Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition

Known Problems and Limitations in Directory Proxy Server

This section lists known problems and limitations at the time of release.

Directory Proxy Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.

To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.

Self-signed server certificates cannot be renewed.

When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.

Directory Proxy Server does not ensure atomicity with the join data view write operations.

To ensure atomicity, do not use the join data view for write operations. If you perform write operations on join data view, use an external mechanism to prevent or detect inconsistencies. You can monitor inconsistencies by monitoring Directory Proxy Server error log.

Wrong default value in man pages

The log-buffer-size (5dpconf) man page displays the wrong default size of the access log buffer. The default buffer size for access log is 1M.

The man pages for pattern matching distribution algorithm incorrectly show the respective properties as single-valued. The properties are multi-valued.

When Oracle is the JDBC source, the ldapsearch command does not return an attribute with an empty value.

Oracle handles an empty string as NULL. The empty string and NULL are both valid values for an LDAP entry, but it is not possible to distinguish the two in Oracle. This issue was corrected for other JDBC sources in issue 6766175, as noted in Bugs Fixed in This Release.

Known Directory Proxy Server Issues in 11g Release 1 (11.1.1)

This section lists the known issues that are found at the time of Directory Proxy Server 11g Release 1 (11.1.1) release.


The modify DN operation is not supported for LDIF, JDBC, join and access control data views.


Currently, getEffectiveRight control is supported only for LDAP data views and does not yet take into account ACIs local to the proxy.


After generation of a CA-Signed Certificate request, when you refresh, the certificate is displayed as a self-signed certificate.


If the SSL port used by Directory Proxy Server is incorrect, after a secure search request on that port Directory Proxy Server may close all connections.


Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.


It is possible to specify the base-dn property when creating a data view, but it is not possible to set the base-dn property to "", the root dse, after creating the data view.


Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.


After configuring alerts, you must restart Directory Proxy Server for the change to take effect.


Directory Proxy Server fails to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.


In Directory Proxy Server, referral hop limit does not work.


On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.


After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.


On Windows, DSCC initialization can only be performed by Administrator user


Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.


After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.


Time limit and size limit settings work only with LDAP data sources.


After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.


The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and multi-byte characters.


When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.

To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.


When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.

Consider for example that you want to rename DNs that end in to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,,, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,,dc=com.


The JDBC connection configuration to access Oracle 9 through Directory Proxy Server is not exactly as described in the documentation.

Consider the following configuration, with an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.

Typically, to configure access through to MYTABLE, set the following properties.

  • On the JDBC data source, set db-name:MYINST.

  • On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.

  • On the JDBC table, set sql-table:MYNAME.MYTABLE

If these settings do not work, configure access through to MYTABLE with the following settings.

  • On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST)))

  • On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537)))

  • On the JDBC table, set sql-table:MYNAME.MYTABLE


When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers.


On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.


Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.


In DSCC, in the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.


When you create a data source by using DSCC, the value of useTCPNoDelay is set to false by default. However, the default value of use-tcp-no-delay is set to true when you create a data source by using dpconf create-ldap-data-source.


In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays the multi-byte strings garbled.


The string owner in the output of the dpadm show-cert dps-instance-path command is not translated in Simplified Chinese and Traditional Chinese.


If the Directory Proxy Server configuration property allow-bind-operations is set to false, it is not possible to connect on an SSL port using the dpconf command line argument with the -–secure-port option. Connection by Start TLS (default) or by clear connection (the -–unsecured option) are still possible.


Directory Proxy Server does not change the DN of an ADD operation when the operation follows a referral in which the basedn is different from that of the original machine. Attempting an ADD against a Directory Proxy Server instance that has a Directory Server instance that is set to follow referrals, as opposed to just forwarding referrals, results in the ADD being rejected on the referred server because of an incorrect basedn.

Using the ldapmodify command to executing the ADD directly against the Directory Server instances allows the ADD to work.


No warning is issued when you set a password of insufficient length for the certificate database. If the password is too short, it is accepted by the Directory Service Control Center. Issuing the dpadm command with cert subcommands can then result in the commands hanging.


The error message that is displayed after a failed attempt to set use-cert-subject-as-bind-dn to false contains incorrect property names.


If a Directory Proxy Server instance has only secure-listen-socket/port enabled through DSCC, and if the server certificate is not the default (for example, if it is a certificate-Authority-signed certificate), DSCC cannot be used to manage the instance.

To work around this problem, unregister the proxy server instance and then register it again. Alternatively, update the userCertificate information for the proxy server instance in the DSCC registry, using the server certificate.


The proxy server bypasses the requires-bind-password property on the backend directory server.


The dpadm list-running-instances command does not list all the instances that are started from the current installation but lists the only instances that belong to the current user.


On OpenSolaris, when alerts are raised, Directory Proxy Server does not log them in syslog.


An obsolete definition remains in the 28pilot.ldif file.

To work around this issue, add the following alias specification to the 28pilot.ldif file:

objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)

The uidObject objectclass is missing from the schema.

To work around this issue, add the following objectclass to the 00core.ldif file:

objectClasses: ( NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')

Directory Proxy Server reports a schema violation on attributes timeResolutionMode and timeResolutionInMillisec.

This message is harmless. To work around it, use the following steps:

  1. Make sure that you have access to the jar program. This program is shipped with any JDK installation.

  2. Stop the Directory Proxy Server instance.

  3. Change the current directory to the Directory Server installation directory.

  4. Run the following command to extract the schema file from the Directory Proxy Server archive

    $ jar xvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif
  5. Use a text editor to edit the schema file, com/sun/directory/proxy/config/config_schema.ldif and make these changes.

    1. Delete the attribute attributeTypes containing the string NAME ( 'useNanoTimeforEtimes' ).

    2. Add a new attribute attributeTypes with the following content:

      attributeTypes: ( "" NAME ( 'timeResolutionInMilliSec' ) DESC '' \

      Make sure to delimit parentheses with spaces.

    3. Search for the attribute objectClasses containing the string NAME 'topConfigEntry'.

    4. In this attribute line, search for the string useNanoTimeforEtimes and rename it as timeResolutionMode

    5. Save the file and close it.

  6. Run the following command to apply the changes done to the schema file to the Directory Proxy Server archive:

    $ jar uvf dsee7/lib/jar/dps.jar com/sun/directory/proxy/config/config_schema.ldif

For bind operations, the Directory Proxy Server currently works correctly only with Directory Server data stores.


If you do not provide a subject DN when creating a certificate request (using dpadm request-cert or DSCC), the default subject DN is cn=value,cn=value. The certificate request is issued without a warning, but the request is not accepted by most certificate authorities.

Similarly, if you do not provide a valid ISO 3166 country code when creating a certificate request (using dpadm request-cert or DSCC), the certificate request is issued without a warning, but the request is not accepted by the certificate authority.