Sun™ ONE Directory Server 5.2 Release Notes

Version 5.2

Part Number 816-6703-10

January 2005

These release notes contain important information available at the time of release of Version 5.2 of Sun Open Net Environment (Sun ONE) Directory Server. New features and enhancements, known limitations and problems, technical notes, and other information are addressed here. Read this document before you begin using Directory Server 5.2.

The most up-to-date version of these release notes can be found at the Sun ONE documentation web site: http://docs.sun.com/doc/816-6703-10. Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.

These release notes contain the following sections:

Revision History
About Directory Server, Version 5.2
What’s New in Directory Server, Version 5.2
Supported Platforms
Installation Notes
Errata and Directory Server Documentation Updates
Compatibility Issues
Enhancements Made and Problems Corrected
Known Issues
Accessing Product Documentation
How to Report Problems and Provide Feedback
Additional Sun Resources

---

Revision History

Table 1  Revision History

Date	Description of Changes
January 07, 2005	Addition of IBM AIX 5.2 to Supported Platforms and note regarding EOSL of IBM AIX 5.1.
November 17, 2004	Directory Server Resource Kit Tools Reference errata updated - warning regarding references to documentation on mozilla.org that may be out of date.
October 11, 2004	DsmlSearch does not handle chunked DSML responses (#5104932). Replication fails after recreating schema with new OIDs (#5050755).
August 30, 2004	The console cannot display certificates with a quotation mark (“) in the DN (#5067904).
August 23, 2004	Amendment of Supported Platforms to indicate that support for Microsoft Windows Server 2003 Enterprise Edition (IA-32) is restricted to the compressed archive update.
July 16, 2004	Addition of Microsoft Windows Server 2003 Enterprise Edition (IA-32) to the Supported Platforms. An update is available for compressed archive versions of Directory Server 5.2. Patching compressed archive versions of Directory Server in a localized environment requires the English update utility (#5069508). Patching compressed archive versions of Directory Server in a localized environment causes the Administration Console to display the incorrect name (#5069443) Patching compressed archive versions of Directory Server fails if Windows Event Viewer is open (#5061260). Creating a new role via the console fails with a Java exception (#5063342). Patching compressed archive versions of Directory Server fails if the administration password includes special characters (#5068370). Patching compressed archive versions of Directory Server fails if the administration password is longer than eight characters (#5070064). The mechanism for patching compressed archive versions of Directory Server requires the unzip utility (#5057611). With compressed archive installations, if either Administration Server or Directory Server is installed as root, uninstallation must also be run as root (#5014882). The Directory Server Installation and Tuning Guide recommends that you use a Java Runtime Environment version 1.4.1 or later. When installing in locales other than C, additional language support packages are required.
December 8, 2003	A number of issues have been resolved in the Directory Server 5.2 product packaged with the Sun JavaTM Enterprise System. See Installation Notes for details. Additional documentation required on using referential integrity plug-in with legacy replication (#4956596)
October 28, 2003	Directory Server Resource Kit Tools Reference errata updated.
September 16, 2003	Administration Guide errata updated - certain LDAP controls incorrectly exposed with regard to chaining. Installation and Tuning Guide errata updated - HA documentation. Supported Platforms updated.
August 27, 2003	Changes made to the html version of the Administration Guide available at http://docs.sun.com/doc/816-6698-10/contents.html. Addition to Installation Notes (caution regarding use of Administration Server password.)
July 11, 2003	The changelog is not purged by default (#4881004) Multibyte characters at installation cause configuration problems (#4882927) (amended to apply to all languages, and not only to the Japanese version)
June 26, 2003	Updated issue #4882801 to specify platform
June 23, 2003	Addition of the following: Note on write capability and multi-master replication Note on initializing replicas in a multi-master replication scenario Problem with multibyte characters at installation of Japanese version (#4882927) Problem with multibyte characters in suffixes for traditional Chinese version (#4882801) Note on localized documentation availability Addition to Administration Guide errata
June 10, 2003	Addition of Japanese locale issue on HP-UX systems
June 6, 2003	Initial release of these release notes

---

About Directory Server, Version 5.2

Sun ONE Directory Server 5.2 is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Sun ONE Directory Server software is part of Sun ONE, Sun’s standards-based software vision, architecture, platform, and expertise for building and deploying Services On Demand.

---

What’s New in Directory Server, Version 5.2

Sun ONE Directory Server 5.2 contains the following new features and enhancements:

Updated and improved server management console

Directory Server Console now offers a simplified interface for configuring replication and provides support for IPv6. For details on the new console, refer to “Using the Directory Server Console” in Chapter 1 of the Sun ONE Directory Server Administration Guide.

Enhanced replication functionality

New replication features include:

Support for 4-way multi-master replication

Note that multi-master replication is designed with high availability in mind. In some deployments, adding master replicas can also significantly increase the total number of writes a replication topology can absorb. Such deployments typically involve applications needing to write directory data reused locally. In these deployments, data updates may converge more slowly across the entire topology.

In general, there is a real cost to keeping data consistent across multiple servers. If you need high data consistency and fast convergence across the entire replication topology, you may not be able to increase overall write throughput simply by adding servers.

Support for multi-master replication over WAN
Online promotion and demotion of servers
Fractional replication (the ability to replicate a subset of attributes)
The following replication monitoring tools:

insync - indicates the synchronization state between a master replica and one or more consumer replicas.

entrycmp - compares the attributes and values of the same entry on two different servers.

repldisc - enables you to discover a replication topology, constructing a graph of all known servers and displaying a matrix describing the topology.

Note that these tools are also compatible with Directory Server 5.1 Service Packs 1 and 2.

Improved replication failover
Improved concurrent replication updates

Concurrent changes can be received on a single consumer from multiple suppliers.

Within a replication session, multiple updates can be replayed concurrently.

Note	A master initialized from another master in a multi-master configuration will process replication updates and allow read operations, but will return referrals for all write operations from clients. To revert a master to read-write mode, set the ds5BeginReplicaAcceptUpdates configuration attribute to start to explicitly allow update operations. You should verify that the new master replica has converged with the other masters before enabling updates. The change to allow updates may be done using either the replication configuration panel on the Directory Server console or through the command line. For more information, see “Initializing Replicas” in the Sun ONE Directory Server Administration Guide.

Directory access through DSMLv2/SOAP
Support for IPv6
Large cache support. A server running in 64-bit mode can address more than 4GB of data. Refer to the Directory Server Installation and Tuning Guide for more information.
Ability for LDAP clients to obtain their effective access rights
Simplified migration from 4.x and 5.x to 5.2
Multiple password policies
The ability to encrypt attributes other than passwords
Interactive GUI installer
Support for startTLS on Windows
Improved error logging
Flexible role scope
Ability to use virtual attributes in search filters
Support for Sun Crypto Accelerator 1000 Board
Performance improvements
Advanced binary copy

Enables the cloning of master or consumer replicas using the binary backup files from one server to restore the identical directory contents on another server.

Improved product documentation

The 5.2 documentation set includes the following new guides:

Installation and Tuning Guide
Getting Started Guide
Plug-In API Programming Guide
Plug-In API Reference

Important updates to the existing documentation include:

Error code documentation in the Reference Manual.
New replication documentation in the Deployment and Administration Guides and in the Reference Manual.
New Password Policy and Attribute Encryption information in the Deployment and Administration Guides.
Product documentation is no longer installed with the product but is available on the product CD and on the web.

Due to architectural changes made in Directory Server 5.2, some features that were available in Directory Server 4.x are no longer included. These are:

Password synchronization with Windows. This functionality has been replaced by the Sun ONE Identity Synchronization for Windows product.
Database Backend Plug-in Interface. The enhanced pre-operation interface may be used instead of the database backend plug-in interface, to implement plug-ins that are designed to provide access to alternative directory data stores.
In addition, the distribution plug-in architecture and functionality will change substantially in a future release of Directory Server.

---

Supported Platforms

Directory Server 5.2 is available on the following platforms:

Sun Solaris 8 for UltraSPARC (32 and 64 bit)
Sun Solaris 9 for SPARC (32 and 64 bit)
Sun Solaris 9 for x86 (IA-32)
Microsoft Windows 2000 Server and Advanced Server SP 3 (IA-32)
Directory Server 5.2 has also been validated with Windows 2000 Service Pack 4.
Microsoft Windows Server 2003 Enterprise Edition (IA-32)
The original release of Directory Server 5.2 has not been validated on Microsoft Windows Server 2003 Enterprise Edition. Only the compressed archive update (patchzip) is validated on this platform.
Red Hat Linux 7.2 (IA-32)
Red Hat Linux AS 2.1 U2
Sun Linux 5.0 (Sun LX50)
The update to compressed archive installations of Directory Server (patchzip) has not been validated on Sun Linux 5.0.
Hewlett-Packard HP-UX 11i PA-RISC 1.1 or 2.0 (32 bit and 64 bit)
IBM AIX 5.1 (Power PC) (32 bit)
As of 31 December 2004, AIX 5.1 is no longer supported by IBM. If you are using the original release of Directory Server 5.2 on this platform, you are advised to update to the compressed archive update (patchzip), which is supported on AIX 5.2.
IBM AIX 5.2 (Power PC) (32 bit)
The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. Only the compressed archive update (patchzip) is validated on this platform. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but this platform is no longer supported by IBM.

Note	Directory Server 5.2 has been validated with Sun Cluster 3.1.

For information on the availability of Directory Server on the Compaq Tru64 operating system, contact your Compaq representative.

Specific operating system patches or service packs may need to be installed before Directory Server 5.2 can be installed. For further information, refer to the Sun ONE Directory Server Installation and Tuning Guide. You can obtain Solaris patches from http://sunsolve.sun.com

---

Installation Notes

An update is available for compressed archive versions of Directory Server 5.2.

This update brings the product in line with the Directory Server product packaged with the Sun Java^TM Enterprise System 2004Q2. You will sometimes see this update referred to as the patchzip utility in the documentation. The enhancements and bug fixes available in this update are documented in the Sun Java System Directory Server 5 2004Q2 Release Notes. The update is available at http://sunsolve.sun.com with the following Patch IDs:

AIX             117670-01
HP-UX           117669-01
Linux           117668-01
SunOS           117665-01
SunOS_i86pc     117666-01
Windows         117667-01

Localized Patch IDs are as follows:

de       117798-01
es       117799-01
fr       117800-01
ja       117801-01
ko       117802-01
zh       117803-01
zh_TW    117804-01

Installation instructions for the update are provided in the README files available at this URL.

Patching compressed archive versions of Directory Server in a localized environment requires the English update utility (#5069508)

If you have installed a localized version of Directory Server via compressed archive, and are updating the installation, do the following:

Run the English version of the compressed archive update utility.
Extract the patch file appropriate to your locale to the directory in which Directory Server is installed (the ServerRoot directory.) Run the unzip command with the -o option (to overwrite existing files) and as the user who owns the ServerRoot directory. For example

unzip -o 5.2_Patch_2-ja.zip -d ServerRoot

If you do not complete both of these steps in the correct order, the update will fail. (The unzip utility is delivered with the compressed archive update, except for Linux platforms, on which you must install the unzip utility.)

Patching compressed archive versions of Directory Server fails if Windows Event Viewer is open (#5061260)

On Windows platforms, if you have installed Directory Server via compressed archive, and are updating the installation, the update fails if Windows Event Viewer is open.

Workaround
Close the Event Viewer before launching the compressed archive update.

Patching compressed archive versions of Directory Server fails if the administration password includes special characters (#5068370)

On Windows platforms, if you have installed Directory Server via compressed archive, and are updating the installation, using certain special characters in the administration password causes the update to fail. Known special characters that cause problems include ‘&’.

Workaround 1

Instead of running the install script directly, create a file (filename) containing the administration ID and password, for example:

Admin Id: admin
Admin Password: &password

Run the following command:

lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "ServerRoot" -f filename

Workaround 2
Change the administration password temporarily while performing the update. For information on how to change the administration password, see “To Change the Configuration Administrator’s User Name or Password” in Chapter 4 of the Administration Server Administration Guide.

Patching compressed archive versions of Directory Server fails if the administration password is longer than eight characters (#5070064)

On HP-UX, if you have installed Directory Server via compressed archive, and are updating the installation, an administration password longer than eight characters causes the update to fail.

Workaround
Change the administration password temporarily while performing the update. For information on how to change the administration password, see “To Change the Configuration Administrator’s User Name or Password” in Chapter 4 of the Administration Server Administration Guide.

The mechanism for patching compressed archive versions of Directory Server requires the unzip utility (#5057611)

On Linux platforms, if you have installed Directory Server via compressed archive, you must install the unzip utility before running the compressed archive update. (On other platforms, the unzip utility is delivered with the compressed archive update.)

The Directory Server Installation and Tuning Guide recommends that you use a Java Runtime Environment version 1.4.1 or later.

Note that the latest JRE and JDK can be downloaded from http://java.sun.com/.

With compressed archive installations, if either Administration Server or Directory Server is installed as root, uninstallation must also be run as root (#5014882).

If you do not run the uninstallation as root, the product registry is not updated correctly.

When installing in locales other than C, additional language support packages are required.

For a complete list of the packages required, see “Localized Packages for Component Products“ in the Sun Java Enterprise System 2003Q4 Installation Guide.

The Directory Server 5.2 product packaged with the Sun JavaTM Enterprise System 2003Q4 provides the following enhancements and bug fixes:

Directory Server Bugs
VLV indexes did not work correctly on Sparc 64 (#4877307)
Merging VLV indexes with no entries after importing of data did not work correctly (#4877894)
The ieee802Device and bootableDevice object classes were not backward compatible (#4884562)
The server would crash if changelog trimming was enabled (#4891228)
An erroneous reverse-DNS request was issued at server startup (#4909592)
The location of J2SE as used by the Java Enterprise System and its components was not the same as the J2SE location used by Directory Server (#4924002)
Administration Server Bugs
The console did not support backslashes in the RDN (#4737629)
In the Japanese locale, the Fonts tab in the Console Preferences window did not work correctly (#4838530)
In the Japanese locale, the CA Certs and Revoked Certs tabs were absent from the Manage Certificates window (#4865986)
In the Japanese locale, the default size of the Create New Domain window was too small (#4866621)
Certain online help windows were inoperable (#4866623)
Creating a new group with new members through the console caused an LDAP exception error (#4868083)
For all Asian locales (ja, ko, zh, and zh-TW), the console login online help window did not work correctly (#4868579)
In the Chinese Taiwan locale, the online help contents were not displayed when the Launch in Browser button was pressed. (#4881871)
The online help button on the Console login window did not work correctly (#4890502)

To bring Directory Server in line with the Java Enterprise System, install the following patches, available at http://sunsolve.sun.com:

Solaris 9 (SPARC)

114049-04/ SunOS 5.9: Netscape Portable Runtime(4.1.4)/Network Security System(3.3.4)
114677-05/ SunOS 5.9: International Components for Unicode Patch
115342-01/ SunOS 5.9: Simple Authentication and Security Layer (2.01)
115610-01/ SunOS 5.9_sparc: Sun ONE AdminServer 5.2 patch
115614-01/ SunOS 5.9 : Sun ONE Directory Server 5.2 patch
115926-02/ SunOS 5.9: NSPR4.1.6 / NSS 3.3.6 / JSS 3.1.2.5

Solaris 9 (x86)

114050-04/ SunOS 5.9_x86: Netscape Portable Runtime(4.1.4)/Network Security System(3.3.4)
114678-05/ SunOS 5.9_x86: International Components for Unicode Patch
115611-01/ SunOS 5.9_x86 : Sun ONE AdminServer 5.2 patch
115615-01/ SunOS 5.9_x86 : Sun ONE Directory Server 5.2 patch
115927-02/ SunOS 5.9_x86: NSPR4.1.6 / NSS 3.3.6 / JSS 3.1.2.5

Solaris 8 (SPARC)

114045-03/ SunOS 5.8: Netscape Portable Runtime(4.1.4)/Network Security System(3.3.4)
115328-01/ SunOS 5.8: Simple Authentication and Security Layer (2.01)
115924-02/ SunOS 5.8: NSPR4.1.6 / NSS 3.3.6 / JSS 3.1.2.5
116103-03/ SunOS 5.8: International Components for Unicode Patch

For more information on the Sun Java Enterprise System, see http://wwws.sun.com/software/learnabout/enterprisesystem/index.html.

If you run Administration Server as root, all commands initiated by the administration user will also be run as root.

Therefore you must apply the same rules of confidentiality and security to the administration password as you would to the root password of your server.

The idsktune utility is up to date as at the release date of Directory Server 5.2.

Inaccuracies may therefore arise if new patches are provided after this date.

On Solaris systems, the SUNWnisu package is required for installation to succeed.

Note that the presence of SUNWnisu does not imply that you must use NIS.

Installation paths that contain space characters are not supported.

Do not use space characters in your installation path.

When installing Directory Server 5.2 from Solaris Packages, do not specify a symbolic link as the ServerRoot.

The ServerRoot is the path from which you access the shared binary files of Directory Server, Administration Server, and the command line tools. If you do specify a symbolic link as the ServerRoot, and then attempt to start the Administration Server as someone other than the root user, the following error is output:

You must be root to run this command

In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307.

This file corresponds to 10rfc2307.ldif (for 5.1 zip installations) and to 11rfc23.ldif (for 5.1 Solaris packages). Applications using the deprecated 5.1 version of this schema may be affected by this change. A summary of the modifications follows:

The automount and automountInformation attributes have been removed.
The list of allowed attributes of the ipHost objectclass no longer includes o $ ou $ owner $ seeAlso $ serialNumber.
The list of manadatory attributes for the ieee802Device objectclass no longer includes cn.
The list of allowed attributes for the ieee802Device objectclass no longer includes description $ l $ o $ ou $ owner $ seeAlso $ serialNumber.
The list of manadatory attributes for the bootableDevice objectclass no longer includes cn.
The list of allowed attributes for the bootableDevice objectclass no longer includes description $ l $ o $ ou $ owner $ seeAlso $ serialNumber.
The OID of the nisMap objectclass is now 1.3.6.1.1.1.2.9.

When migrating from Directory Server 5.1 to 5.2, the old version of this file is migrated to avoid potential inconsistency between the schema and the database. If you have not customized this file, and if your database does not refer to the schema contained within it, you can remove it from your 5.1 schema before performing the migration. This will enable you to have a version of the file that conforms to rfc2307.

If you have customized this file, or if your database refers to the schema contained within it, perform the following steps:

For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.

NOTE: This issue also impacts replication. See the Replication section for more information.

To use SASL Kerberos authentication on Solaris platforms, you must ensure that DNS is configured.

On Linux systems, the combined configured cache values should not exceed 600MB.

IPv6 support has not been extensively tested on Windows systems.

When uninstalling Directory Server on Windows systems, be aware that certain basic system libraries used by Directory Server (nsldap32v50.dll, for example) may be used by other installed products.

You can select not to uninstall these libraries if other products are using them.

---

Errata and Directory Server Documentation Updates

Directory Server Resource Kit Tools Reference

Chapter 30, “Network Security Services,” references mozilla.org for documentation. The documentation on mozilla.org appears, however, to be out of date with respect to the tools provided with Directory Server Resource Kit. For example, support for public/private 2048-bit key pairs and certificates is not mentioned in that documentation.

Reference Manual

The description of the ldif2db, db2ldif, and db2ldif.pl command-line scripts in Chapter 2, “Command-Line Scripts” are inaccurate. Each of these scripts should include the following options, in addition to what is documented:

Table 2  Additional Options to ldif2db, db2ldif, and db2ldif.pl Command-Line Scripts

Option	Meaning
-Y	Specifies the password for the key database (used for attribute encryption.)
-y	Specifies the file in which the password for the key database is held (used for attribute encryption.)

Plug-In API Programming Guide

Chapter 5, Extending Client Request Handling, describes the use of Pre-Operation and Post-Operation Plug-Ins. This section should include the following note:

Note	For SASL authentication mechanisms, any bind pre-operation plug-in or post-operation plug-in may be called several times for the same authentication request. This is because multiple LDAP BIND operations may be used to implement that authentication mechanism, as is the case for DIGEST-MD5, for example.

Administration Guide

Chapter 8, “Managing Replication,” states that you need to reinitialize all consumers in a topology if you disable the change log or move it to a new location. In fact, this caution applies only if there are changes that have not been replicated to other servers in the topology when the change log directory is changed. If all changes have been replicated before the change log is moved (that is, if all servers are in sync,) there is no risk associated with moving the change log directory, and no reinitialization is required.
Chapter 3, “Creating Your Directory Tree,” incorrectly states that the persistent search control (OID 2.16.840.1.113730.3.4.3) can be chained. In the current Directory Server implementation, this is not the case.

In addition to the persistent search control, the following controls are incorrectly exposed in the Administration Guide:

2.16.840.1.113730.3.4.4 (Password expired notification)
2.16.840.1.113730.3.4.5 (Password expiring notification)
2.16.840.1.113730.3.4.15 (Authentication response)

These three controls are returned to the client by Directory Server, so are not affected by chaining configuration.

2.16.840.1.113730.3.4.13 (Replication update information)

This control should not be used with chaining by Directory Server clients.

The online version of the Administration Guide has been updated as follows:
The note under Defining Permissions in Chapter 6, “Managing Access Control,” erroneously stated that you could not create "deny" ACIs from the Console. This note is removed in the newer version.
The section Replication Retry Algorithm in Chapter 8, “Managing Replication,” has been corrected (see point 4 below.)
Chapter 3 of the HTML version on the CD is truncated. For the correct version of this file, consult the online version (on docs.sun.com) or download the documentation set, in HTML format.
Chapter 8, Managing Replication, contains the following with regard to the replication retry algorithm:

“The retry pattern is as follows: 20, 40, 80, then 160 seconds. The supplier will then retry every 160 seconds.”

This should be:

“The retry pattern is as follows: 20, 40, 80, 160, then 300 seconds. The supplier will then retry every 300 seconds (5 minutes).”

Installation and Tuning Guide

Appendix C - Installing Sun Cluster HA for Directory Server should include the following note:

Note	When installing and configuring the Sun Cluster HA for Directory Server data service, the Solaris packages must be installed on local, non-shared disks. In addition, the ServerRoot must be on shared or global disks.

Directory Server Resource Kit Tools Reference

Although it is included in the documentation, the iPlanet LDAP Administrative Shell (ilash) is not included in the current release of the Directory Server Resource Kit (DSRK.)
In Chapter 3, “ldapsearch,” the -o option of the ldapsearch command is incorrectly documented. This option does not format the output of search results so that no line breaks are used within individual attribute values, as indicated in this chapter.

Instead, the -o option is used to specify the SASL options mech, realm, authid and authzid.

For more information on these options, see “Examples of the ldapsearch Command” in Chapter 11 of the Sun ONE Directory Server Administration Guide.

This error corresponds to bug #4784801.

General

Certain books in the documentation set identify the Directory SDKs for C and for Java as iPlanet brand products. In all instances, these should be identified as Sun ONE brand products.

Note	Localized documentation is posted to http://docs.sun.com/ as it becomes available.

---

Compatibility Issues

Note that the LDAP utility manpages on Sun Solaris platforms do not document the Sun ONE version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete and ldapadd. For information regarding these utilities, refer to the Sun ONE Directory Server Resource Kit Tools Reference.

---

Enhancements Made and Problems Corrected

Directory Server 5.2 includes enhancements and fixes to the following known problems that occurred in earlier releases:

Replication

Delete operation was not propagated to the consumer in cascading replication. (#4550044)
On Windows platforms, an optimization test aborted replication processing. (#4616579)
nsTombstone entries were not purged. (#4617521)
Directory server encountered many tombstone errors. (#4633404)
Replication supplier was disabled and could not restart when the RUV database was corrupted. (#4533706)
Replication became unsynchronized and stopped. (#4617085)
Changing case sensitive attribute values failed in MMR. (#4624693)
Replication supplier crashed after deleting attribute. (#4627443)
Directory crashed or hung when replication was enabled. (#4643122)
Replication broke when migrating consumer from 5.0 and subsequent Service Packs. (#4646392)
Replication failed to restart from supplier to consumer. (#4658810)
Replication between 4.x and 5.1 halted when updating operational attributes. (#4665571)
Directory server crashed when certain replication agreement attributes were missing. (#4672889)
Turning back the system time halted replication. (#4672960)
Could not monitor the replication update vector in the replica object. (#4691101)
Replication had to be disabled to change a replica role. (#4527621)
Replication did not restart after a database was restored with bak2db. (#4689805)

Console

Creating a Directory Server instance using the console created a server in a different time zone on HP-UX and IBM AIX. (#4529531)
The SNMP master agent could not be started via the console. (#4795483)
Hubs could not be modified through the console. (#4527619)
For search results with multiple entries, only the first entry was displayed in the console. (#4726158)
The browse dialog box loaded from the password policy interface or from the class of service interface did not display all existing password policies. (#4722159)
Data in a remote Directory Server could not be accessed via the console with SSL enabled. (#4663658)
The Replica ID was not displayed correctly on Windows platforms. (#4589224)
Console modifications for RDN caused exception violations when saved. (#4668480)
The console did not display time correctly. (#4615165)
Bold Japanese characters were displayed as square boxes. (#4645544)
Removal of CA certificates failed. (#4658787)
The Clone Suffix Configuration option was not supported by the console. (#4700966)
SSL was not supported by the console on Linux. (#4704635)
The certificate management wizard in the Directory console failed to import a new CA certificate. (#4645545)

Database

bak2db could restore a database to its original location only. (#4522793)
A backup performed on a new database immediately after adding and initializing it could not be restored. (#4531022)
Old data could be written back into the current database. (#4638816)
The ns-slapd process crashed during import. (#4623119)
Initializing the database with an inaccessible file caused Directory Server to crash. (#4523595)

Security

The Access Control plug-in did not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting access control performs for group evaluation. (#4529540)
Use of semicolons in ACI permissions caused Directory Server to crash. (#4527617)
The process of finding the password attribute has been changed. (#4619976)
Directory Server did not verify the SSL peer hostname. (#4615324)
There was a security problem concerning the retro-changelog plug-in. (#4618824)
The number of unsuccessful attempts was not reset after a successful bind. (#4645887)
Illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03. (#4532320)
When password policy was enabled, setting the passwordHistory attribute to a value lower than the number of times a user password had been modified caused the server to crash. (#4530739)
Bind attempts failed when certificates were mapped to a distinguished name under cn=config or cn=monitor. (#4529535)
If the account locking mechanism of the password policy was enabled, once a user was locked out on a read-only replica, the account could not be unlocked. (#4527608).

Roles and Class of Service

The costemplatedn attribute has been changed from a string type to a dn type in the schema to ensure that all values of a dn are returned in a search, regardless of spaces. With this change, the following search filter: "(objectclass=ldapsubentry)(costemplatedn=cn=template1, o=example.com)"
will return an entry containing a costemplate value of "cn=template1,o=example.com". In previous versions of Directory Server, the search filter would not have returned this entry, because of the space.

LDAP Access

Directory search failed on Replica with scope of "one". (#4614741)
Directory Server crashed (SIGBUS) during a search. (#4639232)
Directory Server responded incorrectly to an unbind request. (#4623308)
ldapmodify incorrectly interpreted base64 encoded values. (#4665564)
Directory Server crashed when binding to an entry that was being created. (#4674387)
Directory Server did not support LDAP search requests containing a filter that referenced virtual attributes. (#4527614)

Performance

Enabling the retro-changelog affected performance. (#4639310)
A looping thread increased CPU consumption. (#4629441)
Memory leak in the CoS plug-in has been fixed. (#4630124)
Memory leak in schema search has been fixed. (#4682961)

Conformance

Default schema contained extra definitions not in RFC2307. (#4629102)
A DN that contained several escaped characters was incorrectly normalized. (#4535845)
A DN with white spaces did not conform to RFC2252. (#4687038)

Installation, Uninstallation and Migration

On Windows 2000, after uninstallation of directory components installed with silent installation (setup -s -f filename) reinstallation placed directory components in the original install folder. (#4526014)
On Red Hat Linux 7.2, uninstallation did not kill the active administration server processes. (#4744465)
The Directory Server 4.x and 5.0 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize, auditlog-maxlogdiskspace, auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize were not migrated automatically. (#4529536)
The version of the idsktune utility included in this Beta release has been updated. (#4745287)
Installation failed if European or US UTF-8 locales were specified. (#4745711)

Miscellaneous

The LDAP command-line utilities on HP-UX did not correctly convert character sets to UTF-8. (#4792861)
The nsbindtimeout parameter, used to specify the number of seconds before a bind attempt timed out, did not work correctly with an unresponsive host. (#4639408)
The value of the ds-hdsml-poolmaxsize attribute was Base64 encoded in the dse.ldif file. (#4744565)
Multiple Attribute uniqueness plug-ins forced uniqueness BETWEEN each other. (#4649615)
Timestamps in log files were stored incorrectly when Directory Server shutdown. (#4656846)
htmladmin.exe crashed when secured admin server was stopped. (#4529402)
Directory Access Router 5.0 was not able to share the same admin server ServerRoot as Directory Server. (Fixed on Solaris platforms.) (#4692956)
When the disk was full, Directory Server would crash and would not restart. (#4527611)
On Linux platforms, the Directory Server did not support files larger than 2GB. (#4716745)

---

Known Issues

This section contains a list of the more important known issues at the time of the Directory Server 5.2 release. These issues are divided into the following sections:

Installation, Uninstallation, and Migration
Security
Schema
Replication
Directory Server Console
Core Server
Miscellaneous

Installation, Uninstallation, and Migration

Multibyte characters at installation cause configuration problems (#4882927)

At installation, using multibyte characters for anything other than the suffix name causes Directory Server and Administration Server configuration to fail.

Workaround
Use monobyte characters for all fields other than the suffix name.

Multibyte characters cannot be used in the suffix name during installation of the traditional Chinese (zh_TW) version (#4882801)

If multibyte characters are entered as the suffix name during installation of the traditional Chinese (zh_TW) version, the suffix name does not display correctly in the console. This issue is restricted to 32-bit and 64-bit installations from Solaris packages on SPARC processors.

Workaround

Create a monobyte suffix at installation. Once installation is complete, create the desired multibyte suffix using the console.
Upgrade your JRE to version 1.4.1 or later.

On HP-UX systems, when the system locale is set to Japanese, the Administration Server does not start by default (#4869632)

Workaround
Before installing using a locale other than US English, set the LANG environment variable to C, as documented in the Sun ONE Directory Server Installation and Tuning Guide. Note that this issue has been corrected in the Japanese localized version of Directory Server.

Harmless error message occurs on installation (#4820566)

After a successful installation, the following error is logged:

ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "aci"

This error is harmless and can be ignored.

An installation path of more than 54 characters prevents the Administration Server from starting correctly (#4788213)

Workaround
Ensure that your full installation path does not contain more than 54 characters.

Directory Server cannot be installed through Microsoft Terminal Services (#4710132)

A root suffix cannot contain spaces (#4526501)

Workaround
If your root suffix contains space characters, correct the suffix generated at installation time to remove the spaces:

In the Sun ONE Server console, select the top directory entry in the left-hand navigation pane of the Servers and Applications tab.
Click Edit and modify the suffix in the User directory subtree field.
Click OK to save the change.

Error message with migrateInstance5 (#4529552)

When running the migrateInstance5 script with error logging disabled, a message is displayed indicating that the migration procedure is attempting to restart the server while the server is already running.

If error logging is disabled, you can ignore this error message.

If this message appears when error logging is enabled, consult the error log for more information.

Security

DNS keyword in ACIs (#4725671)

If the DNS keyword is used in an ACI, any DNS administrator can access the directory by modifying a PTR record, and can thereby provide the privileges granted by the ACI.

Workaround
Use the IP keyword in the ACI, to include all IP addresses in the domain.

Entry DNs containing quotes (#4529541)

Directory Server does not correctly parse ACI target entry DNs containing quotes. The following example causes a syntax error:

dn:o=mary\"red\"doe,o=example.com,o=isp changetype:modify add:aci aci:(target="ldap:///o=mary\"red\"doe,o=example.com,o=isp")(targetattr="*") (version 3.0; acl "test"; allow (all) userdn ="ldap:///self";)

Account lockout after password change (#4527623)

Account lockout remains in effect after a user password has been changed. If users forget their passwords and are locked out of the directory, they are unable to log in until the lockout attributes (accountUnlockTime, passwordRetryCount, and retryCountResetTime) are cleared, even if an administrator has reset their passwords.

Workaround
Reset the lockout attributes accountUnlockTime, passwordRetryCount, and retryCountResetTime to unlock the account.

Schema

nsslapd-ds4-compatible-schema attribute (#4666007)

Setting the nsslapd-ds4-compatible-schema attribute to on may cause slapd to fail to start.

This problem has been fixed for the default schema provided with Directory Server 5.2. However, the problem may still be apparent in custom schema modifications. Directory Server 4.x notation is not LDAPv3 compliant and support for this notation will be removed in a future release of Directory Server.

Workaround
For custom schema:

Check the error log to identify the schema element that is causing the error.
Edit the file in which this element is defined.

Change the element description (DESC) to ensure that none of the following keywords appear: must, may, obsolete, x-origin.

Save the file and restart the server.

For example, in the following file:

   ServerRoot/slapd-serverID/config/schema/20subscriber.ldif

Change the description for the inetUser attribute from:

'Auxiliary class which must be present in an entry for delivery of subscriber services' to

'Auxiliary class which has to be present in an entry for delivery of subscriber services'

Replication

Replication fails after recreating schema with new OIDs (#5050755)

If you delete an attribute or object class in a user-defined schema, and then recreate it with a new OID, adding entries using this schema may cause replication to stop. This problem also occurs when an OID in a user-defined schema is changed.

Workaround
If this problem causes replication to stop, manually replace the 99user.ldif file on the consumer with the 99user.ldif on the supplier, and restart the consumer.

Additional documentation required on using referential integrity plug-in with legacy replication (#4956596)

When replicating from a 4.x master to a 5.x consumer, with referential integrity enabled, you must reconfigure the referential integrity plug-in on the 4.x master to write referential integrity changes to the 4.x changelog. This enables referential integrity changes to be replicated. If you do not reconfigure the plug-in, referential integrity will not work correctly.

To reconfigure the referential integrity plug-in in this environment:

Stop the 4.x server.
Open the slapd.ldbm.conf file located in ServerRoot/slapd-ServerID/config/.
Locate the line that begins:

plugin postoperation on "referential integrity postoperation"

Modify this line by changing the argument that appears just before the list of attributes from 0 to 1.

For example, change:

plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 0 "member" "uniquemember" "owner" "seeAlso"

to

plugin postoperation on "referential integrity postoperation" "ServerRoot/lib/referint-plugin.dll" referint_postop_init 0 "ServerRoot/slapd-serverID/logs/referint" 1 "member" "uniquemember" "owner" "seeAlso"

Save the slapd.ldbm.conf file.
Restart the server.
Reinitialize the 5.x consumer from the 4.x supplier.

The changelog is not purged by default (#4881004)

When configuring replication, be aware that the changelog is not purged by default. This means that the changelog.db3 files will continue to grow ad infinitum.

Workaround
Set a value for the maximum changelog age or for the maximum number of changelog records. To do this, select Configuration>Data>Replication from Directory Server Console, or modify the attributes nsslapd-changelogmaxage or nsslapd-changelomaxentries under cn=changelog5,cn=config (using the command line.) The nsslapd-changelogmaxage attribute should be set to the same value as the nsDS5ReplicaPurgeDelay attribute under cn=replica,cn=suffixName,cn=mapping tree,cn=config. For more information on these attributes, see Chapter 4, “Core Server Configuration Attributes” in the Sun ONE Directory Server Reference Manual.

The insync command-line tool has no concept of partial replication (#4856286)

Reported delays may therefore be inaccurate when partial replication is configured.

Workaround
If partial replication is configured, use the ldapsearch utility to determine the value of the ds5ReplicaPendingChangesCount attribute. This read-only attribute provides the number of changes not yet sent to the specified consumer. The attribute must be specifically requested in the ldapsearch operation. Note that an ldapsearch command on this attribute will have a performance impact on the server.

Multi-master replication over SSL (#4727672)

In a multi-master replication scenario, if replication is enabled over SSL using simple authentication, it is not possible to enable replication between the same servers over SSL using certificate-based client authentication.

Workaround
To enable replication over SSL using certificate-based client authentication, restart at least one of the servers.

Aborting a total update (#4741320)

If a total update is aborted while in progress, it is not possible to launch another total update, or to reenable replication on the suffix.

Workaround
Do not abort a total update while it is in progress.

Replication monitoring tools and literal IPv6 addresses (#4702476)

The replication monitoring tools (entrycmp, insync and repldisc) do not support LDAP URLs containing literal IPv6 addresses.

Local schema modifications may be overwritten when a consumer database is created (#4537230)

Note

The replication monitoring tools rely on read access to cn=config to obtain the replication status. This should be taken into account particularly when replication is configured over SSL.

Note

In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly. To ensure correct replication between a 5.2 server and a 5.1 server:

For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
Restart the 5.1 server.
In the 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
Configure replication on both servers.
Initialize the replicas.

Initially, certain schema attributes may be replicated between the servers as they synchronize other schema elements but this is benign and will not cause any problems. See the Installation Notes for details on how the schema has changed.

Directory Server Console

The console cannot display certificates with a quotation mark (“) in the DN (#5067904)

Workaround
Use the certutil utility to view the certificates in the database.

Creating a new role via the console fails with a Java exception (#5063342)

If you have upgraded to Directory Server 5.2 Patch 2, creating a new role using the console fails with a Java exception error.

Workaround 1
Edit the Configuration Directory Server, and update the class to be called by the console, as follows:

ldapsearch -1 -p CDS port -b o=Netscaperoot cn=nsroledefinition 1.1
 dn: cn=nsroledefinition, cn=ResourceEditorExtension, ou=4.0, ou=Admin, ou=Global
 Preferences, ou=administration domain, o=NetscapeRoot
ldapmodify -p CDS port -D root dn -w root pw
Result of previous command
changetype: modify
replace: nsclassname
nsclassname: com.netscape.admin.dirserv.roledit.ResEditorRoleInfo@ds522.jar
nsclassname: com.netscape.admin.dirserv.roledit.ResEditorRoleMembers@ds522.jar
nsclassname: com.netscape.admin.dirserv.roledit.ResEditorRoleAccountPage@ds522.jar

modifying entry cn=nsroledefinition, cn=ResourceEditorExtension, ou=4.0,
ou=Admin, ou=Global Preferences, ou=france.sun.com, o=NetscapeRoot

^C
Restart the console.

A side effect of this workaround may be that it is no longer possible to create a new role using the console, on a server of a different version, using the same Configuration Directory Server.

Workaround 2
Use the ldapmodify command to create the new role.

Patching compressed archive versions of Directory Server in a localized environment causes the Administration Console to display the incorrect name (#5069443)

If you have installed a localized version of Directory Server via compressed archive, and are updating the installation, the Administration Server console name changes from Sun Java System to Sun ONE. This change is harmless and can be ignored.

Creating a new group with new members (#4868083)

Creating a new group with new members through the console causes an LDAP exception error. If you create a new group through the console, and attempt to add members before saving the group, the following error is displayed:

Save Error Cannot save to directory server: netscape.ldap.LDAPException: error results (2); protocol violation: attribute uniquemember has no values; Protocol error

Workaround
Add the group and save it (by clicking OK on the Create New Group window), then add the members.

The console does not support passwords containing a colon (#4535932)

The console does not support passwords containing a colon (:).

Workaround
Do not use colons in passwords.

The console and external security devices (#4795512)

The console does not support the management of external security devices, such as Sun Crypto Accelerator 1000 Board.

Workaround
External security devices must be managed via the command line.

Trailing spaces are not preserved during a remote console import operation (#4529532)

Trailing spaces are preserved during both local console and ldif2db import operations.

Running the startconsole command with the -l option (#4843693)

On Windows systems, running the startconsole command with the -l option does not set the locale correctly. The console cannot display I18N characters unless the locale is set.

Workaround
In addition to using the -l option with the startconsole command, set the locale as follows:

Select Start > Settings > Control Panel.
Select Regional Options.
On the General tab of the Regional Options window, select the required locale from the Your locale dropdown list.
Click OK.

Core Server

Stopping the server during export, backup, restore, or index creation causes it to crash (#4678334)

Miscellaneous

DsmlSearch does not handle chunked DSML responses (#5104932)

Although Directory Server includes a configurable (ds-hdsml-responsemsgsize) response buffer size to allow chunked DSML responses, the DsmlSearch utility delivered with Directory Server Resource Kit cannot currently handle chunked DSML responses. In consequence, the DsmlSearch utility cannot handle search responses where results generated are larger than the response buffer size. For instance, a search for "objectclass=*" might result in a chunked response, causing DsmlSearch to print a stack trace. This limitation does not affect client utilities that can handle chunked DSML responses.

Statistics for SNMP subagents (#4529542)

On UNIX platforms, statistics are generated only for the last SNMP subagent that is started. This implies that you can monitor only one Directory Server instance at a time with SNMP.

Transaction logs and the db2bak command-line utility (#4815733)

Transaction logs are no longer deleted if the db2bak command-line utility is cancelled. Database transaction log removal is temporarily disabled while db2bak is running, and is not reenabled if the command terminates prematurely.

Workaround
Do not interrupt (with CTRL-C, for example) the db2bak command while a backup is in progress. To avoid this problem, it is strongly recommended that you use db2bak.pl (directoryserver db2bak-task for Solaris packages.)

The pass-through authentication (PTA) plug-in cannot be configured to accept multiple authenticating Directory Servers with the same suffix (#4845622)

Changing the maximum size of the transaction log file has no effect if log files already exist in the database directory (#4523783)

Workaround
Stop the server, modify the nsslapd-db-logfile-size attribute in the dse.ldif manually, remove all log.* files from the database directory, and restart the server.

ldapsearch on Linux systems (#4755958)

On Linux systems, an ldapsearch operation without a host name, such as

ldapsearch -D ... -w ... -h -p 389

returns an error 91 (ldap_simple_bind: Can't connect to the LDAP server - No route to host). On other platforms, an error 89 (LDAP_PARAM_ERROR) is returned. This is because on Linux systems, it is possible to resolve a host such as "-p", so the connect function attempts to do so, and fails.

---

Accessing Product Documentation

The online documentation files are contained on the product CD and can be accessed via a browser. In addition, you can download the entire documentation set, in HTML format.

Once you have downloaded this file, extract it to the following location:

ServerRoot/manual/en/slapd

The documentation set can then be accessed from:

ServerRoot/manual/en/slapd/index.html

or from the Directory Server Console, by selecting Documentation Home from the Help menu.

---

How to Report Problems and Provide Feedback

If you have problems with Sun ONE Directory Server, contact Sun customer support using one of the following mechanisms:

Sun Software Support services online at
http://www.sun.com/service/sunone/software

This site has links to the Knowledge Base, Online Support Center, and ProductTracker, as well as to maintenance programs and support contact numbers.

The telephone dispatch number associated with your maintenance contract

So that we can best assist you in resolving problems, please have the following information available when you contact support:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. Email your comments to Sun at this address:

docfeedback@sun.com

Please include the part number (816-6703-10) of the document in the subject line of your email.

---

Additional Sun Resources

Useful Sun ONE information can be found at the following Internet locations:

Sun ONE Documentation
http://docs.sun.com/prod/sunone
Sun ONE Software Products and Service
http://www.sun.com/software
Sun ONE Software Support Services
http://www.sun.com/service/sunone/software
Sun ONE Support and Knowledge Base
http://www.sun.com/service/support/software
Sun Support and Training Services
http://www.sun.com/supportraining
Sun ONE Consulting and Professional Services
http://www.sun.com/service/sunps/sunone
Sun ONE Developer Information
http://sunonedev.sun.com
Sun Developer Support Services
http://www.sun.com/developers/support
Sun ONE Software Training
http://www.sun.com/software/training
Sun Software Data Sheets
http://wwws.sun.com/software
Sun ONE Directory Server Certification
http://training.sun.com/US/certification/middleware/dir_server.html

---

Copyright � 2004 Sun Microsystems, Inc. All rights reserved.

Sun, Sun Microsystems, the Sun logo, Solaris, Java and the Java Coffee Cup logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Use of Directory Server is subject to the terms described in the license agreement accompanying it.