Netscape Directory Server 6.21 Release Notes

Netscape Directory Server Release Notes

Version: 6.21

Updated on: June 28, 2004

These release notes contain important information available at the time of the version 6.21 release of Netscape Directory Server (Directory Server). New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Directory Server.

These release notes contain the following sections:

What's New in This Release
Software/Hardware Requirements
Documentation
Important Notes and Known Problems
For More Information

What's New in This Release

This release of Directory Server contains many enhancements over Directory Server version 6.2:

Get Effective Rights -- This release supports a new LDAP control which allows you to see a user's access control rights on any given entry. For more information on this feature, see the Get Effective Rights Feature Overview.

New Configuration Attributes

nsslapd-db-import-private-mem -- A new configuration attribute under the cn=config node for storing the dbcache in private memory instead of shared memory. Setting this parameter to "on" can help to speed up the import of large LDIF files.

Updated Database -- A newer, more robust backend database is used in this release.

Bug Fixes -- Addresses problems noted in the previous releases.

The table below lists bugs that have been fixed in this release.

Bug Number	Description
Command-Line Utilities
623028	UNIX only. In previous releases, the security tools (certutil, derdump, modutil, pk12util, pp, and ssltap) were not linked with RPATH, so you had to set your runtime library path to include <server_root>/shared/lib to run them. These tools now have wrapper scripts which set the library path for you.
624286	The usage message for the db2index tool was unclear. The message was modified to provide a clearer usage example.
Directory Server Console
624030	In previous releases, Directory Server Console would hang when trying to initialize a newly created database that was stored in a non-default location. This would occur because the database creation would not create the specified directory if it didn't already exist. The errors log would show: [02/Oct/2003:17:41:49 -0700] - Can't create new directory /export/home/ds6/slapd-server/testdb/example, Netscape runtime error -5950 (File not found.) This problem has been fixed so that the directory is now automatically created if it doesn't already exist.
624234	In the 6.2 release, the Directory Server Console could hang if multiple requests were sent one after another in a very short amount of time while using the Directory Browser. This problem has been fixed.
624237	In previous releases, Directory Server Console would not inform you that the server needs to be restarted for a configuration change to take effect if you changed the configuration by modifying cn=config through the Directory tab. The Directory Server Console will now inform you that a restart is necessary.
Installation/Migration/Upgrade
624241	In the 6.2 release, the installer would not detect the machine's hostname on Linux. This problem has been fixed.
624306	When upgrading to the 6.2 release, the new ns-newpwpolicy.pl script would not be created unless you created a new instance of Directory Server. This has been fixed so that the script is created during the upgrade process.
Logging
624193	In previous releases, only the oid was logged in the access log for extended operations. This has been changed so that we now log a string describing the extended operation in addition to the oid.
Miscellaneous
623864	In the 6.2 release, stop-slapd could sometimes hang waiting for a thread to terminate. This would occur when a db checkpoint was running while another thread was trying to close the database. This problem has been fixed.
624243	In previous releases, complex nested search filters such as (\|(\|(ou=a)(ou=b))(\|(ou=c)(ou=d))) would return incorrect results because of improper filter optimization. This problem has been fixed.
624244	In the 6.2 release, a search with a scope of one would return all entries one level under the specified search base regardless of the filter. This problem has been fixed.
624269	In the 6.2 release, Directory Server would allow you to dynamically modify configuration parameters that should not be dynamically updatable. This has been changed so that the server will correctly return "DSA is unwilling to perform" when such a modification is attempted.
Replication
624096	In previous releases, searches would perform poorly if there is a large amount of replication state information built up in an entry. This has been optimized.
624205	In previous releases, a non-ascending CSN list in an entry could cause memory corruption during a purge of state information. This memory corruption could eventually lead to a crash of ns-slapd. This problem has been fixed.
624227	When using previous 6.x releases as a dedicated consumer in a legacy replication setup, the error log would falsely display "csnplCommit: can't find csn xxx". This message would not affect replication. This problem has been fixed, and this error no longer appears in the error log.
624236	When using the 6.2 release as a hub in a legacy replication setup, changes would not get propagated to the hub's consumers. This problem has been fixed.
624282	In previous releases, a miscalculation of the sizes of entries with replication state information could cause memory corruption. This problem has been fixed.
Security and Access Control
624080	In previous releases, the PasswordExpirationTime attribute could only be adjusted forward in time. This has been fixed so it can now be adjusted backward in time as well.
624303	Windows only. In previous releases, a runaway SSL search request could block other incoming requests after it hit the IO block timeout. This problem has been fixed.

Software and Hardware Requirements

This release of Directory Server is supported on the following operating-system platforms:

HP UX 11.0 and 11i
Microsoft Windows 2000 Advanced Server
Red Hat Linux 7.3 and Linux Advanced Server 2.1
Sun Solaris 8 and Solaris 9

For detailed system requirements, check the Installation Guide.

Documentation

For the latest information about Directory Server, including current release notes, technical notes, and deployment information, always check this site: http://enterprise.netscape.com/docs/directory/

The complete set of Directory Server documentation for this release includes the following:

Directory Server Release Notes (this document) -- The release notes contain information on new features of this release, software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

Directory Server Deployment Guide -- This guide provides an overview for planning your deployment of Directory Server. The guide also includes deployment examples.

Directory Server Installation Guide -- This guide describes how to plan for and install Directory Server. The guide also contains procedures for migrating or upgrading from a previous installation of Directory Server. Read this guide after you have read the release notes and Directory Server Deployment Guide.

Directory Server Administrator's Guide -- This guide describes all of the administration tasks you need to perform to maintain Directory Server.

Directory Server Configuration, Command, and File Reference -- This guide provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.

Directory Server Schema Reference -- This guide contains reference information about the Directory Server schema.

Directory Server Plug-In Programmer's Guide -- This guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.

Directory Server Gateway Customization Guide -- This guide introduces Netscape Directory Server Gateway and explains how to implement a gateway instance with basic directory lookup functionality. The guide also contains information useful for implementing a more powerful gateway instance with directory authentication and administration capability.

Deploying Directory Server Org Chart -- This document introduces the Netscape Directory Org Chart application and explains how to integrate it with an instance of Directory Server.

Get Effective Rights Feature Overview -- This document describes the new Get Effective Rights feature of Netscape Directory Server.

If you obtained Directory Server on a CD, you can find the documentation in the directory named docs at the top level of the CD. For a list of documentation, open the index.htm file.

Important Notes and Known Problems

This section lists important notes, bugs, and known issues, and provides workarounds for some of the problems that you may encounter with the product. (The problems are identified by bug numbers to help you refer to them if you need to contact technical support.)

Chaining
Class of Service (CoS) and Roles
Command-Line Tools
Core Server
Database
Directory Server Console

Indexing
Installation/Uninstallation
Internationalization
Migration/Upgrade
Miscellaneous
Replication

Schema
Searching
Security and Access Control
Server Plug-Ins

Chaining

If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining will succeed. (531750)

Class of Service (CoS) and Roles

The behavior for negative CoS template priority values is not defined in the server and cosPriority is not supported by Indirect CoS. Given that the behavior for negative CoS template priority values is not defined in Directory Server, do not enter negative values. Note that Indirect CoS does not support cosPriority. (539362)

The nsRoleDN attribute should not be used for evaluating role membership in a user’s entry. When evaluating role membership, use the nsrole attribute instead.

Command-Line Tools

When using the batch scripts on Windows, the -s option may not function correctly because of a bug in the Windows command line interpreter. The command line interpreter removes the double quotes and treats values as separate in some cases. The batch scripts are described in Chapter 8 "Command-Line Scripts" of the Configuration, Command, and File Reference. (601025)

HP UX only. If imports of smaller LDIF files are taking too long, setting the nsslapd-import-cache-autosize attribute value to off may help improve the speed. (624021)

Core Server

UNIX only. You will need to write an rc script to start the slapd process, as it does not start automatically when the system boots. (531009)

Database

When using autocache on Windows machines with large amounts of physical memory, you may see some db errors during startup of the Directory Server. These errors occur because the cache size cannot be allocated. It is recommended that you do not exceed a value of 80 for the nsslapd-cache-autosize setting, and a value of 75 for the nsslapd-cache-autosize-split setting on Windows machines. It is important to note that these errors do not cause any problem with the integrity of the database itself. An example of the errors is below.

	[22/Jun/2004:16:52:07 -0700] - cache autosizing: db cache: 514324k, each entry cache (2 total): 57148k
	[22/Jun/2004:16:52:07 -0700] - libdb: MapViewOfFile: Not enough space
	[22/Jun/2004:16:52:07 -0700] - libdb: PANIC: Not enough space
	[22/Jun/2004:16:52:07 -0700] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
	[22/Jun/2004:16:52:07 -0700] - libdb: unlink: C:/DS6.21/server/slapd-test/db\__db.002: Permission denied
	[22/Jun/2004:16:52:07 -0700] - Opening database environment (C:/DS6.21/server/slapd-test/db) failed. err=
		-30978: DB_RUNRECOVERY: Fatal error, run database recovery
	[22/Jun/2004:16:52:07 -0700] - start: Failed to init database, err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
	[22/Jun/2004:16:52:07 -0700] - Failed to start database plugin ldbm database

If you get error messages indicating that the lock table is out of available locks ([26/Oct/2001:17:44:25 0200] - libdb: Lock table is out of available locks), set the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry to twice its current number. For example, if the current number is 10000, set it to 20000. If the problem persists, double the number again. You can also monitor the current and maximum number of locks by doing a search on cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config . An example of the command is given below. (561553)

ldapsearch -h <hostname> -p <port> -b"cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config" -D"cn=directory manager" -w <password> objectclass=* | grep -- -locks: )

Directory Server Console

You won't be able use Netscape Console, version 6.0, to monitor your 6.21 version of the Directory Server. (612197)
The reason for this is that the 6.0x version of the console is based on JDK version 1.2, and the 6.1 and later versions of the console are based on JDK version 1.4; a plug-in compiled with JDK1.4 doesn't run under JDK1.2.

The UI provided for managing static/dynamic groups and roles may not display all possible selections during a search operation if there is no VLV index for users' search. (561720)
You may notice this problem only when the number of users is 1000 or more and there is no VLV index for search. To work around the problem, create a VLV index for the users suffix with filter (objectclass=person) and scope sub-tree.

If you think the information displayed in the console is inaccurate, remember to use both the global and contextual refresh features.

Trailing spaces are dropped during a remote console import. (541314)

ldif2db

The continuous log refresh feature of the Directory Server Console does not work well with large (10MB plus) log files. (540085)

Certificate-renewal process using the Certificate Request Wizard needs improvement. (600505)

The Directory Server Console does not support editing of multi-valued RDNs. (530638)
For example, assume you configured two servers in a multi-master mode, created an entry on each server with the same user ID, and changed the new entries' RDN to the nsuniqueid uid value. If you attempt to modify this entry from the console, you get the following error: Changes cannot be saved for entries with multi-valued RDNs.
When you open the entry in the advanced mode, you will be able to see that the naming attribute has been set to nsuniqueid uid. However, you cannot change or correct the entry by changing the user ID and RDN values to something different. For example, if jdoe was the user ID and if you want to change it to jdoe1, you cannot do so from the console. Instead, follow this workaround:
```
ldapmodify:
ldapmodify
changetype: modify
replace: uid
uid: jdoe

ldapmodify
changetype: modrdn
newrdn: uid=jdoe1
deleteoldrdn: 1
```

Indexing

VLV indexes and server side sorting do not work correctly if they encompass more than one database instance.

Installation/Uninstallation

Correct the configuration generated at installation time, if your suffix contains space characters. (533837)
If your suffix contains space characters, you must correct the suffix following installation because the suffix name will not be configured correctly. To correct the suffix:

Open Netscape Console.
In the left-hand navigation pane of the Servers and Applications tab, select the top-most entry.
On the right-hand pane, click Edit and edit the value in the "User directory subtree" field.
Click OK to save your changes.

Administration Server fails to start after installation of a new Directory Server if the install path is too long. (624242)
To work around the problem, use a shorter path for your installation.

Installation of a new Directory Server instance from Netscape Console fails if Administration Server is configured to communicate with Directory Server over LDAPS. (600877)
If you install SSL server certificates for Directory Server and Administration Server and configure Administration Server to communicate with Directory Server over SSL, creation of a new Directory Server instance from Netscape Console will give the following error: The operation failed. Please review the output in the window to determine the cause of failure.

If the Directory Server shuts down due to full disk, subsequent restart of the server may take a very long time, for example, more than an hour. Ensure that the machine on which you install the server has adequate disk space and that the machine is configured appropriately to handle large files. (609054)

HP UX only. Creating a Directory Server instance using the console creates a server in a different time zone. (541918)
To synchronize the different time zone which is generated when you create a Directory Server instance using the console with existing time zones, (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see Chapter 8, “Command-Line Scripts” in the Configuration, Command, and File Reference.

Linux only. The setup program may crash if you traverse back the installation-wizard screens to change your installation directory and then resume the installation steps. (604072)

Internationalization

International collation order matching rules not behaving consistently. (600478)

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1:==passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de:==passin"

However, the rules listed below will work (note the .3):

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1.3:=passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de.3:=passin"

Migration/Upgrade

As of the 6.2 release of Directory Server, the certificate database name has been changed from cert7.db to cert8.db. When you upgrade from an SSL-enabled, 6.0x or 6.1x version of Directory Server to the 6.21 version, the old server's cert7.db is automatically converted to cert8.db. However, after the upgrade process, the new server's dse.ldif file may not show the correct certificate database name. For example, you may still see a reference to cert7.db in your dse.ldif file:

nsCertfile: alias/slapd-testDir-cert7.db

The incorrect filename in the dse.ldif file does not effect the SSL status of the new server; in the server's file structure, if you were to delete the cert7.db file, the server will still work with SSL turned on because it's using the cert8.db file.

If you want the database filename change reflected in the dse.ldif file, manually edit the filename in the dse.ldif file. (620338)

After performing an in-place upgrade of an SSL-enabled, 6.0x or 6.1x version of Directory Server, the ownership on the new certificate database file (cert8.db) will be set to the user that ran the installer. (623859)
If Directory Server is set to run as a different effective user, for example, if nsslapd-localuser is nobody, the server won't start because it won't be able read the cert8.db file. To fix the problem, use the UNIX chown command to ensure that the files under the <server_root>/alias directory are owned by the correct user.

Windows only. During the migration of a Directory Server 5.x MMR environment, the passwords associated with the replication bind DNs don't get migrated. (614100)
Because of this, all the replication agreements will have an invalid password configured in them after migration. To work around the problem, manually reenter the passwords after the migration is complete: open the Directory Server Console and reenter the bind DN password for each replication agreement that was migrated.

An in-place upgrade of an SSL-enabled Directory Server fails. (622998)
Before performing an in place upgrade from a previous/6.x release of Directory Server, ensure that the server being upgraded can start up without manual interaction. If SSL is enabled, either a PIN file allowing the server to start up without password input must exist or security/SSL needs to be temporarily disabled. You can disable security either by unselecting "Enable SSL for this server" in the Directory Server Console or by setting the nsslapd-security attribute to off under the cn=config entry of the dse.ldif file.

Windows only. During the upgrade process, the installation program does not detect the previous installation automatically. (601387)
When you upgrade an instance of Directory Server 6.0x or 6.1x to Directory Server 6.21, be sure to install the latter on the same server root on which your 6.0x or 6.1x Directory Server is installed. For example, if your Directory Server 6.11 is not installed at the default server root (c:\netscape\servers), instead of pointing to the alternate server root, the installation program points to the default server root.

Upgrading a Directory Server 6.0x instance that uses SSL certificate authentication for replication may cause replication agreements to fail. As of Directory Server 6.1, there is a new configuration option for verifying the certificate hostname. This option is enabled by default. If your hostname does not match the hostname in the certificate, the connection will be rejected. Either get a new certificate that is correct, or turn this option off through the encryption panel in the Directory Server Console.

After migrating Directory Servers that are configured for replication over SSL, reinitialization of the consumers from the master may be necessary. (623156)

During an upgrade to Directory Server 6.21, you may notice a log message that says: "libdb: Ignoring log file: /usr/netscape/ds6/slapd-test/db/log.0000000001: unreadable log version 3". This message causes no problems and can be safely ignored.

Miscellaneous

When using Enterprise Server to deploy the Presence demo application that's bundled with Directory Server, be sure to use the JDK version that's compatible with the version of the Enterprise Server being used. For information on compatible JDK versions, check the appropriate Netscape Enterprise Server Release Notes, which are available at this site (613958):
http://enterprise.netscape.com/docs/enterprise/index.html

Replication

If you have more than 10 databases running with replication, you may see performance degradation. Also, if you have more than 20 replication agreements on a supplier, you may see performance degradation. If you need to support that many consumers, you may have to introduce one or more hub replicas between your supplier(s) and consumers.

Replica busy errors are no longer logged by default because they are usually benign. If you want to see them, turn on the replication error log level.

Schema

The schema provided with Directory Server 6.21 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.

The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.

Directory Server fails to start if schema definitions include too few or too many space characters. (518315)
Use exactly one space in those places where the LDAP standards allow the use of zero or many spaces; for example, the place between the NAME keyword and the name of an attribute type.

Searching

Linux only. The Linux file system cache competes with Directory Server for physical memory, resulting in serious performance loss.
The Linux file system, a part of the operating system (OS), uses a portion of the physical memory for caching files to improve its performance. The file system is supposed to release this memory back to the OS when it runs out of memory. However, at times, the file system doesn't release enough memory to the Directory Server, which results in virtual memory (VM) thrashing and serious performance degradation. If you notice a big drop in search performance of your Directory Server, run the top command to see how much memory is used by the file system; the last item of swap: is the memory used by the file system. To work around the problem, configure a smaller Directory Server cache, either entry cache or dbcache, or both.

Substring search filters that use DN-valued attributes, such as modifiersName or memberOf, do not always match entries correctly if the filter contains one or more space characters. (605277)
To work around this problem, use the entire DN in the filter instead of a substring, or ensure that the DN substring in the filter begins at an RDN boundary (that is, make sure it starts with a "type=" part of the DN). For example, this filter should not be used:

(memberof=*Domain Administrators*)

But either one of these will work correctly:

(memberof=cn=Domain Administrators*) (memberof=cn=Domain Administrators,ou=Groups,dc=example,dc=com)

Security and Access Control

When adding ACIs, if you use a DN with embedded quotes and multiple commas within the quotes, you'll get a syntax error. (543094)
DNs with enquoted values are not supported in ACIs, the escaped equivalent should be used instead. For example,
cn="givenname=joe, uid=joe1", dc=example, dc=com should be cn=givenname=joe\, uid=joe1, dc=example, dc=com.

Access Control and the MODRDN operation. (541099)

MODRDN

targetattr

cn=helpDeskGroup,ou=groups,o=example.com

cn=*,ou=people,o=example.com,

aci: (target="ldap:///cn=*,ou=people,o=example.com")

(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";

deny(write)

groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)

Server Plug-Ins

The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting that access control will perform for group evaluation. Instead, the number of levels of nesting is hardcoded as 5. (519812)

For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Directory Server or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.directory

You might also find it useful to subscribe to the following newsgroups, where security- and certificate-related topics are discussed:

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security
snews://secnews.netscape.com/netscape.dev.certificate

So that we can best assist you in resolving problems, please be sure to include the following information:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

For problems involving the use of directory with other products, include the product name (for example, Netscape 7.1), the release number, and platform information for those products as well.

Use of this product is subject to the License accompanying the product.
Copyright © 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments