Part Number 817-5036-10
These release notes contain important information available at the time of the release of Sun[tm] ONE Directory Server (formerly iPlanet Directory Server) 5.1 Service Pack 3. New features and enhancements, known limitations, and other late breaking issues are addressed here. Read this document before you begin using iPlanet Directory Server 5.1 Service Pack 3.
An electronic version of these release notes can be found at the iPlanet documentation web site:
http://docs.sun.com/coll/S1_ipDirectoryServer_51
Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up to date release notes and manuals.
These release notes contain the following sections:
- Revision History
- What's New in iPlanet Directory Server 5.1
- Supported Platforms for iPlanet Directory Server 5.1 Service Pack 3
- Installation Procedures for iPlanet Directory Server 5.1 Service Pack 3
- Problems Corrected in iPlanet Directory Server 5.1 Service Pack 3
- Enhancements and Problems Corrected in iPlanet Directory Server 5.1
- Known Limitations
- Accessing Online Help and Online Documentation
- How to Report Problems
- For More Information
- Third Party License Acknowledgments
For information on hardware and software requirements, refer to the iPlanet Directory Server Installation Guide.
Revision History
Date
Description of Changes
June 28, 2004
May 05, 2004
December 2, 2003
- For ease of reference, additions and changes in these Release Notes (as compared to the Directory 5.1 Service Pack 2 Release Notes) appear in blue.
- Certain known limitations that appeared in the previous Release Notes have been removed because they have been fixed in Directory Server 5.1 Service Pack 3.
These include:
- In section Security: 4529541, 4527617, 4527608, 4527623 and 4530739
- In section Replication: 4665571
What's New in iPlanet Directory Server 5.1
iPlanet Directory Server 5.1 contains the following new features and enhancements:
- Updated and improved management console. The new Directory Server Console offers an improved dialog for configuring replication, and a new directory browser. In this release, the Directory tab has several layout options for navigating the directory tree: as before with leaf entries in the right-hand pane, as a single tree in a single pane, or with attributes for the selected entry displayed on the right. For details, refer to Chapter 1 of the iPlanet Directory Server Administrator's Guide.
- Performance improvements over Directory Server 5.0. This release of Directory Server offers increased performance over Directory Server 5.0 and 4.x.
- Support for IPv6. Directory Server 5.1 can accept incoming connections from IPv6 clients. Currently Directory Server cannot interpret IPv6 addresses in access control instructions, or use IPv6 connections for operations such as replication and chaining. The Administration Console cannot be used on networks supporting only IPv6.
- Improved scalability and performance of Roles and Class of Service. Roles and Class of Service, introduced in iPlanet Directory Server 5.0, have been enhanced in this release to increase scalability.
- Support for the plug-in API. If you need to create custom plug-in functions, you can also contact the iPlanet Professional Services organization at: http://www.sun.com/service/sunps/sunone/index.html
- Schema Documentation. A new document, iPlanet Directory Server Schema Reference, describes the schema provided with Directory Server 5.1. The document focuses on schema objects useful to support your directory information.
Due to architectural changes made in iPlanet Directory Server, some features that were previously available are no longer included. These are:
- NT Sync Service. You can no longer create Windows NT accounts through the directory console. When you right-click an entry under the Directory tab in the directory console and select New > User to display the Create New User dialog box, you still see the NTUser tab in the left-hand column. Since the Windows NT Sync Service is no longer available, using the fields of the NT User tab creates an entry in the directory only. No Windows NT account is created.
- Database Backend Plug-in Interface. The enhanced pre-operation interfaces may be used instead of the database backend plug-in interface to implement plug-ins that provide access to alternative directory data stores.
- Directory Server Gateway. The Directory Server Gateway is no longer delivered with iPlanet Directory Server 5.1. We recommend that you investigate the LDAP Tag Library, scheduled to be available as part of the iPlanet Directory Server Resource Kit 5.1, as a Directory Server Gateway replacement. For further information see:
http://wwws.sun.com/software/download/
Supported Platforms for iPlanet Directory Server 5.1 Service Pack 3
iPlanet Directory Server 5.1 Service Pack 3 is supported on the following platforms:
- Sun Solaris 9 for SPARC (32 and 64-bit)
- Sun Solaris 8 for UltraSPARC (32 and 64-bit)
- Sun Linux 5.0 for the Sun LX50 Server
- Microsoft Windows NT 4.0 Server, SP 6a (x86 only)
- Microsoft Windows 2000 Server and Advanced Server SP 4 (x86 only)
- Hewlett-Packard HP-UX 11.0/11i (PA-RISC 1.1 or 2.0)
- IBM AIX 4.3.3 (Power PC)
- Red Hat Linux 7.2 (IA-32)
This release of iPlanet Directory Server is not supported on Sun Solaris 2.6 or Sun Solaris 7. You must upgrade to Sun Solaris 8 before upgrading to or installing iPlanet Directory Server 5.1 Service Pack 3.
iPlanet Directory Server 5.1 Service Pack 3 requires specific operating system patches or service packs to be installed before Directory Server can be installed. Installation of iPlanet Directory Server 5.1 Service Pack 3 may fail if the recommended patches or service packs are not present.
On operating systems other than Windows, you must run the idsktune utility prior to installing iPlanet Directory Server 5.1 Service Pack 3. After you expand the product package, you will find the idsktune utility in the same directory as the setup program. Install the patches recommended by the idsktune utility. For further information, refer to the iPlanet Directory Server Installation Guide.
You may obtain Sun Solaris patches from:
- http://sunsolve.sun.com
Installation Procedures for iPlanet Directory Server 5.1 Service Pack 3
Note: If you run Administration Server as root, all commands initiated by the administration user will also be run as root. Therefore you must apply the same rules of confidentiality and security to the administration password as you would to the root password of your server.
- If you are performing a new installation, please refer to the iPlanet Directory Server Installation Guide.
- If you are upgrading from iPlanet Directory Server 5.1, 5.1 SP1, or 5.1 SP2:
Important: iPlanet Directory Server 5.1 is bundled with Solaris 9. If you are running the bundled version (if packages such as IPLTdscon, IPLTdsman, IPLTdsr, and IPLTdsu are installed,) do not install this Service Pack. Instead, install the appropriate patch for your system. The 5.1 Service Pack 3 Patch IDs for Solaris 9 are as follows:
- SPARC: 113859-03
- Intel: 114273-03
It is possible to install Service Pack 3 on top of an existing, unbundled Directory Server 5.1 installation by performing the following steps:
- Ensure that Administration Server is running.
- Ensure that Directory Server 5.1 is running.
- See the "Installation" section of the Known Limitations for instructions that apply to certain configurations. In particular, you must turn off the password history and disable the "check password history" features before installing Service Pack 3.
- Follow the "Typical Installation" procedures in Chapter 3, "Using Express and Typical Installation," of the iPlanet Directory Server Installation Guide.
NOTE: In step 10, be sure to use the full path to the location where you originally installed Directory Server 5.1.
- iPlanet Directory Server 5.1 Service Pack 3 can also be installed on top of a running, localized version of Directory Server 5.1. The objects delivered in Service Pack 3 (binaries, Java files, and so on) are not involved in the localization mechanism.
- On HP-UX 11.0/11i platforms, ensure that the number of file descriptors is less than or equal to 2048 before installing Directory Server 5.1 Service Pack 3. Refer to the "Installation" section of the "Known Limitations" for more information.
- If you are migrating from Netscape Directory Server 4.x (up to 4.16SP1) or iPlanet Directory Server 5.0, refer to Chapter 6, Migrating From Previous Versions in the iPlanet Directory Server Installation Guide. Also, see the relevant installation and migration paragraphs in the "Known Limitations" section of these Release Notes.
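The upgrade steps above are easy to get wrong on a host where the Solaris 9 bundled packages are present, or where the HP-UX descriptor limit has been raised. The script below is an added example and is not part of these release notes or of the product. It encodes the pre-install decisions: it looks for the IPLT* packages in pkginfo output, picks the SP3 patch ID for the architecture reported by uname -p (the values "sparc" and "i386" are assumed), reads showrev -p to see whether that patch revision is already applied, confirms that the Directory Server and Administration Server daemons are running (ns-slapd and ns-httpd are assumed daemon names), and checks the open-file limit on HP-UX. The output formats it parses and the sample lines used in the checks are assumptions about the Solaris tools, not something the release notes document.

```python
"""Pre-install decision checks for Directory Server 5.1 Service Pack 3 (added example)."""
import platform
import re
import subprocess
import sys

# Packages that identify the Solaris 9 bundled Directory Server 5.1 (named in the release notes).
BUNDLED_PKGS = {"IPLTdscon", "IPLTdsman", "IPLTdsr", "IPLTdsu"}
# SP3 patch IDs for the bundled version, keyed by 'uname -p' output (key names are assumed).
SP3_PATCH = {"sparc": "113859-03", "i386": "114273-03"}
HPUX_MAX_FDS = 2048
# Daemon names for Directory Server and Administration Server (assumed).
REQUIRED_DAEMONS = ("ns-slapd", "ns-httpd")


def parse_pkginfo(text):
    """Package instance names from 'pkginfo' output (assumed layout: category pkginst name)."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2:
            pkgs.add(parts[1])
    return pkgs


def parse_showrev(text):
    """Highest installed revision per patch base ID from 'showrev -p' output (assumed layout)."""
    revs = {}
    for match in re.finditer(r"^Patch:\s+(\d{6})-(\d{2})\b", text, re.MULTILINE):
        base, rev = match.group(1), int(match.group(2))
        revs[base] = max(rev, revs.get(base, -1))
    return revs


def sp3_action(os_name, arch, installed_pkgs, patch_revs):
    """Return (action, detail): apply-patch / already-patched for the bundled version, else install-sp3."""
    if os_name == "SunOS" and installed_pkgs & BUNDLED_PKGS:
        patch = SP3_PATCH.get(arch)
        if patch is None:
            return "unsupported", "bundled DS 5.1 on unknown architecture %r" % arch
        base, rev = patch.split("-")
        if patch_revs.get(base, -1) >= int(rev):
            return "already-patched", patch
        return "apply-patch", patch
    return "install-sp3", None


def fd_limit_ok(os_name, soft_limit):
    """HP-UX 11.0/11i: the file descriptor limit must not exceed 2048 before installing."""
    return soft_limit <= HPUX_MAX_FDS if os_name == "HP-UX" else True


def missing_daemons(ps_output):
    """Required daemons absent from 'ps -e -o comm' output (basename comparison)."""
    running = {line.strip().rsplit("/", 1)[-1] for line in ps_output.splitlines()}
    return [name for name in REQUIRED_DAEMONS if name not in running]


def _run(argv):
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def main():
    os_name = platform.system()
    arch = _run(["uname", "-p"]).strip()
    pkgs = parse_pkginfo(_run(["pkginfo"])) if os_name == "SunOS" else set()
    revs = parse_showrev(_run(["showrev", "-p"])) if os_name == "SunOS" else {}
    action, detail = sp3_action(os_name, arch, pkgs, revs)
    print("action:", action, detail or "")
    problems = ["%s is not running" % d for d in missing_daemons(_run(["ps", "-e", "-o", "comm"]))]
    try:
        import resource
        soft = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
        if not fd_limit_ok(os_name, soft):
            problems.append("file descriptor limit %d exceeds %d" % (soft, HPUX_MAX_FDS))
    except ImportError:  # no resource module on Windows
        pass
    for problem in problems:
        print("problem:", problem)
    return 1 if problems or action == "unsupported" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the target host before starting setup; an exit status of 1 means either the bundled version is installed on an architecture the table does not cover, a daemon is down, or the HP-UX descriptor limit is too high, each of which the release notes call out as a reason not to proceed.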
Problems Corrected in iPlanet Directory Server 5.1 Service Pack 3
iPlanet Directory Server 5.1 Service Pack 3 includes fixes to the following known problems that occurred in earlier releases of Directory Server:
- Replication
- The delete operation was not propagated to consumers in cascading replication. (4550044)
- On Windows platforms, an optimization test aborted replication processing. (4616579)
- nsTombstone entries were not purged. (4617521)
- Directory Server encountered many tombstone errors. (4633404)
- A replication supplier was disabled and could not restart when the RUV database was corrupt. (4533706)
- Replication became unsynchronized and stopped. (4617085)
- Changing case-sensitive attribute values failed in MMR. (4624693)
- A replication supplier crashed after deleting attributes. (4627443)
- Directory Server crashed or hung when replication was enabled. (4643122)
- Replication failed when migrating a consumer from Directory Server 5.0 and subsequent Service Packs. (4646392)
- Replication failed to restart from a supplier to a consumer. (4658810)
- Replication between 4.x and 5.1 servers stopped when updating operational attributes. (4665571)
- Directory Server crashed when certain replication agreement attributes were missing. (4672889)
- Turning system time backwards stopped replication. (4672960)
- A consumer chained database initialization requests when the distribution plug-in was enabled. (4684519)
- It was not possible to monitor the replication update vector in the replica object. (4691101)
- During data import the change log database could become corrupt and replication could fail. (4711201)
- Replication stalled for ten minutes and the server was inaccessible. (4711202)
- Referrals for modifying entries failed, due to the DN being trimmed at space characters. (4627760 and 4743633)
- Tombstone entries were not deleted if one master was never updated. (4639560)
- Accounts could not be unlocked on non-master 5.0 servers. (4527608)
- An invalid replication configuration caused the consumer to crash. (4742450)
- Disabling and re-enabling replication stopped replication on one master in a multi-master configuration. (4748399)
- In certain cases, a replication configuration in which a 5.1 consumer accepted updates from a legacy master, caused the server to crash. (4675387)
- Replication was unreliable with MODRDN operations from a 4.16 supplier. (4778334)
- The change log was not purged properly when a consumer was stopped before any changes were replicated. (4758387)
- Change log trimming did not take place in a multimaster environment. (4780230)
- Configuring nsslapd-changelogmaxage replaced the top object class of the cn=changelog5,cn=config entry with an indecipherable binary value. (4704039)
- During replication, modifications could be missing on a consumer. (4786475)
- Legacy replication failed when Password policy was enabled on 4.x servers. (4767182)
- The CSN value generating process has been improved to avoid a time skew. (4695152)
- Replication would not restart after restoring a database with the bak2db utility. (4689805)
- Replication broke when initialization occurred from both supplier servers. (4797685)
- A deadlock occurred on the ns-slapd server due to a cross-locking problem in the entry cache. (4786154)
- Issuing two total updates on a server at the same time caused the first server to be unable to complete the operation. (4773823)
- Replication could crash when modifying an entry with a missing attribute name. (4813998)
- Directory Server could produce nsuniqueid values that were not unique. (4818005)
- A modify-replace operation for a non-existent attribute caused the attribute to be present in searches. (4820037)
- A potential inconsistency between the replica update vector in the database and the change log has been fixed. (4836446)
- Directory Server could crash during the replication operation. (4863706)
- Password policy attributes were incorrectly handled in replication. (4930098)
- A consumer could crash if the syntax for an attribute was changed to "single value" and an entry with existing multi-valued data was changed. (4898449)
- In a multi-master replication configuration with one master serving as a backup server, when entries were modified and added on only one of the masters, replication consumed more and more time and CPU to propagate changes to the consumers. (4817676)
- After unconfiguring a master replica and reconfiguring it with another replica ID, errors regarding duplicate referrals occurred. (4863943)
- Several tombstone purging threads sometimes ran in parallel for the same replica. This generated error messages because the threads were attempting to delete the same entries, and wasted CPU and memory. (4920323)
- A deadlock in multi-master replication was possible during the conflict resolution process. (4925223)
- A spurious (harmless) error message about a zero-byte malloc was logged during some VLV searches when an entry contained an attribute with an empty value. (4942664)
- On Linux platforms, Directory Server could crash when a replication agreement thread called gethostbyname. (4826863)
- After an online initialization, the consumer performance counters were not returned. (4838624)
- Imported tombstone entries were not purged. (4856329)
- Replication sessions over SSL could time out within slapd_poll(823). (4850722)
- Replication sometimes stopped with a systematic "Replication Busy" message. This happened when the replication session was still running while the agreement was being deleted. (4863001)
- In a multi-master replication topology, a re-initialized master was unable to replicate any changes. (4881653)
- At start time, the RUV object was sometimes NULL, which caused the server to crash. (4911678)
- Replication was not replayed correctly when repeated ModifyRequest operations were made on an entry. (4846165)
- In a replicated environment a consumer could crash if the updates coming from the supplier contained a large amount of state information. (4904414)
- Console
- The replica ID was not displayed correctly on Windows platforms. (4589224)
- It was not possible to use special characters in the console administrator password. (4672914)
- User data could not be accessed in a remote directory server with SSL enabled. (4663658)
- Console modifications to the RDN caused exception violations when saved. (4668480)
- The Console did not display time correctly. (4615165)
- Bold Japanese characters were displayed as square boxes. (4645544)
- Removal of CA certificates failed. (4658787)
- The default install parameter for "Number of file descriptors" was out of range. (4592931)
- The Console could not display the user menu if there were more than 35 users. (4749234)
- It was not possible to set or clear the HUB radio button through the Console. (4538268)
- The Console failed to load the jss library on Linux platforms. (4704635)
- The iPlanet Administration Express tool was unable to display data if the installation path was too long. (4738639)
- Console startup failed on Windows 2000 if the installation path contained spaces. (4789601)
- The Console did not allow the addition of a member to a group which contained a double quote in the DN. (4683476)
- The Console performed a modrdn operation if no change was made in the Console Property Editor window and the OK button was pressed. (4669525)
- Directory Server hung when a backup task was issued from the Console. (4735919)
- The Indexes tab in Directory Server Console (Configuration Tab, data subtree, userRoot database, Indexes Tab) appeared as a blank screen. (4530509)
- The Console did not update modified/removed entry names. (4614559)
- Administration Express failed to display logs when a non default log directory was configured. (4911711)
- Directory Console on Windows rendered certain operations slowly. (4840960)
- The Console process grew when adding users. (4912539)
- Database
- Old data was sometimes written back into the current database. (4638816)
- The ns-slapd process crashed during import operations. (4623119)
- The maximum number of object locks was not set to the correct scaled value, which caused the error message "libdb: Lock table is out of available locks". (4651972)
- Issuing the command db2ldif.pl -s "suffix" could cause replication to stop and the server to hang due to a database lock that was never unlocked. (4802963)
- Within a multi-master replication configuration, the error "_cl5GetNextEntry: failed to get entry; db error - 12 Not enough space" could occur. (4652031)
- Database indexes were inappropriately set to ALLIDS. (4705641)
- Directory Server now supports large files (larger than 2GB). (4716745)
- A performance problem on HP-UX platforms has been fixed. (4911023)
- Directory Server sometimes crashed if an entry was deleted and immediately added again. (4885686)
- BVERSION and ancestorid.db3 files were left behind when a suffix was deleted. (4829894)
- Attribute subtypes were deleted from an index if they had the same value. (4912664)
- A number of issues in the database component (core dumps under stress, the store becoming unavailable under certain conditions, error messages) have been fixed. (4938445, 4921426, 4916248, 4751092, 4866060)
- Plug-ins
- In a replication configuration, when the retro changelog plug-in was enabled, change log trimming occurred every five minutes, regardless of the nsslapd-changelogmaxage value. (4652859 and 4809504)
- Only the first modification to the attribute being checked was taken into account by both the 7-bit check plug-in and the uid uniqueness plug-in. (4754469)
- The 7-bit checking plug-in did not check the correct attribute. (4786547)
- The distribution plug-in did not handle internal operations correctly. (4684519)
- The certificate mapping plug-in was not loaded on Linux platforms. (4778128)
- Directory Server could crash when adding a large number of entries that used the Roles Plug-In. (4865859)
- The ldapsearch -A operation against a chained database failed on results. (4865525)
- The Referential Integrity plug-in needed to be shut down before the backend was shut down. (4865653)
- Security
- The process of finding the password attribute has been changed. (4619976)
- Directory Server did not verify the SSL peer host name. (4615324)
- Password expiration was inconsistent. (4532757)
- A security problem concerning the retro changelog plug-in has been fixed. (4618824)
- The number of unsuccessful attempts was not reset after a successful bind. (4645887)
- An illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03. (4532320)
- The server failed to detect all the "empty string cases" for ACI definitions. This caused a core dump. (4719564)
- A security issue in 5.x Directory Administration Server (iWS 6.0SP1 and iWS 6.0SP2) has been fixed. (4707395)
- The ACI for 'Directory Administrators Group' has been fixed. (4713256)
- ACI evaluation was incorrectly performed for parent rules. (4753087)
- ACI evaluation was incorrectly applied to the recursive deletion of entries. (4795280)
- User passwords were still in clear text after running the ldif2db command utility with passwordStorageScheme set to SSHA. (4669879)
- The Directory Server instance hung when the SSL-bound application was suspended. (4786504)
- The delete operation based on an entry DN containing numerous commas crashed the server. (4735062)
- The Directory Server perl scripts exposed the user DN password. (4732352)
- The passwordHistory attribute did not work correctly. (4686213)
- A possible denial of service in Windows 2000 and Windows NT connection handling has been fixed (aborted connections could remain open). (4773920)
- Directory Server could crash in an ACI evaluation. (4809846)
- Under certain conditions, binding with certificate and simple authentication could cause Directory Server to hang. (4883250)
- The passwordRetryCount attribute failed to increment correctly in Directory Server 5.x. (4856290)
- It was possible to bypass password expiration. (4908443)
- Certain entries were incorrectly hidden or displayed if the ACL contained checks on attribute values or macro ACIs, and subtree or single-level searches were performed. (4913176 and 4918912)
- A vulnerability in SSL/TLS implementations of cipher suites that use block ciphers has been fixed. (4854898)
- ACI evaluation on database link servers failed to return only the DN attribute. (4913984)
- Local ACIs did not work correctly over a database link when specifying DNs. (4922595)
- Directory Server sometimes crashed when evaluating an ACL. (4830417)
- Directory Server hung when an ACL was modified and evaluated at the same time. (4840786)
- Directory Server now includes the fix for the security alert referenced in bug ID 4945089. (4957279)
- The ASN.1 decoder was vulnerable to denial of service attacks (CERT Advisory CA-2003-26). (4945089)
- A security issue in the Administration Express tool has been fixed. (4854827)
- An incorrect ACI syntax crashed Directory Server systematically. (4851870)
- Incorrect ACI syntax errors occurred after migration from Netscape Directory Server 4.x to Directory server 5.x. (4899320)
- Directory Server was vulnerable to a directory traversal ("..") attack because URLs were not sanitized. (4929089)
- A MODIFY INTERNAL operation on the passwordRetryCount attribute could be chained to other servers. (4897873)
- Recovery
- A Directory Server instance did not restart after a system crash. (4620546)
- Directory Server crashed when a client abandoned a persistent search operation. (4640273)
- Connection
- Connections were sometimes closed even though they had not been idle for the configured idletimeout. (4791877)
- Persistent search operations were not removed properly from the connection. (4671360)
- Connections for persistent searches were not cleaned up on Windows NT. (4886421)
- Various issues (memory leaks, crashes, error messages displayed) occurred when initiating or abandoning persistent searches. (4824825 and 4834508)
- On Windows NT, Directory Server could crash while removing an operation (pointing to a NULL value) from the connection. (4953750)
- LDAP access
- Directory searches failed on replicas with a scope of "one". (4614741)
- Directory Server crashed (SIGBUS) during a search. (4639232)
- The "bind timeout" was ignored for an unresponsive host. (4639408)
- Directory Server responded incorrectly to an unbind request. (4623308)
- The ldapmodify command incorrectly interpreted base64-encoded values. (4665564)
- Directory Server crashed when binding to an entry that was being created. (4674387)
- Searches displayed incorrect results for a specific order of search filters containing not operators. (4715955)
- A range search for an empty range such as (&(uid>=7)(uid<=9)) crashed the server. (4708296)
- Issuing an ldapdelete command with a very large DN could cause Directory Server to crash. (4735062)
- Substring searches did not work correctly on integer syntax attributes. (4717121)
- Directory Server accepted multiple additions of identical attribute-value pairs. (4722987)
- A "numsubordinates assertion failure" error occurred when adding a child entry to a parent entry on one master while simultaneously deleting the same parent entry from another master. (4709128)
- Directory Server crashed when filters were nested too deeply. (4621920)
- Directory Server could crash when performing an internal modification while attributes were being deleted. (4759670)
- Directory Server could crash when binding with an entry that had two or more virtual attribute values. (4787220)
- It was possible to create an entry with duplicate object class values. (4761010)
- Leading and trailing white spaces were ignored in substring searches. (4537169)
- Adding a value, then deleting another value in the same modify operation was badly handled by replication. (4780807)
- An ldapmodify operation on consumers with the managedsait control returned an "unwilling to perform" error instead of a referral. (4857614)
- Search results were logged twice if there was no backend for the search base. (4943975)
- Search operations were performed even if a custom pre_search plug-in returned a non-zero status. (4838863)
- A search on cn=config returned the directory manager DN (nsslapd-rootdn) in lowercase instead of preserving the original case. (4880352)
- The triviality check was skipped when more than one attribute was modified. (4867299)
- Directory Server could crash when performing triviality check with empty attribute value in a modification operation. (4948365)
- Directory Server would sometimes crash when importing large entries. (4935077)
- Directory Server did not manage spaces in substring search filters correctly. (4537169)
- Directory Server could crash on intensive use of persistent searches and abandon operations. (4826265)
- Directory Server could crash if nationalization matching rule searches occurred in parallel. (4865435)
- Special characters (such as "(") were not allowed in the userPassword attribute of the admin entry. (4819399)
- DN normalization with double backslashes has been improved. (4848325)
- Directory Server sometimes crashed when importing a corrupted LDIF file. (4903397)
- Performance
- Enabling the retro changelog plug-in caused performance issues. (4639310)
- A looping thread increased CPU consumption. (4629441)
- A memory leak in the CoS plug-in has been fixed. (4630124)
- A memory leak in schema searches has been fixed. (4682961)
- The fix for bug ID 4705601 introduced a performance regression: ldif2db hung during data import. (4738221)
- An ldif import crashed if entries contained a large number (more than 128) of attributes. (4723630)
- ldif2db crashed when importing an LDIF file that contained entries with several values for an attribute, and these values were not contiguous. (4737978)
- If the server was in a tombstone purging loop it did not react to the stop signal until the loop had completed, so the server could take a long time to stop. (4646350)
- A memory leak existed in replication synchronization of two replicas. (4756215)
- A memory leak existed in password modification. (4773751)
- A memory leak existed in persistent search. (4777358)
- A memory leak existed in the ldapcompare operation. (4765575)
- Directory Server appeared to hang when an unindexed attribute was present in the referential integrity plug-in configuration and the plug-in was enabled during an update operation. This bug is fixed for all new instances using the nsroledn attribute. (4754595)
- Directory Server sometimes crashed during the import of a database. (4742083)
- A memory leak in the connection handling on Windows NT has been fixed. (4649319)
- A memory leak in replication has been fixed. (4805734)
- A modify/replace operation with more than five values generated duplicate values and a memory leak. (4807803)
- A modify/replace operation with more than five values corrupted the present/deleted values and generated a memory leak. (4813355)
- A memory leak in the start replication operation has been fixed. (4821198)
- A performance problem existed when adding an entry with an asterisk ("*") in the DN, because of the substring search for tombstones. (4891116)
- A memory leak on consumers in a single master replication configuration has been fixed. (4805734)
- After a certain time, database performance dropped due to database cache trickling. (4850717)
- Searches on suffix that contained a subsuffix triggered a memory leak. (4881181)
- A memory leak doing a series of adds and then deletes has been fixed. (4945548)
- Conformance
- The default schema contained extra definitions not in RFC2307. (4629102)
- A DN that contained several escaped characters was incorrectly normalized. (4535845)
- A DN with white spaces did not conform to RFC2252. (4687038)
- Subtype attributes were not stored in the directory, as RFC2256 mandates. (4622371)
- There were issues when both LDAPv2 and LDAPv3 applications were using certificate related attributes. (4819710)
- SNMP
- SNMP could crash on the HP-UX platform. (4743796)
- Logs
- Directory Server did not rotate the log files correctly. (4628444)
- The detection of a large BER encoded operation was logged in the error log file if the replication log level was activated. (4778154)
- Replication error messages were logged on the supplier if the passwordRetryCount attribute was updated. (4784168)
- Aborting a backup (db2bak) prevented the removal of the transaction logs. (4815733)
- Access log rotation did not occur on restarting slapd. (4846332)
- The audit log files were not being rotated as configured. (4826843)
- The attribute nsslapd-accesslog-logminfreediskspace did not work as expected. (4928129)
- Miscellaneous
- The most recent version of idsktune was not shipped in Directory Server 5.1. (4623199)
- Multiple attribute uniqueness plug-ins forced uniqueness between each other. (4649615)
- Time stamps in log files were stored incorrectly when Directory Server shut down. (4656846)
- htmladmin.exe crashed when a secured Administration Server was stopped. (4529402)
- iPlanet Directory Access Router 5.0 was not able to share the same Administration Server <ServerRoot> as iPlanet Directory Server 5.1. (4692956) (This issue has been fixed on Solaris platforms only.)
- The db2ldif -r command created cache files as root and did not clean them up properly. (4656657 and 4653016)
- The ns-slapd dbtest tool was not working. (4781823)
- Running the ldapsearch command with the sort option did not return the expected results. (4776001)
- A 2-pass ldif2db operation did not merge the indexes correctly. (4783910)
- VLV searches sometimes produced "Server reported sorting error". (4715065)
- Directory Server sometimes crashed while restoring the database. (4714196)
- The restore operation failed after server creation, until the server was restarted. (4714358)
- Running db2ldif -r with the -s or -n options could cause ns-slapd to crash. (4856331)
- ns-accountstatus.pl failed if the suffix included a white space. (4932782)
- Invalid warnings were displayed regarding index fragmentation. (4821289)
- db2ldif miscounted the number of processed entries. (4842620)
- If the retro changelog plug-in was activated before a backup, the restore operation did not work. (4864622)
- ldif2db could crash if the DN component contained escaped trailing spaces. (4836491)
- bak2db failed if the target database directories were missing. (4894995)
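The Security list above records bug 4669879, where ldif2db left userPassword values in clear even though passwordStorageScheme was set to SSHA. A db2ldif export is the quickest place to check what the server actually stored. The script below is an added example and is not part of these release notes or of Directory Server: it parses an LDIF export (unfolding continuation lines and decoding base64 values), reports the storage scheme of every userPassword value, flags values with no scheme prefix as cleartext, and verifies a {SSHA} value against a candidate password. The SSHA layout used, base64 of SHA-1(password + salt) followed by the salt, is the Netscape/Sun scheme; treating {CLEAR} as cleartext, the sample LDIF, the entry names and the ssha_hash/ssha_verify helpers are this example's own assumptions.

```python
"""Audit userPassword storage schemes in an LDIF export (added example)."""
import base64
import hashlib
import hmac

# Prefixes written for hashed passwords; {CLEAR} is treated as cleartext (assumption).
# A value with no prefix at all is what bug 4669879 produced.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}")


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) entries.

    Handles RFC 2849 line folding (continuation lines start with a space) and
    base64 values ("attr:: ..."), which exports use for values with leading
    spaces or non-ASCII bytes.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:            # sentinel flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def classify_password(value):
    """Name the storage scheme of a stored userPassword value, or CLEARTEXT."""
    upper = value.upper()
    for scheme in HASHED_SCHEMES:
        if upper.startswith(scheme):
            return scheme.strip("{}")
    if upper.startswith("{CLEAR}") or not upper.startswith("{"):
        return "CLEARTEXT"
    return "UNKNOWN"


def ssha_hash(password, salt):
    """Netscape/Sun SSHA: base64(SHA-1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (any salt length)."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]   # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def audit(ldif_text):
    """Map each DN that carries userPassword to its storage scheme."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get("userpassword", []):
            report[dn] = classify_password(value)
    return report


def cleartext_entries(ldif_text):
    """DNs whose stored password is recoverable as plain text."""
    return sorted(dn for dn, scheme in audit(ldif_text).items() if scheme == "CLEARTEXT")


# Constructed sample export: a folded attribute, one SSHA hash, one bare cleartext
# value, and one base64-encoded cleartext value (leading space forces base64).
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "",
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "description: pass",
    " word audit",
    "userPassword: " + ssha_hash("secret", b"\x01\x02\x03\x04"),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword: secret",
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword:: " + base64.b64encode(b" open sesame").decode("ascii"),
    "",
])

if __name__ == "__main__":
    for dn, scheme in sorted(audit(SAMPLE_LDIF).items()):
        print(scheme.ljust(10), dn)
```

Feed it the output of db2ldif after an import; any DN reported as CLEARTEXT should be re-imported after the fix, or have its password reset, since the value is readable by anyone who can read the attribute or the export file.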
Enhancements and Problems Corrected in iPlanet Directory Server 5.1
iPlanet Directory Server 5.1 includes enhancements and fixes to the following known problems that occurred in earlier releases of iPlanet Directory Server:
- A previous release of iPlanet Directory Server included a security vulnerability in iPlanet Web Server 4.1. (535057) iPlanet Directory Server 5.1 uses iPlanet Web Server 6, in which this vulnerability has been fixed.
- Server restart is no longer required after a change to the components allowed to chain. (528617)
- In a previous version of iPlanet Directory Server, the console supported smart referrals only when the DN in the referral matched the DN of the entry containing the referral. (490281) Updated functionality in the console has removed this limitation and enhanced smart referral support.
- In a previous release of iPlanet Directory Server, after changing the Directory Manager credentials, you were required to exit Directory Server Console and restart it for the change to be taken into account. (538549) This limitation has been removed.
- The behavior of multiple qualifiers with cosAttribute in a CoS definition is no longer undefined.
- In a previous release of iPlanet Directory Server, you were required to authorize client IP access to the Administration Server from the machine running Directory Server Console. This limitation has been removed.
- When a delete operation is performed, the audit log now displays the DN identity of the operator. The additional information appears in the audit log as modifiersName: DN, where DN is the identity used to perform the delete operation.
- The newrdn and newsuperior operations are now recorded in the access log and any errors are described in the error log. (547272)
- Schema is now replicated during a total update operation. (541599)
If you modify your schema on a server and then create a new replica, the initialization of this replica automatically updates the schema on the consumer server. Previously, the schema was not replicated when the replica was initialized, but instead with the first incremental update of the replica.
- In previous releases of Directory Server, changes to the nsslapd-dbcachesize attribute value under cn=config were not always correctly taken into account. (539845, 539847) This condition is corrected in iPlanet Directory Server 5.1. The server writes an error message into the error log if the new value you provide is not within the permitted boundaries.
- In previous releases of Directory Server, deleting a role did not update the nsRoleDN attribute for each role member (533695). In iPlanet Directory Server 5.1, the referential integrity plug-in is configured to manage the nsRoleDN attribute. However, you must enable the referential integrity plug-in. By default, this plug-in is disabled. Also, add an equality index on nsRoleDN. Refer to the iPlanet Directory Server Administrator's Guide for details on creating indexes.
Known Limitations
This section lists known limitations in iPlanet Directory Server 5.1 Service Pack 3 and their workarounds. The areas with known limitations are as follows:
- Installation
- Uninstallation
- Migration
- Windows NT / Windows 2000
- Security
- Schema
- Chaining
- Replication
- Directory Server Console
- Core Server
- Server Plug-ins
- Roles and Class of Service
- Indexing
- Tuning
- Conformance
- Compatibility
- Miscellaneous
Installation
Caution We strongly recommend that no other iPlanet product (such as iPlanet Web Server) be installed into the same UNIX directory path as the iPlanet Directory Server product, as this may disable critical functionality required for the correct operation of Directory Server.
In addition, on a Windows NT or Windows 2000 machine, Directory Server should be installed independently of any other iPlanet product to avoid conflicts with DLLs.
- Before upgrading from Directory Server 5.1 or 5.1 SP1, you must set your password policy to not check password syntax nor password history (4830364). Follow the procedures in the Administrator's Guide to turn off these two features.
- On performing an upgrade from Directory Server 5.1 to Directory Server 5.1 Service Pack 3 on UNIX, the administration port identifier will be changed. If restoration of the old administration port identifier value is required, the command admconfig can be used.
The port identifier can be found in:
% <ServerRoot>/admin-serv/config/adm.conf
The following example changes the port number to 63333 and restarts the Administration Server (note that the verbose level will be set to 5):
% <ServerRoot>/bin/admin/admconfig -server orange.iplanet.com:67891 -user chlee:password -verbose 5 -setPort 63333 -restart
- On performing an upgrade from Directory Server 5.1 (RTM version, 5.1 Service Pack 1, 5.1 SP1 HOTFIX2, 5.1 Service Pack 2, 5.1 SP2 HOTFIX3) to Directory Server 5.1 Service Pack 3, the following warning message will be logged: add value to attribute type aci in entry o=NetscapeRoot failed: duplicate value
This is a normal message since the aci value for entry o=NetscapeRoot is already set.
- iPlanet Directory Server cannot be installed properly through Microsoft Terminal Services.
- On Windows 2000, setup -f does not work without the -s option (4524708). If you perform installation using a configuration file on Windows 2000, it must be silent. For example:
setup -s -f filename
- On HP-UX platforms only, before installing iPlanet Directory Server 5.1 Service Pack 3 as a fresh installation or upgrading from a 5.1 version, you must verify that the number of file descriptors is less than or equal to 2048. If you do not, installation fails with the error:
[slapd-(hostname)]: starting up server ...
[slapd-(hostname)]: - iPlanet-Directory/5.1 Service Pack 3 20030103 B2002.161.2250 starting up
[slapd-(hostname)]: - slapd started. Listening on all interfaces port 29000 for LDAP requests
Your new directory server has been started.
error: can't bind to server:Unable to bind to server. (Can't contact LDAP server (81) returned from
ldap_simple_bind_s(cn=Directory Manager))
system_errno:9
ERROR. Failure installing iPlanet Directory Server. Do you want to continue [n]?
This problem is described in bug ID 4756839.
To prevent this failure during a Service Pack 3 installation, run the command ulimit -n and, if the reported value is not less than or equal to 2048, run the command ulimit -n 2048 before starting the installation.
- For Solaris (SPARC on Intel) package installations, if Directory Server 5.2 packages are detected when the patch containing Service Pack 3 is applied (patch 113859-03 or patch 114273-03) a WARNING message is displayed. However, the installation of Service Pack 3 will continue unless you actively stop the installation. (4884416)
- On Windows systems, after upgrading a Japanese localized Directory Server version 5.1 to Service Pack 3, you must modify the start script "iPlanet Console 5.1" to start the Console in Japanese. The script is located in:
C:\Documents and Settings\All Users\Start Menu\Programs\iPlanet Server Products
Select the shortcut TAB and add -l ja to the startconsole.exe script line. Click the Apply button to save your change.
- Due to bug ID 4917107 (the Administration Server in the Japanese localized bundled Directory Server is broken after applying patch 113859-02), you must upgrade the SUNWj3rt package before applying patch 113859-x.
- On Solaris platforms, when a directory instance is created the number of file descriptors is set to a hard limit (rlim_max). This can be checked by entering the command ulimit -a -H. On Solaris 9, the default hard limit is 65536, and on Solaris 8 it is 1024.
- On Windows systems, the domain name for your host machine must be correctly configured prior to installing Directory Server 5.1 Service Pack 3. To configure the domain name for your host:
(On Windows NT)
- Open the Control Panel and run the Network utility.
- Select the Protocols tab.
- Select TCP/IP Protocol from the list.
- Open the Properties dialog box.
- Complete the fields under the DNS tab.
(On Windows 2000)
- Right-click on My Computer and select Properties.
- On the Network Identification tab, select Properties.
- Click More and complete the Primary DNS suffix of this computer field.
- If you are running Directory Server 5.1 Service Pack 3 on a 64-bit Sun Solaris 8 UltraSPARC machine, it will run as a 32-bit application.
- Do not install Directory Server 5.1 Service Pack 3 on top of an existing 4.x or 5.0 Directory Server installation. If Directory Server 4.x or 5.0 is already installed, install Directory Server 5.1 Service Pack 3 in a separate directory. After migrating your 4.x or 5.0 directory data to your 5.1 Service Pack 3 directory and testing the results, remove your 4.x or 5.0 Directory Server.
- On Windows systems, always use the latest version of DLL files. Do not overwrite the more recent DLL files with those delivered with iPlanet Directory Server 5.1 Service Pack 3.
- Use UTF-8 character set encoding when entering Distinguished Names during installation. Other encodings such as ISO-8859-1 are not supported. Installation operations do not convert data from local character set encoding to UTF-8 character set encoding. LDIF files used to import data must also use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding.
- Be aware of the DNS naming resolution issue on systems using NIS. (4526504) During installation, setup detects a default host and domain name. If your NIS domain is different from your DNS domain, the fully qualified host and domain name presented by the installer is incorrect. These values must be corrected to use the DNS domain name.
- (4527593) AIX fixes have moved from:
http://server.software.ibm.com/cgi-bin/support/rs6000.support/downloads
- On AIX, you must install the X11.adt package in order for the Console to function. This package is not part of the standard bundle.
Uninstallation
- You will not receive a warning before proceeding with uninstallation of iPlanet Directory Server 5.1 Service Pack 3 containing your configuration information under the o=NetscapeRoot suffix. This is the first Directory Server you installed. We strongly recommend that it be the last one you uninstall.
- On Windows 2000, after uninstallation of directory components installed with silent installation (setup -s -f filename), reinstallation always places directory components in the original install folder. (4526014) You can avoid this problem by removing all *.inf files in the \Documents and Settings\Administrator\Local Settings\Temp folder on the system disk drive after uninstallation.
Migration
- The Directory Server 4.x and 5.0 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize, auditlog-maxlogdiskspace, auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize must be migrated manually. (4529536) Update these values for the Logs entries in the Directory Server Console under the Configuration tab. In each case, *log-maxlogsize values must remain smaller than *log-maxlogdiskspace values for the attributes to remain coherent. For further information, refer to the instructions on monitoring server and database activity in the iPlanet Directory Server Administrator's Guide.
- The migration procedure may attempt to restart the server while it is already running. (4529552) Ignore error messages concerning attempts to restart the server by migrateInstance5.
- On systems other than Windows, migration from iPlanet Directory Server 5.0 to 5.1 Service Pack 3 may fail if the PATH environment variable does not contain "." (the current directory). (4529657) If necessary, update your PATH appropriately. For example:
(ksh) $ export PATH=$PATH:.
(csh) % setenv PATH ${PATH}:.
Windows NT / Windows 2000
- Avoid using stdin and stdout on Windows NT with the ldapmodify command-line utility, particularly with non-ASCII data. We strongly recommend that you always use the -f option to specify the file containing the LDIF update statements (-f new_file) as this prevents the statements being read from stdin.
- On Windows NT 4.0, the maximum address space an application can use is 2 GB. As iPlanet Directory Server 5.1 Service Pack 3 cannot use more than 2 GB of virtual memory, the sum of all caches configured for the server must be strictly less than 2 GB. If the size of the entry caches and of the database cache exceeds this limit, Directory Server will exit with an error message. For more information on cache limits on Windows NT, and on Windows 2000, refer to the iPlanet Directory Server Installation Guide.
- On Windows 2000, the default font used by the console does not allow you to input Japanese characters. To avoid this issue, change the font. You can change the console font by selecting Preferences from the Edit menu in the Directory Console, and then changing the font through the interface under the Fonts tab.
- On Windows systems, when managing the Directory Server SNMP subagent, all operations (start/stop/restart) return a failure (such as "An error occurred when..."). The requested operation actually succeeds but the result returned to the Console is incorrect.
- On Windows NT / Windows 2000, stopping then starting Administration Server from Directory Server 5.1 Service Pack 3 will log an event stated as an error in the Application log (Settings > Control Panel > Administrative Tools > Event Viewer). The description of the event is the following:
The description for Event ID ( 0 ) in Source ( admin51-serv ) cannot
be found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. The following information is part of the event:
startup: server started successfully.
This is a warning message, since the Administration Server is correctly started. (4794690)
Security
- Deployments that use SSL for connection confidentiality across open networks that are subject to possible active attacks against the SSL connection should not use server certificates issued by one of the public Certification Authority (CA) organizations. (4615324)
- To receive a warning message every time before a password expires, the attribute passwordExpireWithoutWarning must be set to "off". (4532757)
- The correct procedure to change the administrator password in iPlanet Directory Server 5.x (4708944) is as follows:
- Log in to the Console as "cn=Directory Manager".
- Under the Users & Groups tab, change the admin user password in LDAP.
- Open the Administration Server Console.
- Select Configuration, Access.
- Change the admin password. (This password is stored in the admpw file.)
- Return to the Users & Groups tab.
- Click the Directory button.
- Change the User Directory Subtree to "o=NetscapeRoot".
- Search for "admin" (this is the Configuration Administrator).
- Change the password.
- To ensure that an attacker with a certificate issued by a public CA cannot use that certificate to impersonate a Directory Server, the certificate databases of LDAP clients and of directory servers establishing outgoing SSL connections for replication or chaining must contain only the certificate of the non-public CA that issued the certificates to the servers which will be contacted. All other certificates from public CAs must be removed from the LDAP client or directory server's certificate database.
Deployments that are not subject to active attacks or deployments that use additional security mechanisms (such as a VPN when connections traverse the Internet) are not required to use a non-public Certification Authority to obtain a server certificate.
- As the server does not enforce read-only permissions on SSL-enabled servers for certificate database files, key database files and PIN files, check that the file permissions on UNIX and ACLs on Windows protect the sensitive information contained in these files.
- If you have enabled certificate-based authentication in Directory Server, do not map your certificate to a distinguished name under cn=config or cn=monitor. (4529535) If you do so, bind attempts fail. Instead, map your certificate to an entry located elsewhere in the directory information tree.
- On Windows NT and Windows 2000, a user on the console can shut down Directory Server. Care should be taken to restrict console access to computers running Directory Server.
- To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but omit the targetattr keyword. (4529533) The following example ACI prevents the cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=sun.com:
aci:(target="ldap:///cn=*,ou=people,o=sun.com")
(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
deny(write)
groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)
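As an added example (not from the release notes), a small Python check that parses an ACI value in the form shown above and reports whether it can actually deny MODRDN: a deny(write) that also carries targetattr only restricts attribute writes, so the check flags it. The second sample ACI is constructed to show that failure case.

```python
import re

# Constructed sample ACIs (not from the release notes). ACI_OK follows the rule
# above (deny(write), no targetattr); ACI_BAD adds targetattr and therefore
# cannot block a rename of the targeted entries.
ACI_OK = ('(target="ldap:///cn=*,ou=people,o=sun.com")'
          '(version 3.0; acl "Deny modrdn rights to the helpDeskGroup"; '
          'deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)')
ACI_BAD = ('(target="ldap:///cn=*,ou=people,o=sun.com")(targetattr="cn")'
           '(version 3.0; acl "Deny modrdn rights to the helpDeskGroup"; '
           'deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)')

# Target keywords: (target="..."), (targetattr="..."), (targetfilter="...")
_TARGET_RE = re.compile(r'\((target|targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\)')
# Body: (version 3.0; acl "name"; <permission rules>)
_BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One permission rule: allow|deny (rights) <bind rule>;
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)


def parse_aci(aci):
    """Split an ACI value into its target keywords, ACL name and permission rules."""
    targets = {m.group(1): (m.group(2), m.group(3))
               for m in _TARGET_RE.finditer(aci)}
    body = _BODY_RE.search(aci)
    if body is None:
        raise ValueError("not a version 3.0 ACI")
    rules = []
    for kind, rights, bind_rule in _RULE_RE.findall(body.group(2)):
        rights_set = {r.strip().lower() for r in rights.split(",") if r.strip()}
        rules.append((kind, rights_set, bind_rule.strip()))
    return {"targets": targets, "name": body.group(1), "rules": rules}


def denies_modrdn(aci):
    """True only if the ACI denies write and does not narrow itself with targetattr.

    Per the note above, an ACI meant to deny MODRDN must target entries and
    omit targetattr; with targetattr present the deny no longer covers renames.
    """
    parsed = parse_aci(aci)
    has_deny_write = any(kind == "deny" and ("write" in rights or "all" in rights)
                         for kind, rights, _ in parsed["rules"])
    return has_deny_write and "targetattr" not in parsed["targets"]


def lint_acis(acis):
    """Return the ACL names of ACIs that deny write but are defeated by targetattr."""
    return [parse_aci(a)["name"] for a in acis
            if any(k == "deny" and "write" in r for k, r, _ in parse_aci(a)["rules"])
            and not denies_modrdn(a)]
```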
- Macro ACIs do not work if the subject is one of the constant types such as all or anyone. (4529529)
Schema
- The schema provided with iPlanet Directory Server 5.1 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.
- The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.
- If you add more than 1,000 attributes to a single object class, the server displays configuration errors and fails to start.
- Note that the aci attribute is now an operational attribute. It is not returned in a search unless you explicitly request it.
Chaining
- If chaining is configured between a 5.1 multiplexor and a 4.x farm server, add the nsuniqueid attribute to the 4.x farm server schema. If the nsuniqueid attribute is not added to the 4.x Directory Server schema, the 5.1 multiplexor does not find the entry it expects, so chaining fails. To add the attribute type to the 4.x schema, add the following line to the 4.x farm server slapd-user_at.conf file under /usr/netscape/server4/slapd-serverID/config:
attribute nsuniqueid nsuniqueid 2.16.840.1.113730.3.1.542 int single operational
- No explicit error message is sent to the user when an attempt to bind to a farm server during chaining fails because the password policy has expired. (4529539)
- If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. (4529537) Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining succeeds.
Replication
- If you change the port number on a supplier server, the changelog database is cleared and replication will halt. In this case all consumers, hubs and suppliers must be reinitialized before replication can continue.
- In the iPlanet Directory Server Administrator's Guide the section "Configuring Directory Server 5.1 as a Consumer of a Legacy Directory Server" incorrectly states that you do not need to specify a Supplier DN when configuring the consumer settings (step 7.) This is incorrect. When you configure the consumer settings, you must specify the Supplier DN that the legacy supplier server will use to bind. If you do not, you will not be able to save the consumer configuration.
- Multi-master replication (MMR) is supported in a single data-center deployment. Master Directory Servers must be connected via a high-speed, low-latency network (with minimum connection speeds of 100Mb/second) to achieve full MMR support. MMR is not supported on a network where the bandwidth between Master Directory Servers is less than 1Mb/second and the latency is greater than 10ms, or on a network that might experience significant packet loss; these are the throughput and conditions that you might experience over a wide area network.
MMR support for wide area network (WAN) deployments is available in Directory Server version 5.2.
- When configuring a multi-master replication deployment, the referential integrity plug-in must be enabled with the same configuration on all masters. The Deployment and Administration Guides incorrectly state that only one of the masters requires this plug-in.
- Replication configured over SSL with certificate-based authentication will not work if the supplier's certificate is self-signed or if the supplier's certificate is only capable of behaving as an SSL server certificate, that is, unable to play the role of the client during an SSL handshake.
- To change a replica role, you must disable replication, change the replica role, and then reenable replication. (4527621)
- Local schema modifications may be overwritten when a consumer database is created. (4529530)
- Monitoring the replication update vector (RUV) for a replica object was adversely affected by a timing issue. It is now possible to monitor the RUV directly from the replica by doing the following search:
ldapsearch -h <hostname> -p <port number> -D <directory manager> -w <password> -b "cn=config" "objectclass=nsds5Replica" nsds50ruv
Directory Server Console
- Trailing spaces are not preserved during a remote console import operation. Trailing spaces are preserved during both local console and ldif2db import operations. (4529532)
- Creating a Directory Server instance using the console creates a server in a different time zone on HP-UX and IBM AIX. (4529531) To synchronize the instance for replication, restart the server using the restart-slapd command-line script. For more information concerning restart-slapd, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
- Users without read access to configuration information cannot see the directory suffix in the directory browser of the console. (4525360) To allow such users read access, add it through an ACI. Refer to the iPlanet Directory Server Administrator's Guide for instructions.
- On Linux, an SNMP subagent cannot be started using the console (4738032). As a workaround, start the subagent from the command line as follows:
# cd ServerRoot/bin/slapd/serverid
# ./ns-ldapagt -d ServerRoot/slapd-serverID
Note: The SNMP master agent must be configured and working.
- On HP-UX, the JAVA_FONTS environment variable must be correctly set to enable use of Japanese characters in the console. For example:
JAVA_FONTS=/opt/asx/lib/X11/fonts/ttfjpn.st/typefaces
Adjust the path accordingly for your environment.
- Users and roles cannot be created through the console as inactivated. (4521017) Inactivate the user or role after you create it instead.
Core Server
- The slapd process does not start automatically when the system boots. On UNIX systems, write an rc script to start the slapd process at boot time.
- Stopping the server during export, backup, restore, or index creation causes it to crash.
- On Windows NT and AIX platforms, do not set Memory available for Cache in the Database Settings to a value greater than 1073741824 bytes (1GB).
- AIX applications have a restrictive memory model. The AIX ns-slapd executable is created with a value of maxdata=0x50000000 to permit both the entry cache size (nsslapd-cachesize attribute) and database cache size (nsslapd-dbcachesize attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size but lowers the maximum database cache size by the same amount, and vice versa. Contact your iPlanet support representative if you need to adjust the maxdata value.
- Initializing the database with a file that is not accessible causes the server to crash. (4523595)
- iPlanet Directory Server 5.1 Service Pack 3 provides the UID Uniqueness plug-in. By default the plug-in is not activated. To ensure attribute uniqueness for specific attributes, create a new instance of the Attribute Uniqueness plug-in for each attribute. For more information on the Attribute Uniqueness plug-in, refer to the iPlanet Directory Server Administrator's Guide.
- The referential integrity plug-in is now off by default. Refer to "Maintaining Referential Integrity" in Chapter 2 of the iPlanet Directory Server Administrator's Guide for instructions on enabling and configuring the referential integrity plug-in.
However, the documentation incorrectly states that the referential integrity plug-in should be enabled only on one master server. In multi-master replication environments, you must enable the plug-in with an identical configuration on all master servers.
The previous version of these release notes also incorrectly stated that the referential integrity plug-in should be enabled only on one master replica.
- When enabling the referential integrity plug-in in Directory Server 5.1 Service Pack 3, if an unindexed attribute is present in the referential integrity plug-in attribute list, the server may encounter performance issues. (4754595)
- The Access Control plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting access control performs for group evaluation. Instead, the level of nesting is hard coded as 5. (4529540)
- When disk space is filled, Directory Server crashes and does not restart. (4527611)
- When replicating from a 4.x master to a 5.x consumer, with referential integrity enabled, you must reconfigure the referential integrity plug-in on the 4.x master to write referential integrity changes to the 4.x changelog. This enables referential integrity changes to be replicated. If you do not reconfigure the plug-in, referential integrity will not work correctly.
To reconfigure the referential integrity plug-in in this environment:
- Stop the 4.x server.
- Open the slapd.ldbm.conf file located in ServerRoot/slapd-ServerID/config/.
- Locate the line that begins:
plugin postoperation on "referential integrity postoperation"
- Modify this line by changing the argument that appears just before the list of attributes from 0 to 1.
For example, change:
plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 0 "member" "uniquemember" "owner" "seeAlso"
to
plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 1 "member" "uniquemember" "owner" "seeAlso"
- Save the slapd.ldbm.conf file.
- Restart the server.
- Reinitialize the 5.x consumer from the 4.x supplier.
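The edit in step 4 above is easy to get wrong by hand because the line carries two numeric arguments; as an added example (not part of the release notes), a Python helper that tokenizes a constructed slapd.ldbm.conf line, locates the argument just before the attribute list, sets it to 1, and leaves every other line of the file untouched. The sample lines use the ServerRoot placeholders from the text.

```python
import re

# Constructed sample lines (not from the release notes); the paths reuse the
# ServerRoot/slapd-serverID placeholders used in the procedure above.
ORIGINAL_LINE = ('plugin postoperation on "referential integrity postoperation" '
                 '"ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 '
                 '"ServerRoot/slapd-serverID/logs/referint" 0 "member" '
                 '"uniquemember" "owner" "seeAlso"')
EXPECTED_LINE = ('plugin postoperation on "referential integrity postoperation" '
                 '"ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 '
                 '"ServerRoot/slapd-serverID/logs/referint" 1 "member" '
                 '"uniquemember" "owner" "seeAlso"')
# A constructed neighbouring plug-in line (hypothetical name) that must not change.
OTHER_LINE = ('plugin preoperation on "some other plugin" '
              '"ServerRoot/lib/other-plugin.dll" other_init "uid"')
SAMPLE_CONF = ("# constructed excerpt of a 4.x slapd.ldbm.conf\n"
               + OTHER_LINE + "\n" + ORIGINAL_LINE + "\n")

# Tokens are either a double-quoted string (kept with its quotes) or a bare word.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
_REFERINT_PREFIX = 'plugin postoperation on "referential integrity postoperation"'


def is_referint_line(line):
    """True for the referential integrity postoperation plug-in line."""
    return line.startswith(_REFERINT_PREFIX)


def set_referint_changelog_flag(line, flag="1"):
    """Rewrite the changelog flag (the argument just before the attribute list).

    After referint_postop_init the arguments are: <update delay> <log file>
    <changelog flag> <attribute names...>, so the flag sits three tokens later.
    """
    if not is_referint_line(line):
        raise ValueError("not the referential integrity postoperation plug-in line")
    tokens = _TOKEN_RE.findall(line)
    words = [t.strip('"') for t in tokens]
    init_idx = words.index("referint_postop_init")
    flag_idx = init_idx + 3
    if flag_idx >= len(words) or words[flag_idx] not in ("0", "1"):
        raise ValueError("unexpected argument layout on the referint line")
    tokens[flag_idx] = flag
    return " ".join(tokens)


def rewrite_conf(text):
    """Apply the change to the referint line(s) of a slapd.ldbm.conf text."""
    return "\n".join(set_referint_changelog_flag(ln) if is_referint_line(ln) else ln
                     for ln in text.splitlines()) + "\n"
```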
Roles and Class of Service
- The nsRoleDN attribute is used to define a role. It should not be used for evaluating role membership in a user's entry. When evaluating role membership, look at the nsrole attribute instead.
- The behavior for negative CoS template priority values is not defined in the server. Do not enter negative values. Note that Indirect CoS does not support cosPriority.
Indexing
- VLV indexes do not work correctly if they encompass more than one database.
- If extreme index key fragmentation occurs (which can be caused by frequent add and delete operations) and you have not adjusted the value of ns-slapd-db-idl-divisor, it is possible that extra entry IDs will be maintained in the index key (up to a maximum of 2029 extra entries). This can occur because Directory Server does not count all the entry IDs against Allidsthreshold until an index block becomes full. To remedy this, run db2index on an index. This will correct the index fragmentation and set the key to ALLIDS.
Tuning
- The actual amount of memory allocated during the entry cache allocation is greater than the amount of memory requested. Therefore, more memory is allocated than specified with the nsslapd-cachememsize parameter. As a consequence the Directory Server process grows more than expected and can exceed the process size limit for 32-bit processes, which results in undesired behavior.
In order to handle modifications made to directory data in the same order on all replica servers (including suppliers and hubs), the directory needs to keep the change history of attributes. This is also called the entry state information. The history is purged after the purge delay, but only when the entry is modified again. So entries can grow large and use more room in the entry cache, which reduces the number of entries that fit in the cache. With large attributes or a high modification frequency, entries can grow larger than the entry cache itself, which results in undesired behaviour. For single-valued attributes, the history is not kept.
The state information can be dumped using db2ldif -r; a normal LDAP search operation returns only the current values.
Recommendations:
To avoid undesired behaviour, do the following:
- Do NOT use nsslapd-cachesize to set the entry cache limit. Set this parameter to -1. Use nsslapd-cachememsize instead.
- When migrating from 4.16SP1 to 5.x, use nsslapd-cachememsize rather than nsslapd-cachesize.
- The sum of all caches for a 32-bit version must not exceed 2 GB.
- Make sure that ns-slapd (32-bit) never exceeds 3.0 GB in a fully primed but inactive state, or 3.2GB in an active state.
- Set the nsslapd-cachememsize parameter to 60 % of your desired entry cache maximum.
- Examine your schema definition. Set attributes to single-valued unless otherwise required.
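As an added example (not from the release notes), a Python check that reads a constructed dse.ldif fragment and applies the recommendations above: nsslapd-cachesize must be -1, the configured caches of a 32-bit server must not add up to more than 2 GB, and nsslapd-cachememsize is derived as 60 % of the wanted entry cache ceiling. The entry DNs in the sample are assumptions about where the attributes live.

```python
# Constructed dse.ldif fragment (sample values, not from the release notes).
# The DNs are assumptions; the attribute names are the ones discussed above.
SAMPLE_DSE = """\
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
nsslapd-dbcachesize: 1073741824

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
nsslapd-cachesize: 50000
nsslapd-cachememsize: 1200000000
"""

TWO_GB = 2 * 1024 ** 3
CACHE_ATTRS = ("nsslapd-cachememsize", "nsslapd-dbcachesize")


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; no base64 or line folding."""
    entries, current, dn = {}, {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def total_cache_bytes(text):
    """Sum of every nsslapd-cachememsize and nsslapd-dbcachesize value in the file."""
    return sum(int(v)
               for attrs in parse_ldif(text).values()
               for attr in CACHE_ATTRS
               for v in attrs.get(attr, []))


def cache_findings(text, bits=32):
    """Apply the tuning recommendations and return a list of human-readable findings."""
    findings = []
    for dn, attrs in parse_ldif(text).items():
        for raw in attrs.get("nsslapd-cachesize", []):
            if int(raw) != -1:
                findings.append(f"{dn}: nsslapd-cachesize is {raw}; set it to -1 and "
                                "size the entry cache with nsslapd-cachememsize")
    total = total_cache_bytes(text)
    if bits == 32 and total > TWO_GB:
        findings.append(f"sum of configured caches is {total} bytes, which exceeds "
                        "the 2 GB limit for a 32-bit ns-slapd")
    return findings


def cachememsize_for(desired_entry_cache_max):
    """nsslapd-cachememsize to configure for a wanted entry cache ceiling (60 % rule).

    Integer arithmetic keeps the result exact for large byte counts.
    """
    return desired_entry_cache_max * 60 // 100
```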
Conformance
- By default iPlanet Directory Server 5.1 Service Pack 3 does not conform to RFC2252 when handling:
- DNs with multiple white spaces. (4687038)
- DNs with multiple escaped characters. (4535845)
To enforce conformance with RFC2252, do the following:
- Create a file <ServerRoot>/slapd-<ServerInstance>/config/newnormdn.
- Restart the directory instance.
- Rebuild the index databases, either by doing a db2ldif and ldif2db, or by rebuilding any index with DN syntax (entryDN, for example) (see Chapter 10, Managing Indexes in the iPlanet Directory Server Administrator's Guide.)
- Issues may arise when both LDAPv2 and LDAPv3 applications use certificate related attributes. (4819710):
- The LDAPv2 protocol specifies that the attribute should be xxxxx (where xxxxx is one of: UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
- The LDAPv3 protocol specifies that the attribute should be xxxxx;binary.
Directory Server considers the values associated with xxxxx;binary and xxxxx as two different values. In practice, this is not always what is required.
A new configuration parameter nsslapd-binary-mode has been created in cn=config to change this behavior. The value of nsslapd-binary-mode can be one of compat51, auto, or strict.
- compat51 is the default value and provides the original behavior. xxxxx and xxxxx;binary refer to distinct values (where xxxxx is one of: UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
- auto implies that the server considers xxxxx and xxxxx;binary as the same attribute. Searches return either the attribute specifically requested or xxxxx in LDAPv2 and xxxxx;binary in LDAPv3.
- strict is the same as auto except that requests that are not conformant are rejected with an INVALID PROTOCOL error (reject ;binary subtype in an LDAPv2 request or without subtype in an LDAPv3 request.)
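As an added example (not from the release notes), a Python model of the three nsslapd-binary-mode values as described above: which attribute description a stored certificate value comes back under for an LDAPv2 or LDAPv3 search, and which requests strict mode rejects. The function names are this example's own, not server APIs.

```python
# Attribute types the nsslapd-binary-mode parameter applies to (the xxxxx list above).
CERT_ATTRS = {"usercertificate", "cacertificate", "certificaterevocationlist",
              "authorityrevocationlist", "crosscertificatepair"}
MODES = ("compat51", "auto", "strict")


class InvalidProtocol(Exception):
    """Models the INVALID PROTOCOL error strict mode returns for a non-conformant request."""


def _split(desc):
    """'userCertificate;binary' -> ('usercertificate', True); 'cn' -> ('cn', False)."""
    base, _, option = desc.partition(";")
    return base.lower(), option.lower() == "binary"


def request_is_conformant(requested, ldap_version):
    """LDAPv2 must request xxxxx without ;binary; LDAPv3 must request xxxxx;binary."""
    base, has_binary = _split(requested)
    if base not in CERT_ATTRS:
        return True  # the rule only concerns the certificate-related attributes
    return has_binary == (ldap_version == 3)


def returned_name(stored, ldap_version, mode="compat51", requested=None):
    """Description under which a stored value is returned, or None if it is not returned.

    stored:    the attribute description the value was written with
    requested: the description in the search's attribute list, or None when the
               client asked for all attributes
    mode:      value of nsslapd-binary-mode (compat51, auto or strict)
    """
    if mode not in MODES:
        raise ValueError(f"unknown nsslapd-binary-mode {mode!r}")
    if ldap_version not in (2, 3):
        raise ValueError("ldap_version must be 2 or 3")
    if mode == "strict" and requested is not None \
            and not request_is_conformant(requested, ldap_version):
        raise InvalidProtocol(f"{requested} is not conformant in an LDAPv{ldap_version} request")

    stored_base, _ = _split(stored)
    if stored_base not in CERT_ATTRS or mode == "compat51":
        # Ordinary attributes, and every attribute in compat51: xxxxx and
        # xxxxx;binary are distinct, so only an exact (case-insensitive) match is returned.
        if requested is None or requested.lower() == stored.lower():
            return stored
        return None

    # auto and strict: both spellings name the same attribute.
    if requested is not None:
        # An explicitly requested attribute comes back under the requested form.
        return requested if _split(requested)[0] == stored_base else None
    base_text = stored.partition(";")[0]
    return base_text if ldap_version == 2 else f"{base_text};binary"
```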
- Some performance issues have been observed when 5.x retro changelog functionality is used (Meta Directory) (4639310). iPlanet Directory Server 5.1 Service Pack 3 fixes these performance issues by preventing internal attributes from being logged. To activate the fix, import the following LDIF file (through the console or using ldapmodify):
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginarg0
nsslapd-pluginarg0: -ignore_attributes
-
add: nsslapd-pluginarg1
nsslapd-pluginarg1: copyingFrom
- On Windows platforms, iPlanet Directory Access Router 5.0 is not able to share the same Administration Server <ServerRoot> as iPlanet Directory Server 5.1. (4692956)
- If you launch a db2back operation, cancel it (using CTRL-C), and then import new data, the transaction logs are no longer deleted. (4815733)
You may encounter a situation that forces you to use CTRL-C while db2back is in progress. We recommend that you use the db2back.pl script as a work-around. Note that this issue is solved in Directory Server 5.2.
- Do not set command path and library path variables for executing command line utilities and Perl scripts. Instead change to the directory in which they are stored. Although it is possible to set command path and library path variables to execute the utilities and scripts, this is not the recommended procedure because you run the risk, particularly when you have more than one server version installed, not only of disrupting the correct execution of other command utilities and scripts, but also of compromising the security of the system.
- On Sun Solaris only, the idsktune utility reports as missing any patches in the Sun recommended patch list that are not installed on the system, even if those patches relate to packages you have not installed.
- Note that the LDAP utility manpages on the Sun Solaris platforms do not document the iPlanet version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete, and ldapadd. For information regarding these utilities, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
- On Sun Solaris, you can monitor only one Directory Server instance at a time with SNMP. (4529542)
- You cannot read logs through the Directory Server Console if the server is not running. Instead, browse the iPlanet Console page at:
http://hostname:administration_server_port_number
Select the iPlanet Administration Express link, and log in as admin.
- For security reasons, many command line scripts written in Perl can now read the bind password interactively (-w- option). This functionality requires the Term::ReadKey Perl module, available separately. You can download this module from:
http://www.perl.com/CPAN/CPAN.html
All other script functionality remains available without this module. After installing the Term::ReadKey Perl module, enable the Perl scripts to read the bind password interactively by editing each script and uncommenting the appropriate lines.
- Some of the script and command-line usage information is not up to date.
- Unsynchronized server configuration information can cause restores to fail. Immediately after changing the configuration, back up all files under the configuration directory, install-dir/slapd-serverid/config, including the dse.ldif file.
- Changing the maximum size of the transaction log file has no effect if log files already exist in the database directory. (4523783) Instead, stop the server, modify nsslapd-db-logfile-size in dse.ldif manually, remove all log.* files from the database directory, and restart the server.
- The iPlanet Directory Server Administrator's Guide incorrectly suggests stopping Directory Server and using ldapmodify to change the transaction log directory. (4525267) Instead, stop the server, modify the nsslapd-db-logdirectory attribute in the dse.ldif file using a text editor, and restart the server.
- The server does not support LDAP search requests containing a filter that references virtual attributes. (4527614)
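The two transaction-log items above describe the same manual procedure (stop the server, edit dse.ldif, clear the log.* files in the database directory, restart). As an added example that is not part of the release notes, the shell function below scripts the nsslapd-db-logfile-size case and first takes the configuration-directory backup the notes recommend; the directory paths are parameters you supply, and stopping and restarting the server is left to the caller.

```shell
#!/bin/sh
# Added example, not from the release notes: apply the nsslapd-db-logfile-size
# workaround (4523783) to a STOPPED server instance.
#
# usage: set_txn_logsize CONFIG_DIR DB_DIR NEW_SIZE_BYTES
#   CONFIG_DIR  install-dir/slapd-serverid/config (holds dse.ldif)
#   DB_DIR      the database directory whose log.* files must be removed
# Stop the server before calling this and restart it afterwards.
set_txn_logsize() {
    cfg=$1; dbdir=$2; size=$3
    dse="$cfg/dse.ldif"

    [ -f "$dse" ] || { echo "missing $dse" >&2; return 1; }
    [ -d "$dbdir" ] || { echo "missing database directory $dbdir" >&2; return 1; }
    case $size in
        ''|*[!0-9]*) echo "size must be a positive integer" >&2; return 1 ;;
    esac
    grep -q '^nsslapd-db-logfile-size:' "$dse" || {
        echo "nsslapd-db-logfile-size not present in $dse" >&2; return 1; }

    # Back up the whole configuration directory first; the notes recommend
    # this after every configuration change so that restores cannot fail.
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -R "$cfg" "$bak" || return 1

    # Rewrite the attribute value; write to a temp file and rename so that a
    # failure midway leaves dse.ldif untouched. Works with BSD and GNU awk.
    awk -v s="$size" '
        $1 == "nsslapd-db-logfile-size:" { print $1, s; next }
        { print }' "$dse" > "$dse.tmp" && mv "$dse.tmp" "$dse" || return 1

    # The new size is ignored while old transaction logs exist, so remove
    # only the log.* files; database files (id2entry.db3, indexes) stay.
    removed=0
    for f in "$dbdir"/log.*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal
        rm -f "$f" && removed=$((removed + 1))
    done
    echo "nsslapd-db-logfile-size set to $size; removed $removed log file(s); backup in $bak"
}
```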
- bak2db can restore a database only to the default location. (4522793) To work around this, create the database remotely and add it with ldapmodify. To create a database remotely:
  - Create an LDIF file:
  - Use the ldapmodify utility to add the database:
    ldapmodify -D "cn=Directory Manager" -w password -f /path/to/databasename
  To move an existing database to another file system location:
  - Export the database to LDIF format using the db2ldif utility.
  - Follow the instructions provided in the iPlanet Directory Server Administrator's Guide to delete the database.
  - Create the database at the new location.
  - Use the ldif2db utility to restore the database you exported to LDIF format.
  Note that once the database has been relocated, backups made from the old location with the db2bak utility are no longer valid. Attempts to restore them may render the server unusable.
- The section entitled "Configuring the Directory Manager" in the iPlanet Directory Server Administrator's Guide states "The password for this user is defined in the nsslapd-rootdn attribute". This is incorrect. The password is actually defined in the nsslapd-rootpw attribute, not the nsslapd-rootdn attribute.
Accessing Online Help and Online Documentation
The online documentation files are installed with your Directory Server and can be found with your browser.
If you are working under Windows NT or have installed iPlanet Directory Server 5.1 Service Pack 3 in a location other than /usr/iplanet/servers, adapt the following URLs accordingly:
Documentation Home Page:
file:///usr/iplanet/servers/manual/en/slapd/dochome.htm
iPlanet Directory Server Installation Guide:
file:///usr/iplanet/servers/manual/en/slapd/install/contents.htm
iPlanet Directory Server Deployment Guide:
file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm
iPlanet Directory Server Administrator's Guide:
file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm
iPlanet Directory Server Configuration, Command, and File Reference:
file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm
iPlanet Directory Server Schema Reference:
file:///usr/iplanet/servers/manual/en/slapd/schema/contents.htm
How to Report Problems
For general information on iPlanet Directory Server 5.1 Service Pack 3, refer to:
http://wwws.sun.com/software/products/directory_srvr/home_directory.html
Sun ONE Support maintains an online Knowledge Base containing technical articles and technotes about common iPlanet product issues. Search SunSolve at:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=home
If you experience issues with iPlanet Directory Server 5.1 Service Pack 3, refer to iPlanet Technical Support:
http://www.sun.com/service/sunone/software/index.html
For More Information
Useful iPlanet information can be found at the following URLs:
- iPlanet and Sun ONE release notes and other documentation: http://docs.sun.com/db/prod/s1dirsrv
- Sun ONE product status: http://www.sun.com/service/sunone/software/index.html
- Sun ONE Professional Services information: http://www.sun.com/service/sunps/sunone/index.html
- Sun ONE developer information: http://developer.iplanet.com/
- Sun ONE learning solutions: http://www.sun.com/supportraining/
- Sun ONE product data sheets: http://wwws.sun.com/software
- Sun Certified Engineer training: http://wwws.sun.com/software/training/certification/directory.html
Third-Party License Acknowledgements
Copyright © 1989 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
- Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
This product contains the following software derived from RSA Data Security, Inc.
- MD5 Message-Digest Algorithm
The source code to the Standard Version of Perl can be obtained from CPAN sites, including http://www.perl.com/.
This product incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code; the original compression sources are freely available from:
ftp://ftp.cdrom.com/pub/infozip/
Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.