Sun Directory Server Enterprise Edition 7.0 Release Notes

Known Directory Server Issues in 7.0

This section lists the issues that are known at the time of the Directory Server 7.0 release.

2113177

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

2129151

The Directory Server hangs when running the stop-slapd command.

2133169

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
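One way to do the preprocessing mentioned above, as an added example that is not part of the release notes or the product: a Python filter that appends the two timestamp attributes to each entry that lacks them, which keeps entry age available to later audits. The sample entries, the function names, and the choice to stamp every entry with a single time are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Attributes the note above says LDIF import does not generate. LDAP attribute
# names are case-insensitive; this spelling follows RFC 4512.
STAMP_ATTRS = ("createTimestamp", "modifyTimestamp")

# Constructed sample input (not from the release notes).
SAMPLE_LDIF = """version: 1

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
description: a long value that is folded
 onto a continuation line

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
createTimestamp: 20090101000000Z
"""


def attr_names(record_lines):
    """Lower-cased attribute names in one record, ignoring comments,
    continuation lines and options such as ;binary."""
    names = set()
    for line in record_lines:
        if line.startswith((" ", "#")) or ":" not in line:
            continue
        names.add(line.split(":", 1)[0].split(";", 1)[0].strip().lower())
    return names


def add_timestamps(ldif_text, when):
    """Append the missing timestamp attributes to every content record."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    out = []
    for record in re.split(r"\n{2,}", ldif_text.replace("\r\n", "\n").strip("\n")):
        lines = record.split("\n")
        present = attr_names(lines)
        # The "version: 1" header and change records pass through untouched.
        if "dn" in present and "changetype" not in present:
            lines += [f"{a}: {stamp}" for a in STAMP_ATTRS if a.lower() not in present]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_timestamps(SAMPLE_LDIF, datetime.now(timezone.utc)), end="")
```

Timestamps already present in the source LDIF are preserved, so only entries that never carried them receive the import-time value.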

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.


    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert

  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.


    $ dsadm add-cert --ca /local/consumer supplierCert \
      /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert \
      /tmp/consumer-cert.txt

  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.


    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
    
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6412131

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.
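A pre-import check for the two patterns this note names, as an added example that is not part of the release notes or the product: it scans LDIF for ACI targets containing an escaped quote or exactly one escaped comma, so that an ACI the server would reject is caught before it is silently missing from the access control configuration. The function names and the last two sample records are assumptions; the check is a heuristic derived only from the behavior described above.

```python
import re

# DN inside (target="ldap:///<dn>"); backslash escapes such as \" are allowed
# inside the quoted value.
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///((?:\\.|[^"\\])*)"', re.I)

# The first two records are the failing examples from the note above; the
# last two are constructed here for contrast.
SAMPLE_LDIF = r'''dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

dn:o=Example\, Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example\, Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testTwoCommas";
 allow (all) userdn ="ldap:///self";)

dn:ou=People,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///ou=People,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testPlain";
 allow (all) userdn ="ldap:///self";)
'''


def unfold(ldif_text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return ldif_text.replace("\r\n", "\n").replace("\n ", "")


def risky_aci_targets(ldif_text):
    """Return (target_dn, reason) for targets matching issue 6416407."""
    findings = []
    for line in unfold(ldif_text).splitlines():
        if not line.lower().startswith("aci:"):
            continue
        for dn in TARGET_RE.findall(line):
            if '\\"' in dn:
                findings.append((dn, "escaped quote"))
            elif dn.count("\\,") == 1:
                findings.append((dn, "single escaped comma"))
    return findings
```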

6428448

The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.

6446318

On Windows, SASL authentication fails for the following two reasons:

  • SASL encryption is used.

    To work around the issue caused by SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.


    dn: cn=SASL, cn=security, cn=config
    dssaslminssf: 0
    dssaslmaxssf: 0

  • The installation is done using native packages.

    To work around the issue caused by the native packages installation, set SASL_PATH to install-dir\share\lib.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6461602

The dsrepair fix-entry command does not work if the source is a tombstone and the target is an entry (DEL not replicated).

Workaround: Use the dsrepair delete-entry command to explicitly delete the entry. Then use the dsrepair add-entry command to add the tombstone.

6468074

The name of the passwordRootdnMayBypassModsCheck configuration attribute does not make it clear that, when the attribute is set, the server now allows any administrator to bypass password syntax checking when modifying another user's password.

6469154

On Windows, the output and help messages of the dsadm and dpadm commands are not localized in Simplified and Traditional Chinese.

6469296

Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. The default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488284

For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To work around this issue, access the man pages at Sun Directory Server Enterprise Edition 7.0 Man Page Reference. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.

6490557

An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.

6491849

After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use the new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497894

The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6501320

When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.

6503509

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.

6503546

After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.

6504180

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6504549

The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.

6507312

On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.

6520646

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999

The Directory Server plug-in API includes slapi_value_init(), slapi_value_init_string(), and slapi_value_init_berval() functions.

These functions all require a “done” function to release internal elements. However, the public API is missing a slapi_value_done() function.

6541040

When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.

6542857

When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system, and the following error might be returned:


svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.

6547992

On HP-UX, the dsadm and dpadm commands might not find the libicudata.sl.3 shared library.

As a workaround to this problem, set the SHLIB_PATH variable.


env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

6551685

The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6557480

On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.

6559825

If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.

6587801

Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To work around this issue:

Add the 64-bit module with 64-bit version of modutil:


$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/libnssckbi.so -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

6630897

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.

6630924

The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.

6634397

For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have SSL port only and secure-listen-address setup with Directory Server Enterprise Edition 6.3, use this workaround:

  1. Unregister the server from DSCC:


    $ dsccreg remove-server /local/myserver

  2. Disable the LDAP port:


    $ dsconf set-server-prop ldap-port:disabled

  3. Set up a secure-listen-address:


    $ dsconf set-server-prop secure-listen-address:IPaddress
    $ dsadm restart /local/myserver

  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.

6637242

After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService.

6640755

In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.

6648240

Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.

6689432

The error message displayed after a failed attempt to set use-cert-subject-as-bind-dn to false contains the wrong property names.

6696857

If a Directory Proxy Server instance has only secure-listen-socket/port enabled through DSCC and the server certificate is not the default (for example, if it is a certificate signed by a Certificate Authority), then DSCC cannot be used to manage the instance.

To work around this problem, unregister the DPS instance and then register it again. Another solution is to update the userCertificate information for the DPS instance in the DSCC registry using the server certificate.

6720595

On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.

6725346

Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). Directory Server does not accept multibyte characters (such as in Chinese or Japanese character sets) in strings for database names, file names, and path names. To work around this issue when creating a Directory Server suffix having multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.


$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN

Do not use the default database name for the suffix. Do not use multibyte characters for the database name.

6750837

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the DSEE_HOME/ds6/bin/dsconf accord-repl-agmt command to correct the replication agreement.

6751354

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:


WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -  
Detected plugin paths from another install, using current install

To avoid these warnings, be sure to use C:/ consistently.

6752625

Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:


For more information about data source configuration, 
see the "Sun Directory Server Enterprise Edition Reference."

Selecting the link to the DSEE Reference document produces an error message.

To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.

6753020

In a Multi-Master Replication configuration that includes 5.2 consumers, a maximum of 4 version 7.0 servers is supported.

6776034

The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.

To fix this issue, install the missing SUNWxcu4 package on your system.

6783994

The -f option does not work with the ldapcompare command.

6845087

On Windows, CLI displays garbage characters.

6853393

DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.

6867762

When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:

  • the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties

  • scheduling of the housekeeping thread

  • the effective size of the log file when the rotation condition is satisfied

The timestamp in the rotated log file (for example, access.timestamp) can therefore not be guaranteed.

6876315

If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.

The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.

6885178

The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.

6891486

Some debug messages and Error #20502, Serious failure during database checkpointing, err=2 (No such file or directory), can sometimes be logged right before the import processing starts. Such messages can be ignored, as they refer to the old suffix data being deleted.

6894136

If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take a long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.

6898825

On Windows 2008, Common Agent Framework sometimes refuses to be started from Windows Service Manager.

As a workaround, start the CACAO service manually using the cacaoadm start command.

6955408

On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.

Workaround: After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.