iPlanet Meta-Directory 5.0
Release Notes
These Release Notes contain important information regarding Meta-Directory
version 5.0. Installation notes, known problems, and other late-breaking
issues are addressed in this document; you should read this document before
you install and use iPlanet Meta-Directory.
These release notes contain the following sections:
Installation Notes
There are no special Installation Notes for this release. For details on installing
iPlanet Meta-Directory version 5.0, see the
iPlanet Meta-Directory Installation Guide.
Known Problems and Limitations
This section lists and describes the known problems reported for the
release of iPlanet Meta-Directory, version 5.0. The known problems are
arranged into the following sections:
Installation and Uninstallation Notes
Incorrect Disk Size Information During Installation
During the installation of some Meta-Directory components, the installer
program might not immediately refresh the disk size information.
( #395532 )
Installer Miscalculates Disk Space Required
After you have downloaded
the product binaries and double clicked on the setup for installation, the
installer program has been known to miscalculate the disk space required to
install Meta-Directory on your system.
( #521974 )
Installation Directories
Currently, you must install Meta-Directory into a directory tree whose
name is represented as seven-bit ASCII.
( #541000 )
Specifying the Change Log Directory During Installation of Meta-Directory
If you specify a nonexistent directory for the change log during the Meta-Directory
installation process, the associated Directory Server will not be restarted by the
Meta-Directory installation process; you must manually restart the associated Directory
Server.
( # N/A )
Re-installing On Solaris Systems
If you need to reinstall Meta-Directory (or one of it's components) on a Solaris
system, you will need to reinstall all the currently-installed components. There
will be no loss of data or configuration settings when you reinstall the components.
( #533938 )
Uninstalling Meta-Directory
Before you uninstall Meta-Directory, be sure to stop all Meta-Directory
components from the console and make sure they have finished
processing before you initiate the uninstall process. In particular, the
join engine takes time to shut down if it is processing a large volume of
data. Beginning the uninstall process while Meta-Directory components are
still processing will cause the uninstall to fail.
( #549615 )
Uninstalling Meta-Directory with a Stopped Directory Server
If you run the Meta-Directory uninstall script after you have shut down the
Directory Server instance that hosts the Meta-Directory configuration, it is
possible that the system will crash. Be sure that the Directory Server instance that
hosts the Meta-Directory configuration is running before beginning the uninstall
procedure.
( #541345 )
Uninstalling Individual Meta-Directory Components
On Solaris systems, if you uninstall a single Meta-Directory component from
a system, other installed components (such as the join engine and any
instances of Directory Server) will fail if those components are in the same
server root as the Meta-Directory component you are uninstalling.
( #553545 )
Workaround
The problem arises from the deletion of files used by the other services.
Reinstall the deleted files and restart any associated components. If you
unpacked the tar file into the directory <meta_dist> ,
then issue the following command to replace the deleted files:
unzip -o <meta_dist>/join/join.zip
"lib/lib*.so" -d <NETSITE_ROOT>
General Notes
One Join Engine Instance Per Administration Domain
Currently, you can configure only a single join engine per administration
domain. This means that you can have only a single join engine for each
Meta-Directory setup.
( #547061 )
Multi-Value "mail" Attribute Values Not Saved
If you are using Netscape Directory Server 4.1x, you will not be able to
enter multiple values into a "mail" attribute (actually, you can
enter multiple values, but only the first value is saved). This problem
is resolved with iPlanet Directory Server 5.0.
( #531047 )
Configuration Data Server
The Meta-Directory configuration is hosted on an instance of Directory
Server. If the configuration Directory Server is unavailable, the
Meta-Directory console will not operate.
( #551102 )
Automatic Console Refresh
Some committed actions (such as adding or deleting a participating connector
view, or adding or removing some rules or rule sets) do not automatically
trigger a Meta-Directory console refresh. You should always manually refresh the
console after performing a committed action.
( #525182 )
LDAP Attribute Subtypes
LDAP supports three attribute subtypes, language, binary, and pronunciation. Although
Meta-Directory will flow attributes that contain subtype values, you cannot create
join rules based on the attribute subtypes.
( #538454 )
Extra Spaces Trimmed From RDN Values
Currently, the join engine trims off extraneous spaces when it conducts a
search using an RDN value. This results in searches failing when
the join engine attempts to join entries between the meta view and the
associated connector view. For example, suppose the meta view has and entry
with the following RDN value:
cn=TEXT{space}{space}{space}TEXT, ou= {...etc}
In the join process, the join engine trims this value to the
following, causing the join to fail:
cn=TEXT{space}TEXT, ou= {...etc}
( #539818 )
Workaround
Use the Query/Fix-It Tool to search for unassociated entries and manually
link them.
Duplicated Email Values
In the Meta-Directory console, it is possible to inadvertently duplicate the
value of the email attribute. If you view an entry that is contained in either
a meta view or a connector view, then press the Advanced button to edit the entry,
the value of the E-Mail attribute will be duplicated when you close the Edit
Entry window.
( #537063 )
"Out of Memory" Errors
It is a known problem that the Meta-Directory console can generate "Out of
Memory" errors if the console is left open for extended periods of time.
( #542008 )
Workaround
It is advisable to shut down and reopen the Meta-Directory console once a day during the
time that you are synchronizing large amounts of data. This applies to Solaris systems
only.
Changing the Log File Directory
If you specify a log file directory from the Meta-Directory console, do not
end the directory specification with a slash ("/"); the join
engine will not write log files to a directory specified in this manner.
( #551346 )
Invalid Log File Location on Remote Machines
When you create a new instance of a Meta-Directory component, you can specify
the location of its log directory. Currently, Meta-Directory cannot
validate log file directories that are located on remote machines. If you
enter an invalid log directory, Meta-Directory will be unable to create log files
for that component. A remote machine is any machine that is not the one hosting the
Meta-Directory console.
( #549459 )
Workaround
Make sure the path you specify for the connector logs are
valid; both the drive and the directory structure of the specified path must
exist for logging to take place.
Connector View Name Size Limitation
Internally, Meta-Directory limits connector view names to five
characters. However, the current release of the Meta-Directory console
allows you to enter more than five characters when naming connector views.
Assigning view names with more than five characters will cause errors
when Meta-Directory writes to the log files. The input field for naming
connectors will be limited in the next product release.
( #553165 )
Viewing Entries in a Connector or Meta View
Currently you will not be able to view entries in the meta view or a connector
view if the view contains more than 2,000 entries. In this case, you will need to
create a browsing index from the respective Directory Server instance.
( #537940 )
Join Rule Names
Do not use trailing whitespace in your join rule names; the whitespace gets
truncated in conversion and you will not be able to test them using the
Join Rule Tester.
( #554192 )
Flowing Attributes From the Meta View Outward
If you set up a system so that changes to all attributes are made only by
clients to the meta view, you must still enable the flow of attributes to
the meta view by checking Flow Attributes to Meta View. This checkbox is
not a switch to disallow modifications from connector views, instead the
flow of attributes is controlled by the join rules you write.
( #550271 )
Multiple Directory Server Instances and Deleting Entries
You will not be able to delete an entry from a connector view from the Meta-Directory
console if the connector view is hosted by a different Directory Server instance
than the one that hosts the meta view. In this case, you must use the Directory Server
console to delete the entry from the connector view.
( #551606 )
Log File Computations Incorrect for Large Values
It is a known problem that the log file size computations are incorrect
for values greater than 4 Gb due to a data type limitation. For
example, you might see something similar to the following:
[2001/03/30 15:25:31.44 -0800] 2357:387584 3 Log Free disk space
: 545.000000, Min required : -193435.966797
There are three fields that are affected by this data type problem:
- Max. Log File Size
- Max. Reserved Free Space
- Max. Disk usage
( #538928 )
Deployment Notes
Notes for Configurations With Multiple Directory Server Instances
If you use different Directory Server instances for you Meta-Directory configuration,
meta view, and connector views, Note the following:
- The Directory Server hosting the Meta-Directory configuration will be displayed
in the Meta-Directory console as a Data Server, although technically it does not host
user data.
- The Directory Server hosting the Meta-Directory configuration must have the
Retro Change Log enabled.
( # N/A )
Meta-Directory Instance Creation: "Parent Not Found" Error
When creating an instance of a Meta-Directory component (such as a join
engine or connector), the view that is hosted by that component must be
placed under a directory suffix that contains a data node.
For example, suppose you create the new suffix
"o=MetaViews" . If you then try to create an instance
of the join engine, and specify "ou=MV1, o=MetaViews" ,
the instance creation will fail. (The process fails because a search for
"o=MetaViews" returns no such object.)
( #544651 )
Workaround
The workaround is to manually create the suffix "o=MetaViews" .
Setting the All IDs Threshold
In the Meta-Directory Deployment Guide, it is recommended that
you adjust the All IDs Threshold from its default setting. For example, it's
recommended that you set the All IDs Threshold value to 500001 if you are
synchronizing 500 Kb of data.
However, configuring the All IDs Threshold before you bulk-load data into
a connector view can cause extremely slow load times. It might be faster to
first load the data, then adjust the All IDs Threshold value. However, note
that changing the All IDs Threshold will result in new indexes being built
for the DIT.
( #551129 )
Windows NT Uninstallation Option: Clean Up Local Files
When uninstalling the Meta-Directory components on a Windows NT system, the
uninstallation UI will prompt for a username/password and it will ask if
you would like to clean up local files. Checking this option will cause the
installation to halt with the error message:
No value exists for the name <ConfigDirectoryLdapURL>
( #552480 )
Distributing Loads
In general, if you expect heavy loads on the hardware systems hosting your
Meta-Directory components, you should plan to distribute loads by
hosting your meta view and connector views on different systems than the one
that hosts your join engine.
In addition, to maximize performance, schedule synchronization cycles
according to the time it takes to perform an entire synchronization. For
example, if it takes the join engine five hours to synchronize a large database,
you should not schedule synchronization cycles more than three
or four times per day.
If the system hosting your Meta-Directory components becomes too heavily
loaded, you might experience memory allocation problems. One symptom of this
problem is that nsperlconn will silently stop. If you do experience
a memory failure problem, shut down and restart the join engine and connectors.
In addition, consider adding more resources to your Meta-Directory system.
( #552673 )
Join Engine Notes
Network or Directory Server Failures
Currently, if the network experiences a failure, or if you shut down and
restart the Directory Server, you must stop and restart the join engine.
Also, you must Disable and then Enable any views associated with the join
engine to ensure that the "Enable" of the view has been properly
registered with the join engine.
For example, if you restart the Directory Server instance that
hosts the Meta-Directory configuration (or any Directory Server instance
associated with a connector view), you must restart join engine and you
must re-enable any associated views. Note that the Directory Server instances
must be up and running before you restart the join engine.
( #553743 )
"Unknown" Status in the Join Engine
It is sometimes possible for the join engine to show a status of "Unknown"
after you issue a refresh command. This is caused by the join engine being preoccupied
with processing entries before it can respond to the status request from the Meta-Directory
console.
( #546873 )
Using Binary Attributes as Join Criteria
The join engine does not currently accept binary attributes (JPEG photos, digital
certificates, and so on) as a selection criteria in join rules.
( #543136 )
Universal Connector Notes
Removing a Universal Connector Instance
If you remove an instance of a Universal Connector using the Meta-Directory
console, the console should prompt if you also want to remove the associated
connector view and participating view. The current version of Meta-Directory
does not offer the prompt and you should remove the views manually.
( #553200 )
Universal Text Parser (UTP) Token functionality
When you customize the task.cfg file for comma separated value
(CSV) input files (this is the csv.cfg file that you have
renamed task.cfg ),
note that the Token functionality does not properly operate with the default
settings and you should not use the feature in this release. See the
Configuration and Administration Guide for details on tokens.
( #553015 )
Universal Connector (UTC) Attribute Flow Rules
If you delete an entry that is owned by a connector view from its corresponding
external data source (such as from NT SAM or from Active Directory), the
Universal connector will add the connector view-owned entry back to the
external data repository in the next synchronization cycle. The problem is that
user-defined attribute flow rules are not properly applied when the entry is
added back.
( #552556 )
Workaround
Delete the connector view-owned entry from the associated Directory
Server instance and re-add the entry.
Universal Connector Status is Misrepresented in the Meta-Directory Console
It is possible for the Meta-Directory console to misstate the UTC status as
disabled, when in fact the component is up and running. This condition is
normally caused by a timeout; the request by the Meta-Directory console
timed out before the UTC was able to respond. If such a condition occurs,
restart the Meta-Directory console.
( #546405 )
Attribute Values Fail to Update
When synchronizing data between an external data source and a connector
view, the UTC does not propagate changes for a given attribute if the change
reduces the number of values contained in that attribute to zero. Even though,
changes to other attributes in the same modification operation will be
correctly synchronized by UTC.
For example, suppose you flow a group with three members from an
external data source to a connector view. Afterwards, a user modifies the
group entry in two ways: they remove all three values from the member
attribute and they change the group description. After processing the
change, the connector view will contain the new group description, but the
member attribute will remain unchanged (the group entry in the connector
view will still contain the original three values in the member attribute).
( #545751 )
Workaround
In cases where this might be a problem, you can add a dummy value to the
attributes whose number of values might be reduced to zero through
a modification operation.
Entry Modification Delays
Modifications made to entries in Universal Connector-based connector views
might not be propagated to their associated external data sources for up to
three synchronization cycles. Possible delays depend on the timing of your
modifications.
( #536763 )
Specifying Script Names for the Universal Text Parser
When creating a connector using the Universal Text Parser (UTP), you must specify
the name of the script that you will be using for the connector (normally, this is
template.pl). The Meta-Directory console does not validate either path or the script
name of the value you input. If an incorrect value is entered, the connector will not
function.
( #541138 )
Universal Text Parser Options
The ValidateDataFile option in the task.cfg file is not
supported in the current release of the Universal Text Parser. If the
input data file is absent, the following error message will be logged:
Error opening input file <filename>
( #552930 )
Database (Oracle) Connector Notes
You Cannot Uninstrument an Oracle Data Server If a User Is Connected
If the join engine is running when you try to uninstrument your Oracle Data
Server, the SQL scripts will fail saying that it could not remove the user. This
means is that the change log user is already connected to the Oracle database and
is "active" or had a current login session to Oracle.
( #527730 )
Workaround
Stop the join engine before removing the Oracle data server.
Missed Entries During Synchronization
It has been observed that the join engine may sometimes miss random entries
when it is stressed by large loads (such as if you are refreshing 500,000
entries in a configuration that hosts multiple connector views).
( #553807 )
After you synchronize entries between an
Oracle connector view and the meta view, use the Query/Fix-It
Tool to search for and join entries in the meta view that are unassociated
with the corresponding entries in the Oracle connector view.
"Triggers Created with Compilation Errors" Warning
It is a known sqlplus limitation
that a single SQL query can have a maximum of 500 lines of 80 characters
each. If you attempt to instrument an Oracle table with a large number of
columns, you might receive the "Triggers Created with Compilation
Errors" warning message.
( #537216 )
Removing an Oracle Data Server From a Meta-Directory Setup
If you plan to remove an Oracle data server from your Meta-Directory setup,
you should first disable the connector view and participating view that's
associated with the data server prior to removing the data server from the
setup. Once you remove the Oracle data server, you should shut down and
restart the Meta-Directory console.
( #527730 )
Oracle Mapping Failure, DA_E_ALREADY_EXISTS
Under high stress conditions (where the system hosting the join engine is
heavily loaded), the join engine might create an entry in the Oracle proxy
view, even though the entry already exists. This results in the respective
connector view to become disabled, and the logs will report the error as:
Oracle Mapping Failure, DA_E_ALREADY_EXISTS...
( #553087 )
Workaround
Modify the mdsgeneralconfiguration attribute of cn=system as follows:
dn: cn=System, ou=5, ou=Meta-Directory, ou=Global
Preferences, ou=<hostName>.com, o=NetscapeRoot
changetype: modify
replace: mdsGeneralConfiguration
mdsGeneralConfiguration: IgnoreMapErrorsForRefreshEvents=80004005,80042044
mdsGeneralConfiguration: IgnoreMapErrorsForDCNSEvents=80042044
Refreshing a Connector View With Many Modifications
If you are simultaneously refreshing two or more connector views with the
meta view and there are at least 30 percent simultaneous changes being made to
the data contained in the meta view, there is a possibility that the data
flowing to an Oracle connector view could get locked out. This behavior has
been observed with a load 150 Kb or more. Note that flows to other connector
views will continue unabated.
( #545784 )
Workaround
If the Oracle connector view gets locked out, you should do the following:
- Refresh each connector view.
- Interweave simultaneous refresh operations so they occur a few minutes
apart from each other.
Active Directory Connector Notes
Domain Names for Active Directory Connectors
During the instance creation of an Active Directory connector, the
Meta-Directory console accepts an invalid or non-existent "Domain."
In addition, the console does not validate "Top Level Synch DN" names.
Even with the invalid names, the instance creation will complete, but the
instance will not be operational.
( #541149 )
Workaround
Be sure to validate the domain name and the Top Sync DN values before
creating instances of the Active Directory connector.
Deleting Group Members From the Connector View
If you flow a group of entries from Active Directory to its associated
connector view, and delete some of the group entries from the connector
view, the entries remain deleted in the view. Because Active Directory owns
the entries, they should be refreshed in the connector view during the
next synchronization cycle, but they are not.
( #540318 )
Login ID Values Containing Spaces
Entries created in the Active Directory database should not contain
login id values with spaces or special characters. If there
are spaces in the login id field, the entry will properly flow to its
associated connector view, however, any modifications to it from the
Meta-Directory side will result in a modification made to the login id
value. Spaces and special characters may be used anywhere else in an entry,
except for login id values. There is no problem for user entries created
in Meta-Directory (which get synchronized to the Active Directory).
( #552728 )
Setting The Log Level
While configuring the Active Directory connector, be sure to set the log
level to a value of "1", "2", or "3" in
the adc.ini file. Currently, there is no error checking here and
product accepts any character.
( #540442 )
Searching in ADSpecific Mode
Only users and groups with objectclass top, person, organizationalperson,
inetorgperson, and the like are returned by searches through the
Meta-Directory console. The search tool fails to return results
for the object classes mdsADUser, mdsADPerson, and other Active
Directory-specific attributes that are used by
the Active Directory connector when it is operated in ADSpecific mode.
( #546969 )
Workaround
When an Active Directory connector is instantiated in ADSpecific mode,
you must specify filter rules to search for any ADSpecific attributes.
Choose Advance > Filter, then key in the appropriate filter rule, such
as "(objectclass=mdsADUser)" .
Stopping the Active Director Connector
If you stop the Active Directory connector, the process running the connector might take
a long time to terminate if the connector is busy processing entries. Only when all the
entries have been processed will the connector be stopped.
( #541790 )
Windows NT Domain Connector Notes
Domain Names for NT Domain Connectors
During the instance creation of an NT Domain connector, the
Meta-Directory console accepts an invalid or non-existent "Domain."
Even with the invalid name, the instance creation will complete, but the
instance will not be operational.
( #541149 )
Workaround
Be sure to validate the domain name before you
create an instance of the NT Domain connector.
Need to Refresh Before Modifications Appear
When defining a new attribute flow rule using Windows NT Domain connector
(or other Universal Connector-based connectors), you will need to do a
refresh in Meta-Directory console in order to see the attribute rule name
appear from the drop-down box of the General tab.
( #525036 )
Related Information
Useful iPlanet information can be found at the following Internet locations:
|