Directory Server Access Management Edition Release Notes



Release Notes
iPlanet™ Directory Server Access Management Edition, Version 5.1





Updated June 7, 2002

These release notes contain important information on iPlanet Directory Server Access Management Edition, version 5.1. Enhancements, installation notes, known problems, and late-breaking issues are addressed. Read this document before installing DSAME.



Note: Sun One Identity Server was previously known as iPlanet Directory Server Access Management Edition (DSAME). It was renamed shortly before launch. Because of the late renaming, the new product name is not fully integrated into the shipping product; in particular, the product is referred to as DSAME within the product GUI and within the product documentation. For this release, please consider Sun One Identity Server and iPlanet Directory Server Access Management Edition as interchangeable names for the same product.



DSAME, version 5.1 is not compatible with any previous Beta release. Uninstall any Beta release before installing this version. Do not move existing data because the schema and many internal entries have changed; this includes the iPlanet Directory Server and Web Server versions that were originally installed. Use the new versions included in this release. These release notes contain the following sections:



Known Problems and Limitations

Below are listed the known problems and limitations found while testing this version of DSAME.


Installation


Update-o.pl Does Not Update The Organizations (4674154)
The update-o.pl migration script hardcodes the ldapsearch and ldapmodify paths but does not set LD_LIBRARY_PATH, and it does not update the organizations because the ldapmodify call is commented out. The user must change the paths as stated in the Perl script.


Installation Passes In ja_jp_eucJP Locale; Fails In ja_Jp_UTF8 Locale (4678948)
To install, switch the locale to the Japanese ja_jp_eucJP locale and run the installation again.


Removing Directory Server Removes All Software in Directory (4536926)
When Directory Server is installed with DSAME, it is installed in a directory chosen by the installer (by default, /usr/iplanet/servers). When DSAME is uninstalled, all files in that directory are removed, including anything else that has been installed there. No other software should be installed in that directory.


Installation Script Does Not Check for Link Validity or the Absolute Path
The installation script aminstall does not check for link validity or for the absolute path. If an invalid location is specified, the installation of a DSAME component may fail even though the installation process appears to have completed successfully. (4536926)


Install Log Message Irrelevant
The following message appears in the install log after installation. It has no bearing on whether DSAME was installed successfully. (4536466)


Deploying web application
Loading new configuration
Reconfigure failure: server not running
Web application deploy successful


Deployment


User Profile Locale Must Be Consistent With Server (4626054)
When the DSAME locale is set to anything other than English (ISO-8859-1), a user can change the User service language to a different locale but cannot switch back to an English locale.


Administrative Limit Exceeded In Directory Server (4682664)
If nsLookThroughLimit in Directory Server is set lower than the number of organizations in your DIT, the console displays DS_ERROR_CODE_11 (Administrative Limit Exceeded) and no organizations are displayed.


Incorrect Error Page Displayed (4680795)
The incorrect error page is displayed when Identity Server is installed with Sun One Application Server. When users are created and user-based authentication is configured in Core authentication but no User service template has been created, the following error is returned when a user attempts to log in:

500 SC_INTERNAL_SERVER_ERROR.


ACI Error Occurs If Organization RDN Has Commas (4646182)
A root suffix whose RDN value contains an embedded comma cannot be used, for example, o=sun microsystem, ca.


Maximum Number of Services Supported by the DSAME console
For this release of DSAME, up to 50 services can be displayed in the DSAME console. (4536927)


Error Messages Display When Loading Sample Service
If you load the sample service into Directory Server and then register that service to an organization, the errors copied below appear in the Directory Server error log. The errors are logged because no service template has been created; they require no action. (4539108)


[26/Nov/2001:10:54:44 -0800] - skipping cos definition cn=iPlanetAMWebAgentServicePolicy,o=iplanet.com,o=isp--no templates found
[26/Nov/2001:10:54:44 -0800] - skipping cos definition cn=iPlanetAMSessionService,o=mmr1,o=isp--no templates found


Configuration


Browser Cache Size Needs To Be Set Higher Than 0 (4666806)
The cache size of the browser with which you are viewing DSAME needs to be set higher than 0.


Allowable Log Delimiters Are Inconsistent (4664745)
The following rules apply to log delimiters:

  • Delimiters consisting only of N spaces are not allowed.

  • If N-spaces are bounded by characters, those spaces are included.

  • N-spaces preceding the first character are not included.

  • N-spaces following the last character are included.

  • Tabs following the last character are included.
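The rules above are easier to apply, and to test, when written as a function. The following Python is an added example, not part of the DSAME product: the function names are invented here, and its treatment of a delimiter made only of tabs (accepted) is an assumption, since the notes state the rejection rule only for spaces.

```python
# Added example: apply the documented DSAME log-delimiter rules to a
# configured delimiter string. Not DSAME code; function names are hypothetical.


def is_valid_delimiter(raw: str) -> bool:
    """A delimiter consisting only of spaces (or nothing at all) is rejected.

    Assumption: a delimiter made only of tabs is accepted, because the notes
    forbid only all-space delimiters.
    """
    return raw != "" and not all(ch == " " for ch in raw)


def normalise_delimiter(raw: str) -> str:
    """Return the delimiter as the rules say it will be interpreted.

    - spaces before the first character are dropped;
    - spaces bounded by characters are kept;
    - spaces and tabs after the last character are kept.
    """
    if not is_valid_delimiter(raw):
        raise ValueError("log delimiter must contain a non-space character")
    # lstrip(" ") removes leading spaces only; tabs and everything after the
    # first non-space character are preserved.
    return raw.lstrip(" ")


def split_log_record(record: str, configured_delimiter: str) -> list:
    """Split a log record using the delimiter as the rules interpret it.

    This makes the inconsistency visible: a delimiter configured as ' | '
    is applied as '| ', so the field before it keeps a trailing space.
    """
    return record.split(normalise_delimiter(configured_delimiter))


if __name__ == "__main__":
    # Constructed sample record, not real DSAME log output.
    sample = "2002-06-07 | uid=usera | LOGIN | SUCCESS"
    print(split_log_record(sample, " | "))
```

The practical consequence for anyone parsing DSAME logs downstream is that fields keep trailing whitespace whenever the configured delimiter began with spaces; normalising the delimiter the same way the server does avoids mismatched field boundaries.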


Non-ASCII Login IDs
Do not use multi-byte characters (8 and 16 bit) in login IDs or email addresses. (4538007)


Configuring amUser.xml For Multiple Naming Attributes
In order to manage a user with multiple naming attributes, ensure that the naming attribute type in amUser.xml is changed to list from its default value of single. (4536186)


Configuring serverconfig.xml For SSL Port
Ensure that serverconfig.xml is configured correctly when listening to SSL port 636. The correct configuration is <Server name="server" host="host address" port="636" type="SSL"/>. Setting the type to simple when the port is for SSL will cause DSAME to hang. (4536852)


Configuring serverconfig.xml For Connection Pools
DSAME uses an LDAP connection to request information from Directory Server. By default, the minimum number of LDAP connections allowed when DSAME is started is 1; the maximum number of connections is 10. If at any time more than 1 simultaneous request is being made from DSAME to Directory Server, additional connections will be dynamically added up to the maximum of 10. These default values can be increased, depending on the size of your organization, by modifying the serverconfig.xml file. This file is used by both amadmin and the DSAME SDK. The SDK needs to allow for 100-500 connections. amadmin needs only the default 1-10. Therefore, for optimum usage, it is recommended that you keep one serverconfig.xml file for each purpose, loading and reloading it depending upon your current need. (4536447)


Authentication


Custom Authentication Module Should Not Encode URL (4654293)
A custom authentication module should not encode the URL for a browser that does not support cookies; for such browsers the URL will be:

http://dsameserver/servlet;ipsserver=ssotoken

If the Gateway is used and it shortens the URL by rewriting it, this causes problems with the Gateway. The Gateway should encode and decode the session information in the URL.


Command Line


ModifyUser.xml File Does Not Work (4684792)
The ModifyUser.xml file is not working. User modification may be done through the console, through ldapmodify or by deleting and recreating the user.


Amadmin Hangs After java.lang.OutOfMemoryError (4682773)
amadmin should not be used for bulk operations. If too many operations are attempted from one XML file, amadmin will appear to hang and ultimately run out of memory.


Performance Considerations When Using amadmin
When you create directory entries using amadmin, roles associated with that entry are also created. For example, when you create an Organization, an associated Organization Administrator role and an Organization Help Desk role are created. Roles contain ACIs which take longer to create than other types of objects. Creating objects that have associated roles can therefore significantly increase the time it takes to process the additions to your directory tree. (4536928,4538402) If your DIT is particularly large or complex, this can also significantly increase the time it takes to process deletions from your directory tree. (4536928,4538402) amadmin should not be used for large scale updates. (4537112)


Non-Root Users and amAdmin/amPassword (4679609)
In order for a non-root user (default upon installation being amadmin) to run amAdmin and amPassword, the AMConfig.properties file must allow read and write permission to the user. Additionally, the trust database files of the iPlanet Web Server (located at DSAME_server_root/SUNWam/servers/alias) must allow read and write to the user running amAdmin. (4536067)


Console


Location Bar Does Not Wrap URLs (4666228)
The browser location bar in the top frame does not wrap lines when the organization name exceeds the number of characters that the browser window can display. To change this behavior, modify the JSP that controls the frames display, AMAdminFrame.jsp.


Console Overwrites Attributes With Same Name (4684958)
If an attribute is defined as both Dynamic type and User type, the console incorrectly sets the default values for user attributes with the default values of dynamic attributes. By default, no attributes in DSAME are defined as both Dynamic type and User type. This is only an issue if custom services are added with attributes that are both Dynamic type and User type.


Browser Does Not Reset Form Contents (4679073)
The Self Registration Reset Form button does not reset the form contents.


User and Policy Management


Multiple Values Not Stored In User Naming Attribute Upon Creation (4682474)
When a multi-valued attribute is used for the user naming attribute, only one of the values is stored at creation time. Additional values can be set by modifying the user entry afterwards.


Use Only Unique Value For iplanet-am-admin-console-user-return Attribute (4682460)
If the iplanet-am-admin-console-user-return attribute has duplicate values across users, they are not displayed. A unique value must be used for this attribute.


Incorrect Error Message When Deleting Service Template (4681741)
When the Help Desk Administrator tries to delete a service template, the "No template available for this service. Do you want to create it?" message is displayed. The correct error message is "Insufficient access."


Policy URLs With Trailing Space Are Not Enforced (4683613)
If a URL in a policy rule is defined with a trailing space, the policy will fail. The trailing space must be removed.


Admin Cannot Add Self To Groups (4684804)
From the user profile page, an administrator cannot add self to Groups at the isp level.


No Error Message On Roles Properties Page (4684796)
If a user does not have permission to modify the role display profile in the Roles Properties page, there is no error message. The modifications just do not get saved.


User Cannot Modify A Role's Assigned Type (4677624)
Once a role is created, there is no way to know what type was assigned to it. Thus, there is no way to modify the assigned type.


Setting User to Inactive in DSAME Does Not Set User to Inactive in Directory Server
When you use DSAME to deactivate a user, DSAME sets the attribute inetAccountStatus to inactive while Directory Server uses the attribute nsAccountLock to determine account status. By default, DSAME does not use nsAccountLock. This gives "inactive" DSAME users the ability to interact with infrastructures which do not pass through DSAME. The nsAccountLock attribute can be added to the amUser.xml file in DSAME. (If you want to use only one of these status attributes, you can remove inetAccountStatus.) Once you remove and reload the schema, the nsAccountLock attribute will display in the user's profile. A limitation of this workaround is that the nsAccountLock attribute cannot be added to a role. DSAME does not support operational attributes in roles at this time. (4537106)
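Until nsAccountLock is added to amUser.xml, the gap described above can be found from an LDIF export (for example, one taken with ldapsearch): an entry whose inetAccountStatus is inactive but that carries no nsAccountLock: true is deactivated for DSAME yet still able to bind directly to Directory Server. The following Python is an added example, not DSAME code; it uses the two attribute names from the notes, while the LDIF export, the suffix o=isp and the function names are constructed for the example.

```python
# Added example: audit an LDIF export for users that DSAME deactivated
# (inetAccountStatus: inactive) but Directory Server still treats as unlocked
# (no nsAccountLock: true). Not DSAME code; the LDIF below is constructed.
import base64
from typing import Dict, List

# Constructed sample export: three users under an assumed suffix o=isp.
SAMPLE_LDIF = """\
dn: uid=usera,ou=People,o=isp
objectClass: inetOrgPerson
uid: usera
inetAccountStatus: inactive

dn: uid=userb,ou=People,o=isp
objectClass: inetOrgPerson
uid: userb
inetAccountStatus: inactive
nsAccountLock: true

dn: uid=userc,ou=People,o=isp
objectClass: inetOrgPerson
uid: userc
inetAccountStatus: active
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF content-record parser.

    Handles folded lines and base64 ('::') values; attribute names are
    lower-cased because LDAP attribute names are case-insensitive.
    Change records and URL ('<') values are out of scope for this audit.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_unlocked_inactive(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs of entries DSAME considers inactive but DS would still let bind."""
    gaps = []
    for entry in entries:
        status = {v.lower() for v in entry.get("inetaccountstatus", [])}
        lock = {v.lower() for v in entry.get("nsaccountlock", [])}
        if "inactive" in status and "true" not in lock:
            gaps.append(entry["dn"][0])
    return gaps


def lock_change_record(dn: str) -> str:
    """LDIF change record (ldapmodify input) that locks one entry in DS."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: nsAccountLock\n"
        "nsAccountLock: true\n"
    )


if __name__ == "__main__":
    for dn in find_unlocked_inactive(parse_ldif(SAMPLE_LDIF)):
        print(lock_change_record(dn))
```

The generated change records can be reviewed and then applied with ldapmodify; the audit is worth repeating after DSAME deactivations until both attributes are maintained together.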


User Properties Reset Button Works Visually Only
When a user logs in and modifies one of their properties, the Reset button changes the property back in the GUI only. When Submit is clicked, the error "Unable to update object." is returned. To work around this error, enter the original value of the property again and click Submit. (4536455)


Double Quotes Are Not Supported
Do not use double quotes in user names or organization names; in Directory Server, the quotes are stripped from the name. For example, if you create a username "User1", the Directory Server creates the userID User1 without the quotes. (4539190)


User Entry Has No Password
If a user entry does not have read access to their userPassword attribute, they will not see a password when they log in. To correct this either remove the attribute from the user profile page or change the user's read access permission. (4537067)


Group Administrator Can Prevent Higher-level Administrators from Logging In
Administrators at the organization and people container level generally have a wider scope of access than do group administrators. But by default, when a user is added to a group administrator role, that user can change the password of any other user in the group. For example, in this structure, UserX could change the password of a People Container Administrator and an Organization Help Desk Administrator, preventing them from successfully logging in.


MadisonParc.com

   Group1

      Organization Administrator

      People Container Administrator

      Organization Help Desk Administrator

      UserA

      Group Administrator Role

         User X


The default ACIs are set this way by design. You can modify the ACIs to meet your own requirements. ACI documentation is provided. (4536857)


Internationalization


i18n Characters in the DSAME Log
I18n characters (example: uid=renée) are not displayed correctly in the DSAME log although the characters are displayed correctly in the DSAME console. The logs can be read correctly by running iconv from the command line using the input and output character sets and the log file name as arguments. (4536986)


Documentation


Unix And SafeWord Authentication Modules Are Discussed in Windows 2000 Online Help Documentation (4684045)
Although Unix and SafeWord Authentication Modules are discussed in the Online Documentation for Windows 2000, they are only supported on the Solaris OS.


Documentation Not Accessible When Installing DSAME On Top of Application Server (4684151)
When DSAME is installed on top of iPlanet Application Server rather than iPlanet Web Server, the application documentation is not accessible.


Changing the Default User Entry Naming Attribute for Membership Authentication
To change the default user entry naming attribute for Membership authentications, the amMembership.xml needs to be modified. The value of the attribute iplanet-am-auth-membership-user-naming-attribute needs to be changed to that of the LDAP attribute to be used instead of the default, uid. In addition, the attribute chosen needs to be added to register.html, membership.properties and membership.html. (4536427)


Windows 2000

  • Because the authentication screens appear in the incorrect locale, the User service must be registered and configured with the required locale in order to ensure all authentication screens appear in the correct locale. (4681903)

    1. Log in to DSAME as the Super Administrator you specified at installation.

    2. From the User Management view, select the link to the default organization created during installation.

    3. Choose Services from the Show menu.

    4. Register the User service.

    5. Open the Properties page for this service and click Create.

    6. Enter the required locale in the Inherited Locale field and submit the change.

  • When DSAME is installed with the Full Install option and then is uninstalled, the Directory Server will not uninstall. (4676798)

  • When installing Agents, do not use the Unix directory path syntax. (4685100)

  • When uninstalling Identity Server, close the Services window (Start/Programs/Administrative Tools/Services). (4666933)

  • After uninstalling the Identity Server application, remove all relevant files from the registry. In addition, the machine needs to be rebooted before proceeding with the re-installation. (4665941)

  • Identity Server installs Sun One Web Server and Sun One Directory Server as parts of its own setup; they have their own registry entries, which are managed by the Identity Server in a separate registry file called ProductRegistry. If the Web Server or the Directory Server are uninstalled without invoking the Identity Server, the application's components will not be removed from the Registry file, and any attempt to reinstall these applications using the Identity Server installer will find the previous installation. Therefore, if the Web Server or Directory Server are installed through the Identity Server installer, they should be removed only through the Identity Server uninstaller. (4665941)

  • Identity Server does not support command line installation on machines with Windows 2000 operating systems other than the silent installation. (4662346)


Miscellaneous


Server Error While Trying To Logout After Session Timeout (4682600)
An error will be written upon user logout if the HttpSession expires before the user logs out.


Console Panels Do Not Load (4639370)
Upon logging in to the Identity Server console, the panels are not visible. To work around this issue, reload the page using the browser Reload button.


Intermediate Error Message Missing (4661056)
The intermediate login page which should appear when a session has timed out is missing.


Bind Failed Message During Installation (4655217)
A bind failure message might appear during installation. It is harmless.


Running DSAME Against Read Only Replica Servers
DSAME does not support running the console against read-only replica servers unless no modifications are made. (4536456)



How to Report Problems



  • The iPlanet Knowledge Base can be used to search for answers to your iPlanet product questions. This repository is available at: http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp

  • If you experience problems with Identity Server, version 5.1, refer to Technical Support at: http://www.sun.com/service/support/software/iplanet/index.html

    Please have the following information available when you contact support:

    • Description of the problem, including the situation where the problem occurs and its impact on your operation.

    • Detailed steps on the methods you have used to reproduce the problem.

    • Any error logs or core dumps related to the problem.



For More Information

Useful information can be found at the following internet locations:



Third-Party License Acknowledgements

===================================================================

Copyright (c) 1989 The Regents of the University of California.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

    This product includes software developed by the University of California, Berkeley and its contributors.

  4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

========================================================================

Copyright (C) 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

========================================================================

Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Sun, Sun Microsystems, the Sun logo, iPlanet are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Federal Acquisitions: Commercial Software -- Government Users Subject to Standard License Terms and Conditions. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of the product or this document may be reproduced in any form by any means without prior written authorization of the Sun Microsystems, Inc. and its licensers, if any.

THIS DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.


