Oracle® Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition
11g Release 1 (

Part Number E28975-02

4 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server 11g Release 1 (

This chapter contains the following sections:


Bug information has been migrated from one database to another. If a bug number contains 8 digits, then the detailed bug information is currently stored in the Oracle bug database BugDB. If a bug number contains 7 digits, then the detailed bug information originated in the legacy Sun bug database Bugster. In these Release Notes, a bug number may be listed using the form BugDB#/Bugster#.

4.1 Directory Server Bugs Fixed in This Release

The following tables summarize all bug fixes contained in Directory Server Enterprise Edition 11g R1 (

Table 4-1 Directory Server Bugs Fixed in This Release

Bug ID Description


Memory leak occurs when adding duplicate attribute values.


Replication should detect URL inconsistency in RUV.


If a search requests an attribute both with and without a subtype at the same time, the value with the subtype is returned twice.


Exception is thrown when modifying a CoS template entry using DSCC.


Replication from one master to another master server halts.


Memory leak occurs using bin_ns-slapd.exe.


An ns-slapd crash occurs during LDIF import.


Performance issue with smartheap and multiple pools.


After configuring Directory Server as a Windows Service, you cannot stop the Directory Server instance or remove the Windows Service.


A double free error occurs when modifying a badly formed RDN.


Update Directory Server shared components.


An unexpected error occurs when using the Check Syntax button.


Using DSCC, an error message "Failure Count Reset" in Account Lockout is wrong.


When modifying a DN, a memory leak can occur if the moved entry has an entryID smaller than the new superior entry.


Minor memory leak during backup/restore task.


A memory leak may occur when you run bin_ns-slapd.exe using Oracle Directory Server Enterprise Edition versions 7.0 or on a 64-bit Windows Server.


If an error occurs during online rewrite task creation, the task is not destroyed internally. The server, waiting for the task to end, hangs at shutdown.


When replication is not configured on a Directory Server, using the command dsconf rewrite -f purge-csn=on crashes the server.


Time Based Log Rotation does not work as expected.


During reindexing, if any attribute is encrypted, Error 4804, Error 4806, and Error 21256 occur.


If a moddn operation is attempted, but the server is configured to reject moddn operations, then a memory leak can occur.


Using Directory Server, a dramatic drop in performance occurs after a failed modrdn operation.


Directory Server should return referral during reindexing.


The log for an indexed search indicates notes=U.


Data of type OCTETSTRING is corrupted by DSCC.


Heap corruption in ns-slapd password storage plugin.


If you attempt to add an ACI using the "New ACI From Syntax..." button, when you click OK or click Check Syntax, you are redirected to a login page.


When a Directory Proxy Server instance is stopped using either the dpadm command or SMF service, DSCC shows the DPS status as "Degraded."


Migration from Directory Server 5.2 to ODSEE 11g fails on nsMatchingRule.


Identity Synchronization for Windows on-demand synchronization fails under specific mixed case host-FQDN configuration.


Directory Server crashes while attempting a backup. After the server crashes, you cannot restart the server.


Corrupted IP address is logged when connections are aborted.


Directory Server does not start in read-only mode on SUSE Linux 10 (X86_64).


When using dsmig config to migrate from Directory Server Enterprise Edition 5.2, the index configuration is not successfully migrated.


It is possible to modify an entry with a user whose password must be changed.


After being written with an invalid nsuniqueid, a database entry cannot be read.


Using the SASL bind GSSAPI, if there is a mismatch between authzid and authid, the bind is rejected.


Directory Server allows a poorly formed ldapmodify request to be processed.


Misleading error message is displayed in DSCC when max-age:unlimited is set.


Directory Server hangs after Error 20765.


The memberof plugin initialization searches can cause server to hang during shutdown.


Offline rewrite of a suffix does not use optional parameter.


Directory Server crashes due to replication stack issue.


Directory Server hangs while dsconf create-index is running.


Performance problem occurs on Directory Server running on HP 585 G5 and HP 580 G7 NUMA based hardware.


System crashes due to combination of ds-gather-filter-stats and base=one searches.


Improve re-indexing on production deployments to accommodate new attributes.


CoS fails to use the operational qualifier properly, so operational attributes are returned.


Directory Server instance registered as service does not stop properly upon Windows system shutdown.


The dsccmon command line output includes numerous but useless INFO messages making it difficult to read important information.


When adding a password policy to a sub suffix, if the DN uses a case different from the case used in suffix definitions, then the password policy is displayed twice.


DSCC displays incorrect information, "Operational Status : Index Modified - Initialization or Regeneration Required."


When running the insync command, a crash occurs if the hostname given to the -S option contains one or more uppercase characters.


When editing a default security certificate, the tooltip displays an invalid string.


Creating a replication suffix by copying the replication agreement from an existing suffix fails.


Password policy control OID is listed twice in the supported control attribute.


The dsconf reindex command causes ns-slapd to crash if the database contains encrypted attributes and has been migrated from version 6.x or version 5.x.

4.2 Known Directory Server Limitations

This section lists known Directory Server limitations at the time of release.

Dtrace probes on Solaris 10 x64 may not work

A fix for this limitation is included in the Solaris 10 Update 11. (15699438/7022701)

Supported and unsupported filesystem types

UFS and ZFS are the recommended filesystem types for use with ODSEE on Solaris. LOFS is a supported filesystem for use with ODSEE on Solaris. However, if you use the LOFS filesystem, you may encounter performance issues. NFS and CIFS are not supported filesystems for use with ODSEE regardless of OS. (14605778)

Using SASL Authentication on Windows

If you use SASL authentication on Windows, enable starttls to avoid connection problems. (14556992)

Number of servers that can be managed using DSCC

The Directory Service Control Center (DSCC) enables centralized administration of Directory Server and Directory Proxy Server instances. The current version of DSCC has been tested successfully in an environment of 42 server instances, supporting most common configurations.

Proper Use of Entry Management Tab

The 'Entry Management' tab in DSCC is meant as a simple browser and editor. For advanced and regular browsing, editing, and monitoring of LDAP entries, use CLIs.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Oracle support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with Error 53: DSA is unwilling to perform. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.


The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

On Windows systems, max-thread-per-connection-count is not useful.

The Directory Server configuration properties max-thread-per-connection-count and ds-polling-thread-count do not apply for Windows systems.

Changing index configurations on the fly

If you change an index configuration for an attribute, all searches that include that attribute as a filter are treated as not indexed. To ensure that searches including that attribute are properly processed, use the dsadm reindex or dsconf reindex commands to regenerate existing indexes every time you change an index configuration for an attribute. See Chapter 12, ODSEE Indexing, in Administrator's Guide for Oracle Directory Server Enterprise Edition for details.

4.3 Known Directory Server Bugs

This section lists the issues that are known at the time of the Directory Server 11g Release 1 (


A previously undocumented limitation on ACI evaluation during MODRDN rejects the operation when the ACIs specify a deny rule. See the Administrator's Guide for Oracle Directory Server Enterprise Edition for more information.


Using WebLogic 10.3.6, when you double-click on a server to select it in DSCC, you are abruptly logged out of the console.


On Windows 2008 only, SASL/DIGEST-MD5 binds sometimes fail with an ASN.1 error, after which the connection appears not to be closed.


On Solaris 11 SPARC or X64, and on recent updates of Solaris 10, sometimes connections cannot be established between the Java-based client application dsconf and the Directory Server.

This is due to unwanted interactions between the JDK7 that ships with ODSEE and some Solaris 11 operating system libraries. To avoid this, do not use the system's libraries.

As a workaround, you can do one of the following:

  • In the file $INSTALL_DIR/dsee7/jre/lib/security/, remove any sunpkcs11 related entries.

  • Replace $INSTALL_DIR/dsee7/jre/lib/security/ with a modified version of the file that ships with the ODSEE:



When a DSCC registry is deleted, the registry information is not updated appropriately, and the registry information remains stored in the agent itself.


When attempting to deploy the DSCC WAR file on using Apache Tomcat 6.0.14, a Java exception occurs.


On Solaris 10 Update 10 and on Solaris 11 11.11, if the Directory Server instance is registered as an SMF service, you cannot start the server instance.


When replication is working correctly between a Directory Server 6.x master and a Directory Server 5.x consumer or master, the DSCC displays a false Operational Status "The destination suffix is not initialized." The destination suffix is actually initialized, and you can safely ignore the Perennial Status.


The replcheck command does not work with partial replication.

12305195 and 12305197/12302886

In the Japanese version of DSCC, when you click the Version button, the Version page does not display as designed. When you click the Help button, the Help page does not display as designed. In both instances, the title bar displays a question mark (?) instead of the proper page title.


If you use DSCC to modify one or more properties of an index attribute for a suffix, the data is actually updated in the backend, but the status is not updated in the suffix Indexes page as expected. Even clicking the Refresh button on the suffix Indexes page does not return the updated status.

To work around this issue, disconnect from DSCC, and then re-connect to DSCC. When you go to the suffix Indexes page, the status should be properly updated.


When attempting to view replication topology images in the DSCC, DSCC throws an error and indicates it cannot load the page.

To work around this issue, in the JVM options of the application server in which DSCC is deployed, apply the following:


The command dsconf help-properties inverts the description for the fractional replication properties. The following output:

repl-fractional-exclude-attr ... Replicate only the specified set of attributes
repl-fractional-include-attr ... Do not replicate the specified set of attributes

should be as follows:

repl-fractional-exclude-attr ... Do not replicate the specified set of attributes
repl-fractional-include-attr ... Replicate only the specified set of attributes

When some race conditions occur on replicated operations, the retro-changelog might not reflect the correct order of changes. There is no workaround at this time.


The server may hang if a changelog trimming is ongoing while an online restore is started.


The dsconf command binds as anonymous first when an SSL port is used. This may prevent dsconf from working in deployments where anonymous binds are rejected by the server.


If you set the idle timeout to a very small value, for example, 2s on a server instance, DSCC might display connection errors and prevent some operations that take a long time to complete (like rotating logs). Make sure you set the idle timeout to at least 10s or 20s, and adjust the idle timeout according to your network latency.


The uidObject objectclass is missing from the schema.

To work around this issue, add the following objectclass to the 00core.ldif file:

objectClasses: ( NAME 'uidObject' SUP top AUXILIARY MUST uid X-ORIGIN 'RFC 4519')

An obsolete definition remains in the 28pilot.ldif file.

To work around this issue, add the following alias specification to the 28pilot.ldif file:

objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ('newPilotPerson' 'pilotPerson') DESC <...>)

DSCC does not support host synonyms. When replicating the DSCC suffix, the host name in the replication agreement must match the host name in the DSCC registry.


In Windows, in the Korean locale, the dsadm start command does not display the nsslapd error log when ns-slapd fails to start.


After deploying the WAR file, the View Topology button does not always work. A Java exception sometimes occurs, which is based on org.apache.jsp.jsp.ReplicationTopology_jsp._jspService


The output of the dsadm show-*-log command is not correct if some lines in the log contain more than 1024 characters.


The output of the dsadm show-*-log l command does not include the correct lines. It can include the last lines of a previously rotated log.


Directory Service Control Center and the dsadm command from versions 6.1 or later do not display built-in CA certificates of Directory Server instances that were created with the dsadm command from version 6.0.

To work around this issue:

Add the 64-bit module with 64-bit version of modutil:

$ /usr/sfw/bin/64/modutil -add "Root Certs 64bit" \
-libfile  /usr/lib/mps/64/ -nocertdb \
-dbdir /instance-path/alias -dbprefix slapd- -secmod secmod.db

For servers registered in DSCC as listening on all interfaces (, attempting to use dsconf to modify the listen-address of the servers results in DSCC errors.

To have an SSL port only and secure-listen-address setup with Directory Server Enterprise Edition, use this workaround:

  1. Unregister the server from DSCC:

    dsccreg remove-server /local/myserver
  2. Disable the LDAP port:

    dsconf set-server-prop ldap-port:disabled
  3. Set up a secure-listen-address:

    $ dsconf set-server-prop secure-listen-address:IPaddress
    $ dsadm restart /local/myserver
  4. Register the server using DSCC. In the Register Server wizard, specify the server's IP address. This operation cannot be undone.


When you use the Service Management Facility (SMF) on Solaris 10 to enable a server instance, the instance might not start when you reboot the system and return the following error:

svcadm: Instance "svc:/instance_path" is in maintenance state.

To work around this problem, use a local user to create Directory Server and Directory Proxy Server servers (that is, a user that is defined locally on the machine rather than an NIS user.)


When modifying the password policy using the Directory Service Control Center, attributes that have not changed may be unknowingly reset.

Using the Directory Service Control Center to manage the default password policy does not cause any error. However, using the Directory Service Control Center to manage specialized password policies can cause unchanged attributes to be reset.


On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.


When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as the Mozilla web browser.


For the HP-UX platform, Directory Server Enterprise Edition man pages for the following sections cannot be accessed from the command line:

  • man5dpconf.

  • man5dsat.

  • man5dsconf.

  • man5dsoc.

  • man5dssd.

To work around this issue, access the man pages at Man Page Reference for Oracle Directory Server Enterprise Edition. From that location, you can download a PDF of all Directory Server Enterprise Edition man pages.


During installation on Windows systems, ODSEE relies on Windows permissions settings for file protection. Be sure your permissions are set appropriately.

To work around this issue, change the permissions on the installations and server instance folders.


Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.


Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.
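The following sketch is an added example, not Oracle's code. It reads a dse.ldif, reports the effective plug-in signature settings, and emits a change record that turns both checks on using only the replace sub-operation, as the cn=config limitation in section 4.2 requires. The sample dse.ldif excerpt is constructed, and treating an absent attribute as the default described above (verify on, require off) is an assumption.

```python
import re

# Attribute names come from the release note. The defaults encode its statement
# that the server verifies plug-in signatures but does not require valid ones.
DEFAULTS = {
    "ds-verify-valid-plugin-signature": "on",
    "ds-require-valid-plugin-signature": "off",
}

# Constructed dse.ldif excerpt (not taken from a real instance).
SAMPLE_DSE = """\
dn: cn=config
cn: config
ds-verify-valid-plugin-signature: off

dn: cn=SASL, cn=security, cn=config
cn: SASL
"""


def config_entry(dse_text):
    """Return {attribute: value} for the cn=config entry of a dse.ldif."""
    text = re.sub(r"\r?\n ", "", dse_text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if lines and re.fullmatch(r"dn:\s*cn=config", lines[0], re.I):
            pairs = (l.split(":", 1) for l in lines[1:] if ":" in l)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return {}


def signature_policy(dse_text):
    """Effective on/off value of both signature attributes."""
    entry = config_entry(dse_text)
    return {a: entry.get(a, d).lower() for a, d in DEFAULTS.items()}


def hardening_ldif(dse_text):
    """Change record enabling both checks; empty string if nothing to do."""
    current = signature_policy(dse_text)
    todo = [a for a in DEFAULTS if current[a] != "on"]
    if not todo:
        return ""
    # Only 'replace' is used: add and delete on cn=config fail with Error 53.
    body = "\n-\n".join(f"replace: {a}\n{a}: on" for a in todo)
    return f"dn: cn=config\nchangetype: modify\n{body}\n"


if __name__ == "__main__":
    print(signature_policy(SAMPLE_DSE))
    print(hardening_ldif(SAMPLE_DSE), end="")
```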


On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.


On Windows, SASL authentication fails because SASL encryption is used.

To work around the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

dn: cn=SASL, cn=security, cn=config
dssaslminssf: 0
dssaslmaxssf: 0

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.


The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The example commands shown are based on two instances on the same host.

  1. Export the certificate to a file.

    The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

    $ dsadm show-cert -F der -o /tmp/supplier-cert.txt \
      /local/supplier defaultCert
    $ dsadm show-cert -F der -o /tmp/consumer-cert.txt \
      /local/consumer defaultCert
  2. Exchange the client and supplier certificates.

    The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

    $ dsadm add-cert --ca /local/consumer supplierCert \
      /tmp/supplier-cert.txt
    $ dsadm add-cert --ca /local/supplier consumerCert \
      /tmp/consumer-cert.txt
  3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

  4. Add the replication manager DN on the consumer.

    $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN
  5. Update the rules in /local/consumer/alias/certmap.conf.

  6. Restart both servers with the dsadm start command.


When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.
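One way to do the preprocessing step, as an added example that is not part of the Oracle release notes: the script appends createTimeStamp and modifyTimeStamp in GeneralizedTime (UTC) to every entry that lacks them and leaves existing values, folded lines, the version header and change records untouched. The sample LDIF is constructed, and using a single timestamp for all entries is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a version header, an entry with a folded line, and an
# entry that already carries a creation timestamp from its source directory.
SAMPLE_LDIF = """\
version: 1

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
description: a long value that the exporter folded onto a second
  line with a leading space

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
createTimestamp: 20110101120000Z
"""


def generalized_time(when):
    """Format a datetime as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ)."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def attr_names(block):
    """Lower-cased attribute names of one record, skipping folds and comments."""
    names = set()
    for line in block.split("\n"):
        if line.startswith((" ", "#")) or ":" not in line:
            continue
        # Drop options such as ';binary' so only the base name is compared.
        names.add(line.split(":", 1)[0].split(";", 1)[0].lower())
    return names


def add_timestamps(ldif_text, when):
    """Return ldif_text with missing timestamp attributes added to each entry."""
    stamp = generalized_time(when)
    text = ldif_text.replace("\r\n", "\n").strip("\n")
    out = []
    for block in re.split(r"\n{2,}", text):
        names = attr_names(block)
        # Only content entries: skip the version header and change records.
        if "dn" in names and "changetype" not in names:
            for attr in ("createTimeStamp", "modifyTimeStamp"):
                if attr.lower() not in names:  # attribute names are case-insensitive
                    block += f"\n{attr}: {stamp}"
        out.append(block)
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_timestamps(SAMPLE_LDIF, datetime.now(timezone.utc)), end="")
```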


Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Oracle support.