Release Notes for iPlanet Directory Server 5.0 Service Pack 2
Updated March 22, 2002
These release notes contain important information available at the time of the release of iPlanet Directory Server 5.0 SP2. New features and enhancements, known limitations, and other late-breaking issues are addressed here. Read this document before you begin using iPlanet Directory Server 5.0 SP2.
An electronic version of these release notes can be found at the iPlanet documentation web site: http://docs.iplanet.com/docs/manuals/directory.html. Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.
These release notes contain the following sections:
For information on hardware and software requirements, refer to the iPlanet Directory Server Installation Guide.
iPlanet Directory Server 5.0 SP2 can be downloaded from:
http://www.iplanet.com/downloads/patches
What's New in iPlanet Directory Server 5.0
iPlanet Directory Server 5.0 contains the following new features and enhancements:
- A new and improved management console. Considerably reduces the effort involved in setting up and maintaining your directory service.
- Multi-master replication. Provides a highly available directory service for both read and write operations. Multi-master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment.
- Legacy consumer replication. Makes it possible to replicate from a Directory Server 4.x supplier to a Directory Server 5.0 consumer. Provides you with a smooth migration path for your directory service if you are running Netscape Directory 4.x servers in a replicated environment.
- Roles. Roles are a new concept in iPlanet Directory Server 5.0 based on virtual attributes. Roles serve as a dynamic and efficient grouping mechanism. Roles support Class of Service and can be used in defining access control.
- Class of Service. Provides an efficient way of sharing attributes between entries in a way that is transparent to client applications.
- Improved access control mechanism. The access control mechanism now supports macros, which dramatically reduce the number of access control statements and proportionally increase the speed of access control evaluation in the server. It can also grant or deny the right to add or delete specific attribute values, using the targattrfilter keyword.
- Distribution and chaining. Makes it possible to maintain a complete logical view of your DIT on a single Directory Server while storing your directory data on databases managed by other Directory Servers.
- Multiple databases. Allows you to partition your directory data into multiple data stores on disk, which improves manageability and supports Directory Server's new chaining features as well as enhanced replication features, including fast, online replication initialization.
Due to architectural changes in iPlanet Directory Server 5.0, some features that were previously available are no longer included. These are:
- NT Sync Service. You can no longer create NT accounts through the directory console. When you right-click an entry under the Directory tab in the directory console and select New > User to display the Create New User dialog box, you still see the option NT User. As the NT Sync Service is no longer available, the NT User you create remains an entry in the directory only. No new NT account is created.
- Database Back-end Plug-in Interface. The enhanced pre-operation interfaces may be used instead of the database back-end plug-in interface to implement plug-ins that are designed to provide access to alternative directory data stores.
Note also that the plug-in API is currently an unsupported feature of iPlanet Directory Server 5.0. Please refer to our Directory Server 5.0 plug-in support FAQ at http://developer.iplanet.com/tech/directory/ for further information surrounding this issue. If you need to create custom plug-in functions you should contact the iPlanet Professional Services organization. For information, go to: http://www.iplanet.com/services.
Supported Platforms for iPlanet Directory Server 5.0 SP2
iPlanet Directory Server 5.0 SP2 is supported on the following platforms:
- Sun Solaris 2.6 (UltraSPARC)
- Sun Solaris 8 (UltraSPARC, 32-bit and 64-bit)
- Microsoft Windows NT 4.0 Server (x86 only, Service Pack 6a)
- Microsoft Windows 2000 Server (Service Pack 2)
- Microsoft Windows 2000 Advanced Server (Service Pack 2)
- Hewlett Packard HP-UX 11.0 (PA-RISC 1.1 or 2.0)
- IBM AIX 4.3.3 (32-bit, PowerPC)
For information on the availability of iPlanet Directory Server 5.0 SP2 on the Compaq Tru64 operating system, contact your Compaq representative.
iPlanet Directory Server 5.0 SP2 is not supported on any version of Linux or OpenVMS.
On each operating environment, you must run the idsktune utility after installing the iPlanet Directory Server 5.0 SP2. Install the patches recommended by the idsktune utility. For further information, refer to the iPlanet Directory Server Installation Guide.
You can obtain Sun Solaris patches from:
- http://sunsolve.sun.com
Problems Corrected in iPlanet Directory Server 5.0 SP2
iPlanet Directory Server 5.0 SP2 includes fixes to the following known problems that occurred in earlier releases of iPlanet Directory Server 5.0 SP1/5.0/4.x:
- On database export, the path of the resulting export was not consistent (546287/4556568).
- Several replication issues have been fixed (561842/4536280, 561523/4536149).
- The operation was not propagated up to the consumer in replication (556770/4550044).
- When a changelog option was set too high and the rate of ADD/REMOVE/MODIFY/MODRDN was high, the error log could be plagued by messages like: "NSMMReplicationPlugin - libdb: Lock table is out of available locks" (559553/4546979).
- The -v argument of ns-slapd would not display anything (560336/4535858).
- Some servers could fall into a state resulting in error messages such as "Lock table is out of available locks" (561553/4536159).
- An LDAP request with undefined sort controls would crash the directory server (559792/4547063).
- If log rotation was turned on, some operations may never have been logged (560429/4535880).
- Installation could cause SIGSEGV (560041/4547147).
- Could not set preferences (560396/4547267).
- The printing of some characters was incorrect in the gateway (559959/4547115).
- Memory leak in MMR (560856/4535983).
- Incorrect value on deleting and adding a new value (550402/4539577).
- Plug-in caused confusion in the iPlanet Meta Directory 5.0 (4527156).
- Backup/restore mechanism did not work correctly (4525453).
- Tombstones were not deleted under certain conditions (4599246).
- Statement in filters was not working correctly (4525098).
- The Replica ID was not displayed correctly on Windows platforms (4589224).
- The process of finding the password attribute has been changed (4619976).
- Updating a consumer server in a replication environment from iDS 5.0 to iDS 5.0 SP1 broke replication (4533706).
- On Windows platforms, a test could abort the replication process by preventing the processing of some values for a given update (4616579).
- Illegal SNMP PDU caused the Master agent to fail - CERT Advisory CA-2002-03 (4532320).
- Subtyped attribute was not being stored in the directory as RFC 2256 mandates (4622371).
- Replication became out of synchronization and stopped (4617085).
- Password expiry was inconsistent (4532757).
- The ns-slapd process crashed during import (4623119).
- Connections were limited, under certain stress conditions, on Solaris (560859/4535985).
- The most recent version of idsktune was not shipped in iDS 5.0 SP1 (4623199).
- The server would return entries with deleted attributes but with no values (4627443).
- A security problem concerning the retro-changelog plugin has been fixed (4618824).
- Memory leak in the COS plugin has been fixed (4630124).
Problems Corrected in 5.0 Service Pack 1 (5.0 SP1)
- Problem displaying Chinese characters in console (550649).
- Memory leak of the DS server daemon when a persistent search operation failed (526719).
- The DS server daemon output a "LOGINFO: Unable to open..." warning in the error log when log files were not stored in the default directory. The fix requires DS 5.0 SP1 to be installed and the "nsslapd-localuser" attribute in the dse.ldif configuration file to be placed before any log file information attributes (546422).
- Users could bypass the password change policy by specifying the old password in the already hashed form. Now there is a check on this before accepting the modification (531748).
- The verification of roles contained a memory leak, which is fixed (549232).
- The LDAP compare operation did not work correctly when used with virtual attributes (542831).
- Performance degradation when SSL was enabled on the server and no SSL connections occurred (542456).
- At the initialization of replication, LDAP requests to the consumer directory may have shown entries that belonged to the non-replicated part of the supplier server directory (536886).
- Performance of operations on replicated sub-trees decreased as the number of deleted entries in the server increased (400635).
- Valid values for the replica ID of a master are 1 through 254. The replica ID for read-only replicas (hubs, consumers) was set to 255 regardless of prior setting (391370, 538813, 541150). See also the documentation section regarding the problem with a replica ID.
- The directory server may have crashed when an ill-formed attempt was made to modify the schema and no OID was specified with the attributeTypes attribute (556156).
- Potential crashes of iDS 5.0 under heavy schema modification stress have been solved (556244, 556260).
- In the internal callback search function, slapi_search_internal_callback(), if a search operation was not completed, the connection was not always properly closed. Now these scenarios are detected and the operation is marked as abandoned, so the backend next-entry function is called again and cleans things up (541439).
- On NT platforms, when using SSL connections, the ioblocktimeout value in slapd.conf was not used correctly. The result was that connections were not being closed when the ioblocktimeout normally should have closed them. With this fix, the ioblocktimeout value is now correctly used (when appropriate), specifically in the case of the Windows NT platform with SSL connections (533790).
- Denial of Service in iDS 4.x on NT - CERT advisory 2001-18 (538511).
- The server sometimes crashed because it would run out of memory for the thread stack of the replication thread used in on-line replica creation (ORC). More specifically, this happened if the consumer server being ORC-initialized already had an existing, deeply nested number of nodes, which would then be deleted by the supplier as part of the ORC process. This problem was fixed by redefining the thread stack size to accommodate deeper consumer server directory trees (536710).
- Consumer replica could crash with replication involving constant updates to supplier(s) if replica IDs were duplicates (541144, 541150).
- Bad description of different Asian languages (543311).
- Memory problem when loading iDSAME installation ldif - Slapd core dumps (543574).
- Online backup and restore did not work correctly (547364).
- Trying to install iDS 5.0 on a Chinese localized HPUX machine resulted in the following error: "ns-update: Invalid multibyte character." (551599).
- On a replicated tree, when you disabled the database and shut down the directory, it was impossible to restart it (551722).
- On a Japanese localized machine, using the console, an error message was displayed when requesting certificates (552699).
- SSL client authentication could deadlock the server (553195).
- When modifying schema on a replicated tree, one of the following error messages was displayed: "unable to replicate schema" or "unable to read local schema" (554161, 556677).
- Removing an attribute value did not fully remove it (554309).
- Syntax error in propedit.properties file (554923).
- Could not edit ACI on localized zh version of iDS 5.0 (555357).
- Modifying the schema using a malformed attributeTypes description crashed the server (556156).
- Modifying the config (object cn=config) on a multi-CPU machine could crash or hang the ns-slapd server (556260).
- Migration could sometimes log an unjustified error while migrating on HP-UX (556286).
- Concurrent read/write on cn=config deadlocked the ns-slapd server (556626).
- The nsslapd-attribute-name-exceptions attribute had no effect (556645).
- The following error sometimes occurred when doing database backup/recovery: "libdb: log_get: /export/transaction/supplier01/log.0000000458: No such file or directory" (556687).
- Using the command db2ldif with the "-r" flag sometimes produced a core file (556758).
- User was unable to authenticate with the Directory Server Gateway when the password had expired; a core file was generated in /dsgw/bin. The problem is solved (557016).
- Creating a hub test, some dummy entries caused an infinite loop in replication (557119).
- ldif2db hung when exporting files of more than 2GB (557237).
- When using multi-master replication, iDS 5.0 sometimes logged the error: "Replication Purge Error: NSMMReplicationPlugin - _delete_tombstone: unable to delete tombstone" (551211, 547601).
- The Retro Changelog plugin logged internal replication operations, causing bad interoperability with iMD5.0 (557233).
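The replica ID constraints stated in the list above (master IDs 1 through 254, read-only replicas given 255, and no duplicate IDs among masters of one suffix), as an added pre-flight check over exported replica configuration; this is not part of the release notes. It assumes the DS 5.x attribute names nsDS5ReplicaId and nsDS5ReplicaType (3 for a master, 2 for a read-only replica) on entries of objectClass nsDS5Replica, and the LDIF it checks is constructed.

```python
"""Pre-flight check of replica IDs in exported replication configuration.

Added example, not part of the release notes. Assumes the DS 5.x replica
configuration entries carry objectClass nsDS5Replica with the attributes
nsDS5ReplicaId and nsDS5ReplicaType (3 = master, 2 = read-only replica,
both assumptions). The LDIF below is constructed for the demonstration.
"""
import base64
from collections import defaultdict

MASTER_TYPE = "3"      # assumed nsDS5ReplicaType of a read-write (master) replica
READ_ONLY_TYPE = "2"   # assumed nsDS5ReplicaType of a hub or consumer
READ_ONLY_ID = 255     # the ID the notes say read-only replicas are given


def parse_ldif(text):
    """Return [(dn, {lowercase attr: [values]})] for each entry in LDIF text.

    Folded lines (leading space) are joined and base64 values ('::') decoded;
    comments and the version line are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(": "):        # "attr:: base64"
            value = base64.b64decode(value[2:]).decode("utf-8")
        else:
            value = value.lstrip()
        if name.lower() == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name.lower()].append(value)
    return entries


def check_replica_ids(configs):
    """configs maps a server label to that server's exported config LDIF.

    Returns a sorted list of findings (empty when every replica ID is valid):
    master IDs must lie in 1..254 and be unique per replicated suffix, and
    read-only replicas are expected to carry READ_ONLY_ID.
    """
    findings = []
    masters = defaultdict(list)           # (suffix, id) -> [servers]
    for server, text in configs.items():
        for dn, attrs in parse_ldif(text):
            classes = [c.lower() for c in attrs.get("objectclass", [])]
            if "nsds5replica" not in classes:
                continue
            suffix = (attrs.get("nsds5replicaroot") or [dn])[0]
            rtype = (attrs.get("nsds5replicatype") or [""])[0]
            raw_id = (attrs.get("nsds5replicaid") or [""])[0]
            try:
                rid = int(raw_id)
            except ValueError:
                findings.append(f"{server} {suffix}: replica ID {raw_id!r} is not an integer")
                continue
            if rtype == MASTER_TYPE:
                if not 1 <= rid <= 254:
                    findings.append(f"{server} {suffix}: master replica ID {rid} outside 1-254")
                masters[(suffix, rid)].append(server)
            elif rtype == READ_ONLY_TYPE:
                if rid != READ_ONLY_ID:
                    findings.append(f"{server} {suffix}: read-only replica ID {rid}, expected {READ_ONLY_ID}")
            else:
                findings.append(f"{server} {suffix}: unrecognised nsDS5ReplicaType {rtype!r}")
    for (suffix, rid), servers in masters.items():
        if len(servers) > 1:
            findings.append(f"{suffix}: master replica ID {rid} duplicated on {', '.join(sorted(servers))}")
    return sorted(findings)


# Constructed sample: two masters that share ID 1 (the second one base64
# encoded to exercise the parser) and a hub that was given ID 7 instead of 255.
SAMPLE_CONFIGS = {
    "master1": """dn: cn=replica,cn="o=example",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
nsDS5ReplicaRoot: o=example
nsDS5ReplicaId: 1
nsDS5ReplicaType: 3

""",
    "master2": """dn: cn=replica,cn="o=example",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
nsDS5ReplicaRoot: o=example
nsDS5ReplicaId:: MQ==
nsDS5ReplicaType: 3
""",
    "hub1": """dn: cn=replica,cn="o=example",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
nsDS5ReplicaRoot: o=example
nsDS5ReplicaId: 7
nsDS5ReplicaType: 2
""",
}

if __name__ == "__main__":
    for finding in check_replica_ids(SAMPLE_CONFIGS) or ["no replica ID problems found"]:
        print(finding)
```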
Problems Corrected in 5.0
- Could not start iPlanet Directory Server with multiple ACIs (388896).
- Search performance was severely degraded when binding as an authenticated user (420890).
- Incorrect bind to a consumer did not increment passwordretrycount attribute (354734).
- LDIF :< character not interpreted by ldif2db command-line script (82311).
- Password policy did not work in a replicated environment (256275).
- Could not set nsslapd-maxthreadsperconn attribute to 0 as described in the iPlanet Directory Server Administrator's Guide (355423).
Known Limitations
This section lists known limitations in iPlanet Directory Server 5.0 Service Pack 2 and their workarounds. The areas with known limitations are as follows:
Installation
Caution: We strongly recommend that no other iPlanet product (such as iPlanet Web Server) be installed into the same UNIX directory path as the iPlanet Directory Server product, as this may disable critical functionality required for the correct operation of the directory server.
In addition, on a Windows NT or Windows 2000 machine, the directory server should be installed independently of any other iPlanet product to avoid conflicts with DLLs.
- On performing an upgrade from iPlanet Directory Server 5.0 to iPlanet Directory Server 5.0 SP2 on UNIX, the administration port identifier will be changed. If restoration of the old administration port identifier value is required, the command admconfig can be used.
  The port identifier can be found in:
  <$IROOT>/admin-serv/config/adm.conf
  The following example changes the port number to 63333 and restarts the admin server. Note that the verbose level will be set to 5.
  % <$IROOT>/bin/admin/admconfig -server orange.iplanet.com:67891 -user chlee:password -verbose 5 -setPort 63333 -restart
- If you are running iPlanet Directory Server 5.0 on a 64-bit Sun Solaris 8 UltraSPARC machine, it will run as a 32-bit application.
- Do not use space characters in the file system directory name.
  When installing Directory Server, the name of the file system directory where you install files must not contain any space characters.
- Correct the configuration generated at installation time if your suffix contains space characters. (533837)
  If your suffix contains space characters, you need to correct the suffix generated at installation time by the setup command to remove the spaces.
  To correct the suffix using the console, select the top directory entry in the left-hand navigation pane of the Servers and Applications tab, edit the suffix in the User directory subtree field and click OK to save the changes.
- Do not install iPlanet Directory Server 5.0 on top of an existing 4.x Directory Server installation.
  If you already have a Directory Server 4.x and you want to install an iPlanet Directory Server 5.0 instance, install your iPlanet Directory Server 5.0 in a separate directory. Migrate your 4.x directory data into your 5.0 directory and, when you are satisfied with the result of the migration, remove your 4.x Directory Server.
- Always use the latest version of DLL files.
  If you are installing on a Windows NT system that has newer DLL files than those supplied on the iPlanet Directory Server 5.0 CD, do not overwrite the newer DLL files with the versions on the iPlanet Directory Server 5.0 disc.
  For example, this situation can occur if you are running the latest Windows NT Service Pack. Here, you will find your Windows NT Service Pack contains newer versions of the C and C++ runtime DLLs MSVCRT.DLL and MSVCIRT.DLL.
- Use UTF-8 character set encoding when entering Distinguished Names for typical, silent, and express installation. (523646)
  When entering Distinguished Names for typical, silent, and express installation, use UTF-8 character set encoding. Older encodings such as ISO-8859-1 are not supported. Installation operations will not convert data from local character set encoding to UTF-8 character set encoding.
- Use UTF-8 character set encoding in all LDIF files when importing.
  The LDIF files you use for import operations must use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding.
- Be aware of the DNS name resolution problem on systems using NIS. (409922)
  During installation, setup detects a default host and domain name. However, if your NIS domain is different from your DNS domain, the fully qualified host and domain name presented by the installer is incorrect. These values must be corrected to use the DNS domain name.
- Use either a SPARC v8+ or an UltraSPARC (SPARC v9) processor for iPlanet Directory Server 5.0. (530106)
  iPlanet Directory Server 5.0 requires the use of a SPARC v8+ or an UltraSPARC (SPARC v9) processor, as these processors include support for high performance and multiprocessor systems. Earlier SPARC processors are not supported.
Uninstallation
- You will not receive a warning before proceeding with the uninstallation of the Directory Server which contains your configuration information under the o=NetscapeRoot suffix.
  The configuration Directory Server containing o=NetscapeRoot contains the configuration data for your deployment, and should therefore not be uninstalled before dependent Directory Servers. It is the first Directory Server you install, and we strongly recommend that it be the last one you uninstall.
Migration
- The Directory Server 4.1, 4.11, and 4.12 access, audit and error log disk space and log size attributes are not automatically migrated to iPlanet Directory Server 5.0. (539466)
  The Directory Server 4.1, 4.11, and 4.12 attributes accesslog-maxlogdiskspace, accesslog-maxlogsize, auditlog-maxlogdiskspace, auditlog-maxlogsize, errorlog-maxlogdiskspace, and errorlog-maxlogsize are not automatically migrated to iPlanet Directory Server 5.0 and need to be migrated manually.
Windows NT / Windows 2000
- Avoid using stdin and stdout on NT with the ldapmodify command-line utility.
  Using stdin and stdout on NT with the ldapmodify command-line utility has proved troublesome, particularly with non-ASCII data. It is therefore strongly recommended that you always use the -f argument to specify the file containing the LDIF update statements, for example -f new_file, as this prevents the statements being read from stdin.
Security
- Deployments that use SSL for connection confidentiality across open networks that are subject to possible active attacks against the SSL connection should not use server certificates issued by one of the public Certification Authority (CA) organizations. (4615324)
  To ensure that an attacker with a certificate issued by a public CA cannot use that certificate to impersonate a directory server, the certificate databases of LDAP clients and of directory servers establishing outgoing SSL connections for replication or chaining must contain only the certificate of the non-public CA which issued the certificates to the servers which will be contacted. All other CA certificates of public CAs must be removed from the LDAP client or directory server's certificate database.
  Deployments that are not subject to active attacks, or deployments that use additional security mechanisms (such as a VPN when connections traverse the Internet), are not required to use a non-public Certification Authority to obtain a server certificate.
- On SSL-enabled servers, check that the file permissions on certificate database files, key database files, and PIN files protect the sensitive information they contain.
  Since the server does not enforce read-only permissions on SSL-enabled servers for certificate database files, key database files and PIN files, check that the file modes on UNIX or the ACLs on NT protect the sensitive information contained in these files.
- If you have enabled certificate-based authentication in the Directory Server, do not map your certificate to a distinguished name under cn=config or cn=monitor. (539475)
  If you map a certificate to a distinguished name under cn=config or cn=monitor, bind attempts will fail. Map your certificate to an entry located elsewhere in the directory information tree.
- On Windows NT and Windows 2000, a user on the console could shut down Directory Server. Care should be taken to restrict console access to computers running Directory Server.
- Access Control and the MODRDN operation. (541099)
  To explicitly deny MODRDN rights using ACIs, you must target the relevant entries but omit the targetattr keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=sun.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=sun.com, you would add the following ACI:
  aci: (target="ldap:///cn=*,ou=people,o=sun.com")
   (version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
   deny(write)
   groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=sun.com";)
- Security vulnerability in iPlanet Web Server (535057)
  iPlanet Administration Server is a lightweight version of iPlanet Web Server 4.1. A security vulnerability has recently been identified in iPlanet Web Server 4.1 which could potentially affect your server's installation security. The workaround for this security vulnerability is to install a patch which can be downloaded from:
  http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16b.html
  To install the patch, choose the platform-specific file you require, extract the content of the file in a separate directory and follow the instructions in the README file.
  Note: You will need to modify the obj.conf file, which is located in the [server-root]/admin-serv/config directory.
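The file-mode check from the item earlier in this section on certificate database, key database and PIN files, as an added example that is not part of the release notes; it assumes a UNIX host and illustrative file names (cert7.db, key3.db, slapd-pin.txt) under the instance's config directory, and the directory it audits is constructed for the demonstration.

```python
"""Audit the file modes of an SSL-enabled instance's credential files.

Added example, not part of the release notes. UNIX only. The file names
(cert7.db, key3.db, slapd-pin.txt) are illustrative: use the names your
instance actually has under its config directory.
"""
import os
import stat
import tempfile

# Any group or other bit exposes the file beyond the server's own user.
_UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO

# Illustrative names for the certificate database, key database and PIN file.
SSL_FILES = ("cert7.db", "key3.db", "slapd-pin.txt")


def audit_ssl_files(config_dir, names=SSL_FILES):
    """Return {name: [findings]}; an empty list means the file looks fine."""
    report = {}
    for name in names:
        path = os.path.join(config_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            # A missing PIN file is worth knowing about too: the server will
            # prompt at startup, or the path is simply wrong.
            report[name] = ["missing"]
            continue
        findings = []
        if stat.S_ISLNK(st.st_mode):
            # A symlink can point the server at a file with weaker modes.
            findings.append("symlink")
        mode = stat.S_IMODE(st.st_mode)
        if mode & _UNSAFE_BITS:
            findings.append("mode %o grants group/other access" % mode)
        report[name] = findings
    return report


def harden_ssl_files(config_dir, names=SSL_FILES):
    """Strip group/other bits from regular files; return the names changed."""
    changed = []
    for name in names:
        path = os.path.join(config_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & _UNSAFE_BITS:
            os.chmod(path, mode & ~_UNSAFE_BITS)
            changed.append(name)
    return changed


def make_sample_dir():
    """Constructed config directory: a world-readable certificate database,
    a correctly protected key database, and no PIN file at all."""
    d = tempfile.mkdtemp(prefix="slapd-config-")
    for name, mode in (("cert7.db", 0o644), ("key3.db", 0o600)):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real NSS database\n")
        os.chmod(path, mode)          # explicit, so the umask does not matter
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, findings in audit_ssl_files(sample).items():
        print(name, ", ".join(findings) or "ok")
    print("hardened:", harden_ssl_files(sample))
```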
Schema
- The schema provided with iPlanet Directory Server 5.0 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.
- The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.
- If you add more than 1000 attributes to a single object class, the server will display configuration errors and fail to start.
- Please note that the aci attribute is now an operational attribute, which means that it will not be returned in a search unless you explicitly request it.
Chaining
- A server restart is required if changing the components allowed to chain. (528617)
  If you modify the nsActiveChainingComponents attribute of the chaining database configuration entry, the server must be restarted for the changes to take effect. For example, if you modify the nsActiveChainingComponents attribute to prevent the ACI plug-in from chaining and do not restart the server, the plug-in will still be chained, potentially creating a security hole.
- If chaining is configured between a 5.0 multiplexor and a 4.1x farm server, add the nsuniqueid attribute to the 4.1x farm server schema.
  If chaining is configured between a 5.0 multiplexor and a 4.12 farm server, it is necessary to add the nsuniqueid attribute to the farm server schema. If this attribute is not added to the 4.1x Directory Server schema, the 5.0 multiplexor will not find the entry it expects and chaining will fail. To add the attribute type to the 4.1x schema, add the following line to the 4.12 farm server slapd-user_at.conf file under /usr/netscape/server4/slapd-serverID/config:
  attribute nsuniqueid nsuniqueid 2.16.840.1.113730.3.1.542 int single operational
- No explicit error message is sent to the user if an attempt to bind to a farm server during chaining fails because the password policy has expired. (527792)
- If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. (531750)
  Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error, which prevents the next failover farm server from being contacted, and as a result chaining fails. However, if you retry the same operation, chaining will succeed.
Replication
Directory Server Console
- If you think the information displayed in the console is inaccurate, remember to use both the global and contextual refresh facilities.
- Limitations to creating smart referrals using the UI. (490281)
  The console supports smart referrals only when the DN in the referral matches the DN of the entry containing the referral. For example, if you set the smart referral ldap://host/dn2 on the entry of dn1, the console only works if dn2 and dn1 are identical.
  If the DNs are not the same, you may see a recursive display or a blank screen in the console.
- Misleading and erroneous iPlanet Directory Server 5.0 behavior for the UID Uniqueness plug-in.
  As the UID Uniqueness plug-in is in fact one instance of the Attribute Uniqueness plug-in, you should not be able to add attribute names other than UID to the UID Uniqueness plug-in using the console. Entering attribute names other than UID using the console causes Directory Server to behave in unexpected ways. If you want to ensure attribute uniqueness for additional attributes, you should create a new instance of the Attribute Uniqueness plug-in for each additional attribute. For more information see Chapter 17, "Using the Attribute Uniqueness Plug-in" in the iPlanet Directory Server Administrator's Guide.
- If you change your Directory Manager credentials, you must exit Directory Server Console and restart it for the change to be taken into account and no error messages to be returned. (538549)
- You cannot run iPlanet Console on the remote display of Solaris 7 and Solaris 8 servers (applies to the IBM AIX platform only). (394393)
- Trailing spaces are dropped during a remote console import. (541314)
  Trailing spaces are not preserved during a remote console import operation but are preserved during both local console and ldif2db import operations.
- Creating a Directory Server instance using the console creates a server in a different time zone on HP and IBM AIX. (541615)
  To synchronize the different time zone generated when you create a Directory Server instance using the console with existing time zones (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see Chapter 7, "Command-Line Scripts" in the iPlanet Directory Server Configuration, Command, and File Reference.
Core Server
- The slapd process does not automatically start when the system boots. (531009)
  On UNIX systems you will need to write an rc script to start the slapd process, as it does not start automatically when the system boots.
- The server crashes if stopped during export, backup, restore, or index creation.
  Do not stop the server during export, backup, restore, or index creation, as it can cause the server to crash. However, you can stop the server during an import without causing any problems.
- You may encounter problems with your server crashing if you have insufficient memory and disk space available on the host computer. (401318)
- Huge entry cache on NT. (520693)
  On Windows NT and AIX platforms, do not set "Memory available for Cache" in the Database Settings tab to a value greater than 1073741824 bytes (1GB). (520693)
- AIX maxdata entry cache setting. (538796)
  AIX applications have a rather restrictive memory model. The AIX ns-slapd executable was created with a value of maxdata=0x50000000 to permit both the entry cache size (nsslapd-cachesize attribute) and database cache size (nsslapd-dbcachesize attribute) to be up to 1GB each. Raising the maxdata value increases the maximum entry cache size but lowers the maximum database cache size by the same amount, and vice versa. Contact your iPlanet support representative if you want to adjust the maxdata value.
- When changing the nsslapd-dbcachesize attribute value under cn=config, always check that the modification has been taken into account and that the server has not corrupted the value. (539845, 539847)
- On HP-UX only, the maximum value for the nsslapd-dbcachesize attribute is 1GB, and not 2GB as stated in the iPlanet Directory Server Configuration, Command, and File Reference.
  This restriction is due to a PA-RISC hardware limitation that prevents memory-mapped files from crossing quadrant boundaries.
Server Plug-ins
- iPlanet Directory Server 5.0 provides the UID Uniqueness plug-in by default. If you want to ensure attribute uniqueness for other attributes, you must create a new instance of the Attribute Uniqueness plug-in for each of those attributes. For more information on the Attribute Uniqueness plug-in, see Chapter 17, "Using the Attribute Uniqueness Plug-in" in the iPlanet Directory Server Administrator's Guide.
- The Referential Integrity plug-in is now off by default.
  The Referential Integrity plug-in should only be enabled on one master replica in a multi-master replication environment, to avoid conflict resolution loops. When enabling the Referential Integrity plug-in on servers issuing chaining requests, you must be sure to analyze your performance resource and time needs as well as your integrity needs. Note that integrity checks can be time consuming and draining on memory/CPU.
- The UID Uniqueness plug-in is now off by default, due to operation restrictions which need to be addressed before enabling the plug-in in a multi-master replication environment.
  For more information on the UID Uniqueness plug-in and replication, see Chapter 17, "Using the Attribute Uniqueness Plug-in" in the iPlanet Directory Server Administrator's Guide.
- Currently, entrystore and entryfetch plug-ins are not visible in the Tree view of the Directory Server Console.
- The Access Control plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting that access control will perform for group evaluation. Instead, the number of levels of nesting is hard-coded as 5. (519812)
Roles and Class of Service
-
Deleting a role does not update the nsRoleDN attribute for each role member. (533695)
-
When you delete a role in Directory Server, the role entry is deleted but the nsRoleDN attribute for each member is not updated. If you want to delete the nsRoleDN attribute from each role member you will have to do so manually. Alternatively, you can configure the Referential Integrity Plug-in to manage the nsRoleDN attribute, remembering to enable the plug-in if it is not enabled. For information on how to configure the Referential Integrity Plug-in see Chapter 2, "Creating Directory Entries" in the iPlanet Directory Server Administrator's Guide.
-
The nsRoleDN attribute should not be used for evaluating role membership in a user's entry. When evaluating role membership, use the nsrole attribute instead.
-
The behavior for negative CoS template priority values is not defined in the server and cosPriority is not supported by Indirect CoS. (539362)
-
Given that the behavior for negative CoS template priority values is not defined in Directory Server, do not enter negative values. Note that Indirect CoS does not support cosPriority.
-
The behavior of multiple qualifiers with cosAttribute in a CoS definition is undefined.
Indexing
-
VLV indexes do not work correctly if they encompass more than one database.
Documentation
-
When targeting ACIs and using the userattr keyword to associate the entry used to bind with the target entry, ROLEDN is not a supported bindType.
-
Chapter 6, "Managing Access Control" of the iPlanet Directory Server Administrator's Guide states incorrectly that ROLEDN is a supported bindType for using the userattr keyword. The only currently valid bindTypes are USERDN, GROUPDN, and LDAPURL.
-
Two of the maximum log disk space attributes in Chapter 5, "Migration from Earlier Versions" of the iPlanet Directory Server Configuration, Command, and File Reference are incorrect.
-
In Table 5-1 on page 183 of Chapter 5, "Migration from Earlier Versions" of the iPlanet Directory Server Configuration, Command, and File Reference the attributes nsslapd-accesslog-maxlogdiskspace and nsslapd-auditlog-maxlogdiskspace should read nsslapd-accesslog-logmaxdiskspace and nsslapd-auditlog-logmaxdiskspace.
-
On HP-UX only, the maximum value for the nsslapd-dbcachesize attribute is 1GB, and not 2GB, as stated in the iPlanet Directory Server Configuration, Command, and File Reference.
-
This restriction is due to a PA-RISC hardware limitation that prevents memory-mapped files from crossing quadrant boundaries.
-
When assigning replica IDs to supplier servers in a replication configuration, you must assign a different replica ID to every supplier, and the ID must be different from the replica ID assigned by default to all consumers.
-
Chapter 8 "Managing Replication" of the iPlanet Directory Server Administrator's Guide incorrectly states that for a given suffix, the replica ID must be the same on the read-write replica held on the supplier, and the read-only replica held on the consumer server or hub server.
-
Some of the examples in Chapter 6, "Managing Access Control" of the iPlanet Directory Server Administrator's Guide are wrong.
-
The examples that do not include the targetattr keyword and assume that all attributes of the target entries are also targeted by the ACI are wrong. The reason is that if the targetattr keyword is not stated explicitly, by default, access to all attributes is denied. If you want to grant access to all attributes, you must include the expression targetattr="*" in your ACI.
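The two ACI pitfalls described in this section (an allow rule with no targetattr clause, and userattr with the unsupported ROLEDN bindType) can be caught before an LDIF is loaded. The following linter is an added example, not iPlanet code; the LDIF sample is constructed, and the ACI grammar assumed is the `(targetattr=...)(version 3.0; acl "..."; allow (...) userdn=...;)` form used in the Administrator's Guide.

```python
# Added example (not iPlanet code): lint aci values in an LDIF for the two
# mistakes these release notes call out. Assumes the iPlanet ACI syntax
# (targetattr=...)(version 3.0; acl "name"; allow (rights) bindrule;).
import re

TARGETATTR = re.compile(r'\(\s*targetattr\s*!?=', re.IGNORECASE)
ALLOW = re.compile(r'\ballow\s*\(', re.IGNORECASE)
USERATTR = re.compile(r'userattr\s*=\s*"([^"]*)"', re.IGNORECASE)
VALID_BINDTYPES = {"USERDN", "GROUPDN", "LDAPURL"}  # per this release note

# Constructed sample: one ACI missing targetattr, one correct, one using
# the unsupported ROLEDN bindType with userattr.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
aci: (version 3.0; acl "missing targetattr"; allow (read,search)
  userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "ok"; allow (read,search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "roledn"; allow (write)
  userattr="owner#ROLEDN";)
"""


def parse_aci_values(ldif: str) -> list[str]:
    """Collect aci values from LDIF text, unfolding continuation lines
    (a line starting with one space continues the previous line)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [ln[4:].strip() for ln in lines if ln.lower().startswith("aci:")]


def lint_aci(aci: str) -> list[str]:
    """Report the two pitfalls these notes describe for one ACI value."""
    findings = []
    if ALLOW.search(aci) and not TARGETATTR.search(aci):
        findings.append('allow rule has no targetattr: every attribute is denied; add targetattr="*" or list the attributes')
    for m in USERATTR.finditer(aci):
        bind_type = m.group(1).rsplit("#", 1)[-1].upper()
        if bind_type not in VALID_BINDTYPES:
            findings.append(f"userattr bindType {bind_type} is not supported; use USERDN, GROUPDN or LDAPURL")
    return findings


def lint_ldif(ldif: str) -> dict[str, list[str]]:
    """Map each problematic aci value to its findings."""
    return {aci: f for aci in parse_aci_values(ldif) if (f := lint_aci(aci))}
```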
Internationalization
- Entering Asian Characters on HP-UX
-
If you are entering text into iPlanet Console, Asian characters (Japanese, Chinese, or Korean) may appear as empty boxes (393006). To fix this problem, install the required TrueType fonts for the language you need on your system, and then set the JAVA_FONTS environment variable to the location of these fonts.
You may also want to contact Hewlett Packard about an updated Java Runtime Environment (JRE).
For more information, see Release Notes for iPlanet Console and Administration Server.
- When using the Japanese localised version of iPlanet Console
-
If you want the iPlanet Console to launch rendering the Japanese language instead of the default English you must start the console with the "ja" argument for localisation, i.e. "startconsole -lja".
- Impossible to input double byte characters for the suffix while installing on HP-UX
-
Due to different behaviour of the HP-UX shell, it is not possible to input double byte characters for the default suffix during the installation. The workaround involves inputting a dummy suffix during the installation, then using the console, adding a new suffix with the double byte characters, and finally deleting the old suffix.
Miscellaneous
-
Do not set command path and library path variables for executing command line utilities and Perl scripts.
-
In order to execute the command-line utilities and Perl scripts, you must change directory to the directory where they are stored. Although it is possible to set command path and library path variables to execute the utilities and scripts, this is not the recommended procedure because you run the risk, particularly when you have more than one server version installed, not only of disrupting the correct execution of other command-line utilities and scripts, but also of compromising the security of the system.
-
You must authenticate as a valid administrative user before you can access the Directory Server Gateway or Directory Express clients. If anonymous access to these clients is needed, install them under a different web server.
-
Please note that the LDAP utility man pages on the Solaris platforms do not document the iPlanet version of the LDAP utilities ldapsearch, ldapmodify, ldapdelete and ldapadd. For further information regarding these iPlanet LDAP utilities, see the iPlanet Directory Server Configuration, Command, and File Reference.
-
On Solaris, you can only monitor one Directory Server instance at a time with SNMP. (84743)
-
A DN that contains several backslashed characters will be wrongly normalized. This impacts the iPlanet Meta Directory because the data within the retro-changelog will be corrupted (560298/4535845).
A workaround is to use the quoted DN syntax instead of the escaped one, for example:
cn=AllEntriesExcept,cn="ou=ntdc,dc=red,dc=iplanet,dc=com",cn=AllSubtreesExcept,cn=ToDirectory,cn=Filter11,cn=Filter,cn=NT Domain, cn=Connectors, cn=Shared Configuration, cn=System, ou=5,ou=Meta-Directory, ou=Global Preferences, ou=red.iplanet.com, o=NetscapeRoot
instead of:
cn=AllEntriesExcept,cn=ou=ntdc\,dc=red\,dc=iplanet\,dc=com,cn=AllSubtreesExcept,cn=ToDirectory,cn=Filter11,cn=Filter,cn=NT Domain, cn=Connectors, cn=Shared Configuration, cn=System, ou=5, ou=Meta-Directory, ou=Global Preferences, ou=red.iplanet.com, o=NetscapeRoot
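The rewrite shown above (escaped RDN values to the quoted DN form) can be automated for DNs that must pass through the retro-changelog. The converter below is an added example, not iPlanet code; it assumes RFC 2253-style single-character backslash escapes and does not decode hex-pair escapes, and the sample DN is a shortened, constructed version of the one above.

```python
# Added example (not iPlanet code): rewrite backslash-escaped RDN values into
# the quoted DN form this note recommends. Assumes single-character escapes
# such as \, and \= ; hex-pair escapes (\2C) are not decoded.

# Constructed sample, shortened from the DN in the note above.
ESCAPED_DN = "cn=AllEntriesExcept,cn=ou=ntdc\\,dc=red\\,dc=iplanet\\,dc=com,cn=AllSubtreesExcept,o=NetscapeRoot"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash escapes and
    double-quoted values so embedded commas do not break an RDN apart."""
    rdns, cur, in_quotes, escaped = [], [], False, False
    for ch in dn:
        if ch == "," and not in_quotes and not escaped:
            rdns.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = ch == "\\" and not escaped  # a backslash escapes the next char
        cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def unescape_value(value: str) -> str:
    """Decode backslash escapes (\\, becomes ,) in an RDN value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def quote_rdn(rdn: str) -> str:
    """Return the RDN with its value double-quoted if it used escapes.
    A value containing a literal double quote is left escaped, since it
    cannot be represented safely in the quoted form."""
    attr, _, value = rdn.partition("=")
    if "\\" not in value or value.startswith('"'):
        return rdn
    plain = unescape_value(value)
    return rdn if '"' in plain else f'{attr}="{plain}"'


def to_quoted_dn(dn: str) -> str:
    """Convert every escaped RDN in the DN to the quoted syntax."""
    return ",".join(quote_rdn(r) for r in split_dn(dn))
```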
-
Note that if the directory server is running, using the db2ldif command can cause some entries to be omitted. To avoid this problem, use the db2ldif.pl command or stop the directory server (4631169).
-
It is not possible to read the logs using Directory Server Console, if the server is not running. (398837)
-
Although you cannot read the logs using Directory Server Console, if the server is not running, you can read them using the Administration Server Console. From your browser, type in http://your_hostname:administration_server_port_number. At the login prompt use the admin login and click on the link for Netscape Administration Express.
-
Some of the script and command-line usage information may be erroneous.
-
Directory Server Gateway is shipped with this release. However, in view of the fact that it will not be part of iPlanet Directory Server 5.1, we recommend that you investigate XMLDAP as a good starting point for a Directory Server Gateway replacement. For further information see:
-
http://www.iplanet.com/downloads/developer
-
Install patch 107733-09 if you are running Directory Server on a Solaris 2.6 machine to avoid LDAP library error messages when using LDAP utilities. (4580866, 387198)
-
If you are running iPlanet Directory Server 5.0 on a Solaris 2.6 machine, install patch 107733, release number 09 (107733-09) on your Solaris machine to avoid receiving the following error message when using ldapsearch, ldapmodify, or ldapdelete:
Unable to retrieve LDAP library version information; this program requires
an LDAP library that implements revision 2004 or greater of the LDAP API.
You may obtain Sun Solaris patches from:
http://sunsolve.sun.com
Online Help and Online Documentation
-
To display the online documentation, you can open the files in your web browser. If you are working on an NT machine, adapt the following URLs accordingly.
-
To display the iPlanet Directory Server Administrator's Guide:
-
file:///usr/iplanet/servers/manual/en/slapd/ag/contents.htm
-
To display the iPlanet Directory Server Configuration, Command, and File Reference:
-
file:///usr/iplanet/servers/manual/en/slapd/cli/contents.htm
-
To display the iPlanet Directory Server Deployment Guide:
-
file:///usr/iplanet/servers/manual/en/slapd/deploy/contents.htm
-
Note that these URLs assume that you have installed your directory server in the default installation directory /usr/iplanet/servers. If you have installed your server in a different location, adapt these URLs as appropriate.
-
The online help system for the iPlanet Directory Server is dependent upon the iPlanet Administration Server. To access the online help system, you will need to confirm the following:
-
Client IP address authorized on the Administration Server. The machine running iPlanet Directory Server Console needs access to the Administration Server. To configure the Administration Server to accept the client machine's IP address, do the following in the Administration Server:
-
Launch the iPlanet Administration Server Console. The console should be running on the same machine as the Administration Server.
-
Click the Configuration tab, then click the Network tab.
-
In the Connection Restrictions Settings, select "IP Addresses to Allow" from the pull down menu. Click Edit.
-
Edit the IP Addresses field to the following: *.*.*.*
-
This allows all clients access to the Administration Server.
-
Restart the Administration Server. You can now launch the online help by clicking any of the Help buttons in Directory Server Console.
Note: If your proxy IP address is not the same as the authorized domain value for Administration Server, Administration Server installation will prevent you from using the online help system. To prevent this from happening, you can add your proxy IP address to the list of allowed IP addresses for Administration Server.
How to Report Problems
For general information on iPlanet Directory Server 5.0, you can refer to:
If you have any questions or issues to raise regarding iPlanet Directory Server 5.0, subscribe to the following newsgroup:
When subscribing to the newsgroup, which is hosted on secnews.netscape.com, specify 563 as the port number and enable secure connections.
If you experience problems with iPlanet Directory Server 5.0, refer to iPlanet Technical Support:
For More Information
Useful iPlanet information can be found at the following Internet locations:
===================================================================
Copyright (c) 1989 The Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
- All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by the University of California,
Berkeley and its contributors.
- Neither the name of the University nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
========================================================================
Copyright (C) 1987, 1988 Student Information Processing Board of the
Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting documentation,
and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising
or publicity pertaining to distribution of the software without specific,
written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no
representations about the suitability of this software for any purpose.
It is provided "as is" without express or implied warranty.
========================================================================
This product contains the following software derived from RSA Data
Security, Inc.
- MD5 Message-Digest Algorithm
========================================================================
The source code to the Standard Version of Perl can be obtained from CPAN
sites, including http://www.perl.com/.
========================================================================
This product incorporates compression code by the Info-ZIP group. There are
no extra charges or costs due to the use of this code; the original compression
sources are freely available from:
ftp://ftp.cdrom.com/pub/infozip/