Part Number 819-1814-10
These release notes contain important information available at the time of the release of Sun[tm] ONE Directory Server 5.1 Service Pack 4. This product was formerly called iPlanet Directory Server. New features and enhancements, known limitations, and other late breaking issues are addressed here. Read this document before you begin using iPlanet Directory Server 5.1 Service Pack 4.
An electronic version of these release notes can be found on Sun's documentation web site:
http://docs.sun.com/coll/S1_ipDirectoryServer_51
Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up to date release notes and manuals.
These release notes contain the following sections:
- Revision History
- What's New in iPlanet Directory Server 5.1
- Supported Platforms for iPlanet Directory Server 5.1 Service Pack 4
- Installation Procedures for iPlanet Directory Server 5.1 Service Pack 4
- Problems Corrected in iPlanet Directory Server 5.1 Service Pack 4
- Enhancements and Problems Corrected in iPlanet Directory Server 5.1
- Known Limitations
- Accessing Online Help and Online Documentation
- How to Report Problems
- For More Information
- Third Party License Acknowledgments
For information on hardware and software requirements, refer to the iPlanet Directory Server Installation Guide.
Date | Description of Changes |
---|---|
February 24, 2005 | Note on Solaris 10 support. |
February 10, 2005 | Publication of Directory Server 5.1 Service Pack 4 Release Notes. For ease of reference, additions and changes to these Release Notes (as compared to the Directory Server 5.1 Service Pack 3 Release Notes) appear in green. |
June 28, 2004 | Note added on changing port numbers. |
May 05, 2004 | Note added on legacy replication. |
December 2, 2003 | Publication of Directory Server 5.1 Service Pack 3 Release Notes. Certain known limitations that appeared in the previous Release Notes have been removed because they have been fixed in Directory Server 5.1 Service Pack 3. These include : |
iPlanet Directory Server 5.1 contains the following new features and enhancements:
Updated and improved management console. The new Directory Server Console offers an improved dialog for configuring replication, and a new directory browser. In this release, the Directory tab has several layout options for navigating the directory tree: as before with leaf entries in the right-hand pane, as a single tree in a single pane, or with attributes for the selected entry displayed on the right. For details, refer to Chapter 1 of the iPlanet Directory Server Administrator's Guide.
Performance Improvements over Directory Server 5.0. This new release of Directory Server offers increased performance over Directory Server 5.0 and 4.x.
Support for IPv6. Directory Server 5.1 can accept incoming connections from IPv6 clients. Currently Directory Server cannot interpret IPv6 addresses in access control instructions, or use IPv6 connections for operations such as replication and chaining. The Administration Console cannot be used on networks supporting only IPv6.
Improved scalability and performance of Roles and Class of Service. Roles and Class of Service, introduced in iPlanet Directory Server 5.0, have been enhanced in this release to increase scalability.
Support for the plug-in API. If you need to create custom plug-in functions you can also contact the iPlanet Professional Services organization at: http://www.sun.com/service/sunps/sun one/index.html.
Schema Documentation. A new document, iPlanet Directory Server Schema Reference, describes the schema provided with Directory Server 5.1. The document focuses on schema objects useful to support your directory information.
Due to architectural changes made in iPlanet Directory Server, some features that were previously available are no longer included. These are:
NT Sync Service. You can no longer create Windows NT accounts through the directory console. When you right click an entry under the Directory tab in the directory console and select New>User to display the Create New User dialog box, you still see the NTUser tab in the left-hand column. Since the Windows NT Sync Service is no longer available, using the fields of the NT User tab will create an entry in the directory only. No new Windows NT account is created.
Database Backend Plug-in Interface. The enhanced pre-operation interfaces may be used instead of the database backend plug-in interface, to implement plug-ins that are designed to provide access to alternative directory data stores.
Directory Server Gateway. The Directory Server Gateway is no longer delivered with iPlanet Directory Server 5.1. We recommend that you investigate LDAP Tag Library, scheduled to be available as part of the iPlanet Directory Server Resource Kit 5.1, as a good Directory Server Gateway replacement. For further information see:
http://wwws.sun.com/software/download/
Directory Server 5.1 Service Pack 4 is supported on the following platforms:
Sun Solaris 10 for SPARC (64-bit) and x86
This release of Directory Server is supported on Solaris 10 with the Solaris native packages delivery (IPLTxxxx packages) only.
Sun Solaris 9 for SPARC and x86 (32 and 64-bit)
Sun Solaris 8 for UltraSPARC (32 and 64-bit)
Microsoft Windows NT 4.0 Server, SP 6a (x86 only)
Microsoft Windows 2000 Server and Advanced Server SP 4 (x86 only)
Hewlett-Packard HP-UX 11.0/11i (PA-RISC 1.1 or 2.0)
IBM AIX 4.3.3 (Power PC)
Red Hat Linux 7.2 (IA-32)
This release of Directory Server is not supported on Sun Solaris 2.6 or Sun Solaris 7. You must upgrade to Sun Solaris 8 before upgrading to or installing Directory Server 5.1 Service Pack 4.
Directory Server 5.1 Service Pack 4 requires specific operating system patches or service packs to be installed before Directory Server can be installed. Installation of Directory Server 5.1 Service Pack 4 may fail if the recommended patches or service packs are not present.
On operating systems other than Windows, you must run the idsktune utility prior to installing Directory Server 5.1 Service Pack 4. After you expand the product package, you will find the idsktune utility in the same directory as the setup program. Install the patches recommended by the idsktune utility. For more information, refer to the iPlanet Directory Server Installation Guide.
You can obtain Sun Solaris patches from:
NOTE: If you run Administration Server as root, all commands initiated by the administration user will also be run as root. Therefore you must apply the same rules of confidentiality and security to the administration password as you would to the root password of your server.
If you are performing a new installation, refer to the iPlanet Directory Server Installation Guide. If you are upgrading from Directory Server 5.1, 5.1 SP1, 5.1 SP2 or 5.1 SP3, perform your upgrade as follows:
- If you are running a ZIP installation, upgrade by using the patch ZIP provided with Directory Server 5.1 SP4.
- If you are running IPLT packages, upgrade by installing the following packages:
  SPARC: 113859-04
  x86: 114273-04
Directory Server 5.1 SP4 and Directory Server 5.2.x both deliver a /usr/sbin/directoryserver command. (6176080)
Depending on the default version of Directory Server that is currently set, the /usr/sbin/directoryserver command calls the directoryserver command delivered with Directory Server 5.1 or that delivered with Directory Server 5.2.
The root administrator can set or get the default version of Directory Server by using the directoryserver command.
The directoryserver command delivered with Directory Server 5.1 SP4 has the following additional options compared to that delivered with previous versions of Directory Server 5.1:
Usage: directoryserver -setdefaultversion | -d <version>
Usage: directoryserver -getdefaultversion | -g
Usage: directoryserver -listversions | -l
Usage: directoryserver -useversion | -u <version> subcommand {options-and-arguments ...}
where options-and-arguments depend on the specific subcommand
Usage: directoryserver subcommand {options-and-arguments ...}
where options-and-arguments depend on the specific subcommand
Important: The Directory Server 5.1 Service Pack 4 patches, 113859-04 and 114273-04, can be applied on a Solaris 10 system (SPARC and x86) only if this server has been upgraded from a Solaris 9 system.
It is possible to install Service Pack 4 on top of an existing, unbundled Directory Server 5.1 installation by performing the following steps:
NOTE: In step 10, be sure to use the full path to the location where you originally installed Directory Server 5.1.
- Ensure that Administration Server is running.
- Ensure that Directory Server 5.1 is running.
- See the "Installation" section of the Known Limitations for instructions that apply to certain configurations. In particular, you must turn off the password history and disable the "check password history" features before installing Service Pack 4.
- Follow the procedures under "Using Typical Installation" in Chapter 3, "Using Express and Typical Installation," of the iPlanet Directory Server Installation Guide.
Directory Server 5.1 Service Pack 4 can also be installed on top of a running, localized, version of Directory Server 5.1. The objects delivered in Service Pack 4 (binaries, Java files, and so on) are not involved in the localization mechanism.
On HP-UX 11.0/11i platforms, ensure that the number of file descriptors is less than or equal to 2048 before installing Directory Server 5.1 Service Pack 4. Refer to the "Installation" section of the "Known Limitations" for more information.
If you are migrating from Netscape Directory Server 4.x (up to 4.16 SP1) or iPlanet Directory Server 5.0, refer to Chapter 6, Migrating From Previous Versions in the iPlanet Directory Server Installation Guide. Also, see the relevant installation and migration paragraphs in the "Known Limitations" section of these Release Notes.
Directory Server 5.1 Service Pack 4 includes fixes to the following known problems that occurred in earlier releases of Directory Server. Fixes introduced in Service Pack 4 appear in green.
Replication
- The delete operation was not propagated to consumers in cascading replication. (4550044)
- On Windows platforms, an optimization test aborted replication processing. (4616579)
- nsTombstone entries were not purged. (4617521)
- Directory Server encountered many tombstone errors. (4633404)
- A replication supplier was disabled and could not restart when the RUV database was corrupt. (4533706)
- Replication became unsynchronized and stopped. (4617085)
- Changing case-sensitive attribute values failed in MMR. (4624693)
- A replication supplier crashed after deleting attributes. (4627443)
- Directory Server crashed or hung when replication was enabled. (4643122)
- Replication failed when migrating a consumer from Directory Server 5.0 and subsequent Service Packs. (4646392)
- Replication failed to restart from a supplier to a consumer. (4658810)
- Replication between 4.x and 5.1 servers stopped when updating operational attributes. (4665571)
- Directory Server crashed when certain replication agreement attributes were missing. (4672889)
- Turning system time backwards stopped replication. (4672960)
- A consumer chained database initialization requests when the distribution plug-in was enabled. (4684519)
- It was not possible to monitor the replication update vector in the replica object. (4691101)
- During data import the change log database could become corrupt and replication could fail. (4711201)
- Replication stalled for ten minutes and the server was inaccessible. (4711202)
- Referrals for modifying entries failed, due to the DN being trimmed at space characters. (4627760 and 4743633)
- Tombstone entries were not deleted if one master was never updated. (4639560)
- Accounts could not be unlocked on non-master 5.0 servers. (4527608)
- An invalid replication configuration caused the consumer to crash. (4742450)
- Disabling and re-enabling replication stopped replication on one master in a multi-master configuration. (4748399)
- In certain cases, a replication configuration in which a 5.1 consumer accepted updates from a legacy master, caused the server to crash. (4675387)
- Replication was unreliable with MODRDN operations from a 4.16 supplier. (4778334)
- The change log was not purged properly when a consumer was stopped before any changes were replicated. (4758387)
- Change log trimming did not take place in a multimaster environment. (4780230)
- Configuring nsslapd-changelogmaxage replaced the top object class of the cn=changelog5,cn=config entry with an indecipherable binary value. (4704039)
- During replication, modifications could be missing on a consumer. (4786475)
- Legacy replication failed when Password policy was enabled on 4.x servers. (4767182)
- The CSN value generating process has been improved to avoid a time skew. (4695152)
- Replication would not restart after restoring a database with the bak2db utility. (4689805)
- Replication broke when initialization occurred from both supplier servers. (4797685)
- A deadlock occurred on the ns-slapd server due to a cross locking problem in the entry cache. (4786154)
- Issuing two total updates on a server at the same time caused the first server to be unable to complete the operation. (4773823)
- Replication could crash when modifying an entry with a missing attribute name. (4813998)
- Directory Server could produce nsuniqueids that were not unique. (4818005)
- A modify-replace operation for a non-existent attribute caused the attribute to be present in searches. (4820037)
- A potential inconsistency between the replica update vector in the database and the change log has been fixed. (4836446)
- Directory Server could crash during the replication operation. (4863706)
- Password policy attributes were incorrectly handled in replication. (4930098)
- A consumer could crash if the syntax for an attribute was changed to "single value" and an entry with existing multi-valued data was changed. (4898449)
- In a multi-master replication configuration with one master serving as a backup server, when entries were modified and added on only one of the masters, replication consumed more and more time and CPU to propagate changes to the consumers. (4817676)
- After unconfiguring a master replica and reconfiguring it with another replica ID, errors regarding duplicate referrals occurred. (4863943)
- Several tombstone purging threads sometimes ran in parallel for the same replica. This generated error messages because the threads were attempting to delete the same entries. It also caused useless resource usage (CPU and memory). (4920323)
- A deadlock in multi-master replication was possible during the conflict resolution process. (4925223)
- A useless (but harmless) error message regarding malloc 0 bytes was displayed during some VLV searches when an entry contained an attribute with an empty value. (4942664)
- On Linux platforms, Directory Server could crash when a replica agreement thread called gethostbyname. (4826863)
- After an online initialization, the consumer performance counters were not returned. (4838624)
- Imported tombstone entries were not purged. (4856329)
- Replication sessions over SSL could time out within slapd_poll(823). (4850722)
- Replication sometimes stopped with a systematic "Replication Busy" message. This happened when the replication session was still running while the agreement was being deleted. (4863001)
- In a multi-master replication topology, a re-initialized master was unable to replicate any changes. (4881653)
- At start time, the RUV object was sometimes NULL, which caused the server to crash. (4911678)
- Replication was not properly replayed when a repeated ModifyRequest was made on an entry. (4846165)
- In a replicated environment a consumer could crash if the updates coming from the supplier contained a large amount of state information. (4904414)
- Improvement of the CSN generator to avoid the time skew between a supplier and a consumer. (2101315)
- During CSN calculation, an offset is computed which adjusts time difference between a supplier and a consumer. This process is now activated every 250 milliseconds (it was one second in previous Directory Server 5.1 releases.) (4976005)
- A 24-hour time drift may occur between two replicas; in previous versions this caused the replication mechanism to stop. From Service Pack 4, only a warning message is logged. (5024106)
- Inconsistency between a master and consumer occurred when a super object class was added to the entry being modified. This is no longer the case. (2118490)
- Directory Server sometimes crashed on the consumer side during schema replication when legacy replication was enabled. (2121114)
- Replication halted after a consumer was stopped. (2121615)
- Directory Server sometimes crashed during a replication session if an entry contained duplicate values. (4976010)
- Replication stopped when deleting a null DN entry. (4976481)
- Under certain conditions, replication of the passwordExpirationTime and passwordExpWarned attributes did not succeed. (5013318)
- Replication sometimes stopped and restarted after issuing a "Send Updates Now" operation. (5071022)
- Hub replicas were sometimes unable to replicate updates due to an incorrect replica ID 65535 in the RUV. (5103276)
Console
- The replica ID was not displayed correctly on Windows platforms. (4589224)
- It was not possible to use special characters in the console administrator password. (4672914)
- User data could not be accessed in a remote directory server with SSL enabled. (4663658)
- Console modifications to the RDN caused exception violations when saved. (4668480)
- The Console did not display time correctly. (4615165)
- Bold Japanese characters were displayed as square boxes. (4645544)
- Removal of CA certificates failed. (4658787)
- The default install parameter for "Number of file descriptors" was out of range. (4592931)
- The Console could not display the user menu if there were more than 35 users. (4749234)
- It was not possible to set or clear the HUB radio button through the Console. (4538268)
- The Console failed to load the jss library on Linux platforms. (4704635)
- The iPlanet Administration Express tool was unable to display data if the installation path was too long. (4738639)
- Console startup failed on Windows 2000 if the installation path contained spaces. (4789601)
- The Console did not allow the addition of a member to a group which contained a double quote in the DN. (4683476)
- The Console performed a modrdn operation if no change was made in the Console Property Editor window and the OK button was pressed. (4669525)
- Directory Server hung when a backup task was issued from the Console. (4735919)
- The Indexes tab in Directory Server Console (Configuration Tab, data subtree, userRoot database, Indexes Tab) appeared as a blank screen. (4530509)
- The Console did not update modified/removed entry names. (4614559)
- Administration Express failed to display logs when a non default log directory was configured. (4911711)
- Directory Console on Windows rendered certain operations slowly. (4840960)
- The Console process grew when adding users. (4912539)
- In Directory Server 5.1 Service Pack 1 and following versions, the console did not handle backslashes in the RDN. This is fixed in Service Pack 4. (2057900)
- In Directory Server 5.1 Service Pack 3 and following versions, the startconsole command failed on Windows platforms with a Japanese or Korean locale. This is fixed in Service Pack 4. (2079262)
- On Windows NT, the console was unable to display the content of log files if they had been moved to a different directory. (5071675)
- When attempting to modify an entry using the property editor, the console returned the error "Unknown error with naming attribute" if the RDN and the matching attribute in the entry DN were in a different case. (4819904)
Database
- Old data was sometimes written back into the current database. (4638816)
- The ns-slapd process crashed during import operations. (4623119)
- The maximum number of object locks was not set to the correct scaled value and caused the error message "libdb: Lock table is out of available locks". (4651972)
- Issuing the command db2ldif.pl -s "suffix" could cause replication to stop and the server to hang due to a database lock that was never unlocked. (4802963)
- Within a multi-master replication configuration, the error: "_cl5GetNextEntry: failed to get entry; db error - 12 Not enough space" was possible. (4652031)
- Database indexes were inappropriately set to ALLIDS. (4705641)
- Directory Server now supports large files (larger than 2GB). (4716745)
- The performance problem on HP-UX platforms has been fixed. (4911023)
- Directory Server sometimes crashed if an entry was deleted and immediately added again. (4885686)
- BVERSION and ancestorid.db3 files were left behind when deleting a suffix. (4829894)
- Attribute subtypes were deleted from an index if they had the same value. (4912664)
- A number of issues in the database component (cores dumped upon stress, store unavailable under certain conditions, error messages) have been fixed. (4938445, 4921426, 4916248, 4751092, 4866060)
- Under load, Directory Server stopped deleting the transaction logs and eventually consumed all free disk space. (5026748) (5104371)
- The bak2db command failed when databases were located in directories such as "db/db1", "db/db1/db2", "db/db1/db2/db3". (2121481)
Plug-Ins
- In a replication configuration, when the retro change log plug-in was enabled, change log trimming occurred every five minutes, regardless of the nsslapd-changelogmaxage value. (4652859 and 4809504)
- Only the first modification in the attribute to be checked was taken into account by both the 7-bit checking plug-in and the uid uniqueness plug-in. (4754469)
- The 7-bit checking plug-in did not check the correct attribute. (4786547)
- The distribution plug-in did not handle internal operations correctly. (4684519)
- The certificate mapping plug-in was not loaded on Linux platforms. (4778128)
- Directory Server could crash when adding a large number of entries that used the Roles Plug-In. (4865859)
- The ldapsearch -A operation against a chained database failed on results. (4865525)
- The Referential Integrity plug-in needed to be shut down before the backend was shut down. (4865653)
- Modifying an entry when the Attribute Uniqueness plug-in is enabled might cause Directory Server to crash. (2097654)
- Directory Server could crash while trimming the retro change log. (2099422)
- It was not possible to configure pass through authentication with URLs containing the same suffix. (2121644)
- The Pass Through Authentication Plug-In did not fail over to a second running server if the first configured server was unreachable. (5052660)
Security
- The process of finding the password attribute has been changed. (4619976)
- Directory Server did not verify the SSL peer host name. (4615324)
- Password expiration was inconsistent. (4532757)
- A security problem concerning the retro change log plug-in has been fixed. (4618824)
- The number of unsuccessful attempts was not reset after a successful bind. (4645887)
- An illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03. (4532320)
- The server failed to detect all the "empty string cases" for ACI definitions. This caused a core dump. (4719564)
- A security issue in 5.x Directory Administration Server (iWS 6.0SP1 and iWS 6.0SP2) has been fixed. (4707395)
- The ACI for 'Directory Administrators Group' has been fixed. (4713256)
- ACI evaluation was incorrectly performed for parent rules. (4753087)
- ACI evaluation was incorrectly applied to the recursive deletion of entries. (4795280)
- User passwords were still in clear after running the ldif2db command utility with the passwordStorageScheme set to SSHA. (4669879)
- The Directory Server instance hung when the SSL bound application was suspended. (4786504)
- The delete operation based on an entry DN containing numerous commas crashed the server. (4735062)
- The Directory Server Perl scripts exposed the user DN password. (4732352)
- The passwordHistory attribute did not work correctly. (4686213)
- A possible denial of service attack in Windows 2000 and Windows NT connection handling has been fixed (that is, aborted connections may remain open). (4773920)
- Directory Server could crash in an ACI evaluation. (4809846)
- Under certain conditions, binding with certificate and simple authentication could cause Directory Server to hang. (4883250)
- The passwordRetryCount failed to increment correctly in Directory Server 5.x. (4856290)
- It was possible to "ignore" password expiration. (4908443)
- Certain entries were incorrectly hidden or displayed if the ACL contained checks on attribute values or macro ACIs, and subtree or single-level searches were performed. (4913176 and 4918912)
- A vulnerability in SSL/TLS implementations of cipher suites that use block ciphers has been fixed. (4854898)
- ACI evaluation on database link servers failed to return only the DN attribute. (4913984)
- Local ACIs did not work correctly over a database link when specifying DNs. (4922595)
- Directory Server sometimes crashed when evaluating an ACL. (4830417)
- Directory Server hung when an ACL was modified and evaluated at the same time. (4840786)
- Directory Server now includes the fix for the security alert (referenced in bug ID 4945089). (4957279)
- The ASN1 Decoder could suffer Denial of service Attacks - CERT Advisory CA-2003-26 (4945089)
- A security issue in the Administration Express tool has been fixed. (4854827)
- An incorrect ACI syntax crashed Directory Server systematically. (4851870)
- Incorrect ACI syntax errors occurred after migration from Netscape Directory Server 4.x to Directory Server 5.x. (4899320)
- Directory Server was prone to a root-dot-dot security attack due to missing URL sanitization. (4929089)
- A MODIFY INTERNAL operation on the passwordRetryCount attribute could be chained to other servers. (4897873)
- Directory Server crashed during SSL initialization while running two start_tls sessions in parallel. (2097541)
- There was a deadlock with the start_tls and disconnect_server functions. (2097665)
- Directory Server sometimes crashed during ACI evaluation while modifying the value of a long attribute name - CERT security note: VU#258905 - (2121079)
- Directory Server could crash while checking the history of a clear password. (2097456)
- Directory Server 5.1 Service Pack 4 has been upgraded from NSS v3.3.4.1 to v3.3.4.2 to support SSL with certificates from Verisign. (4994274)
- Directory Server could crash at startup during ACI evaluation. (2119155)
- During the evaluation of the group access ACI, the Directory Server sometimes allocated a large memory size then exited because of a lack of memory. (2120414)
- The attribute passwordRetryCount was not updated properly when a bind failed. (4957314)
- Directory Server would not start up unless the change log files had the correct write permissions. (4957384)
- During a replication session, the pseudo attribute unhashed#user#password displayed the user password in clear text. (4965036)
- On Windows NT, Directory Server over SSL hung if there were more than sixty open SSL connections. (5084650)
Recovery
- A Directory Server instance did not restart after a system crash. (4620546)
- Directory Server crashed when a client abandoned a persistent search operation. (4640273)
Connection
- Connections were sometimes closed even though they were not idle for the specified idletimeout. (4791877)
- Persistent search operations were not removed properly from the connection. (4671360)
- Connections for persistent searches were not cleaned up on Windows NT. (4886421)
- Various issues (memory leaks, crashes, error messages displayed) occurred when initiating or abandoning persistent searches. (4824825 and 4834508)
- On Windows NT, Directory Server could crash while removing an operation (pointing to a NULL value) from the connection. (4953750)
- On Windows NT, Directory Server did not close idle connections. (5044378)
LDAP access
- Directory searches failed on replicas with a scope of "one". (4614741)
- Directory crashed (SIGBUS) during a search. (4639232)
- The "bind time-out" was ignored for an unresponsive host. (4639408)
- Directory Server responded incorrectly to an unbind request. (4623308)
- The ldapmodify command incorrectly interpreted base 64 encoded values. (4665564)
- Directory Server crashed when binding to an entry that was being created. (4674387)
- Searches displayed incorrect results for specific order of search filters containing not operators. (4715955)
- A range search for an empty range such as (&(uid>=7)(uid<=9)) crashed the server. (4708296)
- Issuing an ldapdelete command with a very large DN could cause Directory Server to crash. (4735062)
- Substring searches did not work correctly on integer syntax attributes. (4717121)
- Directory Server accepted multiple additions of identical attribute-value pairs. (4722987)
- A "numsubordinates assertion failure" error occurred when adding a child entry to a parent entry on one master while simultaneously deleting the same parent entry from another master. (4709128)
- Directory Server crashed when filters were nested too deeply. (4621920)
- Directory Server could crash when performing an internal modification while attributes were being deleted. (4759670)
- Directory Server could crash when binding with an entry that had two or more virtual attribute values. (4787220)
- It was possible to create an entry with duplicate object class values. (4761010)
- Leading and trailing white spaces were ignored in substring searches. (4537169)
- Adding a value, then deleting another value in the same modify operation was badly handled by replication. (4780807)
- An ldapmodify operation on consumers with the ManageDsaIT control returned an "unwilling to perform" error instead of a referral. (4857614)
- Search results were logged twice if there was no backend for the search base. (4943975)
- Search operations were performed even if a custom pre_search plug-in returned a non-zero status. (4838863)
- A search on cn=config returned the directory manager DN (nsslapd-rootdn) in lowercase instead of maintaining the original case. (4880352)
- The triviality check was skipped when more than one attribute was modified. (4867299)
- Directory Server could crash when performing triviality check with empty attribute value in a modification operation. (4948365)
- Directory Server would sometimes crash when importing large entries. (4935077)
- Directory Server did not manage spaces in substring search filters correctly. (4537169)
- Directory Server could crash on intensive use of persistent searches and abandon operations. (4826265)
- Directory Server could crash if nationalization matching rule searches occurred in parallel. (4865435)
- Special characters (such as "(") were not allowed in the userPassword attribute for the administration entry. (4819399)
- DN normalization with double backslashes has been improved. (4848325)
- Directory Server sometimes crashed when importing a corrupted LDIF file. (4903397)
- Persistent search operations returned tombstone purging events. (2097509)
- On AIX platforms, an ldapsearch operation with a very long filter could cause Directory Server to crash. (2097600)
- The substring index became corrupted when deleting similar multiple attribute values. (2098090)
- A VLV search based on an empty container returned error 1 instead of 0. (2101163)
- Multiple asynchronous searches on the root DSE could cause Directory Server to crash. (2108974)
- The SLAPI_RESULT_CODE parameter was not updated in the pblock when sending the result. (5053912)
- An ldapsearch operation on the root DSE did not return the correct requested VLV indexes. (5088018)
Performance
- Enabling the retro change log plug-in caused performance issues. (4639310)
- A looping thread increased CPU consumption. (4629441)
- A memory leak in the CoS plug-in has been fixed. (4630124)
- A memory leak in schema searches has been fixed. (4682961)
- The fix for bug ID 4705601 introduced a performance drawback: ldif2db hung during data import. (4738221)
- An ldif import crashed if entries contained a large number (more than 128) of attributes. (4723630)
- ldif2db crashed when importing an ldif file that contained entries with several values for an attribute, and these values were not continuous. (4737978)
- If the server was in a tombstone purging loop it did not react to the stop signal until it had completed. Thus, the server could take a long time to stop. (4646350)
- A memory leak existed in replication synchronization of two replicas. (4756215)
- A memory leak existed in password modification. (4773751)
- A memory leak existed in persistent search. (4777358)
- A memory leak existed in the ldapcompare operation. (4765575)
- Directory Server appeared to hang when an unindexed attribute in the referential integrity plug-in was present, and the plug-in was enabled during an update operation. This bug is fixed for all new instances using the nsroledn attribute. (4754595)
- Directory Server sometimes crashed during the import of a database. (4742083)
- A memory leak in the connection handling on Windows NT has been fixed. (4649319)
- A memory leak in replication has been fixed. (4805734)
- A modify/replace operation with more than five values generated duplicate values and a memory leak. (4807803)
- A modify/replace operation with more than five values corrupted the present/deleted values and generated a memory leak. (4813355)
- A memory leak in the start replication operation has been fixed. (4821198)
- A performance problem existed when adding an entry with an asterisk ("*") in the dn due to substring search for tombstones. (4891116)
- A memory leak on consumers in a single master replication configuration has been fixed. (4805734)
- After a certain time, database performance dropped due to database cache trickling. (4850717)
- Searches on suffix that contained a subsuffix triggered a memory leak. (4881181)
- A memory leak doing a series of adds and then deletes has been fixed. (4945548)
- Query performance deteriorated with large numbers of static groups. (2065178)
- A performance degradation with consecutive modrdn operations has been fixed. (2069342)
- An fdsync operation in Directory Server 5.1x caused a degradation in performance. (4921143)
- Directory Server sometimes stopped responding when an ldapsearch operation requested too many attributes. (2101262)
- Under certain conditions, Directory Server hangs due to a deadlock with internal counters. (2120389)
- Directory Server sometimes crashed while updating indexes which had no keys. (2120699)
- Directory Server could show performance degradation with substring searches if attribute values were too large. (4851879)
- Directory Server hangs when running VLV search and update operations simultaneously. (4973380)
- Directory server sometimes failed to stop. (5047431)
- A memory leak when running persistent search operations has been fixed. (2097441)
- A significant memory leak in Directory Server 5.1 has been fixed. (2097623)
- A memory leak occurred during certain modify operations, if the user was not allowed to modify some of the attributes. (2099197)
- A memory leak on modify operations of multi-valued attributes with substring indexes has been fixed. (4990956)
- A memory leak in the function cl5CreateReplayIterator() on the supplier and hub has been fixed. (5072159)
- A memory leak when evaluating a specific format of ACI has been fixed. (2117983)
Conformance
- The default schema contained extra definitions not in RFC2307. (4629102)
- A DN that contained several escaped characters was incorrectly normalized. (4535845)
- A DN with white spaces did not conform to RFC2252. (4687038)
- Subtype attributes were not stored in the directory, as RFC2256 mandates. (4622371)
- There were issues when both LDAPv2 and LDAPv3 applications were using certificate related attributes. (4819710)
SNMP
- SNMP could crash on the HP-UX platform. (4743796)
- The SNMP master agent in Directory Server 5.1 Service Pack 3 was not sending traps. (4980328)
Logs
- Directory Server did not rotate the log files correctly. (4628444)
- The detection of a large BER encoded operation was logged in the error log file if the replication log level was activated. (4778154)
- Replication error messages were logged on the supplier if the passwordRetryCount was updated. (4784168)
- Aborting a backup (db2bak) prevented the removal of the transaction logs. (4815733)
- Access log rotation did not occur on restarting slapd. (4846332)
- The audit log files were not being rotated as configured. (4826843)
- The attribute nsslapd-accesslog-logminfreediskspace did not work as expected. (4928129)
- The audit log did not report the modifiersName and modifyTimestamp attributes on MODRDN operations. (2063534)
- The value of the nsslapd-XXXXXXlog-logmaxdiskspace attribute was not applied correctly over two Gigabytes. (4976129)
- If the nsslapd-XXXXXXlog-logexpirationtimeunit attribute, but not the nsslapd-XXXXXXlog-logexpirationtime attribute was defined, the deletion policy did not work correctly. (2121688)
- If the nsslapd-XXXXXXlog-logexpirationtime attribute, but not the nsslapd-XXXXXXlog-logexpirationtimeunit was defined, the deletion policy did not work correctly. (5098376)
- The nsslapd-XXXXXXlog-logexpirationtimeunit attribute did not set the correct default value. (2101333)
- When the password policy was enabled on the consumer, the message "password is expiring on consumer in %d seconds" was incorrectly displayed on the master. (2120541)
Miscellaneous
- The most recent version of idsktune was not shipped in Directory Server 5.1. (4623199)
- Multiple attribute uniqueness plug-ins forced uniqueness between each other. (4649615)
- Time stamps in log files were stored incorrectly when Directory Server shut down. (4656846)
- htmladmin.exe crashed when a secured Administration Server was stopped. (4529402)
- iPlanet Directory Access Router 5.0 was not able to share the same Administration Server <ServerRoot> as iPlanet Directory Server 5.1. (4692956) (This issue has been fixed on Solaris platforms only.)
- The db2ldif -r command created cache files as root and did not clean them up properly. (4656657 and 4653016)
- ns-slapd dbtest tool was not working. (4781823)
- Running the ldapsearch command with the sort option did not obtain the expected results. (4776001)
- A 2-pass ldif2db operation did not merge the indexes correctly. (4783910)
- VLV searches sometimes produced "Server reported sorting error". (4715065)
- Directory Server sometimes crashed while restoring the database. (4714196)
- The restore operation failed after server creation, until the server was restarted. (4714358)
- Running db2ldif -r with the -s or -n options could cause ns-slapd to crash. (4856331)
- ns-accountstatus.pl failed if the suffix included a white space. (4932782)
- Invalid warnings were displayed regarding index fragmentation. (4821289)
- db2ldif miscounted the number of processed entries. (4842620)
- If the retro change log plug-in was activated before a backup, the restore operation did not work. (4864622)
- ldif2db could crash if the dn component contained escaped trailing spaces. (4836491)
- bak2db failed if the target database directories were missing. (4894995)
- Running db2ldif -r could cause Directory Server to crash if smart referrals were defined. (2121347)
- Running db2ldif -r could cause Directory Server to crash if tombstone objects were being purged. (6185038)
iPlanet Directory Server 5.1 includes enhancements and fixes to the following known problems that occurred in earlier releases of iPlanet Directory Server:
- Previous releases of Directory Server included a security vulnerability in iPlanet Web Server 4.1. (535057)
- Directory Server 5.1 uses iPlanet Web Server 6, in which this vulnerability has been fixed.
- Server restart is no longer required after a change to the components allowed to chain. (528617)
- In previous releases of Directory Server, the console supported smart referrals only when the DN in the referral matched the DN of the entry containing the referral. (490281) Updated functionality in the console has removed this limitation and enhanced smart referral support.
- In previous releases of Directory Server, after changing the Directory Manager credentials, you were required to exit Directory Server Console and restart it for the change to be taken into account. (538549) This limitation has been removed.
- The behavior of multiple qualifiers with cosAttribute in a CoS definition is no longer undefined.
- In previous releases of Directory Server, you were required to authorize client IP access to the Administration Server from the machine running Directory Server Console. This limitation has been removed.
- When a delete operation is performed, the audit log now displays the DN identity of the operator. The additional information appears in the audit log as modifiersName: DN, where DN is the identity used to perform the delete operation.
- The newrdn and newsuperior operations are now recorded in the access log and any errors are described in the error log. (547272)
- Schema is now replicated during a total update operation. (541599)
- If you modify your schema on a server and then create a new replica, the initialization of this replica automatically updates the schema on the consumer server. Previously, the schema was not replicated when the replica was initialized, but instead with the first incremental update of the replica.
- In previous releases of Directory Server, changes to the nsslapd-dbcachesize attribute value under cn=config, were not always correctly taken into account. (539845, 539847) This condition is corrected in iPlanet Directory Server 5.1. The server writes an error message into the error log if the new value you provide is not within the permitted boundaries.
- In previous releases of Directory Server, deleting a role did not update the nsRoleDN attribute for each role member (533695). In iPlanet Directory Server 5.1, the referential integrity plug-in is configured to manage the nsRoleDN attribute. However, you must enable the referential integrity plug-in. By default, this plug-in is disabled. Also, add an equality index on nsRoleDN. Refer to the iPlanet Directory Server Administrator's Guide for details on creating indexes.
This section lists known limitations in Directory Server 5.1 Service Pack 4 and their workarounds. The areas with known limitations are as follows:
Caution: No other iPlanet product (such as iPlanet Web Server) should be installed in the same UNIX directory path as Directory Server, because this may disable critical functionality required for the correct operation of Directory Server.
Before upgrading from Directory Server 5.1 or 5.1 SP1, you must set your password policy not to check password syntax or password history (4830364). Follow the procedures in the iPlanet Directory Server Administrator's Guide to turn off these two features.
Directory Server 5.1
Directory Server 5.1 Service Pack 1
Directory Server 5.1 SP1 HOTFIX
Directory Server 5.1 Service Pack
Directory Server 5.1 SP2 HOTFIX3
Directory Server 5.1 Service Pack 3
Directory Server 5.1 Service Pack 4
setup -s -f filename
This problem is described in bug ID 4756839. To prevent this failure during a Service Pack 4 installation, launch the command ulimit -n and, depending on the result (value<=2048) enter the command ulimit -n 2048.
[slapd-(hostname)]: starting up server ...
[slapd-(hostname)]: - iPlanet-Directory/5.1 Service Pack 4 B2005.032.0645 starting up
[slapd-(hostname)]: - slapd started. Listening on all interfaces port 29000 for LDAP requests
Your new directory server has been started.
error: can't bind to server:Unable to bind to server. (Can't contact LDAP server (81) returned from
ldap_simple_bind_s(cn=Directory Manager))
system_errno:9
ERROR. Failure installing iPlanet Directory Server. Do you want to continue [n]?
C:\Documents and Settings\All Users\Start Menu\Programs\iPlanet Server Products
Select the shortcut TAB and add -l ja to the startconsole.exe script line. Click the Apply button to save your change.
rlim_max). This can be checked by entering the command ulimit -a -H. On Solaris 9, the default hard limit is 65536, and on Solaris 8 it is 1024.
(On Windows NT)
(On Windows 2000)
setup detects a default host and domain name. If your NIS domain is different from your DNS domain, the fully qualified host and domain name presented by the installer is incorrect. These values must be corrected to use the DNS domain name. (4527593)
http://server.software.ibm.com/cgi-bin/support/rs6000.support/downloads to http://www-1.ibm.com/servers/eserver/support/
X11.adt package in order for the Console to function. This package is not part of the standard bundle.
The Directory Server 4.x and 5.0 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize, auditlog-maxlogdiskspace, auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize must be migrated manually. (4529536) Update these values for the Logs entries in Directory Server Console under the Configuration tab. In each case, *log-maxlogsize values must remain smaller than *log-maxlogdiskspace values for the attributes to remain coherent. For more information, refer to the instructions on monitoring server and database activity in the iPlanet Directory Server Administrator's Guide.
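The coherence rule above, together with the expiration-time pairing from the Logs fixes (2121688, 5098376), as an added example that is not part of the release notes: a POSIX shell and awk lint over a cn=config entry. The nsslapd-<type>log-maxlogsize and nsslapd-<type>log-logmaxdiskspace spellings, the sample entry, and the treatment of -1 as unlimited are assumptions.

```shell
#!/bin/sh
# Added example: lint the log limits of a cn=config entry (dse.ldif).
# Assumptions: attributes are named nsslapd-<type>log-<key>, and a value
# of -1 means "unlimited" and is skipped by the size comparison.

# Reads LDIF on stdin, prints one line per finding, returns 1 if any.
lint_log_limits() {
    awk '
    {
        # Split "name: value" at the first colon; names are case-insensitive.
        sep = index($0, ":")
        if (sep == 0) next
        name = tolower(substr($0, 1, sep - 1))
        value = substr($0, sep + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", value)
        if (match(name, /^nsslapd-(access|audit|error)log-/)) {
            type = substr(name, 9, RLENGTH - 9)   # for example "accesslog"
            key = substr(name, RLENGTH + 1)       # for example "maxlogsize"
            val[type, key] = value
        }
    }
    END {
        n = split("accesslog auditlog errorlog", types, " ")
        for (i = 1; i <= n; i++) {
            t = types[i]
            hastime = ((t, "logexpirationtime") in val)
            hasunit = ((t, "logexpirationtimeunit") in val)
            size = val[t, "maxlogsize"]
            disk = val[t, "logmaxdiskspace"]
            # Rule from the migration note: maxlogsize < logmaxdiskspace.
            if (size != "" && disk != "" && size + 0 != -1 && disk + 0 != -1 &&
                size + 0 >= disk + 0) {
                printf "FAIL %s: maxlogsize %s is not smaller than logmaxdiskspace %s\n", t, size, disk
                bad++
            }
            # Deletion policy needs both the time and its unit.
            if (hastime != hasunit) {
                printf "WARN %s: only one of logexpirationtime and logexpirationtimeunit is set\n", t
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed cn=config fragment, not taken from a real server.
sample_config() {
    cat <<'EOF'
dn: cn=config
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-logmaxdiskspace: 500
nsslapd-auditlog-maxlogsize: 200
nsslapd-auditlog-logmaxdiskspace: 100
nsslapd-errorlog-maxlogsize: 100
nsslapd-errorlog-logmaxdiskspace: -1
nsslapd-errorlog-logexpirationtime: 1
EOF
}

# Stand-alone use: pass the path of a dse.ldif file as the first argument.
[ "$#" -eq 0 ] || lint_log_limits < "$1"
```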
The migration procedure may attempt to restart the server while it is already running. (4529552) Ignore error messages concerning attempts to restart the server by migrateInstance5.
On systems other than Windows, migration from Directory Server 5.0 to Directory Server 5.1 Service Pack 4 may fail if the PATH environment variable does not contain . (4529657) If necessary update your PATH appropriately. For example:
(ksh) $ export PATH=$PATH:.
(csh) % setenv PATH ${PATH}:.
Avoid using stdin and stdout on Windows NT with the ldapmodify command-line utility, particularly with non-ASCII data. Always use the -f option to specify the file containing the LDIF update statements (-f new_file) as this prevents the statements being read from stdin.
On Windows NT 4.0, the maximum address space an application can use is 2 GB. Because Directory Server 5.1 Service Pack 4 cannot use more than 2 GB of virtual memory, the sum of all caches configured for the server must be strictly less than 2 GB. If the size of the entry caches and of the database cache exceeds this limit, Directory Server will exit with an error message. For more information on cache limits on Windows NT, and on Windows 2000, refer to the iPlanet Directory Server Installation Guide.
On Windows 2000, the default font used by the console does not allow you to input Japanese characters. To avoid this issue, change the font. You can change the console font by selecting Preferences from the Edit menu in the Directory Console, and then changing the font through the interface under the Fonts tab.
On Windows systems, when managing the Directory Server SNMP subagent, all operations (start/stop/restart) return a failure (such as "An error occurred when...").
The requested operation actually succeeds but the result returned to the Console is incorrect.
On Windows NT / Windows 2000, stopping then starting Administration Server from Directory Server 5.1 Service Pack 4 will log an event stated as an error in the Application log (Settings > Control Panel > Administrative Tools > Event Viewer). The description of the event is the following:
The description for Event ID ( 0 ) in Source ( admin51-serv ) cannot
be found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. The following information is part of the event:
startup: server started successfully.
This is a warning message, since the Administration Server is correctly started. (4794690)
Deployments that use SSL for connection confidentiality across open networks that are subject to possible active attacks against the SSL connection should not use server certificates issued by one of the public Certification Authority (CA) organizations. (4615324)
To receive a warning message every time before a password expires, the attribute passwordExpireWithoutWarning must be set to "off". (4532757)
The correct procedure to change the administrator password in iPlanet Directory Server 5.x. (4708944) is as follows:
To ensure that an attacker with a certificate issued by a public CA cannot use that certificate to impersonate a Directory Server, the certificate databases of LDAP clients and of directory servers establishing outgoing SSL connections for replication or chaining must contain only the certificate of the non-public CA that issued the certificates to the servers which will be contacted. All other certificates from public CAs must be removed from the LDAP client or directory server's certificate database.
Deployments that are not subject to active attacks or deployments that use additional security mechanisms (such as a VPN when connections traverse the Internet) are not required to use a non-public Certification Authority to obtain a server certificate.
As the server does not enforce read-only permissions on SSL-enabled servers for certificate database files, key database files and PIN files, check that the file permissions on UNIX and ACLs on Windows protect the sensitive information contained in these files.
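One way to run the UNIX half of that check, as an added example that is not part of the release notes: a POSIX shell audit that flags certificate, key and PIN files accessible to anyone but the owner, and a containing directory that group or other can write to. The file-name patterns (*cert*.db, *key*.db, *pin*.txt) are assumptions.

```shell
#!/bin/sh
# Added example: audit UNIX permissions on certificate, key and PIN files.
# The file-name patterns in is_secret_name are assumptions; adapt them to
# the names used by your installation.

# Print the six group/other permission characters of a path, e.g. "r--r--".
# -L follows symbolic links so the target's mode is what gets checked.
group_other_bits() {
    ls -ldL -- "$1" | cut -c5-10
}

# True when the base name looks like a certificate db, key db or PIN file.
is_secret_name() {
    case "${1##*/}" in
        *cert*.db|*key*.db|*pin*.txt) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one directory. Prints one line per finding and returns
# 0 when clean, 1 when there are findings, 2 when the directory is missing.
audit_secret_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "ERROR not a directory: $dir"
        return 2
    fi

    # Group or other write access on the directory lets another account
    # replace or delete the databases, whatever the file modes are.
    case "$(group_other_bits "$dir")" in
        ?w????|????w?)
            echo "FAIL dir-writable $dir"
            findings=$((findings + 1)) ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue           # skip sub-directories and no-match
        is_secret_name "$f" || continue
        bits=$(group_other_bits "$f")
        if [ "$bits" != "------" ]; then
            echo "FAIL group-or-other-access ($bits) $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: pass the directory holding the databases and PIN file.
[ "$#" -eq 0 ] || audit_secret_dir "$1"
```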
If you have enabled certificate-based authentication in Directory Server, do not map your certificate to a distinguished name under cn=config or cn=monitor. (4529535) If you do so, bind attempts fail. Instead, map your certificate to an entry located elsewhere in the directory information tree.
On Windows NT and Windows 2000, a user on the console can shut down Directory Server. Care should be taken to restrict console access to computers running Directory Server.
To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but omit the targetattr keyword. (4529533) The following example ACI prevents the cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=sun.com:
Macro ACIs do not work if the subject is one of the constant types such as all or anyone. (4529529)
Account lockout remains in effect after a user password has been changed (4527623). If users forget their passwords and are locked out of the directory, the rootDN or entry entitled to change the user password can reset the account lock.
The schema provided with iPlanet Directory Server 5.1 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.
The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.
If you add more than 1,000 attributes to a single object class, the server displays configuration errors and fails to start.
Note that the aci attribute is now an operational attribute. It is not returned in a search unless you explicitly request it.
If chaining is configured between a 5.1 multiplexor and a 4.x farm server, add the nsuniqueid attribute to the 4.x farm server schema. If the nsuniqueid attribute is not added to the 4.x Directory Server schema, the 5.1 multiplexor does not find the entry it expects, so chaining fails. To add the attribute type to the 4.x schema add the following line to the 4.x farm server slapd-user_at.conf file under /usr/netscape/server4/slapd-serverID/config:
No explicit error message is sent to the user when an attempt to bind to a farm server during chaining fails because the password policy has expired. (4529539)
If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. (4529537) Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining succeeds.
If you change the port number on a supplier server, the change log database is cleared and replication will halt. In this case all consumers, hubs and suppliers must be reinitialized before replication can continue.
In the iPlanet Directory Server Administrator's Guide the section "Configuring Directory Server 5.1 as a Consumer of a Legacy Directory Server" incorrectly states that you do not need to specify a Supplier DN when configuring the consumer settings (step 7.) This is incorrect. When you configure the consumer settings, you must specify the Supplier DN that the legacy supplier server will use to bind. If you do not, you will not be able to save the consumer configuration.
Multi-master replication (MMR) is supported in a single data-center deployment. Master Directory Servers must be connected via a high-speed, low-latency network (with minimum connection speeds of 100Mb/second) to achieve full MMR support. MMR is not supported on a network where the bandwidth between Master Directory Servers is less than 1Mb/second and the latency is greater than 10ms, or on a network that might experience significant packet loss, which are the throughput and conditions that you might experience over a wide area network.
MMR support for wide area network (WAN) deployments is available in Directory Server version 5.2.
When configuring a multi-master replication deployment, the referential integrity plug-in must be enabled with the same configuration on all masters. The Deployment and Administration Guides incorrectly state that only one of the masters requires this plug-in.
Replication configured over SSL with certificate-based authentication will not work if the supplier's certificate is self-signed or if the supplier's certificate is only capable of behaving as an SSL server certificate, that is, unable to play the role of the client during an SSL handshake.
To change a replica role, you must disable replication, change the replica role, and then re-enable replication. (4527621)
Local schema modifications may be overwritten when a consumer database is created. (4529530)
Monitoring the replication update vector (RUV) for a replica object was adversely affected by a timing issue. It is now possible to monitor the RUV directly from the replica by doing the following search:
ldapsearch -h <hostname> -p <port number> -D <directory manager> -w <password> -b "cn=config" "objectclass=nsds5Replica" nsds50ruv
Removing the change log of a supplier through Directory Server Console requires that you remove the Replication Agreement before clearing the Enable Changelog checkbox. This step is missing from the Administration Guide. (5043682) To re-enable this change log, you will need to re-create the Replication Agreement.
Note that the above does not apply if the removal of the change log is performed with the following command line procedure:
stop the server
rm -rf ServerRoot/slapd-serverID/changelogdb
re-start the server
In this case the ServerRoot/slapd-serverID/changelogdb directory will be recreated with no additional configuration.
ldif2db import operations. (4529532)
restart-slapd command-line script. For more information concerning restart-slapd, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
JAVA_FONTS environment variable must be correctly set to enable use of Japanese characters in the console. For example:
slapd process does not start automatically when the system boots. On UNIX systems write an rc script to start the slapd process at boot time.
Memory available for Cache in the Database Settings to a value greater than 1073741824 bytes (1GB).
ns-slapd executable is created with a value of maxdata=0x50000000 to permit both the entry cache size (nsslapd-cachesize attribute) and database cachesize (nsslapd-dbcachesize attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size but lowers the maximum database cache size by the same amount, and vice versa. Contact your Directory Server support representative if you need to adjust the maxdata value.
nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting access control performs for group evaluation. Instead, levels of nesting is hard coded as 5. (4529540)
plugin postoperation on "referential integrity postoperation"
nsRoleDN attribute is used to define a role. It should not be used for evaluating role membership in a user's entry. When evaluating role membership, look at the nsrole attribute instead.
cosPriority.
Indexing
ns-slapd-db-idl-divisor, it is possible that extra entry IDs will be maintained in the index key (up to a maximum of 2029 extra entries). This can occur because Directory Server does not count all the entry IDs against Allidsthreshold until an index block becomes full. To remedy this, run db2index on an index. This will correct the index fragmentation and set the key to ALLIDS.
To enforce conformance with RFC2252, do the following:
db2ldif and ldif2db, or by rebuilding any index with DN syntax (entryDN, for example) (see Chapter 10, Managing Indexes in the iPlanet Directory Server Administrator's Guide.)
UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
Directory Server considers the values associated with xxxxx;binary and xxxxx as two different values. In practice, this is not always what is required.
A new configuration parameter nsslapd-binary-mode has been created in cn=config to change this behavior. The value of nsslapd-binary-mode can be one of compat51, auto, or strict.
UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
ldapmodify):
dn: cn=Retro Changelog plug-in,cn=plug-ins,cn=config
changetype: modify
add: nsslapd-plug-inarg0
nsslapd-plug-inarg0: -ignore_attributes
-
add: nsslapd-plug-inarg1
nsslapd-plug-inarg1: copyingFrom
db2ldif command, the errorlog files might not rotate as expected. This error is due to a conflict between db2ldif and ns-slapd. Both of these commands write into the errors.rotationinfo file without preserving the information that is already in the file. This is a known bug (4977934). This bug cannot be fixed through a Service Pack but will be addressed in the next release of Directory Server if a new log mechanism is introduced.
db2back operation, cancel it (using CTRL-C), and then import new data, the transaction logs are no longer deleted. (4815733)
db2back is in progress. In this case, you should use the db2back.pl script as a work-around. Note that this issue is solved in Directory server 5.2.
idsktune utility reports as missing any patches in the Sun recommended patch list that are not installed on the system, even if those patches relate to packages you have not installed.
ldapsearch, ldapmodify, ldapdelete, and ldapadd. For information regarding these utilities, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
http://hostname:administration_server_port_number
Select the iPlanet Administration Express link, and log in as admin.
-w- option). This functionality requires the Term::ReadKey Perl module, available separately. You can download this module from:
http://www.perl.com/CPAN/CPAN.html
Term::ReadKey Perl module, enable the Perl scripts to read the bind password interactively by editing each script, uncommenting the appropriate lines.
install-dir/slapd-serverid/config including the dse.ldif file.
nsslapd-db-logfile-size in dse.ldif manually, remove all log.* files from the database directory, and restart the server.
ldapmodify to change the transaction log directory. (4525267) Instead, stop the server, modify the nsslapd-db-logdirectory attribute in the dse.ldif file using a text editor, and restart the server.
bak2db can restore a database only to the default location. (4522793) To work around this, create the database remotely and add it with ldapmodify. To create a database remotely:
Create an LDIF file:
Use the ldapmodify utility to add the database:
ldapmodify -D "cn=Directory Manager" -w password -f /path/to/databasename
To move an existing database to another file system location:
Export the database to LDIF format using the db2ldif utility.
Follow the instructions provided in the iPlanet Directory Server Administrator's Guide to delete the database.
Create the database at the new location.
Use the ldif2db utility to restore the database you exported to LDIF format.
Note that once the database has been relocated, backups made from the old locations with the db2bak utility are no longer valid. Attempts to restore them may render the server unusable.
The section entitled "Configuring the Directory Manager" in the iPlanet Directory Server Administrator's Guide states "The password for this user is defined in the nsslapd-rootdn attribute". This is incorrect. The password is actually defined in the nsslapd-rootpw attribute instead of the nsslapd-rootdn attribute.
The online documentation files are installed with your Directory Server and can be found with your browser.
If you are working under Windows NT or have installed Directory Server 5.1 Service Pack 4 in a location other than /usr/iplanet/servers, adapt the following URLs accordingly:
Documentation Home Page: file:///usr/iplanet/servers/manual/en/slapd/dochome.htm
iPlanet Directory Server Installation Guide: file:///usr/iplanet/servers/manual/en/slapd/install/contents.htm
iPlanet Directory Server Deployment Guide: file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm
iPlanet Directory Server Administrator's Guide: file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm
iPlanet Directory Server Configuration, Command, and File Reference: file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm
iPlanet Directory Server Schema Reference: file:///usr/iplanet/servers/manual/en/slapd/schema/contents.htm
For general information on Directory Server, refer to:
http://wwws.sun.com/software/products/directory_srvr/home_directory.html
Sun Support Services maintains an online knowledge base containing technical articles and technical notes about common Directory Server issues. Search SunSolve at:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=home
If you experience issues with Directory Server 5.1 Service Pack 4, refer to Sun Software Support Services:
http://www.sun.com/service/sunone/software/index.html
Useful product information can be found at the following URLs:
Directory Server/Identity Management release notes and other documentation
http://docs.sun.com/db/prod/s1dirsrv
Sun Java System Professional Services information
http://www.sun.com/service/sunps/sun one/index.html
Sun developer information
http://developers.sun.com/
Sun learning solutions
http://www.sun.com/supportraining/
Sun product data sheets
http://wwws.sun.com/software
Sun Certified Engineer training
http://wwws.sun.com/software/training/certification/directory.html
Copyright © 1989 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
All advertising materials mentioning features or use of this software must display the following acknowledgment:
This product includes software developed by the University of California, Berkeley and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
This product contains the following software derived from RSA Data Security, Inc.
MD5 Message-Digest Algorithm
The source code to the Standard Version of Perl can be obtained from CPAN sites, including http://www.perl.com/.
This product incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code; the original compression sources are freely available from:
ftp://ftp.info-zip.org/pub/infozip/
Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved.