iPlanet Meta-Directory 5.0SP1
Release Notes - April, 2002
These Release Notes contain important information regarding Meta-Directory
version 5.0SP1. Installation notes, known problems, and other late-breaking
issues are addressed in this document; you should read this document before
you install and use iPlanet Meta-Directory.
These release notes contain the following sections:
Platform Support
Meta-Directory is supported on the Solaris 8 and Windows NT 4.0SP6 platforms.
Your system may need to include additional
software before you can install Meta-Directory. For more information on the software requirements for your
operating system, see the iPlanet Meta-Directory Installation Guide.
Connector Platform Support
The following table lists the supported platforms for the join engine and each connector, and lists the additional software that
may be required:
| Connector |
Supported Platform |
Software Requirement |
| Join Engine |
Solaris 8
Win NT |
N/A |
| Universal Text Parser/Universal Text Connector |
Solaris 8
Win NT |
N/A |
| NT Domain Connector |
Win NT |
N/A |
| Oracle Database Connector |
Solaris 8
Win NT |
The Oracle Database Connector requires Oracle 8.1.5 or 8.1.7 (server and client).
The Oracle client software must be installed on the machine that is running the join engine.
The server (database) software can exist on a different machine. |
| Active Domain Connector |
Win NT |
The Active Domain Connector requires ADSI 2.5 on the machine that is running the Active Directory
Connector. It connects to a machine hosting the Active Directory (usually running the Windows 2000 platform). |
Problems Corrected
iPlanet Meta-Directory 5.0SP1 includes fixes to the
following known problems that occurred in earlier releases of
Meta-Directory:
Meta-Directory Tested with Directory Server 5.1.
iPlanet Meta-Directory 5.0SP1 has been tested with iPlanet Directory Server
version 5.1, as well as with iPlanet Directory Server version 5.0.
( #N/A )
Extra Spaces Trimmed from RDN Values
The join engine no longer trims off extraneous spaces when it conducts a search using
an RDN value.
( #4557355 )
Using Binary Attributes as Join Criteria
The join engine now accepts binary attributes as a selection criteria in join rules.
( #4555000 )
Removing a Universal Connector Instance
In the previous release, if you were to remove an instance of a Universal Connector
using the Meta-Directory console, the console would not prompt you to remove the
associated connector view and participating view. This problem has been corrected.
( #4551118 )
Universal Text Parser (UTP) Token Functionality
The Token functionality now operates properly when you customize the task.cfg
file for comma separated values.
( #4551051 )
Universal Text Connector (UTC) Attribute Flow Rules
In the previous release, if you were to delete an entry that is owned by a connector
view from its corresponding external data source (such as from NT SAM or from Active Directory),
the Universal connector would add the connector view-owned entry back to the external
data repository in the next synchronization cycle. The problem was that user-defined
attribute flow rules were not properly applied when the entry was added back. This
problem has been corrected.
( #4550842 )
"Triggers Created with Compilation Errors" Warning
In the previous release, there was a known sqlplus limitation that a single SQL
query could have a maximum of 500 lines of 80 characters each. If you were to attempt
to instrument an Oracle table with a large number of columns, you might have received
the "Triggers Created with Compilation Errors" warning message. This problem has been
corrected.
( #4560665 )
Oracle Mapping Failure
Under high stress conditions, the join engine might have created an entry in the
Oracle proxy view, even though the entry already existed. This problem has been
corrected.
( #4551080 )
Login ID Values Containing Spaces
Entries created in the Active Directory database can now contain login id values
with spaces.
( #4550920 )
Installation Notes
This section contains information regarding installation and uninstallation procedures
for this release. For more details on installing
iPlanet Meta-Directory version 5.0SP1, see the
iPlanet Meta-Directory Installation Guide.
Meta-Directory Installation Failure Scenarios
The following table lists the installation and upgrade failure scenarios for Meta-Directory and Directory Server
and the platforms on which they occur.
| iDS version |
iMD version |
Installation Scenarios |
Platform |
| 5.1 |
5.0 |
When iDS 5.1 and iMD 5.0 are installed in the same server root, the join engine will fail
to start. |
Solaris and NT |
| 5.0 to 5.1 |
5.0 |
When iDS 5.0 and iMD 5.0 are installed in the same server root, and iDS is upgraded to
version 5.1 without first uninstalling version 5.0, the join engine will fail to start. |
Solaris and NT |
| 5.0SP1 to 5.1 |
5.0 |
When iDS 5.0SP1 and iMD 5.0 are installed in the same server root, and iDS is
upgraded to version 5.1 without first uninstalling version 5.0SP1, installation will
be unsuccessful, and the join engine will fail to start. |
Solaris and NT |
| 5.0 to 5.0SP1 |
5.0SP1 |
When iDS 5.0 and iMD 5.0SP1 are installed in the same server root, and iDS is
upgraded to version 5.0SP1 without first uninuninstallingrsion 5.0, the installer will
fail to detect a previously installed version of the Administration server. The join engine will
fail to instanciate with a CGI error upon the first try, but will successfully instanciate upon the second try. |
NT |
| 5.0 to 5.1 |
5.0SP1 |
When iDS 5.0 and iMD 5.0SP1 are installed in the same server root, and iDS is
upgraded to version 5.1 without first uninstalling version 5.0, the Administration server
will fail to start. |
Solaris and NT |
| 5.0SP1 to 5.1 |
5.0SP1 |
When iDS 5.0SP1 and iMD 5.0SP1 are installed in the same server root, and iDS is
upgraded to version 5.1 without first uninstalling version 5.0SP1, the Administration server
will fail to start after the upgrade. |
Solaris and NT |
| 5.0 to 5.1 |
5.0 to 5.0SP1 |
If you upgrade iDS and iMD in the following order:
Upgrade iDS 5.0 to iDS 5.1, and thenupgradee iMD 5.0 to iMD 5.0SP, the Administration server
will fail to start. |
Solaris and NT |
5.0 to 5.1 |
5.0 to 5.0SP1 |
If you upgrade iDS and iMD in the following order:
Upgrade iMD 5.0 to iMD 5.0SP1, and thenupgradee iDS 5.0 to iDS 5.1, the Administration server
will fail to start. |
Solaris and NT |
Meta-Directory Uninstallation Failure Scenarios
The following table lists the uninstallation failure scenarios for Meta-Directory and Directory Server
and the platforms on which they occur.
|
iDS version |
iMD version |
Installation Scenario |
Platform |
| 5.0 |
5.0 |
If iDS 5.0 and iMD 5.0 are installed in the same server root, and iMD is then uninstalled,
iDS will fail to start. |
Solaris |
| 5.0SP1 |
5.0 |
If iDS 5.0 and iMD 5.0 are installed in the same server root, and iMD is then uninstalled,
iDS will fail to start. |
Solaris |
Known Problems and Limitations
This section lists and describes the known problems reported for the
release of iPlanet Meta-Directory, version 5.0SP1. The known problems are
arranged into the following sections:
Installation and Uninstallation Notes
iPlanet Console Displays Wrong Version Number After Upgrade
If you install Meta-Directory version 5.0SP1 over an existing installation of
Meta-Directory version 5.0, the iPlanet Meta-Directory console will incorrectly
show that the version number has not been updated.
( #4533757 )
Workaround
To ensure that the Meta-Directory upgrade has taken place, open any existing
instance of the join engine or a connector. The console window will display the
correct version number.
Incorrect Disk Size Information During Installation
During the installation of some Meta-Directory components, the installer
program might not immediately refresh the disk size information.
( #4543211 )
Uninstalling Meta-Directory with a Stopped Directory Server
You can not run the uninstall script after you have shut down the
Directory Server instance that hosts the Meta-Directory configuration. This
problem occurs only on Solaris.
( #4538209 )
Installer Miscalculates Disk Space Required
After you have downloaded
the product binaries and double clicked on the setup for installation, the
installer program has been known to miscalculate the disk space required to
install Meta-Directory on your system.
( #4541375 )
Installation Directories
Currently, you must install Meta-Directory into a directory tree whose
name is represented as seven-bit ASCII.
( #4538175 )
Specifying the Change Log Directory During Installation of Meta-Directory
If you specify a nonexistent directory for the change log during the Meta-Directory
installation process, the associated Directory Server will not be restarted by the
Meta-Directory installation process; you must manually restart the associated Directory
Server.
( #N/A )
Re-installing On Solaris Systems
If you need to reinstall Meta-Directory (or one of it's components) on a Solaris
system, you will need to reinstall all the currently-installed components. There
will be no loss of data or configuration settings when you reinstall the components.
( #4540304 )
Uninstalling Meta-Directory
Before you uninstall Meta-Directory, be sure to stop all Meta-Directory
components from the console and make sure they have finished
processing before you initiate the uninstall process. In particular, the
join engine takes time to shut down if it is processing a large volume of
data. Beginning the uninstall process while Meta-Directory components are
still processing will cause the uninstall to fail.
( #4539456 )
Uninstalling Individual Meta-Directory Components
On Solaris systems, if you uninstall a single Meta-Directory component from
a system, other installed components (such as the join engine and any
instances of Directory Server) will fail if those components are in the same
server root as the Meta-Directory component you are uninstalling.
( #N/A )
Workaround
The problem arises from the deletion of files used by the other services.
Reinstall the deleted files and restart any associated components. If you
unpacked the tar file into the directory <meta_dist>,
then issue the following command to replace the deleted files:
unzip -o <meta_dist>/join/join.zip
"lib/lib*.so" -d <NETSITE_ROOT>
General Notes
Suffix Cannot be in a Multi-Mastered Directory Database
As with Meta-Directory version 5.0, in this release, he suffix containing either a connector view or
meta view must be in a single mastered database in iPlanet Directory Server 5.0 and later. It
is not possible for the suffix to be in a multi-mastered directory database.
( #N/A )
Case Sensitivity Note
In LDAP, when you change the case of a Case Ignore String Value, the value is not changed,
but the representation of the value is. The LDAP protocol (RFC 2251 to RFC 2256) does not
mandate that the representation of the value is to be preserved. When a server maintains
the State Information for a Replica, it ensures that values are dealt with correctly.
It may not preserve the representations of the value.
For example, if you were to set up an instance of the Universal Text Connector using a
csv file, and change the values in the file from lower case to upper case,
the changes will not be detected.
( #4536190 )
User Interface May Not Display Hour Table
If you create an NT User in a meta view or connector view, and click on the ntuserlogonhours
button, the user interface may not display the hours table.
( #4654971 )
Workaround
Close the window and click on the ntuserlogonhours button several times. The hours table
will eventually display.
Query/Fix-it tool Incorrectly Passes a Link Error
The Query/Fix-It tool may report a link error when joining an entry from a meta view with a
new entry in an Oracle connector view. Ignore the error, as the new entry is still created and linked
successfully.
( #4644379)
Logon Hours of an NT UserObject Created by Console Does Not Take Time Zone into Account
The logon hours is represented in NT SAM as an array of 21 bytes with
each bit representing each hour within the week. If the time zone is GMT,
the left-most bit of this 21 bytes array represents Sunday 0:00. For other time
zones, the offset to GMT must be taken into account so that the left-most bit
will represent Sunday 0:00 GMT.
( #4536190 )
Workaround
Adjust the hours based on your own timezone so that the left-most bit represents
Sunday 0:00 GMT. For example, in US Pacific time zone, GMT-8, the top-left
corner square in the console.
Duplicate Email Values
In the Meta-Directory console, it is possible to inadvertently duplicate the
value of the email attribute. If you view an entry that is contained in
either a meta view or a connector view, then press the Advanced button to edit
the entry. The value of the E-Mail attribute will be duplicated when you close
the Edit Entry window. This only occurs when using Meta-Directory with Directory
Server version 5.0, or earlier.
( #4540642 )
Query/Fix-It Tool Fails to Find an Entry on the Second Attempt
It is possible that under certain circumstances, the Query/Fix-It tool will
fail to find an entry on the second attempt.
( #4535732 )
Workaround
If you notice this behavior, close the Query/Fix-It tool, restart it,
and perform the same operations.
Multiple Attributes Cannot be Passed to Event Scripts
In order to supply multiple attributes to an event script, you must specify a
space-separated list of these attributes in the console. However, Meta-Directory
expects each of these attributes to be stored as a separate attribute value pair
for the mdssupplyattributes attribute. Currently all these attributes are stored
as space-separated.
( #4621897631 )
Workaround
Remove the mdsupplyattributes from the entry in the configuration. All attributes
will be passed to the event script.
One Join Engine Instance Per Administration Domain
Currently, you can configure only a single join engine per administration
domain. This means that you can have only a single join engine for each
Meta-Directory setup.
( #4551631 )
Multi-Value "mail" Attribute Values Not Saved
If you are using Netscape Directory Server 4.1x, you will not be able to
enter multiple values into a "mail" attribute (actually, you can
enter multiple values, but only the first value is saved). This problem
is resolved with iPlanet Directory Server 5.0.
( #4561437 )
Configuration Data Server
The Meta-Directory configuration is hosted on an instance of Directory
Server. If the configuration Directory Server is unavailable, the
Meta-Directory console will not operate.
( #4536534 )
Automatic Console Refresh
Some committed actions (such as adding or deleting a participating connector
view, or adding or removing some rules or rule sets) do not automatically
trigger a Meta-Directory console refresh. You should always manually refresh the
console after performing a committed action.
( #4541622 )
LDAP Attribute Options
Directory Server allows attribute options such as ;binary and
;lang-en. Although Meta-Directory will flow attributes that
contain options, you cannot create join rules based on the names of
attribute with options.
( #4540791 )
"Out of Memory" Errors
It is a known problem that the Meta-Directory console can generate "Out of
Memory" errors if the console is left open for extended periods of time.
( #4538301 )
Workaround
It is advisable to shut down and reopen the Meta-Directory console once a day during the
time that you are synchronizing large amounts of data. This applies to Solaris systems
only.
Changing the Log File Directory
If you specify a log file directory from the Meta-Directory console, do not
end the directory specification with a slash ("/"); the join
engine will not write log files to this directory.
( #4550433 )
Invalid Log File Location on Remote Machines
When you create a new instance of a Meta-Directory component, you can specify
the location of its log directory. Currently, Meta-Directory cannot
validate log file directories that are located on remote machines. If you
enter an invalid log directory, Meta-Directory will be unable to create log files
for that component. A remote machine is any machine that is not the one hosting the
Meta-Directory console.
( #4561277 )
Workaround
Make sure the path you specify for the connector logs are
valid; both the drive and the directory structure of the specified path must
exist for logging to take place.
Connector View Name Size Limitation
Internally, Meta-Directory limits connector view names to five
characters. However, the current release of the Meta-Directory console
allows you to enter more than five characters when naming connector views.
Assigning view names with more than five characters will cause errors
when Meta-Directory writes to the log files. The input field for naming
connectors will be limited in future product releases.
( #4536820 )
Viewing Entries in a Connector or Meta View
Currently you will not be able to view entries in the meta view or a connector
view if the view contains more than 2,000 entries. In this case, you will need to
create a browsing index from the respective Directory Server instance.
( #4540743 )
Join Rule Names
Do not use trailing whitespace in your join rule names; the whitespace gets
truncated in conversion and you will not be able to test them using the
Join Rule Tester.
( #4536988 )
Flowing Attributes From the Meta View Outward
If you set up a system so that changes to all attributes are made only by
clients to the meta view, you must still enable the flow of attributes to
the meta view by checking Flow Attributes to Meta View. This checkbox is
not a switch to disallow modifications from connector views, instead the
flow of attributes is controlled by the join rules you write.
( #4539556 )
Multiple Directory Server Instances and Deleting Entries
You will not be able to delete an entry from a connector view from the Meta-Directory
console if the connector view is hosted by a different Directory Server instance
than the one that hosts the meta view. In this case, you must use the Directory Server
console to delete the entry from the connector view.
( #4536610 )
Log File Computations Incorrect for Large Values
It is a known problem that the log file size computations are incorrect
for values greater than 4 Gb due to a data type limitation. For
example, you might see something similar to the following:
[2001/03/30 15:25:31.44 -0800] 2357:387584 3 Log Free disk space
: 545.000000,
Min required : -193435.966797
There are three fields that are affected by this data type problem:
- Max. Log File Size
- Max. Reserved Free Space
- Max. Disk usage
( #4540858 )
Deployment Notes
Notes for Configurations With Multiple Directory Server Instances
If you use different Directory Server instances for you Meta-Directory configuration,
meta view, and connector views, Note the following:
- The Directory Server hosting the Meta-Directory configuration will be displayed
in the Meta-Directory console as a Data Server, although technically it does not host
user data.
- The Directory Server hosting the Meta-Directory configuration must have the
Retro Change Log enabled.
- A connector view or meta view cannot be split across multiple Directory Server
instances or multiple databases in a Directory Server.
( #N/A )
Meta-Directory Instance Creation: "Parent Not Found" Error
When creating an instance of a Meta-Directory component (such as a join
engine or connector), the view that is hosted by that component must be
placed under a directory suffix that contains a data node.
For example, suppose you create the new suffix
"o=MetaViews". If you then try to create an instance
of the join engine, and specify "ou=MV1, o=MetaViews",
the instance creation will fail. (The process fails because a search for
"o=MetaViews" returns no such object.)
( #4538640 )
Workaround
The workaround is to manually create the suffix "o=MetaViews".
Setting the All IDs Threshold
In the Meta-Directory Deployment Guide, it is recommended that
you adjust the All IDs Threshold from its default setting. For example, it's
recommended that you set the All IDs Threshold value to 250,001 if you are
synchronizing 250,000 entries.
However, configuring the All IDs Threshold before you bulk-load data into
a connector view can cause extremely slow load times. It might be faster to
first load the data, then adjust the All IDs Threshold value. However, note
that changing the All IDs Threshold will result in new indexes being built
for the DIT.
( #4536538 )
Windows NT Uninstallation Option: Clean Up Local Files
When uninstalling the Meta-Directory components on a Windows NT system, the
uninstallation UI will prompt for a username/password and it will ask if
you would like to clean up local files. Checking this option will cause the
installation to halt with the error message:
No value exists for the name <ConfigDirectoryLdapURL>
( #4536701 )
Join Engine Notes
Join Engine Coredump Failure
Typically, the join engine will perform a coredump if the connection is lost to
the Oracle server, or if you remove an Oracle connector view from the list of
participating views. Iftheh join engine fails to perform a coredump under such conditions,
the joinenginen will fail to respond to any new requests and modifications.
( #4650015 )
Workaround
When theconnectionn to the Oracle server is down, and you wish to remove the Oracle
Connector View from the list of participating views, shut down the join engine first,
then remove the Oracle connector view, and finally, restart the join engine.
Network or Directory Server Failures
Currently, if the network experiences a failure, or if you shut down and
restart the Directory Server, you must stop and restart the join engine.
Also, you must Disable and then Enable any views associated with the join
engine to ensure that the "Enable" of the view has been properly
registered with the join engine.
For example, if you restart the Directory Server instance that
hosts the Meta-Directory configuration (or any Directory Server instance
associated with a connector view), you must restart join engine and you
must re-enable any associated views. Note that the Directory Server instances
must be up and running before you restart the join engine.
( 4551334 )
"Unknown" Status in the Join Engine
It is sometimes possible for the join engine to show a status of "Unknown"
after you issue a refresh command. This is caused by the join engine being preoccupied
with processing entries before it can respond to the status request from the Meta-Directory
console.
( #4539049 )
Universal Text Connector Notes
Ignore Reported Error When Converting UTF8 to Native from ntuserlogonhours
The Universal Text Connector reports an error when entries are added to a connector
view without a value for ntuserlogonhours, and when Complete Attribute
Flow is set. Ignore this error, as the modifications to ntuserlogonhours are synchronized
successfully.
( #4654963 )
No Filter Check for Adding Back Entries
If entries are deleted from the non-owner side, the Universal Text Connector will add
back the entries. However, the add back logic does not go through a filter check if a
filter was usedoriginallyy to synch those entries.
( #4634294 )
Workaround
You can remove the entries from the owner side, wait for the next synch cycle to complete
so that the entries are deleted from both sides and then add them back.
Subtree Filter Behavior Note
If you are specifying a subtree filter for flow in only one direction, make sure
that for the opposite data flow, the default (AllSubtreesExcept) is selected
in the Meta-Directory console Configuration | Filters tab. This will ensure
that all entries will flow correctly.
If you select NoSubTreeExcept with no subtrees selected for the opposite data flow,
no entries will flow in that direction.
( #N/A )
For more information on Filters, see the Meta-Directory Configuration and
Administration Guide.
nsperlconn Crashes After Disk Space Runs Out
If no disk space is left on your drive, nsperlconn may crash.
( #4536041 )
Universal Text Connector (UTC) Synchronization Cycle Runs at a Minimum of 15 Seconds
When using the Advanced Schedule button in the Universal Connector configuration,
you can set the synchronization cycle to a minimum of 1 second, but the actual
synchronization operation will only perform at a minimum of every 15 seconds.
( #4536495 )
Universal Text Connector (UTC)-based Connectors Cannot be Started from the Windows NT Service Control Panel
The Universal Text Connector and any UTC-based connector (NT Domain Connector,
Active Directory Connector, Universal Text Parser) needs a specific file in
order to start from the NT service control panel. This file contains credentials
for binding to the configuration directory, and exposes these sensitive credentials
after its initial start. Because of this, the file is deleted after the contents
are read, so if the connector is stopped due to a manual shutdown or reboot,
the connector will not start from the NT service control panel.
( #4537747 )
Workaround
To start the connector after a shutdown or reboot, use the meta-admin command-line tool.
For more information on the meta-admin tool, see the Meta-Directory Configuration and
Administration Guide.
Universal Connector Status is Misrepresented in the Meta-Directory Console
Modifications made to entries in Universal-based connector views might not be
propagated to their associated external data sources for up to three
synchronization cycles. This problem may occur if synchronization cycles are
scheduled too closely together.
( #4540609 )
Problem with Connector Perl Script and next_record
A connector perl script's next_record function returns an entry which
contains a vrn field. The nsperlconn parser requires this
to be a string, so it does not allow the [B] base 64notationn to be used
in this field.
( #4622970 )
Workaround
Use \xx hexadecimal notation, as described in RFC 2253 to encode UTF-8
characters (that are not ASCII characters) when constructing the
vrn field to return from next_record.
EndOfFileMarker Not Working in Universal Text Parser (UTP)
In the Universal Text Parser, the EndOfFileMarker=^\.{3}\s*$ option is not recognized
for nvp and ldif type data. Entries following the EndOfFileMarker are read as one record.
( #4551299 )
Workaround
There must be a record separator following the end of the file marker.
Universal Text Parser JoinList Option Failure
The Universal Text Parser JoinList option does not work for multiple join characters. Only
the first join character will be used by the Universal Text Parser.
( #4628937 )
Entry Modification Delays
It is possible for the Meta-Directory console to misstate the UTC status as
down, when in fact the component is up and running. This condition is
normally caused by a timeout; the request by the Meta-Directory console
timed out before the UTC was able to respond. If such a condition occurs,
restart the Meta-Directory console.
( #4538321 )
Attribute Values Fail to Update
When synchronizing data between an external data source and a connector
view, the UTC does not propagate changes for a given attribute if the change
reduces the number of values contained in that attribute to zero. Even though,
changes to other attributes in the same modification operation will be
correctly synchronized by UTC.
For example, suppose you flow a group with three members from an
external data source to a connector view. Afterwards, a user modifies the
group entry in two ways: they remove all three values from the member
attribute and they change the group description. After processing the
change, the connector view will contain the new group description, but the
member attribute will remain unchanged (the group entry in the connector
view will still contain the original three values in the member attribute).
( 4538869 )
Workaround
In cases where this might be a problem, you can add a dummy value to the attributes
which might be removed through a modification operation. For example, a DN of
a nonexistent entry could be the dummy value of the uniqueMember
attribute.
Specifying Script Names for the Universal Text Parser
When creating a connector using the Universal Text Parser (UTP), you must specify
the name of the script that you will be using for the connector (normally, this is
template.pl). The Meta-Directory console does not validate either path or the script
name of the value you input. If an incorrect value is entered, the connector will not
function.
( #4538179 )
Universal Text Parser Options
The ValidateDataFile option in the task.cfg file is not
supported in the current release of the Universal Text Parser. If the
input data file is absent, the following error message will be logged:
Error opening input file <filename>
( #4536778 )
Stopping a Universal Text Connecter-based Connector
If you stop a connector, the process running the connector might take
a long time to terminate if the connector is busy processing entries. Only when all the
entries have been processed will the connector be stopped.
( #4538269 )
Database (Oracle) Connector Notes
Database (Oracle) Connector Reports "Error 0"
It is possible that when entries are being synchronized to the Oracle connector, the
join engine log may report an Error 0 error code. Error 0, however, is a normal
message, meaning that the entries are still synchronized to the Oracle connector
( #4629579 )
You Cannot Uninstrument an Oracle Data Server If a User Is Connected
If the join engine is running when you try to uninstrument your Oracle Data
Server, the SQL scripts will fail saying that it could not remove the user. This
means is that the change log user is already connected to the Oracle database and
is "active" or had a current login session to Oracle.
( #4563488 )
Workaround
Stop the join engine before removing the Oracle data server.
Removing an Oracle Data Server From a Meta-Directory Setup
If you plan to remove an Oracle data server from your Meta-Directory setup,
you should first disable the connector view and participating view that's
associated with the data server prior to removing the data server from the
setup. Once you remove the Oracle data server, you should shut down and
restart the Meta-Directory console.
( #4563488 )
Refreshing a Connector View With Many Modifications
If you are simultaneously refreshing two or more connector views with the
meta view and there are at least 30 percent simultaneous changes being made to
the data contained in the meta view, there is a possibility that the data
flowing to an Oracle connector view could get locked out. This behavior has
been observed with a load 150 Kb or more. Note that flows to other connector
views will continue unabated.
( #4551717 )
Workaround
If the Oracle connector view gets locked out, you should do the following:
- Refresh each connector view.
- Interweave simultaneous refresh operations so they occur a few minutes
apart from each other.
Active Directory Connector Notes
Search Tool Does Not Return Data in the ADSpecific Mode
When running a connector in the ADSpecific mode, the Search tool only returns the
users and groups with objectclass person,
organizationalunit, inetorgperson, etc.
The Search tool fails to return results for mdsADuser, msdADPerson, and so forth.
( #4539066 )
Active Directory Connector Failure in Top Level DN
The Active Directory Connector fails to add entries to the Active Directory
if there is a space in the top level DN value from which all Universal Text
Connector synchronization occurs.
There should be no spaces between the subcomponents of the DN. If spaces exist,
they would be removed and result in a different DN.
For example, ou=Active Directory, o=iplanet.com will become
ou=ActiveDirectory,o=iplanet.com.
( #4620213 )
Binary Data Fails to Synch in ADSpecific Mode
Existing entries in the Active Directory containing binary data but notpossessingg the
the binary attribute, or any new entry with binary data, will fail to synch from the connector
view to the Active Directory when the Active Directory Connector is running
in ADSpecific mode.
( #4640048 )
Domain Names for Active Directory Connectors
During the instance creation of an Active Directory connector, the
Meta-Directory console does not attempt to validate the domain name.
In addition, the console does not validate "Top Level Synch DN" names.
Even with the invalid names, the instance creation will complete, but the
instance will not be operational.
( #4538180 )
Workaround
Be sure to confirm the domain name and the Top Synch DN values before
creating instances of the Active Directory connector.
Deleting Group Members From the Connector View
If you flow a group of entries from Active Directory to its associated
connector view, and delete some of the group entries from the connector
view, the entries remain deleted in the view. Because Active Directory owns
the entries, they should be refreshed in the connector view during the
next synchronization cycle, but they are not.
( #5447576 )
Setting The Log Level
While configuring the Active Directory connector, be sure to set the log
level to a value of "0", "1", "2", or "3" in
the adc.ini file. Currently, there is no error checking here and
the connector accepts any character.
( #4538085 )
Windows NT Domain Connector Notes
Limitation of NT Domain Password Synch
The NT Domain Connector has no control of NT password policy. The current implementation
is to use the uid as the default password for all entries created through the connector view.
If the uid does not satisfy the password policy, the synchronization operation will fail.
( #4616105 )
NT SAM Limits NT User Names and Global Group Names to the Maximum of 20 Characters
The NT Domain Connector will still synch a global group with over 20 characters to NT SAM,
but the group is not editable from the User Manager.
( #4614890 )
Workaround
Delete the group from the iPlanet Console and use the NT Domain Connector to delete it from NT SAM.
Access Denied When Adding a User from a Trusted Primary Domain Controller
The Meta-Directory NT Domain Connector, which handles a particular domain, must be installed
on the Primary Domain Controller for that domain. It is not possible to synchronize
entries from another domain controller, as Windows NT will return the "Access Denied" error.
( #4626715 )
Domain Names for NT Domain Connectors
During the instance creation of an Active Directory connector, the
Meta-Directory console does not attempt to validate the domain name.
Even with the invalid name, the instance creation will complete, but the
instance will not be operational.
( #4538180 )
Workaround
Be sure to validate the domain name before you
create an instance of the NT Domain connector.
Need to Refresh Before Modifications Appear
When defining a new attribute flow rule using Windows NT Domain connector
(or other Universal Connector-based connectors), you will need to do a
refresh in Meta-Directory console in order to see the attribute rule name
appear from the drop-down box of the General tab.
( #4541602 )
Related Information
Useful iPlanet information can be found at the following Internet locations:
|