Sun Java System Directory Server Enterprise Edition 6.1 Release Notes

Chapter 4 Directory Proxy Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Proxy Server.

This chapter includes the following sections:

Bugs Fixed in Directory Proxy Server

This section lists bugs fixed in the Directory Proxy Server 6.1 and 6.0 releases.

Bugs Fixed in Directory Proxy Server 6.1

The following list contains only selected bugs fixed in this release. For the complete list of bugs fixed in this release, see the README.patchnumber file in your patch directory.

6445919

Directory Proxy Server cannot always resolve searches based on the virtual DNs.

6475156

The dpconf command erroneously claims a restart is required when you set some of the server's properties.

6475727

After using the dpconf delete-jdbc-object-class command, you must restart Directory Proxy Server for the change to take effect.

6475743

Directory Proxy Server has been seen to retrieve only one of two attributes mapped through JDBC when both attributes are mapped to the same database table column.

6479264

One level searches through JDBC data views have been seen to fail.

6486526

On Windows systems when you install Directory Proxy Server after Directory Server using the dsee_deploy command, the command returns an error suggesting that some common files could not be removed.

6492355

The JDBC database cannot handle the execution of partial LDAP transactions.

6494259

Directory Proxy Server does not recompute the alternate-search-base-dn property when you change the base-dn property of a data view.

6494400
6494405

On Windows systems when Directory Proxy Server is enabled as a service, do not use the dpadm cert-pwd-prompt=on command.

6494412

To enable email alerts from Directory Proxy Server to mail users on the local host, specify an email-alerts-message-from-address property before you enable email alerts.

6494513

Increasing the number of Directory Proxy Server worker threads can prevent the server from restarting. This problem manifests itself as a java.lang.OutOfMemoryError error when the server is started.

6500275

When used with the jvm-args flag to allocate extra memory for the Java virtual machine, the dpadm command has been seen to return exit status 0 even though memory allocation fails. Error messages appear on the command line, however.

6509148

By default, Directory Proxy Server disables SSLv2 as it is the oldest of the SSL/TLS family of security protocols and regarded as comparatively weak and obsolete. Now Directory Proxy Server enables only SSLv3 and TLSv1 security protocols.

6548377

LDAP response controls in searchResultDone are dropped by Directory Proxy Server.

Bugs Fixed in Directory Proxy Server 6.0

4883696

Allow read and write requests to be chained separately.

4883701

Add alphabetic and hash based data distribution algorithms.

4951403

Directory Proxy Server cannot follow referrals in bind requests.

4975248

Directory Proxy Server log file cannot exceed 2 GB.

5014402

Directory Proxy Server file handles leak memory.

The following bugs were found during the beta program, and subsequently fixed.

6348105

An error arises when performing a search through Directory Proxy Server and password lockout occurs.

6445085

Directory Service Control Center does not allow you to create a certificate request.

6492361

LDAP searches through Directory Proxy Server are not abandoned by Directory Proxy Server after being abandoned by the client application.

6492368

Substring searches are not possible through a join data view.

6492371

Searching DB2 through Directory Proxy Server results in an SqlException.

6492375

When creating a JDBC object class, the secondary table is not optional.

6493640

Deleting an SQL database entry does not function properly.

6493643

Shared, multivalued attribute values in databases are ignored.

Known Problems and Limitations in Directory Proxy Server

This section lists known problems and limitations at the time of release.

Directory Proxy Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Self-signed server certificates cannot be renewed.

When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.

On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.

Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.

Known Directory Proxy Server Issues in 6.1

This section lists the known issues found at the time of the Directory Proxy Server 6.1 release. This list is in addition to the list of Known Directory Proxy Server Issues in 6.0.

6360059

Directory Proxy Server cannot resume the JDBC data source connection that is restored after the data source connection failure. Directory Proxy Server can resume the connection only after restarting the Directory Proxy Server instance.

6461510

In Directory Proxy Server, the referral hop limit does not work.

6469154

On Windows, the output of the dsadm and dpadm commands and their help messages are not localized in Simplified and Traditional Chinese.

As a workaround to this problem, set the class path using the following command:


set CLASSPATH="C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapy.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg_l10n.jar;" 
java -Dsun.directory.clip.arg0=dsadm -Dsun.directory.dcc.path.slapx=dsadm 
-classpath %CLASSPATH% com.sun.directory.slapy.cli.SlapyMain --help

6490853

If you run a search using a JDBC data view configured with a DB2 database and there are a large number of entries to be returned in the search result, an error might occur after returning 1344 entries.

To overcome this limitation, increase the number of large packages by setting the value of the CLI/ODBC configuration keyword CLIPkg to a value up to 30. Even then, the search result is limited to a maximum of 11712 entries.

For more information, see DB2 documentation.

6527010

Directory Proxy Server cannot write JDBC attributes implying many-to-many (N:N) relationship between tables in the JDBC database.

6539650

Directory Proxy Server instances that have a multi-byte DN and were created using DSCC fail to start on Linux.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, add the following lines, which are marked with +, to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.


...
restart_on="none" type="service"> 
<service_fmri value="svc:/network/initial:default"/> 
  </dependency> 
+ <dependency name="nameservice" grouping="require_all" \
+ restart_on="none" type="service"> 
+ <service_fmri value="svc:/milestone/name-services"/> 
+ </dependency> 
<exec_method type="method" name="start" 
exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

6547759

On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.

6551076

Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.

6554303

When a join data view is configured using filter-join-rule, adding entries to the join data view is not possible even after you set the transformation rule on the secondary data view.

Known Directory Proxy Server Issues in 6.0

This section lists the issues found at the time of the Directory Proxy Server 6.0 release.

5042517

The modify DN operation is not supported for LDIF, JDBC, join and access control data views.

6255952

When local proxy ACIs are defined, operations using the get effective rights control may not return the correct information.

6356465

Directory Proxy Server has been seen to reject ACIs that specify subtypes to the target attribute, such as (targetattr = "locality;lang-fr-ca").

6357160

The dpconf command does not reject new line and line feed characters in property values. Avoid using new line and line feed characters when setting property values.

6359601

When ACIs are configured, Directory Proxy Server has been seen not to return the same results as a search directly on the LDAP data source.

6374344

Directory Proxy Server has been seen to return an operations error, stating that the server is unable to read the bind response, after a Directory Server data source is restarted.

6383532

Directory Proxy Server must be restarted when the authentication mode configuration is changed.

6386073

After a CA-Signed Certificate request is generated for Directory Proxy Server, you can refresh Directory Service Control Center. Directory Service Control Center then labels the certificate as self-signed.

6388022

You can configure Directory Proxy Server to use SSL connections when the client application connects using SSL. If the SSL port used by Directory Proxy Server is incorrect, Directory Proxy Server has been seen to close all connections after a secure search.

6390118

Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.

6390220

Directory Proxy Server allows you to set the base-dn property of a data view to the root DN, "", only when initially creating the data view.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6439055

Do not use the dollar sign, $, when defining attribute rules.

6439604

After configuring alerts, you must restart Directory Proxy Server for the change to take effect.

6445919

When you configure a virtual hierarchy with DN rules, Directory Proxy Server cannot always resolve searches based on the virtual DNs. For example, if the virtual DN is configured as uid=${entry.uid},cn=${entry.cn},dc=example,dc=com, searches with scope cn=some-cn,dc=example,dc=com fail.

6447554

Directory Proxy Server has been seen to fail to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.

6458935

When working with join data views, Directory Proxy Server does not take into account the data distribution algorithms in the views that make up the join.

To work around this issue, configure data distribution at the level of the join data view when using joins and data distribution together.

6463067

The dpadm autostart command does not work when you install software from native packages, and you relocate the native packages at installation time.

6469780

After configuring a JDBC data source, you must restart Directory Proxy Server for the change to take effect.

6475156

The dpconf command erroneously claims a restart is required when you set the bind-dn and num-write-init properties.

6475710

The modify RDN operation is not supported for entries in JDBC data views.

6475727

After using the dpconf delete-jdbc-object-class command, you must restart Directory Proxy Server for the change to take effect.

6475743

Directory Proxy Server has been seen to retrieve only one of two attributes mapped through JDBC when both attributes are mapped to the same database table column.

6477261

Directory Proxy Server incorrectly returns error 32, no such object, when accessing a JDBC attribute not specified in the configuration.

6479264

One level searches through JDBC data views have been seen to fail.

6479766

Directory Proxy Server does not allow you to manage schema over LDAP.

6486526

On Windows systems when you install Directory Proxy Server after Directory Server using the dsee_deploy command, the command returns an error suggesting that some common files could not be removed.

6486578

Directory Proxy Server should ignore the filter-join-rule property when it is used in a primary table.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6490763

Access Manager, when accessing Directory Server through Directory Proxy Server, has been seen to encounter caching problems related to persistent searches after Directory Server is restarted.

To work around this issue, restart either Access Manager or Directory Proxy Server after restarting Directory Server.

For further fine tuning, you can increase the number of and delay between Access Manager attempts to reestablish persistent search connections. You can increase these parameters by changing the following properties in the AMConfig.properties file.

  • Increase com.iplanet.am.event.connection.num.retries, which represents the number of attempts. The default is 3 attempts.

  • Increase com.iplanet.am.event.connection.delay.between.retries, which represents the number of milliseconds delay between attempts. The default is 3000 milliseconds.

6491133

When creating a self-signed certificate using Directory Service Control Center, do not use multi-byte characters for the certificate names.

6491845

The default LDAP controls allowed through Directory Proxy Server are not displayed by Directory Service Control Center.

6492355

Directory Proxy Server does not update JDBC data sources with transactions. Instead, Directory Proxy Server performs operations in stages. Therefore, part of an update operation against a relational database can succeed although another part of the operation fails.

6492376

After configuring JDBC syntax, you must restart Directory Proxy Server for the change to take effect.

6493349

Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.

6494259

Directory Proxy Server does not recompute the alternate-search-base-dn property when you change the base-dn property of a data view.

6494400
6494405

On Windows systems when Directory Proxy Server is enabled as a service, do not use the dpadm cert-pwd-prompt=on command.

6494412

To enable email alerts from Directory Proxy Server to mail users on the local host, specify an email-alerts-message-from-address property before you enable email alerts.


$ dpconf set-server-prop email-alerts-message-from-address:admin@localhost

6494513

Increasing the number of Directory Proxy Server worker threads can prevent the server from restarting. This problem manifests itself as a java.lang.OutOfMemoryError error when the server is started. This problem occurs when the memory available to the Java Virtual Machine is not sufficient to allocate space for all worker threads.

To work around this issue, either use the dpadm command to allow the server to use more memory, or replace the server configuration file, instance-path/config/conf.ldif, with instance-path/config/conf.ldif.startok to use the previous configuration settings.

6494540

After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.

6495395

Virtual directory macros using split do not work properly.

6497547

Time limit and size limit settings work only with LDAP data sources.

6497992

After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.

6500275

When used with the jvm-args flag to allocate extra memory for the Java virtual machine, the dpadm command has been seen to return exit status 0 even though memory allocation fails. Error messages appear on the command line, however.

6500298

When using the jvm-args flag of the dpadm command and restarting the server, you cannot successfully allocate more than 2 GB memory for the Java virtual machine.

To work around this issue, use dpadm stop and dpadm start instead of dpadm restart.

6501867

The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and Japanese multiple-byte characters.

6505112

When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.

To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.

6510583

Unlike previous versions, as stated in the manual page allowed-ldap-controls(5dpconf), Directory Proxy Server does not allow the server side sort control by default.

You can enable Directory Proxy Server support for the server side sort control by adding server-side-sorting to the list of allowed LDAP controls specified by the allowed-ldap-controls property.


$ dpconf set-server-prop \
 allowed-ldap-controls:auth-request \
 allowed-ldap-controls:chaining-loop-detection \
 allowed-ldap-controls:manage-dsa \
 allowed-ldap-controls:persistent-search \
 allowed-ldap-controls:proxy-auth-v1 \
 allowed-ldap-controls:proxy-auth-v2 \
 allowed-ldap-controls:real-attributes-only \
 allowed-ldap-controls:server-side-sorting

Notice that you must repeat the existing settings. Otherwise, only the server side sort control is allowed.

6511264

When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.

Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.

6516261

When used with German and Chinese locales, Directory Service Control Center has been seen to fail to create new Directory Proxy Server instances. The dsccreg add-server command also has been seen to fail to register Directory Proxy Server instances.

To work around this issue on a Windows system, switch to the U.S. English locale before creating the instance.

6517615

The JDBC connection configuration to access Oracle 9 through Directory Proxy Server might not be as straightforward as shown in the documentation.

Consider the following configuration. You have an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.

Typically, to configure access through to MYTABLE, you would set the following properties.

  • On the JDBC data source, set db-name:MYINST.

  • On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.

  • On the JDBC table, set sql-table:MYNAME.MYTABLE.

If these settings do not work for you, try configuring access through to MYTABLE with the following settings.

  • On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST))).

  • On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537))).

  • On the JDBC table, set sql-table:MYNAME.MYTABLE.