Netscape Directory Server 6.2 Release Notes

Netscape Directory Server Release Notes

Version: 6.2

Updated on: February 11, 2003

These release notes contain important information available at the time of the version 6.2 release of Netscape Directory Server (Directory Server). New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Directory Server.

These release notes contain the following sections:

What's New in This Release
Software/Hardware Requirements
Documentation
Important Notes and Known Problems
For More Information

What's New in This Release

This release of Directory Server contains many new features and enhancements:

Support for 4-Way Multi-Master Replication -- The MMR feature of Directory Server has been enhanced to support four masters. A variety of deployment topologies are supported. The expanded number of masters provide better high availability. For more information, check the Deployment Guide.

The replication monitor, which used to report the total numbers of the changes sent/skipped per agreement, has been enhanced to break the number down to the total numbers of the changes sent/skipped per replica ID per agreement.

Support for Fine-Grained Password Policy -- The Password Policy feature of Directory Server has been enhanced to support policies at the subtree- and user-levels. The subtree-level password policy enables a hosting environment to have different password policies for each hosted company rather than enforcing a single policy for all the hosted companies. The user-level password policy enables administrators to tailor policies for individual users, for example, for some users to change their passwords every six month, some other users daily, and the rest of the users every two weeks. The Directory Server Console has been updated to support this feature. A new attribute, nsslapd-pwpolicy-local, has been defined for the cn=config entry, and a new script named ns-newpwpolicy.pl is included. For more information, check the Deployment Guide.

In addition, a new attribute named

passwordGraceLimit

has been introduced to permit grace logins when a user's password is expired. When set to a positive number, the user will be allowed to bind with the expired password for that many times. By default, this attribute is set to 0, which means grace logins are not permitted.

Improvements in the Installation program -- On all UNIX platforms, the setup program now allows specifying of a pre-pre-installation program to be run before the Directory Server installation begins. In the .inf files, a new field named PrePreInstall is defined for specifying the path to the executable, which must be relative to the setup program. By default, the PrePreInstall field is set to the dsktune utility path. (This enhancement enables administrators to run the dsktune utility as a part of the Directory Server installation, ensuring that the server is being installed on a machine that meets the minimum requirements.)

Improvements in the dsktune Utility -- For the supported UNIX platforms, the dsktune utility now differentiates between the hard and soft limits on the number of file descriptors (FDs) available and reports accordingly. For Linux platforms, the utility now checks the kernel versions more accurately. For details, check the Installation Guide.

Improvements in Logging. The Logging feature of Directory Server has been enhanced. All three types (Access, Error, and Audit) of log files can now be created with specific access mode or file permissions. For details, check the Directory Server Console or the Administrator's Guide.

New Applications -- Directory Server includes two new client applications called Netscape Directory Server Gateway, and Netscape Directory Server Org Chart. The Netscape Directory Server Gateway is a customizable phonebook style application used for a company directory. The Netscape Directory Server Org Chart application, when configured to work with an instance of Directory Server, enables viewing of users' organizational hierarchy and associated details, such as designation, contact information, physical location, AIM online status, and so on, in a quick and easy manner. For more information, check the Directory Server Gateway Customization Guide and Deploying Netscape Directory Server Org Chart documents.

New Configuration Attributes.

nsslapd-conntablesize -- A new configuration attribute under the cn=config node for specifying the connection table size, which determines the total number of connections supported by the server. For details, see Configuration, Command, and File Reference.

nsslapd-schema-ignore-trailing-spaces -- A new configuration attribute under the cn=config node for ignoring trailing spaces in object class names. By default, the attribute is turned off. It should be turned on if your directory contains entries with object class values that end in one or more spaces. (It is preferable to remove the trailing spaces because the LDAP standards do not allow them.) For details, see Configuration, Command, and File Reference.

Bug Fixes -- Addresses problems noted in the previous releases.

The table below lists bugs that have been fixed in this release.

Bug Number	Description
Command-Line Utilities
608301	In the 6.1-HP release, it was noted that even when a newer patch (one that obsoletes an older patch) was installed on the host machine, the `dsktune` utility would list the patch as needing to be installed. The `dsktune` utility has been enhanced to avoid such problems.
621302	In the 6.11-Windows release, it was noted that the -i charset option to the LDAP command line tools was ignored. This problem has been fixed. The allowed character sets for use with the -i option of LDAP command line tools are as follows: windows-1252; ANSI (same as the previous one); utf-8; and utf8. (The last two character sets work on all platforms, and no conversion is needed.) The LDAP command-line tools are described in Chapter 7 "Command-Line Utilities" of the Configuration, Command, and File Reference.
622984	In the 6.11-UNIX releases, it was noted that after executing the `./db2ldif -r -n <backend_instance>` command, the user wasn't able to start the `slapd` process again because the database file ownership got changed. The problem has been fixed. Running `db2ldif` with the -r option no longer changes the database file ownership.
Directory Server Console
611791	In the 6.0-Solaris release, it was noted that adding an entry to a consumer failed if there was a space in the root suffix name (for example, as in "o=example corp,c=us"). This problem has been fixed.
Installation/Migration/Upgrade
408242	When you installed Directory Server 6.x on a machine that had a previous version of the Directory Server installed, the installation would fail because of the incorrect LD_LIBRARY_PATH settings. (On the machine, the LD_LIBRARY_PATH would normally be set to the path name of the server libraries used by the previous version of the server.) This problem has been addressed. The installation program now checks whether the LD_LIBRARY_PATH (SHLIB_PATH on HP-UX) is set. If it is, the program displays an appropriate error message and prompts the user to correct the path. The program also unsets the ENV variable for the rest of the installation process. When running the installation in the silent mode, the error message gets printed only and the user is not be required to enter anything.
610740	During an in-place upgrade from the 6.1 to 6.11 release, Directory Server logged an incorrect error message: add value to attribute type aci in entry o=NetscapeRoot failed: duplicate value. This problem has been fixed; the error no longer appears in the error log.
613957	In the 6.11-Windows release, it was noted that certain features (for example, command-line utilities) of Directory Server failed to function when the server was installed on a machine that hosted another Netscape server product (for example, Netscape Enterprise Server). This problem has been fixed.
Logging
622985	In the 6.11-HP release, it was noted that when one tried to start the Administration Server on a host that is disallowed by the nsAdminAccessHosts attribute, a warning message [warning (19590)] indicating that the server configuration may require more file descriptors than the operating system provides got logged in the Administration Server's error log. This problem has been fixed.
612951	In the 6.11-Windows release, for each Administration Server startup, the Windows Event Log showed the following error message: The description for Event ID ( 7 ) in Source ( admin62-serv ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: startup: server started successfully, `.` This problem has been corrected, and the error message no longer appears in the Windows Event Log.
Miscellaneous
610413	In the 6.11 release, it was noted that the modify operations stopped functioning if the attribute size was greater than 2MB and if the `nsslapd-maxbersize` attribute was not set to a big value. (In 6.0.2 or 6.1 version, the server correctly disconnected the client for such a modify operation.) This problem has been fixed. A client such as the ldapmodify tool now returns "ldap_add : Can't contact LDAP server" and the Directory Server error log records a clear error message.
613958	In the 6.11-Windows release, it was noted that the Presence demo application that's bundled with Directory Server failed to work with Netscape Enterprise Server, version 6.1 or later. This problem has been fixed; the demo application works properly when the JDK version is compatible with the Enterprise Server version (in use).
Plug-Ins
611058	In the 6.0 release, it was noted that the UID Uniqueness and 7-Bit Check plug-ins failed when a modify operation contained two distinct operations, for example, delete UID and add UID. The problem arose from the fact that the server only looked for the first operation in the modify-operation list that contained the attribute to check. This problem has been fixed.
Replication
614136	In the 6.11 release, it was noted that when the replication schedule was modified via the Directory Server Console, the console lost the client-authentication credentials, causing replica updates to fail. This problem has been fixed.
622627	In the 6.11 release, it was noted that the multi-valued attribute order was not preserved when a replace operation got replicated. For example, if one were to replace the value of a multi-valued attribute on the master, when the change got replicated to the consumer, the order of the attribute was not preserved on the consumer. This problem has been fixed.
623867	When a parent was renamed by the replication subsystem when performing conflict resolution, its children's DNs were updated. However, their operational attribute entrydn were not updated. This defect left DN and entry DN in an inconsistent state and also caused an index error. The problem has been fixed.
624105	Purging of tombstone and state information would not occur in certain circumstances, causing the database to grow in size and perform poorly. This problem has been fixed.
624123	Deletion of a single-valued attribute on a master would not get propogated to replicas. This problem has been fixed.
624152	When configured to use legacy replication, Directory Server would add missing superior objectclasses to entries received from a legacy supplier. This would cause inconsistencies of data between replicated instances. This problem has beeen fixed.
Security and Access Control
539475	In the 6.0 release, it was noted that certificate mapping failed if the target was under cn=config. This problem has been fixed. Suffix cn=config is now included in the list of suffixes to be searched. Additionally, the search is performed for both userCertificate and userCertificate;binary attributes when retrieving a user's certificate.
558903	In the 6.0-Windows release, it was noted that adding an SSL server certificate with name other than `server-cert` resulted in two certificates named `server-cert` in the server's certificate database, and the server failed to pick up the new/correct certificate. One had to manually delete the old certificate first and then install the new certificate. This problem has been fixed -- the server picks up the correct certificate from those in the certificate database.
606344	In the 6.0 release, a new base DN used to have two ACIs for self write by default; one that allowed self write for any attribute and another that denied self write for a list of specific attributes. This allowed self write to some operational or security attributes that are not listed in the deny ACI. This problem has been fixed. Now, the base DN has one ACI to allow self write for a list of common attributes only.
608450	In the 6.1 release, it was noted that Directory Server would fail to start with the -D option if the path specified in the command ended in a slash (for example, -D /path/to/instance/). This problem has been fixed. Paths ending in / or \\ are automatically corrected now.
613903	In the 6.11-HP release, it was noted that SSL-related operations (both HTTPS and LDAPS) initiated via Netscape Console were failing due to a library dependency that was not being satisfied. This problem has been fixed.

Software and Hardware Requirements

This release of Directory Server is supported on the following operating-system platforms:

HP UX 11.0 and 11i
Microsoft Windows 2000 Advanced Server
Red Hat Linux 7.3 and Linux Advanced Server 2.1
Sun Solaris 8 and Solaris 9

For detailed system requirements, check the Installation Guide.

Documentation

For the latest information about Directory Server, including current release notes, technical notes, and deployment information, always check this site: http://enterprise.netscape.com/docs/directory/

The complete set of Directory Server documentation for this release includes the following:

Directory Server Release Notes (this document) -- The release notes contain information on new features of this release, software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

Directory Server Deployment Guide -- This guide provides an overview for planning your deployment of Directory Server. The guide also includes deployment examples.

Directory Server Installation Guide -- This guide describes how to plan for and install Directory Server. The guide also contains procedures for migrating or upgrading from a previous installation of Directory Server. Read this guide after you have read the release notes and Directory Server Deployment Guide.

Directory Server Administrator's Guide -- This guide describes all of the administration tasks you need to perform to maintain Directory Server.

Directory Server Configuration, Command, and File Reference -- This guide provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.

Directory Server Schema Reference -- This guide contains reference information about the Directory Server schema.

Directory Server Plug-In Programmer's Guide -- This guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.

Directory Server Gateway Customization Guide -- This guide introduces Netscape Directory Server Gateway and explains how to implement a gateway instance with basic directory lookup functionality. The guide also contains information useful for implementing a more powerful gateway instance with directory authentication and administration capability.

Deploying Directory Server Org Chart -- This document introduces the Netscape Directory Org Chart application and explains how to integrate it with an instance of Directory Server.

If you obtained Directory Server on a CD, you can find the documentation in the directory named docs at the top level of the CD. For a list of documentation, open the index.htm file.

Important Notes and Known Problems

This section lists important notes, bugs, and known issues, and provides workarounds for some of the problems that you may encounter with the product. (The problems are identified by bug numbers to help you refer to them if you need to contact technical support.)

Chaining
Class of Service (CoS) and Roles
Command-Line Tools
Core Server
Database
Directory Server Console

Indexing
Installation/Uninstallation
Internationalization
Migration/Upgrade
Miscellaneous
Replication

Schema
Searching
Security and Access Control
Server Plug-Ins

Chaining

If the first farm server fails and returns an operations error when using a failover server for database chaining, retry the operation to chain successfully. Should the first farm server fail when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining will succeed. (531750)

Class of Service (CoS) and Roles

The behavior for negative CoS template priority values is not defined in the server and cosPriority is not supported by Indirect CoS. Given that the behavior for negative CoS template priority values is not defined in Directory Server, do not enter negative values. Note that Indirect CoS does not support cosPriority. (539362)

The nsRoleDN attribute should not be used for evaluating role membership in a user’s entry. When evaluating role membership, use the nsrole attribute instead.

Command-Line Tools

When using the batch scripts in an MKS korn shell, the -s option may not function correctly because of an MKS korn shell bug. The MKS shell removes the double quotes and treats values as separate in some cases. The batch scripts are described in Chapter 8 "Command-Line Scripts" of the Configuration, Command, and File Reference. (601025)

HP UX only. If imports of smaller LDIF files are taking too long, setting the nsslapd-import-cache-autosize attribute value to off may help improve the speed. (624021)

UNIX only. The security tools (certutil, derdump, modutil, pk12util, pp, and ssltap) that get installed with Directory Server are not linked with RPATH. Before using these tools, ensure that the runtime library search path (LD_LIBRARY_PATH on most UNIX platforms, SHLIB_PATH on HP_UX) is set to <server_root>/shared/lib. (623028)

Core Server

UNIX only. You will need to write an rc script to start the slapd process, as it does not start automatically when the system boots. (531009)

Database

If you get error messages indicating that the lock table is out of available locks ([26/Oct/2001:17:44:25 0200] - libdb: Lock table is out of available locks), set the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry to twice its current number. For example, if the current number is 10000, set it to 20000. If the problem persists, double the number again. You can also monitor the current and maximum number of locks by doing a search on cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config . An example of the command is given below. (561553)

ldapsearch -h <hostname> -p <port> -b"cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config" -D"cn=directory manager" -w <password> objectclass=* | grep -- -locks: )

Directory Server Console

You won't be able use Netscape Console, version 6.0, to monitor your 6.2 version of the Directory Server. (612197)
The reason for this is that the 6.0x version of the console is based on JDK version 1.2, and the 6.1 and later versions of the console are based on JDK version 1.4; a plug-in compiled with JDK1.4 doesn't run under JDK1.2.

The UI provided for managing static/dynamic groups and roles may not display all possible selections during a search operation if there is no VLV index for users' search. (561720)
You may notice this problem only when the number of users is 1000 or more and there is no VLV index for search. To work around the problem, create a VLV index for the users suffix with filter (objectclass=person) and scope sub-tree.

If you think the information displayed in the console is inaccurate, remember to use both the global and contextual refresh features.

Trailing spaces are dropped during a remote console import. (541314)

ldif2db

The continuous log refresh feature of the Directory Server Console does not work well with large (10MB plus) log files. (540085)

Certificate-renewal process using the Certificate Request Wizard needs improvement. (600505)

The Directory Server Console does not support editing of multi-valued RDNs. (530638)
For example, assume you configured two servers in a multi-master mode, created an entry on each server with the same user ID, and changed the new entries' RDN to the nsuniqueid uid value. If you attempt to modify this entry from the console, you get the following error: Changes cannot be saved for entries with multi-valued RDNs.
When you open the entry in the advanced mode, you will be able to see that the naming attribute has been set to nsuniqueid uid. However, you cannot change or correct the entry by changing the user ID and RDN values to something different. For example, if jdoe was the user ID and if you want to change it to jdoe1, you cannot do so from the console. Instead, follow this workaround:
```
ldapmodify:
ldapmodify
changetype: modify
replace: uid
uid: jdoe

ldapmodify
changetype: modrdn
newrdn: uid=jdoe1
deleteoldrdn: 1
```

Indexing

VLV indexes and server side sorting do not work correctly if they encompass more than one database instance.

Installation/Uninstallation

Correct the configuration generated at installation time, if your suffix contains space characters. (533837)
If your suffix contains space characters, you must correct the suffix following installation because the suffix name will not be configured correctly. To correct the suffix:

Open Netscape Console.
In the left-hand navigation pane of the Servers and Applications tab, select the top-most entry.
On the right-hand pane, click Edit and edit the value in the "User directory subtree" field.
Click OK to save your changes.

Installation of a new Directory Server fails if the install path is too long. (612001)
To work around the problem, use a shorter path for your installation.

Installation of a new Directory Server instance from Netscape Console fails if Administration Server is configured to communicate with Directory Server over LDAPS. (600877)
If you install SSL server certificates for Directory Server and Administration Server and configure Administration Server to communicate with Directory Server over SSL, creation of a new Directory Server instance from Netscape Console will give the following error: The operation failed. Please review the output in the window to determine the cause of failure.

HP UX only. If the Directory Server shuts down due to full disk, subsequent restart of the server may take a very long time, for example, more than an hour. Ensure that the machine on which you install the server has adequate disk space and that the machine is configured appropriately to handle large files. (609054)

HP UX only. Creating a Directory Server instance using the console creates a server in a different time zone. (541918)
To synchronize the different time zone which is generated when you create a Directory Server instance using the console with existing time zones, (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see Chapter 8, “Command-Line Scripts” in the Configuration, Command, and File Reference.

Linux only. The setup program may crash if you traverse back the installation-wizard screens to change your installation directory and then resume the installation steps. (604072)

Internationalization

International collation order matching rules not behaving consistently. (600478)

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1:==passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de:==passin"

However, the rules listed below will work (note the .3):

./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1.3:=passin"./ldapsearch -p 9001 -D "uid=gfarmer,ou=people,dc=example,dc=com" -w ruling -b "dc=example,dc=com" "sn:de.3:=passin"

Migration/Upgrade

In this release of Directory Server, the certificate database name has been changed from cert7.db to cert8.db. When you upgrade from an SSL-enabled, 6.0x or 6.1x version of Directory Server to the 6.2 version, the old server's cert7.db is automatically converted to cert8.db. However, after the upgrade process, the new server's dse.ldif file may not show the correct certificate database name. For example, you may still see a reference to cert7.db in your dse.ldif file:

nsCertfile: alias/slapd-testDir-cert7.db

The incorrect filename in the dse.ldif file does not effect the SSL status of the new server; in the server's file structure, if you were to delete the cert7.db file, the server will still work with SSL turned on because it's using the cert8.db file.

If you want the database filename change reflected in the dse.ldif file, manually edit the filename in the dse.ldif file. (620338)

After performing an in-place upgrade of an SSL-enabled, 6.0x or 6.1x version of Directory Server, the ownership on the new certificate database file (cert8.db) will be set to the user that ran the installer. (623859)
If Directory Server is set to run as a different effective user, for example, if nsslapd-localuser is nobody, the server won't start because it won't be able read the cert8.db file. To fix the problem, use the UNIX chown command to ensure that the files under the <server_root>/alias directory are owned by the correct user.

Windows only. During the migration of a Directory Server 5.x MMR environment, the passwords associated with the replication bind DNs don't get migrated. (614100)
Because of this, all the replication agreements will have an invalid password configured in them after migration. To work around the problem, manually reenter the passwords after the migration is complete: open the Directory Server Console and reenter the bind DN password for each replication agreement that was migrated.

An in-place upgrade of an SSL-enabled Directory Server fails. (622998)
Before performing an in place upgrade from a previous/6.x release of Directory Server, ensure that the server being upgraded can start up without manual interaction. If SSL is enabled, either a PIN file allowing the server to start up without password input must exist or security/SSL needs to be temporarily disabled. You can disable security either by unselecting "Enable SSL for this server" in the Directory Server Console or by setting the nsslapd-security attribute to off under the cn=config entry of the dse.ldif file.

Windows only. During the upgrade process, the installation program does not detect the previous installation automatically. (601387)
When you upgrade an instance of Directory Server 6.0x or 6.1x to Directory Server 6.2, be sure to install the latter on the same server root on which your 6.0x or 6.1x Directory Server is installed. For example, if your Directory Server 6.11 is not installed at the default server root (c:\netscape\servers), instead of pointing to the alternate server root, the installation program points to the default server root.

After migrating Directory Servers that are configured for replication over SSL, reinitialization of the consumers from the master may be necessary. (623156)

Miscellaneous

When using Enterprise Server to deploy the Presence demo application that's bundled with Directory Server, be sure to use the JDK version that's compatible with the version of the Enterprise Server being used. For information on compatible JDK versions, check the appropriate Netscape Enterprise Server Release Notes, which are available at this site (613958):
http://enterprise.netscape.com/docs/enterprise/index.html

Replication

If you have more than 10 databases running with replication, you may see performance degradation. Also, if you have more than 20 replication agreements on a supplier, you may see performance degradation. If you need to support that many consumers, you may have to introduce one or more hub replicas between your supplier(s) and consumers.

Replica busy errors are no longer logged by default because they are usually benign. If you want to see them, turn on the replication error log level.

Schema

The schema provided with Directory Server 6.2 differs from that specified in RFC 2256 for the groupOfNames and groupOfUniquenames object classes. In the schema provided, the member and uniquemember attribute types are optional, while RFC 2256 specifies that at least one value for these types must be present in the respective object class.

The LDAP RFCs (and X.500 standards) allow for an object class to have more than one superior. This behavior is not currently supported by Directory Server.

Directory Server fails to start if schema definitions include too few or too many space characters. (518315)
Use exactly one space in those places where the LDAP standards allow the use of zero or many spaces; for example, the place between the NAME keyword and the name of an attribute type.

Searching

Linux only. The Linux file system cache competes with Directory Server for physical memory, resulting in serious performance loss.
The Linux file system, a part of the operating system (OS), uses a portion of the physical memory for caching files to improve its performance. The file system is supposed to release this memory back to the OS when it runs out of memory. However, at times, the file system doesn't release enough memory to the Directory Server, which results in virtual memory (VM) thrashing and serious performance degradation. If you notice a big drop in search performance of your Directory Server, run the top command to see how much memory is used by the file system; the last item of swap: is the memory used by the file system. To work around the problem, configure a smaller Directory Server cache, either entry cache or dbcache, or both.

Substring search filters that use DN-valued attributes, such as modifiersName or memberOf, do not always match entries correctly if the filter contains one or more space characters. (605277)
To work around this problem, use the entire DN in the filter instead of a substring, or ensure that the DN substring in the filter begins at an RDN boundary (that is, make sure it starts with a "type=" part of the DN). For example, this filter should not be used:

(memberof=*Domain Administrators*)

But either one of these will work correctly:

(memberof=cn=Domain Administrators*) (memberof=cn=Domain Administrators,ou=Groups,dc=example,dc=com)

Security and Access Control

When adding ACIs, if you use a DN with embedded quotes and multiple commas within the quotes, you'll get a syntax error. (543094)
DNs with enquoted values are not supported in ACIs, the escaped equivalent should be used instead. For example,
cn="givenname=joe, uid=joe1", dc=example, dc=com should be cn=givenname=joe\, uid=joe1, dc=example, dc=com.

Access Control and the MODRDN operation. (541099)

MODRDN

targetattr

cn=helpDeskGroup,ou=groups,o=example.com

cn=*,ou=people,o=example.com,

aci: (target="ldap:///cn=*,ou=people,o=example.com")

(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";

deny(write)

groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)

Server Plug-Ins

The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting that access control will perform for group evaluation. Instead, the number of levels of nesting is hardcoded as 5. (519812)

For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Directory Server or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.directory

You might also find it useful to subscribe to the following newsgroups, where security- and certificate-related topics are discussed:

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security
snews://secnews.netscape.com/netscape.dev.certificate

So that we can best assist you in resolving problems, please be sure to include the following information:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

For problems involving the use of directory with other products, include the product name (for example, Netscape 7.1), the release number, and platform information for those products as well.

Use of this product is subject to the License accompanying the product.
Copyright © 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments