<server_root>/schema_push.pl
To backout, restore the original schema_push.pl file under <slapd-instance>.
When patch 115614-10 is installed on a cluster by using the patchadd command, the slapd process does not restart.
Workaround
Upgrade to the new version of the RPM for Directory Server fails with an exit status 1 because the previous RPM was not uninstalled. This issue applies to upgrade to the following RPM for Directory Server:
The new version of the RPM for Directory Server is installed correctly.
Workaround
After installing the new
version of the RPM for Directory Server, uninstall the previous RPM
manually by using the following command:
Backout fails in the following scenario:
The backout fails because the <ServerRoot>/admin-serv/upgrade/versions.conf file does not contain the correct information.
Workaround
Configure the previous version
of Directory Server and Administration Server before installing the
latest version of Directory Server and Administration Server.
If you migrate from Directory Server 5.2 RTM to a later version of Directory Server, the localization patch 117015 cannot be installed. The pkginfo files in patch 117015 are inconsistent with those in Directory Server 5.2 RTM for the values ARCH and VERSION.
Workaround
Before applying the localization patch, perform the following
steps:
/var/sadm/pkg/SUNWjdsvcp/pkginfo
/var/sadm/pkg/SUNWjdsvu/pkginfo
ARCH=all
VERSION=5.2,REV=2003.05.23
If Directory Server is installed with the file mode creation umask 0027, a non-root user cannot configure or manage Directory Server instances.
Workaround
Before installation, change the umask to 0022. Otherwise, change
the default permissions for any file created by the process.
When you use the migrate5xto52 script to migrate from Directory Server 5.1 to Directory Server 5.2, replication can halt some time after the migration. The error can occur weeks or months after the migration.
Workaround
Before running the migration script, perform the following
steps:
When a standalone instance of Directory Server 5.2 is upgraded, the upgrade procedure requires the data in the Configuration Directory Server to be synchronized. Before running the sync-cds command, Directory Server searches for the presence of the adm.conf file. When the Administration Server is not configured, the file is not present and the sync-cds command cannot run.
Workaround
Create a dummy adm.conf file so that
the sync-cds command can run:
Where <hostname> is a fully qualified domain name for the host that the Directory Server is running on, and <administration_domain> is typically the host domain name.
For example:
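The following shell functions are an added example, not text from these release notes: they build the placeholder adm.conf from the isie line given in the Solaris upgrade procedure and refuse to overwrite a file that already exists. The function names and the owner-only file mode are assumptions of this example; the administration domain defaults to the host's DNS domain.

```shell
#!/bin/sh
# Added example (not from the release notes): write the placeholder adm.conf
# that sync-cds looks for when Administration Server was never configured.

# Print the isie line. $1 = fully qualified host name,
# $2 = administration domain (optional; defaults to the host's DNS domain,
# which the release notes describe as the typical value).
adm_conf_isie() {
    fqdn=$1
    case $fqdn in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "not a valid host name: '$fqdn'" >&2; return 2 ;;
        *.*) ;;
        *)  echo "host name is not fully qualified: '$fqdn'" >&2; return 2 ;;
    esac
    domain=${2:-${fqdn#*.}}
    # The value lands inside a DN, so refuse anything that could add RDNs.
    case $domain in
        ''|*[!A-Za-z0-9.-]*)
            echo "not a valid administration domain: '$domain'" >&2; return 2 ;;
    esac
    printf 'isie: cn=Administration Server, cn=Server Group, cn=%s, ou=%s, o=NetscapeRoot\n' \
        "$fqdn" "$domain"
}

# Create <serverroot>/admin-serv/config/adm.conf and print its path.
# Returns 0 on success, 1 if the file already exists (a configured
# Administration Server owns it), 2 on bad input or I/O failure.
write_dummy_adm_conf() {
    serverroot=$1
    conf=$serverroot/admin-serv/config/adm.conf
    [ -d "$serverroot" ] || { echo "no such server root: $serverroot" >&2; return 2; }
    if [ -e "$conf" ]; then
        echo "$conf exists; leaving it untouched" >&2
        return 1
    fi
    line=$(adm_conf_isie "$2" "${3:-}") || return 2
    mkdir -p "$serverroot/admin-serv/config" || return 2
    # Assumption of this example: owner-only mode, because on a configured
    # installation adm.conf can hold the Admin Password. The subshell keeps
    # noclobber (set -C) and the umask from leaking into the caller.
    ( set -C; umask 077; printf '%s\n' "$line" > "$conf" ) || return 2
    echo "$conf"
}

# Command-line use: script.sh <serverroot> <fqdn> [administration_domain]
[ $# -eq 0 ] || write_dummy_adm_conf "$@"
```

Run it as the user who will run sync-cds, for example with /var/opt/mps/serverroot as the server root on Solaris.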
The pwdChangedTime attribute and usePwdChangedTime attribute are defined in Directory Server 5.2 2004Q2 and later versions. These attributes are not defined in Directory Server 5.2 2003Q4 or earlier versions.
When an entry is defined with password expiration in Directory Server 5.2 2004Q2 or later versions, the entry contains the pwdChangedTime attribute and usePwdChangedTime attribute. When that entry is replicated to a supplier running Directory Server 5.2 2003Q4 or an earlier version, the supplier cannot process any modifications to that entry. A schema violation error occurs because the supplier does not have the pwdChangedTime attribute in its schema.
Workaround
Define the pwdChangedTime attribute
and usePwdChangedTime attribute in the 00core.ldif file for all servers in the
replication topology that are running Directory Server 5.2 2003Q4 or an
earlier version.
To define the attributes, add the following lines to the 00core.ldif file for each server:
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'Directory Server defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-DS-USE 'internal' X-ORIGIN 'Sun Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.597 NAME 'usePwdChangedTime' DESC 'Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-DS-USE 'internal' X-ORIGIN 'Sun Directory Server' )
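Each attributeTypes value must be a single logical LDIF line, either unbroken or folded with a leading space on every continuation line. The following check is an added example, not part of these release notes: it unfolds a schema file and reports which of the two attribute types are missing or incomplete. The function names and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the release notes): check a schema LDIF file for
# the pwdChangedTime and usePwdChangedTime attribute types.

# Join folded LDIF lines: a line starting with a space continues the line
# before it, and that first space is dropped.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); have = 1; next }
        have { print buf }
        { buf = $0; have = 1 }
        END  { if (have) print buf }
    ' "$1"
}

# Succeed if the file holds a complete attributeTypes value (closing
# parenthesis present) whose NAME list contains $2. Matching ignores case,
# as LDAP attribute names do.
schema_defines_attr() {
    ldif_unfold "$1" |
        grep -Ei '^attributeTypes:.*\) *$' |
        grep -Eiq "NAME +(\( *)?('[^']*' +)*'$2'"
}

# Print every required attribute the file does not define.
# Returns 0 when both are present, 1 otherwise.
missing_pwd_attrs() {
    rc=0
    for attr in pwdChangedTime usePwdChangedTime; do
        if ! schema_defines_attr "$1" "$attr"; then
            echo "$attr"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: folded.ldif is correctly folded; wrapped.ldif is
# the same text with the leading spaces lost, as happens when wrapped
# documentation text is pasted into the schema file unchanged.
write_samples() {
    cat > "$1/folded.ldif" <<'EOF'
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime'
  DESC 'Directory Server defined password policy attribute type'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
  USAGE directoryOperation X-DS-USE 'internal'
  X-ORIGIN 'Sun Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.597 NAME 'usePwdChangedTime'
  DESC 'Directory Server defined attribute type'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-DS-USE 'internal' X-ORIGIN 'Sun Directory Server' )
EOF
    sed 's/^ *//' "$1/folded.ldif" > "$1/wrapped.ldif"
}

# Command-line use: script.sh <path to 00core.ldif>
[ $# -eq 0 ] || missing_pwd_attrs "$1"
```

Run it against the 00core.ldif file of each server that runs Directory Server 5.2 2003Q4 or earlier; empty output means both definitions parse as complete values.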
On some systems, such as a hardened Solaris system, the SUNWnisu package might not be installed by default. In this case, the Directory Server configuration fails.
Workaround
On such systems, check for the presence of the SUNWnisu package before proceeding with the installation.
If your configuration fails for this reason, install the SUNWnisu package and then restart the Directory Server configuration.
Directory Server administrators have observed that when a replica known to be up and running stops on a known replication agreement with message 8318 in the errors log, performing a "Send Updates Now" operation from the Console gets replication started again.
The failure leading to message 8318, with the text "failed to bind to remote (900)," occurs for one of the following reasons: the supplier fails to retrieve the replication manager password; the supplier cannot open an LDAP connection to the consumer; the bind fails; or either issue 6198506, fixed in Patch 3, or issue 6494027, has caused the supplier to make a replication start request on a connection that has already been closed. If the supplier makes a replication start request on a closed connection, due to issue 6198506 or 6494027, then performing a "Send Updates Now" operation from the Console corrects the problem.
Otherwise, the replication agreement is no doubt broken, as stated in the Reference Manual. Check the error code and fix the replication agreement. You may need to restart the consumer as well.
You cannot silently uninstall Directory Server after upgrading with the Directory Server 5 2005Q4 and Administration Server 5 2005Q4 patches.
Workaround
Before performing the silent uninstallation, perform the following steps:
1) For Administration Server, find the typicalUninstall.ins file in the Administration Server patch and copy it to this directory:
2) For Directory Server, find the uninstall.ins file in the Directory Server patch and copy it to this directory:
Patch 115614-25 cannot be added if the server root contains files called slapd-<id>.tar.
Workaround
Do not add files beginning with slapd-* into the server root.
When you use the directoryserver sync-cds command during upgrade to Directory Server 5.2, you must use the -u 5.2 option if Directory Server 5.1 is also installed and the default is set to 5.1.
If you set the default version to 5.2 by using the following command, it is not necessary to use the -u 5.2 option:
Workaround
None
During installation of Directory Server, the Access Manager adds indexes for the 'ou' attribute if they don't exist. When the tool comms_dssetup.pl is run, the index is corrupted.
Workaround
Reindex the Directory Server.
Following fixes for CR 5006198 to reduce peaks in replication delay, the documentation about the Replication Retry Algorithm no longer reflects Directory Server behavior.
Prior to the fix when a supplier replica attempted to push updates to a consumer replica, but found that the consumer was already receiving updates from another supplier, the supplier would back off for progressively longer intervals.
After the fix a supplier in the same situation enters a REPLICA_BUSY loop in which the supplier sleeps, then again attempts to begin pushing updates to the consumer. The sleep interval is based on the time to start a replication session with the consumer.
When the time to start a session is less than 10 msec, the supplier sleeps first for 400 msec, then on further repetitions sleeps a random time between 400 and 1600 msec.
When the time to start a session is between 10 msec and 100 msec, the supplier sleeps first for 1 msec, then on further repetitions sleeps an additional 500 msec, up to 10 sec.
When the time to start a session is greater than 100 msec, the supplier sleeps first for 1 msec, then on further repetitions sleeps an additional 1 sec, up to 30 sec.
When the session fails to start because a connection cannot be opened or due to a protocol error, the supplier behaves as before although the maximum back off interval is 60 sec.
The fix for CR 5006198 also introduces the following monitoring attributes on the replication agreement: ds5MaxReplicaBusyDuration, whose value is the maximum time that the supplier has spent trying to acquire a consumer since the last server restart; ds5ReplicaBusyCounter, whose value is the number of times the supplier has been looping, waiting for a consumer.
Directory Server 5.2 Patch 6 shows a configuration error such as the following on restart:
ERROR<38918> - Startup - conn=-1 op=-1 msgId=-1 - Configuration error Sasl initialization failed
Workaround
Stop the server.
Modify the dsSaslPluginsPath attribute in the dse.ldif file, changing the value from /usr/lib/sasl2 to /lib/sasl.
Start the server.
In Directory Server 5.2 Patch 6, db2ldif -s fails, leaving a message such as the following in the errors log:
[08/Jun/2007:11:45:19 +051800] - DEBUG - conn=-1 op=-1 msgId=-1 - ERROR 2: There is no backend instance to export from
Workaround 1
Use db2ldif -n instead of db2ldif -s.
Workaround 2
Stop the server, and then modify the dse.ldif file as follows.
Find the suffix entry in the mapping tree and remove the quotes around the CN attribute value. The following example shows part of the mapping tree entry for Example.com.
dn: cn="dc=example\,dc=com",cn=mapping tree,cn=config
objectClass: top
...
cn: "dc=example,dc=com" <-- Remove the quotes here.
...
Start the server again.
You cannot patch the Directory LDAP SDK for Java package, SUNWjldk, unless the package itself has been installed.
Workaround
Apply patch 118615 if the package SUNWjldk is not yet installed. Then apply required patch 119725.
The patch installation program does not update the Directory Server schema definitions to allow use of the new passwordNonRootMayResetUserpwd password policy attribute.
Workaround
Stop the server.
Copy the new 00core.ldif file from the bin/slapd/install/schema/ directory to the Directory Server config/schema/ directory manually in order to use this new feature.
Start the server.
The documentation incorrectly states that when passwordCheckSyntax attribute is used to activate password syntax checks, the server checks "that the password meets the password minimum length requirement and that the string does not contain any 'trivial' words."
Instead, the documentation should read, "that the password meets the password minimum length requirement and that the string does not equal any 'trivial' words."
The documentation incorrectly states that Directory Server can return result code 76 (virtual list view error). Directory Server does not return this code.
Furthermore, the documentation fails to mention that Directory Server can return result code 60 (LDAP sort control missing). This result code indicates that Directory Server did not receive a required server side sort control.
Directory Server hot fixes for native package installations can place updated binaries under the Server Root, rather than in the system wide installation location. Such hot fixes rename existing symbolic links that point to system wide binaries to take the extension .ref. When you then patch the native package installation, the patch installation script does not change the name of such links. As a result the installation may still use hot fixed binaries after the patch is applied.
Workaround
IMPORTANT: This workaround applies only to native package installations. Furthermore, use this workaround only when applying the Directory Server patch.
Stop the server.
Apply the following workaround for each symbolic link named .ref.
Make a copy of the hot fix binary ending in .hotfix.
Make a copy of the binary in the system wide location ending in .orig.
Copy the hot fix binary over the binary in the system wide location.
Rename the symbolic link to remove the .ref extension.
At this point you can apply the Directory Server patch.
Start the server.
For example, the following sequence of commands performs this workaround for a Solaris native package installation of Directory Server 5.2 Patch 5 where only a hot fix for CR 6587775 has been applied.
cd <SERVER_ROOT>
./slapd-<SERVER_ID>/stop-slapd
cp /usr/ds/v5.2/bin/slapd/server/ns-slapd /usr/ds/v5.2/bin/slapd/server/ns-slapd.orig
cp bin/slapd/server/ns-slapd bin/slapd/server/ns-slapd.hotfix
cp bin/slapd/server/ns-slapd /usr/ds/v5.2/bin/slapd/server/ns-slapd
mv bin/slapd/server/ns-slapd.ref bin/slapd/server/ns-slapd
# Apply the Directory Server patch here.
./slapd-<SERVER_ID>/start-slapd
During installation on Windows, if the admin user's password or Directory Manager's password contains an underscore (_) character, those accounts are unable to log in to the Admin Console.
Workaround
Do not specify the underscore (_) character in a password during GUI installation. If necessary, reset the password after installation.
The Administration Guide contains the following example in the explanation of the ACI syntax.
aci: (target)...(target)(version 3.0;acl "name"; permission bindRule; permission bindRule; ...; permission bindRule;)
This could be misunderstood to allow multiple target keywords, but the "(target)" here refers to "target=...", "targetfilter=...", "targetattr=...", "targattrfilters=..." not just the "target=..." keyword. Each keyword can only be used once in an ACI. For example:
aci: (target=...)...(targetattr=...)(version 3.0;acl "name"; permission bindRule; permission bindRule; ...; permission bindRule;)
The passwordExpirationTime and passwordExpWarned attributes are reset internally when a password expiration warning first occurs on a consumer, and then these attributes are not synchronized between master and consumer. This problem is fixed in 5.2 Patch 6, but the fix requires that you apply the workaround described here.
Workaround
To prevent passwordExpirationTime from becoming unsynchronized between servers, disable password expiration warning (set passwordWarning:0).
If you require the password expiration warning feature, and you require the passwordExpirationTime to be synchronized across your topology, your application must detect when the passwordExpirationTime becomes unsynchronized and must update the user password on a master (either through a bind or modify operation).
If you use a zero-length password to bind to a directory, your bind is an anonymous bind; it is not a simple bind. Third party applications that authenticate users by performing a test bind might exhibit a security hole if they are not aware of this behavior.
Workaround
Ensure that your client applications are aware of this feature.
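The test-bind pitfall described above, shown as an added example that is not part of these release notes or of the product. simulated_bind is a constructed stand-in for the server (real code would call an LDAP client library), and the user entry and all function names are assumptions.

```python
# Constructed credential store standing in for a real directory (hypothetical data).
_USERS = {"uid=bjensen,ou=people,dc=example,dc=com": "s3cret"}


def simulated_bind(dn: str, password: str) -> str:
    """Stand-in for an LDAP simple bind against the server described above.

    Returns the identity the connection ends up with, or raises
    PermissionError (the equivalent of LDAP result code 49).
    """
    if password == "":
        # Zero-length password: the server performs an anonymous bind and
        # reports success, whatever DN was supplied.
        return "anonymous"
    if _USERS.get(dn) == password:
        return dn
    raise PermissionError("invalid credentials")


def naive_authenticate(dn, password, bind=simulated_bind) -> bool:
    """Vulnerable pattern: 'the bind succeeded, so the user is authenticated'."""
    try:
        bind(dn, password)
        return True
    except PermissionError:
        return False


def hardened_authenticate(dn, password, bind=simulated_bind) -> bool:
    """Refuse empty credentials locally, before anything reaches the server."""
    if not isinstance(dn, str) or not isinstance(password, str):
        return False
    if dn.strip() == "" or password == "":
        # An empty DN or password would become an anonymous bind, which
        # proves nothing about the user. Reject it without binding.
        return False
    try:
        identity = bind(dn, password)
    except PermissionError:
        return False
    # Defence in depth for this simulation: a successful bind must be for
    # the DN that was asked for, not for the anonymous identity.
    return identity.lower() == dn.lower()


if __name__ == "__main__":
    user = "uid=bjensen,ou=people,dc=example,dc=com"
    for pw in ("s3cret", "wrong", ""):
        print(repr(pw), naive_authenticate(user, pw), hardened_authenticate(user, pw))
```

The empty-password row is the one that differs: the naive check accepts it, the hardened check does not.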
If the DNS keyword is used in an ACI, any DNS administrator can access the directory by modifying a PTR record and can thereby provide the privileges granted by the ACI.
Workaround
Use the IP keyword in the ACI to include all IP addresses in the domain.
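One way to find the ACIs that need this workaround in an exported LDIF file, as an added example that is not part of these release notes or of the product. The sample entries, host names and function names are constructed, and the regular expressions are a lint heuristic, not a full ACI parser.

```python
import base64
import re
from typing import List, Tuple

ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
DNS_RULE = re.compile(r'\bdns\s*!?=\s*"([^"]*)"', re.IGNORECASE)


def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def aci_values(ldif: str) -> List[Tuple[str, str]]:
    """Return (entry DN, ACI text) pairs, decoding base64 'aci::' values."""
    found: List[Tuple[str, str]] = []
    dn = ""
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if not sep or key not in ("dn", "aci"):
            continue
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if key == "dn":
            dn = value
        else:
            found.append((dn, value))
    return found


def dns_based_acis(ldif: str) -> List[Tuple[str, str, List[str]]]:
    """List (DN, acl name, dns patterns) for each ACI whose bind rule uses dns."""
    hits = []
    for dn, aci in aci_values(ldif):
        match = ACL_NAME.search(aci)
        name = match.group(1) if match else ""
        # Blank out the quoted acl name so text inside it cannot be
        # mistaken for a bind rule.
        rules = ACL_NAME.sub('acl ""', aci, count=1)
        patterns = DNS_RULE.findall(rules)
        if patterns:
            hits.append((dn, name, patterns))
    return hits


# Constructed sample export: one dns-based ACI, one ip-based ACI whose name
# merely contains "dns=", and one base64-encoded dns-based ACI.
_PARTNER_ACI = ('(targetattr="cn")(version 3.0; acl "Partner read"; '
                'allow (read) dns="host.partner.example";)')
SAMPLE_LDIF = (
    "dn: ou=people,dc=example,dc=com\n"
    'aci: (targetattr="*")(version 3.0; acl "Intranet read"; allow (rea\n'
    ' d,search) userdn="ldap:///anyone" and dns="*.example.com";)\n'
    'aci: (targetattr="mail")(version 3.0; acl "legacy dns="; allow (read)\n'
    '  userdn="ldap:///anyone" and ip="192.168.1.*";)\n'
    "\n"
    "dn: ou=partners,dc=example,dc=com\n"
    "aci:: " + base64.b64encode(_PARTNER_ACI.encode()).decode() + "\n"
)

if __name__ == "__main__":
    for dn, name, patterns in dns_based_acis(SAMPLE_LDIF):
        print(f"{dn}: acl \"{name}\" trusts reverse DNS for {patterns}")
```

Each ACI reported is a candidate for rewriting with the ip keyword, as the workaround describes.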
ldapmodify update operations over SSL fail when they are referred to a master replica from a consumer replica.
When the passwordisglobalpolicy attribute is enabled on both masters in a 2-master, multi-master replication topology, it works correctly but can generate the following incorrect error message:
Workaround
Ignore the incorrect error message.
The passwordMinLength attribute in individual password policies is 2–512 characters. However, values outside of this range are accepted when an individual password policy is configured.
Workaround
Configure individual password policies with passwordMinLength attribute of 2–512 characters.
If Directory Server is configured for use with SASL authentication on Solaris 10 build 69 and if you perform an authentication by using Kerberos through GSSAPI, the directory core is dumped.
Workaround
For 64-bit servers on Solaris 10 machines, pre-load the smartheap library when you start the slapd daemon. To pre-load the smartheap library, modify the start-slapd script under an ldap instance, as follows:
For example:
The Administration Guide contains the following incorrect definition and examples in the explanation of the ACI syntax.
This definition is incorrect because RFC 2732 does not apply to IPv6 addresses in an ACI definition. Instead, RFC 2373 defines legitimate IPv6 addresses.
Because of a problem described in Vulnerability Note VU#836068, MD5 signature algorithm vulnerable to collision attacks (http://www.kb.cert.org/vuls/id/836068), Directory Server 5.2 (and later 5.2 patch releases) installations should avoid using the MD5 algorithm in signed certificates. The following procedure describes how to generate SHA-1-signed certificates using the NSS certutil command-line utility. For more information about the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
$ certutil -L -d certdir -P dbprefix
Run the following command on each defined certificate to determine whether the certificate is signed with the MD5 algorithm:
$ certutil -L -n cert-name -d certdir -P dbprefix
The following example shows typical output for an MD5-signed certificate:
Certificate:
Data:
[...]
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
[...]
Run the following command to remove any MD5-signed certificates from the database:
$ certutil -D -n cert-name -d certdir -P dbprefix
Replace any MD5-signed certificates with SHA-1-signed certificates. Use one of the following procedures, depending on whether your installation uses a self-signed certificate or a certificate acquired from a Certificate Authority.
To generate and store a self-signed certificate using the SHA-1 signing algorithm, run the following command as a Directory Server administrator:
$ certutil -S -x -n cert-name -s subject -d certdir -P dbprefix \
-t trustargs -Z SHA1
where
Use the following steps to generate and store a certificate acquired from a Certificate Authority (CA):
Run the following command to issue a CA-Signed Server Certificate request:
$ certutil -R -s subject -d certdir -P dbprefix -a \
-Z SHA1 -o output-file
where
Make sure that your Certificate Authority is no longer using the MD5 signature algorithm, and then send the certificate request to the Certificate Authority (either internal to your company or external, depending on your rules) to receive a CA-signed server certificate.
When the Certificate Authority sends you the new certificate, run the following command to add the certificate to the certificates database:
$ certutil -A -n cert-name -d certdir -P dbprefix \
-i signed-cert-file
For more details regarding those steps, see Implementing Security in the Sun ONE Directory Server Administration Guide.
Run the following command to verify the new certificate.
$ certutil -L -n cert-name -d certdir -P dbprefix
The following example shows typical output for a SHA-1-signed certificate:
Certificate:
Data:
[...]
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
[...]
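The per-certificate check from the procedure above, automated as an added example that is not part of these release notes or of NSS. The sample output reuses only the excerpt shown above and is constructed, as are the nicknames and function names; dump_certificate runs exactly the certutil -L -n command given in the procedure.

```python
import re
import subprocess
from typing import Dict, Iterable, List

# certutil prints one "Signature Algorithm:" line per signature field.
SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(.+?)\s*$", re.MULTILINE)


def signature_algorithms(dump: str) -> List[str]:
    """Extract every signature algorithm named in 'certutil -L -n' output."""
    return SIG_ALG.findall(dump)


def is_md5_signed(dump: str) -> bool:
    return any("md5" in alg.lower() for alg in signature_algorithms(dump))


def classify(dumps: Dict[str, str]) -> Dict[str, str]:
    """Map each nickname to 'replace', 'ok' or 'unknown'."""
    verdicts = {}
    for nickname, dump in dumps.items():
        if not signature_algorithms(dump):
            # Output not understood: inspect this certificate by hand
            # instead of assuming it is fine.
            verdicts[nickname] = "unknown"
        elif is_md5_signed(dump):
            verdicts[nickname] = "replace"
        else:
            verdicts[nickname] = "ok"
    return verdicts


def dump_certificate(nickname: str, certdir: str, dbprefix: str) -> str:
    """Run the command from the procedure above and return its text output."""
    result = subprocess.run(
        ["certutil", "-L", "-n", nickname, "-d", certdir, "-P", dbprefix],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def audit_database(nicknames: Iterable[str], certdir: str, dbprefix: str) -> Dict[str, str]:
    """Classify every named certificate in one certificate database."""
    return classify({n: dump_certificate(n, certdir, dbprefix) for n in nicknames})


# Constructed sample output, limited to the lines quoted in the procedure.
SAMPLE_DUMPS = {
    "old-server-cert": (
        "Certificate:\n    Data:\n        [...]\n"
        "        Signature Algorithm: PKCS #1 MD5 With RSA Encryption\n"
        "        [...]\n"
    ),
    "new-server-cert": (
        "Certificate:\n    Data:\n        [...]\n"
        "        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption\n"
        "        [...]\n"
    ),
    "unreadable": "",
}

if __name__ == "__main__":
    for nickname, verdict in classify(SAMPLE_DUMPS).items():
        print(f"{nickname}: {verdict}")
```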
Replication must not be enabled on the retro changelog suffix "cn=changelog". This suffix has not been designed to be replicated, and enabling replication on it could lead to Directory Server crashes such as 6484498 or 6453388. The fix for bug 6482442 will fix those two bugs.
The replication monitoring tools rely on read access to cn=config to obtain the replication status. This should be taken into account when replication is configured over SSL.
In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
Workaround
To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
Initially, certain schema attributes may be replicated between the servers as they synchronize other schema elements, but this will not cause any problems. See the General Installation Information for details on how the schema has changed.
The replication monitoring tools entrycmp, insync, and repldisc do not support LDAP URLs that contain literal IPv6 addresses.
Workaround
None
In a multi-master replication scenario, if replication is enabled over SSL by using simple authentication, it is not possible to enable replication between the same servers over SSL by using certificate-based client authentication.
Workaround
To enable replication over SSL using certificate-based client authentication, restart at least one of the servers.
If a total update is aborted while in progress, it is not possible to launch another total update or to re-enable replication on the suffix.
Workaround
Do not abort a total update while it is in progress.
The insync command-line tool has no concept of fractional replication. If fractional replication is configured, false reports of replication delays can be produced.
Workaround
None
If you modify the schema without making any other non schema-related modifications, your schema modifications will not be replicated immediately.
Workaround
Wait for five minutes for your schema modifications to be replicated, or force replication by using the Send Updates Now option in the Directory Server console.
The nsslapd-lastmod attribute specifies whether Directory Server maintains the modification attributes for Directory Server entries. When this attribute is set to OFF, errors occur in multi-master replication.
Workaround
When using multi-master replication, leave the nsslapd-lastmod attribute set to ON.
During replication, the following error message can be written frequently to the error log:
[09/Apr/2004:06:47:45 +0200] - INFORMATION -
conn=-1 op=-1 msgId=-1 -
csngen_adjust_time: remote offset now 33266 sec
This error message increases the size of the error log file.
Workaround
Ignore this error message.
When a master server crashes, changes made to the retro change log on that server can be lost.
Workaround
Do not use the retro change log on a master server. Instead, use the retro change log on the consumer server. If you are implementing failover of the retro change log, ensure that you have at least two consumer servers with enabled retro change logs.
DN normalization code puts attribute names in lower case. The DN normalization code does not take into account the attribute syntax and the associated matching rule.
Workaround
None
Directory Server 5.2 Console does not correctly handle attributes with values containing CRLF (base64-encoded).
Workaround
Do not modify such entries (which have base64-encoded attribute values containing CRLF) using the Console.
The JVM delivered with the Directory Server 5.2 product (and later versions) is not compliant with the new DST definition (2007) and needs to be updated with the tzupdater tool.
Note: Only the Directory Server 5.2 Patch 6 patchzip distributions deliver and run the tzupdater utility. The JVM running within the installed Directory Server 5.2 product is then up to date.
The Directory Server 5.2 Patch 6 Native package distributions are not allowed to update the JVM installed and running in the system. The system administrator must follow the procedure described at http://java.sun.com/developer/technicalArticles/Intl/USDST/
In any case, it is strongly recommended to install the specific operating system patches as documented at http://www.sun.com/bigadmin/hubs/dst/software.
The upgrade procedure requires the data in the Configuration Directory Server (CDS) to be synchronized. This is performed through the sync-product-cds command based on information located in adm.conf file. Unfortunately the upgrade procedure is not able to synchronize CDS data placed in another Server Group than "cn=Server Group".
Workaround
cd <ServerRoot>/shared/bin
./ldapsearch -D"cn=Directory Manager" -w -p -b"o=NetscapeRoot" objectclass=nsAdminGroup dn
that returns DN entries:
dn: cn=Server Group, cn=<hostname>, ou=<administration_domain>, o=NetscapeRoot
Where <hostname> is a fully qualified domain name for the host that the Directory Server is running on, and <administration_domain> is typically the host domain name. For example:
dn: cn=Server Group, cn=starfish.Ireland.Sun.com, ou=Ireland.Sun.com, o=NetscapeRoot
./sync-product-cds -r "<ServerRoot>" -i "cn=Sun ONE Directory Server, cn=Server Group (2), cn=<hostname>, ou=<administration_domain>, o=NetscapeRoot" -j ds524.jar -g ds524.jar -v 5.2_Patch_6 -n "Sun Java(TM) System Directory Server" -b "2007.093.0058"
The patchzip installation script hangs on sync-admin-cds and sync-product-cds commands when SSL is configured between Admin Server and Directory Server 5.2 installed product.
Workaround
directory default ldap://<hostname>:<non-secure port>/o=NetscapeRoot
It should be "ldap" rather than "ldaps" and point to the non-secure port rather than the secure/SSL port.
cd <ServerRoot>
./stop-admin
cd bin/admin
./sync-admin upgrade -r <ServerRoot>
./sync-admin-cds -r <ServerRoot>
Follow the procedure described above in bugid 6516282.
On Windows 2000 Service Pack 4 you cannot remove an instance using Directory Server Console unless it is running.
Workaround
Ensure that the instance is running before attempting to remove it using Directory Server Console.
In some search contexts, a yellow warning flag is displayed. The yellow flag indicates that the Directory Server internal search mechanism has encountered an All IDs Threshold / Sorting issue. This flag does not represent a problem.
Workaround
Either ignore the flag or create a browsing index (VLV index) to prevent the flag from occurring.
The console does not support passwords that contain a colon ":".
Workaround
Do not use a colon in a password.
The console does not support the management of external security devices, such as Sun Crypto Accelerator 1000 Board.
Workaround
Manage external security devices by using the command line.
In the Directory Server console some German characters are sorted incorrectly. See the following examples:
Workaround
None.
When the slapd daemon is restarted from the console, it can take the Administration Server port and prevent Administration Server from being restarted by the console.
Workaround
Restart the slapd daemon from the command line.
On a Directory Server cluster node (active or not), the Browse buttons in the Directory Server console are grayed out.
Workaround
Ensure you are running the console on the active cluster node, and use the node name (as opposed to the logical host name) to connect to the Administration Server.
The path to the help .htm file for the Directory Server Login dialog box in non-English languages is incorrect. For example, for the Korean language, the incorrect path is as follows: manual/ko/console/help/help/login.htm
Workaround
Change the path to the help .htm file as shown in the following example. This example uses the Korean locale:
login-help=manual/ko/console/help/help/login.htm
to
login-help=manual/ko/console/help/login.htm
This issue concerns LDIF files exported by using the Export to LDIF button in Tasks tab on the console. When a server is configured as a supplier or a hub, an exported LDIF file starts to collect replication information to initialize consumers. The exported LDIF file cannot be used with the Import from LDIF button in Tasks tab on the console.
Workaround
Select one of the following workarounds:
After migrating from Directory Server 4x to Directory Server 5x, you cannot add new object classes by using the console. This condition occurs because migrated users contain ntUser attributes with the old NtSyncTool for Windows.
Workaround
Use the ldapmodify command to add object classes.
Workaround
None.
This description is incorrect.
The nsslapd-schemacheck attribute applies to nsslapd-rootdn parameter.
When run on Windows platforms, the bak2db command can generate unnecessary errors 20741 and 20742. These errors are false errors.
Workaround
Ignore messages generated by errors 20741 and 20742.
Stopping the server during export, backup, restore, or index creation can cause it to crash.
Backend instances, or databases, called "Default" do not work.
Workaround
Do not name a database "Default".
If a non-existent file is specified for an online import, the server still deletes the existing database.
Workaround
Use db2ldif.pl and ldif2db.pl instead of db2ldif and ldif2db as they do not issue "unknown index rule" warnings and create the index with the matching rule.
The ACL plug-in normalizes attribute values in order to compare them with DN provided in the ACL rules. If an attribute value is not a DN, an error message is logged.
Workaround
Ignore the error message.
If you have two Directory Server instances, DS1 and DS2, with your Configuration Directory Server installed on DS1, and you subsequently replicate the o=NetscapeRoot configuration information to DS2, then instead of being automatically disabled, the PTA plug-in continues to point to DS1 for any o=NetscapeRoot relevant searches, despite the fact that the information is now local.
The nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes were documented by mistake. Do not use them.
The nsslapd-valuecheck attribute was never implemented but is mentioned in Sun ONE Directory Server 5.2 documentation. This is a mistake.
If you change the maximum size of the transaction log file when the database directory contains log files, the new size is not taken into account.
Workaround
None.
On UNIX platforms, statistics are generated only for the last SNMP subagent that is started. This implies that you can monitor only one Directory Server instance at a time with SNMP.
Instead of returning the unaccented character and all of its possible accented variants, which would seem to be the logical approach, a search on an unaccented character only returns the unaccented character in question. Searching for an accented character however, returns not only that character but all other variants.
With Directory Server and Administration Server installed and configured to run as root, when the console is used to create another instance of Directory Server which you specify to run as a user other than root, that instance is successfully created, but many of the files pertaining to that instance are not owned by the same user.
Workaround
Change the ownership of the files and directories manually.
When you create a new chained suffix with an IPv6 address by using the New Chained Suffix window of the console the Testing connection parameters popup window does not close automatically and the validity of the IPv6 address is not tested. Although the local configuration of the chained suffix is successful, the validity of the IPv6 address is not assured.
Workaround
Do not use the Test connection option when you configure a chaining suffix with an IPv6 address.
For Directory Server on Linux RH3.0, the default number of file descriptors is 1024. The default number of file descriptors cannot be changed globally, but can be changed by the root user for a given session only.
To change the default number of file descriptors, become root user and change the value before starting the server.
Workaround
None
Workaround
Before You Start - Make a backup of your directory data before performing the following steps.
Workaround
On Windows systems, you must change the network configuration before installing Directory Server software to ensure the FQDN resolves correctly.
If host name resolution is handled by DNS, follow these steps.
1. Right click My Computer and select Properties.
2. Select the Computer Name tab in the System Properties window.
3. Click Change.
4. Click More to reveal the Primary DNS suffix of this computer field.
5. Enter the correct domain name, then save your work.
If host name resolution is handled using a hosts file, add the FQDN for the system in <System Drive>:\Windows\System32\drivers\etc\hosts. This approach can be used to fake the FQDN, such as myhost.example.com, so you can install Directory Server on systems without a legitimate FQDN.
Workaround
Use these steps to move the database to another drive:
Workaround
Change the block size and apply the following patches
PHKL_32772: s700_800 11.11 VxFS 3.5-ga15 Kernel Cumulative Patch 11
PHKL_32669: s700_800 11.11 VxFS cumulative patch
Change the blocksize to 8K from the default of 1K.
The actual range is from -2^31 + 1 to 2^31. In practice, values should be positive numbers. Values larger than 100 bring few benefits.
By default ds5ReferralDelayAfterInit is not set, meaning the delay is not limited. -1 is not a valid value, and 0 means no delay.
Directory Server 5.2 Patch 6 does not support HP-UX 11.23. Directory Server 5.2 Patch 6 does support HP-UX 11.1 (formerly 11.11).
If the server-wide password policy affecting the Configuration Directory Server (CDS) instance causes passwords to expire, administrative users with accounts stored in the CDS must also change their passwords before those passwords expire. To change this normal server behavior, either configure password expiration policy at a lower level, or override password expiration policy for users in the CDS (under o=NetscapeRoot).
The following example modifications cause syntax errors.
dn:o=mary\"red\"doe,o=example.com
Workaround
To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.
Workaround
The hardware prerequisites are as follows.
Workaround
Physically remove the changelog DB file AFTER the demotion to read-only consumer and BEFORE the re-promotion to hub.
Workaround
Run this command on Linux installations:
ulimit -s 256; start-slapd
Workaround
Enter this command:
lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "<SERVER_ROOT>" "<ADMIN ID>" "<PASSWORD>"
where, for example, "<SERVER_ROOT>" can have a value such as "D:\Program Files\Sun\MPS", "<ADMIN ID>" can have a value such as "admin", and "<PASSWORD>" can have a value such as "password".
When the SERVER_ROOT pathname contains a space character, the following command fails:
lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "<SERVER_ROOT>" "<ADMIN ID>" "<PASSWORD>"
The failing command returns this error message:
Warning: jre delivery has not been patched
This error reports that the tzupdater utility has not been successfully run and so the JVM delivered with Directory Server 5.2 is still not compliant with the new DST definition (2007).
Workaround
Run the following command manually:
"<SERVER_ROOT>\bin\base\jre\bin\java" -jar <PATCHZIP_PATH>\tzupdater\tzupdater.jar -u
PATCHZIP_PATH is the pathname where the Directory Server 5.2 Patch 6 compressed archive patch (that is, 117667-04) has been downloaded.
Workaround
Workaround
Admin Id: cn=directory manager
Admin Password: adminadmin
In this way, you can bind as the directory manager user.
The DSEE 5.2 Administration Guide describes the -T option of the vlvindex command as follows:
This option specifies the naming attribute of the vlvIndex entry, not the vlvSearch entry.
Because of a known issue, nsslapd-idletimeout is not computed on Windows installations as documented under all conditions.
On Unix (including Solaris) nsslapd-idletimeout is computed when new connections are opened and when new data is received, as described in the documentation.
On Windows, nsslapd-idletimeout is computed the same way for secure connections or if ds-start-tls-enabled is true. However, for non-secure connections and if ds-start-tls-enabled is false, nsslapd-idletimeout is computed only when new connections are opened.
The multiple fixed size memory pools feature introduced in Directory Server 5.2 2005Q4 and described in the Directory Server 5.2 2005Q4 Release Notes document needs clarification. The existing text reads as follows:
The corrected text should read as follows:
Workaround
Windows requires double quotation marks (") to be used to delimit special characters, including blank spaces. The db2index.pl file uses single quotation marks (') to delimit blank spaces, which results in an error in Windows installations.
In Windows installations, manually edit the db2index.pl file and the template file and replace instances of single quotation marks with double quotation marks.
In "Initializing a Replica Using the Console," step 4 requires the following additional information about the results of the step: "Messages describing the selected replication are displayed in the text box below the list. To confirm the status of the consumer initialization (such as success and failure), see Monitoring Replication Status."
Also, the Description column in three rows of Table 8-1 requires additional information shown here:
Last initialization started | Indicates when the most recent initialization of the consumer replica started. When the most recent initialization succeeds, it indicates the start time of the initialization. When the most recent initialization fails, this field value is not meaningful.
Last initialization ended | Indicates when the most recent initialization of the consumer replica ended. When the most recent initialization succeeds, it indicates the end time of the initialization. When the most recent initialization fails, this field value is not meaningful.
Last initialization message | Provides status on the last initialization of the consumer. When the most recent initialization succeeds, the message Total Update Succeeded is displayed. When the most recent initialization fails, a message describing the failure is displayed.
When enabling usePwdChangedTime, also enable password expiration by setting the value of passwordExp to on.
The following text clarifies the Administration Guide's explanation of reindexing a suffix: "When you reindex a suffix, the server examines all of the entries the suffix contains and rebuilds the index files. During reindexing, the contents of the suffix are read-only. Because the server must scan the entire suffix for every attribute that is reindexed, this process might take up to several hours for suffixes with millions of entries. The length of time also depends on the indexes you configure. In addition, while the suffix is being reindexed, indexes are not available and server performance is impacted."
When the db2ldif -s command is run on a suffix to export a subtree, the following incorrect error message can be generated:
Workaround
Ignore this error message.
The db2ldif command creates output LDIF files in an incorrect default directory when the file name only is specified. The db2ldif command should create output LDIF files in this directory:
Workaround
Specify the absolute path to the file name of the output LDIF file.
The mmldif command crashes when used.
Workaround
None
When an LDIF file is imported into Directory Server by using the ldif2db.pl script, the createtimestamp and modifytimestamp attributes are not generated. Note that this problem does not occur for online adds done by LDAP clients such as ldapmodify.
Workaround 1
Edit the LDIF source file before import. This workaround works for LDIF input files that do not contain any entry with createtimestamp or modifytimestamp values.
Substitute ALL empty lines in the LDIF source file with the following 3 lines:
Then import the file into the Directory Server.
Workaround 2
Import the source file by using ldapmodify instead of ldif2db. This workaround is slower than Workaround 1, but it works for LDIF input files with entries with createtimestamp or modifytimestamp values.
db2ldif -n $instance -a /tmp/exported.ldif
/tmp/rootsuffix.ldif
ldif2db -n $instance -i /tmp/rootsuffix.ldif
ldapmodify -a -c -h <host> -p <port> -D "cn=Directory Manager" -w <password> -f /tmp/exported.ldif
When the pre-operation plug-in for schema deletion returns a non-zero value, the ldapdelete command hangs.
Workaround
Ensure that the pre-operation plug-ins (except abandon and unbind) send back a result (by using slapi_send_ldap_result) before returning a non-zero status.
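The following C sketch is an added example, not code from Sun or from these release notes. It puts the pattern that leaves the client waiting beside the pattern the workaround asks for. The declarations at the top are stand-ins for slapi-plugin.h so that the example builds without the server SDK, and the names preop_delete_silent, preop_delete_checked and is_protected, like the policy of protecting cn=schema, are hypothetical.

```c
#include <string.h>

/* Stand-ins (assumptions) for slapi-plugin.h so this builds without the
 * server SDK; a real plug-in includes that header instead. */
#define LDAP_OPERATIONS_ERROR     0x01
#define LDAP_UNWILLING_TO_PERFORM 0x35
#define SLAPI_DELETE_TARGET       50   /* placeholder value */
struct berval;
typedef struct { char *target_dn; int results_sent; int last_err; } Slapi_PBlock;

static int slapi_pblock_get(Slapi_PBlock *pb, int arg, void *value)
{
    if (arg != SLAPI_DELETE_TARGET) return -1;
    *(char **)value = pb->target_dn;
    return 0;
}
static void slapi_send_ldap_result(Slapi_PBlock *pb, int err, char *matched,
                                   char *text, int nentries, struct berval **urls)
{
    (void)matched; (void)text; (void)nentries; (void)urls;
    pb->results_sent++; pb->last_err = err;   /* mock: record the result */
}

/* Hypothetical policy for the demonstration (exact match only, for brevity). */
static int is_protected(const char *dn) { return dn && strcmp(dn, "cn=schema") == 0; }

/* Problem pattern: non-zero return, no result sent, so the client waits. */
int preop_delete_silent(Slapi_PBlock *pb)
{
    char *dn = NULL;
    slapi_pblock_get(pb, SLAPI_DELETE_TARGET, &dn);
    return is_protected(dn) ? -1 : 0;
}

/* Workaround pattern: send the result first, then return non-zero. */
int preop_delete_checked(Slapi_PBlock *pb)
{
    char *dn = NULL;
    if (slapi_pblock_get(pb, SLAPI_DELETE_TARGET, &dn) != 0 || dn == NULL) {
        slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "no target DN", 0, NULL);
        return -1;
    }
    if (is_protected(dn)) {
        slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "refused by policy", 0, NULL);
        return -1;
    }
    return 0;   /* allowed: the server carries on and answers the client itself */
}
```

Every path in preop_delete_checked that returns non-zero has already sent exactly one result, which is the property to check for when reviewing existing pre-operation plug-ins.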
Sun Java System Directory Server 5.2 Patch 6 does not contain any files which you can redistribute.
If you have problems with this update, contact Sun customer support using one of the following mechanisms:
So that we can best assist you in resolving problems, please have the following information available when you contact support:
You might also find it useful to subscribe to the following interest groups, where Sun Java System Directory Server topics are discussed:
Sun is interested in improving its documentation and welcomes your comments and suggestions. Use the web-based form to provide feedback to Sun:
Please provide the full document title and part number in the appropriate fields. The part number can be found on the title page of the book or at the top of the document, and is usually a seven or nine digit number. For example, the part number of these Directory Server 5.2 Release Notes is 819-4290-10.
Useful Sun Java System information can be found at the following Internet locations:
Copyright © 2007 Sun Microsystems, Inc. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
SUN PROPRIETARY/CONFIDENTIAL.
U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
Use is subject to license terms.
This distribution may include materials developed by third parties.
Portions may be derived from Berkeley BSD systems, licensed from U. of CA.
Sun, Sun Microsystems, the Sun logo, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.