Sun Java System Directory Server Enterprise Edition 6.2 Release Notes

Known Directory Server Issues in 6.2

This section lists the known issues found at the time of the Directory Server 6.2 release.

2113177

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

2133169

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
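One way to do the preprocessing mentioned above, as an added example that is not part of the original release notes: a Python filter that appends createTimestamp and modifyTimestamp to every LDIF entry that lacks them. The function name, the sample entries, and the choice to stamp all entries with one UTC time in GeneralizedTime form are assumptions.

```python
import re
from datetime import datetime, timezone

def add_timestamps(ldif_text, when=None):
    """Add createTimestamp/modifyTimestamp to every entry that lacks them.

    `when` is a timezone-aware datetime; the default is the current UTC time.
    """
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")  # GeneralizedTime
    out = []
    # LDIF records are separated by one or more blank lines.
    for record in re.split(r"\n{2,}", ldif_text.replace("\r\n", "\n").strip("\n")):
        # Unfold continuation lines (newline + one space) to read attribute names.
        lines = record.replace("\n ", "").split("\n")
        names = {ln.split(":", 1)[0].split(";")[0].strip().lower()
                 for ln in lines if ":" in ln and not ln.startswith("#")}
        if "dn" not in names or "changetype" in names:
            out.append(record)      # version line or change record: leave untouched
            continue
        extra = [f"{attr}: {stamp}" for attr in ("createTimestamp", "modifyTimestamp")
                 if attr.lower() not in names]
        out.append("\n".join([record] + extra))
    return "\n\n".join(out) + "\n"

# Constructed sample input (entries and values are illustrative).
SAMPLE = """version: 1

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
description: a long value that is
  folded onto a second line

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
modifyTimestamp: 20070101000000Z
"""

if __name__ == "__main__":
    print(add_timestamps(SAMPLE), end="")
```

Existing timestamp values are preserved, so running the filter twice over the same file changes nothing.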

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.

6358392

When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.

6366948

Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.


    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert

  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.


    $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt

  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.


    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
    
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.

6412131

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6415184

A Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start, or to perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:


# cacaoadm list-params | grep java-flags
  java-flags=-Xms4M -Xmx64M

# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

Use only ASCII characters in the instance path to avoid these issues.

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.
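A pre-flight check for this issue, as an added example that is not part of the original release notes: the Python function below scans LDIF for ACIs whose target DN contains an escaped quote or exactly one escaped comma, so that affected ACIs are found before the server rejects them. The function name and the third sample record are assumptions; the first two records are the failing cases shown above.

```python
import re

# (target="ldap:///<dn>") or (target!="..."), allowing backslash escapes in <dn>.
TARGET_RE = re.compile(r'\(\s*target\s*!?=\s*"ldap:///((?:\\.|[^"\\])*)"', re.I)

def risky_aci_targets(ldif_text):
    """Return (entry_dn, target_dn, reason) for each ACI that matches 6416407."""
    # Unfold LDIF continuation lines: a newline followed by one space.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    findings, dn = [], None
    for line in unfolded.split("\n"):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "aci":
            for match in TARGET_RE.finditer(value):
                target = match.group(1)
                if '\\"' in target:
                    findings.append((dn, target, "escaped quote"))
                elif target.count("\\,") == 1:
                    findings.append((dn, target, "single escaped comma"))
    return findings

# Constructed sample: the first two records are the page's failing cases, the
# third has two escaped commas, which the page says parses correctly.
SAMPLE = r'''dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)

dn:o=Example\, Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example\, Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "twoCommas"; allow (all) userdn ="ldap:///self";)
'''

if __name__ == "__main__":
    for entry_dn, target, reason in risky_aci_targets(SAMPLE):
        print(f"{entry_dn}: {reason} in target {target}")
```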

6428448

The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.

6443229

Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.

6446318

On Windows, SASL authentication fails due to the following two reasons:

  • SASL encryption is used.

    To work around the issue caused by SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.


    dn: cn=SASL, cn=security, cn=config
    dssaslminssf: 0
    dssaslmaxssf: 0

  • The installation is done using native packages.

    To work around the issue caused by the native packages installation, set SASL_PATH to install-dir\share\lib.

6448572

Directory Service Control Center fails to generate a self-signed certificate when you specify the country.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6468074

The configuration attribute name, passwordRootdnMayBypassModsCheck, does not reflect that the server now allows any administrator to bypass password syntax checking when modifying another user's password when the attribute is set.

6468096

Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6469296

The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6478568

The dsadm enable-service command does not work correctly with Sun Cluster.

6480753

The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.

6482378

The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.

6482888

Unless you start Directory Server at least once, the dsadm enable-service command fails to restart Directory Server upon system reboot.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as the Mozilla web browser.

6490762

After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.

6491849

After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use the new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497053

When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To work around this issue:

  1. Enable the Monitoring Plug-in using the web console or dpconf.

  2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.

6497894

The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6498537

In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6501893

Output of the schema_push, repldisc, pwdhash, ns-inactivate, ns-activate, ns-accountstatus, mmldif, insync, fildif, entrycmp, dsrepair, dsee_deploy, dsadm show-cert, dsadm repack, and ldif commands is not localized.

6501900
6501902
6501904

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccreg commands is not localized.

6503546

After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.

6503558

When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.

6504180

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6520646

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999

The Directory Server plug-in API includes slapi_value_init(), slapi_value_init_string(), and slapi_value_init_berval() functions.

These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done() function.

6533281

Because of a known issue, nsslapd-idletimeout is not computed on Windows installations as documented under all conditions.

On Unix (including Solaris), nsslapd-idletimeout is computed when new connections are opened and when new data is received, as described in the documentation.

On Windows, nsslapd-idletimeout is computed the same way for secure connections or if ds-start-tls-enabled is true. However, for non-secure connections and if ds-start-tls-enabled is false, nsslapd-idletimeout is computed only when new connections are opened.

6536770

DSCC might not display long ACIs, depending on the limit set by the Internet Service Provider.

6538726

On Linux, if a Directory Server instance is started in a locale that is different from the locale in which the instance was created, multi-byte characters do not display properly.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, add the following lines which are marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.


...
restart_on="none" type="service"> 
<service_fmri value="svc:/network/initial:default"/> 
  </dependency> 
+ <dependency name="nameservice" grouping="require_all"
+ restart_on="none" type="service"> 
+ <service_fmri value="svc:/milestone/name-services"/> 
+ </dependency> 
<exec_method type="method" name="start" 
exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

6547923

The Directory Server Enterprise Edition Windows service fails to start more than one server instance when the system restarts.

6550543

You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6.

As a workaround, use JDK 1.5 instead.

6551672

Sun Java System Application Server bundled with Solaris 10 cannot create a SASL client connection for authenticated mechanism and does not communicate with the common agent container.

As a workaround, change the JVM used by the application server by editing the appserver-install-path/appserver/config/asenv.conf file and replacing the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.

6551685

The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6554777

The DSCC Version window might display the HTML source code if DSCC is configured by deploying the Web Archive (WAR) file with an application server. As a workaround, add the following entries in domain-path/domain-name/config/default-web.xml.


<mime-mapping>
<extension>shtml</extension>
<mime-type>text/html</mime-type>
</mime-mapping>

6555192

On Linux, the localized server messages shown in the DSCC progress window might display the international characters garbled in non-English locales.

6557480

On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.

6565893

The idsktune command does not support SuSE Enterprise Linux.

6571672

If unzip is unavailable on the system, dsee_deploy does not install any product.

6573439

In the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.

6573440

If you configure the uniqueness plug-in to work across multiple attributes in Directory Server, an error is displayed during the Directory Server startup.

6577314

If you apply the Directory Server Enterprise Edition 6.2 patch without stopping the server instances, the dsadm info and dsadm stop commands display that a server is down while the server is running.

6581469

The string err= is not translated in some of the Korean and Simplified Chinese messages.

6582831

On Solaris, the instances registered as a service might not start after restarting the system.

As a workaround to this problem, run the following commands:


# /usr/sbin/svccfg
svc:> select application/sun/ds
svc:/application/sun/ds> delpropvalue start/timeout_seconds 60
svc:/application/sun/ds> delpropvalue stop/timeout_seconds 60
svc:/application/sun/ds> addpropvalue start/timeout_seconds 600
svc:/application/sun/ds> addpropvalue stop/timeout_seconds 600
svc:/application/sun/ds> quit

6586231

In the dsconf help, Directory Server is sometimes incorrectly translated as répertoire instead of serveur d'annuaire in the French language.

6588319

In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays the multi-byte strings garbled.

6589603

If you set the value of the configuration property, pwd-max-history-count, or the password policy attribute, pwdInHistory, to its maximum allowed value 24, the Directory Server instance might crash.

As a workaround, the value of pwd-max-history-count or pwdInHistory should not exceed 23.

6589942

In French, German, and Spanish languages, ROLE is translated in the dsconf enable-repl -? command's syntax but it is not translated later in the ROLE = master string.

6589949

In the command line interface help, the string INSTANCE_PATH is not translated in the German and Spanish languages.

6590558

On Linux, the Directory Server instances do not start at system restart if the maximum number of files is specified in the /etc/security/limits.conf file.

As a workaround, add the following in the /etc/init.d/dsee_directory file.


# ulimit -Hn 65536
# ulimit -Sn 65536

6592543

The pop-up windows prompting the confirmation for stopping or unregistering servers display the doubled apostrophes in the French locale.