Chapter 3

Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

This chapter includes the following sections:

Bugs Fixed in Directory Server Bundle Patch 6.3.1.1.1

Known Problems and Limitations in Directory Server

Bugs Fixed in Directory Server Bundle Patch 6.3.1.1.1

This section lists the bugs fixed since Directory Server Enterprise Edition 6.3.1.1.1.

Table 3-1 Bugs Fixed in Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1

Oracle Bug ID | Sun Bug ID | Synopsis
13078242 | NONE | Heap corruption in password storage plug-in
12904374 | NONE | ISW Windows fails on-demand synchronization under specific mixed-case host/FQDN configuration
12839666 | NONE | IP address can be corrupted in access log on Windows
12589178 | NONE | Server hangs after error<20765>
12567769 | NONE | Memberof plug-in initialization searches can hang server during shutdown
12417570 | NONE | Crash in scheduled replication
12380407 | NONE | Security - DSCC admin user login binds to DPS as "simple"
12307633 | 7016943 | DS instance registered as a service may not stop properly upon Windows system shutdown
12306566 | 7012145 | The bindsecurityerrors value is not updated after normal user bind failure
12304952 | 7005125 | Superclass is ignored if its name starts with the value of entry objectclasses
12304657 | 7003676 | Pass-through authentication hangs in connection establishment
12304545 | 7003083 | VLV index may become unusable after a bulk update
12304022 | 7000827 | dsccsetup ads-create prints null, aborts and leaves half-created DS
12302712 | 6993372 | Inconsistency between master replicas after password update
12302510 | 6992374 | Directory Server hangs while doing a schema change
12302124 | 6990425 | Old cn values can reappear by consecutive modrdns applied to different masters
12301678 | 6988271 | Fix for 6751047 can cause a hang in schema change
12301079 | 6984573 | Memory leak in mpp_be_pre_modify
12300888 | 6983217 | VLV search hangs directory server
12299854 | 6977339 | DS returns incorrect search results with aci and nsslapd-search-tune
12299233 | 6973941 | numsubordinates attribute value is incorrect after an incremental import (dsconf import -k)
12298505 | 6970231 | Replication breaks when modrdn/moddn on m1 conflicts with mod on m2 (on rdn attributes)
12295968 | 6958152 | Leak in ldap_dn_normalize_rdn when processing invalid dn
12295364 | 6955859 | Core dump during re-index operation when directory cannot be opened
12294689 | 6952989 | Incorrect entry size calculation can result in a crash
12292259 | 2191558 | The first pwdfailuretime gets deleted after pwdlockoutduration has passed
12292207 | 2191522 | Ntservice code is not compliant with Microsoft requirement
12291628 | 6940840 | Crashes occur while running multiple root DSE searches
12290364 | 6935592 | DSCC shows incorrect server status after server host machine is "uinit 0"
12288595 | 6927881 | DSEE Windows service makes other services go into disabled state
12287221 | 6921222 | Incorrect csn states for rdn attributes
12287192 | 6921014 | Retro changelog memory leak
12287091 | 6920520 | DS hangs: deadlocks between acllist lock and dse lock
12287054 | 6920416 | "comma" is unexpectedly appended after etime in access logs
12287008 | 6920144 | Fast looping mod-moddn operation on an entry makes moddn fail with operation error
12284829 | 6908942 | Crash while replaying some operations in DSEE 6.x
12284721 | 6908622 | Insync dumps core if any upper-case character is used as a hostname of option -s
12284228 | 6906234 | Audit log does not contain entire change to binary attributes
12284120 | 6905595 | Frozen mode does not return referral as specified in the documentation
12283759 | 6904355 | Deadlock after online restore
12283326 | 6902477 | No recovery after DS crash
12283245 | 6902127 | Memory leak in slapi_value_new_string
12283244 | 6902119 | Memory leak in mapping_tree_entry_modify_callback
12282982 | 6900955 | passwordexpirationtime attribute is removed on replicated master
12282968 | 6900781 | Restore via dsadm should place database in referral mode
12281521 | 6894059 | Fractional replication can break, evaluating only updates from a subset of replicas
12281343 | 6892914 | Memory leak in cos-plugin
12280109 | 6887642 | proxyauth does not recognize grace logins for password changes
12278958 | 6881605 | Apparent deadlock situation when shutdown occurs using SMF in DSEE
12278328 | 6878311 | DSEE uid uniqueness plugin cannot handle more than one plus (+) symbol in a dn/uid
12277806 | 6875690 | Random crash while importing an LDIF with an entry with size exactly 8192 bytes
12277381 | 6873828 | Stopping an instance using dsadm from a different DSEE installation does not work
12276115 | 6867762 | Access log isn't rotated at specified rotation time
12276085 | 6867669 | dsml causes ns-slapd crash in write_audit_log_entry
12274908 | 6861340 | Inconsistent search result with range filter and multi-valued attribute if equality index exists
12274466 | 6859942 | Strong password policy incorrectly handles extended ASCII character set
12273467 | 6856557 | passwordexpirationtime attribute should be ignored by password policy once server is in DS6 mode
12272605 | 6852500 | Deleted group members do not show up in retrocl entry when a uniquemember is deleted from group
12272498 | 6852119 | Memory leak during ldif import with replication meta-data
12272288 | 6851491 | Buffer overflow in CoS cache creation while evaluating CoS template
12272123 | 6850537 | Non-compliant with RFC 4522 when returning binary attributes in search requests
12272023 | 6849928 | Import with purging csn fails on sub-suffixes
12271958 | 6849658 | Uniqueness plug-in does not handle subtypes during add operation
12271934 | 6849485 | Server crashes when doing a dsml search and bind dn password must be changed
12271824 | 6848926 | Crash when failing to add entry to DSE backend
12271706 | 6848272 | Macro ACI does not correctly handle dn containing brackets
12271477 | 6846934 | nsslapd-listenhost breaks ACIs which contain "ip" in keyword
12271413 | 6846693 | DS crash in csnset_size_sh
12271396 | 6846588 | On Windows SSL, listener can stop responding
12269801 | 6838896 | ns-accountstatus, ns-activate and ns-inactivate cannot handle long dns
12269660 | 6838287 | dsadm and DSCC display logs 1 hour behind during DST if DS is on Windows 2003
12269548 | 6837808 | Heap corruption during evaluation of ACI during modify operation
12269423 | 6837200 | Deadlock at startup w/ changelog trimming thread
12269284 | 6836463 | Retro changelog reports thousands of error 32 after restart
12269115 | 6835550 | MMR replication: after import replica should stay in read-only mode
12268925 | 6834783 | VLV error seen soon after import and enabling replication when having VLV indexes configured
12268135 | 6831502 | Directory Server should return appropriate error upon detecting error in BDB layer
12267366 | 6827661 | Unable to stop DS by dsadm stop on Windows 2003
12265773 | 6821219 | ACI evaluation incorrectly uses cached result
12264161 | 6813613 | Permission denied during replication in SSL-client
12263399 | 6810513 | Database restore with flag for move-archive fails on Windows
12263064 | 6809149 | After db panic, monitoring replication latency leads to a heap corruption
12262434 | 6806271 | MMR: an attribute with more than 8 values, dsee 6.x/7.x fails to detect duplicate in added values
12261881 | 6803704 | Server crashes when building cos cache if cosspecifier > 1024 chars
12261856 | 6803553 | When CoS template contains a single double quote, cos grade is parsed badly
12261673 | 6802840 | Log rotation stops after running dsconf with option rotate-log-now
12260542 | 6798026 | DS crash on Windows
12260100 | 6796266 | When memberof plugin preload is not finished (at startup), stopping DS triggers a crash
12258618 | 6790060 | Big performance regression in unindexed search ACL evaluation
12258455 | 6789448 | Exception raised when setting property "pwd-accept-hashed-pwd-enabled"
12257265 | 6784701 | Substring searches return notes=u if equality index is not present
12256949 | 6783425 | Evaluation of a complex filter can create contention
12255529 | 6778960 | Memory leak in system test
12255451 | 6778808 | dsadmin/dsconf restore exit status 0 despite existing/non-existing suffix
12254904 | 6777643 | Insync may crash because of a double free
12253966 | 6774167 | Unable to delete a SHA encoded userpassword attribute through ldapmodify
12253744 | 6773132 | Dsconf export should fail with error when target file system becomes full
12253661 | 6772760 | Crash slapd if stop just after start
12253413 | 6771728 | Replication broken because mod csn is smaller than the previous add csn
12252654 | 6768405 | dsconf does not handle '-' character, not RFC 4512 compliant
12251783 | 6764616 | Replication fails for suffix with space character (o=a b) if its prefix (o=a) is replicated
12251428 | 6763091 | Password policy assignments using roles - CoS are not visible immediately and require server restart
12251416 | 6763058 | dsconf fails to restore (move-archive) a non-root backup to a target instance owned by root
12250643 | 6759886 | modifiersname is logged incorrectly for delete operations in MMR
12250166 | 6757834 | Error: "gle plugin: could not get entry for bind operation" for anonymous binds with client authentication
12250027 | 6757251 | Support certificate requests with customizable keylength
12249793 | 6756240 | Crash in pr_poll_with_poll when ds-polling-thread-count > 1
12249582 | 6755187 | Random err=50 (insufficient access) on rh50
12249175 | 6753117 | 5.2 patch 6 + lk_6572388_6576080_6633243 crashes on t2000
12249011 | 6752475 | Backend db errors on Windows 2000
12248917 | 6751952 | Replication halts and restarts with "send update now"
12248678 | 6751047 | Replication fails with error 34 (invalid dn)
12248455 | 6750238 | The first attempt of DS restart at system reboot might fail with system event id 7022 on Windows
12248119 | 6748713 | Idletimeout does not work as expected, DS closes connection without waiting for idletimeout
12247648 | 6746574 | 'nsslapd-return-exact-case: on' doesn't work correctly for certificaterevocationlist
12247570 | 6746125 | DS6.3: ldapsearch for certificaterevocationlist with non-existing subtype returns result incorrectly
12246977 | 6743017 | Core when using backup/restore
12246882 | 6742347 | DS does not stop during Windows shutdown when registered as a service
12246806 | 6741863 | DS crashes when bind attempted on disabled suffix
12246328 | 6739300 | DSEE generates huge retro changelog when big static groups are involved
12245899 | 6737235 | Targetscope can be handled incorrectly for anonymous acis
12245704 | 6736172 | cacertificate and crosscertificatepair are not correctly added
12245677 | 6735966 | Connection polling code has side effects if polling is disabled (hang or performance loss)
12245564 | 6735368 | dsadmin restore exits with status 0 (success) despite error during the recovery
12244863 | 6731941 | Number of simultaneous pass-through authentications cannot be limited
12244731 | 6731261 | ISW plugin crashes while abandoning connection
12243134 | 6723208 | DSCC corrupts mailsieverulesource when user is updated
12242651 | 6721412 | Certain substring filter does not work when searching localized attributes
12242643 | 6721369 | Can't set the heap-high-threshold-size while using multiple memory
12241683 | 6716661 | dsconf limitation: repl-schedule property must be multivalued
12241481 | 6715911 | Server crash when creating new suffix with the top entry if suffix contains slash ( \ )
12241478 | 6715895 | No suffix is shown if the suffix contains special character escaped by slash ( \ )
12241476 | 6715890 | Unable to enable replica if suffix contains a special character
12241335 | 6715303 | Directory Server crashes when fetching values of a virtual attribute
12240732 | 6712614 | starttls performance better in 5.x versions than in 6.x versions
12239751 | 6708615 | Directory server crashes when stopping the server while indexing is going on
12239621 | 6708194 | DSCC time-based log rotation/deletion policy can't be set to "do not automatically rotate/delete"
12235057 | 6690684 | dsccreg is unable to register a server instance bound to a specific IP address
12227513 | 6663324 | Time-based log rotation stops when time goes back
12224934 | 6654030 | Replication problems between SUN DS5.1 and DSEE - incorrect RUVs
12224815 | 6653574 | Replication problems between SUN DS5.1 and DSEE if prioritized replication is enabled
12221672 | 6643225 | Fix for 6310880 could corrupt entries, need automatic repair
12221464 | 6642364 | PWP policy state updates from internal modifies appear in replica dsa audit logs, not in local audit logs
12220992 | 6640285 | Using dsconf to set the nsslapd-changelogmaxage for retro changelog fails; no trimming occurs
12204941 | 6573436 | Data page with older lsn is used to make an update in db, resulting in or causing data corruption
12202392 | 6562921 | Windows: service management is case sensitive
12164063 | 6422147 | Directory crashes with nsrole negate search
12153388 | 6386671 | Duplicate values can be added in ldif import
12149861 | 6374916 | Crash in start-tls operation
12144144 | 6356373 | Indirect CoS doesn't use multiple templates as documented
12143952 | 6355718 | Inconsistent search results due to access controls
12140124 | 6341398 | Memory leak in CoS
12140117 | 6341382 | Network error read with sasl security enabled
12133842 | 6321793 | Csnset insertion error
12128694 | 6303598 | Retrocl: crash in slapi_be_unlock if nsslapd-readonly set to on in cn=changelog
12127586 | 6299664 | Modify using replace on an attribute for the first time with a value of 0 results in a null value
12126447 | 6295323 | Memory leak in virtual attribute (with CoS plugin)
12099009 | 6181237 | Warning<10288> replay of an already seen operation too often in error log
12088236 | 5087249 | Tcp_keepalive_interval and tcp_ip_abort_interval configuration attributes cannot be used for timeout
12076064 | 4987124 | uid uniqueness not enforced
11733602 | NONE | Stack overflow when doing modrdn operation with some dn

Known Problems and Limitations in Directory Server

The following sections list known problems and limitations at the time of release.

Directory Server Limitations

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

Database cache may be outdated after failover on Sun Cluster.

The Directory Server supports Sun Cluster 3.2. When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute is rejected with "DSA is unwilling to perform" (error 53). While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

Note - The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, substitute the LDAP modify replace sub-operation for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. It is due to the performance of Start TLS on Windows systems.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already done this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.

Console does not allow administrator login on Windows XP

The console does not allow an administrator to log on to a server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See "Chapter 13, Directory Server Indexing" in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for details.

The console does not allow you to create a Directory Server or Directory Proxy Server instance if the Directory Manager's password contains a space character. (6830908)

If the Directory Manager's password contains a space character, the Directory Manager account cannot create a directory server or directory proxy server instance by using the console.

Due to the same issue, the command dsccsetup ads-create -w password-file fails if the password file contains a space character.

DSEE6.0 PatchZIP delivery does not support SMF. (6886089)

In instances installed from the zip distribution of DSEE 6.0 and later releases, the dsadm and dpadm commands do not support the Service Management Facility (SMF). If the instance is registered to SMF manually, it is controlled by SMF so that if the instance is stopped via the dsadm or dpadm commands or through DSCC, SMF restarts the instance.

The SMF feature is fully supported only in the native distribution of DSEE 6.0 and later releases.

Known Directory Server Issues in Bundle Patch 6.3.1.1.1

This section lists the known issues that are found at the time of Directory Server Bundle Patch 6.3.1.1.1 release. Each issue in the following list is identified with a two-part ID using the following form: Sun BugTrack ID/Oracle BugDB ID.

2129151/12132482

The Directory Server hangs when running the stop-slapd command.

2151022/12206730

If certificates contain localized names, they cannot be deleted or listed properly.

4979319/12096337

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact My Oracle Support.

6358392/12144749

When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.

6401484/12157832

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt
  3. Add the SSL client entry on the consumer, including the supplierCert certificate in a usercertificate;binary attribute, with the proper subject DN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.
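The following script is an added example, not part of these release notes or of the product's own documentation. It carries steps 3 to 5 of the workaround above through for the two instances used there, /local/supplier and /local/consumer on one host, and finishes with step 6. Everything not in the steps above is assumed for the example: the consumer's LDAP port (1390), the replicated suffix (dc=example,dc=com), the CN in the supplier certificate's subject (supplier.example.com), the Directory Manager password file (/tmp/dm-pwd), and the ldapmodify being the one shipped with DSEE. The exported certificate is the DER file /tmp/supplier-cert.txt produced in step 1.

```shell
#!/bin/sh
# Added example (not from the release notes). Completes steps 3-5 of the
# SSL client authentication workaround for /local/supplier and
# /local/consumer on the same host. Values marked "assumed" are
# example values, not taken from the release notes.

CONSUMER=/local/consumer
CONSUMER_HOST=localhost                 # assumed
CONSUMER_PORT=1390                      # assumed LDAP port of the consumer
SUFFIX="dc=example,dc=com"              # assumed replicated suffix
SUPPLIER_CN=supplier.example.com        # assumed CN in the supplier cert subject
CLIENT_DN="cn=$SUPPLIER_CN,$SUFFIX"     # entry the certificate maps to
SUPPLIER_CERT=/tmp/supplier-cert.txt    # DER export from step 1
PWD_FILE=/tmp/dm-pwd                    # assumed Directory Manager password file

# Step 3: the SSL client entry. Its cn must equal the CN of the certificate
# subject so that the certmap rule below finds it, and usercertificate;binary
# holds the DER certificate via the LDIF ":<" URL form.
client_entry_ldif() {
  cat <<EOF
dn: $CLIENT_DN
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: $SUPPLIER_CN
sn: $SUPPLIER_CN
usercertificate;binary:< file://$SUPPLIER_CERT
EOF
}

# Step 5: certmap.conf rules. An empty DNComps makes the server search the
# whole tree, FilterComps cn builds the filter (cn=<subject CN>), and
# verifycert on additionally requires the presented certificate to match the
# one stored in the entry's usercertificate;binary.
certmap_rules() {
  cat <<'EOF'
certmap default default
default:DNComps
default:FilterComps cn
default:verifycert on
EOF
}

# Runs the remaining steps against the consumer. Only executed when the
# script is invoked with the argument "apply".
apply_workaround() {
  # Step 3 (DSEE ldapmodify: -j reads the bind password from a file)
  client_entry_ldif | ldapmodify -h "$CONSUMER_HOST" -p "$CONSUMER_PORT" \
      -D "cn=Directory Manager" -j "$PWD_FILE"
  # Step 4 (dsconf: -w is the password file option)
  dsconf set-suffix-prop -h "$CONSUMER_HOST" -p "$CONSUMER_PORT" -w "$PWD_FILE" \
      "$SUFFIX" repl-manager-bind-dn:"$CLIENT_DN"
  # Step 5: keep the shipped rules, then install the mapping rule above
  cp "$CONSUMER/alias/certmap.conf" "$CONSUMER/alias/certmap.conf.orig"
  certmap_rules > "$CONSUMER/alias/certmap.conf"
  # Step 6
  dsadm stop /local/supplier; dsadm start /local/supplier
  dsadm stop "$CONSUMER";     dsadm start "$CONSUMER"
}

if [ "${1:-}" = "apply" ]; then apply_workaround; fi
```

Run it with the argument apply after steps 1 and 2 have been performed. The original certmap.conf is kept as certmap.conf.orig so that the rule change can be reverted.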

6410741/12160475

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6412131/12160953

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6416407/12162287

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn: o=mary\"red\"doe,o=example.com
changetype: modify
add: aci
aci: (target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn: o=Example Company\, Inc.,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.

6446318/12171105

On Windows, SASL authentication fails due to the following two reasons:

6449828/12172126

Directory Service Control Center does not properly display userCertificate binary values.

6461602/12174839

The dsrepair fix-entry command does not work if the source is a tombstone and the target is an entry (DEL not replicated).

Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.

6468074/12177035

It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.

6469154/12177381

On Windows, the output of the dsadm and dpadm commands, and their help messages, are not localized into Simplified and Traditional Chinese.

6469296/12177450

Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.

6469688/12177565

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6478568/12180348

The dsadm enable-service --type CLUSTER command does not configure the cluster agent properly; it is missing a dependency on the file system.

As a workaround, manually add the dependency. Example:

scrgadm -c -j ds--global-iplanet-sc1-ldap1vol1-jls-ds-1389 -y Resource_dependencies=disks

where:

6480753/12181017

The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.

6483290/12181717

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
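The following script is an added example and is not part of these release notes or of the product's tooling. It ties together two items on this page: cn=config accepts only the LDAP modify replace sub-operation (see "Use the LDAP replace operation to change cn=config attributes"), and the plug-in signature checks are controlled by the ds-verify-valid-plugin-signature and ds-require-valid-plugin-signature attributes on cn=config. The host, port and Directory Manager password file are assumptions, as is the use of the ldapmodify shipped with DSEE.

```shell
#!/bin/sh
# Added example (not from the release notes). Shows the rejected and the
# accepted way to change plug-in signature handling on cn=config.

HOST=localhost        # assumed
PORT=1389             # assumed LDAP port
PWD_FILE=/tmp/dm-pwd  # assumed file holding the Directory Manager password

# Rejected form: an add (or delete) sub-operation on cn=config is refused
# with error 53, "DSA is unwilling to perform".
rejected_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
add: ds-require-valid-plugin-signature
ds-require-valid-plugin-signature: on
EOF
}

# Accepted form: the same change written as replace sub-operations. The
# server keeps verifying signatures (the default) and is additionally made to
# require that they are valid, instead of only logging a warning for invalid
# ones. Replace installs the listed values as the complete new value set, so
# for a multi-valued attribute every value that should remain must be listed.
accepted_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: ds-verify-valid-plugin-signature
ds-verify-valid-plugin-signature: on
-
replace: ds-require-valid-plugin-signature
ds-require-valid-plugin-signature: on
EOF
}

# Sends the accepted form to the server (DSEE ldapmodify: -j reads the bind
# password from a file). Only executed when invoked with the argument "apply".
apply_change() {
  accepted_ldif | ldapmodify -h "$HOST" -p "$PORT" \
      -D "cn=Directory Manager" -j "$PWD_FILE"
}

if [ "${1:-}" = "apply" ]; then apply_change; fi
```

Invoking the script without arguments only defines the two LDIF generators; pass apply to send the replace form to the server. Check the error log after the next restart to confirm that plug-ins with invalid signatures are now reported as rejected rather than only warned about.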

6485560/12182309

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197/12182934

After installation and after server instance creation on Windows systems, the file permissions on the installation and server instance folders allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488284/12182971

For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

To work around this issue, access the man pages at Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.

6490557/12183619

An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.

6490653/12183629

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as the Mozilla web browser.

6492894/12184342

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997/12185015

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004/12185018

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497053/12185665

When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To work around this issue:

  1. Enable the Monitoring Plug-in using the web console or dpconf.

  2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.

6497894/12186005

The dsconf help-properties command works properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode property is client-cert-first | http-basic-only | client-cert-only.

6501320/12186925

When creating an index on custom schema, a suffix-level change of the all-ids-threshold is not fully propagated by DSCC.

6503509/12187484

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.

6503546/12187497

After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.

6504180/12187685

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6504549/12187763

The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.

6520646/12191946

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999/12193852

The Directory Server plug-in API includes the slapi_value_init(), slapi_value_init_string(), and slapi_value_init_berval() functions.

These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done() function.

6539650/12196778

Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start or perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:

# cacaoadm list-params | grep java-flags
  java-flags=-Xms4M -Xmx64M

# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

Use only ASCII characters in the instance path to avoid these issues.

6541040/12197180

When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using it to manage specialized password policies can cause unchanged attributes to be reset.

6542857/12197665

When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and might return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.

6547992/12199102

On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.

As a workaround to this problem, set the SHLIB_PATH variable.

env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

6550543/12199716

You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6.

As a workaround, use JDK 1.5 instead.

6551672/12200025

The Sun Java System Application Server bundled with Solaris 10 cannot create a SASL client connection for the authenticated mechanism and does not communicate with the common agent container.

As a workaround, change the JVM used by the application server: edit the appserver-install-path/appserver/config/asenv.conf file and replace the AS_JAVA entry with AS_JAVA="/usr/java". Then restart your Application Server domain.

6551685/12200029

The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6557480/12201146

On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.

6559825/12201643

If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting up replication agreements between servers.

6571672/12204509

If unzip is unavailable on the system, dsee_deploy does not install any product.

6583131/12207124

To use a localized Directory Service Control Center, apply the Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1 localized patch before the Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1 core patch, or run the following commands in the specified order.

# dsccsetup console-unreg
# dsccsetup console-reg

There is no need to run the dsccsetup console-unreg and dsccsetup console-reg commands if you apply the Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1 localized patch before the Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1 patch.

For zip-based installations, the Directory Server Enterprise Edition Bundle Patch 6.3.1.1.1 localized patch is not automatically applied to the Directory Service Control Center. As a workaround, undeploy and then redeploy the WAR file.

6587801/12208166

Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To work around this issue, add the 64-bit module with the 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" -libfile /usr/lib/mps/64/libnssckbi.so -nocertdb \
  -dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

6594285/12209724

On HP-UX, the Directory Service Control Center has no RBAC capability.

6595805/12210057

When the encoding is other than UTF-8 and the install path contains non-ASCII characters, the dsee_deploy tool fails to set up the Java Enterprise System Monitoring Framework inside the common agent container.

6630897/12218292

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.

6630924/12218303

The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.

6634397/12219425

For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To set up an SSL-only port with a secure-listen-address in Directory Server Enterprise Edition 6.3, use this workaround:

  1. Unregister the server from DSCC:

    dsccreg remove-server /local/myserver
  2. Disable the LDAP port:

    dsconf set-server-prop ldap-port:disabled
  3. Set up a secure-listen-address:

    dsconf set-server-prop secure-listen-address:IPaddress
    dsadm restart /local/myserver
  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.

6637242/12220200

After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, originating in org.apache.jsp.jsp.ReplicationTopology_jsp._jspService.

6638990/12220674 and 6641357/12221256

The ldapmodify bulk import command can damage existing data. Specifying the option -B suffix causes all the existing data in the suffix to be removed.

The ldapmodify man page is therefore incorrect when it states that bulk import using the ldapmodify command does not erase entries that already exist.

6640755/12221093

In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.

6644161/12221900

In the Korean locale, clicking the Remove Attribute button in the Encrypted Attributes section of the Directory Service Control Center shows the following incomplete error message:

You have chosen to remove

The message should be as follows:

You have chosen to remove {0} from the list of encrypted attributes.
In order for the database files to reflect the configuration and
to work properly you must Initialize the Suffix.
Do you want to continue?

6648240/12223329

Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.

6650105/12223892

On the Windows 2000 zip distribution with the Tomcat 5.5 Application Server and Internet Explorer 6, in "Step 3: Assign Access Rights" of the "New DS Access Control Instruction" wizard in Directory Service Control Center, clicking the "Delete" button of the "Assign Rights to Specified Users: " listbox can produce an exception similar to the following:

The following error has occurred:
Handler method "handleAssignACIToDeleteButtonRequest" not implemented,
or has wrong method signature
Show Details
Hide Details
com.iplanet.jato.command.CommandException: Handler method
"handleAssignACIToDeleteButtonRequest" not implemented, or has wrong method signature
     com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute
(DefaultRequestHandlingCommand.java:167)
     com.iplanet.jato.view.RequestHandlingViewBase.handleRequest
(RequestHandlingViewBase.java:308)
     com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)

6658483/12226102

In traditional Chinese, in the Directory Service Control Center the translation of the string "Initialize Suffix with Data..." in the Replication Settings tab of a suffix is confusing.

6663685/12227613

In the Directory Service Control Center, the Copy Suffix Configuration operation can produce erroneous pop-up windows.

6687375/12234166

DSCC cannot necessarily retrieve the agent certificates that it creates. DSCC attempts to store the certificate in the agent-profile entry in the DSCC registry, but if the DSCC registry's ldap-port is bound to the loopback interface, the certificate cannot be stored. DSCC itself can still read the DSCC registry, because by design it uses localhost to communicate with the DSCC registry.

To work around this limitation, use the ldapmodify command to create the agent-profile entry in the DSCC registry.

6689290/12234693

An attempt to stop, start, or restart a server through a localized DSCC can cause garbled localized messages to be displayed.

As a workaround, edit the cacao.properties file, remove the -Dfile.encoding=utf-8 flag, and then restart cacao under the preferred locale.

6696857/12236820

If a Directory Proxy Server instance has only the secure listen socket/port enabled through DSCC, and the server certificate is not the default one (for example, a Certificate Authority-signed certificate), then DSCC cannot be used to manage the instance.

To work around this problem, unregister the DPS instance and then register it again. Another solution is to update the userCertificate information for the DPS instance in the DSCC registry using the server certificate.

6703850

Versions of Directory Server 5 and Directory Server Enterprise Edition 6 may encounter a performance issue when using Veritas file system (VxFS) versions 4.1 and 5.0 on Solaris 9 and Solaris 10 (SPARC or x86). The performance issue is located within the fdsync system call and affects, for example, Directory Server checkpointing. This issue is addressed by the Solaris VMODSORT feature. See "VERITAS File System (VxFS) Versions 4.1 and 5.0 Running on Solaris 9 and Solaris 10 May Experience Degraded I/O Performance While Synchronizing to Disk" for further information.

Directory Server Enterprise Edition 6 can encounter a performance issue (CR 6703850) when using the Veritas file system with the VMODSORT feature. This issue occurs when a page is added at the end of a file (for example, id2entry.db3). The error causes the ftruncate system call to use as many resources as when the Veritas file system is used without the VMODSORT feature.

6705472/12238767

Password policies measure password length by the number of bytes, so a password containing multi-byte characters can meet password-length policy even if the password contains fewer characters than the policy's specified minimum. For example, a 7-character password with one 2-byte character satisfies a password policy with password minimum length set to 8.
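The following Python script is an added illustration, not code from Directory Server or from this release note, of the difference between the two ways of counting described above; the function names in it are hypothetical. It reports how a byte-counting policy and a character-counting policy each judge a candidate password, using the note's own case of a 7-character password containing one 2-byte character.

```python
# Added example, not part of the DSEE release notes: contrasts a minimum
# password length enforced in bytes (the behaviour the note describes)
# with one enforced in characters. All names here are hypothetical.

MIN_PASSWORD_LENGTH = 8  # the minimum used in the release note's example


def byte_length(password):
    """Length as a byte-counting policy sees it (LDAP carries UTF-8)."""
    return len(password.encode("utf-8"))


def char_length(password):
    """Length as a user perceives it: Unicode code points."""
    return len(password)


def meets_min_length_by_bytes(password, minimum=MIN_PASSWORD_LENGTH):
    """The lenient check: a multi-byte character counts more than once."""
    return byte_length(password) >= minimum


def meets_min_length_by_chars(password, minimum=MIN_PASSWORD_LENGTH):
    """The check an administrator usually intends when setting a minimum."""
    return char_length(password) >= minimum


def audit_password_length(password, minimum=MIN_PASSWORD_LENGTH):
    """Report how each counting rule judges the candidate password."""
    return {
        "chars": char_length(password),
        "bytes": byte_length(password),
        "byte_policy_accepts": meets_min_length_by_bytes(password, minimum),
        "char_policy_accepts": meets_min_length_by_chars(password, minimum),
    }


if __name__ == "__main__":
    # Constructed samples: 7 characters with one 2-byte character (the case
    # from the release note), 4 CJK characters that occupy 12 bytes, and an
    # 8-character ASCII password that both rules accept.
    for candidate in ("abcdef\u00e9", "\u5bc6\u7801\u6d4b\u8bd5", "abcdefgh"):
        print(repr(candidate), audit_password_length(candidate))
```

Running the script shows the first two candidates accepted by the byte rule but rejected by the character rule, which is the gap an administrator should assume exists when the minimum length is the only complexity control.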

6707789/12239527

Example 1 of the man page for the modrate command contains usage errors. The following example is correct:

modrate -D uid=hmiller,ou=people,dc=example,dc=com -w hillock -b "uid=test%d,ou=test,dc=example,dc=com" \
 -C 3 -r 100 -M 'description:7:astring'

6712064/12240595

The nsslapd-groupevalsizelimit property is not documented. The following description applies to this property.

NAME

nsslapd-groupevalsizelimit - maximum number of static group members for ACI evaluation

DESCRIPTION

Defines the maximum number of members that a static group (including members of its sub-groups) can have for ACI evaluation.

Entry DN

cn=config

Valid Range

0 to the maximum 64-bit integer value

A value of -1 means infinite.

Default Value

5000

Syntax

Integer

Example

nsslapd-groupevalsizelimit: 5000

ATTRIBUTES

See the attributes(5) man page for descriptions of the following attributes:

ATTRIBUTE TYPE     ATTRIBUTE VALUE
Availability       SUNWldap-directory
Stability Level    Obsolete: Scheduled for removal after this release

6720595/12242408

On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.

6723208/12243134

An attempt to edit an attribute value containing a carriage return results in corruption of the value.

6723590/12243224

Due to a potential database corruption present but undetected in version 6.2, before upgrading from Directory Server Enterprise Edition 6.2 to 6.3.1, rebuild the database by exporting it to an LDIF file and then reimporting the LDIF file. In a replicated environment, rebuild or reinitialize all servers. Exporting, importing, and initializing servers in a replicated environment are described in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

Note - This applies only to an upgrade from Directory Server Enterprise Edition 6.2. It does not apply to upgrades from version 6.0, 6.1, or 6.3.

6725346/12243611

Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). Directory Server does not accept multibyte characters (such as in Chinese or Japanese character sets) in strings for database names, file names, and path names. To work around this issue when creating a Directory Server suffix whose DN has multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.

$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN

Do not use the default database name for the suffix. Do not use multibyte characters for the database name.

6737227/12245898

Directory Server can crash under heavy load during DN normalization.

To work around this issue, disable the DN cache. The DN cache is enabled by default.

To disable the DN cache, complete the following steps:

  1. Run the following dsconf command. Example:

    # dsconf set-server-prop -h hostname -p port_number dn-cache-count:disabled

  2. Restart Directory Server.

  3. To verify that the DN cache is disabled, run the ldapsearch command. Example:

    # ldapsearch -h hostname -p port_number -D "cn=directory manager" -w password -b "cn=monitor" \
      cn=monitor cached_ndn_stat
    dn: cn=monitor
    cached_ndn_stat: DN cache is disabled

6742347/12246882

Directory Server Enterprise Edition 6 does not stop gracefully during Windows shutdown when registered as a service. At system restart, the following message is logged in the error log file:

WARNING<20488> - Backend Database - conn=-1 op=-1 msgId=-1 -  Detected Disorderly
Shutdown last time Directory Server was running, recovering database.

To work around this problem, stop the Directory Service manually before shutdown or reboot.

To stop the instances in Microsoft Windows, select Start > Settings > Control Panel, and select Administrative Tools and then Services. For each service of the Directory Server displayed in the right column, right click the instance and select Stop. Alternatively, run this command:

$ dsadm.exe stop instance-path

6750837/12248623

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the DSEE_HOME/ds6/bin/dsconf accord-repl-agmt command to correct the replication agreement.

6751354/12248728

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:

WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -  Detected plugin paths from
another install, using current install

To avoid these warnings, be sure to use C:/ consistently.

6752475/12249011

Back-end database errors can be reported on Windows 2000. This problem exists only on Microsoft Windows. When it occurs, the following error messages are logged in the error logs:

ERROR<20742> - Backend Database - conn=-1 op=-1 msgId=-1 -  BAD MAP 1, err=5
ERROR<20741> - Backend Database - conn=-1 op=-1 msgId=-1 -  BAD EV 1, err=5

This error is usually harmless, but in rare cases it can cause a crash (6798026) when an instance spawned by one user (administrator or any other user) conflicts with an instance spawned by another user (a Windows service, administrator, or any other user).

To work around this problem in production, register all instances as services.

To work around this problem during testing: if no instance is started as a Windows service, start all new instances as the same user. If an instance is started as a Windows service, the only workaround is to start the new instances using a Remote Desktop Connection (rdesktop).

6752625/12249065

Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:

For more information about data source configuration, see the "Sun Java System
Directory Server Enterprise Edition Reference."

Selecting the link to the DSEE Reference document produces an error message.

To work around this problem, click the link with the third mouse button and choose Open Link in New Window from the pop-up menu. The selected document appears in the new browser window.

6753020/12249137

In a Multi-Master Replication configuration, replication from versions of Directory Server 6 to Directory Server 5.2 masters (with a maximum of four servers) works correctly.

6753742/12249325

In a Multi-Master Replication configuration, the migration of masters from JES 4 to Directory Server 6.3 might fail. For example, the following error message can appear after performing step 6 of “Migrating the Masters” in the Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide:

INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 -  _replica_configure_ruv: failed to create
replica ruv tombstone entry (suffix); LDAP error - 53

To work around this problem, use these steps:

  1. Stop all JES 4 masters.

  2. Edit the dse.ldif configuration file manually and change nsslapd-readonly: on to nsslapd-readonly: off.

  3. Run the dsmig migrate-config migration command.

6755852/12249699

Attempts to install the DSEE 6.3 patch zip (and later) on Japanese Windows always fail when deploying JESMF in Cacao, with results similar to the following:

Deploying JESMF in Cacao...
## Failed to run install-path/dsee6/cacao_2/bin/cacaoadm.bat deploy
install-path/dsee6/mfwk/xml/com.sun.mfwk.xml
####
#### Cannot execute command deploy: The connection has been closed by the server .
####
## Exit code is 1
Failed to register DS in JESMF.
Error: Cannot register mfwk into cacao framework:

Use the following steps to complete the installation after the failure:

  1. Add the following to mfwk.properties in order to start Cacao.

    com.sun.mfwk.agent.objects=false
  2. Run the following command to restart Cacao.

    cacaoadm start

    Confirm that Cacao continues to run.

  3. Run the following two commands:

    $ dsccsetup mfwk-unreg
    $ dsccsetup mfwk-reg -t
  4. Run the following command to confirm that mfwk is properly registered in the Cacao framework:

    $ install-path/dsee6/cacao_2/bin/cacaoadm list-modules

    If mfwk is properly registered, the command returns these results:

    List of modules registered:
    com.sun.cacao.agent_logging 1.0
    com.sun.cacao.command_stream_adaptor 1.0
    com.sun.cacao.efd 2.1
    com.sun.cacao.instrum 1.0
    com.sun.cacao.invoker 1.0
    com.sun.cacao.mib2simple 1.0
    com.sun.cacao.rmi 1.0
    com.sun.cacao.snmpv3_adaptor 1.0
    com.sun.cmm.ds 1.0
    com.sun.directory.nquick 1.0
    com.sun.mfwk 2.0
  5. Copy the following two files to install-path/dsee6/bin:

    installer-path\DSEE_ZIP_Distribution\dsee_deploy.exe
    installer-path\DSEE_ZIP_Distribution\dsee_data\listrunnings.exe

6756152/12249760

LDAP commands do not work on Windows with IPv6 enabled.

6772879/12253695

The Directory Server Enterprise Edition 5.x password policy manages attributes with a password* naming pattern, and the Directory Server Enterprise Edition 6.x password policy manages attributes with a pwd* naming pattern. When running in Directory Server Enterprise Edition compatibility mode (such that attributes of both policies are managed), if a password policy's functionality is disabled, then some values of related attributes can differ between the 5.x attributes and the 6.x attributes. For example, if passwordUnlock is set to off, then the value of pwdLockoutDuration can be 0 at the same time that the value of passwordLockoutDuration is not 0.

6776034/12254403

The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.

6777338/12254781

In the case of a Multi-Master Replication migration from Directory Server 5.2 to Directory Server 6.3, the procedure “Manual Reset of Replication Credentials” in the Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide is not complete. The procedure directs you to run this command:

dsconf set-server-prop -h host -p port def-repl-manager-pwd-file:filename

It is also necessary to run this undocumented command:

dsconf set-repl-agmt-prop -p port_master1 replicated_suffix master2:port_master2 auth-pwd-file:filename

The dsmig migrate-config command outputs the commands that must be run to reset replication credentials properly.

6786078/12257619

A non-existent Sun Microsystems plug-in can be considered to have a valid signature. The following warning message is displayed:

WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -  Detected plugin paths from another install, using
current install. 

This warning message appears only for plug-ins with a vendor of Sun Microsystems.

6791372/12258920

A resource (memory) shortage can cause versions of Directory Server 6 to crash. The following error message is written in the server error log file:

    ERROR<5122> - binder-based resource limits - conn=-1 op=-1 msgId=-1 -
          System error: resource shortage  PR_NewRWLock() failed for reslimit

6827661/12267366

A directory server instance cannot be stopped by using the dsadm stop command via Remote Desktop if the directory server instance was started locally via the console or the dsadm start command.

To work around this issue, run the following command to enable the service:

dsadm enable-service --type WIN_SERVICE instance-path

6831959/12268259

Because of the problem described in Vulnerability Note VU#836068 (MD5 vulnerable to collision attacks), Directory Server Enterprise Edition deployments should avoid certificates signed with the MD5 algorithm.

Use the following steps to determine the signature algorithm of a certificate.

  1. Run the following command to display the list of certificates defined in a specific Directory Server instance.

    $ dsadm list-certs instance-path
  2. Run the following command on each defined certificate to determine whether the certificate is signed with the MD5 algorithm:

    $ dsadm show-cert instance-path cert-alias

    The following example shows typical output from the dsadm show-cert command for an MD5-signed certificate:

    Certificate:
       Data:
       [...]
       Signature Algorithm: PKCS #1 MD5 With RSA Encryption
       [...]

Run the following command to remove any MD5-signed certificate from the database:

$ dsadm remove-cert instance-path cert-alias

Use the following steps to update the certificate database password. (The dsadm command generates a default certificate database password when creating a directory server instance.)

  1. Stop the Directory Server instance.

  2. Run the following command:

    $ dsadm set-flags instance-path cert-pwd-prompt=on

    A message appears, prompting you for a password.

  3. Enter a password that is at least eight characters long.

  4. Restart the Directory Server instance and provide the Internal (Software) Token password when prompted for it.

Replace any MD5-signed certificates with SHA-1-signed certificates. Use one of the following procedures, depending on whether your installation uses a self-signed certificate or a certificate acquired from a Certificate Authority.

Use the following steps to generate and store a self-signed certificate:

  1. As a Directory Server administrator, run the following command to issue a self-signed certificate using the SHA-1 signing algorithm. (For more information about the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.)

    $ certutil -S -x -n certName -s subject -d certs-db-path \
    -P "slapd-" -t "CTu,u,u" -Z SHA1

    The options are as follows:

    -S

    Specifies generation of an individual certificate and adds it to the database.

    -x

    Specifies generation of a self-signed certificate.

    -n certName

    Specifies the certificate's alias name, for example, defaultCert.

    -s "subject"

    Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=...

    -d instance-path/alias

    Specifies the database directory that contains the certificate and key database files.

    -P "slapd-"

    Specifies the certificate database prefix.

    -t "CTu,u,u"

    Specifies the trust arguments.

    -Z SHA1

    Specifies SHA-1 as the certificate signature algorithm.

    The following example shows a typical use:

    $ install-path/dsee6/bin/certutil -S -x -n "A-New-Cert" \
      -s "CN=myhostname,CN=8890,CN=Directory Server,O=CompanyName" \
      -d instance-path/alias \
      -P "slapd-" -t "CTu,u,u" -Z SHA1

    The command displays this prompt:

    [Password or Pin for "NSS Certificate DB"]

  2. Enter the new certificate database password that you created.

Use the following steps to generate and store a certificate acquired from a Certificate Authority (CA):

  1. Run the following command to issue a CA-Signed Server Certificate request:

    $ certutil -R -s subject -d certs-db-path -P "slapd-" -a -Z SHA1 -o output-file

    The options are as follows:

    -R

    Specifies generation of a CA-signed Server Certificate request.

    -s "subject"

    Specifies the certificate owner for new certificates or certificate requests, for example, CN=...,OU=...

    -d instance-path/alias

    Specifies the database directory that contains the certificate and key database files.

    -P "slapd-"

    Specifies the certificate database prefix.

    -a

    Specifies that the certificate request be created in ASCII format instead of the default binary format.

    -Z SHA1

    Specifies SHA-1 as the certificate request signature algorithm.

    -o output-file

    Specifies the output file for storing the certificate request.

    The following example shows a typical use:

    $ install-path/dsee6/bin/certutil -R \
      -s "CN=myhostname,CN=7601,CN=Directory Server,O=CompanyName" \
      -d instance-path/alias \
      -P "slapd-" -a -Z SHA1 -o /tmp/cert-req.txt

    The command displays this prompt:

    [Password or Pin for "NSS Certificate DB"]

  2. Enter the new certificate database password that you created.

  3. Make sure that your Certificate Authority is no longer using the MD5 signature algorithm, and then send the certificate request to the Certificate Authority (either internal to your company or external, depending on your rules) to receive a CA-signed server certificate as described in “To Request a CA-Signed Server Certificate” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

  4. When the Certificate Authority sends you the new certificate, run the following command to add the certificate to the certificates database:

    $ dsadm add-cert ds-instance-path cert-alias signed-cert-file

    This step is described in “To Add the CA-Signed Server Certificate and the Trusted CA Certificate” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

  5. If the trusted Certificate Authority certificate is not already stored in the certificate database, run the following command to add it:

    $ dsadm add-cert --ca instance-path trusted-cert-alias ca-cert-file

    This step is described in “To Add the CA-Signed Server Certificate and the Trusted CA Certificate” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

  6. Run the following command to verify that the new certificate is being used.

    $ dsadm show-cert instance-path cert-alias

    Certificate:
       Data:
       [...]
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
       [...]

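
As an added example that is not part of this release note or of the dsadm command, the Python script below parses the text that dsadm show-cert prints (the shape shown in steps 2 and 6 above) and flags certificates whose signature algorithm uses MD5. It also flags SHA-1 separately, because SHA-1 has since been deprecated for certificate signatures, a point this 6.3.1.1.1 note predates. The sample outputs and the aliases in it are constructed; the function names are hypothetical.

```python
import re

# Added example, not part of the DSEE release notes or of dsadm: audit the
# "Signature Algorithm:" line of dsadm show-cert output for weak digests.

SIGNATURE_LINE = re.compile(r"^\s*Signature Algorithm:\s*(.+?)\s*$", re.MULTILINE)
REJECTED = re.compile(r"\bMD[245]\b", re.IGNORECASE)    # collision-broken digests
DEPRECATED = re.compile(r"\bSHA-?1\b", re.IGNORECASE)   # SHA-1: deprecated since this note


def signature_algorithm(show_cert_output):
    """Return the value of the 'Signature Algorithm:' line, or None if absent."""
    match = SIGNATURE_LINE.search(show_cert_output)
    return match.group(1) if match else None


def classify(algorithm):
    """'reject' for MD2/MD4/MD5, 'deprecated' for SHA-1, 'ok' otherwise."""
    if algorithm is None:
        return "unknown"
    if REJECTED.search(algorithm):
        return "reject"
    if DEPRECATED.search(algorithm):
        return "deprecated"
    return "ok"


def audit_certificates(outputs):
    """outputs maps cert-alias -> show-cert text. Returns sorted (alias, algorithm, verdict)."""
    report = []
    for alias, text in outputs.items():
        algorithm = signature_algorithm(text)
        report.append((alias, algorithm, classify(algorithm)))
    return sorted(report)


def aliases_to_replace(outputs):
    """Aliases whose certificate should be re-issued (anything not 'ok')."""
    return [alias for alias, _, verdict in audit_certificates(outputs) if verdict != "ok"]


def _sample(algorithm):
    # Constructed output in the shape the release note shows for dsadm show-cert.
    return ("Certificate:\n   Data:\n   [...]\n"
            "   Signature Algorithm: %s\n   [...]\n" % algorithm)


# Constructed sample outputs keyed by constructed aliases.
SAMPLE_OUTPUTS = {
    "old-cert": _sample("PKCS #1 MD5 With RSA Encryption"),
    "A-New-Cert": _sample("PKCS #1 SHA-1 With RSA Encryption"),
    "sha256-cert": _sample("PKCS #1 SHA-256 With RSA Encryption"),
}

if __name__ == "__main__":
    for alias, algorithm, verdict in audit_certificates(SAMPLE_OUTPUTS):
        print("%-12s %-36s %s" % (alias, algorithm, verdict))
    print("re-issue:", aliases_to_replace(SAMPLE_OUTPUTS))
```

In practice the dictionary would be built by running dsadm list-certs and then dsadm show-cert for each alias, as in steps 1 and 2 above, and feeding each command's output to audit_certificates.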
6834291/12268817

When the pwd-must-change-enabled property is set to on and user account operations are invoked with the proxied authorization control, the only operation that can be performed on behalf of a user with a reset password is modification of the user's account password.

For versions prior to Directory Server Enterprise Edition 6.3.1, this operation was rejected as account unusable (as described in CR 6651645). Directory Server Enterprise Edition 6.3.1 added support for changing a reset password using proxied authorization. However, applying the 6.3.1 patch to an existing deployment causes the following issue: when an account password has been administratively reset, an operation on the account using proxied authorization is not strictly restricted to modifying the userpassword attribute.

The cause of this issue is a change in the Directory Server plug-in ordering, which is not corrected for any existing instances during the 6.3.1 patch application. Any Directory Server instance created after upgrading to Directory Server Enterprise Edition 6.3.1 has the correct plug-in ordering.

For a Directory Server instance created before upgrading to Directory Server Enterprise Edition 6.3.1, an administrator must correct the instance's plug-in ordering list using the ldapmodify command.

The following example assumes the plug-in ordering has not been modified from the original ordering. If the deployment uses a custom ordering, modify the example to include the customization, but make sure that ACL preoperation precedes any PwP preoperation.

Restart the instance for the change to take effect.

$ install-path/dsrk6/bin/ldapmodify -h hostname -p port_number -D "cn=directory manager" -w password
dn: cn=plugins, cn=config
changetype: modify
replace: plugin-order-preoperation-finish-entry-encode-result
plugin-order-preoperation-finish-entry-encode-result: ACL preoperation,PwP preoperation
-
replace: plugin-order-preoperation-search
plugin-order-preoperation-search: ACL preoperation,*
-
replace: plugin-order-preoperation-compare
plugin-order-preoperation-compare: ACL preoperation,*
-
replace: plugin-order-preoperation-add
plugin-order-preoperation-add: ACL preoperation,PwP preoperation,*
-
replace: plugin-order-internalpreoperation-add
plugin-order-internalpreoperation-add: PwP internalpreoperation,*
-
replace: plugin-order-preoperation-modify
plugin-order-preoperation-modify: ACL preoperation,PwP preoperation,*
-
replace: plugin-order-internalpreoperation-modify
plugin-order-internalpreoperation-modify: PwP internalpreoperation,*
-
replace: plugin-order-preoperation-modrdn
plugin-order-preoperation-modrdn: ACL preoperation,*
-
replace: plugin-order-preoperation-delete
plugin-order-preoperation-delete: ACL preoperation,*
-
replace: plugin-order-bepreoperation-add
plugin-order-bepreoperation-add: PwP bepreoperation,*
-
replace: plugin-order-bepreoperation-modify
plugin-order-bepreoperation-modify: PwP bepreoperation,*

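
As an added check that is not part of this release note or of Directory Server, the following Python script parses plugin-order-* attribute values (in the attr: value form that ldapsearch prints for cn=plugins,cn=config) and reports every preoperation list in which PwP preoperation does not run strictly after ACL preoperation, including lists where both are hidden behind the * wildcard and so have no defined relative order. Both sample orderings are constructed: the first repeats the values from the ldapmodify command above, the second is a deliberately misordered one; the function names are hypothetical.

```python
# Added example, not part of the DSEE release notes: verify the invariant the
# note asks administrators to keep, ACL preoperation before PwP preoperation,
# in every plugin-order-preoperation-* list. Names here are hypothetical.

PREOP_PREFIX = "plugin-order-preoperation-"
ACL = "ACL preoperation"
PWP = "PwP preoperation"
WILDCARD = "*"


def parse_plugin_order(ldif_text):
    """Map each plugin-order-* attribute to its ordered list of plug-in names."""
    orders = {}
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line.startswith("plugin-order-") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        orders[attr.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return orders


def _position(plugins, name):
    """Index at which `name` runs: its explicit slot, else the '*' slot, else None."""
    if name in plugins:
        return plugins.index(name)
    if WILDCARD in plugins:
        return plugins.index(WILDCARD)
    return None


def misordered_preoperation_lists(orders):
    """Return the preoperation attributes where PwP does not run strictly after ACL."""
    bad = []
    for attr, plugins in orders.items():
        if not attr.startswith(PREOP_PREFIX):
            continue  # internalpreoperation/bepreoperation lists have no ACL stage
        pwp_pos = _position(plugins, PWP)
        if pwp_pos is None:
            continue  # PwP never runs in this list, so there is nothing to order
        acl_pos = _position(plugins, ACL)
        # ACL must run, and at an earlier slot; two plug-ins both behind '*'
        # share a slot and therefore have no guaranteed order.
        if acl_pos is None or acl_pos >= pwp_pos:
            bad.append(attr)
    return sorted(bad)


# Constructed sample: the ordering from the ldapmodify command in the note.
CORRECT_ORDER = """\
dn: cn=plugins,cn=config
plugin-order-preoperation-finish-entry-encode-result: ACL preoperation,PwP preoperation
plugin-order-preoperation-search: ACL preoperation,*
plugin-order-preoperation-compare: ACL preoperation,*
plugin-order-preoperation-add: ACL preoperation,PwP preoperation,*
plugin-order-internalpreoperation-add: PwP internalpreoperation,*
plugin-order-preoperation-modify: ACL preoperation,PwP preoperation,*
plugin-order-internalpreoperation-modify: PwP internalpreoperation,*
plugin-order-preoperation-modrdn: ACL preoperation,*
plugin-order-preoperation-delete: ACL preoperation,*
plugin-order-bepreoperation-add: PwP bepreoperation,*
plugin-order-bepreoperation-modify: PwP bepreoperation,*
"""

# Constructed misordered sample: PwP ahead of ACL on modify, and an add list
# that leaves both plug-ins to the wildcard.
STALE_ORDER = """\
dn: cn=plugins,cn=config
plugin-order-preoperation-modify: PwP preoperation,ACL preoperation,*
plugin-order-preoperation-add: *
plugin-order-preoperation-search: ACL preoperation,*
"""

if __name__ == "__main__":
    for label, text in (("correct", CORRECT_ORDER), ("stale", STALE_ORDER)):
        print(label, misordered_preoperation_lists(parse_plugin_order(text)))
```

To check a live instance, feed the script the output of an ldapsearch of cn=plugins,cn=config for the plugin-order-* attributes before and after applying the ldapmodify command above; an empty result means every preoperation list already satisfies the ordering the note requires.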
6872923/12277234

The First Login Password Policy scenario described in “To Set Up a First Login Password Policy” in the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide is not complete. Before running the example, make sure that the Global Password Policy default entry ("cn=Password Policy,cn=config") is configured with the Password Must Change property set to TRUE.

6876315/12277925

If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.

The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.

6902940/12283417

Configuration of Cacao can fail on Windows when the environment variable PERL5LIB is set to a pre-existing Perl version.

To work around this issue, edit both of the script files. For a ZIP installation of Directory Server Enterprise Edition, edit both of these files:

For Sun Java Enterprise System 5 installations of Directory Server Enterprise Edition, edit both of these files:

Edit each file and add this line at the beginning of each file:

set PERL5LIB=

6920893/12287170

On Windows installations, the ldapsearch, ldapmodify, ldapcompare, and ldapdelete commands fail when multibyte characters are specified as the value for SASL bind options authid and authzid. Instead of receiving the raw characters, the command receives characters converted incorrectly by the code page used by the installation.

To prevent this conversion and provide to the command the raw characters, use one of the following code pages:

A programmatic solution is to create a new program to fork/exec the command (for example, ldapsearch) and provide the SASL bind arguments through the exec (and so without code-page translation).

6928378/12288685

The Administration Guide incorrectly states that you can use the Directory Service Control Center to set a referral to make a suffix be read-only. This capability is not implemented in the Directory Service Control Center unless replication is enabled for this suffix.
