Sun Java System Directory Server Enterprise Edition 6.1 Release Notes

Chapter 3 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

Bugs Fixed in Directory Server

This section lists bugs fixed in the Directory Server 6.1 and 6.0 releases.

Bugs Fixed in Directory Server 6.1

The following list contains only selected bugs fixed in this release. For the complete list of bugs fixed in this release, see the README.patchnumber file in your patch directory.

2143525

Substring filters can be slow if they are changed into a range index.

2143806

Adding a CoS Template entry that contains a single entry of " causes the system to crash.

2145935

The mutex_lock crashes while searching for replication agreements.

2145936

slapd_nss_decrypt() leaks memory on every call.

2145937
2145938

Server crashes if encrypted attribute exists with no value.

2145939

Incorrectly formatted DSML requests crash the server on Solaris x86.

2145941

Deadlock in connection handling between multiple internal operations and incoming replication operation.

2147271

In Directory Server, users are able to perform MODRDN() anonymously, which enables unauthorized users to change data in entries under specific conditions.

2148581

The ldapsearch command displays information about the existence of the attributes in an entry, which might enable an unauthorized user to modify attributes in the entry.

6494027

Errors in replication agreement when doing total update or restarting a consumer.

6523245

Directory Server does not allow you to enable password quality checking alone without at least one other password policy feature.

6535366

Change in mutex locking for Directory Server can lead to slower search performance.

6539528

Directory Server skips merge of indexes if there are multiple import passes.

6542961

Setting a small value for the trimming of changelog may cause the server to crash.

Bugs Fixed in Directory Server 6.0

2065190

Issue with ;binary attributes and compliance with RFC 1274.

2073877

Console process grows when adding users.

2077615

Console cannot display an access log greater than 60 MB when a filter is used.

2078936

Log size settings over 2 GB do not work.

2081711

Directory Server crashes when a client sends a certificate without an issuer DN.

2096858

Adding an entry crashes Directory Server.

2096883

Directory Server dumps core due to an incorrect search performed by a plug-in.

2096891

Deadlock in access control plug-in.

2096903

Unable to configure pass-through authentication with URLs containing the same suffix.

2096910

DN checking operation is not properly carried out by Directory Server.

2096948

Regression related to ignoring referrals.

2096972

ldapsearch -A fails against a chained database.

2096974

During shutdown, referential integrity plug-in can crash Directory Server.

2097033

VLV indexes are broken.

2097063

Binding with certificate authentication and a simple bind can cause Directory Server to hang.

2097069

Replicated updates can stop replication.

2097104

Crash while deleting a browsing index.

2097113

Subtree plug-in logs superfluous postoperation warnings.

2097137

Referential Integrity plug-in does not allocate enough space for internal search.

2097199

Password expiration does not completely prevent users from binding.

2097204

Strange reverse DNS request issued at startup.

2097230

All attribute subtypes get deleted from index.

2097291

Directory Server dumps core in acl_access_allowed().

2097364

Wildcard searches work poorly with single character attribute values.

2097365

Some wildcard searches trigger problems.

2097370

ldif2db -n userRoot -i test.ldif causes a bus error.

2097382

ACIs and ACLs do not take extra white space into account.

2097440

Memory leak with persistent searches.

2097454

Directory Server dumps core when checking the history of a clear text password.

2097508

Persistent search returns tombstone purging events.

2097539

Start TLS is not thread safe.

2097566

bak2db fails with nested directory databases.

2097599

Buffer Overflow in re_comp().

2097622

Significant memory leak.

2097653

Directory Server core dumps in preop_modify() when the attribute uniqueness plug-in is active.

2097856

Directory Server crashes on receipt of an invalid PDU.

2098089

Substring index becomes corrupt if one of similar multiple values is deleted.

2099319

Installation fails on HP-UX.

2099405

Replication commands should have a timeout parameter.

2099420

Crash when trimming the retro changelog.

2099426

Duplicate uid attribute values arise when encryption is performed.

2099434

db2ldif -r removes the guardian file.

2101109

The audit log can fail to rotate as configured.

2101130

Access log rotation does not occur upon restart.

2101137

Some tombstone entries are not being purged.

2101144

Could not set referrals for replica errors.

2101156

Unable to release IDs on the consumer after the link is down for more than 5 minutes.

2101162

VLV search based on empty container returns err=1.

2101166

Memory leak in search on suffix containing referral subsuffix.

2101187

Adding an entry with "*" characters in the DN field incurs a full scan of tombstones.

2101191

repldisc does not properly work with multiple instances on the same host.

2101202

A modify or delete of more than five values deletes all values.

2101217

Crash when removing a RUV when using multiple Solaris 9 x86 masters.

2101232

DENY macro ACI applies to entries that should not be affected.

2101246

Log settings for minimum free disk space do not work as expected.

2101260

Directory Server stops responding when LDAP search with too many attributes is sent.

2101264

Search operation with "-" char in filter leads to failure.

2101312

Link loss longer than five minutes causes consumer not to sync after network recovery.

2101314

ADD not replicated, DEL cannot be replayed when using multi-master replication over SSL.

2101332

Expiration time unit does not take the right default value.

2101395

Schema deletions not propagated correctly.

2101399

Consumers hang when schema is pushed over replication.

2106623

Transaction logs are not always deleted.

2112994

Special DN with ; and , crashes Directory Server.

2113363

Internal search causes Console to display warning.

2115512

Directory Server crashes when changelog trimming is enabled.

2118489

Master and consumer expand superior object class differently.

2118767

Slow import with complex DIT.

2119156

Directory Server crashes at startup in ACI code.

2119159

Crash occurs when reading the replication agreement.

2119577

Chaining downcasts DNs.

2120295

ACL does not work as expected if nested group is specified as groupdn.

2120415

Directory Server exits after 4 GB realloc().

2120445

Directory Server crashes during a specific search when adding a subsuffix.

2120502

Crash at startup when nsslapd-binary-mode is set.

2120542

Unexpected password is expiring on consumer in %d seconds message reported.

2120918

Inconsistency in replicated data between master and consumer.

2120950

Multiple password changes can lead to clear-text password.

2120951

Directory Server connection is unexpectedly down.

2121080

Crash when checking access control during modify operation.

2121115

Crash on consumer during schema replication if legacy replication is enabled.

2121137

Updates to the retro changelog lost on master.

2121247

Excess warning messages about replay of operation already seen.

2121679

Race condition occurs when closing connections.

2121953

Online index task request and simultaneous access control search leads to hang.

2122537

Index corruption with very large number of matches.

2122698

Memory leak in individual password policies.

2123206

Crash in replication when the difference between system clocks is greater than 24 hours.

2123826

Data inconsistency after restarting masters under load.

2123827

Crash when shutting down server as changelog is being trimmed.

2124111

Huge memory leak in topology using old protocol with mixed versions.

2124113

Crash with DSML PDU larger than 2 KB.

2124476

Need a tool to check database integrity.

2124477

fildif cannot handle files larger than 2 GB.

2124722

Replication halts and restarts with send update now.

2124725

Clean RUV task does not remove RUV with read-only replica ID.

2124727

Deadlock between replica and connection locks.

2124730

Schema replication can miss changes.

2124731

Substring searches very slow.

2124740

mmldif delta files do not contain LDIF update statements.

2124975

Crash while processing modification with retro changelog plug-in turned on.

2125068

Memory leak when DN normalization fails.

2125161

db2ldif.pl -r can cause hang.

2125445

Adding and deleting an attribute in a single modify operation is not replicated correctly.

2125722

Crash if resource limit for number of file descriptors is dynamically increased.

2125809

Performance problems when doing searches with the en-US collation rule.

2125848

Exit when allocating 4 GB to handle access control for a group member.

2126520

Checkpoint forced even when no updates are performed.

2126571

CoS does not take effect for entries in nested organization.

2126669

Error during the creation of subsuffix or clone under a search workload.

2126886

Deadlock in database while evaluating the ACLs during a modify operation.

2127020

Replication may be slow to restart after a network outage.

2127266

A consumer does not detect that there is a pending operation when closing an idle replication connection.

2127456

Modification lost when using ldapmodify.

2127545

Performance issue when deleting a nonexistent attribute.

2127627

Deleting multivalued attributes results in high etime.

2127691

Adding and deleting the same entry on replica can lead to replication issues.

2127692

Performance degradation when purging tombstones in multi master environment.

2128056

Deletion operation is not flagged as dependent on a previous modification.

2128417

Retro Changelog plug-in fails to record changes if regular replication is disabled.

2129137

Duplicate unique IDs can be generated.

2129138

Allow administrators to reset passwords.

2129139

Cannot stop or use master after total update fails when using multi master replication over SSL.

2129140

Add the return code for errors that could not be logged in the changelog.

2129141

Hub not replicating due to bad hub replica ID, 65535, in hub RUV.

2129142

Lack of disk space causes looping in db2bak internal task.

2129143

ACI returns incorrect results when fix is applied.

2129145

Bad server side sort performance when data contains many identical values.

2129147

passwordRetryCount does not get incremented when passwordResetFailureCount is set to 0.

2129148

Performance degradation in substring searches.

2129149

Memory leak with virtual attributes.

2129152

Searches for subtype attributes do not work correctly with nsslapd-search-tune enabled.

2129154

Restart of a fractional consumer breaks replication with configuration error.

2129155

Crash within SASL bind check.

2129159

Hang when replication agreement is initialized from another master.

2129161

Infrequent updates on standby replica can cause replication to stop for prolonged periods.

2131372

Crash when referential integrity log file is truncated.

2131955

Hang when an error occurs during error log rotation.

2131982

No further adds possible after first empty replace operation on single-valued, replicated attribute.

2132137

Crash in replicated operation.

2132359

Log rotation does not work correctly after restart.

2132568

Generated CSN is not systematically higher than previous CSN.

2132654

Some CoS attributes not generated for entries under nested organizations.

2132657

Classic CoS under nested organization does not work as configured.

2132929

Bad default value for nsslapd-maxbersize.

2133109

Tools needed to monitor completeness, status, and availability of servers in large, multi master deployments.

2133110

Schema checking on hubs should be enabled by default.

2133155

Invalid values are accepted for minimum password length in individual password policies.

2133168

LDIF containing encrypted attribute values corrupts indexes during import.

2133351

ldif2db has been seen to hang.

2133355

Deadlock between tombstone purging thread and access control plug-in.

2133503

On Windows systems, DSML request fails when instance path contains a space.

2134041

Crash when adding VLV index with incorrect vlvFilter.

2134409

Remote denial of service attack possible with large memory allocation.

2134467

Partial replication can break when several suppliers are configured for changelog trimming.

2134470

Merge during ldif2db skips keys due to incorrect continuation block prefix.

2134480

Memory leak when index contains a continuation block.

2134648

The mmldif command should support huge files.

2134901

Individual password policy specifies plain text, but password in new entry is replicated in encrypted form.

2134918

CoS attribute not found on entries after online initialization.

2136223

Memory leak in ACI group member evaluation.

2136224

When nsslapd-db-transaction-batch-val is set, transaction flush fails to enforce the limit.

2136869

Import can corrupt state of entries having userPassword attributes.

2138073

Incorrect page size computation creates indexes with many overflow pages after a reindexing operation.

2138081

Substring performance requires improvement.

2138837

Entries can be skipped while importing an LDIF file generated with db2ldif.pl -r.

2139899

ioblocktimeout not always enforced when writing result over secure connection.

2139914

Potential crash when renaming corrupted child entry.

2140785

Memory leak when handling password histories.

2141919

Zero allocation error when retro changelog and TMR plug-in are enabled.

2142817

Memory leak during LDAP write operations upon failure to update a matching rule index.

2142904

Operational attribute entrydn added before the entry is cached.

2143075

VLV searches leak memory.

2143076

Restore fails following binary copy when CN attribute does not match case.

2143790

Memory leak in decryption code.

4537541

Retro changelog plug-in should be executed for selected backends.

4538988

Performance issues when searching for tombstone entries.

4541437

No feedback from import during delay processing large entries.

4541499

Allow more database configuration attributes to be set over LDAP.

4542920

Provide a changelog purge vector over LDAP.

4738244

Allow a grace login period after passwords expire.

4748577

Allow complete replication configuration and management on the command line.

4877553

Enable support for libwrap.

4881004

Set default changelog maximum age to seven days.

4882951

Provide frozen mode to allow file system snapshot backups.

4883062

Make it possible to import additional entries without initialization.

4925250

Incorrect error message when exporting a subtree with db2ldif -s.

4951154

Modify performance degrades until all entries are modified.

4966365

Backend instances called default do not work.

4972234

Allow account validation through an LDAP bind without the user password.

5021269

Adding entries with object class nsTombstone can cause replication to fail.

5045529

Support required for SASL/GSS encryption.

5063150

Make the SNMP agent work with the native operating system agents.

5095192

Stopping Directory Server is sometimes slow during poll for results in a replication session.

6197516

Need a way or a tool to monitor progress during recovery after a crash.

6224962

More control needed over cache sizes.

6249904

Changelog database and other databases do not shrink even after data is removed.

6252422

Role fails to work on consumer after online initialization.

6264095

Allow disabling of anonymous binds.

6272729

Need an attribute that shows the groups to which an entry belongs.

6290382

Crash on startup with message trying to allocate 0 or a negative number of bytes.

6292118

Add port number in access log when a client connection is created.

6296288

Need a non-intrusive way to count the number of active persistent searches.

6321407

Document plug-in execution order.

6333657

Avoid traversing nscpentrydn index when purging tombstones.

6341364

Log an error when using connection based access control and the client list is not specified.

6343255

Remove the time bomb.

6370656

Display connection number under cn=monitor in same format as access log.

6394412

Support a plug-in for password syntax checking.

6407613

changeNumber is not indexed by default.

6411228

Maximum connection backlog queue incorrectly hard coded as 128.

6442106

Crash while enabling replication.

The following bugs were found during the beta program, and subsequently fixed.

6330266

A disorderly shutdown was detected when memory allocation failed.

6340943

Output from the idsync command is misleading.

6340950

Error when using an option to create a replication agreement on the command line.

6342427

Memory allocation issue leads to no more space message.

6342905

Setting the directory administrator password on the command line is confusing.

6343490

Password reset and password lockout interact incorrectly.

6343505

Result code is misleading for a bind where the password must be reset.

6344889

Log rotation subcommand name is not clear.

6344890

Command line tools should use the --D bind-dn option to specify the administrator.

6345610

Command line usage should always list global options.

6345613

Output after starting replication on the command line is misleading.

6346406

Allow binary copy from a master replica to a dedicated consumer.

6348095

Make subcommands for replication configuration easier to understand.

6348096

Some subcommand names are misleading.

6348098

Password lockout not working properly after a number of failed attempts.

6348099

Fix syntax validation property online help.

6348101

Make unit sizes consistent when setting configuration property values.

6348103

Error in option when listing indexes from the command line.

6349174

Import through dsconf fails.

6355804

Issues arise when configuring replication using the command line.

6383106

Directory Service Control Center page to configure server groups leads to JSP not found error.

6405227

Adding approximate and substring indexes causes equality indexes to stop working.

6412227

The dsee_deploy command should work with install directory names only one character in length.

6415248

The uid attribute is not displayed correctly in the Entry Overview tab of DSCC for POSIX users.

6416455

Changing nsslapd-infolog-area does not change errors log contents.

6417038

Allow DSCC to create a server instance running as nobody.

6417541

Allow changes to client control settings in the Directory Server Configuration tab of DSCC.

6417617

Installation should not remove existing Java version.

6421070

Allow DSCC to delete replication agreements.

6424456

Clarify how to change the password with ldapmodify when pwdSafeModify is on.

6449394

Allow DSCC to register existing server instances.

6451067

Allow DSCC to edit a server location.

6451889

The path for the tool to register DSCC with Sun Java Web Console is not valid in the online help.

6451892

With a presence index configured, searches still appear unindexed in the access log.

6452544

Allow DSCC to work properly when creating servers on Solaris zones.

6459897

Fix errors after configuring a suffix through DSCC.

6459899

After a delete operation, the DSCC window does not close.

6460721

Deleting an index type leads to an Error null message.

6481268

Fix server instance registration issue that occurs when a DSCC session times out.

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix.

On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.

Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.

Database cache may be outdated after failover on Sun Cluster.

When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.


Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.


To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.

Console does not allow administrator login on Windows XP.

Console does not allow the administrator to log on to the server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Known Directory Server Issues in 6.1

This section lists the known issues found at the time of the Directory Server 6.1 release. This list is in addition to the list in Known Directory Server Issues in 6.0.

6415184

A Directory Server instance with a multi-byte name cannot be registered in DSCC. As a workaround, use the charset that was used to create the instance.


# cacaoadm list-params | grep java-flags
  java-flags=-Xms4M -Xmx64M

# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

As a workaround to this problem, set the class path using the following command:


set CLASSPATH="C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapy.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg.jar;
C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip_l10n.jar;
C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg_l10n.jar;" 
java -Dsun.directory.clip.arg0=dsadm -Dsun.directory.dcc.path.slapx=dsadm 
-classpath %CLASSPATH% com.sun.directory.slapy.cli.SlapyMain --help

6488197

On Windows, the permissions on Directory Server and Directory Proxy Server are not set, which enables a non-administrator user to remove the server instances and the installation. As a workaround, change the permissions of the instance and installation folders to prevent unauthorized access.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6501893

Output of the schema_push, repldisc, pwdhash, ns-inactivate, ns-activate, ns-accountstatus, mmldif, insync, fildif, entrycmp, dsrepair, dsee_deploy, dsadm show-cert, dsadm repack, and ldif commands is not localized.

6503546

After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.

6509701

When changing LDAP passwords by using the password change extended operation, the current password of the account is required even if pwdSafeModify is off.

If you bind as the root DN, for example cn=directory manager, the current password of the account is not required.

6516953

Migrating a Directory Server 5.1 instance using dsmig migrate-all old-instance-path new-instance-path might not successfully migrate the instance.

As a workaround to this problem, edit the new-instance-path/config/schema/11rfc2307.ldif file and replace the following line


objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'automount' 
DESC 'Standard LDAP objectclass' 
SUP top STRUCTURAL MUST ( cn $ automountInformation ) 
MAY ( description ) X-ORIGIN 'RFC 2307' )

with the line given below.


objectClasses: ( automount-oid NAME 'automount' 
DESC 'Standard LDAP objectclass' 
SUP top STRUCTURAL MUST ( cn $ automountInformation ) 
MAY ( description ) X-ORIGIN 'RFC 2307' )

6516958

Migrating a Directory Server 5.2 schema using the dsmig migrate-schema old-instance-path new-instance-path command fails if the old Directory Server 5.2 99user.ldif file contains attributes defined in version 6.0.

As a workaround, remove all the Directory Server 6.0 attributes that are included in the old Directory Server 5.2 99user.ldif file and relaunch the migration from the beginning.

6520202

The dsadm import --help output is not fully translated in the French locale.

6520946

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6522184

In the Filter drop-down menu under the Suffixes tab of Directory Servers, the Replicated menu item is not translated into Traditional and Simplified Chinese languages.

6522210

The Attribute label in suffix indexes in DSCC is not translated for non-Japanese locales.

6536770

DSCC might not display long ACIs depending on the limit set by Internet Service Provider.

6538726

On Linux, if a Directory Server instance is started in a locale that is different from the locale in which the instance was created, the multi-byte characters do not display properly.

6540316

In the optional replication settings of a Directory Server instance, the Referrals label is not translated for the French locale.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, add the following lines which are marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.


...
restart_on="none" type="service"> 
<service_fmri value="svc:/network/initial:default"/> 
  </dependency> 
+ <dependency name="nameservice" grouping="require_all" \
+ restart_on="none" type="service"> 
+ <service_fmri value="svc:/milestone/name-services"/> 
+ </dependency> 
<exec_method type="method" name="start" 
exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

6547923

The Directory Server Enterprise Edition Windows service fails to start more than one server instance when the system restarts.

6547992

On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.

As a workaround to this problem, set the SHLIB_PATH variable.


env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

6551672

Sun Java System Application Server bundled with Solaris 10 cannot create SASL client connection for authenticated mechanism and does not communicate with common agent container.

Change the JVM used by the application server by editing the appserver-install-path/appserver/config/asenv.conf file and replacing the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.

6551685

The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6554777

The DSCC Version window might display the HTML source code if DSCC is configured by deploying the Web Archive (WAR) file with an application server. As a workaround, add the following entries in domain-path/domain-name/config/default-web.xml.


<mime-mapping>
<extension>shtml</extension>
<mime-type>text/html</mime-type>
</mime-mapping>

6555861

The dsee_deploy command displays error messages even if the installation using zip distribution is successful.

6557410

The passwordStorageScheme.5dsat man page should include the following details.

The CRYPT password storage scheme now supports MD5, Blowfish, and other strong algorithms. To specify the algorithm used, give the format of the salt in the nsslapd-pluginarg() argument as follows:

nsslapd-pluginarg(): value

The value is in the form of a snprintf format string corresponding to specific salt formats. For example, some of the formats supported include the following:

%.2s

$1$%.8s

$2a$04$%.22s

$md5$%.8s$

If the string value maps to an algorithm that is not supported by the operating system, then a warning message is logged and the hash will be made using the default UNIX algorithm with a salt made of 31 random characters.
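How such a format value expands into a crypt(3) salt, as an added example that is not Directory Server code: it assumes the single %.Ns conversion is filled with random salt characters, expands the format by hand so the configured string is never passed to snprintf as a format, and maps prefixes to algorithms by the usual crypt(3) conventions. The function names and the fixed sample salt characters are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SALT_CHARS 64

/* Constructed stand-in for the random salt characters a server would draw. */
static const char SAMPLE_RANDOM[] = "abcdefghijklmnopqrstuvwxyzABCDE";

/* Algorithm families, keyed on the salt prefix by crypt(3) convention. */
enum salt_kind { SALT_TRADITIONAL, SALT_MD5, SALT_BLOWFISH, SALT_SUNMD5, SALT_OTHER };

struct salt_fmt {
    size_t prefix_len;   /* literal bytes before the conversion */
    size_t precision;    /* N in %.Ns: salt characters to copy  */
    const char *suffix;  /* literal bytes after the conversion  */
};

/* Accept exactly one conversion of the form %.<digits>s and no other '%'. */
static int parse_salt_format(const char *fmt, struct salt_fmt *sf)
{
    const char *pct = strchr(fmt, '%');
    if (pct == NULL || pct[1] != '.')
        return -1;
    const char *p = pct + 2;
    size_t n = 0;
    while (isdigit((unsigned char)*p)) {
        n = n * 10 + (size_t)(*p - '0');
        if (n > MAX_SALT_CHARS)
            return -1;
        p++;
    }
    /* n == 0 also covers "no digits at all" */
    if (n == 0 || *p != 's' || strchr(p + 1, '%') != NULL)
        return -1;
    sf->prefix_len = (size_t)(pct - fmt);
    sf->precision = n;
    sf->suffix = p + 1;
    return 0;
}

/* Expand fmt into out. Returns the salt length, or -1 if fmt is rejected
 * or the result does not fit. */
int build_salt(const char *fmt, const char *random_chars, char *out, size_t outlen)
{
    struct salt_fmt sf;
    if (parse_salt_format(fmt, &sf) != 0)
        return -1;
    size_t suffix_len = strlen(sf.suffix);
    if (strlen(random_chars) < sf.precision)
        return -1;
    if (sf.prefix_len + sf.precision + suffix_len + 1 > outlen)
        return -1;
    memcpy(out, fmt, sf.prefix_len);
    memcpy(out + sf.prefix_len, random_chars, sf.precision);
    memcpy(out + sf.prefix_len + sf.precision, sf.suffix, suffix_len + 1);
    return (int)(sf.prefix_len + sf.precision + suffix_len);
}

/* Which algorithm family the salt prefix selects. */
enum salt_kind classify_salt(const char *salt)
{
    if (strncmp(salt, "$1$", 3) == 0)   return SALT_MD5;
    if (strncmp(salt, "$2a$", 4) == 0)  return SALT_BLOWFISH;
    if (strncmp(salt, "$md5$", 5) == 0) return SALT_SUNMD5;
    if (salt[0] == '$')                 return SALT_OTHER;
    return SALT_TRADITIONAL;            /* bare two-character salt */
}

/* Two-digit cost field of a Blowfish salt ($2a$NN$...), or -1. */
int blowfish_cost(const char *salt)
{
    if (classify_salt(salt) != SALT_BLOWFISH)
        return -1;
    if (!isdigit((unsigned char)salt[4]) || !isdigit((unsigned char)salt[5]) || salt[6] != '$')
        return -1;
    return (salt[4] - '0') * 10 + (salt[5] - '0');
}

int main(void)
{
    /* The four formats from the release note, plus two that are rejected. */
    const char *formats[] = { "%.2s", "$1$%.8s", "$2a$04$%.22s", "$md5$%.8s$",
                              "%s", "$1$%.8s%n" };
    static const char *names[] = { "traditional", "MD5", "Blowfish", "Sun MD5", "other" };
    char salt[MAX_SALT_CHARS * 2];
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        if (build_salt(formats[i], SAMPLE_RANDOM, salt, sizeof salt) < 0) {
            printf("%-14s rejected\n", formats[i]);
            continue;
        }
        printf("%-14s -> %-30s %s", formats[i], salt, names[classify_salt(salt)]);
        if (blowfish_cost(salt) >= 0)
            printf(" (cost %d)", blowfish_cost(salt));
        printf("\n");
    }
    return 0;
}
```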

6560033

The dsee_deploy man page wrongly mentions installation and uninstallation of Directory Service Control Center, which is not directly installable using the zip distribution. However, the WAR file is copied to your system during installation from the zip distribution, and it can then be deployed with an application server to configure Directory Service Control Center.

See Installing Directory Service Control Center Using the Zip Distribution in Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide.

6560641

On HP-UX systems, after a successful upgrade using native patches, DSCC is unable to restart the Directory Server instances.

6561772

Some of the jar files loaded in lockhart are not upgraded after applying 125310-02 and 125278-02 patches.

As a workaround, run the following commands in the given sequence:


dsccsetup console-unreg
dsccsetup console-reg

Known Directory Server Issues in 6.0

This section lists the issues that are found at the time of Directory Server 6.0 release.

2113177

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

2133169

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.

6358392

When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide.

6366948

Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.

6395603

When installing software from the zip distribution, do not use the -N (--no-cacao) option if you intend subsequently to manage servers with Directory Service Control Center. The Common Agent Container cannot be installed separately later.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

    To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.


    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert

  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.


    $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt

  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.


    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
    
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6415184

Directory Server instances with multi-byte names cannot be registered in Directory Service Control Center.

To work around this issue, configure the Common Agent Container as follows.


# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.

6428448

The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.

6435416

When running server management commands in the French locale, some messages displayed by the commands are missing apostrophes.

6443229

Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.

6446318

SASL authentication has been seen to fail on Windows systems when SASL encryption is used.

As a workaround to this issue, reset SASL to the following.


dn: cn=SASL, cn=security, cn=config
  dssaslminssf: 0
  dssaslmaxssf: 0

6448572

Directory Service Control Center fails to generate a self-signed certificate when you specify the country.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6468074

The configuration attribute name passwordRootdnMayBypassModsCheck does not reflect that, when the attribute is set, the server now allows any administrator to bypass password syntax checking when modifying another user's password.

6468096

Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.

6469296

The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6475244

When using a browser running in Chinese, Japanese, or Korean locales, logs generated by Directory Service Control Center when creating a server instance contain garbage.

To work around this issue, run the following commands on the Common Agent Container where the new server instance is to be created.


cacaoadm stop
cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
cacaoadm start

6478568

The dsadm enable-service command does not work correctly with Sun Cluster.

6478586

When using a browser running in the French locale, duplicate apostrophes appear in Directory Service Control Center.

6480753

The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.

6482378

The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.

6482888

Unless you start Directory Server at least once, the dsadm enable-service fails to restart Directory Server upon system reboot.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488262

The dsadm autostart command fails when multiple instances are specified, and the command fails for one of the instances.

6488263

The dsadm autostart command does not support white space in the instance file name.

6488303

The dsmig command has been seen not to migrate values for some configuration attributes that are not identified in the upgrade and migration documentation.

The following configuration attributes are affected:

  • nsslapd-db-durable-transaction

  • nsslapd-db-replication-batch-val

  • nsslapd-disk-low-threshold

  • nsslapd-disk-full-threshold

6489776

After a total update on a master replica under significant write load, in some cases the generation ID for the master that has undergone the total update is not set properly. As a result, replication fails.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser, such as the Mozilla web browser.

6490762

After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.

6491849

After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use the new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6492939

Directory Server does not properly handle Chinese multi-byte characters in strings for database names, file names, and path names.

To work around this issue when creating a Directory Server suffix having Chinese multi-byte characters, specify a database name that has no multi-byte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.


$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN

Do not use the default database name for the suffix.

6493957
6493977

On Windows systems when Directory Server is enabled as a service, do not use the dsadm cert-pwd-prompt=on command.

6494027

The following replication error messages have been seen to persist on agreements with a consumer even after a total update is performed on the consumer.

Error sending replication updates. Error Message: Replication error
updating replica: Unable to start a replication session : transient
error - Failed to get supported proto. Error code 907.

Operational Status Error sending updates to server host:port. Error:
Replication error updating replica: Incremental update session abored :
fatal error - Send extended op failed. Error code: 824.

To eliminate the messages, disable the replication agreement, and then enable the replication agreement.

6494448

When stopping multiple master replicas under heavy load in a multimaster replication configuration, the servers may take several minutes to stop.

6494984

After an import operation is performed on a master where read-write-mode is set to read-only, Directory Server fails to restart.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6495459

You must configure DSML before you can monitor DSML with Java ES Monitoring Framework.

6496916
6539849
6555637

The More on Server Groups, More on read/write mode, and More on this table links in Directory Service Control Center point to English online help on all the locales.

6497053

When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To work around this issue, perform the following steps.

  1. Enable the Monitoring Plugin using the web console or dpconf.

  2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.

6497894

The dsconf help-properties command works properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6498537

In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.

6500297
6500301

After installing from the zip distribution on Solaris and Red Hat systems, Directory Server does not appear through SNMP after the Common Agent Container, cacao, is restarted.

To work around this issue on Solaris systems, apply all recommended patches listed in Directory Server, Directory Proxy Server, and Directory Server Resource Kit Operating System Requirements.

6501900
6501902
6501904

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccreg commands is not localized.

6503595

After accessing Directory Service Control Center for the first time and registering a Directory Server instance, a warning and an exception are written to the Sun Java Web Console logs.

You can safely ignore the warning, failed to retreive "server-pid" from command ouptut, and the exception. The exception output appears as follows.

StandardWrapperValve[wizardWindowServlet]: Servlet.service() for servlet
 wizardWindowServlet threw exception
java.lang.IllegalStateException: Cannot forward after response has been
 committed

6503558

When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.

6506020

After manual reboot following installation on a Windows system with the Java ES installer, Directory Server is not running. However, Directory Server can appear to be running in the Task Manager. When this occurs, Directory Server cannot be restarted from the Task Manager.

To work around this issue, remove the process ID file from the logs folder.

6506043

The dsmig migrate-data -R -N command has been seen to fail when upgrading from Directory Server 5 2005Q1.

To work around failures in automatic data migration, migrate the data manually as described in Chapter 3, Migrating Directory Server Manually, in Sun Java System Directory Server Enterprise Edition 6.1 Migration Guide.

6507312

On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.

6507803

When accessing Directory Service Control Center through Internet Explorer 6, saving index configuration changes for a suffix causes a null error to appear. The progress window for the operation appears to freeze.

To work around this issue, access Directory Service Control Center through a different browser, such as a Mozilla-based browser.

6507817

When you edit a directory entry through Directory Service Control Center, if the entry is simultaneously changed by some other method, refreshing the display does not show the changes.

6508042

Directory Service Control Center has been seen to show incorrect status for the User-Changeable field of Global Password Policy, pwd-user-change-enabled.

To work around this issue, use the dsconf(1M) command to read the pwd-user-change-enabled server property.


$ dsconf get-server-prop -w /tmp/ds.pwd pwd-user-change-enabled
pwd-user-change-enabled  :  off

6510594

When upgrading from Directory Server 5.2, if you have a certificate database that contains no trusted certificates, the dsmig migrate-config command fails. This problem can occur when you have created a certificate database, but never used the database, nor set up SSL.

    To work around this issue, follow these steps.

  1. Remove the new, empty Directory Server 6 instance.

  2. Rename the ServerRoot/alias/slapd-serverID-cert8.db and ServerRoot/alias/slapd-serverID-key3.db files that the Directory Server 5.2 instance uses.


    $ cd ServerRoot/alias
    $ mv slapd-serverID-cert8.db slapd-serverID-cert8.db.old
    $ mv slapd-serverID-key3.db slapd-serverID-key3.db.old

  3. Perform the upgrade and migration process again.

6513644

On HP-UX systems, Directory Service Control Center has been seen to show a null pointer exception error message when starting and stopping a Directory Server instance. The error affects Directory Service Control Center, not the Directory Server instance.

6519263

When migrating a Directory Server configuration, the dsmig migrate-config command fails if the -R option is used but not all suffixes in the existing configuration are replicated.

    To work around this issue, perform the following steps.

  1. Stop the old server.

  2. In the dse.ldif configuration file of the old server instance, in the entry with DN cn=changelog5,cn=config, comment out the following attributes using hash marks (#).

    #nsslapd-changelogmaxage: ...
    #nsslapd-changelogmaxentries: ...

  3. Make a note of the values for these attributes.

  4. Migrate the server configuration using the dsmig migrate-config command.

  5. On the new server instance, for every suffix that has a configuration entry with DN of the form cn=replica,cn=suffix-dn,cn=mapping tree,cn=config, run the following commands.


    $ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-age:old-value
    

    Here old-value means the value of nsslapd-changelogmaxage in the old server instance.


    $ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-entry-count:old-value/nbr-suffixes
    

    Here old-value means the value of nsslapd-changelogmaxentries in the old server instance. nbr-suffixes is the total number of replicated suffixes.