These release notes contain important information available at the time of
the release of iPlanet Directory Server 5.1 Service Pack 1. New features and
enhancements, known limitations, and other late breaking issues are addressed
here. Read this document before you begin using iPlanet Directory Server 5.1
Service Pack 1.
An electronic version of these release notes can be found at the iPlanet
documentation web site:
http://docs.sun.com/db?p=coll/S1_ipDirectoryServer_51
Check the web site prior to installing and setting up your software and
then periodically thereafter to view the most up to date release notes and
manuals.
These release notes contain the following sections:
For information on hardware and software requirements, refer to the
iPlanet Directory Server Installation Guide.
What's New in iPlanet Directory Server 5.1
iPlanet Directory Server 5.1 contains the following new features and enhancements:
- Updated and improved management console. The new Directory Server Console
offers an improved dialog for configuring replication, and a new directory
browser. In this release, the Directory tab has several layout options for navigating
the directory tree: as before with leaf entries in the right-hand pane, as a
single tree in a single pane, or with attributes for the selected entry displayed
on the right. For details, refer to Chapter 1 of the
iPlanet Directory Server Administrator's Guide.
- Performance Improvements over Directory Server 5.0. This new release
of Directory Server offers increased performance over Directory Server
5.0 and 4.x.
- Support for IPv6. Directory Server 5.1 can accept incoming connections
from IPv6 clients. Currently the Directory Server cannot interpret IPv6
addresses in access control instructions, or use IPv6 connections for
operations such as replication and chaining. The Administration Console
cannot be used on networks supporting only IPv6.
- Improved scalability and performance of Roles and Class of Service.
Roles and Class of Service, introduced in iPlanet Directory Server 5.0,
have been enhanced in this release to increase scalability.
- Support for the Plugin API. If you need to create custom plugin
functions you can also contact the iPlanet Professional Services organization at:
http://www.sun.com/service/sunps/sunone/index.html.
- Schema Documentation. A new document, iPlanet Directory Server
Schema Reference, describes the schema provided with Directory Server 5.1.
The document focuses on schema objects useful to support your directory information.
Due to architectural changes made in iPlanet Directory Server, some features
that were previously available are no longer included. These are:
Supported Platforms for iPlanet Directory Server 5.1 Service Pack 1
iPlanet Directory Server 5.1 Service Pack 1 is supported on the following
platforms:
- Sun Solaris 8 for UltraSPARC (32 and 64-bit) operating environment
- Microsoft Windows NT 4.0 Server, SP 6a (x86 only)
- Microsoft Windows 2000 Server and Advanced Server SP 2 (x86 only)
- Hewlett-Packard HP-UX 11.0/11i (PA-RISC 1.1 or 2.0)
- IBM AIX 4.3.3 (Power PC)
- Red Hat Linux 7.2 (IA-32)
This release of iPlanet Directory Server is not supported on Sun Solaris 2.6
or Sun Solaris 7. You must upgrade to Sun Solaris 8 prior to upgrading to
or installing iPlanet Directory Server 5.1 Service Pack 1.
iPlanet Directory Server 5.1 Service Pack 1 requires specific operating
system patches or service packs to be installed before iPlanet Directory
Server can be installed. Installation of iPlanet Directory Server 5.1 Service
Pack 1 may fail if the recommended patches or service packs are not present.
On operating environments other than Windows, you must run the idsktune utility
prior to installing iPlanet Directory Server 5.1 Service Pack 1. After you
expand the product package, you will find the idsktune utility in the same
directory as the setup program. Install the patches recommended by the
idsktune utility. For further information, refer to the
iPlanet Directory Server Installation Guide.
You may obtain Sun Solaris patches from:
http://sunsolve.sun.com
Installation procedures for iPlanet Directory Server 5.1 Service Pack 1
Note: If you run Administration Server as root, all commands initiated by the
administration user will also be run as root. Therefore you must apply
the same rules of confidentiality and security to the administration
password as you would to the root password of your server.
- If you are performing a new installation:
Please refer to the
iPlanet Directory Server Installation Guide.
- If you are upgrading from iPlanet Directory Server 5.1:
It is possible to install Service Pack 1 on top of an existing
iPlanet Directory Server 5.1 installation by performing the following steps:
- Be sure the administration server is running.
- Be sure the iPlanet Directory Server 5.1 is running.
- Apply the "Typical installation" procedures in
Chapter 3, Using Express and Typical Installation.
NOTE: make sure in step 10, the full path to the location where you
originally installed the Directory server 5.1 is used.
- If you are migrating from iPlanet Directory Server 4.x or 5.0:
Please refer to
Chapter 6, Migrating From Previous Versions in the iPlanet
Directory Server Installation Guide. Also, see the
caution and
attributes compatibility sections.
Problems Corrected in iPlanet Directory Server 5.1 Service Pack 1
iPlanet Directory Server 5.1 Service Pack 1 includes fixes to the following
known problems that occurred in earlier releases of iPlanet Directory Server:
- Replication
- Delete operation was not propagated to the consumer in cascaded replication (4550044)
- On Windows platforms, an optimization test aborted replication processing (4616579)
- nsTombstone entries were not purged (4617521)
- Directory server encountered many tombstone errors (4633404)
- Replication supplier was disabled and could not restart when the RUV database was corrupted (4533706)
- Replication became unsynchronized and stopped (4617085)
- Changing case sensitive attribute values failed in MMR (4624693)
- Replication supplier crashed after deleting attribute (4627443)
- Directory crashed or hung when replication was enabled (4643122)
- Replication broke when migrating consumer from 5.0 and subsequent Service Packs (4646392)
- Replication failed to restart from supplier to consumer (4658810)
- Replication between 4.x and 5.1 halted when updating operational attributes (4665571)
- Directory server crashed when some replication agreement attributes were missing (4672889)
- Turning system time backwards halted replication (4672960)
- Consumer chained a database initialisation request when distribution plugin was enabled (4684519)
- Could not monitor the replication update vector in the replica object (4691101)
- Console
- The Replica ID was not displayed correctly on Windows platforms (4589224)
- Could not use special character in console administrator password (4672914)
- Could not access user data in a remote directory server with SSL enabled (4663658)
- Console modifications for RDN caused exception violations when saved (4668480)
- Console did not display time correctly (4615165)
- Bold Japanese characters were displayed as square boxes (4645544)
- Removal of CA certificates failed (4658787)
- Database
- Old data could be written back into the current database (4638816)
- The ns-slapd process crashed during import (4623119)
- Security
- The process of finding the password attribute has been changed (4619976)
- Directory server did not verify the SSL peer hostname (4615324)
- Password expiration was inconsistent (4532757)
- A security problem concerning the retro-changelog plugin has been fixed (4618824)
- The number of unsuccessful bind attempts was not reset after a successful bind (4645887)
- Illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03 (4532320)
- LDAP access
- Directory search failed on Replica with scope of "one" (4614741)
- Directory crashed (SIGBUS) during a search (4639232)
- "bind timeout" was ignored for non responding host (4639408)
- Directory responded incorrectly to an unbind request (4623308)
- ldapmodify incorrectly interpreted base64 encoded values (4665564)
- Directory server crashed when binding to an entry that was being created (4674387)
- Performance
- Enabling retro-changelog caused performance issues (4639310)
- A looping thread increased CPU consumption (4629441)
- Memory leak in the CoS plugin has been fixed (4630124)
- Memory leak in schema search has been fixed (4682961)
- Conformance
- Default schema contained extra definitions not in RFC2307 (4629102)
- A DN that contained several escaped characters was wrongly normalized (4535845)
- A DN with white spaces did not conform to RFC2252 (4687038)
- Subtyped attribute was not being stored in the directory as RFC2256 mandates (4622371)
- Miscellaneous
- The most recent version of idsktune was not shipped in iDS 5.1 (4623199)
- Multiple Attribute Uniqueness plugins forced uniqueness BETWEEN each other (4649615)
- Timestamps in log files were stored incorrectly when the directory server shut down (4656846)
- htmladmin.exe crashed when secured admin server was stopped (4529402)
- iPlanet Directory Access Router 5.0 was not able to share the same admin server
<ServerRoot> as iPlanet Directory Server 5.1 (4692956) (fixed on solaris only)
Enhancements and Problems Corrected in iPlanet Directory Server 5.1
iPlanet Directory Server 5.1 includes enhancements and fixes to the following
known problems that occurred in earlier releases of iPlanet Directory Server:
- A previous release of iPlanet Directory Server included a security
vulnerability in iPlanet Web Server 4.1. (535057) iPlanet Directory Server 5.1
uses iPlanet Web Server 6 in which this vulnerability has been fixed.
- Server restart is no longer required after a change to the components allowed to chain. (528617)
- In a previous version of iPlanet Directory Server, the console supported smart
referrals only when the DN in the referral matches the DN of the entry containing
the referral. (490281) Updated functionality in the console has removed this limitation
and enhanced smart referral support.
- With a previous release of iPlanet Directory Server, after changing the Directory Manager
credentials, you were required to exit Directory Server Console and restart it for the change
to be taken into account. (538549) This limitation has been removed.
- The behavior of multiple qualifiers with cosAttribute
in a CoS definition is no longer undefined.
- With a previous release of iPlanet Directory Server, you were required to authorize client
IP access to the Administration Server from the machine running Directory Server Console. This
limitation has been removed.
- When a delete operation is performed, the audit log now displays the DN identity of the
operator. The additional information appears in the audit log as
modifiersName: DN, where DN
is the identity used to perform the delete operation.
- The newrdn and
newsuperior operations are now recorded
in the access log and any errors are described in the error log. (547272)
- Schema is now replicated during a total update operation. (541599)
- If you modify your schema on a server and then create a new replica, the initialization of this
replica automatically updates the schema on the consumer server. Previously, the schema was not
replicated when the replica was initialized, but instead with the first incremental update of the
replica.
- In previous releases of iPlanet Directory Server, changes to the
nsslapd-dbcachesize attribute value
under cn=config, were not always correctly
taken into account. (539845, 539847) This condition is corrected in iPlanet Directory Server 5.1.
The server writes an error message in the error log if the new value you provide is not within the
permitted boundaries.
- In previous releases of iPlanet Directory Server, deleting a role did not update the
nsRoleDN attribute for each role
member (533695). In iPlanet Directory Server 5.1, the Referential Integrity plugin is configured
to manage the nsRoleDN attribute.
However, you must enable the Referential Integrity plugin. By default, this plugin is disabled.
Also, add an equality index on nsRoleDN. Refer to the
iPlanet Directory Server Administrator's Guide for details on creating indexes.
Known Limitations
This section lists known limitations present for iPlanet Directory Server
5.1 Service Pack 1 and their workarounds. The areas with known limitations are
as follows:
Installation
- Caution: We strongly recommend that no other iPlanet product (such as iPlanet Web Server) be installed
into the same Unix directory path as the iPlanet Directory Server product, as this may disable
critical functionality required for the correct operation of the directory server.
In addition, on a Windows NT or Windows 2000 machine, the directory server should be installed
independently of any other iPlanet product to avoid conflicts with DLLs.
- It is a known problem that Directory Server cannot be installed through
Microsoft Terminal Services.
- On performing an upgrade from iPlanet Directory Server 5.1 to iPlanet Directory Server 5.1
Service Pack 1 on Unix, the administration port identifier will be changed. If restoration of
the old administration port identifier value is required, the command admconfig can be
used.
The port identifier can be found in <ServerRoot>/admin-serv/config/adm.conf.
The following example changes the port number to 63333 and restarts the admin server (note that the
verbose level will be set to 5):
% <ServerRoot>/bin/admin/admconfig -server orange.iplanet.com:67891 -user
chlee:password -verbose 5 -setPort 63333 -restart
- On Windows 2000, setup -f does not work without the -s option (4524708). If you perform
installation using a configuration file on Windows 2000, it must be silent. For example:
  setup -s -f filename
- On Windows, the domain name for your host machine must be correctly configured prior to installing
iPlanet Directory Server 5.1 Service Pack 1. To configure the domain name for your host:
- (On NT) Open the Control Panel and run the
Network
utility. Select the Protocols tab,
select TCP/IP Protocol from the list, and open
the Properties dialog box. Correctly fill the
fields under the DNS tab.
- (On 2000) Right-click My Computer, then select Properties. Under the
Network Identification tab, select Properties, click More, and correctly
fill the Primary DNS suffix of this computer field.
- If you are running iPlanet Directory Server 5.1 Service Pack 1 on a 64-bit Sun Solaris 8 UltraSPARC
machine, it will run as a 32-bit application.
- The directory path where you install iPlanet Directory Server 5.1 Service Pack 1 must not contain space characters.
- If your suffix contains space characters, correct the suffix generated at installation time to remove the
spaces. (4526501) Using the console, select the top directory entry in the left-hand navigation pane of
the Servers and Applications tab, edit the suffix in the User directory subtree field,
and then click OK to save the changes.
- Do not install iPlanet Directory Server 5.1 Service Pack 1 on top of an existing 4.x or 5.0 Directory Server
installation. If you already have Directory Server 4.x or 5.0, install iPlanet Directory Server 5.1 Service Pack 1
in a separate directory. After migrating your 4.x or 5.0 directory data to your 5.1 Service Pack 1 directory and
testing the results, remove your 4.x or 5.0 Directory Server.
- On Windows, always use the latest version of DLL files. Do not overwrite the more recent DLL files with those
delivered with iPlanet Directory Server 5.1 Service Pack 1.
- Use UTF-8 character set encoding when entering Distinguished Names during installation. Other encodings
such as ISO-8859-1 are not supported. Installation operations do not convert data from local character
set encoding to UTF-8 character set encoding.
- LDIF files used to import data must also use UTF-8 character set encoding. Import operations do not
convert data from local character set encoding to UTF-8 character set encoding.
- Be aware of the DNS name resolution issue on systems using NIS. (4526504) During installation,
setup detects a default host and domain name. If your NIS domain is different from your DNS domain,
the fully qualified host and domain name presented by the installer is incorrect. These values must
be corrected to use the DNS domain name.
- (4527593) AIX fixes have moved from
http://server.software.ibm.com/cgi-bin/support/rs6000.support/downloads
(as indicated in the iPlanet Directory Server Installation Guide) to
http://techsupport.services.ibm.com/server/fixes
- On AIX, you must install the X11.adt package in order for the console to
function. This package is not part of the standard bundle.
Uninstallation
- You will not receive a warning before proceeding with the uninstallation of the iPlanet Directory Server 5.1
Service Pack 1 instance containing your configuration information under the o=NetscapeRoot suffix. This is
the first Directory Server you installed. We strongly recommend that it be the last one you uninstall.
- On Windows 2000, after uninstallation of directory components installed with silent installation
(setup -s -f filename), reinstallation always places directory components in the original install
folder. (4526014) You can avoid this problem by removing all *.inf files in the
\Documents and Settings\Administrator\Local Settings\Temp folder on the system disk
drive after uninstallation.
Migration
- The Directory Server 4.x and 5.0 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize,
auditlog-maxlogdiskspace, auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize
must be migrated manually. (4529536) Update these values for the Logs entries in the Directory
Server Console under the Configuration tab. In each case, *log-maxlogsize values must remain
smaller than *log-maxlogdiskspace values for the attributes to remain coherent. For further
information, refer to the instructions on monitoring server and database activity in the
iPlanet Directory Server Administrator's Guide.
- The migration procedure may attempt to restart the server while the server is already running. (4529552)
Ignore error messages concerning attempts to restart the server by migrateInstance5.
- On systems other than Windows, migration from iPlanet Directory Server 5.0 to 5.1 Service Pack 1 may fail if
the PATH environment variable does not contain "." (the current directory). (4529657) If necessary,
update your PATH appropriately. For example:
  (ksh) $ export PATH=$PATH:.
  (csh) % setenv PATH ${PATH}:.
Windows NT / Windows 2000
- Avoid using stdin and stdout on NT with the ldapmodify command-line utility,
particularly with non-ASCII data. We strongly recommend that you always use the
-f option to specify the file containing the LDIF update statements
(-f new_file), as this prevents the statements from being read from stdin.
- On Windows NT 4.0, the maximum address space an application can use is 2 GB.
As iPlanet Directory Server 5.1 Service Pack 1 cannot use more than 2 GB of
virtual memory, the sum of all caches configured for the server must be
strictly less than 2 GB. If the size of the entry caches and of the database
cache exceeds this limit, Directory Server will exit with an error message.
For more information on cache limits on Windows NT and Windows 2000, refer to the
iPlanet Directory Server Installation Guide.
- On Windows 2000, the default font used by the console does not allow you to
input Japanese characters. To avoid this issue, change the font. You can
change the console font by selecting Preferences from the Edit menu in
the directory console, and then changing the font through the interface
under the Fonts tab.
Security
- Deployments that use SSL for connection confidentiality across open
networks that are subject
to possible active attacks against the SSL connection should not use server certificates
issued by one of the public Certification Authority (CA) organizations. (4615324)
To ensure that an attacker with a certificate issued by a public CA cannot use that
certificate to impersonate a directory server, the certificate databases of LDAP clients and
of directory servers establishing outgoing SSL connections for replication or chaining
must contain only the certificate of the non-public CA which issued the certificates to the
servers which will be contacted; all other CA certificates of public CAs must be removed
from the LDAP client or directory servers certificate database.
Deployments that are not subject to active attacks or deployments that use additional
security mechanisms (such as a VPN when connections traverse the Internet) are not required
to use a non-public Certification Authority to obtain a server certificate.
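The trust-store cleanup described above can be audited from a certificate database listing. The following script is an added example, not code from the release notes or from iPlanet: it assumes the column layout of `certutil -L` output (nickname, then trust attributes in SSL,S/MIME,JAR order), uses a constructed sample listing in place of a real database, and assumes `certutil -D -n NICKNAME -d DIR` as the removal command an administrator would review before running.

```shell
#!/bin/sh
# Added example, not part of the iPlanet release notes.
# Given the listing of an NSS certificate database (the output of
#   certutil -L -d <certdb-dir>    -- assumed tool and options),
# report every CA certificate trusted for SSL other than the single
# non-public CA that issued the directory servers' certificates, so the
# remaining public CAs can be removed from client and server databases.

# Constructed sample listing; not taken from a real database.
# Column layout assumed: nickname, then trust attributes "SSL,S/MIME,JAR".
SAMPLE_CERT_LIST='Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Server-Cert                              u,u,u
Example Corp Private CA                  CT,,
Public Root CA 1                         C,,
Public Root CA 2                         CT,C,C
Replication Client Cert                  u,u,u'

# list_extra_cas KEEP_NICKNAME
# Reads a certutil -L style listing on stdin and prints, one per line,
# the nicknames of certificates carrying a CA trust flag (C or T) in the
# SSL column, except the CA named in KEEP_NICKNAME.
list_extra_cas() {
  awk -v keep="$1" '
    NR <= 2 || NF < 2 { next }        # skip the two header lines and blanks
    {
      split($NF, t, ",")              # trust attributes are the last field
      if (t[1] !~ /[CT]/) next        # no CA trust for SSL: user cert etc.
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust field
      if (nick == keep) next
      print nick
    }'
}

# removal_commands KEEP_NICKNAME CERTDB_DIR
# Turns the list above into the delete commands an administrator would
# review and then run (assumed syntax: certutil -D -n NICK -d DIR).
removal_commands() {
  list_extra_cas "$1" | while IFS= read -r nick; do
    printf 'certutil -D -n "%s" -d "%s"\n' "$nick" "$2"
  done
}

# Wrappers over the constructed sample so the script runs offline.
demo_extra_cas() {
  printf '%s\n' "$SAMPLE_CERT_LIST" | list_extra_cas "Example Corp Private CA"
}
demo_removal_commands() {
  printf '%s\n' "$SAMPLE_CERT_LIST" \
    | removal_commands "Example Corp Private CA" "/path/to/ServerRoot/alias"
}

demo_removal_commands
```

Run against a real database by piping `certutil -L -d <dir>` into `list_extra_cas` with the nickname of your private CA; the server certificate and any client certificates (trust `u,u,u`) are left alone.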
- Directory Server does not correctly parse ACI target entry DNs containing quotes. (4529541) The
following example causes a syntax error:
  dn: o=mary\"red\"doe,o=iplanet.com,o=isp
  changetype: modify
  add: aci
  aci: (target="ldap:///o=mary\"red\"doe,o=example.com,o=isp")(targetattr="*")
   (version 3.0; acl "test"; allow (all) userdn ="ldap:///self";)
- Use of semicolons in ACI permissions can cause the directory server to
crash. (4527617)
- As the server does not enforce read-only permissions on SSL-enabled servers for certificate
database files, key database files and PIN files, check that the file permissions on Unix and
ACLs on Windows protect the sensitive information contained in these files.
- If you have enabled certificate-based authentication in the Directory Server,
do not map your certificate to a distinguished name under cn=config or
cn=monitor. (4529535) If you do so, bind attempts fail. Instead, map your
certificate to an entry located elsewhere in the directory information tree.
- On Windows NT and Windows 2000, a user on the console can shut down Directory
Server. Care should be taken to restrict console access to computers running
Directory Server.
-
To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but
omit the targetattr
keyword. (4529533) The following example ACI prevents the
cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries
in the set specified by the pattern
cn=*, ou=people,o=sun.com:
  aci: (target="ldap:///cn=*,ou=people,o=sun.com")
   (version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
   deny(write)
   groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)
- If the account locking mechanism of the password policy is enabled, once a user is locked
out on a read-only replica, the account cannot be unlocked. (4527608) To work around the issue,
use the ldapmodify utility to set the
passwordLockoutDuration attribute to
120 (seconds) and the
passwordUnlock attribute to
on in
cn=config.
- Macro ACIs do not work if the subject is one of the constant types such as
all or anyone. (4529529)
- Account lockout remains in effect even after the user password is changed.
(4527623) To work around this issue, reset the lockout attributes
accountUnlockTime,
passwordRetryCount,
and retryCountResetTime
to unlock the account.
- When the password policy is enabled, setting the
passwordHistory attribute to a value
lower than the number of times a user password has already been modified may cause the server to
crash. (4530739) The default passwordHistory
value is set to 6 when the password policy is
enabled. To avoid this issue, do not reduce the value of
passwordHistory after enabling the password policy.
Schema
- The schema provided with iPlanet Directory Server 5.1 differs from that specified in RFC 2256 for the
groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and
uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for
these types must be present in the respective object class.
- The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This
behavior is not currently supported by Directory Server.
- If you add more than 1,000 attributes to a single object class, the server displays configuration
errors and fails to start.
- Note that the aci attribute is now an operational attribute. It is not returned in a search
unless you explicitly request it.
Chaining
Replication
- If you change the port number on a supplier server, the changelog database is cleared
and replication will halt. In this case all consumers, hubs and suppliers must be reinitialized
before replication can continue.
- In the iPlanet Directory Server Administrator's Guide the section "Configuring Directory Server 5.1 as a Consumer of a Legacy Directory Server" incorrectly states that you do not need to specify a Supplier DN when configuring the consumer settings (step 7.) This is incorrect. When you configure the consumer settings, you must specify the Supplier DN that the legacy supplier server will use to bind. If you do not, you will not be able to save the consumer configuration.
- Multi-master replication (MMR) is supported in a single data-center
deployment. Master Directory Servers must be connected via a high-speed,
low-latency network (with minimum connection speeds of 100Mb/second)
to achieve full MMR support. MMR is not supported on a network where the
bandwidth between Master Directory Servers is less than 1Mb/second and
the latency is greater than 10ms, or on a network that might experience
significant packet loss, which are the throughput and conditions
that you might experience over a wide area network.
Support for wide area network (WAN) deployments is slated for a future
release of iPlanet Directory Server.
- When configuring a multi-master replication deployment, the
referential integrity plugin must be enabled on all masters.
The Deployment and Administrator's Guides erroneously state
that only one of the masters requires this plugin.
- Replication configured over SSL with certificate-based authentication will not work if the
supplier's certificate is a self-signed one or if the supplier's certificate is only capable of
behaving as an SSL server certificate, that is, unable to play the role of the client during an
SSL handshake.
- If you need to change a replica role, you must disable replication, change the replica role,
and then enable replication again. (4527621)
-
Local schema modifications may be overwritten when a consumer database is created. (4529530)
- Monitoring the replication update vector (RUV) for a replica object was adversely affected by a
timing issue. It is now possible to monitor the RUV directly from the replica by doing the following search:
  ldapsearch -h <hostname> -p <port number> -D <directory manager> -w <password> -b "cn=config" "objectclass=nsds5Replica" nsds50ruv
- In a topology where an iPlanet Directory Server 5.1 Service Pack 1 instance is a
dedicated consumer of a 4.x directory server supplier (4665571),
messages of the following type will be written to the error log:
  NSMMReplicationPlugin - csnplCommit: can't find csn 3d0f496f0001ffff0000
  NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 3d0f496f0001ffff0000
  NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica <suffix> csn = 3d0f496f0001ffff0000
To prevent such a situation from occurring, configure the iPlanet Directory
Server 5.1 Service Pack 1 instance as a Single Master (because a 5.x
master may also be a consumer).
Directory Server Console
- Trailing spaces are not preserved during a remote console import operation. Trailing spaces are
preserved during both local console and ldif2db
import operations. (4529532)
- Creating a Directory Server instance using the console creates a server in a different time zone on
HP and IBM AIX. (4529531) To synchronize the instance for replication, restart the server using the
restart-slapd command-line script. For further
information concerning restart-slapd, refer to
the
iPlanet Directory Server Configuration, Command, and File Reference.
- Users without read access to configuration information cannot see the directory suffix in the directory
browser of the console. (4525360) To allow such users read access, add it through ACI. Refer to the
iPlanet Directory Server Administrator's Guide for instructions.
- On Linux, an SNMP subagent cannot be started using the console (4738032). As a workaround,
start the subagent from the command line as follows:
  # cd ServerRoot/bin/slapd/server
  # ./ns-ldapagt -d ServerRoot/slapd-serverID
Note: The SNMP master agent must be configured and working.
- On HP-UX, the JAVA_FONTS environment variable
must be correctly set to enable use of Japanese characters in the console. For
example:
  JAVA_FONTS=/opt/asx/lib/X11/fonts/ttfjpn.st/typefaces
Adjust the path accordingly for your environment.
- Hubs cannot be modified through the directory console. (4527619) Modify the
appropriate supplier instead.
- Users and roles cannot be created through the console as inactivated.
(4521017) Inactivate the user or role after you create it instead.
Core Server
- The slapd process
does not automatically start when the system boots. On Unix systems write an
rc script to start the slapd process at boot time.
- Stopping the server during export, backup, restore, or index creation
causes it to crash.
- On Windows NT and AIX platforms, do not set
Memory available for Cache in the
Database Settings to a value greater than 1073741824 bytes (1GB).
- AIX applications have a restrictive memory model. The AIX
ns-slapd executable
is created with a value of maxdata=0x50000000 to permit both the entry cache size
(nsslapd-cachesize
attribute) and database cachesize
(nsslapd-dbcachesize
attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size
but lowers the maximum database cache size by the same amount, and vice versa.
Contact your iPlanet support representative if you need to adjust the
maxdata value.
- Initializing the database with a file that is not accessible causes the
server to crash. (4523595)
- A backup performed on a new database immediately after adding and
initializing it cannot be restored. (4531022) To work around this issue, stop
and restart the server after adding and initializing the database but before
performing the backup.
Server plugins
- iPlanet Directory Server 5.1 Service Pack 1 provides the UID Uniqueness
plugin. By default the plugin is not activated. To ensure attribute uniqueness
for specific attributes, create a new instance of the Attribute Uniqueness
plugin for each attribute. For more information on the Attribute Uniqueness
plugin, refer to the
iPlanet Directory Server Administrator's Guide.
- The Referential Integrity plugin is now off
by default. The Referential Integrity plugin should only be enabled on
one master replica in a multi-master replication environment to avoid
conflict resolution loops. Before enabling the Referential Integrity
plugin on servers issuing chaining requests, analyze your performance
resource, time and integrity needs. Integrity checks can consume
significant memory and CPU resources.
- The Access Control plugin does not use the value specified by the nsslapd-groupevalnestlevel
attribute to specify the number of levels of nesting access control
performs for group evaluation. Instead, levels of nesting is hard coded
as 5. (4529540)
- When disk space is filled, the directory server crashes and does not restart. (4527611)
Roles and Class of Service
- The nsRoleDN
attribute is used to define a role. It should not be used for
evaluating role membership in a user's entry. When evaluating role
membership, look at the nsrole attribute instead.
- The behavior for negative CoS template priority values is not defined in the server. Do not enter negative values. Note that Indirect CoS does not support cosPriority.
Indexing
- VLV indexes do not work correctly if they encompass more than one database.
- If extreme index key fragmentation occurs (which can be caused by frequent
add and delete operations) and you have not adjusted
nsslapd-db-idl-divisor, then it is possible that extra entry IDs will be
maintained in the index key (up to a maximum of 2029 extra entries). This
can occur because Directory Server does not count all the entry IDs against
the AllIDs threshold until an index block becomes full. To remedy this, run
db2index on the affected index; this corrects the index fragmentation and
sets the key to ALLIDS.
Conformance
- By default iPlanet Directory Server 5.1 Service Pack 1 does not conform to RFC2252 when handling:
  - DNs with multiple white spaces (4687038)
  - DNs with multiple escaped characters (4535845)
  To enforce conformance with RFC2252, perform the following steps:
  - Create a file <ServerRoot>/slapd-<ServerInstance>/config/newnormdn
  - Restart the directory instance
  - Rebuild the index databases, either by doing a db2ldif and ldif2db, or
    by rebuilding any index with DN syntax (e.g. entryDN) (see Chapter 10,
    Managing Indexes, in the iPlanet Directory Server Administrator's Guide)
Compatibility
Miscellaneous
- Do not set command path and library path variables for executing command line utilities and Perl scripts.
Instead, change to the directory where they are stored. Although it is possible to set command path and library
path variables to execute the utilities and scripts, this is not the recommended procedure: particularly when
you have more than one server version installed, you run the risk not only of disrupting the correct execution
of other commands, utilities, and scripts, but also of compromising the security of the system.
- Sun Solaris only. The idsktune utility
reports as missing any patches in the Sun recommended patch list that are not installed on the
system, even if those patches relate to packages you have not installed.
- Note the LDAP utility manpages on the Sun Solaris platforms do not
document the iPlanet version of the LDAP utilities
ldapsearch,
ldapmodify,
ldapdelete and
ldapadd.
For information regarding these utilities, refer to the
iPlanet Directory Server Configuration, Command, and File Reference.
- On Sun Solaris, you can monitor only one Directory Server instance at a time with SNMP. (4529542)
- You cannot read logs through the Directory Server Console if the server is
not running. Instead, browse the iPlanet Console page at
http://hostname:administration_server_port_number, select the iPlanet
Administration Express link, and then log in as admin.
- For security reasons, many command line scripts written in Perl can now read the bind password interactively (-w - option). This functionality requires the Term::ReadKey Perl module, available separately. You can download this module from http://www.perl.com/CPAN/CPAN.html. All other script functionality remains available without this module. After installing the Term::ReadKey Perl module, enable the Perl scripts to read the bind password interactively by editing each script and uncommenting the appropriate lines.
- Some of the script and command-line usage information is not up to date.
- Unsynchronized server configuration information can cause restores to fail.
Immediately after changing the configuration, back up all files under the
configuration directory, install-dir/slapd-serverid/config, including the dse.ldif file.
- Changing
the maximum size of the transaction log file has no effect if log files
already exist in the database directory. (4523783) Instead, stop the
server, modify nsslapd-db-logfile-size in dse.ldif manually, remove all log.* files from the database directory, and then restart the server.
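The workaround above can be scripted. The following is an added example, not a script shipped with Directory Server: it performs only the offline steps (rewrite nsslapd-db-logfile-size in dse.ldif, then remove the old log.* files), and it assumes the operator stops the instance beforehand and restarts it afterwards. The configuration and database directory paths are passed in as arguments.

```shell
# Added example, not from the release notes: performs the offline part of the
# workaround for 4523783. Run it only while the server is stopped and restart
# the server afterwards; those two steps are deliberately left to the operator.
# Usage: set_txn_logfile_size <config_dir> <db_dir> <size_in_bytes>
set_txn_logfile_size() {
    config_dir=$1
    db_dir=$2
    new_size=$3
    dse="$config_dir/dse.ldif"

    # Refuse to touch anything unless the inputs look like a real instance.
    [ -f "$dse" ] || { echo "no dse.ldif in $config_dir" >&2; return 1; }
    [ -d "$db_dir" ] || { echo "database directory $db_dir missing" >&2; return 1; }
    case "$new_size" in
        ''|*[!0-9]*) echo "size must be a whole number of bytes" >&2; return 1 ;;
    esac
    # The attribute must already be present; if it is not, this is probably
    # the wrong file, so stop rather than append a line blindly.
    grep -q '^nsslapd-db-logfile-size:' "$dse" || {
        echo "nsslapd-db-logfile-size not found in $dse" >&2; return 1; }

    # Keep a copy of the configuration before editing it (the server itself
    # writes dse.ldif.bak, so use a different suffix).
    cp "$dse" "$dse.pre-logsize"

    # Rewrite the attribute value in place (sed -i is not portable, so go
    # through a temporary file).
    sed "s/^nsslapd-db-logfile-size:.*/nsslapd-db-logfile-size: $new_size/" "$dse" > "$dse.tmp" &&
        mv "$dse.tmp" "$dse"

    # The new size is ignored while old transaction logs exist, so remove
    # every log.* file in the database directory; other database files stay.
    for f in "$db_dir"/log.*; do
        if [ -f "$f" ]; then rm -f "$f"; fi
    done
    return 0
}

# Reports the value currently configured in dse.ldif, for verification.
get_txn_logfile_size() {
    sed -n 's/^nsslapd-db-logfile-size: *//p' "$1/dse.ldif"
}
```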
- The iPlanet Directory Server Administrator's Guide incorrectly
suggests stopping the directory server and using
ldapmodify to change
the transaction log directory. (4525267) Instead, stop the server, modify the
nsslapd-db-logdirectory
attribute in the dse.ldif file using a text editor, and then restart the server.
- The server does not support LDAP search requests containing a filter that references virtual attributes. (4527614)
- bak2db can restore a database only to the default location. (4522793) Instead, create the database remotely and add it with ldapmodify.
  To create a database remotely, create an LDIF file containing the backend entry and its mapping tree entry (the two entries must be separated by a blank line):

    dn: cn=databasename,cn=ldbm database,cn=plugins,cn=config
    changetype: add
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsBackendInstance
    cn: databasename
    nsslapd-suffix: o=databasename
    nsslapd-directory: /path/to/databasename

    dn: cn="o=databasename",cn=mapping tree,cn=config
    changetype: add
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree
    cn: "o=databasename"
    nsslapd-state: backend
    nsslapd-backend: databasename

  Next, use the ldapmodify utility to add the database, passing the LDIF file you created:

    ldapmodify -D "cn=Directory Manager" -w password -f /path/to/databasename.ldif

  To move an existing database to another file system location, dump the database to LDIF format using the db2ldif utility, follow the instructions provided in the iPlanet Directory Server Administrator's Guide to delete the database, create the database at the new location, and then use the ldif2db utility to restore the database you dumped to LDIF format.
  After the database has been relocated, backups made from the old location with the db2bak utility are no longer valid. Attempts to restore them may render the server unusable.
Accessing Online Help and Online Documentation
The online documentation files are installed with your Directory Server and can be opened in your browser.
If you are working under Windows NT or have installed iPlanet Directory Server 5.1
Service Pack 1 in a location other than /usr/iplanet/servers, adapt the following URLs accordingly.
- Documentation Home Page:
  file:///usr/iplanet/servers/manual/en/slapd/dochome.htm
- iPlanet Directory Server Installation Guide:
  file:///usr/iplanet/servers/manual/en/slapd/install/contents.htm
- iPlanet Directory Server Deployment Guide:
  file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm
- iPlanet Directory Server Administrator's Guide:
  file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm
- iPlanet Directory Server Configuration, Command, and File Reference:
  file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm
- iPlanet Directory Server Schema Reference:
  file:///usr/iplanet/servers/manual/en/slapd/schema/contents.htm
How to Report Problems
For general information on iPlanet Directory Server 5.1 Service Pack 1,
you can refer to:
- http://wwws.sun.com/software/products/directory_srvr/home_directory.html
Sun ONE Support maintains an online Knowledge Base containing technical
articles and technotes about common iPlanet product issues. Search SunSolve at:
- http://sunsolve.Sun.COM/pub-cgi/show.pl?target=home
If you have any questions or issues to raise regarding iPlanet Directory
Server 5.1 Service Pack 1, subscribe to the following newsgroup:
- iplanet.server.directory
If you experience issues with iPlanet Directory Server 5.1 Service Pack 1,
refer to iPlanet Technical Support:
- http://www.sun.com/service/sunone/software/index.html
For More Information
Useful iPlanet information can be found at the following URLs:
Third-Party License Acknowledgements
===================================================================
Copyright (c) 1989 The Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
- All advertising materials mentioning features or use of this software
must display the following acknowledgements:
This product includes software developed by the University of California,
Berkeley and its contributors.
- Neither the name of the University nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
========================================================================
Copyright (C) 1987, 1988 Student Information Processing Board of the
Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting documentation,
and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising
or publicity pertaining to distribution of the software without specific,
written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no
representations about the suitability of this software for any purpose.
It is provided "as is" without express or implied warranty.
========================================================================
This product contains the following software derived from RSA Data
Security, Inc.
- MD5 Message-Digest Algorithm
========================================================================
The source code to the Standard Version of Perl can be obtained from CPAN
sites, including http://www.perl.com/.
========================================================================
This product incorporates compression code by the Info-ZIP group. There are
no extra charges or costs due to the use of this code; the original compression
sources are freely available from:
ftp://ftp.cdrom.com/pub/infozip/