Oracle® Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28975-02
This chapter contains important, product-specific information available at the time of release of Directory Server 11g Release 1 (11.1.1.7.0).
Note:
Bug information has been migrated from one database to another. If a bug number contains 8 digits, then the detailed bug information is currently stored in the Oracle bug database BugDB. If a bug number contains 7 digits, then the detailed bug information originated in the legacy Sun bug database Bugster. In these Release Notes, a bug number may be listed using the form BugDB#/Bugster#.
The following tables summarize all bug fixes contained in Directory Server Enterprise Edition 11g R1 (11.1.1.7.0).
Table 4-1 Directory Server Bugs Fixed in This Release
Bug ID | Description |
---|---|
14393413 | Memory leak occurs when adding duplicate attribute values. |
14377168 | Replication should detect URL inconsistency in RUV. |
14369830 | If a search is performed for both attribute with and without subtype at the same time, the value with subtype is returned twice. |
14347268 | Exception is thrown when modifying a CoS template entry using DSCC. |
14227880 | Replication from one master to another master server halts. |
14198000 | Memory leak occurs using |
14147844 | An |
14090933 | Performance issue with smartheap and multiple pools. |
14074152 | After configuring Directory Server as a Windows Service, you cannot stop the Directory Server instance or remove the Windows Service. |
14056973 | A double free error occurs when modifying a badly formed RDN. |
14052999 | Update Directory Server shared components. |
13973308 | An unexpected error occurs when using the Check Syntax button. |
13918298 | Using DSCC, an error message "Failure Count Reset" in Account Lockout is wrong. |
13833118 | When modifying a DN, a memory leak can occur if the moved entry has an entryID smaller than the new superior entry. |
13824107 | Minor memory leak during backup/restore task. |
13795374 | A memory leak may occur when you run |
13599534 | If an error occurs during online rewrite task creation, the task is not destroyed internally. The server, waiting for the task to end, hangs at shutdown. |
13591464 | When replication is not configured on a Directory Server, using the command |
13585561 | Time Based Log Rotation does not work as expected. |
13536842 | During reindexing, if any attribute is encrypted, Error 4804, Error 4806, and Error 21256 occur. |
13499849 | If a |
13447459 | Using Directory Server 11.1.1.3.0, a dramatic drop in performance occurs after a failed modrdn operation. |
13413986 | Directory Server should return referral during reindexing. |
13390361 | The log for an indexed search indicates |
13242112 | Data of type OCTETSTRING is corrupted by DSCC. |
13078242 | Heap corruption in |
13064841 | If you attempt to add an ACI using the "New ACI From Syntax..." button, when you click OK or click Check Syntax, you are redirected to a login page. |
13044577 | When a Directory Proxy Server instance is stopped using either the dpadm command or SMF service, DSCC shows the DPS status as "Degraded." |
12972095 | Migration from Directory Server 5.2 to ODSEE 11g fails on |
12904374 | Identity Synchronization for Windows on-demand synchronization fails under specific mixed case host-FQDN configuration. |
12859825 | Directory Server crashes while attempting a backup. After the server crashes, you cannot restart the server. |
12839666 | Corrupted IP address is logged when connections are aborted. |
12830963 | Directory Server 11.1.1.3.0 does not start in read-only mode on SUSE Linux- 10 (X86_64). |
12824002 | When using dsmig config to migrate from Directory Server Enterprise Edition 5.2, the index configuration is not successfully migrated. |
12751400 | It is possible to modify an entry with a user whose password must be changed. |
12708119 | After being written with an invalid |
12654448 | Using the SASL bind GSSAPI, if there is a mismatch between |
12647512 | Directory Server allows a poorly formed |
12603625 | Misleading error message is displayed in DSCC when |
12589178 | Directory Server hangs after Error 20765. |
12567769 | The memberof plugin initialization searches can cause server to hang during shutdown. |
12534890 | Offline rewrite of a suffix does not use optional parameter. |
12417570 | Directory Server crashes due to replication stack issue. |
12376213 | Directory Server hangs while |
12352171 | Performance problem occurs on Directory Server running on HP 585 G5 and HP 580 G7 NUMA based hardware. |
12336193 | System crashes due to combination of |
12310114 | Improve re-indexing on production deployments to accommodate new attributes. |
12309638 | CoS fails to use the operational qualifier properly, so operational attributes are returned. |
12307634 | Directory Server instance registered as service does not stop properly upon Windows system shutdown. |
12305811/7008961 | The dsccmon command line output includes numerous but useless INFO messages making it difficult to read important information. |
12302779/6993689 | When adding a password policy to a sub suffix, if the DN uses a case different from the case used in suffix definitions, then the password policy is displayed twice. |
12287748/6924135 | DSCC displays incorrect information, "Operational Status : Index Modified - Initialization or Regeneration Required." |
12284721/6908622 | When running the insync command, a crash occurs if one or more upper-case character is used as a hostname of option |
12258927/6791392 | When editing a default security certificate, the tooltip displays an invalid string. |
12199602/6550038 | Creating a replication suffix by copying the replication agreement from an existing suffix fails. |
12170721/6445363 | Password policy control OID is listed twice in the supported control attribute. |
11886697 | Command dsdconf reindex causes |
This section lists known Directory Server limitations at the time of release.
A fix for this limitation is included in the Solaris 10 Update 11. (15699438/7022701)
UFS and ZFS are the recommended filesystem types for use with ODSEE on Solaris. LOFS is a supported filesystem for use with ODSEE on Solaris. However, if you use the LOFS filesystem, you may encounter performance issues. NFS and CIFS are not supported filesystems for use with ODSEE regardless of OS. (14605778)
If you use SASL authentication on Windows, enable `starttls` to avoid connection problems. (14556992)
The Directory Service Control Center (DSCC) enables centralized administration of Directory Server and Directory Proxy Server instances. The current version of DSCC has been tested successfully in an environment of 42 server instances, supporting most common configurations.
The 'Entry Management' tab in DSCC is meant as a simple browser and editor. For advanced and regular browsing, editing, and monitoring of LDAP entries, use CLIs.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.
To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.
`cn=changelog` suffix.
Although nothing prevents you from setting up replication for the `cn=changelog` suffix, doing so can interfere with replication. Do not replicate the `cn=changelog` suffix. The `cn=changelog` suffix is created by the retro changelog plug-in.
`LD_LIBRARY_PATH` contains `/usr/lib`.
When `LD_LIBRARY_PATH` contains `/usr/lib`, the wrong SASL library is used, causing the `dsadm` command to fail after installation.
`cn=config` attributes.
An LDAP modify operation on `cn=config` can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with `Error 53: DSA is unwilling to perform`. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the `dse.ldif` file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.
Note:
The `cn=config` configuration interface is deprecated. Where possible use the `dsconf` command instead.
To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.
This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.
To work around this issue, consider using the `-P` option with the `dsconf` command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the `-e` option with the `dsconf` command. The option lets you connect to the standard port without requesting a secure connection.
After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.
`max-thread-per-connection-count` is not useful.
The Directory Server configuration properties `max-thread-per-connection-count` and `ds-polling-thread-count` do not apply for Windows systems.
If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the `dsadm reindex` or `dsconf reindex` commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, ODSEE Indexing, in Administrator's Guide for Oracle Directory Server Enterprise Edition for details.
This section lists the issues that are known at the time of release of Directory Server 11g Release 1 (11.1.1.7.0).
A previously undocumented limitation on ACI evaluation during `MODRDN` rejects the operation when the ACIs specify a deny rule. See the Administrator's Guide for Oracle Directory Server Enterprise Edition for more information.
Using WebLogic 10.3.6, when you double-click on a server to select it in DSCC, you are abruptly logged out of the console.
On Windows 2008 only, SASL/DIGEST-MD5 binds sometimes fail with an ASN.1 error, after which the connection appears not to be closed.
On Solaris 11 SPARC or X64, and on recent updates of Solaris 10, sometimes connections cannot be established between the Java-based client application `dsconf` and the Directory Server.
This is due to unwanted interactions between the JDK7 that ships with ODSEE and some Solaris 11 operating system libraries. To avoid this, do not use the system's libraries.
As a workaround, you can do one of the following:
In the file `$INSTALL_DIR/dsee7/jre/lib/security/java.security`, remove any `sunpkcs11` related entries.
Replace `$INSTALL_DIR/dsee7/jre/lib/security/java.security` with a modified version of the file that ships with the ODSEE:
`$INSTALL_DIR/dsee7/resources/install/java.security.nosunpkcs11`
When a DSCC registry is deleted, the registry information is not updated appropriately, and the registry information remains stored in the agent itself.
When attempting to deploy the DSCC WAR file using Apache Tomcat 6.0.14, a Java exception occurs.
On Solaris 10 Update 10 and on Solaris 11 11.11, if the Directory Server instance is registered as an SMF service, you cannot start the server instance.
When replication is working correctly between a Directory Server 6.x master and a Directory Server 5.x consumer or master, the DSCC displays a false Operational Status "The destination suffix is not initialized." The destination suffix is actually initialized, and you can safely ignore the Perennial Status.
The `replcheck` command does not work with partial replication.
In the Japanese version of DSCC, when you click the Version button, the Version page does not display as designed. When you click the Help button, the Help page does not display as designed. In both instances, the title bar displays a question mark (?) instead of the proper page title.
If you use DSCC to modify one or more properties of an index attribute for a suffix, the data is actually updated in the backend, but the status is not updated in the suffix Indexes page as expected. Even clicking the Refresh button on the suffix Indexes page does not return the updated status.
To work around this issue, disconnect from DSCC, and then re-connect to DSCC. When you go to the suffix Indexes page, the status should be properly updated.
When attempting to view replication topology images in the DSCC, DSCC throws an error and indicates it cannot load the page.
To work around this issue, in the JVM options of the application server in which DSCC is deployed, apply the following:
-Djava.awt.headless=true
The command `dsconf help-properties` inverts the description for the fractional replication properties. The following output:
```
repl-fractional-exclude-attr ... Replicate only the specified set of attributes
repl-fractional-include-attr ... Do not replicate the specified set of attributes
```
should be as follows:
```
repl-fractional-exclude-attr ... Do not replicate the specified set of attributes
repl-fractional-include-attr ... Replicate only the specified set of attributes
```
When some race conditions occur on replicated operations, the `retro-changelog` might not reflect the correct order of changes. There is no workaround at this time.
The server may hang if a `changelog` trimming is ongoing while an online restore is started.
The `dsconf` command binds as anonymous first when an SSL port is used. This may prevent `dsconf` from working in deployments where anonymous binds are rejected by the server.
If you set the idle timeout to a very small value, for example, `2s` on a server instance, DSCC might display connection errors and prevent some operations that take a long time to complete (like rotating logs). Make sure you set the idle timeout to at least `10s` or `20s`, and adjust the idle timeout according to your network latency.
The `uidObject` objectclass is missing from the schema.
To work around this issue, add the following objectclass to the `00core.ldif` file:
objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')
An obsolete definition remains in the `28pilot.ldif` file.
To work around this issue, add the following alias specification to the `28pilot.ldif` file:
objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)
DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.
In Windows, in the Korean locale, the `dsadm start` command does not display the `nsslapd` error log when `ns-slapd` fails to start.
After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on `org.apache.jsp.jsp.ReplicationTopology_jsp._jspService`.
The output of the `dsadm show-*-log` command is not correct if some lines in the log contain more than 1024 characters.
The output of the `dsadm show-*-log l` command does not include the correct lines. It can include the last lines of a previously rotated log.
Directory Service Control Center and the `dsadm` command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the `dsadm` command from version 6.0.
To work around this issue:
Add the 64-bit module with 64-bit version of `modutil`:
```
$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile /usr/lib/mps/64/libnssckbi.so -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db
```
For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use `dsconf` to modify the listen-address of the servers results in DSCC errors.
To have an SSL port only and secure-listen-address setup with Directory Server Enterprise Edition, use this workaround:
Unregister the server from DSCC:
dsccreg remove-server /local/myserver
Disable the LDAP port:
dsconf set-server-prop ldap-port:disabled
Set up a secure-listen-address:
```
$ dsconf set-server-prop secure-listen-address:IPaddress
$ dsadm restart /local/myserver
```
Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.
When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:
svcadm: Instance "svc:/instance_path" is in maintenance state.
To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers (that is, a user that is defined locally on the machine rather than an NIS user.)
When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.
Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.
On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is `ds`.
When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.
To work around this issue, use a different browser such as Mozilla web browser.
For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:
`man5dpconf`.
`man5dsat`.
`man5dsconf`.
`man5dsoc`.
`man5dssd`.
To work around this issue, access the man pages at Man Page Reference for Oracle Directory Server Enterprise Edition. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.
During installation on Windows systems, ODSEE relies on Windows permissions settings for file protection. Be sure your permissions are set appropriately.
To work around this issue, change the permissions on the installations and server instance folders.
Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.
Neither Directory Service Control Center nor the `dsconf` command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.
To change the server behavior, adjust the `ds-require-valid-plugin-signature` and `ds-verify-valid-plugin-signature` attributes on `cn=config`. Both attributes take either `on` or `off`.
On Windows systems, the `dsconf` command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.
To work around this issue, change the LDIF file name so that it does not contain double-byte characters.
On Windows, SASL authentication fails because SASL encryption is used.
To work around the issue caused by the SASL encryption, stop the server, edit `dse.ldif`, and reset SASL to the following.
```
dn: cn=SASL, cn=security, cn=config
dssaslminssf: 0
dssaslmaxssf: 0
```
Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.
```
dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com") (targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com") (targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)
```
Examples with more than one comma that has been escaped have been observed to parse correctly, however.
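A pre-flight check for the pattern described above, as an added example that is not part of the Oracle release notes: it flags ACI strings whose target DN contains an escaped quote or exactly one escaped comma, so they can be reviewed before being applied. The function names and the third sample ACI are assumptions constructed for illustration.

```python
import re

# Quoted value of the ACI "target" keyword; backslash escapes such as \" and \,
# are allowed inside the quotes. "targetattr" does not match this pattern.
_TARGET_RE = re.compile(r'\(\s*target\s*!?=\s*"((?:\\.|[^"\\])*)"\s*\)', re.IGNORECASE)


def risky_target_reason(aci):
    """Return why an ACI's target DN matches the known issue, or None."""
    match = _TARGET_RE.search(aci)
    if match is None:
        return None  # no target keyword, nothing to check
    dn = re.sub(r"(?i)^ldap:///", "", match.group(1))
    # Characters that follow a backslash. An escaped backslash consumes both
    # backslashes, so "\\" followed by a plain comma is not counted as "\,".
    escaped = re.findall(r"\\(.)", dn)
    if '"' in escaped:
        return "escaped quote in target DN"
    if escaped.count(",") == 1:
        return "single escaped comma in target DN"
    return None


def audit(acis):
    """Return (index, reason) for every ACI in the list that needs review."""
    findings = []
    for index, aci in enumerate(acis):
        reason = risky_target_reason(aci)
        if reason is not None:
            findings.append((index, reason))
    return findings


# Constructed samples: the first two reuse the target DNs from the text above,
# the third has two escaped commas, which the text says parses correctly.
SAMPLE_ACIS = [
    r'(target="ldap:///o=mary\"red\"doe,o=example.com")(targetattr="*")'
    r'(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)',
    r'(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")(targetattr="*")'
    r'(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)',
    r'(target="ldap:///o=Example\, Company\, Inc.,dc=example,dc=com")(targetattr="*")'
    r'(version 3.0; acl "testTwoCommas"; allow (all) userdn ="ldap:///self";)',
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_ACIS):
        print(f"ACI #{index}: {reason}")
```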
The `dsconf accord-repl-agmt` command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.
To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.
Export the certificate to a file.
The following example shows how to perform the export for servers in `/local/supplier` and `/local/consumer`.
```
$ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
/local/supplier defaultCert
$ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
/local/consumer defaultCert
```
Exchange the client and supplier certificates.
The following example shows how to perform the exchange for servers in `/local/supplier` and `/local/consumer`.
```
$ dsadm add-cert --ca /local/consumer supplierCert \
/tmp/supplier-cert.txt
$ dsadm add-cert --ca /local/supplier consumerCert \
/tmp/consumer-cert.txt
```
Add the SSL client entry on the consumer, including the `supplierCert` certificate on a `usercertificate;binary` attribute, with the proper `subjectDN`.
Add the replication manager DN on the consumer.
$ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
Update the rules in `/local/consumer/alias/certmap.conf`.
Restart both servers with the `dsadm start` command.
When entries are imported from LDIF, Directory Server does not generate `createTimeStamp` and `modifyTimeStamp` attributes.
LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
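One way to do the preprocessing mentioned above, as an added example that is not Oracle tooling: it appends `createTimeStamp` and `modifyTimeStamp` in GeneralizedTime form to every LDIF entry that lacks them. The function names, the sample entries and the choice of the current UTC time as the stamp are assumptions.

```python
import re
from datetime import datetime, timezone

STAMP_ATTRS = ("createTimeStamp", "modifyTimeStamp")  # spelling as used on this page


def _attr_names(lines):
    """Lower-cased attribute names in one record, skipping comments and folded lines."""
    names = set()
    for line in lines:
        if line.startswith((" ", "#")) or ":" not in line:
            continue  # continuation of a folded value, a comment, or a separator
        # "cn;lang-en: x" and "dn:: base64" both reduce to the bare attribute name.
        names.add(line.split(":", 1)[0].split(";", 1)[0].strip().lower())
    return names


def add_timestamps(ldif_text, when=None):
    """Return the LDIF text with missing timestamp attributes added to each entry."""
    moment = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = moment.strftime("%Y%m%d%H%M%SZ")  # GeneralizedTime in UTC
    out = []
    text = ldif_text.replace("\r\n", "\n").strip("\n")
    for block in re.split(r"\n{2,}", text):  # records are separated by blank lines
        lines = block.split("\n")
        names = _attr_names(lines)
        # Only content records get stamps: the "version: 1" header has no dn,
        # and change records (changetype: ...) are left untouched.
        if "dn" in names and "changetype" not in names:
            for attr in STAMP_ATTRS:
                if attr.lower() not in names:
                    lines.append(f"{attr}: {stamp}")
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


# Constructed sample: one entry with no timestamps and a folded value, and one
# entry that already carries a creation timestamp that must be preserved.
SAMPLE_LDIF = """\
version: 1

# constructed sample entry without timestamps
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
description: a long value that is folded onto
  a second line

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
createTimestamp: 20120101000000Z
"""

if __name__ == "__main__":
    print(add_timestamps(SAMPLE_LDIF), end="")
```

Existing timestamp values are kept as they are, so an export that already carries them can be passed through the same function before import.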
Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Oracle support.