NETSCAPE DIRECTORY SERVER
Release 4.13
Last updated November 20, 2001
CONTENTS
These release notes include:
Installation Requirements
Corrections to 4.12
New Features and Enhancements
Known Problems
Things to Be Aware Of
More Information
INSTALLATION REQUIREMENTS
Netscape Directory Server 4.13 can be installed on
Unix or Windows NT. For platform requirements and pointers to installation
instructions, please see:
http://docs.iplanet.com/docs/manuals/directory/413/installation.html.
CORRECTIONS TO 4.12
June 22, 2001 Release Note correction. As of Release 4.12 of the
Netscape Directory Server, FORTEZZA support has been discontinued. All
previous references to FORTEZZA have been removed from these Release Notes.
No other changes to these Release Notes have been made.
This release of the Directory Server contains
fixes to the following known problems in Netscape Directory Server 4.12:
- A problem existed where the Directory Server crashes when the Netscape Application Server (NAS) attempted to register applications. When the Directory Server and NAS communicate on port 689, applications can be registered and changes made to the NAS configuration stored in o=NetscapeRoot. If the same thing was attempted on the production port (589), the Directory Server crashes while registering the applications. This has been corrected and this condition no longer exists. (525761)
- A problem existed where if SSL is enabled on a supplier, non-SSL replication will not function. This has been corrected. (511781)
- A problem existed where users are granted rights that are not set in the ACI. This was due to an erroneous evaluation of member groups. Users' rights are now correctly granted. (482561)
- The logs on the client as well as on the server side would show that the DS sends resultCode=0 when the administrative limit is exceeded and when the server-side-sort control is sent in the request. The correct result code is now sent when the administrative limit is exceeded. (394184)
- Related to (394184), LDAPConnection.search would not take into account the return code and returnedControls when there were no entries in the search result response. The correct behavior now occurs. (400260)
- Related to the previously listed defect, ldapjdk did not parse the resultCode for the SortResponseControl. The resultCode is now parsed correctly. (401187)
- A problem existed where the database recovery time from a system crash was extremely lengthy. This problem was made worse when there were a large number of entries in the DB. Corrections to the database library and to the backup and restore routines have corrected this. (396243)
- If a multi-valued attribute had two values that each started with the same three characters, had a substring index configured for this attribute, and one of these two values was deleted, then a substring search for the first three characters would not return the entry. This has been corrected and this same scenario will now correctly return that user entry.
  Note: If you have already been experiencing strange search results, ACI evaluation problems, or anything else that may manifest from an inaccurate index, you will need to regenerate those index files per the manual, as well as install this new version that has the fix. Simply installing this new version will not automatically rebuild your existing (possibly inaccurate) index files. (398411)
- It was reported that instances that include '_' in their names could not be migrated. This has been corrected and the underscore is now included as a word constituent. (403481)
- NT Synch would not synch ntuserprofile for a new user. Corrections now allow the ntuserprofile to be synched at initial creation. (396160)
- A request was made to add the ability to direct the server to deposit a core file in a customer-defined location. The problem was that the existing hard-coded location of "/" can cause a core file not to get written due to permissions, lack of disk space, etc. With this new functionality the core file location is now the current location of your error log file, which an administrator can change. (495881)
- Performing db2ldif -r would cause a core dump if the supplier failed to bind to the consumer. This has been corrected. (396886)
- Customers experienced frequent freezes or hangs of the Directory Server, as occasionally the Directory Server consumed all CPU time and would become non-responsive. This has been corrected. (514362)
NEW FEATURES AND ENHANCEMENTS
This point release of the Directory Server provides
the following new features:
User definable core file directory
The server can now be directed to deposit a core file in a customer-defined location. With this new functionality the core file location is now the current location of your error log file, which an administrator can change. For example, if you want any future core files to go to the /xxxx/yyyy/ directory, go to the Configuration | Logs | Error Log area in the Directory Server Console, and change the error log file location to /xxxx/yyyy/errors. (495881)
HP-UX Large Memory Model
The ns-slapd process can now grow up to 2 Gb in process size.
Note: Specific HP-UX patches are required in order to fully take advantage
of this newly available address space. Specifically, you need these HPUX 11.00 patches
for Large Memory Model (Beyond the 1 Gb quadrant limitation):
- PHCO_22453 11.00 fsck_vxfs(1M) cumulative patch
- PHCO_21187 cumulative SAM/ObAM patch
- PHKL_22432 VxFS 3.1 icache cumulative patch
- PHKL_22589 LOFS, select(), IDS/9000 and umount race fix
- PHKL_21610 Large Data Space, kernel memory leak fix
- PHKL_21507 Fix for crfree, MPI panic; IDS/9000 support
- PHKL_20228 Large Data Space (7 of 8)
- PHKL_21039 semget;large data space;msgmnb;SEMMSL
- XSWGR1100 General Release Bundle (Sept 2000 or latest)
Tuning for the Large Memory Model
The maximum value for the kernel parameter 'maxdsiz' is 0x7B03A000 (approx. 2 Gb), which is the acceptable maximum value recommended by HP.
The Directory Server 'dbcachesize' and entry 'cachesize' parameters are tuned in the slapd.ldbm.conf file. The following recommendations apply to iDS 4.1x:
- The maximum value for dbcachesize is 858993450. This is due to a PA-RISC hardware limitation which prevents memory-mapped files from crossing quadrant boundaries. Therefore, the 1 GB quadrant size limits how big the dbcachesize attribute can be. The database code allocates 25% of overhead space to manage the dbcachesize. When you take 1 Gb and subtract 25% of overhead you obtain the maximum value for dbcachesize of 858993450.
- Ensure that the combined values for 'dbcachesize' and entry 'cachesize' are tuned not to exceed 2 Gb total:
  (dbcachesize * 1.25) + (cachesize * avg. size of entry * #CPUs) < maxdsiz (max. 2 Gb)
New AIX Large Memory Model
AIX users reported that the 256 Mbyte default limitation imposed on ns-slapd is restrictive. We recompiled/relinked ns-slapd with -bmaxdata equal to 0x50000000, which gave us maximum values for process data space, 'dbcachesize', and entry 'cachesize'. These values fit the iPlanet Directory Server database recommendations, which stand at 75% for 'dbcachesize' and 25% for entry 'cachesize'. (520052)
Tuning for AIX 4.3.2 and 4.3.3 Large Memory Model (beyond the 256 Mbyte segment limitation)
To achieve the maximum value (1.342 Gbytes) of process data space, we recommend you tune the following parameters in the slapd.ldbm.conf file:
1) 1.000 Gbytes of 'dbcachesize', which can be tuned by the directory administrator.
2) 342,000 entries of (1 Kbyte) average size for entry 'cachesize', which can also be tuned.
These values can be changed, but keep in mind the following equation when making adjustments:
'dbcachesize' + entry 'cachesize' <= 1.342 Gbytes of process data space
Note: Although there is an external way to modify 'maxdata' for ns-slapd and obtain higher values for 'process data space', as described on the IBM site for the large memory model, it is not currently supported by iPlanet.
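The following is an added example, not part of the Netscape release notes, that turns the two tuning rules above (the HP-UX inequality and the AIX sum) into a check you can run against a proposed setting before restarting ns-slapd. The slapd.ldbm.conf line format it parses ("<keyword> <value>" per line) and the sample fragment are assumptions of this example; the numeric limits are the ones stated in these notes.

```python
"""Added example: validate dbcachesize/cachesize against the HP-UX and AIX
large memory model limits quoted in the release notes."""

HPUX_MAXDSIZ_MAX = 0x7B03A000      # notes: maximum maxdsiz recommended by HP (approx. 2 Gb)
HPUX_DBCACHESIZE_MAX = 858993450   # notes: 1 Gb quadrant less 25% database overhead
AIX_MAXDATA = 0x50000000           # notes: -bmaxdata used for ns-slapd (1.342 Gbytes)
DB_OVERHEAD = 1.25                 # notes: the database code allocates 25% overhead


def parse_ldbm_conf(text):
    """Extract integer dbcachesize (bytes) and cachesize (entries) from a
    slapd.ldbm.conf-style fragment. The "<keyword> <value>" line format is an
    assumption of this example; other lines and comments are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("dbcachesize", "cachesize"):
            values[parts[0]] = int(parts[1])
    missing = {"dbcachesize", "cachesize"} - set(values)
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(sorted(missing)))
    return values


def hpux_problems(dbcachesize, cachesize, avg_entry_size, ncpus, maxdsiz=HPUX_MAXDSIZ_MAX):
    """Return the HP-UX tuning rules a setting violates (empty list = OK).
    Implements: (dbcachesize * 1.25) + (cachesize * avg entry size * #CPUs) < maxdsiz."""
    problems = []
    if maxdsiz > HPUX_MAXDSIZ_MAX:
        problems.append(f"maxdsiz {maxdsiz:#x} exceeds HP's recommended maximum {HPUX_MAXDSIZ_MAX:#x}")
    if dbcachesize > HPUX_DBCACHESIZE_MAX:
        problems.append(f"dbcachesize {dbcachesize} exceeds the quadrant limit {HPUX_DBCACHESIZE_MAX}")
    footprint = dbcachesize * DB_OVERHEAD + cachesize * avg_entry_size * ncpus
    if footprint >= maxdsiz:
        problems.append(f"projected data space {footprint:.0f} is not below maxdsiz {maxdsiz}")
    return problems


def aix_problems(dbcachesize, cachesize, avg_entry_size):
    """Return violations of: 'dbcachesize' + entry 'cachesize' <= 1.342 Gbytes,
    with the entry cache converted to bytes via the average entry size."""
    footprint = dbcachesize + cachesize * avg_entry_size
    if footprint > AIX_MAXDATA:
        return [f"projected data space {footprint} exceeds maxdata {AIX_MAXDATA}"]
    return []


# constructed slapd.ldbm.conf fragment (sample input): the AIX recommendation above
SAMPLE_CONF = """\
# sample fragment, not a real configuration file
cachesize 342000
dbcachesize 1000000000
"""

if __name__ == "__main__":
    conf = parse_ldbm_conf(SAMPLE_CONF)
    # the notes' AIX figures assume 1 Kbyte (decimal) entries
    print("AIX:", aix_problems(conf["dbcachesize"], conf["cachesize"], 1000) or "OK")
    print("HP-UX, 4 CPUs:", hpux_problems(conf["dbcachesize"], conf["cachesize"], 1000, 4) or "OK")
```

The same figures that satisfy the AIX rule fail both HP-UX rules (the 1 Gb dbcachesize is above the quadrant limit, and four CPUs multiply the entry cache), which is why the two platforms are tuned separately above.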
KNOWN PROBLEMS
This section lists known problems with Netscape Directory Server 4.13. The problems are identified by bug number to help you refer to them if you need to contact technical support.
Installation, Migration, and Upgrade
- Users may run into upgrade issues going from DS 4.11 to DS 4.13 when SSL is enabled. This condition is alleviated by disabling SSL before upgrading and then re-enabling SSL after upgrading. (530413)
- Users may run into upgrade issues with SSL enabled on Unix servers. The install will appear to hang: although there will be no prompt to enter a password, type in the key password and press Enter, and the upgrade will complete successfully. (530391)
- If you cancel NT Synchronization Service installation before entering the host name and port, the next time you reboot the machine the NT Synchronization Service attempts to start and fails. (395062)
- On Windows NT systems, you must use the Typical Installation procedures to upgrade from Directory Server 4.1 to 4.11 or 4.12; if you use the Custom Installation procedures, the installation will fail. (367312)
- Unix only: The platform version included in the name of the gzipped installation package does not necessarily match the version of the platform that the binaries run on. (368822) For example, the following package contains the product binaries for Solaris 2.6, 7, and 8:
  directory-4_12-domestic-us_sparc-sun-solaris2_6_tar.gz
- The Installation Guide that shipped with the server does not contain the procedure for upgrading from a previous 4.x release. This information is now available from the Installation Guide hosted on iPlanet's website at (367383):
  http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
- The installation program no longer asks you if you want the installation cache deleted (it is now deleted by default). To cause the installation cache to be saved when the installation is completed, run setup with the -k option. You must run the setup program with -k if you want to perform a silent installation. (339769, 387540, 330298)
- On Linux, set the TERM environment variable to vt100 before you install. If you do not set your terminal to vt100, the screen text displayed during installation may be offset and difficult to read. (348576)
- On Windows NT, you must install Communicator 4.x before you can install the NT Synch Service. (350963)
- If you are migrating your supplier or consumer Directory Server from a previous release and you want to maintain the replication agreements from the old server, you must migrate into a new instance instead of an existing one. Replication agreements are denoted by the port number of the supplier and consumer server, and the port number is not transferred if you migrate into an existing instance. Therefore, if you choose to migrate your supplier or consumer Directory Server into an existing instance, you will need to reconfigure the replication agreements with the correct port numbers. (351935)
- Migration from a 1.x server to 4.12 on Digital Unix or Irix is not supported. (351461)
- After migration from 3.x to 4.12 on NT, you may have two server instances (one 3.x and one 4.12) listening on the same port. If you no longer want to use your 3.x server, delete it using the 3.x administrative interface, or disable it in the Services Control Panel. (351663)
- If you want to migrate an SSL-enabled Directory Server to the 4.x release, follow these steps (117420, 347858):
  1) Turn off SSL in the old server.
  2) Migrate the old server to 4.x. From the command line, change to:
     /<4x_Server_Root>/bin/admin/admin/bin
     where <4x_Server_Root> is the directory where you installed the 4.x Directory Server.
  3) Run the sec-migrate command-line utility as follows:
     On Unix:
     ./sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
     On Windows NT:
     sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
     where <Old_Server_Root> is the directory where you installed the pre-4.0 Directory Server, <CertDB_Alias> is the alias you used when setting up the certificate database, <4x_Server_Root> is the directory where you installed the 4.x Directory Server, and <Old_CertDB_Password> is the certificate database password.
     For example:
     ./sec-migrate /NSHOME/ds30/ mycertdb /usr/netscape/server4/ slapd-mycertdb mycertdbpw
  4) From the command line, change to:
     /<4x_Server_Root>/alias
  5) Rename slapd-<CertDB_Alias>-key3.db3.db to slapd-<CertDB_Alias>-key3.db.
  6) Rename slapd-<CertDB_Alias>-cert7.db7.db to slapd-<CertDB_Alias>-cert7.db.
  7) Rename <CertDB_Alias>-password.txt to slapd-<CertDB_Alias>-pin.txt. In 4.0, you only needed to type the password in the file in cleartext, for example mypassword. For 4.1 through 4.12, you need to include the token name and password in slapd-<CertDB_Alias>-pin.txt as follows:
     Token:Password
     For example:
     Internal (Software) Token:mypassword
  8) On the Directory Server Console for the migrated instance, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
  9) Select the Encryption tab in the right pane.
  10) Select the Enable SSL checkbox.
  11) Select at least one cipher family.
  12) Click Save.
  13) Restart the 4.x Directory Server.
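Steps 5 through 7 of that procedure are two file renames plus a change of the password file's format. The following added example (not the Netscape sec-migrate tool and not part of the original notes) performs those three steps on an alias directory and converts the 4.0 cleartext password file into the Token:Password form. The demo() directory and its files are constructed sample data; restricting the pin file to owner-only permissions is an addition of this example, not something the notes require.

```python
"""Added example: apply the alias-directory steps (5-7) of the SSL migration
procedure from the release notes."""
import os
import stat
import tempfile

DEFAULT_TOKEN = "Internal (Software) Token"   # token name used in the notes' example


def convert_alias_files(alias_dir, certdb_alias, token=DEFAULT_TOKEN):
    """Rename the migrated key/cert databases and turn the cleartext
    <alias>-password.txt into slapd-<alias>-pin.txt holding Token:Password.
    Returns the mapping of old file name -> new file name that was applied."""
    renames = {
        f"slapd-{certdb_alias}-key3.db3.db": f"slapd-{certdb_alias}-key3.db",    # step 5
        f"slapd-{certdb_alias}-cert7.db7.db": f"slapd-{certdb_alias}-cert7.db",  # step 6
    }
    for old, new in renames.items():
        src = os.path.join(alias_dir, old)
        dst = os.path.join(alias_dir, new)
        if not os.path.exists(src):
            raise FileNotFoundError(f"expected migrated database {src}")
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite {dst}")
        os.rename(src, dst)

    # step 7: the 4.0 file holds only the bare password
    pw_file = os.path.join(alias_dir, f"{certdb_alias}-password.txt")
    pin_file = os.path.join(alias_dir, f"slapd-{certdb_alias}-pin.txt")
    with open(pw_file) as fh:
        password = fh.read().strip()
    if not password:
        raise ValueError(f"{pw_file} is empty")
    # 4.1 through 4.12 expect Token:Password
    with open(pin_file, "w") as fh:
        fh.write(f"{token}:{password}\n")
    os.chmod(pin_file, stat.S_IRUSR | stat.S_IWUSR)  # owner-only (added hardening)
    os.remove(pw_file)
    renames[f"{certdb_alias}-password.txt"] = f"slapd-{certdb_alias}-pin.txt"
    return renames


def demo():
    """Run the conversion on a constructed alias directory and return
    (sorted file names afterwards, pin file contents)."""
    alias_dir = tempfile.mkdtemp(prefix="alias-")
    for name in ("slapd-mycertdb-key3.db3.db", "slapd-mycertdb-cert7.db7.db"):
        with open(os.path.join(alias_dir, name), "wb") as fh:
            fh.write(b"")  # placeholder contents, not a real certificate database
    with open(os.path.join(alias_dir, "mycertdb-password.txt"), "w") as fh:
        fh.write("mypassword\n")  # constructed sample password
    convert_alias_files(alias_dir, "mycertdb")
    with open(os.path.join(alias_dir, "slapd-mycertdb-pin.txt")) as fh:
        pin = fh.read()
    return sorted(os.listdir(alias_dir)), pin


if __name__ == "__main__":
    files, pin = demo()
    print(files)
    print(pin, end="")
```

Run it against a copy of the alias directory first; the function refuses to overwrite an existing target so that a half-completed earlier attempt is noticed rather than silently clobbered.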
- Netscape recommends setting the database cache (dbcache in slapd.ldbm.conf) on NT to a value no greater than 800 Mb. (116968)
- When a configuration directory used to register Netscape servers is uninstalled (that is, a directory that contains an o=NetscapeRoot tree), those directories are no longer manageable from Netscape Console. Do not uninstall a configuration directory unless you have already uninstalled all other Netscape servers that are configured in that directory instance. (301667)
- Windows NT only. If you uninstall the Directory Server and you select everything to uninstall except for the NT Synchronization Service, then the uninstaller is deleted from your system and you can no longer uninstall the Synchronization Service. In this situation, to uninstall the Synchronization Service, reinstall the server and immediately uninstall it again, this time selecting the Synchronization Service. (336657)
- Currently, the installation program allows you to enter an installation path that contains names that start with a number (for example: e:\0449). This should not be allowed. Do not use a path that contains names beginning with numbers. (349138)
- Unix only. If you attempt to migrate a server that was running as root to a server that is running as an unprivileged user, the migration will fail. Always migrate a server that is running as root to a server that is also running as root. (347692)
- AIX only. While installing on AIX, the "Extracting....>" messages are truncated, and it looks like installation has halted when it has not. Wait a few moments and all of the packages will be extracted. Once the packages are extracted, you are prompted to press a key for installation to continue. This message may also be truncated. Press any key and the installation will then proceed normally. (349687)
- You cannot uninstall the Directory Server if there is no space left on the device. Clear up some disk space and then uninstall the server. (352130)
Replication
- CIR only. If you initialize a consumer server from the Directory Console, the message box ".. wait while consumer is being initialized" does not always disappear when initialization is complete. Also, if you cancel the message box and attempt to view the contents of the directory from the Directory Console, the entries may not be visible. To correct this, after initializing the consumer, exit and restart the Directory Console and initialize the consumer again. (390871)
- In the Directory Console, when creating a CIR agreement with SSL enabled, the pulldown menu displays an incorrect SSL port number. You must click the Other button, and enter the correct SSL port number. This problem sometimes occurs on the AIX platform while creating an SIR agreement; the consumer's pulldown menu is empty, so the SSL port number needs to be entered manually by clicking the Other button. (398694)
- In the Directory Console, when creating an SIR agreement with SSL enabled, in some cases the console generates Java exceptions. This does not affect the SIR agreement, which is correctly created and saved. (398694)
- Use of dc-style naming is not supported with cascaded replication. (381549)
- The hostname portion of the fully-qualified domain name entered during server installation must exactly match the hostname of the machine running the Directory Server. If it does not, you will be unable to configure replication agreements. (382436)
Plug-Ins
- Do not list the configuration for the PTA plug-in in slapd.conf multiple times. If you do so, only the last configuration is used. Instead, specify multiple LDAP URLs or subtrees as documented in Using the Pass-Through Authentication Plug-In. (379678)
- The COS plug-in is not supported in this release of the Directory Server; it is provided as an example only.
Documentation
- In Chapter 6 of the Directory Server Administrator's Guide, the description of "Password Change After Reset" should also state that only the unrestricted user (Root DN) can trigger the password reset. (383384)
- In Chapter 1 of the Directory Server Administrator's Guide, the procedure for starting and stopping the server from the command line incorrectly states that the scripts to start and stop the server must be run using the same UID and GID that the server uses. Instead, if your server runs on a port less than 1024, you must be logged in as root to run these scripts. (335710)
- The Directory Server Plug-In Programmer's Guide contains misleading information about creating additional database plug-ins for use with Directory Server. User-created database plug-ins are not supported with Directory Server 4.x. (364180)
- The valid range documented for the Look Through Limit parameter in Chapter 17, "Configuration Parameters" in the Administrator's Guide, is incorrect. The correct range is -1 to maximum integer. (381073)
- In addition to the configuration information provided in Using the Pass-Through Authentication Plug-In, you can also use multiple LDAP URLs for the pass-through subtree parameter <subtree>. (380266)
- The Administrator's Guide incorrectly defines the ioblocktimeout parameter. The unit used to determine when the connection to a stalled LDAP client should be closed is ticks, not milliseconds. Also, the number of ticks per second is different on different operating systems; therefore, the default value of 1800000 is not 30 minutes on all platforms. (367448)
- The 4.1 Installation Guide that shipped with the server does not contain the procedure for upgrading from a previous 4.x release. This information is now available from the Installation Guide hosted on iPlanet's website at (367383):
  http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
- The Directory Server Gateway documentation incorrectly gives the location of the authck directory as (365271):
  <NSHOME>/dsgw/authck
  The documentation should say that the directory is located at:
  <NSHOME>/bin/slapd/authck
- The documentation does not indicate where the Bitstream Cyberbit font can be located. This font is necessary for any Netscape browser that attempts to display non-English characters. (352274) The font can be obtained from the following URL:
  http://ftp.netscape.com/pub/communicator/extras/fonts/windows/
  There are several readme files there that you should examine:
  - READMEfirst.txt contains information on platform recommendations.
  - ReadMe.htm or Readme.wri contain the installation/usage documentation.
- The Netscape Directory Server Installation Guide does not adequately describe the migration procedure for large directories. For large directory sizes (as a rule of thumb, anything greater than 5000 entries), the documented migration procedure is not sufficient because these entries are transferred between the old directory and the new directory over LDAP, which will be relatively slow. (352275) Instead, use the following procedure to migrate your directory:
  1) Export your old directory to LDIF.
  2) Create a simple directory structure in LDIF that matches the suffixes used by your Directory Server. This should be a very simple file that only contains the root entries for every suffix served by your Directory Server.
  3) Shut down your old Directory Server.
  4) Delete your old directory's database.
  5) Import the simple directory that you created in step 2 to your old Directory Server.
  6) Perform the migration as described in the Netscape Directory Server Installation Guide.
  7) Shut down your newly migrated Directory Server.
  8) Back up your new database. This is especially important if your new Directory Server is a configuration directory (that is, it contains the o=NetscapeRoot tree).
  9) Import your original database from the LDIF that you saved in step 1. When you do this, use the <NSHOME>/slapd-<serverID>/ldif2db script, as this script will automatically preserve o=NetscapeRoot configuration information so that it is included in your newly imported database.
  10) Start your new Directory Server. You are done with migration.
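Step 2 of that procedure calls for an LDIF file holding only the root entry of each suffix. As an added example (not from the Installation Guide or these release notes), the function below generates such a file from a list of suffixes. The RDN-attribute-to-object-class table is standard LDAP schema; the SAMPLE_SUFFIXES list is a constructed assumption about what a given server serves, and the function rejects multi-valued RDNs, which the Migration note under Things to Be Aware Of says need the export/reimport route anyway.

```python
"""Added example: generate the 'simple directory structure' LDIF of step 2,
one root entry per suffix."""

# RDN attribute type -> structural object class of a suffix root entry
# (standard LDAP schema; extend the table for any other suffix style you use)
ROOT_OBJECTCLASS = {
    "o": "organization",
    "ou": "organizationalUnit",
    "dc": "domain",
    "c": "country",
    "l": "locality",
}


def split_rdn(suffix):
    """Return (attribute type, value) of the first RDN of a suffix such as
    'o=airius.com' or 'dc=example,dc=com'. Multi-valued RDNs (a+b=...) are
    rejected because a root entry built from them would be wrong."""
    first = suffix.split(",", 1)[0].strip()
    if "+" in first:
        raise ValueError(f"multi-valued RDN not handled: {first}")
    attr, _, value = first.partition("=")
    attr = attr.strip().lower()
    value = value.strip()
    if not attr or not value:
        raise ValueError(f"not an RDN: {first}")
    return attr, value


def root_entries_ldif(suffixes):
    """Return LDIF text containing only the root entry of each suffix."""
    records = []
    for suffix in suffixes:
        attr, value = split_rdn(suffix)
        try:
            object_class = ROOT_OBJECTCLASS[attr]
        except KeyError:
            raise ValueError(f"no root object class known for attribute '{attr}'") from None
        records.append(
            f"dn: {suffix}\n"
            f"objectclass: top\n"
            f"objectclass: {object_class}\n"
            f"{attr}: {value}\n"
        )
    return "\n".join(records)


# constructed sample: a data suffix plus the configuration directory suffix
SAMPLE_SUFFIXES = ["o=airius.com", "o=NetscapeRoot"]

if __name__ == "__main__":
    print(root_entries_ldif(SAMPLE_SUFFIXES), end="")
```

Compare the suffix list against the suffix lines of your slapd.conf before importing the result in step 5; a suffix missing here means its entries have nowhere to land when the full LDIF is reimported in step 9.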
Import and Export
- Using Netscape Console, if you attempt to export a suffix that does not exist, the console does not warn you of the error but instead returns an "Unexpected Error" message and then exits. (339555)
Internationalization
- If you are running a domestic version of Netscape Directory Server, and you want to view non-Latin-1 characters using the Directory Server Gateway or Directory Express from a Communicator client, you need to configure Communicator to display the correct fonts. See http://home.netscape.com/eng/intl/basics.html#fonts for more specific information. (330218)
NT Synchronization Service
- You may receive an error message that states "Error connecting to Synch Service on port 5003" when attempting to synchronize, add all users, apply changes, or stop the NT Synchronization Service. If this happens, exit and restart the Configuration Tool. (38870)
- You cannot use silent install to install just the NT Synchronization Service. (109661)
Security and Access Control
- When SSL is enabled on the NT Directory Server, attempts to start the Directory Server from Netscape Console result in potentially confusing dialog boxes if a dongle file is not used to store the key file password. A dialog box appears on the machine where the Directory Server is running asking for the key file password (this password is required before an SSL-enabled Directory Server can be started). If nothing is entered into this dialog box, a dialog box indicating that the Directory Server could not be started will appear on the machine where Netscape Console is running. To work around this problem, start the server from a Netscape Console running on the machine where the server is running, unless you have a dongle file. (301624)
- When the server is in SSL mode, the server console issues a warning dialog upon server restart to let you know that a password will be required to restart the server. However, this warning is not issued the first time you restart to go into SSL mode. Also, the warning continues to be issued for every restart after you take the server out of SSL mode. (333022, 341898)
SNMP Agent
- On UNIX, the Netscape SNMP (Simple Network Management Protocol) subagent will generate an unexpected error during startup unless the SNMP master port is set to 199. (316650)
Miscellaneous
- On Windows NT, the Directory Server uses a hidden window named slapd-[server identifier] to restart the server if it crashes. Anyone with access to the machine who knows the name of the hidden window may be able to shut down the server by shutting down the hidden window. (335719)
- The server will not start up if DNs included in slapd.conf have spaces. Always use %20 in place of spaces when including DNs in slapd.conf. (349824) For example, this is the correct way to format a DN in slapd.conf:
  ldap://phonebook.airius.com/o%3Dace%20industry
  while this is not correct:
  ldap://phonebook.airius.com/o=ace industry
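An added example, not from the release notes, that builds slapd.conf LDAP URLs with the DN percent-encoded exactly as the correct form above shows, and flags configuration lines whose DN was left with raw spaces so the problem is caught before a restart fails. The rule it uses to spot an unencoded space (once a line contains an ldap:// URL, every later whitespace-separated token must itself be an ldap:// URL) is an assumption of this example, as are the sample configuration text and its keyword names.

```python
"""Added example: percent-encode DNs in slapd.conf LDAP URLs and detect
URLs whose DN still contains raw spaces."""
from urllib.parse import quote, unquote, urlsplit


def ldap_url(host, dn, port=None):
    """Build ldap://host[:port]/<dn> with every reserved character in the DN
    percent-encoded: 'o=ace industry' -> 'o%3Dace%20industry'."""
    netloc = host if port is None else f"{host}:{port}"
    return f"ldap://{netloc}/{quote(dn, safe='')}"


def dn_from_ldap_url(url):
    """Inverse operation: recover the base DN from an encoded LDAP URL."""
    return unquote(urlsplit(url).path.lstrip("/"))


def url_problems(line):
    """Return the problems found in the ldap:// URLs on one slapd.conf line
    (an empty list means the line is fine). Assumed rule: after the first
    ldap:// URL on a line, every further whitespace-separated token must also
    be an ldap:// URL; any other token is the tail of a DN that an unencoded
    space has split, which is the condition that stops the server starting."""
    problems = []
    seen_url = False
    for tok in line.split():
        if tok.startswith("ldap://"):
            seen_url = True
            path = urlsplit(tok).path.lstrip("/")
            # re-encoding the decoded DN must reproduce the path exactly
            if quote(unquote(path), safe="").lower() != path.lower():
                problems.append(f"DN in {tok!r} is not fully percent-encoded")
        elif seen_url:
            problems.append(f"unencoded space before {tok!r}")
    return problems


def scan_conf(conf_text):
    """Run url_problems() over every non-comment line of a configuration
    fragment; returns [(line number, problems)] for the lines that fail."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        problems = url_problems(line)
        if problems:
            findings.append((number, problems))
    return findings


# constructed slapd.conf fragment; 'referral' and 'pta-subtree' are placeholder
# keyword names for illustration, not taken from the product documentation
SAMPLE_CONF = """\
referral ldap://phonebook.airius.com/o%3Dace%20industry
referral ldap://phonebook.airius.com/o=ace industry
pta-subtree ldap://auth1.example/o%3Dace%20industry ldap://auth2.example/o%3Dace%20industry
"""

if __name__ == "__main__":
    print(ldap_url("phonebook.airius.com", "o=ace industry"))
    for number, problems in scan_conf(SAMPLE_CONF):
        print(f"line {number}: " + "; ".join(problems))
```

The third sample line shows why the check tolerates several URLs on one line: the Pass-Through Authentication note above relies on listing multiple LDAP URLs for one subtree parameter.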
- While Calendar Server 3.x will work with Directory Server 4.x, the Calendar Server requires the Directory Server to report itself as a 3.x Directory Server. You can cause Directory Server 4.x to report itself as a 3.x Directory Server by using the versionstring parameter in slapd.conf. Place the following line in your slapd.conf file and restart your server:
  versionstring "Netscape-Directory/3.1"
THINGS TO BE AWARE OF
These exceptions are also documented in the customer
documentation for release 4.x of the Netscape Directory Server.
Configuration Files
- On Windows NT, you can no longer use backslashes "\" in path names in the configuration files; instead, use forward slashes "/".
Directory Server Gateway
- If you add a user through the NT Synchronization Service and the user's full name is not specified in Windows NT, the Synchronization Service uses the NT UID as the value for the entry's cn attribute. In this situation, the "Full Name" field on the gateway displays the NT UID of the user. If you add a user through the NT Synchronization Service and the user's full name is specified in Windows NT in addition to the NT UID, then the Synchronization Service creates one cn with the NT user name and also creates one cn with the full name. In this case, the gateway displays both cns in the format NT uid+full name. (312457)
- In order to use the gateway, JavaScript must be turned on in Communicator. (318303)
- Specify the full DN for advanced searches on group members. (113063)
- The syntax for gateway URLs changed between Directory Server 3.x and 4.x. See the Directory Server Gateway Customization Guide for more information.
Netscape Console
- Netscape Console does not support SSL certificate-based client authentication. Directory servers configured to require SSL client authentication must be managed from the command line. However, servers configured to allow SSL client authentication may be managed from Netscape Console. (312404)
Directory Server Schema
- If the Directory Server schema includes an object class that contains an undefined attribute, on startup the server assumes that the undefined attribute is a cis attribute and logs an error message stating that the attribute needs to be added to the schema. This may cause unexpected behavior if the undefined attribute is meant to contain data in any syntax other than cis, for example, binary. (334257)
Migration
- If you have multi-valued RDNs in your pre-4.1 directory, when you upgrade to Directory Server 4.1 or greater, you must export your database to LDIF, perform the migration, and then reimport your database.
MORE INFORMATION
Installation instructions and release notes for all
iPlanet and Netscape servers are posted at http://docs.iplanet.com/docs/manuals/index.html.