The following sections list known problems and limitations at the time of release.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.
To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.
Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.
The Directory Server supports Sun Cluster 3.2. When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.
To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.
When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.
An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.
The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.
To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.
This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.
To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.
After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.
To work around this issue when installing from native packages, use the cacaoadm enable command as root.
To work around this issue on Windows, choose Log On from the properties of Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already done this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.
The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.
A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.
Console does not allow administrator to logon to the server running Windows XP.
As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.
If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 13, Directory Server Indexing, in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for details.
If the Directory Manager's password contains a space character, the Directory Manager account cannot create a directory server or directory proxy server instance by using the console.
Due to the same issue, the command dsccsetup ads-create —w password-file fails if the password file contains a space character.
In instances installed from the zip distribution of DSEE 6.0 and later releases, the dsadm and dpadm commands do not support the Service Management Facility (SMF). If the instance is registered to SMF manually, it is controlled by SMF so that if the instance is stopped via the dsadm or dpadm commands or through DSCC, SMF restarts the instance.
The SMF feature is fully supported only in the native distribution of DSEE 6.0 and later releases.
This section lists the known issues that are found at the time of Directory Server 6.3.1 release.
Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.
The Directory Server hangs when running the stop-slapd command.
When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.
LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
If certificates contain localized names, the certificate cannot be deleted properly. They also cannot be listed properly.
Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.
When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.
To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.
To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.
Export the certificate to a file.
The following example shows how to perform the export for servers in /local/supplier and /local/consumer.
$ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert |
Exchange the client and supplier certificates.
The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.
$ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt |
Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.
Add the replication manager DN on the consumer.
$ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN |
Update the rules in /local/consumer/alias/certmap.conf.
Restart both servers with the dsadm start command.
Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.
An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.
The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.
Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.
dn:o=mary\"red\"doe,o=example.com changetype:modify add:aci aci:(target="ldap:///o=mary\"red\"doe,o=example.com") (targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com changetype:modify add:aci aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com") (targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)
Examples with more than one comma that has been escaped have been observed to parse correctly, however.
The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.
On Windows, SASL authentication fails due to the following two reasons:
SASL encryption is used.
To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.
dn: cn=SASL, cn=security, cn=config dssaslminssf: 0 dssaslmaxssf: 0 |
The installation is done using native packages.
To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.
Directory Service Control Center does not properly display userCertificate binary values.
The dsrepair fix-entry does not work if the source is a tombstone and if the target is an entry (DEL not replicated).
Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.
It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.
On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.
Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.
On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.
To work around this issue, change the LDIF file name so that it does not contain double-byte characters.
The dsadm enable-service command does not work correctly with Sun Cluster.
The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.
The supported SSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.
Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.
To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.
After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.
To work around this issue, change the permissions on the installations and server instance folders.
For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:
man5dpconf.
man5dsat.
man5dsconf.
man5dsoc.
man5dssd.
To workaround this issue, access the man pages at Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.
An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.
When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.
To work around this issue, use a different browser such as Mozilla web browser.
After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.
On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.
The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.
On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.
When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.
To workaround this issue,
Enabled Monitoring Plug-in using the web console or dpconf.
Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.
The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.
In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.
When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.
Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.
Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.
On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.
The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.
On HP-UX, detaching the gdb from a running process of ns-slapd, kills the process and generates core dump.
On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.
Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.
The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.
These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done()() function.
Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start or perform other regular tasks.
Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:
# cacaoadm list-params | grep java-flags java-flags=-Xms4M -Xmx64M # cacaoadm stop # cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" # cacaoadm start |
Use only the ASCII characters in the instance path to avoid these issues.
When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.
Using the Directory Service Control Center to manage the default password policy does not causes any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.
When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:
svcadm: Instance "svc:/instance_path" is in maintenance state. |
To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.
On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.
As a workaround to this problem, set the SHLIB_PATH variable.
env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm |
You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6.
As a workaround, use JDK 1.5 instead.
Sun Java System Application Server bundled with Solaris 10 cannot create SASL client connection for authenticated mechanism and does not communicate with common agent container.
As a workaround, change the JVM used by application server by editing the appserver-install-path/appserver/config/asenv.conf file and replace the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.
The dsadm autostart can make native LDAP authentication to fail when you reboot the system.
As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.
On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.
If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.
If unzip is unavailable on the system, dsee_deploy does not install any product.
To use a localized Directory Service Control Center, apply the Directory Server Enterprise Edition 6.3.1 localized patch before the Directory Server Enterprise Edition 6.3.1 core patch, or run the following commands in the specified order.
# dsccsetup console-unreg # dsccsetup console-reg |
There is no need to run the dsccsetup console-unreg and console reg commands if you apply the Directory Server Enterprise Edition 6.3.1 localized patch before the Directory Server Enterprise Edition 6.3.1 patch.
For zip based installation, the Directory Server Enterprise Edition 6.3.1 localized patch is not automatically applied to the Directory Service Control Center. As a workaround, undeploy and then redeploy the WAR file.
Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.
To workaround this issue:
Add the 64-bit module with 64-bit version of modutil:
$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" -libfile /usr/lib/mps/64/libnssckbi.so -nocertdb \ -dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db |
The Directory Service Control Center has no RBAC capability.
For encoding other than UTF-8, and when the install path contains non-ASCII characters, then the dsee_deploy tool fails to set up the Java Enterprise System Monitoring Framework inside the common agent container.
The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.
The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.
For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.
To have SSL port only and secure-listen-address setup with Directory Server Enterprise Edition 6.3, use this workaround:
Unregister the server from DSCC:
dsccreg remove-server /local/myserver |
Disable the LDAP port:
dsconf set-server-prop ldap-port:disabled |
Set up a secure-listen-address:
dsconf set-server-prop secure-listen-address:IPaddress |
dsadm restart /local/myserver |
Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.
After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService
The ldapmodify bulk import command can damage existing data. Specifying the option -B suffix causes all the existing data in the suffix to be removed.
The ldapmodify man page is therefore incorrect when it states that bulk import using the ldapmodify command does not erase entries that already exist.
In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.
In the Korean locale, clicking the Remove Attribute button in Encrypted Attributes Section of the Directory Service Control Center shows the following incomplete error message:
You have chosen to remove |
The message should be as follows:
You have chosen to remove {0} from the list of encrypted attributes. In order for the database files to reflect the configuration and to work properly you must Initialize the Suffix. Do you want to continue? |
Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.
On the Windows 2000 zip distribution, with the Tomcat 5.5 Application Server and using Internet Explorer 6, in the "Step 3: Assign Access Rights" of the "New DS Access Control Instruction" wizard in Directory Service Control Center, clicking on the "Delete" button of the "Assign Rights to Specified Users: " listbox, can produce an exception similar to the following:
The following error has occurred: Handler method "handleAssignACIToDeleteButtonRequest" not implemented, or has wrong method signature Show Details Hide Details com.iplanet.jato.command.CommandException: Handler method "handleAssignACIToDeleteButtonRequest" not implemented, or has wrong method signature com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute (DefaultRequestHandlingCommand.java:167) com.iplanet.jato.view.RequestHandlingViewBase.handleRequest (RequestHandlingViewBase.java:308) com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
Replication from Directory Server 6.X master to a 5.1 master is not working properly.
In traditional Chinese, in the Directory Service Control Center the translation of the string "Initialize Suffix with Data..." in the Replication Settings tab of a suffix is confusing.
Before upgrading from Directory Server Enterprise Edition 6.2 to Directory Server Enterprise Edition 6.3, the ntservice for each instance of Directory Server or the Directory Proxy Server must be manually stopped, but the dsee_deploy command fails to identify running instances of Directory Server or the Directory Proxy Server on the Microsoft Windows 2000 platform.
On the zip distribution of Microsoft Windows 2000, when upgrading, the dsee_deploy command can fail. The error message is as follows:
error: cannot delete old C:/local/upg6263/./dsee6/lib/bin/dsee_ntservice.exe
This indicates that an instance of the Directory Server or the Directory Proxy Server is still running. To stop the instance or instances, in Microsoft Windows 2000, select on Start > Settings > Control Panel, and choose Administrative Tools, then Services. For each service of the Directory Server or the Directory Proxy Server displayed in the right column, right click the instance and select Stop.
In the Directory Service Control Center, the Copy Suffix Configuration operation can produce erroneous pop-up windows.
DSCC cannot necessarily retrieve agent certificates that it creates. DSCC attempts to store the certificate in the 'agent-profile' in the DSCC registry, but if the DSCC registry's ldap-port is bound to the loopback interface, the certificate cannot be stored. However, the DSCC can read the DSCC registry because by design, so it must use localhost to communicate with DSCC registry.
To work around this limitation, use the ldapmodify command to create agent-profile in the DSCC registry.
An attempt to stop/start/restart server through a localized DSCC can lead to display garbled localized messages.
As a workaround edit the cacao.properties file and remove -Dfile.encoding=utf-8 flag then restart cacao under the preferred locale.
If a Directory Proxy Server instance has only secure-listen-socket/port enabled through DSCC and if server certificate is not default (for example, if it is a certificate-Authority-signed certificate), then DSCC cannot be used to manage the instance.
To work around this problem, unregister the DPS instance and then register it again. Another solution is to update the userCertificate information for the DPS instance in the DSCC registry using the server certificate.
Versions of Directory Server 5 and Directory Server Enterprise Edition 6 may encounter a performance issue when using Veritas file system (VxFS) version 4.1 and 5.0 on Solaris 9 and Solaris 10 (SPARC or x86). The performance issue is located within the fdsync system call and affects, for example, Directory Server checkpointing. This issue is addressed with Solaris VMODSORT feature. Refer to http://sunsolve.sun.com/search/document.do?assetkey=1-66-201248-1 for further information.
Directory Server Enterprise Edition 6 can encounter a performance issue (CR 6703850) when using the Veritas file system with the VMODSORT feature. This issue occurs when a page is added at the of the file (for example, id2entry.db3) This error causes the ftruncate system call use as many resources as when using the Veritas file system without the VMODSORT feature.
Password policies measure password length by the number of bytes, so a password containing multi-byte characters can meet password-length policy even if the password contains fewer characters than the policy's specified minimum. For example, a 7-character password with one 2-byte character satisfies a password policy with password minimum length set to 8.
Example 1 of the man page for the modrate command contains usage errors. The following example is correct:
modrate -D uid=hmiller,ou=people,dc=example,dc=com -w hillock -b "uid=test%d,ou=test,dc=example,dc=com" \ -C 3 -r 100 -M 'description:7:astring' |
The nsslapd-groupevalsizelimitis property is not documented. The following description applies to this property.
nsslapd-groupevalsizelimit-maximum number of static group members for ACI evaluation.
Defines the maximum number of members that a static group (including members of its sub-groups) can have for ACI evaluation.
cn=config
0 to the maximum 64-bit integer value
A value of -1 means infinite.
5000
Integer
nsslapd-groupevalsizelimit: 5000
See the attributes(5) man page for descriptions of the following attributes:
ATTRIBUTE TYPE |
ATTRIBUTE VALUE |
---|---|
Availability |
SUNWldap-directory |
Stability Level |
Obsolete: Scheduled for removal after this release |
On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.
The value of minheap is incorrectly described in the Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference. The value of minheap is twice the amount of heap memory used by the server at startup.
An attempt to edit an attribute value containing a carriage return results in corruption of the value.
Due to a potential database corruption present but undetected in version 6.2, before upgrading from Directory Server Enterprise Edition 6.2 to 6.3.1, rebuild the database by exporting it to an LDIF file and then reimport the LDIF file. In a replicated environment, rebuild or reinitialize all servers. Exporting, importing, and initializing servers in a replicated environment are described in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
This applies only to an upgrade from Directory Server Enterprise Edition 6.2. It does not apply to upgrades from version 6.0, 6.1, or 6.3.
Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). Directory Server does not accept multibyte characters (such as in Chinese or Japanese character sets) in strings for database names, file names, and path names. To work around this issue when creating a Directory Server suffix having multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.
$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN |
Do not use the default database name for the suffix. Do not use multibyte characters for the database name.
Directory Server Enterprise Edition 6 does not stop gracefully during Windows shutdown when registered as a service. At system restart, the following message is logged in the error log file:
WARNING<20488> - Backend Database - conn=-1 op=-1 msgId=-1 - Detected Disorderly Shutdown last time Directory Server was running, recovering database. |
To work around this problem, stop the Directory Service manually before shutdown or reboot.
To stop the instances in Microsoft Windows, select Start > Settings > Control Panel, and select Administrative Tools and then Services. For each service of the Directory Server displayed in the right column, right click the instance and select Stop. Alternatively, run this command:
$ dsadm.exe stop instance-path |
Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the 'DSEE_HOME/ds6/bin/dsconf accord-repl-agmt' to correct the replication agreement.
Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:
WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 - Detected plugin paths from another install, using current install |
To avoid these warnings, be sure to use C:/ consistently.
Back-end database errors can be reported on Windows 2000. This problem exists only on Microsoft Windows. When it occurs, the following error messages are logged in the error logs:
ERROR<20742> - Backend Database - conn=-1 op=-1 msgId=-1 - BAD MAP 1, err=5 ERROR<20741> - Backend Database - conn=-1 op=-1 msgId=-1 - BAD EV 1, err=5 |
This error is usually harmless, but rarely it can cause a crash (6798026) when an instance spawned by a user (administrator or any other user) conflicts with an instance spawned by another user (a windows service, administrator or any other user).
To work around this problem in production, all instances must be registered as services.
To work around this problem during testing, if no instance is started as windows service, then new instances must be started by the same user. If an instance is started as a windows service, the only workaround is to start the new instances using a Remote Desktop Connection (rdesktop).
Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:
For more information about data source configuration, see the "Sun Java System Directory Server Enterprise Edition Reference." |
Selecting the link to the DSEE Reference document produces an error message.
To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.
In a Multi-Master Replication configuration, replication from versions of Directory Server 6 to Directory Server 5.2 masters (with a maximum of four servers) works correctly.
In a Multi-Master Replication configuration, the migration of masters from JES 4 to Directory Server 6.3 might fail. For example, the following error message can appear after performing step 6 of Migrating the Masters in Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide:
INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - _replica_configure_ruv: failed to create replica ruv tombstone entry (suffix); LDAP error - 53 |
To work around this problem, use these steps:
Stop all JES 4 masters.
Edit the dse.ldif configuration file manually and change nsslapd-readonly: on to nsslapd-readonly: off.
Run the dsmig migrate-config migration command.
Attempts to install DSEE6.3 patchzip (and later) on Japanese Windows always fail when deploying JESMF in Cacao, with results similar to the following:
Deploying JESMF in Cacao... ## Failed to run install-path/dsee6/cacao_2/bin/cacaoadm.bat deploy install-path/dsee6/mfwk/xml/com.sun.mfwk.xml #### #### Cannot execute command deploy: The connection has been closed by the server . #### ## Exit code is 1 Failed to register DS in JESMF. Error: Cannot register mfwk into cacao framework: |
Use the following steps to complete the installation after the failure:
Add the following to mfwk.properties in order to start Cacao.
com.sun.mfwk.agent.objects=false |
Run the following command to restart Cacao.
cacaoadm start |
Confirm that Cacao continues to run.
Run the following two commands:
$ dsccsetup mfwk-unreg $ dsccsetup mfwk-reg -t |
Run the following command to confirm that mfwk is properly registered in Cacao framework
$ install-path/dsee6/cacao_2/bin/cacaoadm list-modules |
If mfwk is properly registered, the command returns these results:
List of modules registered: com.sun.cacao.agent_logging 1.0 com.sun.cacao.command_stream_adaptor 1.0 com.sun.cacao.efd 2.1 com.sun.cacao.instrum 1.0 com.sun.cacao.invoker 1.0 com.sun.cacao.mib2simple 1.0 com.sun.cacao.rmi 1.0 com.sun.cacao.snmpv3_adaptor 1.0 com.sun.cmm.ds 1.0 com.sun.directory.nquick 1.0 com.sun.mfwk 2.0 |
Copy the following two files to install-path/dsee6/bin:
installer-path\DSEE_ZIP_Distribution\dsee_deploy.exe installer-path\DSEE_ZIP_Distribution\dsee_data\listrunnings.exe |
LDAP commands do not work on Windows (IPv6 enable)
An attempt to stop the server immediately after it starts might cause a crash in versions of DSEE 6.
The Directory Server Enterprise Edition 5.x password policy manages attributes with a password* naming pattern, and the Directory Server Enterprise Edition 6.x password policy manages attributes with a pwd* naming pattern. When running in Directory Server Enterprise Edition compatibility mode (such that attributes of both policies are managed), if a password policy's functionality is disabled, then some values of related attributes can differ between the 5.x attributes and the 6.x attributes. For example, if passwordUnlock is set to off, then the value of pwdLockoutDuration can be 0 at the same time that the value of passwordLockoutDuration is <>0.
The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.
In case of a Multi-Master Replication migration from Directory Server 5.2 to Directory Server 6.3, the Manual Reset of Replication Credentials in Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide is not complete. The procedure directs you to run this command:
dsconf set-server-prop -h host -p port def-repl-manager-pwd-file:filename |
It is also necessary to run this undocumented command:
dsconf set-repl-agmt-prop -p port_master1 replicated_suffix master2:port_master2 auth-pwd-file:filename |
The dsmig migrate-config command returns commands that must be launched to reset replication credentials properly.
A non-existent Sun Microsystems plug-in can be considered to have a valid signature. The following warning message is displayed:
WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 - Detected plugin paths from another install, using current install. |
This warning message appears only for plug-ins with a vendor of Sun Microsystems.
An unindexed search involving ACI evaluation that returns few entries can cause very low search performance. This issue applies only to this release DSEE6.3.1.
A memory shortage resource can cause versions of Directory Server 6 to crash. The following error message is written in the server errorlog file:
ERROR<5122> - binder-based resource limits - conn=-1 op=-1 msgId=-1 - System error: resource shortage PR_NewRWLock() failed for reslimit |
A directory server instance cannot be stopped by using dsadm stopcommand via Remote Desktop if the directory server instance was started via the console or the dsadm startcommand locally.
To work around this issue, run the following command to enable the service:
dsadm enable-service --type WIN_SERVICE instance-path |
Because of a problem described in Vulnerability Note VU#836068, MD5 vulnerable to collision attacks, Directory Server Enterprise Edition should avoid using the MD5 algorithm in signed certificates.
Use the following steps to determine the signature algorithm of a certificate.
Run the following command to display the list of certificates defined in a specific Directory Server instance.
$ dsadm list-certs instance-path |
Run the following command on each defined certificate to determine whether the certificate is signed with the MD5 algorithm:
$ dsadm show-cert instance-path cert-alias |
The following example shows typical output from the dsadm show-cert command for a MD5–signed certificate:
Certificate: Data: [...] Signature Algorithm: PKCS #1 MD5 With RSA Encryption [...] |
Run the following command to remove any MD5–signed certificates from the database:
$ dsadm remove-cert instance-path cert-alias |
Use the following steps to update the certificate database password. (The dsadm command generates a default certificate database password when creating a directory server instance.)
Stop the Directory Server instance.
Run the following command:
$ dsadm set-flags instance-path cert-pwd-prompt=on |
A message appears, prompting you for a password.
Enter a password that is at least eight characters long.
Restart the Directory Server instance and provide the Internal (Software) Token when prompted for it.
Replace any MD5–signed certificates with SHA-1–signed certificates. Use one of the following procedures, depending on whether your installation uses a self-signed certificate or a certificate acquired from a Certificate Authority.
Use the following steps to generate and store a self-signed certificate:
As a Directory Server administrator, run the following command to issue a self-signed certificate using the SHA-1 signing algorithm. (For more information about the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
$ certutil -S -x -n certName -s subject -d certs-db-path \ -P "slapd-" -t "CTu,u,u" -Z SHA1 |
Specifies generation of an individual certificate and adding it to the database.
Specifies generation of a self-signed certificate
Specifies the certificate's alias name, for example, defaultCert
Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=...
Specifies the database directory to contain the certificate and key database files.
Specifies the certificate database prefix
Specifies the trust arguments
Specifies SHA-1 as the certificate signature algorithm
The following example shows a typical use:
$ install-path/dsee6/bin/certutil -S -x -n "A-New-Cert" \ -s "CN=myhostname,CN=8890,CN=Directory Server,O=CompanyName" \ -d instance-path/alias \ -P "slapd-" -t "CTu,u,u" -Z SHA1 |
The command displays this prompt:
[Password or Pin for "NSS Certificate DB"] |
Enter the new certificate database password that you created.
Use the following steps to generate and store a certificate acquired from a Certificate Authority (CA):
Run the following command to issue a CA-Signed Server Certificate request:
$ certutil -R -s subject -d certs-db-path -P "slapd -a -Z SHA1 -o output-file |
Specifies to generate a CA-signed Server Certificate request
Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=...
Specifies the database directory to contain the certificate and key database files.
Specifies the certificate database prefix
Specifies that the certificate request be created in ASCII format instead of the default binary format
Specifies the output file for storing the certificate request
The following example shows a typical use:
$ install-path/dsee6/bin/certutil -R \ -s "CN=myhostname,CN=7601,CN=Directory Server,O=CompanyName" \ -d instance-path/alias \ -P "slapd-" -a -o /tmp/cert-req.txt |
The command displays this prompt:
[Password or Pin for "NSS Certificate DB" |
Enter the new certificate database password that you created.
Make sure that your Certificate Authority is no longer using the MD5 signature algorithm, and then send the certificate request to the Certificate Authority (either internal to your company or external, depending on your rules) to receive a CA-signed server certificate as described in To Request a CA-Signed Server Certificate in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
When the Certificate Authority sends you the new certificate, run the following command to add the certificate to the certificates database:
$ dsadm add-cert ds-instance-path cert-alias signed-cert-alias |
This step is described in To Add the CA-Signed Server Certificate and the Trusted CA Certificate in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
If the trusted Certificate Authority certificate is not already stored in the certificate database, run the following command to add it:
$ dsadm add-cert --ca instance-path trusted-cert-alias |
This step is described in To Add the CA-Signed Server Certificate and the Trusted CA Certificate in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.
Run the following command to verify that the new certificate is being used.
$ dsadm show-cert instance-path cert-alias Certificate: Data: [...] Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption [...] |
When the pwd-must-change-enabled property set to on and user account operations are invoked with the proxied authorization control, the only operation that can be performed on behalf of a user with a reset password is modification of the user's account password.
For versions prior to Directory Server Enterprise Edition 6.3.1, this operation was rejected as account unusable (as described in CR 6651645). Directory Server Enterprise Edition 6.3.1 added support for changing a reset password using proxied authorization, however, applying the 6.3.1 patch to an existing deployment caused the following issue. When an account password has been administratively reset, an operation on the account using proxied authorization is not strictly enforced to modifying the userpassword attribute. -
The cause of this issue is a change in the Directory Server plug-in ordering, which is not corrected for any existing instances during the 6.3.1 patch application. Any Directory Server instance created after upgrading to Directory Server Enterprise Edition 6.3.1 has the correct plug-in ordering.
For a Directory Server instance created before upgrading to Directory Server Enterprise Edition 6.3.1, an administrator must correct the instance's plug-in ordering list using the ldapmodify command.
The following example assumes the plug-in ordering has not be modified from the original ordering. If the deployment uses a custom ordering, modify the example to include the customization, but make sure that ACL preoperation precedes any PwP preoperation.
Restart the instance for the change to take effect.
$ install-path/dsrk6/bin/ldapmodify dn: cn=plugins, cn=config changetype:modify replace: plugin-order-preoperation-finish-entry-encode-result plugin-order-preoperation-finish-entry-encode-result: ACL preoperation,PwP preoperation - replace: plugin-order-preoperation-search plugin-order-preoperation-search: ACL preoperation,* - replace: plugin-order-preoperation-compare plugin-order-preoperation-compare: ACL preoperation,* - replace: plugin-order-preoperation-add plugin-order-preoperation-add: ACL preoperation,PwP preoperation,* - replace: plugin-order-internalpreoperation-add plugin-order-internalpreoperation-add: PwP internalpreoperation,* - replace: plugin-order-preoperation-modify plugin-order-preoperation-modify: ACL preoperation,PwP preoperation,* - replace: plugin-order-internalpreoperation-modify plugin-order-internalpreoperation-modify: PwP internalpreoperation,* - replace: plugin-order-preoperation-modrdn plugin-order-preoperation-modrdn: ACL preoperation,* - replace: plugin-order-preoperation-delete plugin-order-preoperation-delete: ACL preoperation,* - replace: plugin-order-bepreoperation-add plugin-order-bepreoperation-add: PwP bepreoperation,* - replace: plugin-order-bepreoperation-modify plugin-order-bepreoperation-modify: PwP bepreoperation,* |
When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:
the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties
scheduling of the housekeeping thread
the effective size of the log file when the rotation condition is satisfied
The timestamp in the rotated log file (for example, access.timestamp) can therefore not be guaranteed.
The First Login Password Policy scenario described in To Set Up a First Login Password Policy in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide is not complete. Before running the example, make sure that the Global Password Policy default entry ("cn=Password Policy,cn=config") is configured with the Password Must Change property set to TRUE.
If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.
The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.
Configuration of Cacao can fail on Windows when the environment variable PERL5LIB is set to a pre-existing PERL version.
To work around this issue, edit both of the script files. For a ZIP installation of Directory Server Enterprise Edition, edit both of these files:
installPath/dsee6/cacao_2/configure.bat
installpath/dsee6/cacao_2/bin/cacaoadm.bat
For Sun Java Enterprise System 5 installations of Directory Server Enterprise Edition, edit both of these files:
C:\Program Files\Sun\JavaES5\share\cacao_2\configure.bat
C:\Program Files\Sun\JavaES5\share\cacao_2\bin\cacaoadm.bat
Edit each file and add this line at the beginning of each file:
set PERL5LIB= |
On Windows installations, the ldapsearch, ldapmodify, ldapcompare, and ldapdelete commands fail when multibyte characters are specified as the value for SASL bind options authid and authzid. Instead of receiving the raw characters, the command receives characters converted incorrectly by the code page used by the installation.
To prevent this conversion and provide to the command the raw characters, use one of the following code pages:
Code page 1252 for Windows western Europe
Code page 932 (Shift_JIS) for Windows Japanese
A programmatic solution is to create a new program to fork/exec the command (for example, ldapsearch) and provide the SASL bind arguments through the exec (and so without code-page translation).
The Administration Guide incorrectly states that you can use the Directory Service Control Center to set a referral to make a suffix be read-only. This capability is not implemented in the Directory Service Control Center unless replication is enabled for this suffix.