This section lists known problems and limitations at the time of release.
This section lists product limitations.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.
To work around this limitation, install products and create server instances as a user with the appropriate user and group permissions.
Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix.
Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.
When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.
To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.
When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.
An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute is rejected with DSA is unwilling to perform (LDAP result code 53). Directory Server 5 accepted adding or deleting an attribute or attribute value, but the update was written to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.
The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.
To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.
This issue affects server instances on Windows systems only, and is due to the performance of Start TLS on Windows systems.
To work around this issue, consider using the -P option with the dsconf command to connect directly to the SSL port. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The -e option connects to the standard port without requesting a secure connection, so credentials and data cross the network unprotected unless the network path itself is secured.
After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.
To work around this issue when installing from native packages, use the cacaoadm enable command as root.
The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.
A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.
The console does not allow the administrator to log on to a server running Windows XP.
As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.
This section lists the known issues that are found at the time of Directory Server 6.1 release. This list is additional to the list of the Known Directory Server Issues in 6.0.
A Directory Server instance with a multi-byte name cannot be registered in DSCC. As a workaround, configure the Common Agent Container to use the charset that was used to create the instance:
# cacaoadm list-params | grep java-flags
java-flags=-Xms4M -Xmx64M
# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start
On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.
As a workaround to this problem, set the class path and invoke the command class directly, using the following commands:
set CLASSPATH="C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli.jar; C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapy.jar; C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli.jar; C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapycli_l10n.jar; C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip.jar; C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common.jar; C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg.jar; C:\Program Files\Sun\JavaES5\DSEE\ds6\lib\slapwcli_l10n.jar; C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\clip_l10n.jar; C:\Program Files\Sun\JavaES5\DSEE\dsee6\lib\jar\common_cfg_l10n.jar;"
java -Dsun.directory.clip.arg0=dsadm -Dsun.directory.dcc.path.slapx=dsadm -classpath %CLASSPATH% com.sun.directory.slapy.cli.SlapyMain --help
On Windows, the permissions on the Directory Server and Directory Proxy Server folders are not set, which allows a non-administrator user to remove server instances and the installation. As a workaround, restrict the permissions on the instance and installation folders to administrators and the account that runs the servers, so that unauthorized users cannot access them.
In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.
Output of the schema_push, repldisc, pwdhash, ns-inactivate, ns-activate, ns-accountstatus, mmldif, insync, fildif, entrycmp, dsrepair, dsee_deploy, dsadm show-cert, dsadm repack, and ldif commands are not localized.
Changing the system locale and then starting DSCC does not display the pop-up window messages in the locale that you selected.
When LDAP passwords are changed by using the password modify extended operation, the current password of the account is required even if pwdSafeModify is off.
The current password is not required when you bind as the root DN, for example cn=Directory Manager.
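The rule above at the wire level, as an added example that is not Directory Server code: it encodes and decodes the RFC 3062 Password Modify request value so you can see whether a request carries the account's current password (oldPasswd), and models the behaviour described, where the operation is refused without oldPasswd unless the bind DN is the root DN. The root DN default, the simplified DN comparison, and the DNs in the test are assumptions made for the example.

```python
"""Wire-level view of the LDAP Password Modify extended operation (RFC 3062).

Added example, not Directory Server code. The server-side rule below is a
model of the behaviour described in the release notes, not the product's
implementation; the root DN and the DN comparison are simplified assumptions.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName

# Context-specific primitive tags from the ASN.1 in RFC 3062.
TAG_USER_IDENTITY = 0x80  # [0] userIdentity OPTIONAL
TAG_OLD_PASSWD = 0x81     # [1] oldPasswd    OPTIONAL
TAG_NEW_PASSWD = 0x82     # [2] newPasswd    OPTIONAL
TAG_SEQUENCE = 0x30


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Build the requestValue of a Password Modify request; every field is optional."""
    fields = b""
    if user_identity is not None:
        fields += _tlv(TAG_USER_IDENTITY, user_identity.encode("utf-8"))
    if old_passwd is not None:
        fields += _tlv(TAG_OLD_PASSWD, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        fields += _tlv(TAG_NEW_PASSWD, new_passwd.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, fields)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_passwd_modify(data: bytes) -> dict:
    """Parse a requestValue back into its optional fields."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("requestValue must be a SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    result, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        result[names[tag]] = value.decode("utf-8")
    return result


def _normalize_dn(dn: str) -> str:
    """Simplified DN comparison for the example: case-fold and trim around commas."""
    return ",".join(part.strip() for part in dn.casefold().split(","))


def server_accepts(request_value: bytes, bind_dn: str,
                   root_dn: str = "cn=Directory Manager") -> bool:
    """Model of the rule above: the current password is required even with
    pwdSafeModify off, except when the bind DN is the root DN (assumed default)."""
    fields = decode_passwd_modify(request_value)
    if "oldPasswd" in fields:
        return True
    return _normalize_dn(bind_dn) == _normalize_dn(root_dn)
```

A client that omits oldPasswd when bound as an ordinary user should expect the refusal described above; supplying the current password, or performing the change as the root DN, is what makes the same request succeed.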
Migrating Directory Server 5.1 instance using dsmig migrate-all old-instance-path new-instance-path, might not successfully migrate the instance.
As a workaround to this problem, edit the new-instance-path/config/schema/11rfc2307.ldif file and replace the following line
objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'automount' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY ( description ) X-ORIGIN 'RFC 2307' )
with the line given below.
objectClasses: ( automount-oid NAME 'automount' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY ( description ) X-ORIGIN 'RFC 2307' )
Migrating Directory Server 5.2 schema using the dsmig migrate-schema old-instance-path new-instance-path command fails, if the old Directory Server 5.2 99user.ldif file contains attributes defined in version 6.0.
As a workaround, remove all the Directory Server 6.0 attributes that are included in the old Directory Server 5.2 99user.ldif file and relaunch the migration from the beginning.
The dsadm import --help output is not fully translated in the French locale.
Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.
In the Filter drop-down menu under the Suffixes tab of Directory Servers, the Replicated menu item is not translated into Traditional and Simplified Chinese languages.
The Attribute label in suffix indexes in DSCC is not translated for non-Japanese locales.
DSCC might not display long ACIs depending on the limit set by Internet Service Provider.
On Linux, if a Directory Server instance is started in a locale that is different from the locale in which the instance was created, multi-byte characters do not display properly.
In the optional replication settings of a Directory Server instance, the Referrals label is not translated for French locale.
When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.
As a workaround, add the following lines, marked with +, to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.
...
        restart_on="none" type="service">
    <service_fmri value="svc:/network/initial:default"/>
</dependency>
+ <dependency name="nameservice" grouping="require_all"
+       restart_on="none" type="service">
+     <service_fmri value="svc:/milestone/name-services"/>
+ </dependency>
<exec_method type="method" name="start"
    exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...
The Directory Server Enterprise Edition Windows service fails to start more than one server instance when the system restarts.
On HP-UX, the dsadm and dpadm commands might not find libicudata.sl.3 shared library.
As a workaround to this problem, set the SHLIB_PATH variable when running the commands:
env SHLIB_PATH=${INSTALL_DIR}/dsee6/private/lib dsadm
Sun Java System Application Server bundled with Solaris 10 cannot create SASL client connection for authenticated mechanism and does not communicate with common agent container.
Change the JVM used by application server by editing the appserver-install-path/appserver/config/asenv.conf file and replace the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.
The dsadm autostart command can cause native LDAP authentication to fail when you reboot the system, because the LDAP client is started before the directory it authenticates against.
As a workaround, reverse the order of the reboot scripts. The default order is /etc/rc2.d/S71ldap.client followed by /etc/rc2.d/S72dsee_directory.
The DSCC Version window might display the html source code if it is configured by deploying the Web Archive (WAR) file with application server. As a workaround, add the following entries in domain-path/domain-name/config/default-web.xml.
<mime-mapping>
    <extension>shtml</extension>
    <mime-type>text/html</mime-type>
</mime-mapping>
The dsee_deploy command displays error messages even if the installation using zip distribution is successful.
The passwordStorageScheme.5dsat man page should include the following details.
The CRYPT password storage scheme now supports MD5, Blowfish, and other strong algorithms. To specify the algorithm used, give the format of the salt in the nsslapd-pluginarg() argument as follows:
nsslapd-pluginarg(): value
The value is in the form of a snprintf format string corresponding to specific salt formats. For example, some of the formats supported include the following:
%.2s
$1$%.8s
$2a$04$%.22s
$md5$%.8s$
If the string value maps to an algorithm that is not supported by the operating system, then a warning message is logged and the hash will be made using the default UNIX algorithm with a salt made of 31 random characters.
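The salt formats listed above, worked through as an added example that is not Directory Server code: the literal prefix of the format selects the crypt(3) variant and the %.Ns directive is filled with N random salt characters. The helpers build such a salt from a format string and check whether a stored {CRYPT} userPassword value carries the prefix the configured format should produce, which is the check to run after changing nsslapd-pluginarg, since an unsupported variant silently falls back to the default UNIX algorithm. The prefix-to-variant table and the salt alphabet are standard crypt(3) conventions; the hash values in the test are constructed, not real password hashes.

```python
"""Render CRYPT storage-scheme salt formats and verify the resulting hashes.

Added example, not Directory Server code. Which crypt(3) variants your
operating system actually supports is not known to this code; it only
reasons about the format string and the prefix of a stored hash.
"""
import re
import secrets

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DIRECTIVE = re.compile(r"%\.(\d+)s")  # the snprintf %.Ns salt directive

# Literal prefix of the format -> crypt(3) variant it selects (standard conventions).
FORMAT_FAMILIES = {
    "": "traditional DES (13-character hash)",
    "$1$": "MD5",
    "$2a$": "Blowfish (bcrypt)",
    "$md5$": "Sun MD5",
}


def salt_prefix(fmt: str) -> str:
    """Literal text before the first %.Ns directive, e.g. '$2a$04$'."""
    m = _DIRECTIVE.search(fmt)
    if m is None:
        raise ValueError("format has no %%.Ns directive: %r" % fmt)
    return fmt[:m.start()]


def algorithm_family(fmt: str) -> str:
    """Name the crypt(3) variant a format selects, or flag it as unknown."""
    prefix = salt_prefix(fmt)
    if prefix == "":
        return FORMAT_FAMILIES[""]
    for marker, name in FORMAT_FAMILIES.items():
        if marker and prefix.startswith(marker):
            return name
    return "unknown (OS decides; unsupported variants fall back to default UNIX crypt with a warning)"


def render_salt(fmt: str, rand_chars=None) -> str:
    """Expand every %.Ns in fmt with N random salt characters.

    rand_chars(n) -> str can be injected to make the output deterministic."""
    if rand_chars is None:
        def rand_chars(n):
            return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))

    def fill(match):
        return rand_chars(int(match.group(1)))
    return _DIRECTIVE.sub(fill, fmt)


def hash_matches_format(stored: str, fmt: str) -> bool:
    """True if a userPassword value looks like it was produced under fmt.

    Run this against a freshly set password after changing nsslapd-pluginarg
    to confirm the intended variant is in use rather than the OS default."""
    if not stored.startswith("{CRYPT}"):
        return False
    body = stored[len("{CRYPT}"):]
    prefix = salt_prefix(fmt)
    if prefix:
        return body.startswith(prefix)
    # Traditional DES: 2 salt characters plus 11 hash characters, no '$' markers.
    return len(body) == 13 and all(c in SALT_ALPHABET for c in body)
```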
The dsee_deploy man page wrongly mentions installation and uninstallation of Directory Service Control Center, which is not directly installable from the zip distribution. The zip distribution does copy the DSCC WAR file to your system during installation, and you can then deploy that file with an application server to configure Directory Service Control Center.
On HP-UX systems, after the successful upgrade using Native patches, DSCC is unable to restart the Directory Server instances.
Some of the jar files loaded in lockhart are not upgraded after applying 125310-02 and 125278-02 patches.
As a workaround, run the following commands in the given sequence:
dsccsetup console-unreg
dsccsetup console-reg
This section lists the issues that are found at the time of Directory Server 6.0 release.
Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.
When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.
LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.
When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.
To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide.
Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.
When installing software from the zip distribution, do not use the -N (--no-cacao) option if you intend subsequently to manage servers with Directory Service Control Center. The Common Agent Container cannot be installed separately later.
The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.
To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.
Export the certificate to a file.
The following example shows how to perform the export for servers in /local/supplier and /local/consumer.
$ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert
$ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert
Exchange the client and supplier certificates.
The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.
$ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt
$ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt
Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.
Add the replication manager DN on the consumer.
$ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
Update the rules in /local/consumer/alias/certmap.conf.
Restart both servers with the dsadm start command.
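The step of the procedure above that the page does not show a command for is adding the SSL client entry with the supplier certificate as a usercertificate;binary value. The following added example (not Directory Server code) builds that entry as LDIF from the DER file exported in the first step, base64-encoding the value with the LDIF "::" form and folding long lines as RFC 2849 requires, so the output can be fed to ldapmodify -a against the consumer. The objectClass choice, the entry DN, and the DER bytes used in the test are assumptions; the DN you choose must be the one certmap.conf maps the supplier's certificate subject to.

```python
"""Build the SSL client entry LDIF for the replication workaround above.

Added example, not Directory Server code. The entry DN, the person
objectClass, and the DER bytes in the test are assumptions for illustration.
"""
import base64


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; each continuation line starts with one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def client_cert_entry_ldif(entry_dn: str, cn: str, sn: str, cert_der: bytes) -> str:
    """LDIF that adds an entry carrying the supplier certificate in usercertificate;binary."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [
        "dn: " + entry_dn,
        "objectClass: top",
        "objectClass: person",  # assumed schema; cn and sn are its mandatory attributes
        "cn: " + cn,
        "sn: " + sn,
        fold_ldif_line("usercertificate;binary:: " + b64),
    ]
    return "\n".join(lines) + "\n"


def ldif_to_der(ldif: str) -> bytes:
    """Unfold the LDIF produced above and decode the certificate back (sanity check)."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.lower().startswith("usercertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no usercertificate;binary value found")


if __name__ == "__main__":
    # Usage: python make_client_entry.py /tmp/supplier-cert.txt "cn=supplier,ou=Replication,dc=example,dc=com"
    import sys
    with open(sys.argv[1], "rb") as f:
        der = f.read()
    sys.stdout.write(client_cert_entry_ldif(sys.argv[2], "supplier", "supplier", der))
```

Pipe the output into ldapmodify -a on the consumer, then use the same entry DN for the repl-manager-bind-dn suffix property in the next step; if the DER file was exported with dsadm show-cert -F der as shown above, ldif_to_der returns exactly those bytes.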
Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.
An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.
Directory Server instances with multi-byte names can not be registered in Directory Service Control Center.
To work around this issue, configure the Common Agent Container as follows.
# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start
Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.
dn: o=mary\"red\"doe,o=example.com
changetype: modify
add: aci
aci: (target="ldap:///o=mary\"red\"doe,o=example.com")(targetattr="*")(version 3.0; acl "testQuotes"; allow (all) userdn ="ldap:///self";)

dn: o=Example Company\, Inc.,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")(targetattr="*")(version 3.0; acl "testComma"; allow (all) userdn ="ldap:///self";)
Examples with more than one comma that has been escaped have been observed to parse correctly, however.
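To see that the rejected DNs are well-formed, and to check an aci value before adding it, here is an added example (not Directory Server code) of the parsing the server gets wrong: it pulls the target DN out of an aci string without treating an escaped quote as the end of the value, splits the DN into RDNs at unescaped commas, and unescapes one RDN value following RFC 4514 (single-byte \XX hex escapes only). The aci strings used in the test are the page's own examples.

```python
"""Parse escaped target DNs in aci values (added example, not Directory Server code)."""

_HEX = "0123456789abcdefABCDEF"


def extract_target_dn(aci: str) -> str:
    """Return the DN inside target="ldap:///..."; a backslash-escaped quote
    does not terminate the value, which is exactly the case the server mishandles."""
    marker = 'target="ldap:///'
    start = aci.find(marker)
    if start < 0:
        raise ValueError("no target keyword in aci")
    i, out = start + len(marker), []
    while i < len(aci):
        c = aci[i]
        if c == "\\" and i + 1 < len(aci):
            out.append(c + aci[i + 1])  # keep the escape intact for the DN parser
            i += 2
            continue
        if c == '"':
            return "".join(out)
        out.append(c)
        i += 1
    raise ValueError("unterminated target value")


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings at unescaped commas (escapes preserved)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def unescape_rdn_value(rdn: str) -> tuple:
    """Return (attribute type, unescaped value) for one RDN per RFC 4514.

    Handles \\<special> escapes such as \\, and \\" and single-byte \\XX hex pairs."""
    attr, _, raw = rdn.partition("=")
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            if i + 2 < len(raw) and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
                out.append(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(c)
        i += 1
    return attr.strip(), "".join(out)
```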
The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.
When running server management commands in the French locale, some messages displayed by the commands are missing apostrophes.
Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.
SASL authentication has been seen to fail on Windows systems when SASL encryption is used.
As a workaround to this issue, reset the SASL security strength factors to the following values. Note that a maximum SSF of 0 disables the SASL integrity and confidentiality layer entirely, so connections that relied on it must be protected by SSL or a trusted network instead.
dn: cn=SASL, cn=security, cn=config
dssaslminssf: 0
dssaslmaxssf: 0
Directory Service Control Center fails to generate a self-signed certificate when you specify the country.
Directory Service Control Center does not properly display userCertificate binary values.
The configuration attribute name passwordRootdnMayBypassModsCheck is misleading: when the attribute is set, the server now allows any administrator, not only the root DN, to bypass password syntax checking when modifying another user's password.
Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.
The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.
On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.
To work around this issue, change the LDIF file name so that it does not contain double-byte characters.
When using a browser running in Chinese, Japanese, or Korean locales, logs generated by Directory Service Control Center when creating a server instance contain garbage.
To work around this issue, run the following commands on the Common Agent Container where the new server instance is to be created.
cacaoadm stop
cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
cacaoadm start
The dsadm enable-service command does not work correctly with Sun Cluster.
When using a browser running in the French locale, duplicate apostrophes appear in Directory Service Control Center.
The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.
The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.
Unless you start Directory Server at least once, the dsadm enable-service command fails to restart Directory Server upon system reboot.
Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.
To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.
After installation and after server instance creation on Windows systems, the file permissions on the installation and server instance folders allow access to all users.
To work around this issue, restrict the permissions on the installation and server instance folders to administrators and the account that runs the servers.
The dsadm autostart command fails when multiple instances are specified, and the command fails for one of the instances.
The dsadm autostart command does not support white space in the instance file name.
The dsmig command has been seen not to migrate values for some configuration attributes that are not identified in the upgrade and migration documentation.
The following configuration attributes are concerned:
nsslapd-db-durable-transaction
nsslapd-db-replication-batch-val
nsslapd-disk-low-threshold
nsslapd-disk-full-threshold
After a total update on a master replica under significant write load, in some cases the generation ID of the master that underwent the total update is not set properly. As a result, replication fails.
When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.
To work around this issue, use a different browser such as Mozilla web browser.
After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.
After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.
On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.
Directory Server does not properly handle Chinese multi-byte character in strings for database names, file names, and path names.
To work around this issue when creating a Directory Server suffix having Chinese multi-byte characters, specify a database name that has no multi-byte characters. When creating a suffix on the command line, for example, explicitly set the --db-name option of the dsconf create-suffix command.
$ dsconf create-suffix --db-name asciiDBName multibyteSuffixDN
Do not use the default database name for the suffix.
On Windows systems when Directory Server is enabled as a service, do not use the dsadm cert-pwd-prompt=on command.
The following replication error messages have been seen to persist on agreements with a consumer even after a total update is performed on the consumer.
Error sending replication updates. Error Message: Replication error updating replica: Unable to start a replication session : transient error - Failed to get supported proto. Error code 907.
Operational Status Error sending updates to server host:port. Error: Replication error updating replica: Incremental update session abored : fatal error - Send extended op failed. Error code: 824.
To eliminate the messages, disable the replication agreement, and then enable the replication agreement.
When stopping multiple master replicas under heavy load in a multi-master replication configuration, the servers may take several minutes to stop.
After an import operation is performed on a master where read-write-mode is set to read-only, Directory Server fails to restart.
The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.
On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.
You must configure DSML before you can monitor DSML with Java ES Monitoring Framework.
The More on Server Groups, More on read/write mode, and More on this table links in Directory Service Control Center point to English online help on all the locales.
When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.
To work around this issue, perform the following steps.
Enable the Monitoring Plug-in using the web console or dpconf.
Using cacaoadm set-param, change the snmp-adaptor-port, snmp-adaptor-trap-port, and commandstream-adaptor-port parameters.
The dsconf help-properties command works properly only after an instance has been created. In addition, the correct list of values for the dsml-client-auth-mode property is client-cert-first | http-basic-only | client-cert-only.
In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.
After installing from the zip distribution on Solaris and Red Hat systems, Directory Server does not appear through SNMP after the Common Agent Container, cacao, is restarted.
To work around this issue on Solaris systems, apply all recommended patches listed in Directory Server, Directory Proxy Server, and Directory Server Resource Kit Operating System Requirements.
Some output displayed by the dsccmon, dsccreg, and dsccsetup commands is not localized.
After accessing Directory Service Control Center for the first time and registering a Directory Server instance, a warning and an exception are written to the Sun Java Web Console logs.
You can safely ignore the warning, failed to retreive "server-pid" from command ouptut, and the exception. The exception output appears as follows.
StandardWrapperValve[wizardWindowServlet]: Servlet.service() for servlet wizardWindowServlet threw exception java.lang.IllegalStateException: Cannot forward after response has been committed
When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.
After manual reboot following installation on a Windows system with the Java ES installer, Directory Server is not running. However, Directory Server can appear to be running in the Task Manager. When this occurs, Directory Server cannot be restarted from the Task Manager.
To work around this issue, remove the process ID file from the logs folder.
The dsmig migrate-data -R -N command has been seen to fail when upgrading from Directory Server 5 2005Q1.
To work around failures in automatic data migration, migrate the data manually as described in Chapter 3, Migrating Directory Server Manually, in Sun Java System Directory Server Enterprise Edition 6.1 Migration Guide.
On HP-UX systems, applications using NSPR libraries crash and dump core after investigation with gdb. The problem occurs when you attach gdb to a running Directory Server instance, then use the gdb quit command.
When accessing Directory Service Control Center through Internet Explorer 6, saving index configuration changes for a suffix causes a null error to appear. The progress window for the operation appears to freeze.
To work around this issue, access Directory Service Control Center through a different browser, such as a Mozilla-based browser.
When you edit a directory entry through Directory Service Control Center, if the entry is simultaneously changed by some other method, refreshing the display does not show the changes.
Directory Service Control Center has been seen to show incorrect status for the User-Changeable field of Global Password Policy, pwd-user-change-enabled.
To work around this issue, use the dsconf(1M) command to read the pwd-user-change-enabled server property.
$ dsconf get-server-prop -w /tmp/ds.pwd pwd-user-change-enabled
pwd-user-change-enabled  :  off
When upgrading from Directory Server 5.2, if you have a certificate database that contains no trusted certificates, the dsmig migrate-config command fails. This problem can occur when you have created a certificate database, but never used the database, nor set up SSL.
To work around this issue, follow these steps.
Remove the new, empty Directory Server 6 instance.
Rename the ServerRoot/alias/slapd-serverID-cert8.db and ServerRoot/alias/slapd-serverID-key3.db files that the Directory Server 5.2 instance uses.
$ cd ServerRoot/alias
$ mv slapd-serverID-cert8.db slapd-serverID-cert8.db.old
$ mv slapd-serverID-key3.db slapd-serverID-key3.db.old
Perform the upgrade and migration process again.
On HP-UX systems, Directory Service Control Center has been seen to show a null pointer exception error message when starting and stopping a Directory Server instance. The error affects Directory Service Control Center, not the Directory Server instance.
When migrating a Directory Server configuration, the dsmig migrate-config command fails if the -R option is used but not all suffixes in the existing configuration are replicated.
To work around this issue, perform the following steps.
Stop the old server.
In the dse.ldif configuration file of the old server instance, comment out the following attributes of the entry with DN cn=changelog5,cn=config by prefixing them with hash marks, #.
#nsslapd-changelogmaxage: ...
#nsslapd-changelogmaxentries: ...
Make a note of the values for these attributes.
Migrate the server configuration using the dsmig migrate-config command.
On the new server instance, for every suffix that has a configuration entry with DN of the form cn=replica,cn=suffix-dn,cn=mapping tree,cn=config, run the following commands.
$ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-age:old-value
Here old-value means the value of nsslapd-changelogmaxage in the old server instance.
$ dsconf set-suffix-prop -p port suffix-dn repl-cl-max-entry-count:old-value/nbr-suffixes
Here old-value means the value of nsslapd-changelogmaxentries in the old server instance. nbr-suffixes is the total number of replicated suffixes.