This section lists the known issues that are found at the time of Directory Server 7.0 release.
Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.
The Directory Server hangs when running the stop-slapd command.
When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.
LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.
The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.
To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.
Export the certificate to a file.
The following example shows how to perform the export for servers in /local/supplier and /local/consumer.
$ dsadm show-cert -F der -o /tmp/supplier-cert.txt \ /local/supplier defaultCert $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \ /local/consumer defaultCert |
Exchange the client and supplier certificates.
The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.
$ dsadm add-cert --ca /local/consumer supplierCert \ /tmp/supplier-cert.txt $ dsadm add-cert --ca /local/supplier consumerCert \ /tmp/consumer-cert.txt |
Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.
Add the replication manager DN on the consumer.
$ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN |
Update the rules in /local/consumer/alias/certmap.conf.
Restart both servers with the dsadm start command.
Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.
An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.
The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.
Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.
dn:o=mary\"red\"doe,o=example.com changetype:modify add:aci aci:(target="ldap:///o=mary\"red\"doe,o=example.com") (targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com changetype:modify add:aci aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com") (targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)
Examples with more than one comma that has been escaped have been observed to parse correctly, however.
The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.
On Windows, SASL authentication fails due to the following two reasons:
SASL encryption is used.
To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.
dn: cn=SASL, cn=security, cn=config dssaslminssf: 0 dssaslmaxssf: 0 |
The installation is done using native packages.
To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.
Directory Service Control Center does not properly display userCertificate binary values.
The dsrepair fix-entry does not work if the source is a tombstone and if the target is an entry (DEL not replicated).
Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.
It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.
On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.
Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.
On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.
To work around this issue, change the LDIF file name so that it does not contain double-byte characters.
Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.
To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.
After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.
To work around this issue, change the permissions on the installations and server instance folders.
For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:
man5dpconf.
man5dsat.
man5dsconf.
man5dsoc.
man5dssd.
To workaround this issue, access the man pages at Sun Directory Server Enterprise Edition 7.0 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.
An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.
When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.
To work around this issue, use a different browser such as Mozilla web browser.
After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.
On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.
The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.
On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.
The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.
In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.
When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.
Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.
Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.
On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.
The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.
On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.
Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.
The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.
These functions all require a “done” function to release internal elements. However, the public API is missing a slapi_value_done()() function.
When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.
Using the Directory Service Control Center to manage the default password policy does not causes any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.
When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:
svcadm: Instance "svc:/instance_path" is in maintenance state. |
To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.
On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.
As a workaround to this problem, set the SHLIB_PATH variable.
env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm |
The dsadm autostart can make native LDAP authentication to fail when you reboot the system.
As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.
On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.
If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.
Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.
To workaround this issue:
Add the 64-bit module with 64-bit version of modutil:
$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \ -libfile /usr/lib/mps/64/libnssckbi.so -nocertdb \ -dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db |
The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.
The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.
For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.
To have SSL port only and secure-listen-address setup with Directory Server Enterprise Edition 6.3, use this workaround:
Unregister the server from DSCC:
dsccreg remove-server /local/myserver |
Disable the LDAP port:
dsconf set-server-prop ldap-port:disabled |
Set up a secure-listen-address:
$ dsconf set-server-prop secure-listen-address:IPaddress |
$ dsadm restart /local/myserver |
Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.
After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService
In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.
Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.
The error message displayed after a failed try to set use-cert-subject-as-bind-dn to false contains wrong property names.
If a Directory Proxy Server instance has only secure-listen-socket/port enabled through DSCC and if server certificate is not default (for example, if it is a certificate-Authority-signed certificate), then DSCC cannot be used to manage the instance.
To work around this problem, unregister the DPS instance and then register it again. Another solution is to update the userCertificate information for the DPS instance in the DSCC registry using the server certificate.
On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.
Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). Directory Server does not accept multibyte characters (such as in Chinese or Japanese character sets) in strings for database names, file names, and path names. To work around this issue when creating a Directory Server suffix having multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.
$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN |
Do not use the default database name for the suffix. Do not use multibyte characters for the database name.
Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the 'DSEE_HOME/ds6/bin/dsconf accord-repl-agmt' to correct the replication agreement.
Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:
WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 - Detected plugin paths from another install, using current install |
To avoid these warnings, be sure to use C:/ consistently.
Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:
For more information about data source configuration, see the "Sun Directory Server Enterprise Edition Reference." |
Selecting the link to the DSEE Reference document produces an error message.
To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.
In a Multi-Master Replication configuration including 5.2 consumers, maximum of 4 version 7.0 servers are supported.
The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.
To fix this issue, install the missing SUNWxcu4 package on your system.
The -f option does not work with the ldapcompare command.
On Windows, CLI displays garbage characters.
DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.
When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:
the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties
scheduling of the housekeeping thread
the effective size of the log file when the rotation condition is satisfied
The timestamp in the rotated log file (for example, access.timestamp) can therefore not be guaranteed.
If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.
The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.
The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.
Some debug messages and Error #20502, Serious failure during database checkpointing, err=2 (No such file or directory), can sometimes be logged right before the import processing starts. Such messages can be ignored, as they refer to the old suffix data being deleted.
If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.
On Windows 2008, Common Agent Framework sometimes refuses to be started from Windows Service Manager.
As a workaround, start the CACAO service manually using the cacaoadm start command.
On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.
Workaround. After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.