Sun Directory Server Enterprise Edition 7.0 Release Notes

Known Problems and Limitations in Directory Proxy Server

This section lists known problems and limitations at the time of release.

Directory Proxy Server 7.0 Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Self-signed server certificates cannot be renewed.

When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.

Directory Proxy Server does not ensure atomicity with the join data view write operations.

To ensure atomicity, do not use the join data view for write operations. If you perform write operations on a join data view, use an external mechanism to prevent or detect inconsistencies. You can monitor inconsistencies by monitoring the Directory Proxy Server error log.

Wrong default value in man pages

The log-buffer-size(5dpconf) man page displays the wrong default size of the access log buffer. The default buffer size for access log is 1M.

The man pages for the pattern matching distribution algorithm incorrectly show the respective properties as single-valued. The properties are multi-valued.

When Oracle is the JDBC source, the ldapsearch command does not return an attribute with an empty value.

Oracle handles an empty string as NULL. The empty string and NULL are both valid values for an LDAP entry, but it is not possible to distinguish the two in Oracle. This issue was corrected for other JDBC sources in issue 6766175, as noted in Bugs Fixed in Directory Proxy Server 7.0.

Known Directory Proxy Server Issues in 7.0

This section lists the known issues found at the time of the Directory Proxy Server 7.0 release.

5042517

The modify DN operation is not supported for LDIF, JDBC, join and access control data views.

6355714

Currently, getEffectiveRight control is supported only for LDAP data views and does not yet take into account ACIs local to the proxy.

6386073

After generation of a CA-Signed Certificate request, when you refresh, the certificate is displayed as a self-signed certificate.

6388022

If the SSL port used by Directory Proxy Server is incorrect, after a secure search request on that port Directory Proxy Server may close all connections.

6390118

Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.

6390220

It is possible to specify the base-dn property when creating a data view, but it is not possible to set the base-dn property to "", the root DSE, after creating the data view.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6439604

After configuring alerts, you must restart Directory Proxy Server for the change to take effect.

6447554

Directory Proxy Server fails to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.

6461510

In Directory Proxy Server, the referral hop limit does not work.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488297

On Windows, DSCC initialization can only be performed by the Administrator user.

6493349

Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.

6494540

After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.

6497547

Time limit and size limit settings work only with LDAP data sources.

6497992

After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.

6501867

The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and multi-byte characters.

6505112

When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.

To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.

6511264

When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.

Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.

6520368

The JDBC connection configuration to access Oracle 9 through Directory Proxy Server is not exactly as described in the documentation.

Consider the following configuration, with an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.

Typically, to configure access through to MYTABLE, set the following properties.

  • On the JDBC data source, set db-name:MYINST.

  • On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.

  • On the JDBC table, set sql-table:MYNAME.MYTABLE

If these settings do not work, configure access through to MYTABLE with the following settings.

  • On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST)))

  • On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537)))

  • On the JDBC table, set sql-table:MYNAME.MYTABLE

6542857

When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system, and the following error might be returned:


svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.

6547759

On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.

6551076

Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.

6573439

In DSCC, in the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.

6583798

In DSCC 6.0, useTCPNoDelay is set to false by default when creating a data source with DSCC, while the default value of use-tcp-no-delay is set to true when creating an instance through the administrative command dpconf create-ldap-data-source.

6588319

In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays the multi-byte strings garbled.

6590460

The string owner in the output of the dpadm show-cert dps-instance-path command is not translated in Simplified Chinese and Traditional Chinese.

6639674

If the Directory Proxy Server configuration property allow-bind-operations is set to false, it is not possible to connect on an SSL port using the dpconf command line argument with the --secure-port option. Connection by Start TLS (default) or by clear connection (the --unsecured option) is still possible.

6640597

Directory Proxy Server does not change the DN of an ADD operation when the operation follows a referral in which the basedn is different from that of the original machine. Attempting an ADD against a Directory Proxy Server instance that has a Directory Server instance that is set to follow referrals, as opposed to just forwarding referrals, results in the ADD being rejected on the referred server because of an incorrect basedn.

Using the ldapmodify command to execute the ADD directly against the Directory Server instances allows the ADD to work.

6649984

No warning is issued when you set a password of insufficient length for the certificate database. If the password is too short, it is accepted by the Directory Service Control Center. Issuing the dpadm command with cert subcommands can then result in the commands hanging.

6723858

The proxy server bypasses the requires-bind-password property on the backend directory server.

6757756

The dpadm list-running-instances command does not list all the instances that are started from the current installation, but lists only the instances that belong to the current user.

6791946

On OpenSolaris, when alerts are raised, Directory Proxy Server does not log them in syslog.

6874624

An obsolete definition remains in the 28pilot.ldif file.

To work around this issue, add the following alias specification to the 28pilot.ldif file:


objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)

6874631

The uidObject objectclass is missing from the schema.

To work around this issue, add the following objectclass to the 00core.ldif file:


objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')

6889439

Directory Proxy Server reports a schema violation on attributes timeResolutionMode and timeResolutionInMillisec.

This message is harmless. To work around it, use the following steps:

  1. Make sure that you have access to the jar program. This program is shipped with any JDK installation.

  2. Stop the Directory Proxy Server instance.

  3. Change the current directory to the Directory Server installation directory.

  4. Run the following command to extract the schema file from the Directory Proxy Server archive:


    $ jar xvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif
    
  5. Use a text editor to edit the schema file, com/sun/directory/proxy/config/config_schema.ldif and make these changes.

    1. Delete the attribute attributeTypes containing the string NAME ( 'useNanoTimeforEtimes' ).

    2. Add a new attribute attributeTypes with the following content:

      attributeTypes: ( "" NAME ( 'timeResolutionInMilliSec' ) DESC '' \
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'DPS' )

      Make sure to delimit parentheses with spaces.

    3. Search for the attribute objectClasses containing the string NAME 'topConfigEntry'.

    4. In this attribute line, search for the string useNanoTimeforEtimes and rename it as timeResolutionMode.

    5. Save the file and close it.

  6. Run the following command to apply the changes done to the schema file to the Directory Proxy Server archive:


    $ jar uvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif
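
The edit in step 5 can be scripted so that it is applied the same way on every installation. The following is an added example, not part of the original release notes or the product: the function names patch_config_schema and apply_workaround are hypothetical, the new attribute is written on one line instead of with the trailing backslash, and folded LDIF lines are assumed to be safe to unfold.

```shell
#!/bin/sh
# Added example: scripted form of the manual schema edit for issue 6889439.
SCHEMA=com/sun/directory/proxy/config/config_schema.ldif
# Replacement definition copied from the release note. The OID is empty ("")
# there and is kept exactly as printed.
NEW_ATTR="attributeTypes: ( \"\" NAME ( 'timeResolutionInMilliSec' ) DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'DPS' )"

# patch_config_schema FILE
# Applies sub-steps 1 to 4 of step 5. Returns non-zero and leaves FILE
# untouched unless both the old attribute and the topConfigEntry reference
# were found. On success the previous content is kept as FILE.orig.
patch_config_schema() {
    file=$1
    tmp="$file.tmp.$$"
    awk -v newattr="$NEW_ATTR" \
        -v oldattr="NAME ( 'useNanoTimeforEtimes' )" \
        -v objclass="NAME 'topConfigEntry'" '
        # LDIF folds long values onto continuation lines that start with one
        # space; join them so each definition is matched as a whole.
        function emit(line) {
            if (line ~ /^attributeTypes:/ && index(line, oldattr)) {
                print newattr; replaced = 1; return
            }
            if (line ~ /^objectClasses:/ && index(line, objclass))
                renamed += gsub(/useNanoTimeforEtimes/, "timeResolutionMode", line)
            print line
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) emit(buf); buf = $0 }
        END { if (NR > 0) emit(buf); exit !(replaced && renamed) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$file" "$file.orig" && mv "$tmp" "$file"
}

# apply_workaround INSTALL_DIR
# Steps 3, 4, 5 and 6. Stop the Directory Proxy Server instance first (step 2).
apply_workaround() (
    cd "$1" || exit 1
    jar xvf dsee7/lib/jar/dps.jar "$SCHEMA" || exit 1
    patch_config_schema "$SCHEMA" || { echo "schema not patched" >&2; exit 1; }
    jar uvf dsee7/lib/jar/dps.jar "$SCHEMA"
)
```

A second run on an already patched file returns non-zero without modifying it, so the archive is not updated twice.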

6899299

On Windows Server 2008, if the server instance is set up to start at boot by using the dpadm enable-service command, the dpadm info command displays the status of the instance as Stopped. In that case, the instance cannot be stopped or restarted using the dpadm command or DSCC.

Use Windows Service manager to enable the server instance to start when the Windows server machine starts up.