NETSCAPE DIRECTORY SERVER
Release 4.12
Last updated June 22, 2001
CONTENTS
These release notes include:
Installation Requirements
Corrections to 4.11
Known Problems
Things to Be Aware Of
More Information
INSTALLATION REQUIREMENTS
Netscape Directory Server 4.12 can be installed on Unix or Windows NT.
For platform requirements and pointers to installation instructions, please
see:
http://docs.iplanet.com/docs/manuals/directory/412/installation.html.
CORRECTIONS TO 4.11
June 22, 2001 Release Note correction. As of Release 4.12 of the
Netscape Directory Server, FORTEZZA support has been discontinued. All
previous references to FORTEZZA have been removed from these Release Notes.
No other changes to these Release Notes have been made.
The Netscape Directory Server 4.12 contains a new version of the Console,
version 4.2. It also contains a new Admin Express HTML graphical user interface
(GUI). For information on this GUI, please refer to the documentation on
the Console, version 4.2.
In addition, this release of the Directory Server contains fixes to
the following known problems in Netscape Directory Server 4.11:
-
A problem existed where if the server shut down while the Directory Console
was trying to create a replication agreement, the Directory Console would
still attempt to create the agreement. This produced confusing error messages.
In this release, the Directory Console no longer attempts to create the
agreement if the server is not running. (385051)
-
DNS is required on your machine in order to install many Netscape components;
however, previous versions of the setup program did not check to see if
DNS was running. Consequently, install would abort. The setup program now
verifies that DNS is running. (316651)
-
This release of the Directory Server contains an updated root CA certificate.
For more information about root certificate expiration and iPlanet servers,
see the Digital Certificate Security Alert. (371068, 382273)
-
The Directory Console no longer searches the directory tree at startup.
Now, the Console performs this search on demand (such as when you select
the Directory tab), significantly decreasing startup time. (368135)
-
The Directory Server Administrator's Guide does not include any
information about the configuration parameter that allows you to use underscores
and hyphens in attribute and object class names. (383527, 337438)
To configure this option, complete the following:
-
Stop the server.
-
Open the slapd.conf file and find the line that begins with the
following:
attribute_name_exceptions 0
-
Change the zero to 1 (one).
-
Restart the server.
-
If you edit a user entry from the Directory Browser, you use the User &
Group editor. This window also has the Advanced... button which pops up
the generic property editor. Previously, if you changed the Email Address
in the property editor, your changes were lost when you dismissed the window.
These changes are no longer discarded when you dismiss the window. (341109)
-
Previously, if a very complex search filter was presented to the Directory
Server as part of a search request, the server would sometimes crash. This
problem has been corrected. (395995)
-
Previously, if the secure-listenhost parameter was used, the Directory
Server would hang indefinitely during startup. This has been corrected.
(363687)
-
In version 4.11, the Directory Server Console would fail to open if the
DIT had many branches. This problem has been fixed. (367132)
-
In certain circumstances, the attribute Passwordretrycount would
get modified an additional time on each level of replication. This problem
has been fixed. (390891)
-
On Windows NT systems, the Directory Server would occasionally allocate unnecessary
file descriptors, sometimes causing the ns-slapd process to fail. This
problem has been corrected. (391414)
-
The Directory Server now correctly generates the VLV index (previously,
the server would not correctly index some entries). (381057)
-
This version of the Directory Server fixes the problem where the db_home_directory
setting would sometimes get corrupted when there was a change in the configuration
database (cn=config,cn=ldbm). (368875)
-
The mcc.bat file now properly handles upgrades from version 4.1
to versions 4.11 and 4.12. (367149)
-
All referrals are now correctly followed by all versions of the Console.
(367041)
-
The Directory Server will now start up in SSL mode if it encounters any
unknown ciphers (previously the server would not respond if it encountered
an unknown cipher). During the start-up procedure, the server will log
a warning to the error log if it encounters any unknown ciphers. (399179)
KNOWN PROBLEMS
This section lists known problems with Netscape Directory Server 4.12.
The problems are identified by bug number to help you refer to them if
you need to contact technical support.
Installation, Migration, and Upgrade
-
If you cancel NT Synchronization Service installation before entering the
hostname and port, the next time you reboot the machine the NT Synchronization
Service attempts to start and fails. (395062)
-
On Windows NT systems, you must use the Typical Installation procedures
to upgrade from Directory Server 4.1 to 4.11 or 4.12; if you use the Custom
Installation procedures, the installation will fail. (367312)
-
Unix only: The platform version included in the name of the gzipped installation
package does not necessarily match the version of the platform that the
binaries run on. (368822)
For example, the following package contains the product binaries for
Solaris 2.6, 7, and 8:
directory-4_12-domestic-us_sparc-sun-solaris2_6_tar.gz
-
The Installation Guide that shipped with the server does not contain the
procedure for upgrading from a previous 4.x release. This information is
now available from the Installation Guide hosted on iPlanet's website at
(367383):
http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
-
The installation program no longer asks you if you want the installation
cache deleted (it is now deleted by default). To cause the installation
cache to be saved when the installation is completed, run setup with the
-k option. You must run the setup program with -k if you want to perform
a silent installation. (339769, 387540, 330298)
-
On Linux, set the TERM environment variable to vt100 before you install.
If you do not set your terminal to vt100, the screen text displayed during
installation may be offset and difficult to read. (348576)
-
On Windows NT, you must install Communicator 4.x before you can install
the NT Synch Service. (350963)
-
If you are migrating your supplier or consumer Directory Server from a
previous release and you want to maintain the replication agreements from
the old server, you must migrate into a new instance instead of an existing
one.
Replication agreements are denoted by the port number of the supplier
and consumer server, and the port number is not transferred if you migrate
into an existing instance. Therefore, if you choose to migrate your supplier
or consumer Directory Server into an existing instance, you will need to
reconfigure the replication agreements with the correct port numbers. (351935)
-
Migration from a 1.x server to 4.12 on Digital Unix or Irix is not supported.
(351461)
-
After migration from 3.x to 4.12 on NT, you may have two server instances
(one 3.x and one 4.12) listening on the same port. If you no longer want
to use your 3.x server, delete it using the 3.x administrative interface,
or disable it in the Services Control Panel. (351663)
-
If you want to migrate an SSL-enabled Directory Server to the 4.x release,
follow these steps (117420, 347858):
-
Turn off SSL in the old server.
-
Migrate the old server to 4.x.
-
From the command line, change to:
/<4x_Server_Root>/bin/admin/admin/bin
Where <4x_Server_Root> is the directory where you installed
the 4.x Directory Server.
-
Run the sec-migrate command-line utility as follows:
On Unix:
./sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
On Windows NT:
sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
Where <Old_Server_Root> is the directory where you installed
the pre-4.0 Directory Server, <CertDB_Alias> is the alias you
used when setting up the certificate database, <4x_Server_Root>
is the directory where you installed the 4.x Directory Server, and
<Old_CertDB_Password> is the certificate database password.
For example:
./sec-migrate /NSHOME/ds30/ mycertdb /usr/netscape/server4/ slapd-mycertdb mycertdbpw
-
From the command line, change to:
/<4x_Server_Root>/alias
-
Rename slapd-<CertDB_Alias>-key3.db3.db to slapd-<CertDB_Alias>-key3.db.
-
Rename slapd-<CertDB_Alias>-cert7.db7.db to slapd-<CertDB_Alias>-cert7.db.
-
Rename <CertDB_Alias>-password.txt to slapd-<CertDB_Alias>-pin.txt.
In 4.0, you only needed to type the password in the file in cleartext,
for example mypassword. For 4.1 through 4.12, you need to include
the token name and password in slapd-<CertDB_Alias>-pin.txt
as follows:
Token:Password
For example:
Internal (Software) Token:mypassword
-
On the Directory Server Console for the migrated instance, select the Configuration
tab and then select the root entry in the navigation tree in the left pane.
-
Select the Encryption tab in the right pane.
-
Select the Enable SSL checkbox.
-
Select at least one cipher family.
-
Click Save.
-
Restart the 4.x Directory Server.
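The alias-directory steps of the SSL migration procedure above (the two database renames and the conversion of the 4.0 password file to the Token:Password pin file) can be scripted. The following is an added example, not a Netscape-supplied tool: the function name finish_ssl_alias is hypothetical, the default token name is the one shown in the example above, and the owner-only file mode on the pin file is a precaution added here because the file holds the certificate database password in cleartext.

```shell
#!/bin/sh
# Added example (not part of the product): finish the alias directory after
# sec-migrate has run. finish_ssl_alias is a hypothetical helper name.
#   $1 = /<4x_Server_Root>/alias   $2 = <CertDB_Alias>   $3 = token name (optional)

finish_ssl_alias() {
    alias_dir=$1
    alias=$2
    token=${3:-"Internal (Software) Token"}

    key_old="$alias_dir/slapd-$alias-key3.db3.db"
    key_new="$alias_dir/slapd-$alias-key3.db"
    cert_old="$alias_dir/slapd-$alias-cert7.db7.db"
    cert_new="$alias_dir/slapd-$alias-cert7.db"
    pw_old="$alias_dir/$alias-password.txt"
    pin_new="$alias_dir/slapd-$alias-pin.txt"

    # Stop on a half-migrated directory instead of guessing what is missing.
    for f in "$key_old" "$cert_old" "$pw_old"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Never overwrite key, certificate or pin files that already exist.
    for f in "$key_new" "$cert_new" "$pin_new"; do
        [ ! -e "$f" ] || { echo "refusing to overwrite: $f" >&2; return 1; }
    done

    mv "$key_old" "$key_new" || return 1
    mv "$cert_old" "$cert_new" || return 1

    # 4.0 stored the bare password; 4.1 through 4.12 expect Token:Password.
    # Read the first line; accept a file that lacks a trailing newline.
    pw=
    IFS= read -r pw < "$pw_old" || [ -n "$pw" ] || {
        echo "empty password file: $pw_old" >&2; return 1; }
    case $pw in
        "$token:"*) line=$pw ;;           # already in Token:Password form
        *)          line="$token:$pw" ;;  # prefix the token name
    esac

    # Create the pin file readable by its owner only, then drop the old file
    # so the cleartext password exists in one place.
    ( umask 077 && printf '%s\n' "$line" > "$pin_new" ) || return 1
    rm -f "$pw_old"
}

# Run directly as: sh finish_ssl_alias.sh /<4x_Server_Root>/alias <CertDB_Alias>
if [ "$#" -ge 2 ]; then
    finish_ssl_alias "$@"
fi
```

Run it as the user that owns the server's alias directory, after sec-migrate and before enabling SSL in the Directory Server Console.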
-
Netscape recommends setting the database cache (dbcache in slapd.ldbm.conf)
on NT to a value no greater than 800 Mb. (116968)
-
When a configuration directory used to register Netscape servers is uninstalled
(that is, a directory that contains a o=NetscapeRoot tree), those directories
are no longer manageable from Netscape Console. Do not uninstall a configuration
directory unless you have already uninstalled all other Netscape servers
that are configured in that directory instance. (301667)
-
Windows NT only. If you uninstall the Directory Server and you select everything
to uninstall except for the NT Synchronization Service, then the uninstaller
is deleted from your system and you can no longer uninstall the synch service.
In this situation, to uninstall the synch service, reinstall the server
and immediately uninstall it again, this time selecting the synchronization
service. (336657)
-
Currently, the installation program allows you to enter an installation
path that contains names that start with a number (for example: e:\0449).
This should not be allowed. Do not use a path that contains names beginning
with numbers. (349138)
-
Unix only. If you attempt to migrate a server that was running as root
to a server that is running as an unprivileged user, the migration will
fail. Always migrate a server that is running as root to a server that
is also running as root. (347692)
-
AIX only. While installing on AIX, the "Extracting..." messages are truncated
and it looks like installation has halted when it has not. Wait a few moments
and all of the packages will be extracted. Once the packages are extracted,
you are prompted to press a key for installation to continue. This message
may also be truncated. Press any key and the installation will then proceed
normally. (349687)
-
You cannot uninstall the directory server if there is no space left on
the device. Clear up some disk space and then uninstall the server. (352130)
Administration Server and Netscape Console
Replication
-
CIR only. If you initialize a consumer server from the Directory Console,
the message box ".. wait while consumer is being initialised" does not
always disappear when initialization is complete. Also, if you cancel the
message box and attempt to view the contents of the directory from the
Directory Console, the entries may not be visible. To correct this, after
initializing the consumer, exit and restart the Directory Console and initialize
the consumer again. (390871)
-
In the Directory Console, when creating a CIR agreement with SSL enabled,
the pulldown menu displays an incorrect SSL port number. You must click
the Other button, and enter the correct SSL port number. This problem sometimes
occurs on the AIX platform while creating an SIR agreement; the consumer's
pulldown menu is empty, so the SSL port number needs to be entered manually
by clicking the Other button. (398694)
-
In the Directory Console, when creating an SIR agreement with SSL enabled,
in some cases, the console generates java exceptions. This does not affect
the SIR agreement, which is correctly created and saved. (398694)
-
Use of dc-style naming is not supported with cascaded replication. (381549)
-
The hostname portion of the fully-qualified domain name entered during
server installation must exactly match the hostname of the machine running
the directory server. If it does not, you will be unable to configure replication
agreements. (382436)
Plug-Ins
-
Do not list the configuration for the PTA plug-in in slapd.conf
multiple times. If you do so, only the last configuration is used. Instead,
specify multiple LDAP URLs or subtrees as documented in Using
the Pass-Through Authentication Plug-In. (379678)
-
The COS plug-in is not supported in this release of the Directory Server;
it is provided as an example only.
Documentation
-
In Chapter 6 of the Directory Server Administrator's Guide, the
description of "Password Change After Reset" should also state that only
the unrestricted user (Root DN) can trigger the password reset. (383384)
-
In Chapter 1 of the Directory Server Administrator's Guide, the
procedure for starting and stopping the server from the command-line incorrectly
states that the scripts to start and stop the server must be run using
the same UID and GID that the server uses. Instead, if your server runs
on a port less than 1024, you must be logged in as root to run these scripts.
(335710)
-
The Directory Server Plug-In Programmer's Guide contains misleading
information about creating additional database plug-ins for use with Directory
Server. User-created database plug-ins are not supported with Directory
Server 4.x. (364180)
-
The valid range documented for the Look Through Limit parameter in Chapter
17, "Configuration Parameters" in the Administrator's Guide is incorrect.
The correct range is -1 to maximum integer. (381073)
-
In addition to the configuration information provided in Using
the Pass-Through Authentication Plug-In, you can also use multiple
LDAP URLs for the pass-through subtree parameter <subtree>.
(380266)
-
The Administrator's Guide incorrectly defines the ioblocktimeout
parameter. The unit used to determine when the connection to a stalled
LDAP client should be closed is ticks, not milliseconds. Also, the number
of ticks per second differs between operating systems; therefore,
the default value of 1800000 is not 30 minutes on all platforms. (367448)
-
The 4.1 Installation Guide that shipped with the server does not contain
the procedure for upgrading from a previous 4.x release. This information
is now available from the Installation Guide hosted on iPlanet's website
at (367383):
http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
-
The Directory Server Gateway documentation incorrectly gives the location
of the authck directory as (365271):
<NSHOME>/dsgw/authck
The documentation should say that the directory is located at:
<NSHOME>/bin/slapd/authck
-
The documentation does not indicate where the Bitstream Cyberbit font can be
located. This font is necessary for any Netscape browser that will attempt
to display non-English characters. (352274)
The font can be obtained from the following URL:
http://ftp.netscape.com/pub/communicator/extras/fonts/windows/
There are several readme files there that you should examine:
-
READMEfirst.txt contains information on platform recommendations.
-
ReadMe.htm or Readme.wri contain the installation/usage
documentation.
-
The Netscape Directory Server Installation
Guide does not adequately describe the migration procedure for large
directories. For large directory sizes (as a rule of thumb, anything greater
than 5000 entries), the documented migration procedure is not sufficient
because these entries are transferred between the old directory and the
new directory over LDAP, which will be relatively slow. (352275)
Instead, use the following procedure to migrate your directory:
1. Export your old directory to LDIF.
2. Create a simple directory structure in LDIF that matches the suffixes used
by your Directory Server. This should be a very simple file that only contains
the root entries for every suffix served by your Directory Server.
3. Shut down your old directory server.
4. Delete your old directory's database.
5. Import the simple directory that you created in step 2 to your old directory
server.
6. Perform the migration as described in the Netscape Directory Server
Installation Guide.
7. Shut down your newly migrated Directory Server.
8. Back up your new database. This is especially important if your new Directory
Server is a configuration directory (that is, it contains the o=NetscapeRoot
tree).
9. Import your original database from the LDIF that you saved in step 1. When
you do this, use the <NSHOME>/slapd-<serverID>/ldif2db
script, as this script will automatically preserve o=NetscapeRoot configuration
information so that it is included in your newly imported database.
10. Start your new Directory Server. You are done with migration.
Import and Export
-
Using Netscape Console, if you attempt to export a suffix that does not
exist the console does not warn you of the error but instead returns an
"Unexpected Error" message and then exits. (339555)
Internationalization
-
If you are running a domestic version of Netscape Directory Server, and
you want to view non-Latin-1 characters using the Directory Server Gateway
or Directory Express from a Communicator client, you need to configure
Communicator to display the correct fonts. See http://home.netscape.com/eng/intl/basics.html#fonts
for more specific information. (330218)
NT Synchronization Service
-
You may receive an error message that states "Error connecting to Synch
Service on port 5003" when attempting to synchronize, add all users, apply
changes, or stop the NT Synchronization Service. If this happens, exit
and restart the Configuration Tool. (38870)
-
You cannot use silent install to install just the NT Synchronization Service.
(109661)
Security and Access Control
-
When SSL is enabled on the NT Directory Server, attempts to start the directory
server from Netscape Console result in potentially confusing dialog boxes
if a dongle file is not used to store the key file password. A dialog box
appears on the machine where the Directory Server is running asking for
the key file password (this password is required before an SSL-enabled
Directory Server can be started). If nothing is entered into this dialog
box, a dialog box indicating that the Directory Server could not be started
will appear on the machine where Netscape Console is running. To work around
this problem, start the server from a Netscape Console running on the machine
where the server is running, unless you have a dongle file. (301624).
-
When the server is in SSL mode, the server console issues a warning dialog
upon server restart to let you know that a password will be required to
restart the server. However, this warning is not issued the first time
you restart to go into SSL mode. Also, the warning continues to be issued
for every restart after you take the server out of SSL mode. (333022, 341898)
SNMP Agent
-
On UNIX, the Netscape SNMP (Simple Network Management Protocol) subagent
will generate an unexpected error during startup unless the SNMP master
port is set to 199. (316650)
Directory Server Gateway
-
On Linux, if you want to use the Directory Server Gateway with Apache,
you must set the SERVER_URL environment variable in httpd.conf
to the web server on which the gateway runs. For example:
setenv SERVER_URL http://dsgwHomePage
-
If you want to use Directory Server Gateway with a Web Server other than
the Netscape Administration Server, you need to complete the following:
(338438)
Miscellaneous
-
On Windows NT, the Directory Server uses a hidden window named slapd-[server
identifier] to restart the server if it crashes. Anyone with access to
the machine who knows the name of the hidden window may be able to shut
down the server by shutting down the hidden window. (335719)
-
The server will not start up if DNs included in slapd.conf have
spaces. Always use %20 in place of spaces when including DNs in slapd.conf.
(349824)
For example, this is the correct way to format a DN in slapd.conf:
ldap://phonebook.airius.com/o%3Dace%20industry
while this is not correct:
ldap://phonebook.airius.com/o=ace industry
-
While 3.x Calendar Server will work with a 4.x Directory Server, the Calendar
Server requires the Directory Server to report itself as a 3.x Directory
Server. You can cause a 4.x Directory Server to report itself as a 3.x
Directory Server by using the versionstring parameter in slapd.conf.
Place the following line in your slapd.conf file and restart your server:
versionstring "Netscape-Directory/3.1"
THINGS TO BE AWARE OF
These exceptions are also documented in the customer documentation for
release 4.x of the Netscape Directory Server.
Configuration Files
-
On Windows NT, you can no longer use backslashes "\" in path names in the
configuration files; instead, use forward slashes "/".
Directory Server Gateway
-
If you add a user through the NT Synchronization Service and the user's
full name is not specified in Windows NT, the Synchronization Service
uses the NT UID as the value for the entry's cn attribute. In this situation,
the "Full Name" field on the gateway displays the NT UID of the user.
If you add a user through the NT Synchronization Service and the user's
full name is specified in Windows NT in addition to the NT UID,
then the Synchronization Service creates one cn with the NT user name and
also creates one cn with the full name. In this case, the gateway displays
both cns in the format NT uid+full name. (312457)
-
In order to use the gateway, Javascript must be turned on in Communicator.
(318303)
-
Specify the full DN for advanced searches on group members. (113063)
-
The syntax for gateway URLs changed between Directory Server 3.x and 4.x.
See the Directory Server Gateway Customization Guide for more information.
Netscape Console
-
Netscape Console does not support SSL certificate-based client authentication.
Directory servers configured to require SSL client authentication must
be managed from the command line. However, servers configured to allow
SSL client authentication may be managed from Netscape Console. (312404)
LDAP URLs
Directory Server Schema
-
If the Directory Server schema includes an object class that contains an
undefined attribute, on startup the server assumes that the undefined attribute
is a cis attribute and logs an error message stating that the attribute
needs to be added to the schema. This may cause unexpected behavior if
the undefined attribute is meant to contain data in any syntax other than
cis, for example, binary. (334257)
Migration
-
If you have multi-valued RDNs in your pre-4.1 directory, then when you
upgrade to Directory Server 4.1 or greater, you must export your database
to LDIF, perform the migration, and then reimport your database.
MORE INFORMATION
Installation instructions and release notes for all iPlanet and Netscape
servers are posted at http://docs.iplanet.com/docs/manuals/index.html.
Copyright 2000 © Sun Microsystems, Inc. Some preexisting portions
Copyright © 2000 Netscape Communications Corp. All Rights Reserved.