These release notes contain important information available at the time of the release of iPlanet Directory Server 5.0. New features and enhancements, known limitations, and other late-breaking issues are addressed here. Read this document before you begin using iPlanet Directory Server 5.0.
An electronic version of these release notes can be found at the iPlanet documentation web site: http://docs.iplanet.com/docs/manuals/directory.html. Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.
These release notes contain the following sections:
For information on hardware and software requirements, refer to the iPlanet Directory Server Installation Guide.
iPlanet Directory Server 5.0 can be downloaded from:
iPlanet Directory Server 5.0 contains the following new features and enhancements:
Due to architectural changes in iPlanet Directory Server 5.0, some features that were previously available are no longer included. These are:
Note also that the plug-in API is currently an unsupported feature of iPlanet Directory Server 5.0. Please refer to our Directory Server 5.0 plug-in support FAQ at http://developer.iplanet.com/tech/directory/ for further information surrounding this issue. If you need to create custom plug-in functions you should contact the iPlanet Professional Services organization. For information, go to: http://www.iplanet.com/services/pro_serv/index.html
iPlanet Directory Server 5.0 is supported on the following platforms:
For information on the availability of iPlanet Directory Server 5.0 on the Compaq Tru64 operating system, contact your Compaq representative.
iPlanet Directory Server 5.0 is not supported on any version of Linux or OpenVMS.
This release of iPlanet Directory Server requires specific operating system patches or service packs to be installed before iPlanet Directory Server can be installed. For further information, refer to the iPlanet Directory Server Installation Guide.
iPlanet Directory Server 5.0 includes fixes to the following known problems that occurred in earlier releases of iPlanet Directory Server 4.x:
This section lists known limitations present for iPlanet Directory Server 5.0 and their workarounds. The areas with known limitations are as follows:
When installing Directory Server, the name of the file system directory where you install files must not contain any space characters.
If your suffix contains space characters, then you need to correct the suffix generated at installation time by the setup command to remove the spaces.
To correct the suffix using the console, select the top directory entry in the left-hand navigation pane of the Servers and Applications tab, edit the suffix in the User directory subtree field and click OK to save the changes.
If you already have a Directory Server 4.x and you want to install an iPlanet Directory Server 5.0 instance, install your iPlanet Directory Server 5.0 in a separate directory. Migrate your 4.x directory data into your 5.0 directory and when you are satisfied with the result of the migration, remove your 4.x Directory Server.
If you are installing on a Windows NT system that has newer DLL files than those supplied on the iPlanet Directory Server 5.0 CD, do not overwrite the newer DLL files with the versions on the iPlanet Directory Server 5.0 disc.
For example, this situation can occur if you are running the latest Windows NT Service Pack: in that case the Service Pack contains newer versions of the C and C++ runtime DLLs, MSVCRT.DLL and MSVCIRT.DLL, than those on the disc.
When entering Distinguished Names for typical, silent, and express installation use UTF-8 character set encoding. Older encodings such as ISO-8859-1 are not supported. Installation operations will not convert data from local character set encoding to UTF-8 character set encoding.
The LDIF files you use for import operations must use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding.
During installation, setup detects a default host and domain name. However, if your NIS domain is different from your DNS domain, the fully qualified host and domain name presented by the installer is incorrect. These values must be corrected to use the DNS domain name.
The configuration Directory Server containing o=NetscapeRoot holds the configuration data for your deployment and should therefore not be uninstalled before the Directory Servers that depend on it. It is the first Directory Server you install, and we strongly recommend that it be the last one you uninstall.
Using stdin and stdout on NT with the ldapmodify command-line utility has proved troublesome, particularly with non-ASCII data. It is therefore strongly recommended that you always use the -f argument to specify the file containing the LDIF update statements, for example -f new_file, as this prevents the statements from being read from stdin.
To ensure that an attacker holding a certificate issued by a public CA cannot use that certificate to impersonate a directory server, the certificate databases of LDAP clients, and of directory servers establishing outgoing SSL connections for replication or chaining, must contain only the certificate of the non-public CA that issued the certificates of the servers to be contacted. All other CA certificates, that is, the certificates of public CAs, must be removed from the LDAP client's or directory server's certificate database.
Deployments that are not subject to active attacks, or that use additional security mechanisms (such as a VPN when connections traverse the Internet), are not required to use a non-public Certification Authority to obtain a server certificate.
Since the server does not enforce read-only permissions on the certificate database files, key database files and PIN files of SSL-enabled servers, check that the file modes on UNIX, or the ACLs on NT, protect the sensitive information contained in these files.
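The two checks above (only the private CA trusted in the certificate database, and strict file modes on the NSS database and PIN files) can be audited with a short script. The following is an added example, not code from the release notes or from iPlanet; the certutil-style listing is constructed, and the NSS file names and the pin.txt name are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample in the layout "certutil -L" prints: nickname, then trust
# flags for SSL,S/MIME,JAR/XPI. A "C" in the SSL column means "trusted CA".
SAMPLE_CERT_LISTING = """\
Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

Corp Internal CA                                 CT,C,C
Example Public Root CA                           CT,C,C
Server-Cert                                      u,u,u
"""


def trusted_cas(listing):
    """Return nicknames trusted as CAs for SSL (flag 'C' in the SSL column)."""
    cas = []
    for line in listing.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or "," not in parts[1]:
            continue  # header, blank, or a line without trust flags
        nickname, flags = parts
        if "C" in flags.split(",")[0]:
            cas.append(nickname.strip())
    return cas


def unexpected_cas(listing, private_ca):
    """CA certificates other than the private CA that issued the server certs."""
    return [ca for ca in trusted_cas(listing) if ca != private_ca]


def insecure_files(config_dir, expected_uid=None):
    """Report sensitive NSS files (names assumed) that are group/other
    accessible or owned by someone other than the server account."""
    problems = []
    for name in ("cert7.db", "key3.db", "secmod.db", "pin.txt"):
        path = os.path.join(config_dir, name)
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((name, "mode %o allows group/other access"
                             % stat.S_IMODE(st.st_mode)))
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append((name, "owned by uid %d" % st.st_uid))
    return problems


def demo():
    """Build a throwaway config directory with one lax key database and audit it."""
    d = tempfile.mkdtemp()
    for name, mode in (("cert7.db", 0o600), ("key3.db", 0o644)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return insecure_files(d, os.getuid())
```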
If you map a certificate to a distinguished name under cn=config or cn=monitor bind attempts will fail. Map your certificate to an entry located elsewhere in the directory information tree.
To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but omit the targetattr keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=sun.com, you would add the following ACI:
aci: (target="ldap:///cn=*,ou=people,o=sun.com")
(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
deny(write)
groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)
iPlanet Administration Server is a lightweight version of iPlanet Web Server 4.1. A security vulnerability has recently been identified in iPlanet Web Server 4.1 which could potentially affect your server's installation security. The workaround for this security vulnerability is to install a patch which can be downloaded from:
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16b.html
To install the patch, choose the platform-specific file you require, extract the content of the file in a separate directory and follow the instructions in the README file.
You will need to modify the obj.conf file which is located in the [server-root]/admin-serv/config directory.
Note
If you modify the nsActiveChainingComponents attribute of the chaining database configuration entry, the server must be restarted for the changes to take effect. For example, if you modify the nsActiveChainingComponents attribute to prevent the ACI plug-in from chaining and do not restart the server, the plug-in will still be chained, potentially creating a security hole.
If chaining is configured between a 5.0 multiplexor and a 4.12 farm server it is necessary to add the nsuniqueid attribute to the farm server schema. If this attribute is not added to the 4.1x Directory Server schema, the 5.0 multiplexor will not find the entry it expects and chaining will fail. To add the attribute type to the 4.1x schema add the following line to the 4.12 farm server slapd-user_at.conf file under /usr/netscape/server4/slapd-serverID/config:
attribute nsuniqueid nsuniqueid 2.16.840.1.113730.3.1.542 int single operational
If the first farm server fails while a failover server is in use for database chaining, a client that tries to read information through the multiplexor receives an operations error. The multiplexor does not process this operations error, which prevents the next failover farm server from being contacted, and as a result the chaining operation fails. However, if you retry the exact same operation, chaining succeeds.
Support for wide area network (WAN) deployments is slated for a future release of iPlanet Directory Server.
The console supports smart referrals only when the DN in the referral matches the DN of the entry containing the referral. For example, if you set the smart referral ldap://host/dn2 on the entry of dn1, the console only works if dn2 and dn1 are identical.
If the DNs are not the same, you may see a recursive display or a blank screen in the console.
As the UID Uniqueness plug-in is in fact one instance of the Attribute Uniqueness plug-in, you should not be able to add attribute names other than UID to the UID uniqueness plug-in using the console. Entering attribute names other than UID using the console causes Directory Server to behave in unexpected ways. If you want to ensure attribute uniqueness for additional attributes, you should create a new instance of the Attribute Uniqueness plug-in for each additional attribute. For more information see Chapter 17, "Using the Attribute Uniqueness Plug-in" in the iPlanet Directory Server Administrator's Guide.
Trailing spaces are not preserved during a remote console import operation but are preserved during both local console or ldif2db import operations.
A Directory Server instance created using the console may be generated with a time zone that differs from that of your existing servers. To synchronize it with the existing time zones (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see Chapter 7, "Command-Line Scripts" in the iPlanet Directory Server Configuration, Command, and File Reference.
On UNIX systems you will need to write an rc script to start the slapd process, as it does not start automatically when the system boots.
Do not stop the server during export, backup, restore, or index creation, as it can cause the server to crash. However, you can stop the server during an import without causing any problems.
On Windows NT and AIX platforms, do not set "Memory available for Cache" in the Database Settings Tab to a value greater than 1073741824 bytes (1GB). (Bug 520693)
AIX applications have a rather restrictive memory model. The AIX ns-slapd executable was created with a value of maxdata=0x50000000 to permit both the entry cache size (nsslapd-cachesize attribute) and database cachesize (nsslapd-dbcachesize attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size but lowers the maximum database cachesize by the same amount, and vice-versa. Contact your iPlanet support representative if you want to adjust the maxdata value.
The Referential Integrity plug-in should only be enabled on one master replica in a multi-master replication environment, to avoid conflict resolution loops. When enabling the Referential Integrity plug-in on servers issuing chaining requests, be sure to analyze your performance, resource and time needs as well as your integrity needs. Note that integrity checks can be time consuming and can drain memory and CPU.
For more information on the UID Uniqueness plug-in and replication, see Chapter 17, "Using the Attribute Uniqueness Plug-in" in the iPlanet Directory Server Administrator's Guide.
When you delete a role in Directory Server, the role entry is deleted but the nsRoleDN attribute for each member is not updated. If you want to delete the nsRoleDN attribute from each role member you will have to do so manually. Alternatively, you can configure the Referential Integrity Plug-in to manage the nsRoleDN attribute, remembering to enable the plug-in if it is not enabled. For information on how to configure the Referential Integrity Plug-in see Chapter 2, "Creating Directory Entries" in the iPlanet Directory Server Administrator's Guide.
Given that the behavior for negative CoS template priority values is not defined in Directory Server, do not enter negative values. Note that Indirect CoS does not support cosPriority.
To display the iPlanet Directory Server Administrator's Guide:
file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm
To display the iPlanet Directory Server Configuration, Command, and File Reference:
file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm
To display the iPlanet Directory Server Deployment Guide :
file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm
Note that these URLs assume that you have installed your directory server in the default installation directory /usr/iplanet/servers. If you have installed your server in a different location, adapt these URLs as appropriate.
Client IP address authorized on the Administration Server. The machine running iPlanet Directory Server Console needs access to the Administration Server. To configure the Administration Server to accept the client machine's IP address, do the following in the Administration Server:
Chapter 6, "Managing Access Control" of the iPlanet Directory Server Administrator's Guide states incorrectly that ROLEDN is a supported bindType for using the userattr keyword. The only currently valid bindTypes are USERDN, GROUPDN, and LDAPURL.
In Table 5-1 on page 183 of Chapter 5, "Migration from Earlier Versions" of the iPlanet Directory Server Configuration, Command, and File Reference the attributes nsslapd-accesslog-maxlogdiskspace and nsslapd-auditlog-maxlogdiskspace should read nsslapd-accesslog-logmaxdiskspace and nsslapd-auditlog-logmaxdiskspace.
This restriction is due to a PA-RISC hardware limitation that prevents memory-mapped files from crossing quadrant boundaries.
Some of the examples in Chapter 6, "Managing Access Control" of the iPlanet Directory Server Administrator's Guide are wrong. The examples that do not include the targetattr keyword and assume that all attributes of the target entries are also targeted by the ACI are wrong. The reason is that if the targetattr keyword is not stated explicitly, by default, access to all attributes is denied. If you want to grant access to all attributes, you must include the expression targetattr="*" in your ACI.
In order to execute the command-line utilities and Perl scripts, you must change directory to the directory where they are stored. Although it is possible to set command path and library path variables to execute the utilities and scripts, this is not the recommended procedure: particularly when you have more than one server version installed, you run the risk not only of disrupting the correct execution of other commands, utilities and scripts, but also of compromising the security of the system.
Although you cannot read the logs using Directory Server Console if the server is not running, you can read them using the Administration Server Console. From your browser, type in http://your_hostname:administration_server_port_number. At the login prompt, use the admin login and click on the link for Netscape Administration Express.
If you are running iPlanet Directory Server 5.0 on a Solaris 2.6 machine, install patch 107738, release number 08 (107738-08) on your Solaris machine to avoid receiving the following error message when using ldapsearch, ldapmodify, or ldapdelete:
unable to retrieve LDAP library version information; this program
requires an LDAP library that implements revision 2004 or greater
of the LDAP API.
You can obtain patches from http://sunsolve.Sun.COM
For general information on iPlanet Directory Server 5.0, you can refer to:
If you have any questions or issues to raise regarding iPlanet Directory Server 5.0, subscribe to the following newsgroup:
When subscribing to the newsgroup, which is hosted on secnews.netscape.com, specify 563 as the port number in addition to selecting secure connections.
If you experience problems with iPlanet Directory Server 5.0, refer to iPlanet Technical Support:
Useful iPlanet information can be found at the following Internet locations:
===================================================================
Copyright (c) 1989 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
This product includes software developed by the University of California, Berkeley and its contributors.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
========================================================================
Copyright (C) 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
========================================================================
This product contains the following software derived from RSA Data Security, Inc.
========================================================================
The source code to the Standard Version of Perl can be obtained from CPAN sites, including http://www.perl.com/.
========================================================================
This product incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code; the original compression sources are freely available from:
ftp://ftp.cdrom.com/pub/infozip/