Directory Server 5.1 Service Pack 4 Release Notes

Updated February 23, 2005

Part Number 819-1814-10

These release notes contain important information available at the time of the release of Sun[tm] ONE Directory Server 5.1 Service Pack 4. This product was formerly called iPlanet Directory Server. New features and enhancements, known limitations, and other late breaking issues are addressed here. Read this document before you begin using iPlanet Directory Server 5.1 Service Pack 4.

An electronic version of these release notes can be found on Sun's documentation web site:

http://docs.sun.com/coll/S1_ipDirectoryServer_51

Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up to date release notes and manuals.

These release notes contain the following sections:

• Revision History

• What's New in iPlanet Directory Server 5.1

• Supported Platforms for iPlanet Directory Server 5.1 Service Pack 4

• Installation Procedures for iPlanet Directory Server 5.1 Service Pack 4

• Problems Corrected in iPlanet Directory Server 5.1 Service Pack 4

• Enhancements and Problems Corrected in iPlanet Directory Server 5.1

• Known Limitations

• Accessing Online Help and Online Documentation

• How to Report Problems

• For More Information

• Third Party License Acknowledgments

For information on hardware and software requirements, refer to the iPlanet Directory Server Installation Guide.

Revision History

Date	Description of Changes
February 24, 2005	Note on Solaris 10 support.
February 10, 2005	Publication of Directory Server 5.1 Service Pack 4 Release Notes. For ease of reference, additions and changes to these Release Notes (as compared to the Directory Server 5.1 Service Pack 3 Release Notes) appear in green.
June 28, 2004	Note added on changing port numbers.
May 05, 2004	Note added on legacy replication.
December 2, 2003	Publication of Directory Server 5.1 Service Pack 3 Release Notes. Certain known limitations that appeared in the previous Release Notes have been removed because they have been fixed in Directory Server 5.1 Service Pack 3. These include : In section Security : 4529541, 4527617, 4527608, 4527623 and 4530739 In section Replication : 4665571

---

What's New in iPlanet Directory Server 5.1

iPlanet Directory Server 5.1 contains the following new features and enhancements:

• Updated and improved management console. The new Directory Server Console offers an improved dialog for configuring replication, and a new directory browser. In this release, the Directory tab has several layout options for navigating the directory tree: as before with leaf entries in the right-hand pane, as a single tree in a single pane, or with attributes for the selected entry displayed on the right. For details, refer to Chapter 1 of the iPlanet Directory Server Administrator's Guide.

• Performance Improvements over Directory Server 5.0. This new release of Directory Server offers increased performance over Directory Server 5.0 and 4.x.

• Support for IPv6. Directory Server 5.1 can accept incoming connections from IPv6 clients. Currently Directory Server cannot interpret IPv6 addresses in access control instructions, or use IPv6 connections for operations such as replication and chaining. The Administration Console cannot be used on networks supporting only IPv6.

• Improved scalability and performance of Roles and Class of Service. Roles and Class of Service, introduced in iPlanet Directory Server 5.0, have been enhanced in this release to increase scalability.

• Support for the plug-in API. If you need to create custom plug-in functions you can also contact the iPlanet Professional Services organization at: http://www.sun.com/service/sunps/sun one/index.html.

• Schema Documentation. A new document, iPlanet Directory Server Schema Reference, describes the schema provided with Directory Server 5.1. The document focuses on schema objects useful to support your directory information.

Due to architectural changes made in iPlanet Directory Server, some features that were previously available are no longer included. These are:

• NT Sync Service. You can no longer create Windows NT accounts through the directory console. When you right click an entry under the Directory tab in the directory console and select New>User to display the Create New User dialog box, you still see the NTUser tab in the left-hand column. Since the Windows NT Sync Service is no longer available, using the fields of the NT User tab will create an entry in the directory only. No new Windows NT account is created.

• Database Backend Plug-in Interface. The enhanced pre-operation interfaces may be used instead of the database backend plug-in interface, to implement plug-ins that are designed to provide access to alternative directory data stores.

• Directory Server Gateway. The Directory Server Gateway is no longer delivered with iPlanet Directory Server 5.1. We recommend that you investigate LDAP Tag Library, scheduled to be available as part of the iPlanet Directory Server Resource Kit 5.1, as a good Directory Server Gateway replacement. For further information see: 

http://wwws.sun.com/software/download/

Supported Platforms for iPlanet Directory Server 5.1 Service Pack 4

Directory Server 5.1 Service Pack 4 is supported on the following platforms:

• Sun Solaris 10 for SPARC (64-bit) and x86
  This release of Directory Server is supported on Solaris 10 with the Solaris native packages delivery (IPLTxxxx packages) only.
  

• Sun Solaris 9 for SPARC and x86 (32 and 64-bit)

• Sun Solaris 8 for UltraSPARC (32 and 64-bit)

• Microsoft Windows NT 4.0 Server, SP 6a (x86 only)

• Microsoft Windows 2000 Server and Advanced Server SP 4 (x86 only)

• Hewlett-Packard HP-UX 11.0/11i (PA-RISC 1.1 or 2.0)

• IBM AIX 4.3.3 (Power PC)

• Red Hat Linux 7.2 (IA-32)

This release of Directory Server is not supported on Sun Solaris 2.6 or Sun Solaris 7. You must upgrade to Sun Solaris 8 before upgrading to or installing Directory Server 5.1 Service Pack 4.

Directory Server 5.1 Service Pack 4 requires specific operating system patches or service packs to be installed before Directory Server can be installed. Installation of Directory Server 5.1 Service Pack 4 may fail if the recommended patches or service packs are not present.

On operating systems other than Windows, you must run the idsktune utility prior to installing Directory Server 5.1 Service Pack 4. After you expand the product package, you will find the idsktune utility in the same directory as the setup program. Install the patches recommended by the idsktune utility. For more  information, refer to the iPlanet Directory Server Installation Guide.

You can obtain Sun Solaris patches from:

http://sunsolve.sun.com

Installation Procedures for iPlanet Directory Server 5.1 Service Pack 4

Note	If you run Administration Server as root, all commands initiated by the administration user will also be run as root. Therefore you must apply the same rules of confidentiality and security to the administration password as you would to the root password of your server.

If you are performing a new installation, refer to the iPlanet Directory Server Installation Guide. If you are upgrading from Directory Server 5.1, 5.1 SP1, 5.1 SP2 or 5.1 SP3, perform your upgrade as follows:

• If you are running a ZIP installation, upgrade by using the patch ZIP provided with Directory Server 5.1 SP4
• If you are running IPLT packages, upgrade by installing the following packages:
  
  SPARC: 113859-04
  x86: 114273-04 

Directory Server 5.1 SP4 and Directory Server 5.2.x both deliver a /usr/sbin/directoryserver command. (6176080).
Depending on the default version of Directory Server that is currently set, the /usr/sbin/directoryserver command calls the directoryserver command delivered with Directory Server 5.1 or that delivered with Directory Server 5.2.

The root administrator can set or get the default version of Directory Server by using the directoryserver command.

The directoryserver command delivered with Directory Server 5.1 SP4 has the following, additional options compared to that delivered with previous versions of Directory Server 5.1:

Usage: directoryserver
        -setdefaultversion | -d <version>
Usage: directoryserver
        -getdefaultversion | -g
Usage: directoryserver
        -listversions | -l
Usage: directoryserver
        -useversion | -u <version> subcommand {options-and-arguments ...}
        where options-and-arguments depend on the specific subcommand
Usage: directoryserver
    subcommand {options-and-arguments ...}
    where options-and-arguments depend on the specific subcommand
 
Important: The Directory Server 5.1 Service Pack 4 patches, 113859-04 and 114273-04, can be applied on a Solaris 10 system (SPARC and x86) only if this server has been upgraded from a Solaris 9 system.

It is possible to install Service Pack 4 on top of an existing, unbundled Directory Server 5.1 installation by performing the following steps:

1. Ensure that Administration Server is running.
2. Ensure that Directory Server 5.1 is running.
3. See the "Installation" section of the Known Limitations for instructions that apply to certain configurations. In particular, you must turn off the password history and disable the "check password history" features before installing Service Pack 4. 
4. Follow the procedures under "Using Typical Installation" in Chapter 3, "Using Express and Typical Installation," of the iPlanet Directory Server Installation Guide.
   

NOTE: In step 10, be sure to use the full path to the location where you originally installed Directory Server 5.1.

Directory Server 5.1 Service Pack 4 can also be installed on top of a running, localized, version of Directory Server 5.1. The objects delivered in Service Pack 4 (binaries, Java files, and so on) are not involved in the localization mechanism.

On HP-UX 11.0/11i platforms, ensure that the number of file descriptors is less than or equal to 2048 before installing Directory Server 5.1 Service Pack 4. Refer to the "Installation" section of the "Known Limitations" for more information.

If you are migrating from Netscape Directory Server 4.x (up to 4.16 SP1) or iPlanet Directory Server 5.0, refer to Chapter 6, Migrating From Previous Versions in the iPlanet Directory Server Installation Guide. Also, see the relevant installation and migration paragraphs in the "Known Limitations" section of these Release Notes.

Problems Corrected in iPlanet Directory Server 5.1 Service Pack 4

Directory Server 5.1 Service Pack 4 includes fixes to the following known problems that occurred in earlier releases of Directory Server. Fixes introduced in Service Pack 4 appear in green.

Replication

• The delete operation was not propagated to consumers in cascading replication. (4550044)
• On Windows platforms, an optimization test aborted replication processing. (4616579)
• nsTombstone entries were not purged. (4617521)
• Directory Server encountered many tombstone errors. (4633404)
• A replication supplier was disabled and could not restart when the RUV database was corrupt. (4533706)
• Replication became unsynchronized and stopped. (4617085)
• Changing case-sensitive attribute values failed in MMR. (4624693)
• A replication supplier crashed after deleting attributes. (4627443)
• Directory Server crashed or hung when replication was enabled. (4643122)
• Replication failed when migrating a consumer from Directory Server 5.0 and subsequent Service Packs. (4646392)
• Replication failed to restart from a supplier to a consumer. (4658810)
• Replication between 4.x and 5.1 servers stopped when updating operational attributes. (4665571)
• Directory Server crashed when certain replication agreement attributes were missing. (4672889)
• Turning system time backwards stopped replication. (4672960)
• A consumer chained database initialization requests when the distribution plug-in was enabled. (4684519)
• It was not possible to monitor the replication update vector in the replica object. (4691101)
• During data import the change log database could become corrupt and replication could fail. (4711201)
• Replication stalled for ten minutes and the server was inaccessible. (4711202)
• Referrals for modifying entries failed, due to the DN being trimmed at space characters. (4627760 and 4743633)
• Tombstone entries were not deleted if one master was never updated. (4639560)
• Accounts could not be unlocked on non-master 5.0 servers. (4527608)
• An invalid replication configuration caused the consumer to crash. (4742450)
• Disabling and re-enabling replication stopped replication on one master in a multi-master configuration. (4748399)
• In certain cases, a replication configuration in which a 5.1 consumer accepted updates from a legacy master, caused the server to crash. (4675387)
• Replication was unreliable with MODRDN operations from a 4.16 supplier. (4778334)
• The change log was not purged properly when a consumer was stopped before any changes were replicated. (4758387)
• Change log trimming did not take place in a multimaster environment. (4780230)
• Configuring nsslapd-changelogmaxage replaced the top object class of the cn=changelog5,cn=config entry with an indecipherable binary value. (4704039)
• During replication, modifications could be missing on a consumer. (4786475)
• Legacy replication failed when Password policy was enabled on 4.x servers. (4767182)
• The CSN value generating process has been improved to avoid a time skew. (4695152)
• Replication would not restart after restoring a database with the bak2db utility. (4689805)
• Replication broke when initialization occurred from both supplier servers. (4797685)
• A deadlock occurred on the ns-slapd server due to a cross locking problem in the entry cache. (4786154)
• Issuing two total updates on a server at the same time caused the first server to be unable to complete the operation. (4773823)
• Replication could crash when modifying an entry with a missing attribute name. (4813998)
• Directory Server could produce nsuniqueids that were not unique. (4818005)
• A modify-replace operation for a non-existent attribute caused the attribute to be present in searches. (4820037)
• A potential inconsistency between the replica update vector in the database and the change log has been fixed. (4836446)
• Directory Server could crash during the replication operation. (4863706)
• Password policy attributes were incorrectly handled in replication. (4930098)
• A consumer could crash if the syntax for an attribute was changed to "single value" and an entry with existing multi-valued data was changed. (4898449)
• In a multi-master replication configuration with one master serving as a backup server, when entries were modified and added on only one of the masters, replication consumed more and more time and CPU to propagate changes to the consumers. (4817676)
• After unconfiguring a master replica and reconfiguring it with another replica ID, errors regarding duplicate referrals occurred. (4863943)
• Several tombstone purging threads sometimes ran in parallel for the same replica. This generated errors messages because the threads were attempting to delete the same entries. It also caused useless resource usage (CPU and memory). (4920323)
• A deadlock in multi-master replication was possible during the conflict resolution process. (4925223)
• A useless (but harmless) error message regarding malloc 0 bytes was displayed during some VLV searches when an entry contained an attribute with an empty value. (4942664)
• On Linux platforms, Directory Server could crash when a replica agreement thread called gethostbyname. (4826863)
• After an online initialization, the consumer performance counters were not returned. (4838624)
• Imported tombstone entries were not purged. (4856329)
• Replication sessions over SSL could time out within slapd_poll(823). (4850722)
• Replication sometimes stopped with a systematic "Replication Busy" message. This happened when the replication session was still running while the agreement was being deleted. (4863001)
• In a multi-master replication topology, a re-initialized master was unable to replicate any changes. (4881653)
• At start time, the RUV object was sometimes NULL, which caused the server to crash. (4911678)Replication was not properly replayed in case that repeated ModifyRequest is made on entry. (4846165)
• In a replicated environment a consumer could crash if the updates coming from the supplier contained a large amount of state information. (4904414)
• Improvement of the CSN generator to avoid the time skew between a supplier and a consumer. (2101315)
• During CSN calculation, an offset is computed which adjusts time difference between a supplier and a consumer. This process is now activated every 250 milliseconds (it was one second in previous Directory Server 5.1 releases.) (4976005)
• A 24 hour time drift may occur between two replicas, which caused the replication mechanism to stop in previous versions. From Service Pack 4, a warning message is logged only. (5024106)
• Inconsistency between a master and consumer occurred when a super object class was added to the entry being modified. This is no longer the case. (2118490)
• Directory Server sometimes crashed on the consumer side during schema replication when legacy replication was enabled. (2121114)
• Replication halted after a consumer was stopped. (2121615)
• Directory Server sometimes crashed during a replication session if an entry contained duplicate values. (4976010)
• Replication stopped when deleting a null DN entry. (4976481)
• Under certain conditions, replication of the passwordExpirationTime and passwordExpWarned attributes did not succeed. (5013318)
• Replication sometimes stopped and restarted after issuing a "Send Updates Now" operation. (5071022)
• Hub replicas were sometimes unable to replicate updates due to an incorrect replica ID 65535 in the RUV. (5103276)

Console

• The replica ID was not displayed correctly on Windows platforms. (4589224)
• It was not possible to use special characters in the console administrator password. (4672914)
• User data could not be accessed in a remote directory server with SSL enabled. (4663658)
• Console modifications to the RDN caused exception violations when saved. (4668480)
• The Console did not display time correctly. (4615165)
• Bold Japanese characters were displayed as square boxes. (4645544)
• Removal of CA certificates failed. (4658787)
• The default install parameter for "Number of file descriptors" was out of range. (4592931)
• The Console could not display the user menu if there were more than 35 users. (4749234)
• It was not possible to set or clear the HUB radio button through the Console. (4538268)
• The Console failed to load the jss library on Linux platforms. (4704635)
• The iPlanet Administration Express tool was unable to display data if the installation path was too long. (4738639)
• Console startup failed on Windows 2000 if the installation path contained spaces. (4789601)
• The Console did not allow the addition of a member to a group which contained a double quote in the DN. (4683476)
• The Console performed a modrdn operation if no change was made in the Console Property Editor window and the OK button was pressed. (4669525)
• Directory Server hung when a backup task was issued from the Console. (4735919)
• The Indexes tab in Directory Server Console (Configuration Tab, data subtree, userRoot database, Indexes Tab) appeared as a blank screen. (4530509)
• The Console did not update modified/removed entry names. (4614559)
• Administration Express failed to display logs when a non default log directory was configured. (4911711)
• Directory Console on Windows rendered certain operations slowly. (4840960)
• The Console process grew when adding users. (4912539)
• In Directory Server 5.1 Service Pack 1 and following versions, the console did not handle backslashes in the RDN. This is fixed in Service Pack 4. (2057900)
• In Directory Server 5.1 Service Pack 3 and following versions, the startconsole command failed on Windows platforms with a Japanese or Korean locale. This is fixed in Service Pack 4. (2079262)
• On Windows NT, the console was unable to display the content of log files if they had been moved to a different directory. (5071675)
• When attempting to modify an entry using the property editor, the console returned the error "Unknown error with naming attribute" if the RDN and the matching attribute in the entry DN were in a different case. (4819904)

Database

• Old data was sometimes written back into the current database. (4638816)
• The ns-slapd process crashed during import operations. (4623119) 
• The maximum number of object locks was not set to the correct scaled value and caused the error message "libdb: Lock table is out of available locks". (4651972)
• Issuing the command db2ldif.pl -s "suffix" could cause replication to stop and the server to hang due to a database lock that was never unlocked. (4802963)
• Within a multi-master replication configuration, the error : "_cl5GetNextEntry: failed to get entry; db error - 12 Not enough space" was possible. (4652031)
• Database indexes were inappropriately set to ALLIDS. (4705641)
• Directory Server now supports large files (larger than 2GB). (4716745)
• The performance problem on HP-UX platforms has been fixed. (4911023)
• Directory Server sometimes crashed if an entry was deleted and immediately added again. (4885686)
• BVERSION and ancestorid.db3 files were left behind when deleting suffix. (4829894)
• Attribute subtypes were deleted from an index if they had the same value. (4912664)
• A number of issues in the database component (cores dumped upon stress, store unavailable under certain conditions, errors messages) have been fixed. (4938445, 4921426, 4916248, 4751092, 4866060)
• Under load, Directory Server stopped deleting the transaction logs and eventually consumed all free disk space. (5026748) (5104371)
• The bak2db command failed when databases were located in directories such as "db/db1", "db/db1/db2", "db/db1/db2/db3". (2121481)

Plug-Ins

• In a replication configuration, when the retro change log plug-in was enabled, change log trimming occurred every five minutes, regardless of the nsslapd-changelogmaxage value. (4652859 and 4809504)
• Only the first modification in the attribute to be checked was taken into account by both the 7-bit checking plug-in and the uid uniqueness plug-in. (4754469)
• The 7-bit checking plug-in did not check the correct attribute. (4786547)
• The distribution plug-in did not handle internal operations correctly. (4684519)
• The certificate mapping plug-in was not loaded on Linux platforms. (4778128)
• Directory Server could crash when adding a large number of entries that used the Roles Plug-In. (4865859)
• The ldapsearch -A operation against a chained database failed on results. (4865525)
• The Referential Integrity plug-in needed to be shutdown before the backend was shutdown. (4865653)
• Modifying an entry when the Attribute Uniqueness plug-in is enabled might cause Directory Server to crash. (2097654)
• Directory Server could crash while trimming the retro change log. (2099422)
• It was not possible to configure pass through authentication with URLs containing the same suffix. (2121644)
• The Pass Through Authentication Plug-In did not fail over to a second running server if the first configured server was unreachable. (5052660) 

Security 

• The process of finding the password attribute has been changed. (4619976)
• Directory Server did not verify the SSL peer host name. (4615324)
• Password expiration was inconsistent. (4532757)
• A security problem concerning the retro change log plug-in has been fixed. (4618824)
• The number of unsuccessful attempts was not reset after a successful bind. (4645887)
• An illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03. (4532320)
• The server failed to detect all the "empty string cases" for ACI definitions. This caused a core dump. (4719564)
• A security issue in 5.x Directory Administration Server (iWS 6.0SP1 and iWS 6.0SP2) has been fixed. (4707395)
• The ACI for 'Directory Administrators Group' has been fixed. (4713256)
• ACI evaluation was incorrectly performed for parent rules. (4753087)
• ACI evaluation was incorrectly applied to the recursive deletion of entries. (4795280)
• User passwords were still in clear after running the ldif2db command utility with the passwordStorageScheme set to SSHA. (4669879)
• The Directory Server instance hung when the SSL bound application was suspended. (4786504)
• The delete operation based on an entry DN containing numerous commas crashed the server. (4735062)
• The Directory Server Perl scripts exposed the user DN password. (4732352)
• The passwordHistory attribute did not work correctly. (4686213)
• A possible denial of service attack in Windows 2000 and Windows NT connection handling has been fixed (that is, aborted connections may remain open). (4773920)
• Directory Server could crash in an ACI evaluation. (4809846)
• Under certain conditions, binding with certificate and simple authentication could cause Directory Server to hang. (4883250)
• The passwordRetryCount failed to increment correctly in Directory Server 5.x. (4856290)
• It was possible to "ignore" password expiration. (4908443)
• Certain entries were incorrectly hidden or displayed if the ACL contained checks on attribute values or macro ACIs, and subtree or single-level searches were performed. (4913176 and 4918912)
• A vulnerability in SSL/TLS implementations of cipher suites that use block ciphers has been fixed. (4854898)
• ACI evaluation on database link servers failed to return only the DN attribute. (4913984)
• Local ACIs did not work correctly over a database link when specifying DNs. (4922595)
• Directory Server sometimes crashed when evaluating an ACL. (4830417)
• Directory Server hung when an ACL was modified and evaluated at the same time. (4840786)
• Directory Server now includes the fix for the security alert (referenced in bug ID 4945089). (4957279)
• The ASN1 Decoder could suffer Denial of service Attacks - CERT Advisory CA-2003-26 (4945089)
• A security issue in the Administration Express tool has been fixed. (4854827)
• An incorrect ACI syntax crashed Directory Server systematically. (4851870)
• Incorrect ACI syntax errors occurred after migration from Netscape Directory Server 4.x to Directory server 5.x. (4899320)
• Directory Server was prone to a root-dot-dot security attack due to a missing URL sanitation. (4929089)
• A MODIFY INTERNAL operation on the passwordRetryCount attribute could be chained to other servers. (4897873)
• Directory Server crashed during SSL initialization while running two start_tls sessions in parallel. (2097541)
• There was a deadlock with the start_tls and disconnect_server functions. (2097665)
• Directory Server sometimes crashed during ACI evaluation while modifying the value of a long attribute name - CERT security note: VU#258905 - (2121079)
• Directory Server could crash while checking the history of a clear password. (2097456)
• Directory Server 5.1 Service Pack 4 has been upgraded from NSS v3.3.4.1 to v3.3.4.2 to support SSL with certificates from Verisign. (4994274)
• Directory Server could crash at startup during ACI evaluation. (2119155)
• During the evaluation of the group access ACI, the Directory Server sometimes allocated a large memory size then exited because of a lack of memory. (2120414).
• The attribute passwordRetryCount was not updated properly when a bind failed. (4957314)
• Directory Server would not start up unless the change log files had the correct write permissions. (4957384)
• During a replication session, the pseudo attribute unhashed#user#password displayed the user password in clear text. (4965036)
• On Windows NT, Directory Server over SSL hung if there were more than sixty open SSL connections. (5084650)

Recovery 

• A Directory Server instance did not restart after a system crash. (4620546)
• Directory Server crashed when a client abandoned a persistent search operation. (4640273)

Connection

• Connections were sometimes closed even though they were not idle for the specified idletimeout. (4791877)
• Persistent search operations were not removed properly from the connection. (4671360)
• Connections for persistent searches were not cleaned up on Windows NT. (4886421)
• Various issues (memory leaks, crashes, error messages displayed) occurred when initiating or abandoning persistent searches. (4824825 and 4834508)
• On Windows NT, Directory Server could crash while removing an operation (pointing to a NULL value) from the connection. (4953750)
• On Windows NT, Directory Server did not close idle connections. (5044378) 

LDAP access 

• Directory searches failed on replicas with a scope of "one". (4614741)
• Directory crashed (SIGBUS) during a search. (4639232)
• The "bind time-out" was ignored for an unresponsive host. (4639408)
• Directory Server responded incorrectly to an unbind request. (4623308)
• The ldapmodify command incorrectly interpreted base 64 encoded values. (4665564)
• Directory Server crashed when binding to an entry that was being created. (4674387)
• Searches displayed incorrect results for specific order of search filters containing not operators. (4715955)
• A range search for an empty range such as (&(uid>=7)(uid<=9)) crashed the server. (4708296)
• Issuing an ldapdelete command with a very large DN could cause Directory Server to crash. (4735062)
• Substring searches did not work correctly on integer syntax attributes. (4717121)
• Directory Server accepted multiple additions of identical attribute-value pairs. (4722987)
• A "numsubordinates assertion failure" error occurred when adding a child entry to a parent entry on one master while simultaneously deleting the same parent entry from another master. (4709128)
• Directory Server crashed when filters were nested too deeply. (4621920)
• Directory Server could crash when performing an internal modification while attributes were being deleted. (4759670)
• Directory Server could crash when binding with an entry that had two or more virtual attribute values. (4787220)
• It was possible to create an entry with duplicate object class values. (4761010)
• Leading and trailing white spaces were ignored in substring searches. (4537169)
• Adding a value, then deleting another value in the same modify operation was badly handled by replication. (4780807)
• An ldapmodify operation on consumers with the managedsait control returned an "unwilling to perform" error instead of a referral. (4857614)
• Search results were logged twice if there was no backend for the search base. (4943975)
• Search operations were performed even if a custom pre_search plug-in returned a non-zero status. (4838863)
• A search on cn=config returned the directory manager DN (nsslapd-rootdn) in lowercase instead of maintaining the original case. (4880352)
• The triviality check was skipped when more than one attribute was modified. (4867299)
• Directory Server could crash when performing triviality check with empty attribute value in a modification operation. (4948365)
• Directory Server would sometimes crash when importing large entries. (4935077)
• Directory Server did not manage spaces in substring search filters correctly. (4537169)
• Directory Server could crash on intensive use of persistent searches and abandon operations. (4826265)
• Directory Server could crash if nationalization matching rule searches occurred in parallel. (4865435)
• Special characters (such as "(") were not allowed in the userPassword attribute for the administration entry. (4819399)
• DN normalization with double backslashes has been improved. (4848325)
• Directory Server sometimes crashed when importing a corrupted LDIF file. (4903397)
• Persistent search operations returned tombstone purging events. (2097509)
• On AIX platforms, an ladpsearch operation with a very long filter could cause Directory Server to crash. (2097600)
• The substring index became corrupted when deleting similar multiple attribute values. (2098090)
• A VLV search based on an empty container returned error 1 instead of 0. (2101163)
• Multiple asynchronous searches on the root DSE could cause Directory Server to crash. (2108974)
• The SLAPI_RESULT_CODE parameter was not updated in the pblock when sending the result. (5053912)
• An ldapsearch operation on the root DSE did not return the correct requested VLV indexes. (5088018)

Performance 

• Enabling the retro change log plug-in caused performance issues. (4639310)
• A looping thread increased CPU consumption. (4629441)
• A memory leak in the CoS plug-in has been fixed. (4630124)
• A memory leak in schema searches has been fixed. (4682961)
• The fix for bug ID 4705601 introduced a performance drawback : ldif2db hung during data import. (4738221)
• An ldif import crashed if entries contained a large number (more than 128) of attributes. (4723630)
• ldif2db crashed when importing an ldif file that contained entries with several values for an attribute, and these values were not continuous. (4737978)
• If the server was in a tombstone purging loop it did not react to the stop signal until it had completed. Thus, the server could take a long time to stop. (4646350)
• A memory leak existed in replication synchronization of two replicas. (4756215)
• A memory leak existed in password modification. (4773751)
• A memory leak existed in persistent search. (4777358)
• A memory leak existed in the ldapcompare operation. (4765575)
• Directory Server appeared to hang when an unindexed attribute in the referential integrity plug-in was present, and the plug-in was enabled during an update operation. This bug is fixed for all new instances using the nsroledn attribute. (4754595)
• Directory Server sometimes crashed during the import of a database. (4742083)
• A memory leak in the connection handling on Windows NT has been fixed. (4649319)
• A memory leak in replication has been fixed. (4805734)
• A modify/replace operation with more than five values generated duplicate values and a memory leak. (4807803)
• A modify/replace operation with more than five values corrupted the present/deleted values and generated a memory leak. (4813355)
• A memory leak in the start replication operation has been fixed. (4821198)
• A performance problem existed when adding an entry with an asterisk ("*") in the dn due to substring search for tombstones. (4891116)
• A memory leak on consumers in a single master replication configuration has been fixed. (4805734)
• After a certain time, database performance dropped due to database cache trickling. (4850717)
• Searches on suffix that contained a subsuffix triggered a memory leak. (4881181)
• A memory leak doing a series of adds and then deletes has been fixed. (4945548)
• Query performance deteriorated with large numbers of static groups. (2065178)
• A performance degradation with consecutive modrdn operations has been fixed. (2069342)
• An fdsync operation in Directory Server 5.1x caused a degradation in performance. (4921143)
• Directory Server sometimes stopped responding when an ldapsearch operation requested too many attributes. (2101262)
• Under certain conditions, Directory Server hangs due to a deadlock with internal counters. (2120389)
• Directory Server sometimes crashed while updating indexes which had no keys. (2120699)
• Directory Server could show performance degradation with substring searches if attribute values were too large. (4851879)
• Directory Server hangs when running VLV search and update operations simultaneously. (4973380)
• Directory server sometimes failed to stop. (5047431)
• A memory leak when running persistent search operations has been fixed. (2097441)
• A significant memory leak in Directory Server 5.1 has been fixed. (2097623)
• A memory leak occurred during certain modify operations, if the user was not allowed to modify some of the attributes. (2099197)
• A memory leak on modify operations of multi-valued attributes with substring indexes has been fixed. (4990956)
• A memory leak in the function cl5CreateReplayIterator() on the supplier and hub has been fixed. (5072159)
• A memory leak when evaluating a specific format of ACI has been fixed. (2117983)

Conformance 

• The default schema contained extra definitions not in RFC2307. (4629102)
• A DN that contained several escaped characters was incorrectly normalized. (4535845)
• A DN with white spaces did not conform to RFC2252. (4687038)
• Subtype attributes were not stored in the directory, as RFC2256 mandates. (4622371)
• There were issues when both LDAPv2 and LDAPv3 applications were using certificate related attributes. (4819710)

SNMP

• SNMP could crash on the HP-UX platform. (4743796)
• The SNMP master agent in Directory Server 5.1 Service Pack 3 was not sending traps. (4980328)

Logs

• Directory Server did not rotate the log files correctly. (4628444)
• The detection of a large BER encoded operation was logged in the error log file if the replication log level was activated. (4778154)
• Replication error messages were logged on the supplier if the passwordRetryCount was updated. (4784168)
• Aborting a backup (db2bak) prevented the removal of the transaction logs. (4815733)
• Access log rotation did not occur on restarting slapd. (4846332)
• The audit log files were not being rotated as configured. (4826843)
• The attribute nsslapd-accesslog-logminfreediskspace did not work as expected. (4928129)
• The audit log did not report the modifiersName and modifyTimestamp attributes on MODRDN operations. (2063534)
• The value of the nsslapd-XXXXXXlog-logmaxdiskspace attribute was not applied correctly over two Gigabytes. (4976129)
• If the nsslapd-XXXXXXlog-logexpirationtimeunit attribute, but not the nsslapd-XXXXXXlog-logexpirationtime attribute was defined, the deletion policy did not work correctly. (2121688)
• If the nsslapd-XXXXXXlog-logexpirationtime attribute, but not the  nsslapd-XXXXXXlog-logexpirationtimeunit was defined, the deletion policy did not work correctly. (5098376)
• The nsslapd-XXXXXXlog-logexpirationtimeunit attribute did not set the correct default value. (2101333)
• When the password policy was enabled on the consumer, the message "password is expiring on consumer in %d seconds" was incorrectly displayed on the master. (2120541)

Miscellaneous

• The most recent version of idsktune was not shipped in Directory Server 5.1. (4623199)
• Multiple attribute uniqueness plug-ins forced uniqueness between each other. (4649615)
• Time stamps in log files were stored incorrectly when Directory Server shut down. (4656846)
• htmladmin.exe crashed when a secured Administration Server was stopped. (4529402)
• iPlanet Directory Access Router 5.0 was not able to share the same Administration Server <ServerRoot> as iPlanet Directory Server 5.1. (4692956) (This issue has been fixed on Solaris platforms only.)
• The db2ldif -r command created cache files as root and did not clean them up properly. (4656657 and 4653016)
• ns-slapd dbtest tool was not working. (4781823)
• Running the ldapsearch command with the sort option did not obtain the expected results. (4776001)
• A 2-pass ldif2db operation did not merge the indexes correctly. (4783910)
• VLV searches sometimes produced "Server reported sorting error". (4715065)
• Directory Server sometimes crashed while restoring the database. (4714196)
• The restore operation failed after server creation, until the server was restarted. (4714358)
• Running db2ldif -r with the -s or -n options could cause ns-slapd to crash. (4856331)
• ns-accountstatus.pl failed if the suffix included a white space. (4932782)
• Invalid warnings were displayed regarding index fragmentation. (4821289)
• db2ldif miscounted the number of processed entries. (4842620)
• If the retro change log plug-in was activated before a backup, the restore operation did not work. (4864622)
• ldif2db could crash if the dn component contained escaped trailing spaces. (4836491)
• bak2db failed if the target database directories were missing. (4894995)
• Running db2ldif -r could cause Directory Server to crash if smart referrals were defined. (2121347)
• Running db2ldif -r could cause Directory Server to crash if tombstone objects were being purged. (6185038)

Enhancements and Problems Corrected in iPlanet Directory Server 5.1

iPlanet Directory Server 5.1 includes enhancements and fixes to the following known problems that occurred in earlier releases of iPlanet Directory Server:

• Previous releases of Directory Server included a security vulnerability in iPlanet Web Server 4.1. (535057)
• Directory Server 5.1 uses iPlanet Web Server 6, in which this vulnerability has been fixed.
• Server restart is no longer required after a change to the components allowed to chain. (528617)
• In previous releases of Directory Server, the console supported smart referrals only when the DN in the referral matched the DN of the entry containing the referral. (490281) Updated functionality in the console has removed this limitation and enhanced smart referral support.
• In previous releases of Directory Server, after changing the Directory Manager credentials, you were required to exit Directory Server Console and restart it for the change to be taken into account. (538549) This limitation has been removed.
• The behavior of multiple qualifiers with cosAttribute in a CoS definition is no longer undefined.
• In previous releases of Directory Server, you were required to authorize client IP access to the Administration Server from the machine running Directory Server Console. This limitation has been removed.
• When a delete operation is performed, the audit log now displays the DN identity of the operator. The additional information appears in the audit log as modifiersName: DN, where DN is the identity used to perform the delete operation.
• The newrdn and newsuperior operations are now recorded in the access log and any errors are described in the error log. (547272) Schema is now replicated during a total update operation. (541599)
• If you modify your schema on a server and then create a new replica, the initialization of this replica automatically updates the schema on the consumer server. Previously, the schema was not replicated when the replica was initialized, but instead with the first incremental update of the replica.
• In previous releases of Directory Server, changes to the nsslapd-dbcachesize attribute value under cn=config, were not always correctly taken into account. (539845, 539847) This condition is corrected in iPlanet Directory Server 5.1. The server writes an error message into the error log if the new value you provide is not within the permitted boundaries.
• In previous releases of Directory Server, deleting a role did not update the nsRoleDN attribute for each role member (533695). In iPlanet Directory Server 5.1, the referential integrity plug-in is configured to manage the nsRoleDN attribute. However, you must enable the referential integrity plug-in. By default, this plug-in is disabled. Also, add an equality index on nsRoleDN. Refer to the iPlanet Directory Server Administrator's Guide for details on creating indexes. 

Known Limitations

This section lists known limitations in Directory Server 5.1 Service Pack 4 and their workarounds. The areas with known limitations are as follows:

• Installation 
• Uninstallation 
• Migration 
• Windows NT / Windows 2000 
• Security 
• Schema  
• Chaining 
• Replication 
• Directory Server Console 
• Core Server 
• Server Plug-ins 
• Roles and Class of Service 
• Indexing 
• Tuning 
• Conformance 
• Compatibility 
• Miscellaneous

Installation

---

Caution

No other iPlanet product (such as iPlanet Web Server) be installed in the same UNIX directory path as Directory Server, because this may disable critical functionality required for the correct operation of Directory Server. In addition, on a Windows NT or Windows 2000 machine, Directory Server should be installed independently of any other iPlanet product to avoid conflicts with DLLs.

---

Before upgrading from Directory Server 5.1 or 5.1 SP1, you must set your password policy not to check password syntax or password history (4830364). Follow the procedures in the iPlanet Directory Server Administrator's Guide to turn off these two features.

• On performing an upgrade from Directory Server 5.1 to Directory Server 5.1 Service Pack 4 on UNIX, the administration port identifier will be changed. If restoration of the old administration port identifier value is required, the command admconfig can be used.
  
  The port identifier can be found in:
  
  % <ServerRoot>/admin-serv/config/adm.conf
  
  The following example changes the port number to 63333 and restarts the Administration Server (note that the verbose level will be set to 5):
  
  % <ServerRoot>/bin/admin/admconfig -server orange.iplanet.com:67891 -user chlee:password -verbose 5 -setPort 63333 -restart
  
  
• When performing an upgrade from the following versions of Directory Server the following warning message is logged: add value to attribute type aci in entry o=NetscapeRoot failed: duplicate value. This is a normal message because the ACI value for the entry o=NetscapeRoot is already set.

  • Directory Server 5.1

  • Directory Server 5.1 Service Pack 1

  • Directory Server 5.1 SP1 HOTFIX

  • Directory Server 5.1 Service Pack 

  • Directory Server 5.1 SP2 HOTFIX3

  • Directory Server 5.1 Service Pack 3

  • Directory Server 5.1 Service Pack 4

• iPlanet Directory Server cannot be installed properly through Microsoft Terminal Services.
  
  
• On Windows 2000, setup -f does not work without the -s option (4524708). If you perform installation using a configuration file on Windows 2000, it must be silent. For example:

  setup -s -f filename

• On HP-UX platforms only, before installing Directory Server 5.1 Service Pack 4 as a fresh installation or upgrading from a 5.1 version, you must verify that the number of file descriptors is less than or equal to 2048. If you do not check this, installation fails with the error:
  

  
  [slapd-(hostname)]: starting up server ...
  [slapd-(hostname)]: - iPlanet-Directory/5.1 Service Pack 4 B2005.032.0645 starting up
  [slapd-(hostname)]: - slapd started. Listening on all interfaces port 29000 for LDAP requests
  Your new directory server has been started.
  error: can't bind to server:Unable to bind to server. (Can't contact LDAP server (81) returned from
  ldap_simple_bind_s(cn=Directory Manager))
  system_errno:9
  ERROR. Failure installing iPlanet Directory Server. Do you want to continue [n]?
  
  

  This problem is described in bug ID 4756839. To prevent this failure during a Service Pack 4 installation, launch the command ulimit -n and, depending on the result (value<=2048) enter the command ulimit -n 2048.
  
  
• For Solaris (SPARC on x86) package installations, if Directory Server 5.2 packages are detected when the patch containing Service Pack 4 is applied (patch 113859-04 or patch 114273-04) a WARNING message is displayed. However, the installation of Service Pack 4 will continue unless you actively stop the installation. (4884416)
  
  
• On Windows systems, after upgrading a Japanese localized Directory Server version 5.1 to Service Pack 4, you must modify the start script "iPlanet Console 5.1" to start the console in Japanese. The script is located in:
  

  C:\Documents and Settings\All Users\Start Menu\Programs\iPlanet Server Products

Select the shortcut TAB and add -l ja to the startconsole.exe script line. Click the Apply button to save your change.

• The Administration Server in the Japanese localized bundled Directory Server breaks after applying patch 113859-02. You must therefore upgrade the SUNWj3rt package before applying patch 113859-x.
  
  
• On Solaris platforms, when a directory instance is created the number of file descriptors is set to a hard limit (rlim_max). This can be checked by entering the command ulimit -a -H. On Solaris 9, the default hard limit is 65536, and on Solaris 8 it is 1024.
  
  
• On Windows systems, the domain name for your host machine must be correctly configured prior to installing Directory Server 5.1 Service Pack 4. To configure the domain name for your host:
  

  (On Windows NT)

  • Open the Control Panel and run the Network utility.
  • Select the Protocols tab.
  • Select TCP/IP Protocol from the list.
  • Open the Properties dialog box.
  • Complete the fields under the DNS tab.

  (On Windows 2000)

  • Right-click on My Computer and select Properties.
  • On the Network Identification tab, select Properties.
  • Click More and complete the Primary DNS suffix of this computer field.
    
    
• If you are running Directory Server 5.1 Service Pack 4 on a 64-bit Sun Solaris 8 UltraSPARC machine, it will run as a 32-bit application.
  
  
• Do not install Directory Server 5.1 Service Pack 4 on top of an existing 4.x or 5.0 Directory Server installation. If Directory Server 4.x or 5.0 is already installed, install Directory Server 5.1 Service Pack 4 in a separate directory. After migrating your 4.x or 5.0 directory data to the Service Pack 4 directory and testing the results, remove the 4.x or 5.0 Directory Server.
  
  
• On Windows systems, always use the latest version of DLL files. Do not overwrite the more recent DLL files with those delivered with Directory Server 5.1 Service Pack 4.
  
  
• Use UTF-8 character set encoding when entering Distinguished Names during installation. Other encodings such as ISO-8859-1 are not supported. Installation operations do not convert data from local character set encoding to UTF-8 character set encoding.  LDIF files used to import data must also use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding.
  
  
• Be aware of the DNS naming resolution issue on systems using NIS. (4526504)
  
  
• During installation, setup detects a default host and domain name. If your NIS domain is different from your DNS domain, the fully qualified host and domain name presented by the installer is incorrect. These values must be corrected to use the DNS domain name. (4527593)
  
  
• AIX fixes have moved from:
  http://server.software.ibm.com/cgi-bin/support/rs6000.support/downloads
to http://www-1.ibm.com/servers/eserver/support/


• On AIX, you must install the X11.adt package in order for the Console to function. This package is not part of the standard bundle.

Uninstallation

• You will not receive a warning before proceeding with the uninstallation of the directory server containing configuration information under the o=NetscapeRoot suffix. This is the first directory server you installed and should be the last one you uninstall.
  
  
• On Windows 2000, after uninstallation of directory components installed with silent installation (setup -s -f filename) reinstallation always places directory components in the original install folder. (4526014) You can avoid this problem by removing all *.inf files in the \Documents and Settings\Administrator\Local Settings\Temp folder on the system disk drive after uninstallation.

Migration

• The Directory Server 4.x and 5.0 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize, auditlog-maxlogdiskspace,auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize must be migrated manually. (4529536) Update these values for the Logs entries in Directory Server Console under the Configuration tab. In each case, *log-maxlogsize values must remain smaller than *log-maxlogdiskspace values for the attributes to remain coherent. For more information, refer to the instructions on monitoring server and database activity in the iPlanet Directory Server Administrator's Guide.

• The migration procedure may attempt to restart the server while it is already running. (4529552) Ignore error messages concerning attempts to restart the server by migrateInstance5.

• On systems other than Windows, migration from Directory Server 5.0 to Directory Server 5.1 Service Pack 4 may fail if the PATH environment variable does not contain . (4529657) If necessary update your PATH appropriately. For example: 

  (ksh) $ export PATH=$PATH:.

  (csh) % setenv PATH ${PATH}:.

Windows NT / Windows 2000

• Avoid using stdin and stdout on Windows NT with the ldapmodify command-line utility, particularly with non-ASCII data. Always use the -f option to specify the file containing the LDIF update statements (-f new_file) as this prevents the statements being read from stdin.

• On Windows NT 4.0, the maximum address space an application can use is 2 GB. Because   Directory Server 5.1 Service Pack 4 cannot use more than 2 GB of virtual memory, the sum of all caches configured for the server must be strictly less than 2 GB. If the size of the entry caches and of the database cache exceeds this limit, Directory Server will exit with an error message. For more information on cache limits on Windows NT, and on Windows 2000, refer to the iPlanet Directory Server Installation Guide.

• On Windows 2000, the default font used by the console does not allow you to input Japanese characters. To avoid this issue, change the font. You can change the console font by selecting Preferences from the Edit menu in the Directory Console, and then changing the font through the interface under the Fonts tab.

• On Windows systems, when managing the Directory Server SNMP subagent, all operations (start/stop/restart) return a failure (such as "An error occurred when...").
  The requested operation actually succeeds but the result returned to the Console is incorrect.

• On Windows NT / Windows 2000, stopping then starting Administration Server from Directory Server 5.1 Service Pack 4 will log an event stated as an error in the Application log (Settings > Control Panel > Administrative Tools > Event Viewer). The description of the event is the following:

  The description for Event ID ( 0 ) in Source ( admin51-serv ) cannot
  be found. The local computer may not have the necessary registry
  information or message DLL files to display messages from a remote
  computer. The following information is part of the event:
  startup: server started successfully.

  This is a warning message, since the Administration Server is correctly started. (4794690)

Security

• Deployments that use SSL for connection confidentiality across open networks that are subject to possible active attacks against the SSL connection should not use server certificates issued by one of the public Certification Authority (CA) organizations. (4615324)

• To receive a warning message every time before a password expires, the attribute passwordExpireWithoutWarning must be set to "off". (4532757)

• The correct procedure to change the administrator password in iPlanet Directory Server 5.x. (4708944) is as follows:

  1. Log in to the Console as "cn=Directory Manager".
  2. Under the Users &Groups tab, change the administration user password in LDAP.
  3. Open the Administration Server Console.
  4. Select Configuration, Access.
  5. Change the administration password.
     (This password is stored in the admpw file.)
  6. Return to the Users & Groups tab.
  7. Click the Directory button.
  8. Change the User Directory Subtree to "o=NetscapeRoot".
  9. Search for "admin"(this is the Configuration Administrator).
  10. Change the password.

• To ensure that an attacker with a certificate issued by a public CA cannot use that certificate to impersonate a Directory Server, the certificate databases of LDAP clients and of directory servers establishing outgoing SSL connections for replication or chaining must contain only the certificate of the non-public CA that issued the certificates to the servers which will be contacted. All other certificates from public CAs must be removed from the LDAP client or directory server's certificate database.
  Deployments that are not subject to active attacks or deployments that use additional security mechanisms (such as a VPN when connections traverse the Internet) are not required to use a non-public Certification Authority to obtain a server certificate.

• As the server does not enforce read-only permissions on SSL-enabled servers for certificate database files, key database files and PIN files, check that the file permissions on UNIX and ACLs on Windows protect the sensitive information contained in these files.

• If you have enabled certificate-based authentication in Directory Server, do not map your certificate to a distinguished name under cn=config or cn=monitor. (4529535) If you do so, bind attempts fail. Instead, map your certificate to an entry located elsewhere in the directory information tree.

• On Windows NT and Windows 2000, a user on the console can shut down Directory Server. Care should be taken to restrict console access to computers running Directory Server.

• To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but omit the targetattr keyword. (4529533) The following example ACI prevents the cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=sun.com :

  aci:(target="ldap:///cn=*,ou=people,o=sun.com") (version 3.0; acl "Deny modrdn rights to the helpDeskGroup"; deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)

• Macro ACIs do not work if the subject is one of the constant types such as all or anyone. (4529529)

• Account lockout remains in effect after a user password has been changed (4527623). If users forget their passwords and are locked out of the directory, the rootDN or entry entitled to change the user password can reset the account lock.

Schema

• The schema provided with iPlanet Directory Server 5.1 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.

• The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.

• If you add more than 1,000 attributes to a single object class, the server displays configuration errors and fails to start.

• Note that the aci attribute is now an operational attribute. It is not returned in a search unless you explicitly request it. 

Chaining

• If chaining is configured between a 5.1 multiplexor and a 4.x farm server, add the nsuniqueid attribute to the 4.x farm server schema. If the nsuniqueid attribute is not added to the 4.x Directory Server schema, the 5.1 multiplexor does not find the entry it expects, so chaining fails. To add the attribute type to the 4.x schema add the following line to the 4.x farm server slapd-user_at.conf file under /usr/netscape/server4/slapd-serverID/config:

  attribute nsuniqueid nsuniqueid 2.16.840.1.113730.3.1.542 int single operational

• No explicit error message is sent to the user when an attempt to bind to a farm server during chaining fails because the password policy has expired. (4529539)

• If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. (4529537) Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining succeeds.

Replication

• If you change the port number on a supplier server, the change log database is cleared and replication will halt. In this case all consumers, hubs and suppliers must be reinitialized before replication can continue.

• In the iPlanet Directory Server Administrator's Guide the section "Configuring Directory Server 5.1 as a Consumer of a Legacy Directory Server" incorrectly states that you do not need to specify a Supplier DN when configuring the consumer settings (step 7.) This is incorrect. When you configure the consumer settings, you must specify the Supplier DN that the legacy supplier server will use to bind. If you do not, you will not be able to save the consumer configuration.

• Multi-master replication (MMR) is supported in a single data-center deployment. Master Directory Servers must be connected via a high-speed, low-latency network, (with minimum connections speeds of 100Mb/second) to achieve full MMR support. MMR is not supported on a network where the bandwidth between Master Directory Servers is less then 1Mb/second and the latency is greater than 10ms, or on a network that might experience significant packet loss; which is the throughput and conditions that you might experience over a wide area network.

  MMR support for wide area network (WAN) deployments is available in Directory Server version 5.2. 

• When configuring a multi-master replication deployment, the referential integrity plug-in must be enabled with the same configuration on all masters. The Deployment and Administration Guides incorrectly state that only one of the masters requires this plug-in.

• Replication configured over SSL with certificate-based authentication will not work if the supplier's certificate is self-signed or if the supplier's certificate is only capable of behaving as an SSL server certificate, that is, unable to play the role of the client during an SSL handshake.

• To change a replica role, you must disable replication, change the replica role, and then re-enable replication. (4527621)

• Local schema modifications may be overwritten when a consumer database is created. (4529530)

• Monitoring the replication update vector (RUV) for a replica object was adversely affected by a timing issue. It is now possible to monitor the RUV directly from the replica by doing the following search:

  ldapsearch -h <hostname> -p <port number> -D <directory manager> -w <password> -b "cn=config" objectclass=nsds5Replica" nsds50ruv

• Removing the change log of a supplier through Directory Server Console requires that you  remove the Replication Agreement before clearing the Enable Changelog checkbox. This step is missing from the Administration Guide. (5043682) To re-enable this change log, you will need to re-create the Replication Agreement.
  
  Note that the above does not apply if the removal of the change log is performed with the following command line procedure:
  
  stop the server
rm -rf ServerRoot/slapd-serverID/changelogdb
re-start the server
  
  In this case the ServerRoot/slapd-serverID/changelogdb directory will be recreated with no additional configuration.

Directory Server Console

• Trailing spaces are not preserved during a remote console import operation. Trailing spaces are preserved during both local console and ldif2db import operations. (4529532)
  
  
• Creating a Directory Server instance using the console creates a server in a different time zone on HP-UX and IBM AIX. (4529531) To synchronize the instance for replication, restart the server using the restart-slapd command-line script. For more information concerning restart-slapd, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
  
  
• Users without read access to configuration information cannot see the directory suffix in the directory browser of the console. (4525360) To allow such users read access, add it through ACI. Refer to the iPlanet Directory Server Administrator's Guide for instructions.
  
  
• On Linux, an SNMP subagent cannot be started using the console (4738032). As a workaround, start the subagent from the command line as follows:
  
  # cd ServerRoot/bin/slapd/serverid
  # ./ns-ldapagt -d ServerRoot/slapd-serverID
  
  Note: The SNMP master agent must be configured and working.
  
  
• On HP-UX, the JAVA_FONTS environment variable must be correctly set to enable use of Japanese characters in the console. For example:
  
  JAVA_FONTS=/opt/asx/lib/X11/fonts/ttfjpn.st/typefaces
  
  Adjust the path accordingly for your environment.
  
  
• Users and roles cannot be created through the console as inactivated. (4521017) Inactivate the user or role after you create it instead.

Core Server 

• The slapd process does not start automatically when the system boots. On UNIX systems write an rc script to start the slapd process at boot time.
  
  
• Stopping the server during export, backup, restore, or index creation causes it to crash.
  
  
• On Windows NT and AIX platforms, do not set Memory available for Cache in the Database Settings to a value greater than 1073741824 bytes (1GB).
  
  
• AIX applications have a restrictive memory model. The AIX ns-slapd executable is created with a value of maxdata=0x50000000 to permit both the entry cache size (nsslapd-cachesize attribute) and database cachesize (nsslapd-dbcachesize attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size but lowers the maximum database cache size by the same amount, and vice versa. Contact your Directory Server support representative if you need to adjust the maxdata value.
  
  
• Initializing the database with a file that is not accessible causes the server to crash. (4523595)

Server plug-ins 

• Directory Server 5.1 Service Pack 4 provides the UID Uniqueness plug-in. By default the plug-in is not activated. To ensure attribute uniqueness for specific attributes, create a new instance of the Attribute Uniqueness plug-in for each attribute. For more information on the Attribute Uniqueness plug-in, refer to the iPlanet Directory Server Administrator's Guide.
  
  
• The referential integrity plug-in is now off by default. Refer to "Maintaining Referential Integrity" in Chapter 2 of the iPlanet Directory Server Administrator's Guide for instructions on enabling and configuring the referential integrity plug-in. However, the documentation incorrectly states that the referential integrity plug-in should be enabled only on one master server. In multi-master replication environments, you must enable the plug-in with an identical configuration on all master servers.
  
  
• When enabling the referential integrity plug-in in Directory Server 5.1 Service Pack 4, if an unindexed attribute is present in the referential integrity plug-in attribute list, the server may encounter performance issues. (4754595)
  
  
• The Access Control plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting access control performs for group evaluation. Instead, levels of nesting is hard coded as 5. (4529540)
  
  
• When disk space is filled, Directory Server crashes and does not restart. (4527611)
  
  
• When replicating from a 4.x master to a 5.x consumer, with referential integrity enabled, you must reconfigure the referential integrity plug-in on the 4.x master to write referential integrity changes to the 4.x change log. This enables referential integrity changes to be replicated. If you do not reconfigure the plug-in, referential integrity will not work correctly.
  
  
• To reconfigure the referential integrity plug-in in this environment:Stop the 4.x server.
  
  
1. Open the slapd.ldbm.conf file located in ServerRoot/slapd-ServerID/config/.
   
   
2. Locate the line that begins :
   

   plugin postoperation on "referential integrity postoperation"
   
   

3. Modify this line by changing the argument that appears just before the list of attributes from 0 to 1.
   
   For example, change:
   plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll"
   referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 0 "member" "uniquemember" "owner"
   "seeAlso"
   to
   plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll"
   referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 1 "member" "uniquemember" "owner"
   "seeAlso"
   
   
4. Save the slapd.ldbm.conf file.
   
   
5. Restart the server.
   
   
6. Reinitialize the 5.x consumer from the 4.x supplier.

Roles and Class of Service 

• The nsRoleDN attribute is used to define a role. It should not be used for evaluating role membership in a user's entry. When evaluating role membership, look at the nsrole attribute instead.
  
  
• The behavior for negative CoS template priority values is not defined in the server. Do not enter negative values. Note that Indirect CoS does not support cosPriority.

Indexing

• VLV indexes do not work correctly if they encompass more than one database.
  
  
• If extreme index key fragmentation occurs (which can be caused by frequent add and delete operations) and you have not adjusted the value of ns-slapd-db-idl-divisor, it is possible that extra entry IDs will be maintained in the index key (up to a maximum of 2029 extra entries). This can occur because Directory Server does not count all the entry IDs against Allidsthreshold until an index block becomes full. To remedy this, run db2index on an index. This will correct the index fragmentation and set the key to ALLIDS.

Tuning

The amount of memory allocated during entry cache allocation is greater than the amount of memory requested. Therefore, more memory is allocated than specified with the nsslapd-cachememsize parameter. As a consequence the Directory Server process grows more than expected and can exceed the process size limit for 32-bit processes - which results in undesired behavior.

In order to handle modifications made to directory data in the same order on all replica servers (including suppliers and hubs), the directory needs to keep the change history of attributes. This is also called the entry state information. The history is purged after the purge delay - but only when the entry is modified again. So entries can grow large and use more room in the entry cache. This consequently reduces the number of entries in the cache. With large attributes or a high modification frequency, entries can grow larger than the entry cache itself. This results in undesired behavior. For single-valued attributes, the history is not kept. The state information can be dumped using db2ldif -r - a normal LDAP search operation returns the current values.

To avoid undesired behavior, do the following:


• Do NOT use nsslapd-cachesize to set the entry cache limit. Set this parameter to -1. Use nsslapd-cachememsize instead.
• When migrating from 4.16SP1 to 5.x, use nsslapd-cachememsize rather than nsslapd-cachesize.
• The sum of all caches for a 32-bit version must not exceed 2 GB
• Make sure that ns-slapd (32-bit) never exceeds 3.0 GB in a fully primed but inactive state, or 3.2GB in an active state.
• Set the nsslapd-cachememsize parameter to 60 % of your desired entry cache maximum.
• Examine your schema definition. Set attributes to single-valued unless otherwise required.

Conformance

• By default, Directory Server 5.1 Service Pack 4 does not conform to RFC2252 when handling:
  
  
  • DNs with multiple white spaces. (4687038)
  • DNs with multiple escaped characters. (4535845)

  To enforce conformance with RFC2252, do the following:

  • Create a file <ServerRoot>/slapd-<ServerInstance>/config/newnormdn.
  • Restart the directory instance.
  • Rebuild the index databases, either by doing a db2ldif and ldif2db, or by rebuilding any index with DN syntax (entryDN, for example) (see Chapter 10, Managing Indexes in the iPlanet Directory Server Administrator's Guide.)
    
    
• Issues may arise when both LDAPv2 and LDAPv3 applications use certificate related attributes. (4819710):
  
  
  • The LDAPv2 protocol specifies that the attribute should be xxxxx (where xxxxx is one of: UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
    
    
  • The LDAPv3 protocol specifies that the attribute should be xxxxx;binary.

  Directory Server considers the values associated with xxxxx;binary and xxxxx as two different values. In practice, this is not always what is required.

  A new configuration parameter nsslapd-binary-mode has been created in cn=config to change this behavior. The value of nsslapd-binary-mode can be one of compat51, auto, or strict.

  • compat51 is the default value and provides the original behavior. xxxxx and xxxxx;binary refer to distinct values (where xxxxx is one of: UserCertificate, CACertificate, CertificateRevocationList, AuthorityRevocationList, or CrossCertificatePair.)
    
    
  • auto implies that the server considers xxxxx and xxxxx;binary as the same attribute. Searches return either the attribute specifically requested or xxxxx in LDAPv2 and xxxxx;binary in LDAPv3.
    
    
  • strict is the same as auto except that requests that are not conformant are rejected with an INVALID PROTOCOL error (reject ;binary subtype in an LDAPv2 request or without subtype in an LDAPv3 request.)

Compatibility

• Some performance issues have been observed when 5.x retro change log functionality is used (Meta Directory) (4639310). Directory Server 5.1 Service Pack 3 fixed these performance issues by preventing internal attributes from being logged. To activate the fix, import the following LDIF file (through the console or using ldapmodify):

  dn: cn=Retro Changelog plug-in,cn=plug-ins,cn=config
changetype: modify
add: nsslapd-plug-inarg0
nsslapd-plug-inarg0: -ignore_attributes
add: nsslapd-plug-inarg1
nsslapd-plug-inarg1: copyingFrom

• On Windows platforms, iPlanet Directory Access Router 5.0 is not able to share the same Administration Server <ServerRoot> as Directory Server 5.1. (4692956)

Miscellaneous

• When you dump a database by using the db2ldif command, the errorlog files might not rotate as expected. This error is due to a conflict between db2ldif and ns-slapd. Both of these commands write into the errors.rotationinfo file without preserving the information that is already in the file. This is a known bug (4977934). This bug cannot be fixed through a Service Pack but will be addressed in the next release of Directory Server if a new log mechanism is introduced.
  
  
• If you launch a db2back operation, cancel it (using CTRL-C), and then import new data, the transaction logs are no longer deleted. (4815733)
  You may encounter a situation that forces you to use CTRL-C while db2back is in progress. In this case, you should use the db2back.pl script as a work-around. Note that this issue is solved in Directory server 5.2.
  
  
• Do not set command path and library path variables for executing command line utilities and Perl scripts. Instead change to the directory in which they are stored. Although it is possible to set command path and library path variables to execute the utilities and scripts, this is not the recommended procedure because you run the risk, particularly when you have more than one server version installed, not only of disrupting the correct execution of other command utilities and scripts, but also of compromising the security of the system.
  
  
• On Sun Solaris only, the idsktune utility reports as missing any patches in the Sun recommended patch list that are not installed on the system, even if those patches relate to packages you have not installed.
  
  
• Note the LDAP utility man pages on the Sun Solaris platforms do not document the iPlanet version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete, and ldapadd. For information regarding these utilities, refer to the iPlanet Directory Server Configuration, Command, and File Reference.
  
  
• On Sun Solaris, you can monitor only one Directory Server instance at a time with SNMP. (4529542)
  
  
• You cannot read logs through the Directory Server Console if the server is not running. Instead, browse the iPlanet Console page at:

  http://hostname:administration_server_port_number


  Select the iPlanet Administration Express link, and log in as admin.
  
  
• For security reasons, many command line scripts written in Perl can now read the bind password interactively (-w- option). This functionality requires the Term::ReadKey Perl module, available separately. You can download this module from:
  
  http://www.perl.com/CPAN/CPAN.html
  
  All other script functionality remains available without this module. After installing the Term::ReadKey Perl module, enable the Perl scripts to read the bind password interactively by editing each script, uncommenting the appropriate lines.
  
  
• Some of the script and command-line usage information is not up to date.
  
  
• Unsynchronized server configuration information can cause restores to fail. Immediately after changing the configuration, back up all files under the configuration directory, install-dir/slapd-serverid/config including the dse.ldif file.
  
  
• Changing the maximum size of the transaction log file has no effect if log files already exist in the database directory. (4523783) Instead, stop the server, modify nsslapd-db-logfile-size in dse.ldif manually, remove all log.* files from the database directory, and restart the server.
  
  
• The iPlanet Directory Server Adminstrator's Guide incorrectly suggests stopping Directory Server and using ldapmodify to change the transaction log directory. (4525267) Instead, stop the server, modify the nsslapd-db-logdirectory attribute in the dse.ldif file using a text editor, and restart the server.
  
  
• The server does not support LDAP search requests containing a filter that references virtual attributes. (4527614)
  
  
• bak2db can restore a database only to the default location. (4522793) To work around this, create the database remotely and add it with ldapmodify. To create a database remotely:

  • Create an LDIF file:

    dn: cn=databasename,cn=ldbm database,cn=plug-ins,cn=config changetype: add objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance cn: databasename nsslapd-suffix: o=databasename nsslapd-directory: /path/to/databasename dn: cn="o=databasename",cn=mapping tree,cn=config changetype: add objectclass: top objectclass: extensibleObject objectclass: nsMappingTree cn: "o=databasename" nsslapd-state: backend nsslapd-backend: databasename

  • Use the ldapmodify utility to add the database:

    ldapmodify -D "cn=Directory Manager" -w password -f /path/to/databasename

  To move an existing database to another file system location:

  • Export the database to LDIF format using the db2ldif utility.

  • Follow the instructions provided in the iPlanet Directory Server Administrator's Guide to delete the database.

  • Create the database at the new location.

  • Use the ldif2db utility to restore the database you exported to LDIF format.

  Note that once the database has been relocated, backups made from the old locations with the db2bak utility are no longer valid. Attempts to restore them may render the server unusable.

• The section entitled "Configuring the Directory Manager" in the iPlanet Directory Server Administrator's Guide states "The password for this user is defined in the nsslapd-rootdn attribute". This is incorrect. The password is actually defined in the nsslapd-rootpw attribute instead of the  nsslapd-rootdn attribute.

Accessing Online Help and Online Documentation

The online documentation files are installed with your Directory Server and can be found with your browser.

If you are working under Windows NT or have installed Directory Server 5.1 Service Pack 4 in a location other than /usr/iplanet/servers, adapt the following URLs accordingly:

Documentation Home Page: file:///usr/iplanet/servers/manual/en/slapd/dochome.htm

iPlanet Directory Server Installation Guide: file:///usr/iplanet/servers/manual/en/slapd/install/contents.htm

iPlanet Directory Server Deployment Guide: file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm

iPlanet Directory Server Administrator's Guide: file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm

iPlanet Directory Server Configuration, Command, and File Reference: file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm

iPlanet Directory Server Schema Reference: file:///usr/iplanet/servers/manual/en/slapd/schema/contents.htm

How to Report Problems

For general information on Directory Server, refer to:

http://wwws.sun.com/software/products/directory_srvr/home_directory.html

Sun Support Services maintains an online knowledge base containing technical articles and technical notes about common Directory Server issues. Search SunSolve at:

http://sunsolve.Sun.COM/pub-cgi/show.pl?target=home

If you experience issues with Directory Server 5.1 Service Pack 4, refer to Sun Software Support Services:

http://www.sun.com/service/sunone/software/index.html

For More Information

Useful product information can be found at the following URLs:

• Directory Server/Identity Management release notes and other documentation
  http://docs.sun.com/db/prod/s1dirsrv

• Sun Java System Professional Services information
  http://www.sun.com/service/sunps/sun one/index.html

• Sun developer information
  http://developers.sun.com/

• Sun learning solutions
  http://www.sun.com/supportraining/

• Sun product data sheets
  http://wwws.sun.com/software

• Sun Certified Engineer training
  http://wwws.sun.com/ software/training/certification/directory.html

Third-Party License Acknowledgments

Copyright © 1989 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: 

   This product includes software developed by the University of California, Berkeley and its contributors.

4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology. 

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This product contains the following software derived from RSA Data Security, Inc.

• MD5 Message-Digest Algorithm

The source code to the Standard Version of Perl can be obtained from CPAN sites, including http://www.perl.com/. 

This product incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code; the original compression sources are freely available from: 

ftp://ftp.info-zip.org/pub/infozip/

Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved.