Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition

Chapter 4 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server 11g Release 1 (11.1.1).

Bugs Fixed in This Release

This section lists the bugs fixed in Directory Server 7.0 and Directory Server 11g Release 1 (11.1.1).

Table 4–1 Bugs Fixed in Directory Server 11g Release 1 (11.1.1)

Bug ID 

Description 

4987124 

UIDs for entries are not required to be unique. 

5087249 

Network connections remain established regardless of the settings of the tcp_keepalive_interval and tcp_ip_abort_interval attributes.

6181237 

The message WARNING<1028> — Replay of an already seen operation occurs frequently in the error log.

6192090 

The insync command cannot parse a host specification provided to it if the host specification contains an at sign (@).

6250000 

Non-unique values of nsuniqueid can be added to a replication topology and cause replication to fail.

6283810 

Using the ldapmodify command to delete an attribute can cause replication to fail.

6292310 

Modifying an entry's RDN at the same time as modifying an attribute value of the entry's parent puts the directory server in deadlock. 

6295323 

A memory leak occurs in searches that return virtual attributes. 

6299664 

Performing a modify operation using replace with a value of 0 for the first time on an attribute results in a NULL value.

6340125 

If a change log is created and read simultaneously, the directory server can fail. 

6341382 

Read errors can occur when SASL security is enabled. 

6356373 

The indirect Class of Service feature does not support multiple templates as documented. 

6374916 

The start-tls operation sometimes causes a server crash.

6382134 

The ldapcompare command can fail if a Class of Service is configured.

6386671 

ou=groups can contain duplicate data.

6479754 

Replication can fail after SSL is configured as documented. 

6490419 

The ldapsearch command can return inconsistent results.

6497556 

On Windows installations, the dsadm info command can display the incorrect owner of ns-slapd.

6498501 

On HP-UX installations, the dsadm stop and restart commands can behave inconsistently when the monitoring plug-in is enabled.

6499077 

The warning message for an unregistered suffix contains extra characters. 

6500908 

Certificates with names that contain localized characters cannot be listed or deleted correctly. 

6504891 

The dsadm autostart command can return incorrect error messages.

6506019 

On HP-UX installations, the directory server can fail when the GNU debugger (GDB) releases the ns-slapd process.

6536777 

On UNIX installations, the JVM of the Application Server must be started with -Djava.awt.headless=true to enable replication topology rendering.

6542953 

Multiple ZIP installations do not manage all CACAO ports correctly. 

6548467 

The DSCC cannot be accessed through its URL when a previous connection is still open. 

6550543 

DSCC can return errors when run with Java 1.6. 

6551672 

The Application Server returns an Unable to create SASL client conn for auth mechanism message and cannot communicate with CACAO.

6557499 

Registering and deploying JESMF creates defunct processes. 

6561787 

DSCC parses dsinstancemain.confirmreadonly incorrectly.

6562921 

Data passed to Windows service management must maintain the correct character case. 

6572853 

The Class of Service statistics monitor reports results incorrectly. 

6579286 

On Windows installations, the dsrepair command fails because of a missing directory in the PATH environment variable.

6579820 

On Windows installations, the plcheck command fails.

6582585 

DSCC cannot access the log files when the instance path contains multi-byte characters. 

6586725 

A memory leak occurs in multi-master replication over SSL. 

6593775 

DSCC does not display all suffixes. 

6594285 

DSCC fails to support RBAC. 

6617936 

When the repldisc command encounters an error connecting to a replica over SSL, its credentials are not properly handled.

6620846 

The repldisc command in interactive mode should not request the host name and port number.

6620851 

The repldisc command in interactive mode should not request replicas that cannot be connected.

6634048 

External use of the reversible password plug-in can cause replication to fail. 

6640285 

No trimming occurs when dsconf is used to set the nsslapd-changelogmaxage for the retro change log.

6640806 

Re-indexing requires too much time to complete. 

6641259 

The DSCC displays a message that describes the Replication Settings tab incorrectly. 

6642364 

Some password policy updates appear in replicated audit logs but not in the local audit log. 

6644137 

The DSCC displays a message that describes the Promote/Demote Suffix function incorrectly. 

6644368 

The repldisc command fails to compare host names correctly.

6645742 

Replication stops between servers of different versions after a failed login of a known user with an incorrect password. 

6646794 

The DSCC ACI wizard produces invalid ACIs when multiple targetattr values are selected.

6650039 

A replication master can fail when replication stops normally. 

6651645 

Passwords cannot be changed through proxied authorization when pwdReset is set to true.

6659728 

Performance can be degraded when the access log is enabled. 

6662669 

The dsconf set-log-prop command does not change permissions on log files in a timely manner.

6663324 

Time-based log rotation stops when the machine time is set back. 

6663553 

Extra spaces in an ACI string can cause incorrect ACI evaluations. 

6670977 

The DSCC fails to display a long ACI. 

6675384 

Complex Class of Service deployments can cause the directory server to fail.

6680142 

Several text files require correction. 

6680718 

Rotation can become deadlocked. 

6683182 

A user password can become expired even if passwordMaxAge is set to a high value.

6683870 

The DSCC can corrupt entries with binary attributes during modification. 

6684993 

Under certain circumstances, the password policy attribute pwdMinLength is not enforced.

6686131 

The DSCC displays some links incorrectly. 

6686199 

The directory server can fail if the uniqueness-among-attribute-set plug-in is configured.

6686632 

The directory server fails if a pre-op plug-in performs an access control check on an entry before deleting it. 

6687304 

Changes to client authentication made with the DSCC do not become effective until the directory server is restarted. 

6688454 

Pass-through authentication can prevent the directory server from stopping correctly. 

6688891 

The audit log contains old passwords. 

6689290 

DSCC can display incorrect message text when starting and stopping the directory server. 

6689454 

Errors can occur if a database is restored and the backup has a very large change log. 

6690684 

A server instance bound to a specific IP address can fail to become registered. 

6700232 

The directory server can become deadlocked when accessing the change log. 

6704259 

Replication operations require too much time. 

6704261 

A multiple-pass LDIF import operation can produce an incorrect index. 

6704754 

The Logging property rotation-time cannot be set to undefined even though it is listed as an allowed value.

6705319 

DSCC does not disable a referral completely. 

6706009 

The DSCC does not handle subtype attributes correctly when editing entries. 

6707089 

The directory server can fail when evaluating an ACI. 

6707164 

A binary restore of the database recreates the replication change log. 

6708194 

The DSCC cannot set the time-based log rotation and deletion policy to Do Not Automatically Rotate/Delete.

6708615 

The directory server fails when stopping the server when indexing is active. 

6711123 

Backup and export files can become invalid if infrequently updated masters receive updates. 

6712614 

The starttls command runs slowly.

6715303 

The directory server fails when fetching values of a virtual attribute. 

6715911 

The directory server can fail when creating a new suffix in the Top entry if the name of the suffix contains a backslash (\).

6716661 

The repl-schedule property should be multivalued.

6717507 

Enabling replication can incorrectly update VLV indexes.

6718308 

The DSCC does not log all messages when restoring the database. 

6721412 

Certain substring filters do not work when searching localized attributes. 

6723208  

The DSCC corrupts mailSieveRuleSource when it updates a user.

6726890 

The change log is not always trimmed correctly. 

6731941  

The number of simultaneous pass-through authentications cannot be limited. 

6735966  

On Windows installations, the directory server can fail under load when encryption is disabled. 

6736172  

The directory server can add the cACertificate and crossCertificatePair properties twice.

6737227  

The directory server can fail under load during DN normalization. 

6737235 

The targetscope keyword is sometimes handled incorrectly for anonymous ACIs.

6739300  

The retro change log can grow very large when managing large static groups. 

6740791  

A memory leak can occur in the directory server when binding users whose password policy is assigned in a Class of Service. 

6742347  

In Windows installations, the directory server does not stop during shutdown when registered as a service. 

6746125  

The ldapsearch command can return incorrect results for a search of certificateRevocationList with non-existent subtypes.

6746574  

When set to on, nsslapd-return-exact-case does not work correctly for certificateRevocationList.

6748713 

The directory server can close a connection before idletimeout has elapsed.

6750238  

In Windows installations, the first attempt of the directory server to restart after the system is rebooted can fail with System Event ID 7022. 

6750240  

des-plugin.so is not signed.

6751358  

Prioritized replication does not work as designed. 

6751952  

Replication stops and restarts when a send update now operation occurs. 

6752586  

Identity Synchronization for Windows plug-in does not start. 

6752738  

An exported LDIF can include an entry's Replica Update Vector. 

6753742  

Upgrading a multi-master replication topology can fail. 

6755852  

The directory server cannot be installed on some Japanese Windows systems. 

6756240  

The directory server can fail because of polling issues. 

6759200  

The directory server can fail because of binding with SASL.

6759886 

When DEL operations are replicated in a multi-master topology, modifiersname is logged incorrectly in the audit log of the consumer.

6763091  

The password policy assigned to a user entry through a role is not effective until the directory server is restarted. 

6764616  

Replication can fail if the suffix name contains a space. 

6768405 

The dsconf command does not correctly handle a hyphen (-).

6771728  

Replication can fail if a MOD CSN (Change Sequence Number) is smaller than the previous ADD CSN. 

6772760  

The directory server can fail if it is stopped immediately after it is started. 

6772870  

A consumer can become unsynchronized when ds-polling-thread-count is greater than 1.

6772918  

The dsconf info command does not always detect the directory server's version number.

6773132  

The dsconf export command does not log an error when it fails because the target file system is full.

6774167 

Unable to replace an SHA-encoded userpassword attribute value.

Although this issue is fixed in this release, the fix is not complete until all Directory Server instances in your topology have been upgraded to version 11g R1 (11.1.1). Until all Directory Server instances have been upgraded, you must delete the userpassword attribute and then add it again before you attempt to add a new value or values. (You cannot simply delete an existing value if you do not know the unencrypted value of the attribute.)

To delete the userpassword attribute and all password values, use the following command: 


$ /opt/dsee7/dsrk/bin/ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=Aaron.Atrc,ou=People,dc=example,dc=com
changetype: modify
delete: userpassword

modifying entry uid=Aaron.Atrc,ou=People,dc=example,dc=com

$ 

When you have deleted the userpassword attribute, you can add it again with the password values that you wanted to keep.


$ /opt/dsee7/dsrk/bin/ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=Aaron.Atrc,ou=People,dc=example,dc=com
changetype: modify
add: userpassword
userpassword: {SSHA}F/F+lmDvsWnS5XIpblmgtExK8Ve2flhjWn6kVQ==

modifying entry uid=Aaron.Atrc,ou=People,dc=example,dc=com

$ 
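
The workaround above depends on knowing which hashed values to re-add. The following Python sketch is an added example, not part of the original release notes or of Directory Server: assuming the conventional {SSHA} layout (Base64 of a 20-byte SHA-1 digest followed by the salt), it identifies which stored value matches a known password and builds the delete and add records for the values to keep. All function names and the constructed password are assumptions.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest


def parse_ssha(value):
    """Return (digest, salt) from a '{SSHA}<base64>' attribute value."""
    scheme, brace, encoded = value.partition("}")
    if not brace or scheme.upper() != "{SSHA":
        raise ValueError("value does not use the {SSHA} scheme")
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value carries no salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Hash a password the way parse_ssha() expects (8-byte random salt by default)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(value, password):
    """True if the stored value was derived from this password."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ldif_line(attr, value):
    """Emit 'attr: value', switching to Base64 ('attr:: ...') when LDIF requires it."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_reset_ldif(dn, keep_values):
    """Return (delete_record, add_record) for the two ldapmodify runs shown above."""
    if not keep_values:
        raise ValueError("no password values to re-add")
    for value in keep_values:
        parse_ssha(value)  # refuse to re-add a malformed hash
    header = [ldif_line("dn", dn), "changetype: modify"]
    delete = "\n".join(header + ["delete: userpassword"]) + "\n"
    add = "\n".join(header + ["add: userpassword"]
                    + [ldif_line("userpassword", v) for v in keep_values]) + "\n"
    return delete, add


if __name__ == "__main__":
    # Constructed values: two hashes stored on one entry, only one of them still wanted.
    stored = [make_ssha("constructed-old"), make_ssha("constructed-current")]
    keep = [v for v in stored if verify_ssha(v, "constructed-current")]
    for record in build_reset_ldif("uid=Aaron.Atrc,ou=People,dc=example,dc=com", keep):
        print(record)
```

Feed each returned record to a separate ldapmodify invocation, delete first, as in the commands above.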

6777643  

The insync operation can fail.

6779940  

The dsconf matching-rule property for indexes should be multi-valued.

6779962  

The dsadm export command cannot index collation plug-in matching rules.

6783425  

The searchrate command can fail when processing a complex filter.

6784701 

Substring searches are unindexed if an equality index is not present. 

6785664 

Running the server as a Windows service is not completely compliant with Microsoft requirements. 

6789448  

An error can occur when the pwd-accept-hashed-pwd-enabled property is set.

6790060  

ACI evaluation during unindexed searches can require too much time. 

6791372  

The directory server can fail when the authrate command is running.

6793557  

The directory server can fail when the DSML plug-in receives a corrupted DSML message. 

6796266  

The directory server can fail when it is stopped if the memberof plug-in is not completely preloaded.

6797187  

The dsadm add-selfsign-cert command adds self-inconsistent certificates to the database.

6798026  

On Windows installations, the directory server can crash during search operations. 

6802840 

On Solaris systems, log rotation stops after running dsconf with the rotate-log-now option.

6806271  

In multi-master replication topologies, the directory server can fail to detect duplicate values for attributes with more than eight values. 

6809149  

Recovery from a database failure can cause the heap to be corrupted. 

6821219 

ACI evaluation incorrectly uses cached results. 

6821682  

The dsconf command does not handle the dsml-min-parser-count and dsml-max-parser-count properties correctly.

6827661 

On some Windows installations, the dsadm stop command does not stop the directory server.

6834291  

The sequence of plug-in operation should be reordered. 

6834783 

With VLV indexes configured, VLV errors are seen shortly after an import operation. 

6835539  

The DSCC can encounter an error when creating or modifying a specialized password policy. 

6835550  

In multi-master replication topologies, replication can fail after importing a replica. 

6836463 

The retro change log reports a large number of error 32 errors after a server restart.

6837200  

The change log trimming thread can cause the directory server to fail at startup. 

6837808  

ACI evaluation during a modify operation can corrupt the heap. 

6838287 

On Windows systems, dsadm and DSCC logs are an hour behind during daylight saving time.

6844176 

Memory leaks can occur when using CoS. 

6846588 

On Windows systems, the server stops responding to SSL requests under certain NSS/NSPR version conditions. 

6846693  

The directory server can crash after importing new entries. 

6846934  

ACIs with the ip keyword are not always evaluated correctly.

6848272 

Macro ACIs do not handle DNs that include brackets. 

6849485 

The server crashes during a DSML search if the bind password needs to be changed. 

6849658 

The Uniqueness plug-in does not handle subtypes during add operations.

6849928  

Importing can fail to create a replica correctly. 

6850042  

The ZIP distribution of the directory server should use non-default port numbers. 

6850537  

Search requests should return binary attributes in accordance with RFC 4522. 

6851491  

The directory server can crash during Class of Service operations. 

6852119  

A memory leak can occur when importing an LDIF with replication meta-data. 

6852500 

When a uniquemember is deleted from a group, the deleted group member is not displayed in the retro change log entry.

6853884 

The dsmig migrate-config command logs a configuration warning for the Strong Password Check plug-in.

6853981 

The first pwdFailureTime value is deleted when the pwdLockoutDuration has passed.

6856557 

The passwordexpirationtime attribute should be ignored by the password policy when the server is in DS6-mode.

6859942 

A strong password policy handles extended ASCII incorrectly. 

6861340 

Inconsistent search results are produced when searching multi-valued attributes with a range filter, if an equality index exists. 

6867669 

Running a dsmlmodify operation causes the server to crash.

6867812 

ACIs that include wild cards do not work correctly in certain cases. 

6873828 

Stopping a server instance using a dsadm command from a different installation does not work.

6878311 

The UID Uniqueness plug-in cannot handle more than one + symbol in a dn or uid.

6881605 

A deadlock situation can occur on server shutdown when SMF is used. 

6887642 

Proxy authorization does not recognize grace logins for password changes. 

6892914 

A memory leak occurs in the CoS plug-in.

6894059 

Under certain conditions, fractional replication only evaluates updates from a subset of replicas. 

6896757 

The minimum-search-filter-substring-length of a resource limit policy does not work on complex search filters.

6900781 

Performing a restore by using dsadm should place the database in referral mode.

6900955 

Consecutive password changes cause the passwordexpirationtime attribute to be removed from the second master in a two-way multimaster topology.

6902119 

A memory leak occurs in the mapping tree code. 

6902127 

A memory leak occurs in the id2entry code.

6904986 

dsccsetup -V returns unexpected null in output.

6902477 

No recovery is performed when the server is restarted after a crash. 

6905595 

Frozen mode does not return referrals as expected. 

6906234 

The audit log does not contain the entire change when binary attributes are modified. 

6908622 

The insync command dumps core if uppercase characters are used in the hostname, with the option -S.

6908942 

In a replicated topology with DSEE 6.x servers, the server sometimes crashes when replaying certain operations to the DSEE 6.x servers.

6912294 

The RUV cannot be updated for the first change on a master. 

6915746 

When sending specifically crafted LDAP messages, the server can crash. 

6918089 

Running a dsadm reindex on the vlv attribute can cause the server to crash.

6920416 

When modifying entries under cn=config, a comma is appended after the etime.

6920520 

Bind DNs in cn=config can cause a deadlock in the server.

6920573 

Running a reindex can leave the entryDN and parentID indexes in an inconsistent state.

6921014 

Memory leaks can occur in the retro change log. 

6921222 

The state information for the change of an rdn attribute is missing in certain cases.

6923243 

Running a vlv reindex operation does not work as expected.

6927120 

Reindexing a VLV index hangs. 

6927881 

Running the directory server as a Windows service can disable other services. 

6939218 

The server crashes if asynchronous searches are performed after a GSSAPI SASL bind. 

6940840 

On Windows systems, the server crashes when running multiple root DSE searches. 

6944409 

In the zh_CN locale, an exception is generated when attempting to view the error, access, or audit logs.

6949107 

Setting the ds-gather-filter-stats property to on can crash the server.

6949854 

The command dsadm -A 1d does not return the most recent logs.

6950645 

When deploying DSCC on a machine with no default locale, several log messages stating couldn't set locale correctly are generated.

6960494 

The server occasionally crashes when filter statistics are enabled and a filter with more than three different filter elements is used. 

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

Number of servers that can be managed using DSCC

The Directory Service Control Center (DSCC) enables centralized administration of Directory Server and Directory Proxy Server instances. The current version of DSCC has been tested successfully in an environment of 42 server instances, supporting most common configurations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.


Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.


To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of the Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already configured this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration properties max-thread-per-connection-count and ds-polling-thread-count do not apply for Windows systems.

Console does not allow administrator login on Windows XP

The console does not allow administrators to log in to a server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, Directory Server Indexing, in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition for details.

Number of connections and operations are not enforced on PTA servers

The maximum number of connections (maxconns) and the maximum number of operations (maxops) are not enforced on PTA servers.

When installed with the ZIP distribution, Directory Server uses port 21162 as the default of the Common Agent Framework (CACAO).

The default port of the Common Agent Framework (CACAO) is 11162. When installed with the native distribution, Directory Server uses this default port. However, when installed with the ZIP distribution, Directory Server uses port 21162 by default. Be sure to specify the right port number when creating or registering a server instance with DSCC.

The console does not allow you to create a Directory Server or Directory Proxy Server instance if the Directory Manager's password contains a space character. (6830908)

If the Directory Manager's password contains a space character, the Directory Manager account cannot create a directory server or directory proxy server instance by using the console.

Due to the same issue, the command dsccsetup ads-create -w password-file fails if the password file contains a space character.

Known Directory Server Issues in 11g Release 1 (11.1.1)

This section lists the issues that are known at the time of release of Directory Server 11g Release 1 (11.1.1).

4678334

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Oracle support.

6235452

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
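
One way to do that preprocessing, as an added Python example that is not part of the original release notes or of Directory Server: it appends createTimeStamp and modifyTimeStamp in generalized-time form to every content entry that lacks them. The function names, the sample entries and the use of one timestamp for all entries are assumptions.

```python
import re
from datetime import datetime, timezone

TIMESTAMP_ATTRS = ("createTimeStamp", "modifyTimeStamp")  # names from the release note

# Constructed sample input: a version line, a comment, a folded value,
# and one entry that already carries a creation timestamp.
SAMPLE_LDIF = """version: 1

# constructed sample entries
dn: uid=user.one,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.one
description: a long value that has been folded onto
  a second line

dn: uid=user.two,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.two
createtimestamp: 20090101000000Z
"""


def attribute_names(record):
    """Return the lower-cased attribute names present in one LDIF record."""
    logical = []
    for line in record.split("\n"):
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # continuation of a folded line
        else:
            logical.append(line)
    names = set()
    for line in logical:
        if line.startswith("#") or ":" not in line:
            continue                      # comment or malformed line
        name = line.split(":", 1)[0]
        # Drop attribute options such as ;binary before comparing names.
        names.add(name.split(";", 1)[0].strip().lower())
    return names


def add_timestamps(ldif_text, when=None):
    """Append missing timestamp attributes to each content entry.

    Records without a dn (the version line, stray comments) and change
    records (those with a changetype) are passed through untouched.
    Original lines, including their folding, are preserved as written.
    """
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    text = ldif_text.replace("\r\n", "\n").strip("\n")
    out = []
    for record in re.split(r"\n{2,}", text):
        names = attribute_names(record)
        if "dn" in names and "changetype" not in names:
            missing = [a for a in TIMESTAMP_ATTRS if a.lower() not in names]
            record = "\n".join([record] + [f"{a}: {stamp}" for a in missing])
        out.append(record)
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_timestamps(SAMPLE_LDIF), end="")
```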

6245092

The Directory Server hangs when running the stop-slapd command.

6276634

After changing the schema definition of an attribute from multi-valued to single-valued, modify replace operations on that attribute are refused.

To avoid potential problems after making such a change, do the following:

  1. Export the additional data, without replication (dsadm export -Q ...).

  2. Reimport the data from the resulting LDIF file.

    Be aware that there might be skipped entries if the resulting entry is no longer compatible with the schema.

  3. Reinitialize the other replicas in the topology.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.


    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert

  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.


    $ dsadm add-cert --ca /local/consumer supplierCert \
      /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert \
      /tmp/consumer-cert.txt

  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.


    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
    
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6412131

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.

6446318

On Windows, SASL authentication fails for the following two reasons:

  • SASL encryption is used.

    To work around the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.


    dn: cn=SASL, cn=security, cn=config
      dssaslminssf: 0
      dssaslmaxssf: 0

  • The installation is done using native packages.

    To work around the issue caused by the native packages installation, set SASL_PATH to install-dir\share\lib.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6468074

It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6469296

Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
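
The following Python example is added here and is not part of the release notes or of Directory Server. It reads dse.ldif content and reports the plug-in signature settings described for 6483290 together with the SASL workaround described for 6446318. It assumes that these attributes are stored in dse.ldif on the entries named in these notes, and the sample content is constructed.

```python
# Added example, not Oracle code. Assumption: the attributes named in 6446318
# and 6483290 are stored in dse.ldif on the entries shown in these notes.
DEFAULTS = {"ds-verify-valid-plugin-signature": "on",    # defaults stated
            "ds-require-valid-plugin-signature": "off"}  # in note 6483290

SAMPLE = """\
dn: cn=config
ds-require-valid-plugin-signature: off

dn: cn=SASL, cn=security,
 cn=config
dssaslminssf: 0
dssaslmaxssf: 0
"""  # constructed sample, including one folded (continued) DN line

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space continues the previous line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        attr, _, value = (s.strip() for s in line.partition(":"))
        if not attr:
            current = None  # blank line ends the entry
        elif attr.lower() == "dn":
            dn = ",".join(part.strip().lower() for part in value.split(","))
            current = entries.setdefault(dn, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def audit(text):
    entries = parse_ldif(text)
    config = entries.get("cn=config", {})
    findings = []
    for name, default in DEFAULTS.items():
        if config.get(name, [default])[-1].lower() != "on":
            findings.append(name + " is not on")
    sasl = entries.get("cn=sasl,cn=security,cn=config", {})
    if sasl.get("dssaslmaxssf", [""])[-1] == "0":
        findings.append("dssaslmaxssf is 0 (6446318 workaround applied)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

With the defaults stated above, ds-require-valid-plugin-signature is reported until it is set to on, because the server otherwise only logs a warning for invalid signatures.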

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488284

For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To work around this issue, access the man pages at Oracle Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.

6490557

An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as the Mozilla web browser.

6491849

After upgrading replicas and moving servers to new systems, you must recreate replication agreements to use the new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497894

The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6501320

When creating an index on custom schema, a suffix-level change of the all-ids-threshold is not propagated completely by DSCC.

6503509

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.

6503546

After you change the locale of the system and start DSCC, the pop-up window message is not displayed in the locale that you selected.

6504180

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6504549

The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.

6507312

On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.

6520646

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999

The Directory Server plug-in API includes slapi_value_init(), slapi_value_init_string(), and slapi_value_init_berval() functions.

These functions all require a “done” function to release internal elements. However, the public API is missing a slapi_value_done() function.

6541040

When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.

6542857

When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system, and the following error is returned:


svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers (that is, a user that is defined locally on the machine rather than an NIS user.)

6547992

On HP-UX, the dsadm and dpadm commands might not find the libicudata.sl.3 shared library.

As a workaround to this problem, set the SHLIB_PATH variable.


env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

6551685

The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6557480

On Solaris 9 and Windows, when you access the online help from the console configured using a Web archive (WAR) file, it displays an error.

6559825

If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting a replication agreement between servers.

6571038

For servers registered in DSCC as listening on all interfaces (0.0.0.0), attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To set up an SSL-only port and a secure-listen-address with Directory Server Enterprise Edition, use this workaround:

  1. Unregister the server from DSCC:


    dsccreg remove-server /local/myserver

  2. Disable the LDAP port:


    dsconf set-server-prop ldap-port:disabled

  3. Set up a secure-listen-address:


    $ dsconf set-server-prop secure-listen-address:IPaddress

    $ dsadm restart /local/myserver

  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.

6587801

Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To work around this issue:

Add the 64-bit module with 64-bit version of modutil:


$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/libnssckbi.so -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

6630897

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.

6630924

The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.

6637242

After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService.

6640755

In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.

6648240

Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.

6720595

On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.

6750837

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the dsconf accord-repl-agmt command to correct the replication agreement.

6751354

Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:


WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -
Detected plugin paths from another install, using current install

To avoid these warnings, be sure to use C:/ consistently.

6752625

Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:


For more information about data source configuration, 
see the "Oracle Directory Server Enterprise Edition Reference."

Selecting the link to the Directory Server Enterprise Edition Reference document produces an error message.

To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.

6776034

The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.

To fix this issue, install the missing SUNWxcu4 package on your system.

6783994

The -f option does not work with the ldapcompare command.

6845087

On Windows, CLI displays garbage characters.

6853393

DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.

6867762

When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:

  • the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties

  • scheduling of the housekeeping thread

  • the effective size of the log file when the rotation condition is satisfied

The timestamp in the rotated log file (for example, access.timestamp) therefore cannot be guaranteed.

6876315

If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.

The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.

6885178

The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.

6891486

Some debug messages and Error #20502, Serious failure during database checkpointing, err=2 (No such file or directory), can sometimes be logged right before the import processing starts. Such messages can be ignored, as they refer to the old suffix data being deleted.

6894136

If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take a long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.

6953929

The server occasionally crashes when running the dsadm show-access-log or dsadm show-error-log commands, if the command is launched while a log rotation is in progress.

6955408

On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.

Workaround. After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.

6962704

A side effect of the new compliance with RFC 4511 is that some searches might be slower than with previous versions of Directory Server, when using multi-valued attributes. To alleviate this, either set compat-flag to no-rfc4511 or declare the user attribute as SINGLE-VALUE in the schema.

6966010

The command dsconf help-properties inverts the description for the fractional replication properties. The following output:


repl-fractional-exclude-attr ... Replicate only the specified set of attributes
repl-fractional-include-attr ... Do not replicate the specified set of attributes

should be as follows:


repl-fractional-exclude-attr ... Do not replicate the specified set of attributes
repl-fractional-include-attr ... Replicate only the specified set of attributes