Chapter 3 Directory Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Server.

This chapter includes the following sections:

• Bugs Fixed in Directory Server 6.2

• Known Problems and Limitations in Directory Server

Bugs Fixed in Directory Server 6.2

This section lists the bugs fixed since the last release of Directory Server.

6500297

After installing from the zip distribution on Solaris and Linux, Directory Server does not appear through SNMP after the Common Agent Container, cacao, is restarted.

6509701

When changing LDAP passwords by using the password change extended operation, the current password of the account is required even if pwdSafeModify is off.

6520653

On Windows 2003 systems, do not use software installed with dsee_deploy from the zip distribution in the German locale.

6540157

After running db2ldif or ldif2db, the new changelog is created but the old changelog is not removed.

6558119

When replication is enabled, ns-slapd crashes .

6561746

Migrating a Directory Server 5.1 master to 6.x displays an error.

6561772

Some of the jar files loaded in lockhart are not upgraded after applying 125310-02 and 125278-02 patches.

6564778

The dsconf create-plugin -Y pwdstoragescheme command adds the plug-in entry with incorrect DN

Known Problems and Limitations in Directory Server

This section lists known problems and limitations at the time of release.

Directory Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To workaround this limitation, install products and create server instances as a user having appropriate user and group permissions.

Do not replicate the cn=changelog suffix.

Although nothing prevents you from setting up replication for the cn=changelog suffix, doing so can interfere with replication. Do not replicate the cn=changelog suffix. The cn=changelog suffix is created by the retro changelog plug-in.

Database cache may be outdated after failover on Sun Cluster.

When Directory Server runs on Sun Cluster, and nsslapd-db-home-directory is set to use a directory that is not shared, multiple instances share database cache files. After a failover, the Directory Server instance on the new node uses its potentially outdated database cache files.

To work around this limitation, either use a directory for nsslapd-db-home-directory that is shared, or systematically remove the files under nsslapd-db-home-directory at Directory Server startup.

The wrong SASL library is loaded when LD_LIBRARY_PATH contains /usr/lib.

When LD_LIBRARY_PATH contains /usr/lib, the wrong SASL library is used, causing the dsadm command to fail after installation.

Use the LDAP replace operation to change cn=config attributes.

An LDAP modify operation on cn=config can only use the replace sub-operation. Any attempt to add or delete an attribute will be rejected with DSA is unwilling to perform, error 53. While Directory Server 5 accepted adding or deleting an attribute or attribute value, the update was applied to the dse.ldif file without any value validation, and the DSA internal state was not updated until the DSA was stopped and started.

---

Note –

The cn=config configuration interface is deprecated. Where possible use the dsconf command instead.

---

To work around this limitation, the LDAP modify replace sub-operation can be substituted for the add or delete sub-operation. No loss in functionality occurs. Furthermore, the state of the DSA configuration is more predictable following the change.

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.

Replication update vectors may reference retired servers.

After you remove a replicated Directory Server instance from a replication topology, replication update vectors can continue to maintain references to the instance. As a result, you might encounter referrals to instances that no longer exist.

The Common Agent Container is not started at boot time.

To work around this issue when installing from native packages, use the cacaoadm enable command as root.

max-thread-per-connection-count is not useful on Windows systems.

The Directory Server configuration property max-thread-per-connection-count does not apply for Windows systems.

A Microsoft Windows bug shows service startup type as disabled.

A Microsoft Windows 2000 Standard Edition bug causes the Directory Server service to appear as disabled after the service has been deleted from Microsoft Management Console.

Console does not allow administrator login on Windows XP

Console does not allow administrator to logon to the server running Windows XP.

As a workaround to this problem, the guest account must be disabled and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0.

Known Directory Server Issues in 6.2

This section lists the known issues that are found at the time of Directory Server 6.2 release.

2113177

Directory Server has been seen to crash when the server is stopped while performing online export, backup, restore, or index creation.

2133169

When entries are imported from LDIF, Directory Server does not generate createTimeStamp and modifyTimeStamp attributes.

LDIF import is optimized for speed. The import process does not generate these attributes. To work around this limitation, add rather than import the entries. Alternatively, preprocess the LDIF to add the attributes before import.

4979319

Some Directory Server error messages refer to the Database Errors Guide, which does not exist. If you cannot understand the meaning of a critical error message that is not documented, contact Sun support.

6358392

When removing software, the dsee_deploy uninstall command does not stop or delete existing server instances.

To work around this limitation, follow the instructions in the Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.

6366948

Directory Server has been seen to retain pwdFailureTime values on a consumer replica, even after the attribute values have been cleared on the supplier replica. The values remain after the modification of userPassword has been replicated.

6401484

The dsconf accord-repl-agmt command cannot align authentication properties of the replication agreement when SSL client authentication is used on the destination suffix.

To work around this issue, store the supplier certificate in the configuration on the consumer, following these steps. The examples command shown are based on two instances on the same host.

1. Export the certificate to a file.

   The following example shows how to perform the export for servers in /local/supplier and /local/consumer.

   $ dsadm show-cert -F der -o /tmp/supplier-cert.txt /local/supplier defaultCert $ dsadm show-cert -F der -o /tmp/consumer-cert.txt /local/consumer defaultCert

2. Exchange the client and supplier certificates.

   The following example shows how to perform the exchange for servers in /local/supplier and /local/consumer.

   $ dsadm add-cert --ca /local/consumer supplierCert /tmp/supplier-cert.txt $ dsadm add-cert --ca /local/supplier consumerCert /tmp/consumer-cert.txt

3. Add the SSL client entry on the consumer, including the supplierCert certificate on a usercertificate;binary attribute, with the proper subjectDN.

4. Add the replication manager DN on the consumer.

   $ dsconf set-suffix-prop suffix-dn repl-manager-bind-dn:entryDN

5. Update the rules in /local/consumer/alias/certmap.conf.

6. Restart both servers with the dsadm start command.

6412131

The certificate names containing multi-byte characters are shown as dots in the output of the dsadm show-cert instance-path valid-multibyte-cert-name command.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6415184

Directory Server instance with multi-byte characters in its path may fail to be created in DSCC, to start or perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:

# cacaoadm list-params | grep java-flags java-flags=-Xms4M -Xmx64M # cacaoadm stop # cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8" # cacaoadm start

Use only the ASCII characters in the instance path to avoid these issues.

6416407

Directory Server does not correctly parse ACI target DNs containing escaped quotes or a single escaped comma. The following example modifications cause syntax errors.

dn:o=mary\"red\"doe,o=example.com
changetype:modify
add:aci
aci:(target="ldap:///o=mary\"red\"doe,o=example.com")
 (targetattr="*")(version 3.0; acl "testQuotes";
 allow (all) userdn ="ldap:///self";)

dn:o=Example Company\, Inc.,dc=example,dc=com
changetype:modify
add:aci
aci:(target="ldap:///o=Example Company\, Inc.,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "testComma";
 allow (all) userdn ="ldap:///self";)

Examples with more than one comma that has been escaped have been observed to parse correctly, however.

6428448

The dpconf command has been seen to display the Enter "cn=Directory Manager" password: prompt twice when used in interactive mode.

6443229

Directory Service Control Center does not allow you to manage PKCS#11 external security devices or tokens.

6446318

On Windows, SASL authentication fails due to the following two reasons:

• SASL encryption is used.

  To workaround the issue caused by the SASL encryption, stop the server, edit dse.ldif, and reset SASL to the following.

  dn: cn=SASL, cn=security, cn=config dssaslminssf: 0 dssaslmaxssf: 0

• The installation is done using native packages.

  To workaround the issue caused by the native packages installation , set SASL_PATH to install-dir\share\lib.

6448572

Directory Service Control Center fails to generate a self-signed certificate when you specify the country.

6449828

Directory Service Control Center does not properly display userCertificate binary values.

6468074

The configuration attribute name, passwordRootdnMayBypassModsCheck, does not reflect that the server now allows any administrator to bypass password syntax checking when modifying another user's password when the attribute is set.

6468096

Do not set LD_LIBRARY_PATH before installing from the zip distribution or using the dsadm command.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6469296

The Directory Service Control Center feature that allows you to copy the configuration of an existing server does not allow you to copy the plug-in configuration.

6469688

On Windows systems, the dsconf command has been seen to fail to import LDIF with double-byte characters in the LDIF file name.

To work around this issue, change the LDIF file name so that it does not contain double-byte characters.

6478568

The dsadm enable-service command does not work correctly with Sun Cluster.

6480753

The dsee_deploy command has been seen to hang while registering the Monitoring Framework component into the Common Agent Container.

6482378

The supportedSSLCiphers attribute on the root DSE lists NULL encryption ciphers not actually supported by the server.

6482888

Unless you start Directory Server at least once, the dsadm enable-service fails to restart Directory Server upon system reboot.

6483290

Neither Directory Service Control Center nor the dsconf command allows you to configure how Directory Server handles invalid plug-in signatures. Default behavior is to verify the plug-in signatures, but not to require that they are valid. Directory Server logs a warning for invalid signatures.

To change the server behavior, adjust the ds-require-valid-plugin-signature and ds-verify-valid-plugin-signature attributes on cn=config. Both attributes take either on or off.

6485560

Directory Service Control Center does not allow you to browse a suffix that is configured to return a referral to another suffix.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installations and server instance folders.

6490653

When enabling referral mode for Directory Server by using Directory Service Control Center through Internet Explorer 6, the text in the confirm referral mode window is truncated.

To work around this issue, use a different browser such as Mozilla web browser.

6490762

After creating or adding a new certificate, Directory Server must be restarted for the change to take effect.

6491849

After upgrading replica, and moving servers to new systems, you must recreate replication agreements to use new host names. Directory Service Control Center lets you delete the existing replication agreements, but does not allow you to create new agreements.

6492894

On Red Hat systems, the dsadm autostart command does not always ensure that the server instances start at boot time.

6494997

The dsconf command does not prompt for the appropriate dsSearchBaseDN setting when configuring DSML.

6495004

On Windows systems, Directory Server has been seen to fail to start when the base name of the instance is ds.

6497053

When installing from the zip distribution, the dsee_deploy command does not provide an option to configure SNMP and stream adaptor ports.

To workaround this issue,

1. Enabled Monitoring Plug-in using the web console or dpconf.

2. Using cacaoadm set-param, change snmp-adaptor-port, snmp-adaptor-trap-port and commandstream-adaptor-port.

6497894

The dsconf help-properties command is set to work properly only after instance creation. In addition, the correct list of values for the dsml-client-auth-mode command should be client-cert-first | http-basic-only | client-cert-only.

6498537

In order to use Directory Service Control Center on Windows XP systems, the guest account must be disabled. Additionally, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest must be set to 0 in order for authentication to succeed.

6500936

In the Native patch delivery, the miniature calendar that is used to pick dates for filtering access logs is not properly localized in Traditional Chinese.

6501893

Output of the schema_push, repldisc, pwdhash, ns-inactivate, ns-activate, ns-accountstatus, mmldif, insync, fildif, entrycmp, dsrepair, dsee_deploy, dsadm show-cert, dsadm repack, and ldif commands are not localized.

6501900
6501902
6501904

Some output displayed by the dsccmon, dsccreg, dsccsetup, and dsccreg commands is not localized.

6503546

Changing the locale of the system and starting DSCC, does not display the pop-up window message in the locale that you selected.

6503558

When setting up Directory Service Control Center in a locale other than English, log messages concerning creation of the Directory Service Control Center Registry are not fully localized. Some log messages are shown in the locale used when setting up Directory Service Control Center.

6504180

On Solaris 10, the password verification fails for instances with multi-byte characters in their DN on English and Japanese locales.

6520646

Clicking Browse DSCC online help does not display the online help when you are using Internet Explorer.

6527999

The Directory Server plug-in API includes slapi_value_init()(), slapi_value_init_string()(), and slapi_value_init_berval()() functions.

These functions all require a "done" function to release internal elements. However, the public API is missing a slapi_value_done()() function.

6533281

Because of a known issue, nsslapd-idletimeout is not computed on Windows installations as documented under all conditions.

On Unix (including Solaris), nsslapd-idletimeout is computed when new connections are opened and when new data is received, as described in the documentation.

On Windows, nsslapd-idletimeout is computed the same way for secure connections or if ds-start-tls-enabled is true. However, for non-secure connections and if ds-start-tls-enabled is false, nsslapd-idletimeout is computed only when new connections are opened.

6536770

DSCC might not display long ACIs depending on the limit set by Internet Service Provider.

6538726

On Linux, If a Directory Server instance is started in a locale that is different from the locale in which the instance was created, the multi-byte characters do not display properly.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, add the following lines which are marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.

... restart_on="none" type="service"> <service_fmri value="svc:/network/initial:default"/> </dependency> + <dependency name="nameservice" grouping="require_all" \ + restart_on="none" type="service"> + <service_fmri value="svc:/milestone/name-services"/> + </dependency> <exec_method type="method" name="start" exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

6547923

Directory Server Enterprise Edition Windows service fails to start more than one server instances when the system restarts.

6550543

You might encounter an error when DSCC is used with the combination of Tomcat 5.5 and JDK 1.6 .

As a workaround, use JDK 1.5 instead.

6551672

Sun Java System Application Server bundled with Solaris 10 cannot create SASL client connection for authenticated mechanism and does not communicate with common agent container.

As a workaround, change the JVM used by application server by editing the appserver-install-path/appserver/config/asenv.conf file and replace the AS_JAVA entry with AS_JAVA="/usr/java". Restart your Application Server domain.

6551685

The dsadm autostart can make native LDAP authentication to fail when you reboot the system.

As a workaround, reverse the order of reboot scripts. The default order is /etc/rc2.d/S71ldap.client and /etc/rc2.d/S72dsee_directory.

6554777

The DSCC Version window might display the html source code if it is configured by deploying the Web Archive (WAR) file with application server. As a workaround, add the following entries in domain-path/domain-name/config/default-web.xml.

<mime-mapping> <extension>shtml</extension> <mime-type>text/html</mime-type> </mime-mapping>

6555192

On Linux, the localized server messages shown in the DSCC progress window might display the international characters garbled in non—English locales.

6557480

On Solaris 9 and Windows, when you access the online help from the console configured using Web archive file (WAR), it displays an error.

6565893

The idsktune command does not support SuSE Enterprise Linux.

6571672

If unzip is unavailable on the system, dsee_deploy does not install any product.

6573439

In the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.

6573440

If you configure the uniqueness plug-in to work across multiple attributes in Directory Server, an error is displayed during the Directory Server startup.

6577314

If you apply the Directory Server Enterprise Edition 6.2 patch without stopping the server instances, the dsadm info and dsadm stop will display that a server is down while the server is running.

6581469

The string err= is not translated in some of the Korean and Simplified Chinese messages.

6582831

On Solaris, the instances registered as a service might not start after restarting the system.

As a workaround to this problem, run the following commands:

# /usr/sbin/svccfg svc:> select application/sun/ds svc:/application/sun/ds> delpropvalue start/timeout_seconds 60 svc:/application/sun/ds> delpropvalue stop/timeout_seconds 60 svc:/application/sun/ds> addpropvalue start/timeout_seconds 600 svc:/application/sun/ds> addpropvalue stop/timeout_seconds 600 svc:/application/sun/ds> quit

6586231

In the dsconf help, Directory Server is sometimes incorrectly translated as répertoire instead of serveur d'annuaire in the French language.

6588319

In DSCC configured using Tomcat server, the title of the Help and Version pop-up windows displays the multi-byte strings garbled.

6589603

If you set the value of the configuration property, pwd-max-history-count, or the password policy attribute, pwdInHistory, to its maximum allowed value 24, the Directory Server instance might crash.

As a workaround, the value of pwd-max-history-count or pwdInHistory should not exceed 23.

6589942

In French, German, and Spanish languages, ROLE is translated in the dsconf enable-repl -? command's syntax but it is not translated later in the ROLE = master string.

6589949

In the command line interface help, the string INSTANCE_PATH is not translated in the German and Spanish languages.

6590558

On Linux, the Directory Server instances do not start at system restart if the maximum number of files are specified in the /etc/security/limits.conf file.

As a workaround, add the following in the etc/init.d/dsee_directory file.

# ulimit -Hn 65536 # ulimit -Sn 65536

6592543

The pop-up windows prompting the confirmation for stopping or unregistering servers display the doubled apostrophes in the French locale.