This chapter contains important, product-specific information available at the time of release of Directory Server.
This chapter includes the following sections:
This section lists bugs fixed for this release.
The following bugs were fixed since the last release of Directory Server.
Issue with ;binary attributes and compliance with RFC 1274.
Console process grows when adding users.
Console cannot display an access log greater than 60 MB when a filter is used.
Log size settings over 2 GB do not work.
Directory Server crashes when a client sends a certificate without an issuer DN.
Adding an entry crashes Directory Server.
Directory Server dumps core due to an incorrect search performed by a plug-in.
Deadlock in access control plug-in.
Unable to configure pass-through authentication with URLs containing the same suffix.
DN checking operation is not properly carried out by Directory Server.
Regression related to ignoring referrals.
ldapsearch -A fails against a chained database.
During shutdown, referential integrity plug-in can crash Directory Server.
VLV indexes are broken.
Binding with certificate authentication and a simple bind can cause Directory Server to hang.
Replicated updates can stop replication.
Crash while deleting a browsing index.
Subtree plug-in logs superfluous postoperation warnings.
Referential Integrity plug-in does not allocate enough space for internal search.
Password expiration does not completely prevent users from binding.
Strange reverse DNS request issued at startup.
All attribute subtypes get deleted from index.
Directory Server dumps core in acl_access_allowed().
Wildcard searches work poorly with single character attribute values.
Some wildcard searches trigger problems.
ldif2db -n userRoot -i test.ldif causes a bus error.
ACIs and ACLs do not take extra whitespace into account.
Memory leak with persistent searches.
Directory Server dumps core when checking the history of a clear text password.
Persistent search returns tombstone purging events.
Start TLS is not thread safe.
bak2db fails with nested directory databases.
Buffer Overflow in re_comp().
Significant memory leak.
Directory Server core dumps in preop_modify() when the attribute uniqueness plug-in is active.
Directory Server crashes on receipt of an invalid PDU.
Substring index becomes corrupt if one of similar multiple values is deleted.
Installation fails on HP-UX.
Replication commands should have a timeout parameter.
Crash when trimming the retro changelog.
Duplicate uid attribute values arise when encryption is performed.
db2ldif -r removes the guardian file.
The audit log can fail to rotate as configured.
Access log rotation does not occur upon restart.
Some tombstone entries are not being purged.
Could not set referrals for replica errors.
Unable to release IDs on the consumer after the link is down for more than 5 minutes.
VLV search based on empty container returns err=1.
Memory leak in search on suffix containing referral subsuffix.
Adding entry with "*" chars in DN field incur full scan of tombstones.
repldisc does not properly work with multiple instances on the same host.
A modify or delete of more than five values deletes all values.
Crash when removing a RUV when using multiple Solaris 9 x86 masters.
DENY macro ACI applies to entries that should not be affected.
Log settings for minimum free disk space do not work as expected.
Directory Server stops responding when LDAP search with too many attributes is sent.
Search operation with "-" char in filter leads to failure.
Link loss longer than five minutes causes consumer not to sync after network recovery.
ADD not replicated, DEL cannot be replayed when using multi-master replication over SSL.
Expiration time unit does not take the right default value.
Schema deletions not propagated correctly.
Consumers hang when schema is pushed over replication.
Transaction logs are not always deleted.
Special DN with ; and , crashes Directory Server.
Internal search causes Console to display warning.
Directory Server crashes when changelog trimming is enabled.
Master and consumer expand superior object class differently.
Slow import with complex DIT.
Directory Server crashes at startup in ACI code.
Crash occurs when reading the replication agreement.
Chaining downcasts DNs.
ACL does not work as expected if nested group is specified as groupdn.
Directory Server exits after 4 GB realloc().
Directory Server crashes during a specific search when adding a subsuffix.
Crash at startup when nsslapd-binary-mode is set.
Unexpected password is expiring on consumer in %d seconds message reported.
Inconsistency in replicated data between master and consumer.
Multiple password changes can lead to clear-text password.
Directory Server connection is unexpectedly down.
Crash when checking access control during modify operation.
Crash on consumer during schema replication if legacy replication is enabled.
Updates to the retro changelog lost on master.
Excess warning messages about replay of operation already seen.
Race condition occurs when closing connections.
Online index task request and simultaneous access control search leads to hang.
Index corruption with very large number of matches.
Memory leak in individual password policies.
Crash in replication when difference between system clock is greater than 24 hours.
Data inconsistency after restarting masters under load.
Crash when shutting down server as changelog is being trimmed.
Huge memory leak topology using old protocol with mixed versions.
Crash with DSML PDU larger than 2 KB.
Need a tool to check database integrity.
fildif cannot handle files larger than 2GB.
Replication halts and restarts with send update now.
Clean RUV task does not remove RUV with read-only replica ID.
Deadlock between replica and connection locks.
Schema replication can miss changes.
Substring searches very slow.
mmldif delta files do not contain LDIF update statements.
Crash while processing modification with retro changelog plug-in turned on.
Memory leak when DN normalization fails.
db2ldif.pl -r can cause hang.
Adding and deleting an attribute in a single modify operation is not replicated correctly.
Crash if resource limit for number of file descriptors is dynamically increased.
Performance problems when doing searches with the en-US collation rule.
Exit when allocating 4 GB to handle access control for a group member.
Checkpoint forced even when no updates are performed.
CoS does not take effect for entries in nested organization.
Error during the creation of subsuffix or clone under a search workload.
Deadlock in database while evaluating the ACLs during a modify operation.
Replication may be slow to restart after a network outage.
A consumer does not detect there is pending operation and when closing an idle replication connection.
Modification lost when using ldapmodify.
Performance issue when deleting non existent attribute.
Deleting multivalued attributes results in high etime.
Adding and deleting the same entry on replica can lead to replication issues.
Performance degradation when purging tombstones in multi master environment.
Deletion operation is not flagged as dependent on a previous modification.
Retro Changelog plug-in fails to record changes if regular replication is disabled.
Duplicate unique IDs can be generated.
Allow administrators to reset passwords.
Cannot stop or use master after total update fails when using multi master replication over SSL.
Add the return code for errors that could not be logged in the changelog.
Hub not replicating due to bad hub replica ID, 65535, in hub RUV.
Lack of disk space causes looping in db2bak internal task.
ACI returns incorrect results when fix is applied.
Bad server side sort performance when data contains many identical values.
passwordRetryCount does not get incremented when passwordResetFailureCount is set to 0.
Performance degradation in substring searches.
Memory leak with virtual attributes.
Searches for subtype attributes does not work correctly with nsslapd-search-tune enabled.
Restart of a fractional consumer breaks replication with configuration error.
Crash within SASL bind check.
Hang when replication agreement is initialized from another master.
Infrequent updates on standby replica can cause replication to stop for prolonged periods.
Crash when referential integrity log file is truncated.
Hang when an error occurs during error log rotation.
No further adds possible after first empty replace operation on single-valued, replicated attribute.
Crash in replicated operation.
Log rotation does not work correctly after restart.
Generated CSN is not systematically higher than previous CSN.
Some CoS attributes not generated for entries under nested organizations.
Classic CoS under nested organization does not work as configured.
Bad default value for nsslapd-maxbersize.
Tools needed to monitor completeness, status, and availability of servers in large, multi master deployments.
Schema checking on hubs should be enabled by default.
Invalid values are accepted for minimum password length in individual password policies.
LDIF containing encrypted attribute values corrupts indexes during import.
ldif2db has been seen to hang.
Deadlock between tombstone purging thread and access control plug-in.
On Windows systems, DSML request fails when instance path contains a space.
Crash when adding VLV index with incorrect vlvFilter.
Remote denial of service attack possible with large memory allocation.
Partial replication can break when several suppliers are configured for changelog trimming.
Merge during ldif2db skips keys due to incorrect continuation block prefix.
Memory leak when index contains a continuation block.
The mmldif command should support huge files.
Individual password policy specifies plain text, but password in new entry is replicated in encrypted form.
CoS attribute not found on entries after online initialization.
Memory leak in ACI group member evaluation.
When nsslapd-db-transaction-batch-val is set, transaction flush fails to enforce the limit.
Import can corrupt state of entries having userPassword attributes.
Incorrect page size computation creates indexes with many overflow pages after a reindexing operation.
Substring performance requires improvement.
Entries can be skipped while importing an LDIF file generated with db2ldif.pl -r.
ioblocktimeout not always enforced when writing result over secure connection.
Potential crash when renaming corrupted child entry.
Memory leak when handling password histories.
Zero allocation error when retro changelog and TMR plug-in is enabled.
Memory leak during LDAP write operations upon failure to update a matching rule index.
Operational attribute entrydn added before the entry is cached.
VLV searches leak memory.
Restore fails following binary copy when CN attribute does not match case.
Memory leak in decryption code.
Retro changelog plug-in should be executed for selected backends.
Performance issues when searching for tombstone entries.
No feedback from import during delay processing large entries.
Allow more database configuration attributes to be set over LDAP.
Provide a changelog purge vector over LDAP.
Allow a grace login period after passwords expire.
Allow complete replication configuration and management on the command line.
Enable support for libwrap.
Set default changelog maximum age to seven days.
Provide frozen mode to allow file system snapshot backups.
Make it possible to import additional entries without initialization.
Incorrect error message when exporting a subtree with db2ldif -s.
Modify performance degrades until all entries are modified.
Backend instances called default do not work.
Allow account validation through an LDAP bind without the user password.
Adding entries with object class nsTombstone can cause replication to fail.
Support required for SASL/GSS encryption.
Make the SNMP agent work with the native operating system agents.
Stopping Directory Server is sometimes slow during poll for results in a replication session.
Need a way or a tool to monitor progress during recovery after a crash.
More control needed over cache sizes.
Changelog database and other databases do not shrink even after data is removed.
Role fails to work on consumer after online initialization.
Allow disabling of anonymous binds.
Need an attribute that shows the groups to which an entry belongs.
Crash on startup with message trying to allocate 0 or a negative number of bytes.
Add port number in access log when a client connection is created.
Need a non-intrusive way to count the number of active persistent searches.
Document plug-in execution order.
Avoid traversing nscpentrydn index when purging tombstones.
Log an error when using connection based access control and the client list is not specified.
Remove the time bomb.
Display connection number under cn=monitor in same format as access log.
Support a plug-in for password syntax checking.
changeNumber is not indexed by default.
Maximum connection backlog queue incorrectly hard coded as 128.
Crash while enabling replication.
The following bugs were found during the beta program, and subsequently fixed.
A disorderly shutdown was detected when memory allocation failed.
Output from the idsync command is misleading.
Error when using an option to create a replication agreement on the command line.
Memory allocation issue leads to no more space message.
Setting the directory administrator password on the command line is confusing.
Password reset and password lockout interact incorrectly.
Result code is misleading for a bind where the password must be reset.
Log rotation subcommand name is not clear.
Command line tools should use the --D bind-dn option to specify the administrator.
Command line usage should always list global options.
Output after starting replication on the command line is misleading.
Allow binary copy from a master replica to a dedicated consumer.
Make subcommands for replication configuration easier to understand.
Some subcommands names are misleading.
Password lockout not working properly after a number of failed attempts.
Fix syntax validation property online help.
Make unit sizes consistent when setting configuration property values.
Error in option when listing indexes from the command line.
Import through dsconf fails.
Issues arise when configuring replication using the command line.
Directory Service Control Center page to configure server groups leads to JSP not found error.
Adding approximate and substring indexes causes equality indexes to stop working.
The dsee_deploy command should work with install directory names only one character in length.
The uid attribute is not displayed correctly in the Entry Overview tab of DSCC for POSIX users.
Changing nsslapd-infolog-area does not change errors log contents.
Allow DSCC to create a server instance running as nobody.
Allow changes to client control settings in the Directory Server Configuration tab of DSCC.
Installation should not remove existing Java version.
Allow DSCC to delete replication agreements.
Clarify how to change the password with ldapmodify when pwdSafeModify is on.
Allow DSCC to register existing server instances.
Allow DSCC to edit a server location.
The path for the tool to register DSCC with Sun Java Web Console is not valid in the online help.
With a presence index configured, searches still appear unindexed in the access log.
Allow DSCC to work properly when creating servers on Solaris zones.
Fix errors after configuring a suffix through DSCC.
After a delete operation, the DSCC window does not close.
Deleting an index type leads to an Error null message.
Fix server instance registration issue that occurs when a DSCC session times out.
This section lists known problems and limitations at the time of release.
This section lists product limitations. Limitations are not always associated with a change request number.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.
To workaround this limitation, install products as a user having appropriate user and group permissions.
Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replication the cn=changelog suffix.
Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.
When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.
To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.
When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.
An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.
The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.
To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.
This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.
To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.
After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.
To work around this issue when installing from native packages, use the cacaoadm enable command as root.
Directory Server now updates the pwdChangedTime operational attribute whenever a password is modified. As this attribute is updated even before you enable password expiration, old passwords expire immediately when you enable password expiration.
An additional condition can cause immediate expiration when you run Directory Server in version 5 password policy mode. If you enabled password expiration in the past, and then turned expiration off, Directory Server still has timestamps on passwordExpirationTime operational attributes. Therefore, when you enable password expiration again, passwords with old passwordExpirationTime operational attributes can expire immediately.
You can give users grace logins to change their password with pwdGraceAuthNLimit. Alternatively, when running Directory Server in version 5 compatible mode for password policy, you can configure Directory Server to warn users before their passwords expire. Set passwordExpireWithoutWarning to off. Also, set passwordWarning appropriately.
The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.
A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.
This section lists known issues. Known issues are associated with a change request number.
Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.
When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.
LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
The pwdChangedTime attribute and usePwdChangedTime attribute are defined in Directory Server 5 2004Q2, 2005Q4, and the current version. These attributes are not defined in earlier versions. When an entry is defined with password expiration in a version where these attributes are defined, the entry contains the pwdChangedTime attribute and usePwdChangedTime attribute. When that entry is replicated to a supplier that runs an earlier version, the supplier cannot process any modifications to that entry. A schema violation error occurs because the supplier does not have the pwdChangedTime attribute in its schema.
usePwdChangedTime is no longer used. Instead, the operational attribute pwdChangedTime is updated whenever the password is modified.
To work around this issue, define the pwdChangedTime attribute and usePwdChangedTime attribute in the 00core.ldif file. You must define these attributes for all servers in the replication topology that run a version that does not define these attributes. The attribute type definitions are as follows.
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'Directory Server defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-DS-USE 'internal' X-ORIGIN 'Sun Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.597 NAME 'usePwdChangedTime' DESC 'Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-DS-USE 'internal' X-ORIGIN 'Sun Directory Server' )
Do not migrate new servers to the new password policy while older servers are still present in the replication topology.
Demoting a replica to be a dedicated, read-only consumer, then promoting the server again can break replication.
If you use a zero-length password to bind to a directory, your bind is an anonymous bind. This bind is not a simple bind. Third party applications that authenticate users by performing a test bind might exhibit a security hole if such applications are not aware of this behavior.
Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.
When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.
To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.
Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.
When installing software from the zip distribution, do not use the -N (--no-cacao) option if you intend subsequently to manage servers with Directory Service Control Center. The Common Agent Container cannot be installed separately later.
The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.
To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.
Export the certificate to a file.
The following example shows how to perform the export for servers in /local/supplier and /local/consumer.
$ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert |
Exchange the client and supplier certificates.
The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.
$ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt |
Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.
Add the replication manager DN on the consumer.
$ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN |
Update the rules in /local/consumer/alias/certmap.conf.
Restart both servers with the dsadm start command.
Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.
An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.
Directory Server instances with multibyte names can not be registered in Directory Service Control Center.
To work around this issue, configure the Common Agent Container as follows.
# cacaoadm stop # cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" # cacaoadm start |
Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.
dn:o=mary\"red\"doe,o=example.com changetype:modify add:aci aci:(target="ldap:///o=mary\"red\"doe,o=example.com") (targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)
dn:o=Example Company\, Inc.,dc=example,dc=com changetype:modify add:aci aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com") (targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)
Examples with more than one comma that has been escaped have been observed to parse correctly, however.
The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.
When running server management commands in the French locale, some messages displayed by the commands are missing apostrophes.
Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.
SASL authentication has been seen to fail on Windows systems when SASL encryption is used.
Directory Service Control Center fails to generate a self-signed certificate when you specify the country.
Directory Service Control Center does not properly display userCertificate binary values.
The configuration attribute name, passwordRootdnMayBypassModsCheck, does not reflect that the server now allows any administrator to bypass password syntax checking when modifying another user's password when the attribute is set.
Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.
The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.
On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.
To work around this issue, change the LDIF file name so that it does not contain double-byte characters.
When using a browser running in Chinese, Japanese, or Korean locales, logs generated by Directory Service Control Center when creating a server instance contain garbage.
To work around this issue perform the following commands on the Common Agent Container where the new server instance is to be created.
cocaoadm stop cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" cacaoadm start |
The dsadm enable-service command does not work correctly with Sun Cluster.
When using a browser running in the French locale, duplicate apostrophes appear in Directory Service Control Center.
The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.
The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.
Unless you start Directory Server at least once, the dsadm enable-service fails to restart Directory Server upon system reboot.
Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.
To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.
After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.
To work around this issue, change the permissions on the installations and server instance folders.
The dsadm autostart command fails when multiple instances are specified, and the command fails for one of the instances.
The dsadm autostart command does not support white space in the instance file name.
The dsmig command has been seen not to migrate values for some configuration attributes that are not identified in the upgrade and migration documentation.
The following configuration attributes are concerned:
nsslapd-db-durable-transaction
nsslapd-db-replication-batch-val
nsslapd-disk-low-threshold
nsslapd-disk-full-threshold
After a total update on master replica bearing significant write load, in some cases the generation ID for the master having undergone total update is not set properly. As a result, replication fails.
When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.
To work around this issue, use a different browser such as Mozilla web browser.
After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.
After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.
On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.
Directory Server does not properly handle Chinese multibyte character in strings for database names, file names, and path names.
To work around this issue when creating a Directory Server suffix having Chinese multibyte characters, specify a database name that has no multibyte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.
$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN |
Do not use the default database name for the suffix.
On Windows systems when Directory Server is enabled as a service, do not use the dsadm cert-pwd-prompt=on command.
The following replication error messages have been seen to persist on agreements with a consumer even after a total update is performed on the consumer.
Error sending replication updates. Error Message: Replication error updating replica: Unable to start a replication session : transient error - Failed to get supported proto. Error code 907. Operational Status Error sending updates to server host:port. Error: Replication error updating replica: Incremental update session abored : fatal error - Send extended op failed. Error code: 824.
To eliminate the messages, disable the replication agreement, and then enable the replication agreement.
When stopping multiple master replica under heavy load in a multi master replication configuration, the servers may take several minutes to stop.
After an import operation is performed on a master where read-write-mode is set to read-only, Directory Server fails to restart.
The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.
On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.
You must configure DSML before you can monitor DSML with Java ES Monitoring Framework.
When using a browser running in a Chinese locale, the More on Server Groups link in Directory Service Control Center is incorrect, leading to an application error page.
When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.
The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.
In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.
After installing from the zip distribution on Solaris and Red Hat systems, Directory Server does not appear through SNMP after the Common Agent Container, cacao, is restarted.
To work around this issue on Solaris systems, apply all recommended patches listed in Directory Server, Directory Proxy Server, and Directory Server Resource Kit Operating System Requirements.
Output of the entrycmp, fildif, insync, mmldif, and ns-accountstatus commands are not localized.
Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccreg commands is not localized.
After accessing Directory Service Control Center for the first time and registering a Directory Server instance, a warning and an exception are written to the Sun Java Web Console logs.
You can ignore safely ignore the warning, failed to retreive "server-pid" from command ouptut, and the exception. The exception output appears as follows.
StandardWrapperValve[wizardWindowServlet]: Servlet.service() for servlet wizardWindowServlet threw exception java.lang.IllegalStateException: Cannot forward after response has been committed
When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.
After manual reboot following installation on a Windows system with the Java ES installer, Directory Server is not running. However, Directory Server can appear to be running in the Task Manager. When this occurs, Directory Server cannot be restarted from the Task Manager.
To work around this issue, remove the process ID file from the logs folder.
The dsmig migrate-data -R -N command has been seen to fail when upgrading from Directory Server 5 2005Q1.
To work around failures in automatic data migration, migrate the data manually as described in Chapter 3, Migrating Directory Server Manually, in Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide.
On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.
When accessing Directory Service Control Center through Internet Explorer 6, saving index configuration changes for a suffix causes a null error to appear. The progress window for the operation appears to freeze.
To work around this issue, access Directory Service Control Center through a different browser, such as a Mozilla-based browser.
When you edit a directory entry through Directory Service Control Center, if the entry is simultaneously changed by some other method, refreshing the display does not show the changes.
Directory Service Control Center has been seen to show incorrect status for the User-Changeable field of Global Password Policy, pwd-user-change-enabled.
To work around this issue, use the dsconf(1M) command to read the pwd-user-change-enabled server property.
$ dsconf get-server-prop -w /tmp/ds.pwd pwd-user-change-enabled pwd-user-change-enabled : off |
When upgrading from Directory Server 5.2, if you have a certificate database that contains no trusted certificates, the dsmig migrate-config command fails. This problem can occur when you have created a certificate database, but never used the database, nor set up SSL.
To work around this issue, follow these steps.
Remove the new, empty Directory Server 6 instance.
Rename the ServerRoot/alias/slapd-serverID-cert8.db and ServerRoot/alias/slapd-serverID-key3.db files that the Directory Server 5.2 instance uses.
$ cd ServerRoot/alias $ mv slapd-serverID-cert8.db slapd-serverID-cert8.db.old $ mv slapd-serverID-key3.db slapd-serverID-key3.db.old |
Perform the upgrade and migration process again.
On HP-UX systems, Directory Service Control Center has been seen to show a null pointer exception error message when starting and stopping a Directory Server instance. The error affects Directory Service Control Center, not the Directory Server instance.
When migrating a Directory Server configuration, the dsmig migrate-config command fails if the -R option is used but not all suffixes in the existing configuration are replicated.
To work around this issue, perform the following steps.
Stop the old server.
In the old server instance, dse.ldif configuration file entry with DN cn=changelog5,cn=config comment out the following attributes using hash marks, #.
#nsslapd-changelogmaxage: ... #nsslapd-changelogmaxentries: ...
Make a note of the values for these attributes.
Migrate the server configuration using the dsmig migrate-config command.
On the new server instance, for every suffix that has a configuration entry with DN of the form cn=replica,cn=suffix-dn,cn=mapping tree,cn=config, run the following commands.
$ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-age:old-value |
Here old-value means the value of nsslapd-changelogmaxage in the old server instance.
$ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-entry-count:old-value/nbr-suffixes |
Here old-value means the value of nsslapd-changelogmaxentries in the old server instance. nbr-suffixes is the total number of replicated suffixes.
Directory Server does not allow you to enable password quality checking alone without at least one other password policy feature.
To work around this issue, enable at least one additional password policy feature when you enable password quality checking. The following example enables password quality checking, and also enforces a minimum age before the password is changed.
$ dsconf set-server-prop pwd-check-enabled:on pwd-min-age:1h |