Netscape Directory Server 6.11 Release Notes

Netscape Directory Server Release Notes

Version: 6.11

Updated on: December 10, 2002

These release notes contain important information available at the time of the version 6.11 release of Netscape Directory Server (Directory Server). New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Directory Server.

Check the Red Hat Directory Server Documentation site prior to installing and setting up your software and then periodically thereafter to obtain the latest release notes and manuals.

These release notes contain the following sections:

What's New in This (6.11) Release
What Was New in The 6.1 Release
Software/Hardware Requirements
Documentation
Documentation Supplements
Important Notes and Known Problems
For More Information
Third-Party License Acknowledgments

What's New in This (6.11) Release

This release of Directory Server is supported on the Windows 2000 operating system. For details, see Microsoft Windows Platform Requirements. The release also addresses some of the problems noted in the previous releases of Directory Server. The table below lists bugs that have been fixed in the 6.11 realease.

Bug Number	Description
Database - Indexes/Searches
611341	Directory Server would crash when index and id2entry were inconsistent. This problem has been fixed.
Installation/Uninstallation/Migration/Upgrade
556996	The messages logged during setup and uninstallation of Directory Server weren't user friendly. This has been improved. Instead of logging these messages to different log files, now all the messages are logged to a single setup/uninstallation log file.
610738	Inplace upgrade was not working properly. This problem has been fixed.
613507	On Windows, the upgrade program was failing when one tried to upgrade a Directory Server 6.01 MMR environment to Directory Server 6.11. This problem has been fixed.
Replication
610346	In a supplier-consumer replicated environment, replacing or modifying an attribute with the same values (as the current ones) resulted in the consumer deleting those values. For example, if attribute A1 had values { V1, V2 } and if the change operation of the supplier replaced A1 with { V1, V2, V3 }, after the change got pushed to the consumer, it's copy of the attribute became { V3 }. V1 and V2 were deleted. This problem, which was noted in Directory Server 6.1, has been fixed.
610948	In a replicated environment, the master server would stop working, populating the logs with many SASL bind-related error messages. This problem has been fixed.
611150 606139	A problem related to replication pausing between updates has been fixed.
613324	On Windows, in a supplier-consumer replicated environment, if the supplier and consumer servers were configured to communicate over SSL with client authentication, the supplier server logged `LDAP SDK error 91` and the consumer server logged `Netscape runtime error -5931`. This problem has been fixed.
Server
607555 611053	In Directory Server 6.1, duplicate values for the same attribute were returned for binary attributes. This problem has been fixed.

What Was New in The 6.1 Release

The 6.1 release of Directory Server contained many enhancements, including the following:

Linux Platform Support -- This release of Directory Server is supported on the Red Hat Linux operating system. For details, see Red Hat Linux Platform Requirements.

Enhancements to Multi-Master Replication The following enhancements have been made:

áFaster, more reliable Multi-Master Replication.
A new HTML-based interface for monitoring replication, accessible from the Administration Express interface. For details, see the Administrator's Guide.
Aánew scriptáfor troubleshooting replication by viewing the change log contents, template-cl-dump.pl,áis now provided. For details, see the Configuration, Command, and File Reference.

Enhancements to Logging -- Ability to rotate logs by time of the day; inclusion of port and host information in access logs for ease of archiving and exchanging log files; improved error messages, detailing supplier and consumer replication sessions.

Virtual Directory Information Tree Views --áThe new Virtual Directory Information Tree Views feature enables creation of ácustom DITs for specific applications and purposes without having to change the physical location of directory entries. For details, check the Deployment Guide.

Virtual Attribute Search -- Supportsásearches based on virtual attributes, enabling the use of these attributes in ACLs and in regular search filters. For example, you can search for (nsrole=<someDN>).

New Plug-Ins -- Includes a new plug-in, named Space Insensitive String Syntax plug-in, for supporting space and case insensitive values such as AOL Screen Names. For details, check the Configuration, Command, and File Reference.

Data Interoperability Feature -- Enables the use of a proprietary database plug-in. For details, check the Plug-In Programmer's Guide.

Extra Applications -- Includes extra applications, Who's On-line (for detecting online status of AOL Instant Messenger^(R) users) and Virtual Views demo.

Bug Fixes -- Addresses many problems noted in the previous releases.

The table below lists bugs that have been fixed in the 6.1 release.

Bug Number	Description
ACLs
558229	The limitation of not being able use virtual attributes in ACLs has been removed. You can now use virtual attributes in ACLs and in regular search filters.
Back Up/Restore
547427	During restore, only the old files corresponding to the old index configuration wereáreinstated. The index files weren't brought up to date if the index configuration changed between a backup and restore operation. This problem has been addressed. Now, the restore operation compares the backed up index information with the new information, and if any difference is found, it reports the difference and issues a warning.
606441	The problem of database getting corrupted or deleted during the restoration of a backup has been fixed.
Chaining
527792	During chaining, password expirationsá(expiring or has expired) are now checked and the appropriate messages are logged.
601191	The server used to crash while exporting a chained database using the `db2ldif` tool because db2ldif over chaining was not supported. This has been fixed. For example, assume Server1 has been set up with a root suffix and a database (with entries) and Server2 has been set up with a root suffix and a database link (dblink1) pointing to the database associated with Server1. If you use `db2ldif` to export the database link on Server2 to Server1 (as `db2ldif -n dblink1`), the server will not crash.
Command-Line Utilities
600548	The `dsml2db` import tool now enables you to work with DSML files of size greater than 2 Gigabytes. Directory Server 6.11 uses Java 1.4, which allows better XML parser classes to get around the file-size limit of 2 Gigabytes.
603378	The `dbscan` utility now provides index status, including `allidsthreshold` information (the utility analyzes and extracts information from a Directory Server database file).
604483	The LDAP command-line tools now support large files (the `-f` option, and you will be able to open files of size greater than 4GB.
605037	The `dsktune` utility has been updated to check for the Abstract Window Tool (AWT) kit, which is required for installing Netscape Console on a HP-UX machine.
605275	The `start-slapd` and `stop-slapd` scripts reported wrong status. This problem has been fixed.
607458	On HP UX, the `dsktune` utility now recommends an appropriate value for the `tcp_conn_request_max` kernel parameter, if it's set low.
Directory Server Console
603446	The Password dialog box of the Directory Server Console accepted empty password and/or user ID. This resulted in the anonymous bind; anonymous user does not have any privileges and the user must restart the console. The problem has been fixed to not except empty input fields. The OK button now remains disabled if either of the input fields is empty.
604459	The problem related to refreshing the Directory Browser has been fixed.
604884	The problem of Directory Server Console failing to create a VLV index for multi-valued DNs (for example, `cn=val1+sn=val2, o=domain.com`) has been fixed.
605029	The problem of console not responding when creating/deleting a VLV index has been fixed.
605550	The problem of not being able to disable certain plug-ins from the Directory Server Console has been fixed.
606301	When viewing an object with more than 1000 entries, the directory browser truncated the display. The problem has been corrected, and the user is now informed to create a VLV or browsing index first to see all the entries.
Logging
394699	Logging of change sequence numbers (CSN) in access logs is now optional; a new parameter named `nsslapd-csnlogging` has been defined, which enables you to turn this on/off.
465049	Error messages have been improved. Logs now include better error messages that help identify problems that are related to Directory Server components (used internally) and the operating system.
605477	The `vlvindex` command logged erroneous entries in the Error logs. This problem has been fixed.
605910	The server now records improved out-of-memory error log messages.
607899	Duplicated values were logged in the error log while adding ACIs. This problem has been fixed.
Migration/Upgrade
601770	Creation of dummy suffixes prior to migration is no longer required. The migration script now checks if the database (for example, userRoot) being imported exists in the destination Directory Server instance and, if found, gives you the choice to export or overwrite.
606263	The problem of server not restarting after an in-place upgrade of an MMR environment has been fixed.
Miscellaneous
600894 600962 604430 604446	Many memory-related problems have been fixed.
603220	Aáfew searches didn't work after `db2index.pl`, and required reimport of the database. This problem has been fixed.
604504	The outdated contact information in the server's SNMP MIB has been corrected.
605126	Search didn't yield results when an index is created on an integer or binary attribute for equality and presence. This problem has been fixed.
605456	The duplicate value checking did not work if there were 5 or more values for an attribute. This problem has been fixed.
605723	An account inactivation related problem has been fixed.
606552 609377	VLV response related problems have been fixed.
Plug-Ins and Plug-In API
379739	The name of the UID Uniqueness Plugin has been changed to Attribute Uniqueness Plugin to reflect its ability. This plug-in can be used to check uniqueness of any attribute that you may configure.
398316	A new backend state change API is now provided for use with custom plug-ins. The two new functions, `slapi_register_backend_state_change()` and `slapi_unregister_backend_state_change()` allow a plug-in to register for and unregister callbacks when the backend changes state.
603512	The Directory Server API has been enhanced to allow plug-ins to easily retrieve their config DN and config entry. The `testpreop` plug-in now includes sample code to show how to get the config DN and entry (a plug-in that retrieves configuration from its own config entry).
604708	Platform-related errors in the Makefile provided for the sample plug-ins have been fixed.
606871 538548	A new pass-in interface for value set add has been defined for use with custom plug-ins. The new function, `slapi_valueset_add_value_ext()`, enables adding of a `Slapi_Value` in the `Slapi_ValueSet` structure without having to duplicate and free the target value.
Replication
603068	A problem where the Retro Changelog plug-in trimmed (deleted) changelog entries early has been fixed.
604441	The replication tombstone reap process may run for a long time, and a problem where that process prevented other periodic tasks inside the Directory Server from running has been fixed. Now logs indicate when the reaper started and finished, and also if it did not start for some reason. Additionally, a new attribute, `nsds5ReplicaReapActive`, has been introduced in the `cn=replica` entry to indicate the active/inactive status of the background task, which removes old tombstones (deleted entries) from the database. Clients can use this to determine whether a reap is active.
604885	The problem of a supplier not reopening the connection has been fixed. The supplier will now try to keep the connection open in all but the most severe conditions.
605028	In a master-consumer replicated environment, any inactivated accounts on the master would correctly show up as inactivated on the consumer when the consumer is initialized. However, during any subsequent initialization of the consumer, these accounts would incorrectly show up as active accounts on the consumer. This problem has been fixed.
605409	The problem where deleting replication agreements caused the server to crash has been fixed.
607845	In a replicated environment, operations errors caused replication to stop converging; the second master didn't make any progress towards convergence. This problem has been fixed.
608254	In a replicated environment, renaming of entries (MODRDN operation) caused operations errors. This problem has been fixed.
Security
558405	The server now rejects proxy-authorization control for the rootdn.
600518	The Certificate Setup Wizard no longer gives error when using the certificate in PKCS#7 format. When an SSL server certificate is requested using the Certificate Setup Wizard, the CA's approval response contains the certificate in two formats: Base64 format and Base64 with the CA certificate chain in PKCS#7 format. If one tried to install the certificate using the longer format (Base 64 with the CA certificate chain in PKCS#7 format), the operation would fail with an error. The problem has been fixed.
601384	Starting Directory Server in SSL mode using an external token no longer fails with misleading error messages. The `secmod.db` file is now correctly placed in the `<server_root>/alias` directory, and you no longer need to copy the file from theáAdministration Server to theáDirectory Server.
601953	The Directory Server implementation of SASL DIGEST-MD5 authentication now properly allows an empty authorization ID to be used, more reliably compares the bind DN to the authorization DN, and accepts user id based authorization IDs that start with "u:".
603120	The problem of Directory Server crashing if a suffix is deleted while the index creation for the suffix is in progress has been fixed. For example, assume you populated the database with entries, started creating a browsing index for the suffix containing the entries, and then deleted the suffix. The server would crash because the index creation would be in progress in the background. The fix ensures that the delete operation is executed after the index creation is completed.
605457	Peer to peer (Directory Server to Directory Server) client certificate based authentication over SSL was not working if there was an SSL connection to the same peer host and port that didn't use client certificate based authentication. (For example, assume a server has two replication agreements to the same host and its secure port. Each replication agreement is for a different suffix, and one uses SSL with simple authentication and the other uses SSL with client authentication. In this type of setup, the SSL with client authentication would not work.) This problem has been fixed.
603008	When using SSL with an LDAP command-line tool such as `ldapsearch`, the default location of the key file did not default to the value specified for the certificate file. Now, if the `-P` option is used but the `-K` option is not, the tools look for a key file whose path is derived from the path specified with the `-P` option. In addition, on Linux only, command-line tools crashed if the `-P` and `-K` options were used together. This problem has also been fixed.
Server
600358	On Solaris, when the audit log is rotated at a specific time of day, the Directory Server no longer crashes.
601176	On Solaris, setting the `nsslapd-listenhost` parameter to `localhost` or IP address 127.0.0.1 resulted in an error if an IPv6 interface was not configured. This has been fixed. You no longer have to configure the IP6 interface.
604526	The server now reports clear error messages when the `dse.ldif` file is made read-only in the file system.
605410	There was a problem with closing closed database cursors that under certain circumstances, during server shutdown, caused the `slapd` process to spin constantly and write error messages to the error log. This problem has been fixed.
606250	The problem of server crashing when it ran out of disk space has been fixed. Now, when the disk gets full, the server refrains from any disk-access-related activities and gracefully shuts down.
606951	The server now gracefully shuts down when a database file reaches the file system's file-size limit.

Software and Hardware Requirements

This release of Directory Server is supported on the following operating-system platforms:

HP UX
Microsoft Windows
Red Hat Linux
Sun Solaris

HP UX Platform Requirements
OS Version	HP UX 11.i with required patches. For details about the patches, see Directory Server Installation Guide.
CPU	HP 9000 architecture with a PA-RISC 1.1 or PA-RISC 2.0 CPU.
Memory/RAM	256 MB. However, you should plan from 512 MB to 1 GB of RAM for best performance on large production systems.
Storage Space/Hard Disk	Approximately 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root`. If you plan to run as `root`, you should also install as `root` and specify `nobody,` or a similar user ID that has very few privileges, as the default run-as user and group.
Microsoft Windows Platform Requirements
OS Version	Windows 2000 Advanced Server with Service Pack 2
Machine	350 MHz or higher, Pentium-compatible.
Memory/RAM	256 MB. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.
Storage Space/Hard Disk	Approximately 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
Other Requirements	You must install as Administrator or a user with `Administrator` privileges (that is, the user must be in the `Administrators` group).
Red Hat Linux Platform Requirements
OS Version	Red Hat Linux 7.2; Kernel Revision: 2.4.7-10 Red Hat Linux Advanced Server; Kernel Revision: 2.4.9-e.3
Machine	350 MHz or higher, Pentium compatible.
Memory/RAM	256 MB. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.
Storage Space/Hard Disk	Approximately 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root`. If you plan to run as `root`, you should also install as `root` and specify `nobody` as the default run-as user and group.
Sun Solaris Platform Requirements
OS Version	Solaris 8 with required patches; Solaris bits can run in 32-bit or 64-bit operating system mode (32 bit application certified on 64 bit mode). For details about the patches, check the Directory Server Installation Guide.
CPU	Ultra 10 or faster.
Memory/RAM	256 MB. However, you should plan from 512 MB to 1 GB of RAM for best performance on large production systems.
Storage Space/Hard Disk	Approximately 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root`. If you plan to run as `root`, you should also install as `root` and specify `nobody`,áor a similar user ID that has very few privileges, as the default run-as user and group.

Documentation

For the latest information about Directory Server, including current release notes, technical notes, and deployment information, always check this site: http://enterprise.netscape.com/docs/directory/

The complete set of Directory Server documentation for this release includes the following:

Directory Server Release Notes (this document) -- The release notes contain information on new features of this release, software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

Directory Server Deployment Guide -- This guide provides an overview for planning your deployment of Directory Server. The guide also includes deployment examples.

Directory Server Installation Guide -- This guide describes how to plan for and install Directory Server. The guide also contains procedures for migrating or upgrading from a previous installation of Directory Server. Read this guide after you have read the release notes and Directory Server Deployment Guide.

Directory Server Administrator's Guide -- This guide describes all of the administration tasks you need to perform to maintain Directory Server.

Directory Server Configuration, Command, and File Reference -- This guide provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.

Directory Server Schema Reference -- This guide contains reference information about the Directory Server schema.

Directory Server Plug-In Programmer's Guide -- This guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.

If you obtained Directory Server on a CD, you can find the documentation in the directory named Docs at the top level of the CD. For a list of documentation, open the index.html file.

Documentation Supplements

The following items supplement the Directory Server 6.1 documentation.

Preventing Monopolization of the Consumer in Multi-Master Replication
Using Directory Server for Windows« Pass-through Authentication
Adding Very Large Attributes

Preventing Monopolization of the Consumer in Multi-Master Replication

One of the features of multi-master replication is that a supplier acquires exclusive access to the consumer for the replicated area. During this time, other suppliers are locked out of direct contact with the consumer. If a supplier attempts to acquire access while locked out, the consumer sends back a busy response and the supplier sleeps for several seconds before making another attempt.

A problem can arise if the locking supplier is under a heavy update load or has a lot of pending updates in the change log. If the locking supplier finishes sending updates and then has more pending changes to send, it will immediately attempt to reacquire the consumer and will most likely succeed, since the other suppliers usually will be sleeping. This can cause a single supplier to monopolize a consumer for several hours or longer.

To address this issue, Directory Server 6.11 introduces two new attributes that may be present in the nsds5ReplicationAgreement object class which is used to describe replication agreements:

Attribute Description

nsds5ReplicaBusyWaitTime Amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default is 3 seconds.á

nsds5ReplicaSessionPauseTime Amount of time in seconds a supplier should wait between update sessions.
Set this interval so that it is at least 1 second longer than the interval specified for nsds5ReplicaBusyWaitTime. Increase the interval as needed until you reach an acceptable distribution of consumer access among the suppliers. The default is 0.á

You can set these two attributes at any time by using changetype:modify with the replace operation. The change takes effect for the next update session if one is already in progress.

Note: If you set either attribute to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.

The two attributes are designed so that the nsds5ReplicaSessionPauseTime interval will always be at least 1 second longer than the interval specified for nsds5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can reaccess the consumer.

If either attribute is specified but not both, nsds5ReplicaSessionPauseTime is set automatically to 1 second more than nsds5ReplicaBusyWaitTime.

If both attributes are specified, but nsds5ReplicaSessionPauseTime is less than or equal to nsds5ReplicaBusyWaitTime, nsds5ReplicaSessionPauseTime is set automatically to 1 second more than nsds5ReplicaBusyWaitTime.

If Directory Server has to automatically reset the value of nsds5ReplicaSessionPauseTime, the value is changed internally only. The change is not visible to clients, and it not saved to the configuration file. From an external viewpoint, the attribute value appears as originally set.

Using Directory Server for Windows Pass-through Authentication

Directory Server is capable of performing Microsoft« Windows pass-through authentication if all the proper conditions are met. Windows pass-through authentication is the process by which Directory Server makes a call to the Windows 2000 operating system to confirm a user's id and password within a Windows security domain. If the user's authentication credentials are confirmed by the Windows security domain, the user is granted access to the directory. This process occurs only for password-based authentication (LDAP simple bind)

When users authenticate to a Directory Server running on Windows 2000, Directory Server first attempts to confirm the user's identity using the normal Directory Server authentication mechanisms. If this authentication fails, Directory Server attempts to confirm authentication with the appropriate Windows 2000 primary domain controller if all the following conditions are true:

Directory Server is running in the Windows security domain where the authentication must occur, or Directory Server is running in a Windows security domain that shares a trust relationship with the Windows security domain where the authentication must occur.

The user's bind attempt provides a distinguished name that is known to the directory. This is the bind DN, and it is used to retrieve the user's bind entry.

The password that the user provides matches the password stored on the user's bind entry. This condition can also be met if the user's bind entry does not have a userPassword attribute value.
The user's bind entry includes the NTUserDomainId attribute. See Schema for ntUserDomainId Attribute, below.

In the event that the previous conditions are met, Directory Server asks Windows to verify that the user ID and password are valid within the Windows security domain. If the Windows pass-through authentication succeeds, then the user is granted access to the Directory Server. Access is granted based on the permissions granted to the user's bind entry.

Schema for ntUserDomainId Attribute

Origin
Netscape Directory Server

Definition
Identifies the Windows security domain name and user name of the entry in the format nt_ domain_name:nt_username. For example:

ntUserDomainId: workgroup:jsmith

Syntax
cis (single)

OID
2.16.840.1.113730.3.1.41

Adding Very Large Attributes

The configuration attribute nsslapd-maxbersize sets the maximum size limit for LDAP requests. The default configuration of Directory Server sets this attribute at 2MB. áLDAP add or modify operations will fail when attempting to add very large attributes that result in a request that is larger than 2MB.á

To add very large attributes, you must first change the setting for the nsslapd-maxbersize configuration attribute to a value larger than the largest LDAP request you will make.
When determining the value to set, you must consider all elements of the LDAP add and modify operations used to add the attributes, not just the single attribute. The list of what is included in determining this size is as follows:

The size of each attribute name in the request
The size of the values of each of the attributes in the request
The size of the DN in the request
Some overhead (10K should be sufficient)

For further information about theánsslapd-maxbersize attribute, and áfor information about setting this attribute, see the section "nsslapd-maxbersize (Maximum Message Size)" in Chapter 2 "Core Server Configuration Reference" of the Netscape Directory Server Configuration, Command, and File Reference.

Important Notes and Known Problems

This section lists important notes, bugs, and known issues, and provides workarounds for some of the problems that you may encounter with the product. (The problems are identified by bug numbers to help you refer to them if you need to contact technical support.)
á

Chaining
Class of Service (CoS)
Command-Line Tools
Core Server
Database
Directory Server Console
Documentation

Indexing
Installation/Uninstallation
Internationalization
Logging
Migration/Upgrade
Miscellaneous

Replication
Roles
Schema
Searching
Security
Server Plug-Ins
SNMP

Chaining

If chaining is configured between a 6.x multiplexor and a 4.x farm server, add the nsuniqueid attribute to the 4.x farm server schema. If this attribute is not added to the 4.x Directory Server schema, the 6.x multiplexor will not find the entry it expects and chaining will fail.
To add the attribute type to the 4.x schema, add the following line to the 4.x farm server's slapd-user_at.conf file under the <server_root>/slapd-<instance_id>/config directory:
attribute nsuniqueid nsuniqueid 2.16.840.1.113730.3.1.542 int single operational

If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. (531750)

Class of Service (CoS)

The behavior for negative CoS template priority values is not defined in the server and cosPriority is not supported by Indirect CoS. (539362)

cosPriority

See also Roles.

Command-Line Tools

The db2dsml export tool works with an instance of the database. For multiple database instances, you should run the db2dsml tool separately for each instance. (600919)

When using the LDAP utilities, ensure that the certificate and key database files are located in the same directory. (600324)

When using the batch scripts described in Chapter 8 "Command-Line Scripts" of the Netscape Directory Server Configuration, Command, and File Reference in an MKS korn shell, the -s option may not behave correctly because of an MKS korn shell bug. The MKS shell removes the double quotes and treats values as separate
in some cases. (601025)

Core Server

If the full path name of the error log file is long (60 characters or longer may cause the problem) removing a Directory Server instance using ds_remove or Netscape Console may fail after trying for 5 minutes. (612001)
To work around the problem, use a shorter path for the error log file (either by installing the Directory Server in a different location, using a shorter instance name, or relocating the error log file.)

The slapd process does not automatically start when the system boots. (531009)

rc

slapd

Do not stop the server during export, backup, restore, or index creation, as it can cause the server to crash. However, you can stop the server during an import without causing any problems.

Windows only. When starting Directory Server in referral mode, the -p command line option (if provided) must be placed before the -r option. If placed in another order, the server may not start at all. (612435)

Database

For database files that are larger than 2 GB, the machine must be configured to support large files. (606951)
You can do this by choosing largefile on Solaris and vxfs filesystem with largefiles option on HP UX. Linux handles large files without having to configure the filesystem.

If you get error messages indicating that the lock table is out of available locks ([26/Oct/2001:17:44:25 0200] - libdb: Lock table is out of available locks), set the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry to twice its current number. For example, if the current number is 10000, set it to 20000. If the problem persists, double the number again. You can also monitor the current and maximum number of locks by doing a search on cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config. An example of the command is given below. (561553)

ldapsearch -h <hostname> -p <port> -b"cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config" -D"cn=directory manager" -w <password> objectclass=* | grep -- -locks: )

Directory Server Console

The UI provided for managing static/dynamic groups and roles may not display all possible selections during a search operation if there is no VLV index for users' search. (561720)
You may notice this problem only when the number of users is 1000 or more and there is no VLV index for search. To workaround the problem, create a VLV index for the users suffix with filter (objectclass=person) and scope sub-tree.

If you think the information displayed in the console is inaccurate, remember to use both the global and contextual refresh features.

It is not possible to read the logs using Directory Server Console, if the server is not running. (398837)

From your browser, access: http://<hostname>:<admin_server_port>á
At the login prompt, use the admin login ID and password.
Click the link for Netscape Administration Express.

Trailing spaces are dropped during a remote console import. (541314)

ldif2db

The continuous log refresh feature of the Directory Server Console does not work well with large (10MB plus) log files. (540085)

On Solaris, the online help for the Directory Server Console may not work properly when viewed in Netscape 6.1 EA. (600658)

Certificate-renewal process using the Certificate Request Wizard needs improvement. (600505)

The Directory Server Console does not support editing of multi-valued RDNs. (530638)
For example, assume you configured two servers in a multi-master mode, created an entry on each server with the same user ID, and changed the new entries' RDN to the nsuniqueid uid value. If you attempt to modify this entry from the console, you get the following error: Changes cannot be saved for entries with multi-valued RDNs.
When you open the entry in the advanced mode, you will be able to see that the naming attribute has been set to nsuniqueid uid. However, you cannot change or correct the entry by changing the user ID and RDN values to something different. For example, if jdoe was the user ID and if you want to change it to jdoe1, you cannot do so from the console. Instead, follow this workaround:
```
ldapmodify:
ldapmodify
changetype: modify
replace: uid
uid: jdoe

ldapmodify
changetype: modrdn
newrdn: uid=jdoe1
deleteoldrdn: 1
```

See Installation/Uninstallation and Server Plug-Ins.

Documentation

The documentation has been updated for the new features and addresses many bugs.

Indexing

VLV indexes do not work correctly if they encompass more than one database.

Installation/Uninstallation

Windows only. We strongly recommend that no other Netscape product (such as Netscape Enterprise Server) be installed on the machine in which you plan to install Directory Server, as this may disable critical functionality required for the correct operation of Directory Server. (613957)

Correct the configuration generated at installation time, if your suffix contains space characters. (533837)
If your suffix contains space characters, you must correct the suffix following installation because the suffix name will not be configured correctly. To correct the suffix:

Open Netscape Console.
In the left-hand navigation pane of the Servers and Applications tab, select the top-most entry.á
On the right-hand pane, click Edit and edit the value in the "User directory subtree" field.
Click OK to save your changes.

Installation of a new Directory Server instance from Netscape Console fails if Administration Server is configured to communicate with Directory Server over LDAPS. (600877)
If you install SSL server certificates for Directory Server and Administration Server and configure Administration Server to communicate with Directory Server over SSL, creation of a new Directory Server instance from Netscape Console will give the following error: The operation failed. Please review the output in the window to determine the cause of failure.

Even if a newer patch (one that obsoletes an older patch) is installed on the host machine, the dsktune utility may list the patch as needing to be installed. (608301)

Some problems may develop when you uninstall Directory Server and then reinstall that previously would not appear in the log files. Logging has been enhanced to report setup and uninstall problems with detailed error messages to provide you with enough information to fix the problem. The setup log file is located in the following path: <server root>/setup/setup.log. The uninstall log file is stored in your temp directory (usually /tmp or /var/tmp)áand is named uninst.log. (605608)

HP UX only. If the Directory Server shuts down due to full disk, subsequent restart of the server may take a very long time, for example, more than and hour. Ensure that the machine on which you install the server has adequate disk space and that the machine is configured appropriately to handle large files; see Database. (609054)

HP UX only. Creating a Directory Server instance using the console creates a server in a different time zone. (Bug 541918)
To synchronize the different time zone which is generated when you create a Directory Server instance using the console with existing time zones, (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see Chapter 8, “Command-Line Scripts” in the Directory Server Configuration, Command, and File Reference.

Linux only. The setup program may crash if you traverse back the installation-wizard screens to change your installation directory and then resume the installation steps. (604072)

Linux only. libjvm.so (from JRE 1.4), which the Administration Server uses to run servlets requires that the compat-libstdc++-6.2 package (RPM) be installed when running the server on Redhat 7.x and Advanced Server. (605966)
The RPM may or may not be installed depending on the options that were chosen when the operating system was installed. If the RPM is not installed, you will get an error similar to this:

[18/Jun/2002:10:56:39] failure ( 4322): Configuration initialization failed: Error running init function load-modules: dlopen of /export/dstest/bin/https/lib/libNSServletPlugin.so failed (libstdc++-libc6.1-1.so.2: cannot open shared object file: No such file or directory)

For more information on RPM, check the JRE's release notes at this URL: http://java.sun.com/j2se/1.4/install-linux.html

Internationalization

International collation order matching rules not behaving consistently. (600478)

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1:==passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de:==passin"

However, the rules listed below will work (note the .3):

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1.3:=passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de.3:=passin"

See Installation/Uninstallation.

Logging

Windows only. For each Administration Server startup, the Windows Event Log shows the following error message:
The description for EventID (0) in Source (admin61-serv) cannot be found. The local computer may not have the necessary information or message DLL files to display messages from a remote computer. The following information is part of the event: startup: server started successfully.
This message should be ignored. (612951)

Migration/Upgrade

Windows only. Migration of Directory Server 4.x or 5.x to Directory Server 6.11 requires specifying the old version number and a data directory. (613953)
When you install Directory Server 6.11 on a machine with Directory Server 4.x or 5.x, some of the DLLs in the system32 directory get overwritten. This causes the migration script to fail when it attempts to start the old Directory Server instance for exporting the data. To workaround the problem, follow this procedure:

Obtain the version number, for example, 4.16 or 5.0, of your old Directory Server installation by running the slapd -v command. The command can be found in the bin\slapd\server directory within your installation.
Archive the old Directory Server installation.
Create a data directory, and export all data to LDIF files in that directory. Do this separately for each instance of the old Directory Server. If migrating from a 5.x version, the data directory should contain one LDIF file for each backend, for example, userRoot.ldif, exampleRoot.ldif, and so on. If migrating from a 4.x version, the data directory should contain one file named data.ldif. Note that the data.ldif file will have to be imported in several passes because there is no easy way to map backend names to LDIF file names for import.
If necessary, upgrade the operating system of the machine (for example, upgrade to Windows 2000, Service Pack 2 or 3, from Windows NT).
Install Directory Server 6.11 on a different server root.
Run the migration script, specifying the old version number (-v) and the migration data directory (-d). The command syntax for running the script is shown below:
perl migrateInstance6 -D <rootDN> -w <password> -p <port> -o <oldInstancePath> -n <newInstancePath> -v <oldVersionNumber> -d <oldDataDirectoryPath>
Be sure to use a trailing / (forward slash) character with the -d option. Otherwise, the script can't find your LDIF file during the import process. An example command (to migrate from version 4.16) is shown below:
perl migrateInstance6 -D "cn=Directory Manager" -w secret -p 1389 -o c:/netscape/server4/slapd-phonebook -n c:/netscape/servers/slapd-phonebook -v 4.16 -d c:/netscape/server4/migrationData/

Windows only. If you are migrating a Directory Server 5.x MMR environment to Directory Server 6.11, note the following:
- Before you run the migration script, all exports from the old server's backend databases must be exported with the db2ldif -r option.
- For any old server instance with a changelog, the version number in the DBVERSION file is incorrrect. To fix the problem, before you migrate, change the version number from 1.0 to 2.0 in the archived old instance directory.
- During the migration of the replication agreements, the migration script will output a non-fatal error that states The filename, directory name, or volume label syntax is incorrect. Because of this error, all the replication agreements will have an invalid password configured in them after migration. To fix the problem, in the Directory Server Console, select the replication agreement and use the Connection tab to change the password. After you change the password, replication will automatically resume with no need for a reinitialization.

Windows only. During the upgrade process, the installation program does not detect the previous installation automatically. (601387)
When you upgrade an instance of Directory Server 6.0 or 6.01 to Directory Server 6.11, be sure to install the latter on the same server root on which your 6.0 or 6.01 Directory Server is installed. For example, if your Directory Server 6.0 is not installed at the default server root (c:\netscape\servers), instead of pointing to the alternate server root, the installation program points to the default server root.

Miscellaneous

Windows only. To set up the Presence demo application that's bundled with Directory Server, you need to run Netscape Enterprise Server's wdeploy. wdeploy from Enterprise Server 6.0 works fine with the Presence demo application. wdeploy from Enterprise Server 6.1 (or later versions) fails to run, resulting in a NullPointerException error. (613958)

To workaround the problem, manually edit the Enterprise Server 6.1's web-apps.xml file:

In a text editor, open the <enterprise_server_instance_root>/config/web-apps.xml file.
Insert a line similar to this:
<web-app uri="/im" dir="c:/netscape/ES61/https-works4us.example.com/im"/>
Save your changes.
Using jar.exe from Java SDK, manually unpack the online.war file to the location specified in the line you added (this is the path specified by dir="...").

Netscape Enterprise Server Release Notes

http://enterprise.netscape.com/docs/enterprise/index.html

Replication

Windows only. In a replicated environment, the Directory Server Console looses client authentication credentials if replication time is modified, causing replica updates to fail. (614136)
If a replication agreement is configured for SSL client authentication and if you change the schedule of the agreement via the supplier's console, the connection type for the agreement gets changed from SSL with client authentication to simple authentication (with empty bind DN and password), resulting in the following error in the supplier's log:
Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.

If you have more than 10 databases running with replication, you may see performance degradation. Also, if you have more than 20 replication agreements on a supplier, you may see performance degradation. If you need to support that many consumers, you may have to introduce one or more hub replicas between your supplier(s) and consumers.

Replica busy errors are no longer logged by default because they are usually benign. If you want to see them, turn on the replication error log level.

Roles

The nsRoleDN attribute should not be used for evaluating role membership in a user’s entry. When evaluating role membership, use the nsrole attribute instead.

See also Class of Service.

Schema

The schema provided with Directory Server 6.11 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes.
In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.

The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.

Directory Server fails to start if schema definitions include too few or too many space characters. (518315)
Use exactly one space in those places where the LDAP standards allow the use of zero or many spaces; for example, the place between the NAME keyword and the name of an attribute type.

Searching

Linux only. The Linux file system cache competes with Directory Server for physical memory, resulting in serious performance loss.
The Linux file system, a part of the operating system (OS), uses a portion of the physical memory for caching files to improve its performance. The file system is supposed to release this memory back to the OS when it runs out of memory. However, at times, the file system doesn't release enough memory to the Directory Server, which results in virtual memory (VM) thrashing and serious performance degradation. If you notice a big drop in search performance of your Directory Server, run the top command to see how much memory is used by the file system; the last item of swap: is the memory used by the file system. To workaround the problem, configure a smaller Directory Server cache, either entry cache or dbcache, or both.

Substring search filters that use DN-valued attributes, such as modifiersName or memberOf, do not always match entries correctly if the filter contains one or more space characters. (605277)
To work around this problem, use the entire DN in the filter instead of a substring, or ensure that the DN substring in the filter begins at an RDN boundary (that is, make sure it starts with a "type=" part of the DN). For example, this filter should not be used:

(memberof=*Domain Administrators*)

But either one of these will work correctly:

(memberof=cn=Domain Administrators*) (memberof=cn=Domain Administrators,ou=Groups,dc=example,dc=com)

Security

A new attribute (nsslapd-ssl-check-hostname) has been defined for configuring an SSL-enabled Directory Server (with certificate based client authentication turned on) to verify authenticity of a request by matching the hostname against the value assigned to the Common Name (CN) attribute of the subject name in the certificate being presented. The Directory Server Console also includes this option. It is recommended that you turn this feature on to prevent man-in-the-middle (MITM) attack. (603063)

Windows only. Adding an SSL server certificate with name other than server-cert results in two certificates named server-cert. (558903)
If you have an existing/old/expired certificate and if you try to add a new certificate using the Directory Server Console, the console shows two certificates, both named server-cert. In such a situation, the server fails to pick up the new/correct certificate. To workaround the problem, delete the old certificate first and then install the new certificate.

On SSL-enabled servers, check the file permissions on certificate-database files, key-databases files, and PIN files to protect the sensitive information they contain. Because the server does not enforce read-only permissions on these files, check the file modes (on UNIX) to protect the sensitive information contained in these files.

Access Control and the MODRDN operation. (541099)

MODRDN

targetattr

cn=helpDeskGroup,ou=groups,o=example.com

cn=*,ou=people,o=example.com,

aci: (target="ldap:///cn=*,ou=people,o=example.com")

á(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";

ádeny(write)

ágroupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)

Server Plug-Ins

The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting that access control will perform for group evaluation. Instead, the number of levels of nesting is hardcoded as 5. (519812)

The name of the UID Uniqueness Plugin has been changed to Attribute Uniqueness Plugin to reflect its ability as the plug-in can be used to check uniqueness of any other attribute that you may configure. (379739)

SNMP

On Solaris, you can only monitor one Directory Server instance at a time with SNMP. (84743)

For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Directory Server or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.directory

You might also find it useful to subscribe to the following newsgroups, where security- and certificate-related topics are discussed:

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security
snews://secnews.netscape.com/netscape.dev.certificate

So that we can best assist you in resolving problems, please be sure to include the following information:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

For problems involving the use of directory with other products, include the product name (for example, Netscape 6.2), the release number, and platform information for those products as well.

Third-Party License Acknowledgments

Copyright (c) 1989 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. =================================================================================================== Copyright (C) 1987, 1988 Student Information Processing Board of the Massachusetts Institute of Technology. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of M.I.T. and the M.I.T. S.I.P.B. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ==================================================================================================== This product contains software derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. ==================================================================================================== The source code to the Standard Version of Perl can be obtained from CPAN sites, including http://www.perl.com/. ==================================================================================================== This product incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original compression sources are freely available fromhttp://www.infozip.com/ on the Internet. ====================================================================================================
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

Attribute	Description
`nsds5ReplicaBusyWaitTime`	Amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default is 3 seconds.á
`nsds5ReplicaSessionPauseTime`	Amount of time in seconds a supplier should wait between update sessions. Set this interval so that it is at least 1 second longer than the interval specified for `nsds5ReplicaBusyWaitTime`. Increase the interval as needed until you reach an acceptable distribution of consumer access among the suppliers. The default is 0.á