Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition

Chapter 4 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server 11g Release 1 (11.1.1).

This chapter covers the following topics:

Bugs Fixed in This Release

This section lists the bugs fixed in Directory Server 7.0 and Directory Server 11g Release 1 (11.1.1).

Table 4–1 Bugs Fixed in Directory Server 11g Release 1 (11.1.1)

Bug ID 



UIDs for entries are not required to be unique. 


Network connections remain established regardless of the settings of the tcp_keepalive_interval and tcp_ip_abort_interval attributes.


The message WARNING<1028> — Replay of an already seen operation occurs frequently in the error log.


The insync command cannot parse a host specification provided to it if the host specification contains an at sign (@).


Non-unique values of nsuniqueid can be added to a replication topology and cause replication to fail.


Using the ldapmodify command to delete an attribute can cause replication to fail.


Modifying an entry's RDN at the same time as modifying an attribute value of the entry's parent puts the directory server in deadlock. 


A memory leak occurs in searches that return virtual attributes. 


Performing a modify operation using replace with a value of 0 for the first time on an attribute results in a NULL value.


If a change log is created and read simultaneously, the directory server can fail. 


Read errors can occur when SASL security is enabled. 


The indirect Class of Service feature does not support multiple templates as documented. 


The start-tls operation sometimes causes a server crash.


The ldapcompare command can fail if a Class of Service is configured.


ou=groups can contain duplicate data.


Replication can fail after SSL is configured as documented. 


The ldapsearch command can return inconsistent results.


On Windows installations, the dsadm info command can display the incorrect owner of ns-slapd.


On HP-UX installations, the dsadm stop and restart commands can behave inconsistently when the monitoring plug-in is enabled.


The warning message for an unregistered suffix contains extra characters. 


Certificates with names that contain localized characters cannot be listed or deleted correctly. 


The dsadm autostart command can return incorrect error messages.


On HP-UX installations, the directory server can fail when the GNU debugger (GDB) releases the ns-slapd process.


On UNIX installations, the JVM of the Application Server must be started with -Djava.awt.headless=true to enable replication topology rendering.


Multiple ZIP installations do not manage all CACAO ports correctly. 


The DSCC cannot be accessed through its URL when a previous connection is still open. 


DSCC can return errors when run with Java 1.6. 


The Application Server returns an Unable to create SASL client conn for auth mechanism message and cannot communicate with CACAO.


Registering and deploying JESMF creates defunct processes. 


DSCC parses dsinstancemain.confirmreadonly incorrectly.


Data passed to Windows service management must maintain the correct character case. 


The Class of Service statistics monitor reports results incorrectly. 


On Windows installations, the dsrepair command fails because of a missing directory in the PATH environment variable.


On Windows installations, the plcheck command fails.


DSCC cannot access the log files when the instance path contains multi-byte characters. 


A memory leak occurs in multi-master replication over SSL. 


DSCC does not display all suffixes. 


DSCC fails to support RBAC. 


When the repldisc command encounters an error connecting to a replica over SSL, its credentials are not properly handled.


The repldisc command in interactive mode should not request the host name and port number.


The repldisc command in interactive mode should not request replicas that cannot be connected.


External use of the reversible password plug-in can cause replication to fail. 


No trimming occurs when dsconf is used to set the nsslapd-changelogmaxage for the retro change log.


Re-indexing requires too much time to complete. 


The DSCC displays a message that describes the Replication Settings tab incorrectly. 


Some password policy updates appear in replicated audit logs but not in the local audit log. 


The DSCC displays a message that describes the Promote/Demote Suffix function incorrectly. 


The repldisc command fails to compare host names correctly.


Replication stops between servers of different versions after a failed login of a known user with an incorrect password. 


The DSCC ACI wizard produces invalid ACIs when multiple targetattr values are selected.


A replication master can fail when replication stops normally. 


Passwords cannot be changed through proxied authorization when pwdReset is set to true.


Performance can be degraded when the access log is enabled. 


The dsconf set-log-prop command does not change permissions on log files in a timely manner.


Time-based log rotation stops when the machine time is set back. 


Extra spaces in an ACI string can cause incorrect ACI evaluations. 


The DSCC fails to display a long ACI. 


Complex Class-of Service deployments can cause the directory server to fail. 


Several text files require correction. 


Rotation can become deadlocked. 


A user password can become expired even if passwordMaxAge is set to a high value.


The DSCC can corrupt entries with binary attributes during modification. 


Under certain circumstances, the password policy attribute pwdMinLength is not enforced.


The DSCC displays some links incorrectly. 


The directory server can fail if the uniqueness-among-attribute-set plug-in is configured.


The directory server fails if a pre-op plug-in performs an access control check on an entry before deleting it. 


Changes to client authentication made with the DSCC do not become effective until the directory server is restarted. 


Pass-through authentication can prevent the directory server from stopping correctly. 


The audit log contains old passwords. 


DSCC can display incorrect message text when starting and stopping the directory server. 


Errors can occur if a database is restored and the backup has a very large change log. 


A server instance bound to a specific IP address can fail to become registered. 


The directory server can become deadlocked when accessing the change log. 


Replication operations require too much time. 


A multiple-pass LDIF import operation can produce an incorrect index. 


The Logging property rotation-time cannot be set to undefined even though it is listed as an allowed value


DSCC does not disable a referral completely. 


The DSCC does not handle subtype attributes correctly when editing entries. 


The directory server can fail when evaluating an ACI. 


A binary restore of the database recreates the replication change log. 


The DSCC cannot set the time-base log rotation and deletion policy to Do Not Automatically Rotate/Delete. 


The directory server fails when stopping the server when indexing is active. 


Backup and export files can become invalid if infrequently updated masters receive updates. 


The starttls command runs slowly.


The directory server fails when fetching values of a virtual attribute. 


The directory server can fail when creating a new suffix in the Top entry if the name of the suffix contains a back slash (\).


The repl-schedule property should be multivalued.


Enabling replication can incorrectly update VLV indexes 


The DSCC does not log all messages when restoring the database. 


Certain substring filters do not work when searching localized attributes. 


The DSCC corrupts mailSieveRuleSource when it updates a user.


The change log is not always trimmed correctly. 


The number of simultaneous pass-through authentications cannot be limited. 


On Windows installations, the directory server can fail under load when encryption is disabled. 


The directory server can add the cACertificate and crossCertificatePair properties twice.


The directory server can fail under load during DN normalization. 


The targetscope keyword is sometimes handled incorrectly for anonymous ACIs.


The retro change log can grow very large when managing large static groups. 


A memory leak can occur in the directory server when binding users whose password policy is assigned in a Class of Service. 


In Windows installations, the directory server does not stop during shutdown when registered as a service. 


The ldapsearch command can return incorrect results for a search of certificateRevocationList with non-existent subtypes.


When set to on, nsslapd-return-exact-case does not work correctly for certificateRevocationList.


The directory server can close a connection before idletimeout has elapsed.


In Windows installations, the first attempt of the directory server to restart after the system is rebooted can fail with System Event ID 7022. 

6750240 is not signed.


Prioritized replication does not work as designed. 


Replication stops and restarts when a send update now operation occurs. 


Identity Synchronization for Windows plug-in does not start. 


An exported LDIF can include an entry's Replica Update Vector. 


Upgrading a multi-master replication topology can fail. 


The directory server cannot be installed on some Japanese Windows systems. 


The directory server can fail because of polling issues. 


directory server can fail because of binding with SASL. 


DEL operations are replicated in a multi-master topology, modifiersname is logged incorrectly in the audit log of the consumer.


The password policy assigned to a user entry through a role is not effective until the directory server is restarted. 


Replication can fail if the suffix name contains a space. 


The dsconf command does not correctly handle a hyphen (-).


Replication can fail if a MOD CSN (Change Sequence Number) is smaller than the previous ADD CSN. 


The directory server can fail if it is stopped immediately after it is started. 


A consumer can become unsynchronized when ds-polling-thread-count is greater than 1.


The dsconf info command does not always detect the directory server's version number.


The dsconf export command does not log an error when it fails because the target file system is full.


Unable to replace an SHA-encoded userpassword attribute value.

Although this issue is fixed in this release, the fix is not complete until all Directory Server instances in your topology have been upgraded to version 11g R1 (11.1.1). Until all Directory Server instances have been upgraded, you must delete the userpassword attribute and then add it again before you attempt to add a new value or values. (You cannot simply delete an existing value if you do not know the unencrypted value of the attribute.)

To delete the userpassword attribute and all password values, use the following command: 

$ /opt/dsee7/dsrk/bin/ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=Aaron.Atrc,ou=People,dc=example,dc=com
changetype: modify
delete: userpassword

modifying entry uid=Aaron.Atrc,ou=People,dc=example,dc=com


When you have deleted the userpassword attribute, you can add it again with the password values that you wanted to keep.

$ /opt/dsee7/dsrk/bin/ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=Aaron.Atrc,ou=People,dc=example,dc=com
changetype: modify
add: userpassword
userpassword: {SSHA}F/F+lmDvsWnS5XIpblmgtExK8Ve2flhjWn6kVQ==

modifying entry uid=Aaron.Atrc,ou=People,dc=example,dc=com



The insync operation can fail.


The dsconf matching-rule property for indexes should be multi-valued.


The dsadm export command cannot index collation plug-in matching rules.


The searchrate command can fail when processing a complex filter.


Substring searches are unindexed if an equality index is not present. 


Running the server as a Windows service is not completely compliant with Microsoft requirements. 


An error can occur when the pwd-accept-hashed-pwd-enabled property is set.


ACI evaluation during unindexed searches can require too much time. 


The directory server can fail when the authrate command is running.


The directory server can fail when the DSML plug-in receives a corrupted DSML message. 


The directory server can fail when it is stopped if the memberof plug-in is not completely preloaded.


The dsadm add-selfsign-cert command adds self-inconsistent certificates to the database.


On Windows installations, the directory server can crash during search operations. 


On Solaris systems, log rotation stops after running dsconf with the rotate-log-now option.


In multi-master replication topologies, the directory server can fail to detect duplicate values for attributes with more than eight values. 


Recovery from a database failure can cause the heap to be corrupted. 


ACI evaluation incorrectly uses cached results. 


The dsconf command does not handle the dsml-min-parser-count and dsml-max-parser-count properties correctly.


On some Windows installations, the dsadm stop command does not stop the directory server.


The sequence of plug-in operation should be reordered. 


With VLV indexes configured, VLV errors are seen shortly after an import operation. 


The DSCC can encounter an error when creating or modifying a specialized password policy. 


In multi-master replication topologies, replication can fail after importing a replica. 


The retro change log reports a large number of error 32 errors after a server restart.


The change log trimming thread can cause the directory server to fail at startup. 


ACI evaluation during a modify operation can corrupt the heap. 


On Windows systems, dsadm and DSCC logs are an hour behind during daylight savings time.


Memory leaks can occur when using CoS. 


On Windows systems, the server stops responding to SSL requests under certain NSS/NSPR version conditions. 


The directory server can crash after importing new entries. 


ACIs with the ip keyword are not always evaluated correctly.


Macro ACIs do not handle DNs that include brackets. 


The server crashes during a DSML search if the bind password needs to be changed. 


The Uniqueness plug in does not handle subtypes during add operations. 


Importing can fail to create a replica correctly. 


The ZIP distribution of the directory server should use non-default port numbers. 


Search requests should return binary attributes in accordance with RFC 4522. 


The directory server can crash during Class of Service operations. 


A memory leak can occur when importing an LDIF with replication meta-data. 


When a uniquemember is deleted from a group, the deleted group member is not displayed in the retro change log entry.


The dsmig migrate-config command logs a configuration warning for the Strong Password Check plug-in.


The first pwdFailureTime value is deleted when the pwdLockoutDuration has passed.


The passwordexpirationtime attribute should be ignored by the password policy when the server is in DS6–mode.


A strong password policy handles extended ASCII incorrectly. 


Inconsistent search results are produced when searching multi-valued attributes with a range filter, if an equality index exists. 


Running a dsmlmodify operation causes the server to crash.


ACIs that include wild cards do not work correctly in certain cases. 


Stopping a server instance using a dsadm command from a different installation does not work.


The UID Uniqueness plug in cannot handle more than one + symbol in a dn or uid.


A deadlock situation can occur on server shutdown when SMF is used. 


Proxy authorization does not recognize grace logins for password changes. 


A memory leak occurs in the CoS plug in. 


Under certain conditions, fractional replication only evaluates updates from a subset of replicas. 


The minimum-search-filter-substring-length of a resource limit policy does not work on complex search filters.


Performing a restore by using dsadm should place the database in referral mode.


Consecutive password changes cause the passwordexpirationtime attribute to be removed from the second master in a two-way multimaster topology.


A memory leak occurs in the mapping tree code. 


A memory leak occurs in the id2entry code.


dsccsetup —V returns unexpected null in output.


No recovery is performed when the server is restarted after a crash. 


Frozen mode does not return referrals as expected. 


The audit log does not contain the entire change when binary attributes are modified. 


The insync command dumps core if uppercase characters are used in the hostname, with the option -S.


In a replicated topology with DSEE 6.x servers, the server sometimes crashes when replaying certain operation to the DSEE 6.x servers. 


The RUV cannot be updated for the first change on a master. 


When sending specifically crafted LDAP messages, the server can crash. 


Running a dsadm reindex on the vlv attribute can cause the server to crash.


When modifying entries under cn=config, a comma is appended after the etime.


Bind DNs in cn=config can cause a deadlock in the server.


Running a reindex can leave the entryDN and parentID indexes in an inconsistent state.


Memory leaks can occur in the retro change log. 


The state information for the change of an rdn attribute is missing in certain cases.


Running a vlv reindex operation does not work as expected.


Reindexing a VLV index hangs. 


Running the directory server as a Windows service can disable other services. 


The server crashes if asynchronous searches are performed after a GSSAPI SASL bind. 


On Windows systems, the server crashes when running multiple root DSE searches. 


In the zh_CN locale, an exception is generated when attempting to view the error, access, or audit logs.


Setting the ds-gather-filter-stats property to on can crash the server.


The command dsadm —A 1d does not return the most recent logs.


When deploying DSCC on a machine with no default locale, several log messages stating couldn't set locale correctly are generated.


The server occasionally crashes when filter statistics are enabled and a filter with more than three different filter elements is used. 

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

Number of servers that can be managed using DSCC

The Directory Service Control Center (DSCC) enables centralized administration of Directory Server and Directory Proxy Server instances. The current version of DSCC has been tested successfully in an environment of 42 server instances, supporting most common configurations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.

To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

To work around this issue on Windows, choose Log On from the properties of Common Agent Container service, enter the password of the user running the service, and press Apply. If you have not already done this setting, you will receive a message stating that the account user name has been granted the Log On As A Service right.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration properties max-thread-per-connection-count and ds-polling-thread-count do not apply for Windows systems.

Console does not allow administrator login on Windows XP

The console does not allow administrators to log in to a server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Changing Index Configurations on the Fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, Directory Server Indexing, in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition for details.

Number of connections and operations are not enforced on PTA servers

The maximum number of connections (maxconns) and the maximum number of operations (maxops) are not enforced on PTA servers.

When installed with the ZIP distribution, Directory Server uses port 21162 as the default of the Common Agent Framework (CACAO).

The default port of the Common Agent Framework (CACAO) is 11162. When installed with the native distribution, Directory Server uses this default port. However, when installed with the ZIP distribution, Directory Server uses port 21162 by default. Be sure to specify the right port number when creating or registering a server instance with DSCC.

The console does not allow you to create a Directory Server or Directory Proxy Server instance if the Directory Manager's password contains a space character. (6830908)

If the Directory Manager's password contains a space character, the Directory Manager account cannot create a directory server or directory proxy server instance by using the console.

Due to the same issue, the command dsccsetup ads-create —w password-file fails if the password file contains a space character.

Known Directory Server Issues in 11g Release 1 (11.1.1)

This section lists the issues that are known at the time of the Directory Server 11g Release 1 (11.1.1).


Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.


Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Oracle support.


When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.


The Directory Server hangs when running the stop-slapd command.


After changing the schema definition of an attribute from multi-valued to single-valued, modify replace operations on that attribute are refused.

To avoid potential problems after making such a change, do the following:

  1. Export the additional data, without replication (dsadm export -Q ...).

  2. Reimport the data from the resulting LDIF file.

    Be aware that their might be skipped entries if the resulting entry is no longer compatible with the schema.

  3. Reinitialize the other replicas in the topology.


The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

    To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert \
    $ dsadm add-cert --ca /local/supplier consumerCert \
  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.


Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.


The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.


Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.


On Windows, SASL authentication fails due to the following two reasons:

  • SASL encryption is used.

    To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

    dn: cn=SASL, cn=security, cn=config
      dssaslminssf: 0
      dssaslmaxssf: 0
  • The installation is done using native packages.

    To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.


Directory Service Control Center does not properly display userCertificate binary values.


It is not clear from the name of the passwordRootdnMayBypassModsCheck configuration attribute that the server now allows any administrator to bypass password syntax checking when modifying another user's password, when the attribute is set.


On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.


Although the Directory Service Control Center allows you to copy the configuration of an existing server, it does not allow you to copy the plug-in configuration.


On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.


Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.


Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.


After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.


For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To workaround this issue, access the man pages at Oracle Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.


An attempt to enter an invalid CoS Template results in a crash in versions of Directory Server 6.


When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.


After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.


On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.


The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.


On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.


The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.


In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.


When creating an index on custom schema, a suffix level change of the all-ids-threshold is not permeated completely by the DSCC.


Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccrepair commands is not localized.


Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.


On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.


The discovery of an instance of the Directory Server by the Java Enterprise System Monitoring Framework is not successful if the ns-slapd process was started remotely using rsh.


On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.


Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.


The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.

These functions all require a “done” function to release internal elements. However, the public API is missing a slapi_value_done()() function.


When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not causes any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.


When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers (that is, a user that is defined locally on the machine rather than an NIS user.)


On HP-UX, the dsadm and dpadm commands might not find shared library.

As a workaround to this problem, set the SHLIB_PATH variable.

env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm

The dsadm autostart can make native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.


On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.


If you modify the port number using DSCC on a server that has replicated suffixes, problems arise when setting replication agreement between servers.


For servers registered in DSCC as listening on all interfaces (, attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have an SSL port only and secure-listen-address setup with Directory Server Enterprise Edition, use this workaround:

  1. Unregister the server from DSCC:

    dsccreg remove-server /local/myserver
  2. Disable the LDAP port:

    dsconf set-server-prop ldap-port:disabled
  3. Set up a secure-listen-address:

    $ dsconf set-server-prop secure-listen-address:IPaddress

    $ dsadm restart /local/myserver
  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.


Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To workaround this issue:

Add the 64-bit module with 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/ -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.


The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.


After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService


In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.


Changing or deleting an attribute in the Additional Indexes table of the Indexes tab in the Directory Service Control Center can lead to stale information being displayed until the browser is refreshed.


On UNIX systems, an attempt to change the path of any log file with dsconf set-log-prop or DSCC fails if the new path of the log file does not already exist.


Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can cause replication to fail after the masters are restarted. As a workaround, use the dsconf accord-repl-agmt command to correct the replication agreement.


Specification of network drives on Microsoft Windows is case-sensitive. Because of this, using both C:/ and c:/, for example, in DSEE administrative commands can produce various error messages, such as the following:

WARNING<4227> - Plugins - conn=-1 op=-1 msgId=-1 -
Detected plugin paths from another install, using current install

To avoid these warnings, be sure to use C:/ consistently.


Online help in DSCC might link to unknown web pages. In particular, some wizard menus might suggest the following:

For more information about data source configuration, 
see the "Oracle Directory Server Enterprise Edition Reference."

Selecting the link to the Directory Server Enterprise Edition Reference document produces an error message.

To work around this problem, select the link with the third mouse-button and choose the Open Link in New Window command from the pop-up menu. The selected document appears in the new browser window.


The DSCC Agent cannot be registered in CACAO on Solaris 9. If the SUNWxcu4 package is missing from the system, then the command DSEE_HOME/dscc6/bin/dsccsetup cacao-reg fails with the error, Failed to configure Cacao.

To fix this issue, install the missing SUNWxcu4 package on your system.


The -f option does not work with the ldapcompare command.


On Windows, CLI displays garbage characters.


DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.


When logs are rotated according to rotation-time or rotation-interval, the exact time at which the rotation occurs depends on several variables, including the following:

  • the values of the rotation-time, rotation-interval, rotation-now, and rotation-size properties

  • scheduling of the housekeeping thread

  • the effective size of the log file when the rotation condition is satisfied

The timestamp in the rotated log file (for example, access.timestamp) can therefore not be guaranteed.


If the user running the dsmig command does not own the target directory server instance, the command fails because it does not have adequate permission to generate and access migrated files.

The dsmig command can run successfully if it is run by the user who owns the target directory server and has at least read access to the source directory server. If these conditions cannot be met, perform the migration by exporting the database and importing it to the new directory server.


The man page for hosts_access incorrectly states that IPv6 is not supported on Windows systems.


Some debug messages and Error #20502, Serious failure during database checkpointing, err=2 (No such file or directory), can sometimes be logged right before the import processing starts. Such messages can be ignored, as they refer to the old suffix data being deleted.


If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.


The server occasionally crashes when running the dsadm show-access-log or dsadm show-error-log commands, if the command is launched while a log rotation is in progress.


On Windows systems, running the dsccsetup dismantle command does not completely remove the CACAO Windows service.

Workaround. After you have run the dsccsetup dismantle command, run cacaoadm prepare-uninstall before you uninstall Directory Server Enterprise Edition. This removes the CACAO Windows service.


A side effect of the new Compliance with RFC 4511 is that some searches might be slower than with previous versions of Directory Server, when using multi-valued attributes. To alleviate this, either set compat-flag to no-rfc4511 or declare the user attribute as SINGLE-VALUE in the schema.


The command dsconf help-properties inverts the description for the fractional replication properties. The following output:

repl-fractional-exclude-attr ... Replicate only the specified set of attributes
repl-fractional-include-attr ... Do not replicate the specified set of attributes

should be as follows:

repl-fractional-exclude-attr ... Do not replicate the specified set of attributes
repl-fractional-include-attr ... Replicate only the specified set of attributes