Oracle Directory Server Enterprise Edition Release Notes 11g Release 1 (
Known Problems and Limitations in ODSEE

This section lists known problems and limitations at the time of release.

ODSEE Limitations

Number of servers that can be managed using DSCC

The Directory Service Control Center (DSCC) enables centralized administration of ODSEE and Directory Proxy Server instances. The current version of DSCC has been tested successfully in an environment of 42 server instances, supporting most common configurations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with Error 53: DSA is unwilling to perform. While ODSEE 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

Note - The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, ODSEE does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated ODSEE instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of the Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already applied this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The ODSEE configuration properties max-thread-per-connection-count and ds-polling-thread-count do not apply for Windows systems.

Console does not allow administrator login on Windows XP

The console does not allow administrators to log in to a server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, Directory Server Indexing, in Oracle Directory Server Enterprise Edition Administration Guide for details.

When installed with the ZIP distribution, ODSEE uses port 21162 as the default of the Common Agent Framework (CACAO).

The default port of the Common Agent Framework (CACAO) is 11162. When installed with the native distribution, ODSEE uses this default port. However, when installed with the ZIP distribution, ODSEE uses port 21162 by default. Be sure to specify the right port number when creating or registering a server instance with DSCC.

Known ODSEE Issues in 11g Release 1 (

This section lists the issues that are known at the time of the ODSEE 11g Release 1 (


The server may hang if a changelog trimming is ongoing while an online restore is started.


Some ODSEE error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Oracle support.


When entries are imported from LDIF, ODSEE does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
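One way to do the preprocessing, as an added example that is not part of the Oracle release notes: the Python function below appends createTimestamp and modifyTimestamp in GeneralizedTime form to every LDIF entry that lacks them. The name add_timestamps and the sample entries are constructed for illustration, and every entry receives the preprocessing time rather than its real creation time.

```python
import re
from datetime import datetime, timezone

TS_ATTRS = ("createTimestamp", "modifyTimestamp")

def add_timestamps(ldif_text, when=None):
    """Return LDIF content with both timestamp attributes on every entry.

    add_timestamps is a hypothetical helper, not an ODSEE tool. The stamp is
    the preprocessing time, so it records when the file was prepared.
    """
    moment = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = moment.strftime("%Y%m%d%H%M%SZ")  # GeneralizedTime in UTC
    out = []
    # Entries are separated by one or more blank lines.
    for block in re.split(r"\n(?:[ \t]*\n)+", ldif_text.strip()):
        # Unfold continuation lines (newline + space) to read attribute names.
        unfolded = re.sub(r"\n ", "", block).split("\n")
        names = {line.split(":", 1)[0].split(";")[0].lower()
                 for line in unfolded
                 if ":" in line and not line.startswith("#")}
        if "dn" in names:  # leave the "version: 1" header block untouched
            for attr in TS_ATTRS:
                if attr.lower() not in names:  # keep values already present
                    block += f"\n{attr}: {stamp}"
        out.append(block)
    return "\n\n".join(out) + "\n"

# Constructed sample: one folded value, one entry that already has a timestamp.
SAMPLE_LDIF = """version: 1

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
description: a long value folded
 across two lines

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
createTimestamp: 20100101000000Z
"""

if __name__ == "__main__":
    print(add_timestamps(SAMPLE_LDIF), end="")
```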


The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert \
      /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert \
      /tmp/consumer-cert.txt
  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.


ODSEE does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.
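To find ACIs affected by this parsing issue before loading them, the following added example (not part of the Oracle release notes) scans LDIF for ACI target DNs that contain an escaped quote or exactly one escaped comma. The function name risky_aci_targets and the sample entries are constructed for illustration; the single-comma entry mirrors the one shown above.

```python
import re

# Matches target="ldap:///<dn>" (not targetattr/targetfilter); the DN group
# consumes backslash-escaped characters so \" does not end the match early.
TARGET_RE = re.compile(
    r'\(\s*target\s*!?=\s*"ldap:///(?P<dn>(?:\\.|[^"\\])*)"', re.I)

def risky_aci_targets(ldif_text):
    """Return (entry_dn, target_dn, reason) for targets matching the issue.

    risky_aci_targets is a hypothetical helper name, not an ODSEE command.
    """
    findings = []
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # join LDIF continuation lines
    entry_dn = None
    for line in unfolded.splitlines():
        lowered = line.lower()
        if lowered.startswith("dn:"):
            entry_dn = line[3:].strip()
        elif lowered.startswith("aci:"):
            for match in TARGET_RE.finditer(line):
                dn = match.group("dn")
                # Characters that follow a backslash, read left to right,
                # so an escaped backslash before a comma is not miscounted.
                escaped = re.findall(r"\\(.)", dn)
                if '"' in escaped:
                    findings.append((entry_dn, dn, "escaped quote"))
                elif escaped.count(",") == 1:
                    findings.append((entry_dn, dn, "single escaped comma"))
    return findings

# Constructed sample: escaped quotes, one escaped comma, two escaped commas.
SAMPLE_ACI_LDIF = r'''
dn: o=Example \"Quoted\" Company,dc=example,dc=com
aci: (target="ldap:///o=Example \"Quoted\" Company,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn: o=Example Company\, Inc.,dc=example,dc=com
aci: (target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

dn: o=Example\, Company\, Inc.,dc=example,dc=com
aci: (target="ldap:///o=Example\, Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "twoCommas";
 allow (all) userdn ="ldap:///self";)
'''

if __name__ == "__main__":
    for entry, target, reason in risky_aci_targets(SAMPLE_ACI_LDIF):
        print(f"{reason}: {target} (entry {entry})")
```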


On Windows, SASL authentication fails because SASL encryption is used.

To work around the issue caused by SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

dn: cn=SASL, cn=security, cn=config
dssaslminssf: 0
dssaslmaxssf: 0

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.


Neither Directory Service Control Center nor the dsconf command allows you to configure how ODSEE handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. ODSEE logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.


Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.


After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.


For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To work around this issue, access the man pages at Oracle Directory Server Enterprise Edition Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.


When enabling referral mode for ODSEE by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.


After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.


On Windows systems, ODSEE has been seen to fail to start when the base name of the instance is ds.


On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.


When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.


When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers (that is, a user that is defined locally on the machine rather than an NIS user.)


The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.


On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.


For servers registered in DSCC as listening on all interfaces (, attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have an SSL port only and secure-listen-address setup with Directory Server Enterprise Edition, use this workaround:

  1. Unregister the server from DSCC:

    dsccreg remove-server /local/myserver
  2. Disable the LDAP port:

    dsconf set-server-prop ldap-port:disabled
  3. Set up a secure-listen-address:

    $ dsconf set-server-prop secure-listen-address:IPaddress
    $ dsadm restart /local/myserver
  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.


Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of ODSEE instances that were created with the dsadm command from version 6.0.

To work around this issue:

Add the 64-bit module with 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/ -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.


The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.


After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService


In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.


Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.


DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.


An obsolete definition remains in the 28pilot.ldif file.

To work around this issue, add the following alias specification to the 28pilot.ldif file:

objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)

The uidObject objectclass is missing from the schema.

To work around this issue, add the following objectclass to the 00core.ldif file:

objectClasses: ( NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')

The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.


If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take a long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.


The dsconf command binds as anonymous first when an SSL port is used. This may prevent dsconf from working in deployments where anonymous binds are rejected by the server.


On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.

Workaround. After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.


When some race conditions occur on replicated operations, the retro-changelog might not reflect the correct order of changes. There is no workaround at this time.


The command dsconf help-properties inverts the description for the fractional replication properties. The following output:

repl-fractional-exclude-attr ... Replicate only the specified set of attributes
repl-fractional-include-attr ... Do not replicate the specified set of attributes

should be as follows:

repl-fractional-exclude-attr ... Do not replicate the specified set of attributes
repl-fractional-include-attr ... Replicate only the specified set of attributes

When attempting to view replication topology images in the DSCC, DSCC throws an error and indicates it cannot load the page.

To work around this issue, in the GlassFish JVM options, apply the following:


If you use DSCC to modify one or more properties of an index attribute for a suffix, the data is actually updated in the back end, but the status is not updated in the suffix Indexes page as expected. Even clicking the Refresh button on the suffix Indexes page does not return the updated status.

To work around this issue, disconnect from DSCC, and then reconnect to DSCC. When you go to the suffix Indexes page, the status should be properly updated.

12305195 and 12305197

In the Japanese version of DSCC, when you click the Version button, the Version page does not display as designed. When you click the Help button, the Help page does not display as designed. In both instances, the title bar displays a question mark (?) instead of the proper page title.

This is due to an issue with Internet Explorer 7. As a workaround, use Firefox 3 to display version or Help information.


In DSEE 7.0, ODSEE 11g R1, 11g R1, and g R1, when the password for the Certificate Database is explicitly set (for example, cert-pwd-prompt:on), you cannot view certificates through DSCC. On the Directory Server instance, if you use DSCC to browse the Security > General tab, the following error message is displayed:

You must have a certificate to be able to enable SSL. Go to the Certificates tab to get a certificate for this Directory Server. 

To work around this issue, disable the cert-pwd-prompt flag. Example:

dsadm set-flags instance-path cert-pwd-prompt=off