This chapter contains important, product-specific information available at the time of release of Directory Proxy Server.
This section lists the bugs fixed since the last release of Directory Proxy Server.
| Bug ID | Description |
|---|---|
| 6351249 | The dpcfg command does not validate the values of properties that it handles. |
| 6417166 | The directory server does not observe the resource limit policy's minimum-search-filter-substring-length property. |
| 6446600 | The directory server does not always handle ACI notification changes coming from an LDAP source. |
| 6468142 | Attribute names are stored differently in virtual view and in LDIF. |
| 6468198 | The directory server should apply a default value to any virtual attribute that does not have a value set. |
| 6468593 | All monitoring elements should have a value set for the statusDescription property. |
| 6468694 | Search operations do not return complete information when an entry does not exist. |
| 6469976 | The dpadm split-ldif command should provide more statistics, such as the number of entries skipped. |
| 6475156 | For some properties, the dpcfg command changes the property's value and sets is-restart-required to false, although the directory server must be restarted for the change to take effect. |
| 6489771 | Connection handlers bind anonymous binds incorrectly. |
| 6491133 | Multibyte certificate attributes are not handled correctly. |
| 6491845 | The DSCC does not display default values for Controls Allowed Through Proxy. |
| 6492447 | The dpconf command should not be able to set the scriptable-alerts-command attribute. |
| 6495493 | The dpadm command logs a SUNWdsee7-config is not installed message if SUNWdsee7-config is relocated. |
| 6520362 | The dpconf get-jdbc-data-source-prop and set-jdbc-data-source-prop commands should support connection number properties. |
| 6527010 | Directory Proxy Server cannot write JDBC attributes implying many-to-many (N:N) relationship between tables in the JDBC database. |
| 6527837 | The proxy server should open fewer initial connections to LDAP servers. |
| 6536823 | The proxy server closes client connections too frequently. |
| 6537654 | The proxy server opens new connections to JDBC back ends too frequently. |
| 6539650 | On Linux installations, the proxy server cannot create a multibyte DN. |
| 6547755 | The DSCC does not create multibyte certificate names correctly. |
| 6550554 | In the zh_cn/ja locale, the DSCC cannot create a multibyte proxy server instance. |
| 6554232 | The proxy server cannot get the full list of attributes using the asterisk character (*) on a joined data view. |
| 6561139 | The proxy server cannot roll back a JDBC transaction after an SQL exception. |
| 6562213 | The proxy server can log the wrong operation number when using virtual groups. |
| 6562601 | The DSCC does not display a certificate's properties. |
| 6567644 | The proxy server submits incorrect requests to the database. |
| 6573259 | When the ldapsearch command fails on a joined view, it returns internally mapped DNs in its error output. |
| 6573264 | The ldapsearch command should return error 32 when the base-DN does not exist in a JDBC source. |
| 6590816 | Setting the connectionIdleTimeOutInSec property in the LDAP listener causes the DSCC to fail. |
| 6592394 | In Windows installations, the dpadm create command accepts an invalid DN. |
| 6594076 | Mod operations fail when a DN is mapped for an LDAP data view. |
| 6596223 | An incorrect filter-join-rule causes an SQL error to be returned in the LDAP result. |
| 6596876 | The value of the connectionIdleTimeOutInSec attribute should be measured in seconds and not milliseconds. |
| 6597598 | Null pointer exceptions can occur during modification operations. |
| 6597608 | LDAP transactions can succeed only partially. |
| 6599118 | Modifying a non-string column with a string value returns SQL error messages. |
| 6599722 | The proxy server can store incorrect values. |
| 6616197 | Write operations to a secondary table fail when an attribute in filter-join-rule is non-numeric. |
| 6616898 | The objectclass attribute cannot be stored in a secondary data view. |
| 6618968 | Optimization for a join view should not occur when one entry is returned from a secondary view. |
| 6622852 | Virtual transformation of def-value on a DN does not work as expected. |
| 6630730 | A null pointer exception occurs in FailoverLoadBalancingAlgorithm.getSearchConnection. |
| 6637173 | An entry's DN is not returned when no access rights exist on requested secondary attributes. |
| 6637608 | ArrayIndexOutOfBoundsException and NegativeArraySizeException errors can occur under heavy load. |
| 6638374 | An entry cannot be added through a join view if its UID attribute contains capital letters. |
| 6639044 | An incorrect return code occurs when attempting to mod-delete an attribute without its value mapped to a single-row table. |
| 6639635 | A modify-replace operation fails on an unset attribute mapped to a single-row table. |
| 6640879 | The proxy server should return error 32 when using the source of an attr-name-mapping in the base of a search. |
| 6640884 | The proxy server should not forward a search implying the source of attr-name-mapping to the directory server back end. |
| 6641888 | Search operations return entries that contain attributes not present in viewable-attr. |
| 6641925 | An add operation through a join view always creates the entry on a secondary JDBC data source. |
| 6642559 | Write virtual transformations do not always work correctly. |
| 6642578 | Write virtual transformations do not work as expected when an entry is modified. |
| 6642686 | remove-attr-value read virtual transformations do not work correctly if the attribute is multi-valued. |
| 6643121 | The ldapmodify command fails when the foreign key is a VARCHAR. |
| 6643181 | Problems can occur with JDBC data sources if string attributes are too long. |
| 6643701 | The maxOperationPerInterval and operationRateCheckInterval properties do not work as expected. |
| 6646107 | An ADD operation can fail when using a value longer than the column size. |
| 6648665 | The max-client-connections property does not work if no operation is performed on the connection. |
| 6649071 | Translated GUI text should be consistent. |
| 6651837 | User DNs are not correctly normalized, causing ACIs to fail. |
| 6652476 | Add operations can fail when schema checking is enabled if objectclass:top or a naming attribute is missing. |
| 6653253 | A race condition in FailoverLoadBalancingAlgorithm can cause the proxy server to fail. |
| 6653453 | Persistent Searches over SSL via the proxy server to the directory server fail to return expected data. |
| 6654625 | Existing connections are disconnected when garbage collection is triggered to run. |
| 6656324 | The proxy server always converts DN values into lower case in ADD operations. |
| 6659381 | The proxy server JVM fails under high search load using JDK 1.6. |
| 6661001 | Reject operations are forwarded to the backend server. |
| 6661375 | Sockets can remain in the CLOSE_WAIT state. |
| 6661474 | The proxy server can miscalculate the connection numbers in connection pools. |
| 6661981 | The attr-name-mappings property cannot be set if source-attr is a substring of client-attr. |
| 6663112 | In Linux 64-bit installations, the proxy server cannot be started in 32-bit mode. |
| 6665983 | Modifying an attribute that is not part of object-class does not work properly. |
| 6670752 | The proxy server can throw this exception: java.io.IOException: Timeout when waiting to read from input stream |
| 6671579 | Virtualization fails to resolve a virtually mapped base within a search filter. |
| 6676073 | Incorrect attribute handling can cause modify operations in join data view to be routed incorrectly. |
| 6676076 | Null pointer exceptions can occur in modify operations in join data view. |
| 6678386 | Bind connections are not released and no more binds can be made when the maximum number of binds is reached. |
| 6680717 | StringIndexOutOfBoundsException can occur when omitting the join-rule in a join view. |
| 6681502 | Memory monitoring is disabled by default. |
| 6681932 | A remove-attr-value write virtual transformation does not work correctly. |
| 6682004 | The rule for a write remove-attr-value virtual transformation should be set on view-attribute-value. |
| 6686099 | A server exception occurs when an ACI is stored in LDAP and the LDAP source is not available. |
| 6688180 | An entry is duplicated under cn-monitor and incorrect values are stored for numDroppedOperations and receivedOperations. |
| 6688187 | The time-resolution attribute does not become effective until the server is restarted. |
| 6689377 | The default referral policy is set to discard. |
| 6689466 | The dpconf command does not access the cert-search-bind-dn and cert-search-bind-pwd properties. |
| 6689577 | A client cannot connect to the proxy server in the clear when ssl-policy is set to client in the data source. |
| 6691341 | Monitoring with average-traffic-sampling-interval does not work correctly. |
| 6692090 | The operationPerIntervalPeak property is specified in operations per interval while operationPerIntervalLastAverage property is specified in operations per second. |
| 6692627 | An error can occur when decoding a search filter when using an LDAP browser. |
| 6692693 | The proxy server does not use max-op-count-per-interval correctly. |
| 6697494 | Shared attributes cannot be deleted through a join view when an entry is absent. |
| 6702095 | When jdbc-attr is added to a table of existing object-class, its meta-data is not retrieved dynamically. |
| 6702169 | Attribute value mapping of a DN does not work correctly if the entry is not one level below the data view's base DN. |
| 6706567 | Join optimization does not work correctly with DN join rules when the primary and secondary view base are different. |
| 6707006 | Filter join rules are not handled correctly in join data view. |
| 6707110 | Search operations fail when a search filter contains attributes that are not part of jdbc-object-class. |
| 6711054 | The proxy server does not support the SQL Server SQL type smalldatetime. |
| 6711320 | One-level scope searches on some nonexistent cn=monitor child entries return incorrect search results. |
| 6713382 | DN normalization fails to translate the sequences \dd or %dd found in attributes values. |
| 6714425 | The ldapsearch command does not handle a quoted asterisk correctly. |
| 6714448 | The ldapsearch command can incorrectly handle non-numeric characters in integer searches. |
| 6714856 | Exceptions can occur in join data view. |
| 6717836 | Replacing an attribute found in a multi-row primary table can set other attributes in that table to null. |
| 6717943 | The default size limit for properties is set incorrectly. |
| 6720614 | An error message is displayed when the proxy server starts. |
| 6721702 | A JDBC search can fail when the primary table is not a single-row table. |
| 6724559 | The proxy server should filter out requests that contain unallowed controls. |
| 6727763 | Deleting an attribute found in a multi-row primary table deletes the matching entry. |
| 6728378 | A null pointer exception can occur in a join data view during an add operation when no DN/object class rule is specified. |
| 6728746 | The proxy server cannot add an entry containing more than two object classes to a JDBC source. |
| 6730825 | An attribute hiding rule does not return the filter attribute in the rule. |
| 6731666 | The proxy server ignores the process-bind attribute value on data views. |
| 6734365 | Attribute mapping is not cleared by use of another data view. |
| 6734438 | The proxy server fails at startup if a mail alert is configured and the mail transfer agent is not available. |
| 6734559 | Virtual DN mapping fails when depending on a virtual attribute. |
| 6734722 | Backend connections remain in the CLOSE_WAIT state. |
| 6735304 | An attribute with a null value cannot be hidden. |
| 6736621 | The bind DN is rejected when a transformation fails. |
| 6737084 | DNs can be mapped incorrectly. |
| 6739414 | The proxy server changes the case of characters in attribute names. |
| 6739456 | The configuration and log files should be accessible by groups. |
| 6739974 | The proxy server returns attribute name mappings in lower case only. |
| 6741401 | An ldapmodify add operation fails if the foreign key is stored in a multi-row primary table. |
| 6741403 | The ldapsearch command can fail because of an incorrect join in a SELECT statement. |
| 6741410 | The TYPE_OR_VALUE_ALREADY_EXISTS message should be returned when an existing value is added to an attribute. |
| 6742935 | The NO_SUCH_ATTRIBUTE message should be returned when a delete operation is performed on a multi-valued attribute. |
| 6743357 | A search operation with attribute filtering and multiple conditionals in the search filter returns error 1. |
| 6748387 | The proxy server should log a message when an operation changes state. |
| 6750354 | The proxy server should support requests for certificates with a keylength of 2048 bits. |
| 6751692 | The dpadm start command fails when using the MaxTenuringThreshold Java argument. |
| 6752963 | Exception messages can be logged incorrectly. |
| 6754091 | A join view operation with a filter-join-rule returns StringIndexOutOfBoundsException. |
| 6757759 | The proxy server can fail because of an incorrect JVM memory state. |
| 6758244 | A search operation on a JDBC source with a base scope and a DN filter on glue entries should not return all attributes. |
| 6758812 | The enabled-admin-alert property should accept a value of none and not accept a value of all. |
| 6759391 | The instance path in cn=monitor should be normalized. |
| 6760526 | The dpadm start command should create a DPS.pid file. |
| 6760951 | The configuration schema contains an inconsistency with the directory configuration schema. |
| 6761017 | A worker thread deadlock can occur. |
| 6761032 | The searchMode property is defined incorrectly. |
| 6761875 | High CPU use can occur, requiring that the proxy server be restarted. |
| 6764073 | The proxy server can fail when configured to use proxied authentication. |
| 6766175 | The ldapsearch command does not return an attribute with an empty value from a JDBC source. |
| 6767244 | The proxy server fails to bind to the secondary view when using a join view. |
| 6767776 | The proxy server cannot use DN mapping on the root DSE. |
| 6768924 | The proxy server does not recognize a split macro in a virtual transformation as a macro. |
| 6778090 | A compare operation does not work correctly on a virtual attribute in a join view. |
| 6778091 | A compare operation does not work correctly on a secondary attribute in a join view. |
| 6782659 | The SO_KEEPALIVE option is not set when a socket is created. |
| 6784464 | The dpconf command should support the useTcpKeepAlive attribute. |
| 6794720 | One-level searches on a data view from a JDBC source return an unexpected error. |
| 6795597 | Search performance on a join data view is poor when the primary view candidate list is large. |
| 6801024 | A warning message at startup should provide more information about the cause of the warning. |
| 6802371 | The acceptBacklog property is ignored for channel-based listeners. |
| 6807446 | A join view can return case-sensitive attribute values twice. |
| 6808701 | Inactivity heartbeats are not sent often enough for backend connections. |
| 6808704 | Inactivity heartbeats are not sent for bound backend connections. |
| 6808706 | Backend server checks might not occur often enough because of last server activity. |
| 6813566 | The proxy server must be restarted for changes to monitoring-interval and monitoring-bind-timeout to take effect. |
| 6818788 | The proxy server should provide the backend heartbeat more reliably. |
| 6819304 | A null pointer exception occurs when searching on cn=monitor when defining a failover pool with no source. |
| 6819752 | Persistent Search clients might not receive entry change notifications. |
| 6821752 | Resources used by a persistent search are not cleaned up after the client disconnects. |
| 6828842 | The proxy server can return error 1 when no backend servers are available, and it should return error 52. |
| 6832043 | Client affinity should not be enabled when useAffinity=false and affinityPolicy are explicitly set. |
| 6832498 | The proxy server should not use MD5 as the signature algorithm in signed certificates. |
| 6835898 | The dpconf command does not correctly handle attributes with a value of a single letter for Attribute/Entry Hiding. |
| 6845410 | Renaming an attribute can break some BIND DNs. |
| 6847524 | DNs with special characters are not written correctly in the configuration file. |
This section lists known problems and limitations at the time of release.
This section lists product limitations.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.
To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.
When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.
To ensure atomicity, do not use the join data view for write operations. If you perform write operations on a join data view, use an external mechanism to prevent or detect inconsistencies. You can monitor inconsistencies by monitoring the Directory Proxy Server error log.
The log-buffer-size(5dpconf) man page displays the wrong default size of the access log buffer. The default buffer size for access log is 1M.
The man pages for the pattern matching distribution algorithm incorrectly show the respective properties as single-valued. The properties are multi-valued.
Oracle handles an empty string as NULL. The empty string and NULL are both valid values for an LDAP entry, but it is not possible to distinguish the two in Oracle. This issue was corrected for other JDBC sources in issue 6766175, as noted in Bugs Fixed in Directory Proxy Server 7.0.
This section lists the known issues found at the time of the Directory Proxy Server 7.0 release.
The modify DN operation is not supported for LDIF, JDBC, join and access control data views.
Currently, getEffectiveRight control is supported only for LDAP data views and does not yet take into account ACIs local to the proxy.
After generation of a CA-Signed Certificate request, when you refresh, the certificate is displayed as a self-signed certificate.
If the SSL port used by Directory Proxy Server is incorrect, after a secure search request on that port Directory Proxy Server may close all connections.
Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.
It is possible to specify the base-dn property when creating a data view, but it is not possible to set the base-dn property to "", the root DSE, after creating the data view.
Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.
An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.
After configuring alerts, you must restart Directory Proxy Server for the change to take effect.
Directory Proxy Server fails to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.
In Directory Proxy Server, the referral hop limit does not work.
On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.
After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.
To work around this issue, change the permissions on the installation and server instance folders.
On Windows, DSCC initialization can only be performed by the Administrator user.
Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.
After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.
Time limit and size limit settings work only with LDAP data sources.
After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.
The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and multi-byte characters.
When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.
To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.
When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.
Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.
The JDBC connection configuration to access Oracle 9 through Directory Proxy Server is not exactly as described in the documentation.
Consider the following configuration, with an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.
Typically, to configure access through to MYTABLE, set the following properties.
On the JDBC data source, set db-name:MYINST.
On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.
On the JDBC table, set sql-table:MYNAME.MYTABLE
If these settings do not work, configure access through to MYTABLE with the following settings.
On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST)))
On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537)))
On the JDBC table, set sql-table:MYNAME.MYTABLE
When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and might return the following error:
svcadm: Instance "svc:/instance_path" is in maintenance state.
To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.
On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.
Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.
In DSCC, in the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.
In DSCC 6.0, useTCPNoDelay is set to false by default when creating a data source with DSCC, while the default value of use-tcp-no-delay is set to true when creating an instance through the administrative command dpconf create-ldap-data-source.
In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays multi-byte strings as garbled text.
The string owner in the output of the dpadm show-cert dps-instance-path command is not translated in Simplified Chinese and Traditional Chinese.
If the Directory Proxy Server configuration property allow-bind-operations is set to false, it is not possible to connect on an SSL port using the dpconf command line argument with the --secure-port option. Connection by Start TLS (default) or by clear connection (the --unsecured option) are still possible.
Directory Proxy Server does not change the DN of an ADD operation when the operation follows a referral in which the basedn is different from that of the original machine. Attempting an ADD against a Directory Proxy Server instance that has a Directory Server instance that is set to follow referrals, as opposed to just forwarding referrals, results in the ADD being rejected on the referred server because of an incorrect basedn.
Using the ldapmodify command to execute the ADD directly against the Directory Server instances allows the ADD to work.
No warning is issued when you set a password of insufficient length for the certificate database. If the password is too short, it is accepted by the Directory Service Control Center. Issuing the dpadm command with cert subcommands can then result in the commands hanging.
The proxy server bypasses the requires-bind-password property on the backend directory server.
The dpadm list-running-instances command does not list all the instances that are started from the current installation but lists only the instances that belong to the current user.
On OpenSolaris, when alerts are raised, Directory Proxy Server does not log them in syslog.
An obsolete definition remains in the 28pilot.ldif file.
To work around this issue, add the following alias specification to the 28pilot.ldif file:
objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)
The uidObject objectclass is missing from the schema.
To work around this issue, add the following objectclass to the 00core.ldif file:
objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')
Directory Proxy Server reports a schema violation on attributes timeResolutionMode and timeResolutionInMillisec.
This message is harmless. To work around it, use the following steps:
Make sure that you have access to the jar program. This program is shipped with any JDK installation.
Stop the Directory Proxy Server instance.
Change the current directory to the Directory Server installation directory.
Run the following command to extract the schema file from the Directory Proxy Server archive:
$ jar xvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif
Use a text editor to edit the schema file, com/sun/directory/proxy/config/config_schema.ldif, and make these changes.
Delete the attribute attributeTypes containing the string NAME ( 'useNanoTimeforEtimes' ).
Add a new attribute attributeTypes with the following content:
attributeTypes: ( "" NAME ( 'timeResolutionInMilliSec' ) DESC '' \ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'DPS' )
Make sure to delimit parentheses with spaces.
Search for the attribute objectClasses containing the string NAME 'topConfigEntry'.
In this attribute line, search for the string useNanoTimeforEtimes and rename it as timeResolutionMode.
Save the file and close it.
Run the following command to apply the changes done to the schema file to the Directory Proxy Server archive:
$ jar uvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif
On Windows Server 2008, if the server instance is set up to start at boot by using the dpadm enable-service command, the dpadm info command displays the status of the instance as Stopped. In that case, the instance cannot be stopped or restarted using the dpadm command or DSCC.
Use Windows Service manager to enable the server instance to start when the Windows server machine starts up.