Chapter 4 Directory Proxy Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Proxy Server.

This chapter includes the following sections:

• Bugs Fixed in Directory Proxy Server

• Known Problems and Limitations in Directory Proxy Server

Bugs Fixed in Directory Proxy Server

This section lists bugs fixed for this release.

The following bugs were fixed since the last release of Directory Proxy Server.

4883696

Allow read and write requests to be chained separately.

4883701

Add alphabetic and hash based data distribution algorithms.

4951403

Directory Proxy Server cannot follow referrals in bind requests.

4975248

Directory Proxy Server log file cannot exceed 2 GB.

5014402

Directory Proxy Server file handles leak memory.

The following bugs were found during the beta program, and subsequently fixed.

6348105

Error arises when performing a search through Directory Proxy Server and password lockout occurs.

6445085

Directory Service Control Center does not allow you to create a certificate request.

6492361

LDAP searches through Directory Proxy Server are not abandoned by Directory Proxy Server after being abandoned by the client application.

6492368

Substring searches are not possible through a join data view.

6492371

Searching DB2 through Directory Proxy Server results in an SqlException.

6492375

When create a JDBC object class the secondary table is not optional.

6493640

Deleting an SQL database entry does not function properly.

6493643

Shared, multivalued attribute values in databases are ignored.

Known Problems and Limitations in Directory Proxy Server

This section lists known problems and limitations at the time of release.

Directory Proxy Server Limitations

This section lists product limitations. Limitations are not always associated with a change request number.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To workaround this limitation, install products as a user having appropriate user and group permissions.

Self-signed server certificates cannot be renewed.

When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.

Directory Proxy Server enables SSLv2 by default.

SSLv2 is the oldest of the SSL/TLS family of security protocols. Although SSLv2 was considered a large step forward in security protocols when it was new, it is now widely regarded as comparatively weak and obsolete. Use of SSLv2 is supported, but discouraged. Directory Proxy Server leaves SSLv2 enabled by default. To disable SSLv2 for Directory Proxy Server, set the enabled-ssl-protocols property to include only SSLv3 and TLSv1, for example.

$ dpconf get-server-prop -w /tmp/dps.pwd supported-ssl-protocols supported-ssl-protocols : SSLv2Hello supported-ssl-protocols : SSLv3 supported-ssl-protocols : TLSv1 $ dpconf set-server-prop -w /tmp/dps.pwd enabled-ssl-protocols:SSLv3 enabled-ssl-protocols:TLSv1 $ dpconf get-server-prop -w /tmp/dps.pwd enabled-ssl-protocols enabled-ssl-protocols : SSLv3 enabled-ssl-protocols : TLSv1

On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.

Instead, when running on Windows 2003 in the German locale, install from native packages using the Java ES distribution.

Known Directory Proxy Server Issues

This section lists known issues. Known issues are associated with a change request number.

5042517

The modify DN operation is not supported for LDIF, JDBC, join and access control data views.

6255952

When local proxy ACIs are defined, operations using the get effective rights control may not return the correct information.

6356465

Directory Proxy Server has been seen to reject ACIs that specify subtypes to the target attribute, such as (targetattr = "locality;lang-fr-ca").

6357160

The dpconf command does not reject new line and line feed characters in property values. Avoid using new line and line feed characters when setting property values.

6359601

When ACIs are configured, Directory Proxy Server has been seen not to return the same results as a search directly on the LDAP data source.

6374344

Directory Proxy Server has been seen to return an operations error, stating that the server is unable to read the bind response, after a Directory Server data source is restarted.

6383532

Directory Proxy Server must be restarted when the authentication mode configuration is changed.

6386073

After a CA-Signed Certificate request is generated for Directory Proxy Server, you can refresh Directory Service Control Center. Directory Service Control Center then labels the certificate as self-signed.

6388022

You can configure to use SSL connections when the client application connects using SSL. If the SSL port used by Directory Proxy Server is incorrect, Directory Proxy Server has been seen to close all connections after a secure search.

6390118

Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.

6390220

Directory Proxy Server allows you to set the base-dn property of a data view to the root DN, "", only when initially creating the data view.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6439055

Do not use the dollar sign, $, when defining attribute rules.

6439604

After configuring alerts, you must restart Directory Proxy Server for the change to take effect.

6445919

When you configure a virtual hierarchy with DN rules, Directory Proxy Server cannot always resolve searches based on the virtual DNs. For example, if the virtual DN is configured as uid=${entry.uid},cn=${entry.cn},dc=example,dc=com, searches with scope cn=some-cn,dc=example,dc=com fail.

6447554

Directory Proxy Server has been seen to fail to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.

6458935

When working with join data views, Directory Proxy Server does not take data distribution algorithms in the views that make up the join.

To work around this issue, configure data distribution at the level of the join data view when using joins and data distribution together.

6463067

The dpadm autostart command does not work when you install software from native packages, and you relocate the native packages at installation time.

6469780

After configuring a JDBC data source, you must restart Directory Proxy Server for the change to take effect.

6475156

The dpconf command erroneously claims a restart is required when you set the bind-dn and num-write-init properties.

6475710

The modify RDN operation is not supported for entries in JDBC data views.

6475727

After using the dpconf delete-jdbc-object-class command, you must restart Directory Proxy Server for the change to take effect.

6475743

Directory Proxy Server has been seen to retrieve only one of two attributes mapped through JDBC with both attributes are mapped to the same database table column.

6477261

Directory Proxy Server incorrectly returns error 32, no such object, when accessing a JDBC attribute not specified in the configuration.

6479264

One level searches through JDBC data views have been seen to fail.

6479766

Directory Proxy Server does not allow you to manage schema over LDAP.

6486526

On Windows systems when you install Directory Proxy Server after Directory Server using the dsee_deploy command, the command returns an error suggesting that some common files could not be removed.

6486578

Directory Proxy Server should ignore the filter-join-rule property when it is used in a primary table.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.

6490763

Access Manager, when accessing Directory Server through Directory Proxy Server, has been seen to encounter caching problems related to persistent searches after Directory Server is restarted.

To work around this issue, restart either Access Manager or Directory Proxy Server after restarting Directory Server.

For further fine tuning, you can increase the number of and delay between Access Manager attempts to reestablish persistent search connections. You can increase these parameters by changing the following properties in the AMConfig.properties file.

• Increase com.iplanet.am.event.connection.num.retries, which represents the number of attempts. The default is 3 attempts.

• Increase com.iplanet.am.event.connection.delay.between.retries, which represents the number of milliseconds delay between attempts. The default is 3000 milliseconds.

6491133

When creating a self-signed certificate using Directory Service Control Center, do not use multibyte characters for the certificate names.

6491845

The default LDAP controls allowed through Directory Proxy Server are not displayed by Directory Service Control Center.

6492355

Directory Proxy Server does not update JDBC data sources with transactions. Instead, Directory Proxy Server performs operations in stages. Therefore, part of an update operation against a relational database can succeed although another part of the operation fails.

6492376

After configuring JDBC syntax, you must restart Directory Proxy Server for the change to take effect.

6493349

Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.

6494259

Directory Proxy Server does not recompute the alternate-search-base-dn property when you change the base-dn property of a data view.

6494400
6494405

On Windows systems when Directory Proxy Server is enabled as a service, do not use the dpadm cert-pwd-prompt=on command.

6494412

To enable email alerts from Directory Proxy Server to mail users on the local host, specify an email-alerts-message-from-address property before you enable email alerts.

$ dpconf set-server-prop email-alerts-message-from-address:admin@localhost

6494513

Increasing the number of Directory Proxy Server worker threads can prevent the server from restarting. This problem manifests itself as a java.lang.OutOfMemoryError error when the server is started. This problem occurs when the memory available to the Java Virtual Machine is not sufficient to allocate space for all worker threads.

To work around this issue, either use the dpadm command to allow the server to use more memory, or replace the server configuration file, instance-path/config/conf.ldif, with instance-path/config/conf.ldif.startok to use the previous configuration settings.

6494540

After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.

6495395

Virtual directory macros using split do not work properly.

6497547

Time limit and size limit settings work only with LDAP data sources.

6497992

After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.

6500275

When used with the jvm-args flag to allocate extra memory for the Java virtual machine, the dpadm command has been seen to return exit status 0 even though memory allocation fails. Error messages appear on the command line, however.

6500298

When using the jvm-args flag of the dpadm command and restarting the server, you cannot successfully allocate more than 2 GB memory for the Java virtual machine.

To work around this issue, use dpadm stop and dpadm start instead of dpadm restart.

6501867

The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and Japanese multiple-byte characters.

6505112

When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.

To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.

6510583

Unlike previous versions, as stated in the manual page allowed-ldap-controls(5dpconf), Directory Proxy Server does not allow the server side sort control by default.

You can enable Directory Proxy Server support for the server side sort control by adding server-side-sorting to the list of allowed LDAP controls specified by the allowed-ldap-controls property.

$ dpconf set-server-prop \ allowed-ldap-controls:auth-request \ allowed-ldap-controls:chaining-loop-detection \ allowed-ldap-controls:manage-dsa \ allowed-ldap-controls:persistent-search \ allowed-ldap-controls:proxy-auth-v1 \ allowed-ldap-controls:proxy-auth-v2 \ allowed-ldap-controls:real-attributes-only \ allowed-ldap-controls:server-side-sorting

Notice that you must repeat the existing settings. Otherwise, only the server side sort control is allowed.

6511264

When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.

Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.

6516261

When used with German and Chinese locales, Directory Service Control Center has been seen to fail to create new Directory Proxy Server instances. The dsccreg add-server also has been seen to fail to register Directory Proxy Server instances.

To work around this issue on a Windows system, switch to the U.S. English locale before creating the instance.

6517615

The JDBC connection configuration to access Oracle 9 through Directory Proxy Server might not be as straightforward as shown in the documentation.

Consider the following configuration. You have an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.

Typically, to configure access through to MYTABLE, you would set the following properties.

• On the JDBC data source, set db-name:MYINST.

• On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.

• On the JDBC table, set sql-table:MYNAME.MYTABLE.

If these settings do not work for you, try configuring access through to MYTABLE with the following settings.

• On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST))).

• On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537))).

• On the JDBC table, set sql-table:MYNAME.MYTABLE.