Sun Java System Directory Server Enterprise Edition 6.0 Release Notes

Directory Server Limitations

This section lists product limitations. Limitations are not always associated with a change request number.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To workaround this limitation, install products as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replication the cn=changelog suffix.

On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.

Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.

Database cache may be outdated after failover on Sun Cluster.

When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.


Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.


To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

Enabling password expiration can cause mass expiration.

Directory Server now updates the pwdChangedTime operational attribute whenever a password is modified. As this attribute is updated even before you enable password expiration, old passwords expire immediately when you enable password expiration.

An additional condition can cause immediate expiration when you run Directory Server in version 5 password policy mode. If you enabled password expiration in the past, and then turned expiration off, Directory Server still has timestamps on passwordExpirationTime operational attributes. Therefore, when you enable password expiration again, passwords with old passwordExpirationTime operational attributes can expire immediately.

You can give users grace logins to change their password with pwdGraceAuthNLimit. Alternatively, when running Directory Server in version 5 compatible mode for password policy, you can configure Directory Server to warn users before their passwords expire. Set passwordExpireWithoutWarning to off. Also, set passwordWarning appropriately.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.