NETSCAPE DIRECTORY SERVER
Release 4.15
Last updated February 21, 2002
CONTENTS
These release notes include:
Installation Notes
Corrections to 4.13/Internal Only 4.14
Known Problems
Things to Be Aware Of
More Information
INSTALLATION NOTES
These installation notes include the following information:
Supported Platforms and Hardware Requirements
This release of Directory Server is supported on the following platforms,
with the noted requirements:
- Solaris 2.6 and Solaris 8 (32-bit OS mode with the Sun recommended patch set).
- Solaris 8 (64-bit OS mode running in compatibility/emulation mode).
- HP-UX 11.00 (with the noted restrictions/recommendations).
- Redhat Linux 6.0 (Including kernel 2.2.5 and glibc 2.1.1).
- Windows NT 4.0, with service pack 6a.
On all platforms, 64 Mb of RAM is required to run Directory Server 4.15. More
memory is required for large directory sizes.
When configuring the Directory Server cache values keep in mind the following formula:
(dbcachesize * 1.25 ) + (cachesize * avg. size of entry * #CPUs) < available memory
A minimal installation of Directory Server requires 200 Mb of disk space. More disk
space is required as your directory size (and therefore your database) grows.
The Netscape Console and the Directory Server console (the graphical user
interfaces used to administer the server) are provided via a Java application.
The consoles run on all platforms supported by the server, as well as on a
remote Windows 95 system.
A stand-alone installation of the console requires 64 Mb of memory and
40 Mb of disk space.
Recommended Patches for Solaris 2.6 and Solaris 8
Patches for Solaris 2.6
105181-28: SunOS 5.6: Kernel update patch
105210-38: SunOS 5.6: libaio, libc & watchmalloc patch
105216-04: SunOS 5.6: /usr/sbin/rpcbind patch
105284-41: Motif 1.2.7: Runtime library patch
105338-27: CDE 1.2: dtmail patch
105356-18: SunOS 5.6: /kernel/drv/ssd and /kernel/drv/sd patch
105357-04: SunOS 5.6: /kernel/drv/ses patch
105375-26: SunOS 5.6: sf & socal driver patch
105379-06: SunOS 5.6: /kernel/misc/nfssrv patch
105395-06: SunOS 5.6: /usr/lib/sendmail patch
105401-34: SunOS 5.6: libnsl and NIS+ commands patch
105403-04: SunOS 5.6: ypbind/ypserv patch
105407-01: SunOS 5.6: /usr/bin/volrmmount patch
105464-02: OpenWindows 3.6: Multiple xterm fixes
105472-08: SunOS 5.6: /usr/lib/autofs/automountd patch
105486-04: SunOS 5.6: /kernel/fs/hsfs patch
105529-11: SunOS 5.6: /kernel/drv/tcp patch
105552-03: SunOS 5.6: /usr/sbin/rpc.nisd_resolv patch
105558-04: CDE 1.2: dtpad patch
105562-03: SunOS 5.6: chkey and keylogin patch
105566-11: CDE 1.2: calendar manager patch
105568-23: SunOS 5.6: /usr/lib/libthread.so.1 patch
105580-18: SunOS 5.6: /kernel/drv/glm patch
105591-09: SunOS 5.6: Shared library patch for C++
105615-08: SunOS 5.6: /usr/lib/nfs/mountd patch
105633-57: OpenWindows 3.6: Xsun patch
105642-08: SunOS 5.6: prtdiag patch
105665-03: SunOS 5.6: /usr/bin/login patch
105667-03: SunOS 5.6: /usr/bin/rdist patch
105669-10: CDE 1.2: libDtSvc Patch
105703-27: CDE 1.2: dtlogin patch
105720-14: SunOS 5.6: /kernel/fs/nfs patch
105722-07: SunOS 5.6: /usr/lib/fs/ufs/ufsdump and ufsrestore patch
105741-09: SunOS 5.6: /kernel/drv/ecpp patch
105755-10: SunOS 5.6: libresolv, in.named, named-xfer, nslookup, nstest patch
105780-05: SunOS 5.6: /kernel/fs/fifofs patch
105786-14: SunOS 5.6: /kernel/drv/ip driver patch
105792-06: SunOS 5.6: /usr/sbin/tar patch
105800-07: SunOS 5.6: /usr/bin/admintool, y2000 patch
105802-15: OpenWindows 3.6: ToolTalk patch
105837-03: CDE 1.2: dtappgather Patch, including SDE 1.0 installations
105847-09: SunOS 5.6: /kernel/drv/st.conf and /kernel/drv/st patch
106027-09: CDE 1.2 / SDE 1.0: dtsession patch
106040-16: SunOS 5.6: X Input & Output Method patch
106049-02: SunOS 5.6: /usr/sbin/in.telnetd patch
106112-06: CDE 1.2: dtfile patch
106123-05: SunOS 5.6: sgml patch
106125-11: SunOS 5.6: Patch for patchadd and patchrm
106193-06: SunOS 5.6: Patch for Taiwan timezone
106222-01: OpenWindows 3.6: filemgr (ff.core) fixes
106226-01: SunOS 5.6: /usr/sbin/format patch
106235-08: SunOS 5.6: lp patch
106242-02: CDE 1.2: libDtHelp.so.1 fixes
106257-05: SunOS 5.6: /usr/lib/libpam.so.1 patch
106271-06: SunOS 5.6: /usr/lib/security/pam_unix.so.1 patch
106285-03: SunOS 5.6: /kernel/sys/msgsys patch
106292-11: SunOS 5.6: pkgadd/pkginstall & related utilities
106301-03: SunOS 5.6: /usr/sbin/in.ftpd patch
106361-11: SunOS 5.6: csh/jsh/ksh/rksh/rsh/sh patch
106409-01: SunOS 5.6: Fixes the Traditional Chinese TrueType fonts
106415-04: OpenWindows 3.6: xdm patch
106429-02: SunOS 5.6: /kernel/drv/mm patch
106437-03: CDE 1.2: Print Manager Patch
106439-07: SunOS 5.6: /usr/sbin/syslogd patch
106448-01: SunOS 5.6: /usr/sbin/ping patch
106468-04: SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
106495-01: SunOS 5.6: truss & truss support library patch
106522-04: SunOS 5.6: /usr/bin/ftp patch
106569-01: SunOS 5.6: libauth.a & libauth.so.1 patch
106592-03: SunOS 5.6: /usr/lib/nfs/statd patch
106625-11: SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
106639-05: SunOS 5.6: /kernel/strmod/rpcmod patch
106648-01: OpenWindows 3.6: libce suid/sgid security fix
106649-01: OpenWindows 3.6: libdeskset patch
106650-04: OpenWindows 3.6: mailtool attachment security patch
106828-01: SunOS 5.6: /usr/bin/date patch
106834-02: SunOS 5.6: cp/ln/mv patch
106882-02: SunOS 5.6: /usr/lib/nfs/nfsd patch
107336-01: OpenWindows 3.6: KCMS configure tool has a security vulnerability
107434-01: CDE 1.2: Spell checking occasionally kills mail
107490-01: SunOS 5.6: savecore doesn't work if swap slice is over 2G
107565-02: SunOS 5.6: /usr/sbin/in.tftpd patch
107618-02: SunOS 5.6: patch /usr/sbin/vold
107733-09: SunOS 5.6: Linker patch
107758-01: SunOS 5.6: Pax incorrectly change mode of symlink target file
107766-01: SunOS 5.6: ASET cklist reports unchanged 6month older files as new
107774-01: SunOS 5.6: inetd denial-of-service attack
107991-02: SunOS 5.6: /usr/sbin/static/rcp patch
108091-03: SunOS 5.6: ssJDK1.2.1_03 fails with fatal error in ISO8859-01 Locales
108199-01: CDE 1.2: dtspcd Patch
108201-01: CDE 1.2: dtaction Patch
108307-02: SunOS 5.6: keyserv fixes
108333-02: SunOS 5.6: jserver buffer overflow
108346-03: SunOS 5.6: patch usr/sbin/rpc.nispasswdd
108468-02: SunOS 5.6: ldterm streams module fixes
108492-01: SunOS 5.6: Snoop may be exploited to gain root access
108499-01: SunOS 5.6: ASET sets the gid on /tmp, /var/tmp when setting med high
108660-01: SunOS 5.6: Patch for sadmind
108804-02: SunOS 5.6: /usr/bin/tip patch
108890-01: SunOS 5.6: patch /usr/lib/netsvc/yp/ypxfrd
108893-01: SunOS 5.6: patch /usr/lib/netsvc/yp/rpc.ypupdated
108895-01: SunOS 5.6: patch /usr/sbin/rpc.bootparamd
109266-01: SunOS 5.6: security: /bin/mail has buffer overflow
109339-02: SunOS 5.6: nscd's size grows - TTL values not implemented
109388-01: SunOS 5.6: patch /usr/vmsys/bin/chkperm
109719-01: SunOS 5.6: arp should lose set-gid bit
110990-01: SunOS 5.6: Patch for ttymon
111029-01: SunOS 5.6: /kernel/sys/semsys patch
111109-01: SunOS 5.6: Patch to /usr/bin/nawk
111240-01: SunOS 5.6: Patch to /usr/bin/finger
111560-01: SunOS 5.6: dmesg security problem
111664-01: SunOS 5.6: bzip patch
Patches 106409-01 and 108091-03 are not included in the Sun Recommended Patch cluster
but can be obtained from the J2SE 1.2.2 Localized JRE patch set.
Patches for Solaris 8
108528-09: SunOS 5.8: kernel update patch
108652-35: X11 6.4.1 Xsun patch
108725-05: SunOS 5.8: st driver patch
108827-10: SunOS 5.8: libthread patch
108869-06: SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108875-09: SunOS 5.8: c2audit patch
108968-05: SunOS 5.8: vol/vold/rmmount patch
108974-11: SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
108975-04: SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
108977-01: SunOS 5.8: libsmedia patch
108985-03: SunOS 5.8: /usr/sbin/in.rshd patch
108987-04: SunOS 5.8: Patch for patchadd and patchrm
108989-02: SunOS 5.8: /usr/kernel/sys/acctctl and /usr/kernel/sys/exacctsys patch
108991-13: SunOS 5.8: /usr/lib/libc.so.1 patch
108993-03: SunOS 5.8: nss and ldap patch
109091-04: SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
109137-01: SunOS 5.8: /usr/sadm/install/bin/pkginstall patch
109181-03: SunOS 5.8: /kernel/fs/cachefs patch
109277-01: SunOS 5.8: /usr/bin/iostat patch
109279-13: SunOS 5.8: /kernel/drv/ip patch
109318-12: SunOS 5.8: suninstall patch
109320-03: SunOS 5.8: LP patch
109322-07: SunOS 5.8: libnsl patch
109324-02: SunOS 5.8: sh/jsh/rsh/pfsh patch
109326-05: SunOS 5.8: libresolv.so.2, in.named patch
109470-02: CDE 1.4: Actions Patch
109587-03: SunOS 5.8: libspmistore patch
109742-04: SunOS 5.8: /kernel/drv/icmp patch
109783-01: SunOS 5.8: /usr/lib/nfs/nfsd patch
109805-03: SunOS 5.8: pam_krb5.so.1 patch
109898-02: SunOS 5.8: /kernel/drv/arp patch
109951-01: SunOS 5.8: jserver buffer overflow
110075-01: SunOS 5.8: /kernel/drv/devinfo and /kernel/drv/sparcv9/devinfo patch
110283-03: SunOS 5.8: mkfs and newfs patch
110286-02: OpenWindows 3.6.2: Tooltalk patch
110322-01: SunOS 5.8: /usr/lib/netsvc/yp/ypbind patch
110383-01: SunOS 5.8: libnvpair patch
110387-03: SunOS 5.8: ufssnapshots support, ufsdump patch
110453-01: SunOS 5.8: admintool patch
110458-02: SunOS 5.8: libcurses patch
110662-02: SunOS 5.8: ksh patch
110700-01: SunOS 5.8: automount patch
110898-02: SunOS 5.8: csh/pfcsh patch
110901-01: SunOS 5.8: /kernel/drv/sgen and /kernel/drv/sparcv9/sgen patch
110934-01: SunOS 5.8: pkgtrans, pkgadd, pkgchk and libpkg.a patch
110939-01: SunOS 5.8: /usr/lib/acct/closewtmp patch
110943-01: SunOS 5.8: /usr/bin/tcsh patch
110945-01: SunOS 5.8: /usr/sbin/syslogd patch
110951-01: SunOS 5.8: /usr/sbin/tar and /usr/sbin/static/tar patch
111071-01: SunOS 5.8: cu patch
111111-01: SunOS 5.8: nawk line length limit corrupts patch dependency checking
111232-01: SunOS 5.8: patch in.fingerd
111234-01: SunOS 5.8: patch finger
111293-03: SunOS 5.8: /usr/lib/libdevinfo.so.1 patch
111325-01: SunOS 5.8: /usr/lib/saf/ttymon patch
111327-02: SunOS 5.8: libsocket patch
111363-01: SunOS 5.8: /usr/sbin/installf patch
111548-01: SunOS 5.8: catman, man, whatis, apropos and makewhatis patch
111570-01: SunOS 5.8: uucp patch
HP-UX Recommendations
Please use the following patches when running Directory Server 4.15 on HP-UX 11.00:
- PHCO_20765 libc cumulative patch
- PHKL_20202 Fix pthread error return, nfs/tcp panic
- PHKL_18543 PM/VM/UFS/async/scsi/io/DMAPI/JFS/perf patch
- PHCO_22453 fsck_vxfs(1M) cumulative patch
- PHCO_21187 cumulative SAM/ObAM patch
- PHKL_22589 LOFS, select(), IDS/9000 and umount race fix
- PHKL_20674 fix VxFS unmount hang & MMF, sync panics
- PHCO_19666 libpthreads cumulative patch
- PHSS_21906 C++ runtime libraries (aCC A.03.26)
- PHNE_21767 cumulative ARPA Transport patch
- XSWGR1100 General Release Bundle (Sept 2000 or latest)
- You should upgrade to patch PHNE_21767 if you have already installed patch PHNE_16283.
Also, please set your kernel parameters as follows:
- Make sure the minimum size of the maxdsiz kernel parameter is as follows:
(dbcachesize * 1.25) + (cachesize * average size of entries * #CPUs)
Note that the default value for dbcachesize is 10 Mb. The default for cachesize is 1000.
If you are running on a single CPU machine and your average directory entry size is 10 Kb,
make sure your maxdsiz is at least 22.5 Mb, calculated as follows:
(10,000,000 * 1.25) + (1,000 * 10,000 * 1)
- Set max_thread_proc (max number of threads per process) to 128.
- Set ncallout (max number of pending timeouts) to (128 + NPROC).
- Set maxfiles to at least 120.
Refer to the HP documentation for further information and recommendations about setting these parameters.
The HP-UX Large Memory Model
The ns-slapd process can now grow up to 2 Gb in process size.
Note: Specific HP-UX patches are required in order to fully take
advantage of this newly available address space: you need these HPUX 11.00
patches for Large Memory Model (Beyond the 1 Gb quadrant limitation):
- PHCO_22453 11.00 fsck_vxfs(1M) cumulative patch
- PHCO_21187 cumulative SAM/ObAM patch
- PHKL_22432 VxFS 3.1 icache cumulative patch
- PHKL_22589 LOFS, select(), IDS/9000 and umount race fix
- PHKL_21610 Large Data Space, kernel memory leak fix
- PHKL_21507 Fix for crfree, MPI panic; IDS/9000 support
- PHKL_20228 Large Data Space (7 of 8)
- PHKL_21039 semget;large data space;msgmnb;SEMMSL
- XSWGR1100 General Release Bundle (Sept 2000 or latest)
Tuning for the Large Memory Model
The maximum value for the kernel param maxdsiz is 0x7B03A000 (Approx. 2 Gb),
which is the acceptable maximum value recommended by HP.
Tune the directory server dbcachesize and entry cachesize in the slapd.ldbm.conf file.
The following recommendations apply to Directory Server 4.15:
- The maximum value for dbcachesize is 858993450.
This is due to a PA-RISC hardware limitation which prevents memory-mapped
files from crossing quadrant boundaries. Therefore, the 1 Gb quadrant size limits how
big the dbcachesize attribute can be. The database code allocates 25% of overhead space
to manage the dbcachesize. When you take 1 Gb and subtract 25% of overhead you obtain the
maximum value for dbcachesize: 858993450.
- Ensure that the combined values for dbcachesize and entry cachesize are tuned to not
exceed a total of 2 Gb:
(dbcachesize * 1.25 ) + (cachesize * avg. size of entry * #CPUs) < maxdsiz (max. 2 Gb)
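The cache formula used throughout these notes, the 22.5 Mb worked example for HP-UX, and the Large Memory Model limits (dbcachesize at most 858993450, maxdsiz at most 0x7B03A000) as one sizing check. This is an added example, not part of the release notes or the product; the function names and the way problems are reported are my own.

```python
"""Cache sizing check for Directory Server 4.15 (constructed example).

Encodes the formula from the release notes:
    (dbcachesize * 1.25) + (cachesize * avg. entry size * #CPUs) < available memory
together with the HP-UX 11.00 Large Memory Model limits quoted next to it.
"""

DB_OVERHEAD_FACTOR = 1.25            # database code reserves 25% overhead over dbcachesize
HPUX_MAX_DBCACHESIZE = 858_993_450   # 1 Gb quadrant minus the 25% overhead
HPUX_MAX_MAXDSIZ = 0x7B03A000        # HP's recommended maximum for maxdsiz (approx. 2 Gb)


def required_memory(dbcachesize, cachesize, avg_entry_size, ncpus):
    """Bytes the caches need according to the release notes formula."""
    return dbcachesize * DB_OVERHEAD_FACTOR + cachesize * avg_entry_size * ncpus


def check_cache_tuning(dbcachesize, cachesize, avg_entry_size, ncpus,
                       memory_limit, hpux=False):
    """Return a list of problems with the proposed tuning (empty when it fits).

    memory_limit is the available memory on most platforms, or the maxdsiz
    kernel parameter on HP-UX; pass hpux=True to also apply the HP-UX limits.
    The notes require strict "<", so hitting the limit exactly is reported.
    """
    problems = []
    need = required_memory(dbcachesize, cachesize, avg_entry_size, ncpus)
    if need >= memory_limit:
        problems.append(
            f"caches need {need:,.0f} bytes but only {memory_limit:,} bytes are available"
        )
    if hpux:
        if dbcachesize > HPUX_MAX_DBCACHESIZE:
            problems.append(
                f"dbcachesize {dbcachesize:,} exceeds HP-UX maximum {HPUX_MAX_DBCACHESIZE:,}"
            )
        if memory_limit > HPUX_MAX_MAXDSIZ:
            problems.append(
                f"maxdsiz {memory_limit:,} exceeds HP recommended maximum {HPUX_MAX_MAXDSIZ:,}"
            )
    return problems


if __name__ == "__main__":
    # Worked example from the notes: one CPU, 10 Kb entries, default cache sizes.
    print(required_memory(10_000_000, 1_000, 10_000, 1))   # 22500000.0, i.e. 22.5 Mb
    # A maxdsiz of exactly 22.5 Mb is not enough because the formula is strict.
    print(check_cache_tuning(10_000_000, 1_000, 10_000, 1,
                             memory_limit=22_500_000, hpux=True))
```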
CORRECTIONS TO 4.13/INTERNAL ONLY 4.14
This release of the Directory Server contains fixes
to the following known problems reported in iPlanet Directory Server 4.13:
- On the Windows NT platform with SSL connections, the ioblocktimeout
value in slapd.conf was not used correctly, so connections were not closed
when the ioblocktimeout should have been reached. With this fix, the ioblocktimeout
value is now correctly used (when appropriate) on Windows NT with SSL connections.
(533790)
- Excessive duplicate log messages (closed - B1) were written when an LDAP
connection was closed by an LDAP client. The server slowed down but remained
functional. (534193)
- If an application (for example, ldapmodify) tried to replace an attribute
value with a value containing more than 20 "+" signs, the server crashed.
This has been corrected. (521161)
- If the referential integrity plugin is configured to work with a delay and
an entry whose DN contains a non 7-bit ASCII character is then deleted, the
server crashed when the referint plugin ran. This has been corrected. (532632)
- If the uniqueness plugin is enabled for an attribute, it only worked properly
when another entry with the same attribute value was added. If an existing
attribute was modified (changetype: modify or modrdn), a duplicate value could
be generated. This has been corrected. (531734)
- Memory leak of the DS server daemon occurred
when a persistent search operation fails (e.g., because the base DN does
not exist). Operation resources are never released for a persistent search
operation. We now release the operation resources when a persistent search
operation fails. (526719)
- The Directory Server would not release memory
on malformed requests. This has been corrected (122588).
- (HP-UX, NT and Solaris versions only) Search
requests on large schema definitions or large static groups were causing
the ns-slapd process to increase in size above 200 MB. Depending on
resources (RAM/SWAP/DISK), the ns-slapd was exiting with ber_printf errors
or malloc/calloc errors. To fix this problem, a new Smart Heap v6.0
memory management component is now integrated into the iDS to fix problems
with allocation/deallocation of memory. (530740/531749)
- There was a problem when using the Pass Through
Authentication plugin: If a user with an expired password tried to bind through
the Pass Through Authentication mechanism, the directory server crashed (Segmentation
Fault). This has been corrected. (532228)
- A security hole was identified that allowed
for malicious operations to crash the Directory Server. This has been
corrected. (539965)
- The internal callback search function, slapi_search_internal_callback(),
had a bug that if a search operation was not able to be completed, we didn't
always close the "connection" properly. Now we detect these scenarios,
and mark the operation as abandoned so the backend next entry function gets
called again and has a chance to clean things up. (541439)
- Due to a side effect of a fix in DS 4.13, ACIs containing ldap:///self rules
or userdnattr-based rules were no longer correctly handled. This has been
corrected in 4.14. In addition, the problem present in earlier versions where,
in connection with these rules, the Directory Server sometimes returned more
results than allowed by the ACI was also corrected. (542104)
This release
of the Directory Server also contains fixes to the following known problems
reported in iPlanet Directory Server 4.14 (iDS 4.14 was
only released internally as part of iPlanet
Portal Server 3.0 SP3):
- A problem has been detected in the internal release of DS 4.14 whereby
words like "and", "or", and "not" were improperly treated as keywords when
they appeared as part of a distinguished name. The code now does a better
job of handling the double quotes (") which delimit distinguished names
when parsing the bind rules of ACIs, thereby avoiding the improper treatment
of "and", "or", and "not" as boolean operators. (551690)
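The parsing point behind this correction, as an added illustration that is not the product's code: a tokenizer that honours the double quotes delimiting a DN, contrasted with the faulty approach of scanning for keywords without regard to quoting. The bind rule syntax shown (userdn/groupdn comparisons joined by and/or/not) and the DNs are constructed for the example.

```python
"""Quote-aware splitting of ACI bind rules (constructed example)."""
import re

BOOLEAN_KEYWORDS = {"and", "or", "not"}


def tokenize_bind_rule(rule: str) -> list[str]:
    """Split a bind rule into tokens, keeping each double-quoted string whole.

    Anything inside quotes is one token, so a DN such as "uid=and,ou=people"
    can never be mistaken for the boolean keyword "and".
    """
    tokens = []
    i, n = 0, len(rule)
    while i < n:
        ch = rule[i]
        if ch.isspace():
            i += 1
            continue
        if ch == '"':
            end = rule.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quoted string in bind rule")
            tokens.append(rule[i:end + 1])
            i = end + 1
            continue
        if ch in "()":
            tokens.append(ch)
            i += 1
            continue
        # Bare word or comparison operator: runs up to whitespace, quote or paren.
        j = i
        while j < n and not rule[j].isspace() and rule[j] not in '"()':
            j += 1
        tokens.append(rule[i:j])
        i = j
    return tokens


def boolean_operators(rule: str) -> list[str]:
    """Boolean keywords found outside quoted strings, in order of appearance."""
    return [t.lower() for t in tokenize_bind_rule(rule) if t.lower() in BOOLEAN_KEYWORDS]


def naive_boolean_operators(rule: str) -> list[str]:
    """The defective approach for contrast: a keyword scan that ignores quoting.

    It reports keywords that are really part of a quoted DN.
    """
    return [w for w in re.findall(r"[A-Za-z]+", rule.lower()) if w in BOOLEAN_KEYWORDS]


if __name__ == "__main__":
    # Constructed rule whose DNs contain the words "and" and "not".
    rule = ('userdn = "ldap:///uid=and,ou=people,o=example" and '
            'groupdn != "ldap:///cn=not,ou=groups,o=example"')
    print(boolean_operators(rule))        # ['and']
    print(naive_boolean_operators(rule))  # ['and', 'and', 'not']
```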
- The server could sometimes crash because the replication thread used in on-line
replica creation (ORC) ran out of thread stack memory. This happened specifically
when the consumer server being ORC initialized already held a deeply nested tree
of nodes, which the supplier then deleted as part of the ORC process. The fix
raises the thread stack size for this ORC replication thread only, to accommodate
deeper existing consumer server directory trees that are being ORC initialized.
(536710)
- CERT® Advisory CA-2001-18, Multiple Vulnerabilities in Several Implementations
of the Lightweight Directory Access Protocol (LDAP). If the server received
fragmented BER encodings where the first fragment was only 1 byte, the connection
structure data was corrupted. If this connection structure was then reused by
another connection, it still contained invalid data, causing the new connection
to be disconnected. Eventually all the connection structures would be corrupted,
amounting to a denial of service. Connection structure data is now reset for
every new connection. (552394)
- If a connection with a large number of pending operations is terminated
before those operations have completed, the directory server will continue
to process those operations. If this happens with enough connections with
enough pending operations, the directory server will start very quickly
consuming large amounts of memory, eventually to the point of crashing.
This has been corrected. (551413)
- When a single LDAP connection is heavily loaded,
new requests coming on other connections may wait for either the arrival of
another request or the completion of the tasks requested by the heavily loaded
connection. This has been corrected so that only requests coming from the
heavily loaded connections are waiting. They now wait for the completion of
the tasks requested by their connection. (530204/550620)
KNOWN PROBLEMS
This section lists known problems with Netscape Directory
Server 4.13, including:
The problems are identified by bug number to help you
refer to them if you need to contact technical support.
Installation, Migration, and Upgrade
- Users may run into upgrade issues going from
DS 4.11 to DS 4.14 when SSL is enabled. This condition is alleviated by disabling
SSL before upgrading and then re-enabling SSL after upgrading. (530413)
- Users may run into upgrade issues with SSL enabled on Unix servers. The
install will appear to hang: although there will be no prompt to enter a
password, type in the key password and press Enter and the upgrade will
complete successfully. (530391)
- If you cancel NT Synchronization Service installation
before entering the host name and port, the next time you reboot the machine
the NT Synchronization Service attempts to start and fails. (395062)
- On Windows NT systems, you must use the Typical
Installation procedures to upgrade from Directory Server 4.1 to 4.11 or 4.14;
if you use the Custom Installation procedures, the installation will fail.
(367312)
- Unix only: The platform version included in
the name of the gzipped installation package does not necessarily match the
version of the platform that the binaries run on. (368822)
For example, the following package contains the
product binaries for Solaris 2.6, 7, and 8:
directory-4_12-domestic-us_sparc-sun-solaris2_6_tar.gz
- The Installation Guide that shipped with the
server does not contain the procedure for upgrading from a previous 4.x release.
This information is now available from the Installation Guide hosted on iPlanet's
website at (367383):
http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
- The installation program no longer asks you
if you want the installation cache deleted (it is now deleted by default).
To cause the installation cache to be saved when the installation is completed,
run setup with the -k option. You must run the setup program with -k if you
want to perform a silent installation. (339769, 387540, 330298)
- On Linux, set the TERM environment variable
to vt100 before you install. If you do not set your terminal to vt100, the
screen text displayed during installation may be offset and difficult to
read. (348576)
- On Windows NT, you must install Communicator
4.x before you can install the NT Synch Service. (350963)
- If you are migrating your supplier or consumer
Directory Server from a previous release and you want to maintain the replication
agreements from the old server, you must migrate into a new instance instead
of an existing one. Replication agreements are denoted by the port number
of the supplier and consumer server, and the port number is not transferred
if you migrate into an existing instance. Therefore, if you choose to migrate
your supplier or consumer Directory Server into an existing instance, you
will need to reconfigure the replication agreements with the correct port
numbers. (351935)
- Migration from a 1.x server to 4.14 on Digital
Unix or Irix is not supported. (351461)
- After migration from 3.x to 4.14 on NT, you
may have two server instances (one 3.x and one 4.14) listening on the same
port. If you no longer want to use your 3.x server, delete it using the 3.x
administrative interface, or disable it in the Services Control Panel. (351663)
- If you want to migrate an SSL-enabled Directory
Server to the 4.x release, follow these steps (117420, 347858):
- Turn off SSL in the old server.
- Migrate the old server to 4.x.
- From the command line, change to:
/<4x_Server_Root>/bin/admin/admin/bin
Where <4x_Server_Root> is the directory where you installed the 4.x Directory Server.
- Run the sec-migrate command-line utility as follows:
On Unix:
./sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
On Windows NT:
sec-migrate <Old_Server_Root> <CertDB_Alias> <4x_Server_Root> slapd-<CertDB_Alias> <Old_CertDB_Password>
Where <Old_Server_Root> is the directory where you installed the pre-4.0 Directory
Server, <CertDB_Alias> is the alias you used when setting up the certificate
database, <4x_Server_Root> is the directory where you installed the 4.x Directory
Server, and <Old_CertDB_Password> is the certificate database password.
For example:
./sec-migrate /NSHOME/ds30/ mycertdb /usr/netscape/server4/ slapd-mycertdb mycertdbpw
- From the command line, change to:
/<4x_Server_Root>/alias
- Rename slapd-<CertDB_Alias>-key3.db3.db to slapd-<CertDB_Alias>-key3.db.
- Rename slapd-<CertDB_Alias>-cert7.db7.db to slapd-<CertDB_Alias>-cert7.db.
- Rename <CertDB_Alias>-password.txt to slapd-<CertDB_Alias>-pin.txt.
In 4.0, you only needed to type the password in the file in cleartext, for
example mypassword. For 4.1 through 4.12, you need to include the token name
and password in slapd-<CertDB_Alias>-pin.txt as follows:
Token:Password
For example:
Internal (Software) Token:mypassword
- On the Directory Server Console for the
migrated instance, select the Configuration tab and then select the root
entry in the navigation tree in the left pane.
- Select the Encryption tab in the right pane.
- Select the Enable SSL checkbox.
- Select at least one cipher family.
- Click Save.
- Restart the 4.x Directory Server.
- Netscape recommends setting the database cache
(dbcache in slapd.ldbm.conf) on NT to a value no greater than 800 Mb. (116968)
- When a configuration directory used to register
Netscape servers is uninstalled (that is, a directory that contains a o=NetscapeRoot
tree), those directories are no longer manageable from Netscape Console. Do
not uninstall a configuration directory unless you have already uninstalled
all other Netscape servers that are configured in that directory instance.
(301667)
- Windows NT only. If you uninstall the Directory
Server and you select everything to uninstall except for the NT Synchronization
Service, then the uninstaller is deleted from your system and you can no longer
uninstall the Synchronization Service. In this situation, to uninstall the
Synchronization Service, reinstall the server and immediately uninstall it
again, this time selecting the Synchronization Service. (336657)
- Currently, the installation program allows
you to enter an installation path that contains names that start with a number
(for example: e:\0449) This should not be allowed. Do not use a path that
contains names beginning with numbers. (349138)
- Unix only. If you attempt to migrate a server
that was running as root to a server that is running as an unprivileged user,
the migration will fail. Always migrate a server that is running as root to
a server that is also running as root. (347692)
- AIX only. While installing on AIX, the "Extracting....>"
messages are truncated, and it looks like installation has halted when it
has not. Wait a few moments and all of the packages will be extracted. Once
the packages are extracted, you are prompted to press a key for installation
to continue. This message may also be truncated. Press any key and the installation
will then proceed normally. (349687)
- You cannot uninstall the Directory Server
if there is no space left on the device. Clear up some disk space and then
uninstall the server. (352130)
Administration Server and Netscape Console
- When remote access (rlogin + set DISPLAY)
is made to a console running on a different Unix flavor, font-conversion
warning messages might be displayed during the startup. They should be ignored.
(527028)
- If you add a suffix using the Directory Server
Console, the console may get into a state where any subsequent adds result
in duplicate suffixes displayed in the Suffix list. (344160)
- Using continuous refresh for log file viewing
in the Directory Server Console may result in NullPointerException output
in the terminal window. If you receive this error, use the following method
instead of continuous refresh to see log file activity in real time. (354953)
- From the command prompt, change to the following directory:
<NSHOME>/slapd-<serverID>/logs
- Type the following command:
tail -f access/errors
tail -f immediately displays the output.
- Netscape Console doesn't allow you to edit
entries that have a multivalued RDN. (353885, 352206)
- NT only. When you access help from one of
the help buttons in the Directory Console, sometimes the help text is not
displayed in the browser. You must restart Netscape Communicator to correct
the problem. (399626)
- Do not resize the Property Editor while an
attribute is highlighted. Instead, deselect the attribute before resizing
the window. If you do not, the pop-up menu will not appear when you right-click
in the Property Editor. (336767)
- On all Unix platforms, underscores in text
boxes may not be displayed. If you use Netscape Console with eXceed X Server
for Windows NT, you need to restart the console if you experience this error.
(336626)
- Search results window in the Directory Server
Console is not fully visible. However, enlarging the Search Results window
allows the entire results to be seen. (339333)
- If you attempt to create an attribute name
with an extremely long name, the resulting confirmation box will include
an "OK" button that can be off the screen. This is because the attribute
name will not truncate or wrap in the confirmation dialog box. (340542)
- When you bring up the Directory tab on the
Directory Server Console and click on a node in the left pane that contains
subentries, the server sorts the subentries and displays them in the right
pane of the console. However, the server follows referrals using the same
bind credentials with which you log in to the console. If you're logged in
as the Directory Manager, and the Directory Manager has a different password
on the remote server, the referral bind fails. In response, the local server
console displays a red dot followed by the text "Entry could not be read"
in the right pane. Also, because the referral was not followed, the entry
is not sorted in the list. Instead, the entry is listed at the end of the
list in the Directory Console. (336983)
- The ACI user interface will allow you to enter
any character where time (numerical) data is expected. (346308)
Replication
- CIR only. If you initialize a consumer server
from the Directory Console, the message box ".. wait while consumer is being
initialized" does not always disappear when initialization is complete. Also,
if you cancel the message box and attempt to view the contents of the directory
from the Directory Console, the entries may not be visible. To correct this,
after initializing the consumer, exit and restart the Directory Console and
initialize the consumer again. (390871)
- In the Directory Console, when creating a
CIR agreement with SSL enabled, the pulldown menu displays an incorrect SSL
port number. You must click the Other button, and enter the correct SSL port
number. This problem sometimes occurs on the AIX platform while creating
an SIR agreement; the consumer's pulldown menu is empty, so the SSL port
number needs to be entered manually by clicking the Other button. (398694)
- In the Directory Console, when creating an
SIR agreement with SSL enabled, in some cases the console generates java
exceptions. This does not affect the SIR agreement, which is correctly created
and saved. (398694)
- Use of dc-style naming is not supported with
cascaded replication. (381549)
- The hostname portion of the fully-qualified
domain name entered during server installation must exactly match the hostname
of the machine running the Directory Server. If it does not, you will be unable
to configure replication agreements. (382436)
Plug-Ins
- Do not list the configuration for the PTA
plug-in in slapd.conf multiple times. If you do so, only the last
configuration is used. Instead, specify multiple LDAP URLs or subtrees as
documented in Using the Pass-Through Authentication Plug-In. (379678)
- The COS plug-in is not supported in this release
of the Directory Server; it is provided as an example only.
Documentation
- In Chapter 6 of the Directory Server Administrator's
Guide, the description of "Password Change After Reset" should also state
that only the unrestricted user (Root DN) can trigger the password reset.
(383384)
- In Chapter 1 of the Directory Server Administrator's
Guide, the procedure for starting and stopping the server from the command-line
incorrectly states that the scripts to start and stop the server must be
run using the same UID and GID that the server uses. Instead, if your server
runs on a port less than 1024, you must be logged in as root to run these
scripts. (335710)
- The Directory Server Plug-In Programmer's
Guide contains misleading information about creating additional database
plug-ins for use with Directory Server. User-created database plug-ins are
not supported with Directory Server 4.x. (364180)
- The valid range documented for the Look Through
Limit parameter in Chapter 17, "Configuration Parameters" in the Administrator's
Guide, is incorrect. The correct range is -1 to maximum integer. (381073)
- In addition to the configuration information provided in Using the
Pass-Through Authentication Plug-In, you can also use multiple LDAP URLs for
the pass-through subtree parameter <subtree>. (380266)
- The Administrator's Guide incorrectly
defines the ioblocktimeout parameter. The unit used to determine
when the connection to a stalled LDAP client should be closed is ticks, not
milliseconds. Also, the number of ticks per second differs between operating
systems, so the default value of 1800000 is not 30 minutes on all
platforms. (367448)
- The 4.1 Installation Guide that shipped
with the server does not contain the procedure for upgrading from a previous
4.x release. This information is now available from the Installation Guide
hosted on iPlanet's website at (367383):
http://docs.iplanet.com/docs/manuals/directory/41/install/upgrade.htm
- The Directory Server Gateway documentation
incorrectly gives the location of the authck directory as (365271):
<NSHOME>/dsgw/authck
The documentation should say that the directory
is located at:
<NSHOME>/bin/slapd/authck
- The documentation does not indicate where
Bitstream Cyberbit font can be located. This font is necessary for any Netscape
browser that attempts to display non-English characters. (352274)
The font can be obtained from the following
URL:
http://ftp.netscape.com/pub/communicator/extras/fonts/windows/
There are several readme files there that you
should examine:
- READMEfirst.txt contains information
on platform recommendations.
- ReadMe.htm or Readme.wri
contain the installation/usage documentation.
- The Netscape Directory Server Installation
Guide does not adequately describe the migration procedure for large
directories. For large directory sizes (as a rule of thumb, anything greater
than 5000 entries), the documented migration procedure is not sufficient
because these entries are transferred between the old directory and the new
directory over LDAP, which will be relatively slow. (352275)
Instead, use the following procedure to migrate
your directory:
1. Export your old directory to LDIF.
2. Create a simple directory structure in LDIF that matches the suffixes used
by your Directory Server. This should be a very simple file that only
contains the root entries for every suffix served by your Directory Server.
3. Shut down your old Directory Server.
4. Delete your old directory's database.
5. Import the simple directory that you created in step 2 to your old
Directory Server.
6. Perform the migration as described in the Netscape Directory Server
Installation Guide.
7. Shut down your newly migrated Directory Server.
8. Back up your new database. This is especially important if your new
Directory Server is a configuration directory (that is, it contains the
o=NetscapeRoot tree).
9. Import your original database from the LDIF that you saved in step 1. When
you do this, use the <NSHOME>/slapd-<serverID>/ldif2db script, as this
script will automatically preserve o=NetscapeRoot configuration information
so that it is included in your newly imported database.
10. Start your new Directory Server. You are done with migration.
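Step 2 of the migration procedure asks for an LDIF file holding nothing but the root entry of each suffix. The script below, an added example rather than anything shipped with the server, generates that file from a list of suffixes; the sample suffixes are constructed and the naming-attribute to object class table is an assumption based on standard LDAP schema.

```python
"""Build the minimal root-entries-only LDIF used in step 2 of the migration
procedure. Added example; the sample suffixes are constructed and the
attribute-type -> object class table is an assumption (standard schema)."""

# Naming attribute of the suffix's first RDN -> structural object class of
# the root entry. Assumed mapping; extend it for other naming attributes.
ROOT_CLASSES = {
    "o": "organization",
    "ou": "organizationalUnit",
    "dc": "domain",
    "c": "country",
    "l": "locality",
}


def root_entry(suffix):
    """Return one LDIF record for the root entry of a suffix.

    Only the first RDN matters: its attribute type picks the object class
    and its value becomes the naming attribute of the entry. Multi-valued
    RDNs (a=x+b=y) and escaped commas are rejected rather than mis-parsed.
    """
    suffix = suffix.strip()
    first_rdn = suffix.split(",", 1)[0]
    if "+" in first_rdn or "\\" in first_rdn:
        raise ValueError(f"unsupported RDN form in suffix: {suffix!r}")
    attr, sep, value = first_rdn.partition("=")
    attr, value = attr.strip().lower(), value.strip()
    if not sep or not attr or not value:
        raise ValueError(f"malformed suffix: {suffix!r}")
    if attr not in ROOT_CLASSES:
        raise ValueError(f"no root object class known for {attr!r}")
    return (
        f"dn: {suffix}\n"
        "objectclass: top\n"
        f"objectclass: {ROOT_CLASSES[attr]}\n"
        f"{attr}: {value}\n"
    )


def root_entries_ldif(suffixes):
    """Concatenate root entries for all suffixes, separated by blank lines."""
    return "\n".join(root_entry(s) for s in suffixes)


if __name__ == "__main__":
    # Constructed sample suffixes; use the suffixes your own server serves.
    print(root_entries_ldif(["o=airius.com", "dc=example,dc=com"]))
```

Redirect the output to a file and use it as the "simple directory" imported in step 5.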
Import and Export
- Using Netscape Console, if you attempt to
export a suffix that does not exist the console does not warn you of the
error but instead returns an "Unexpected Error" message and then exits. (339555)
Internationalization
- If you are running a domestic version of
Netscape Directory Server, and you want to view non-Latin-1 characters using
the Directory Server Gateway or Directory Express from a Communicator client,
you need to configure Communicator to display the correct fonts. See
http://home.netscape.com/eng/intl/basics.html#fonts
for more specific information. (330218)
NT Synchronization Service
- You may receive an error message that states
"Error connecting to Synch Service on port 5003" when attempting to synchronize,
add all users, apply changes, or stop the NT Synchronization Service. If this
happens, exit and restart the Configuration Tool. (38870)
- You cannot use silent install to install
just the NT Synchronization Service. (109661)
Security and Access Control
- When SSL is enabled on the NT Directory
Server, attempts to start the Directory Server from Netscape Console result
in potentially confusing dialog boxes if a dongle file is not used to store
the key file password. A dialog box appears on the machine where the Directory
Server is running asking for the key file password (this password is required
before an SSL-enabled Directory Server can be started). If nothing is entered
into this dialog box, a dialog box indicating that the Directory Server could
not be started will appear on the machine where Netscape Console is running.
To work around this problem, start the server from a Netscape Console running
on the machine where the server is running, unless you have a dongle file.
(301624)
- When the server is in SSL mode, the server
console issues a warning dialog upon server restart to let you know that
a password will be required to restart the server. However, this warning
is not issued the first time you restart to go into SSL mode. Also, the warning
continues to be issued for every restart after you take the server out of
SSL mode. (333022, 341898)
SNMP Agent
- On UNIX, the Netscape SNMP (Simple Network
Management Protocol) subagent will generate an unexpected error during startup
unless the SNMP master port is set to 199. (316650)
Directory Server Gateway
Miscellaneous
- On Windows NT, the Directory Server uses
a hidden window named slapd-[server identifier] to restart the server if
it crashes. Anyone with access to the machine who knows the name of the hidden
window may be able to shut down the server by shutting down the hidden window.
(335719)
- The server will not start up if DNs included
in slapd.conf have spaces. Always use %20 in place of spaces when
including DNs in slapd.conf. (349824)
For example, this is the correct way to format
a DN in slapd.conf:
ldap://phonebook.airius.com/o%3Dace%20industry
while this is not correct:
ldap://phonebook.airius.com/o=ace industry
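As an added check that is not part of the release notes or the server, the following script encodes a DN the way the correct example above shows (spaces as %20, "=" as %3D) and scans a constructed slapd.conf fragment for LDAP URLs whose DN part still contains a literal space. The directive name in the sample is a placeholder, and the URL pattern is a heuristic that treats everything after the host up to end of line or a quote as the DN.

```python
"""Encode DNs for LDAP URLs in slapd.conf and flag URLs that still contain
literal spaces. Added example, not Netscape code; the slapd.conf fragment
below is constructed and its directive name is a placeholder."""
import re
from urllib.parse import quote, unquote

# ldap://host[:port]/<dn part>; the DN part runs to end of line or a quote.
# Heuristic: other tokens after the URL on the same line would be taken as DN.
LDAP_URL = re.compile(r"ldaps?://[^/\s]+/([^'\"]*)")


def encode_dn_for_url(dn):
    """Percent-encode a DN for an LDAP URL path: space -> %20, '=' -> %3D.
    Encoding everything outside the unreserved set is safe because the server
    URL-decodes the DN; e.g. o=ace industry -> o%3Dace%20industry."""
    return quote(dn, safe="")


def ldap_url(host, dn, port=None):
    """Build ldap://host[:port]/<encoded dn>."""
    authority = host if port is None else f"{host}:{port}"
    return f"ldap://{authority}/{encode_dn_for_url(dn)}"


def find_unencoded_dns(conf_text):
    """Return (line_no, dn_part, suggested) for each LDAP URL whose DN part
    still contains a literal space; comment lines are skipped."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for match in LDAP_URL.finditer(line):
            dn_part = match.group(1).rstrip()
            if " " in dn_part:
                # unquote first so already-encoded pieces are not double-encoded
                suggested = quote(unquote(dn_part), safe="")
                findings.append((line_no, dn_part, suggested))
    return findings


# Constructed slapd.conf fragment; "example-directive" is a placeholder name.
SAMPLE_CONF = """\
# constructed fragment, not a real configuration
example-directive ldap://phonebook.airius.com/o%3Dace%20industry
example-directive ldap://phonebook.airius.com/o=ace industry
"""

if __name__ == "__main__":
    for line_no, dn_part, fixed in find_unencoded_dns(SAMPLE_CONF):
        print(f"line {line_no}: {dn_part!r} -> use {fixed!r}")
```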
- While Calendar Server 3.x will work with
Directory Server 4.x, the Calendar Server requires the Directory Server
to report itself as a 3.x Directory Server. You can cause Directory Server
4.x to report itself as a 3.x Directory Server by using the versionstring
parameter in slapd.conf. Place the following line in your slapd.conf
file and restart your server:
versionstring "Netscape-Directory/3.1"
THINGS TO BE AWARE OF
These exceptions are also documented in the customer
documentation for release 4.x of the Netscape Directory Server.
Configuration Files
- On Windows NT, you can no longer use backslashes
"\" in path names in the configuration files; instead, use forward slashes
"/".
Directory Server Gateway
- If you add a user through the NT Synchronization
Service and the user's full name is not specified in Windows NT, the
Synchronization Service uses the NT UID as the value for the entry's cn attribute.
In this situation, the "Full Name" field on the gateway displays the NT UID
of the user.
If you add a user through the NT Synchronization
Service and the user's full name is specified in Windows NT in addition
to the NT UID, then the Synchronization Service creates one cn with the NT
user name and also creates one cn with the full name. In this case, the gateway
displays both cns in the format NT uid+full name. (312457)
- In order to use the gateway, JavaScript
must be turned on in Communicator. (318303)
- Specify the full DN for advanced searches
on group members. (113063)
- The syntax for gateway URLs changed between
Directory Server 3.x and 4.x. See the Directory Server Gateway Customization
Guide for more information.
Netscape Console
- Netscape Console does not support SSL certificate-based
client authentication. Directory servers configured to require SSL client
authentication must be managed from the command line. However, servers configured
to allow SSL client authentication may be managed from Netscape Console.
(312404)
LDAP URLs
Directory Server Schema
- If the Directory Server schema includes
an object class that contains an undefined attribute, on startup the server
assumes that the undefined attribute is a cis attribute and logs an error
message stating that the attribute needs to be added to the schema. This
may cause unexpected behavior if the undefined attribute is meant to contain
data in any syntax other than cis, for example, binary. (334257)
Migration
- If you have multi-valued RDNs in your pre-4.1
directory, when you upgrade to Directory Server 4.1 or greater, you must
export your database to LDIF, perform the migration, and then reimport your
database.
MORE INFORMATION
Installation instructions and release notes for all
iPlanet and Netscape servers are posted at
http://docs.iplanet.com/docs/manuals/index.html
.