Netscape Directory Server 7.0

Release Notes


These Release Notes contain important information available at the time of the release for Netscape Directory Server (Directory Server) version 7.0. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server.

Directory Server 7.0 no longer comes with the Sun Java libraries; these libraries must be obtained prior to installation of Directory Server, or installation will fail.

What's New in This Release

This release of Directory Server contains enhancements and new features for security, memory, and performance.

64-bit Versions of the Server on Selected Platforms

A 64-bit version of Directory Server 7.0 is available on Solaris and HP-UX 64-bit platforms, allowing very large caches to be configured. In previous versions of the Directory Server, the maximum cache size that could be configured was between 1 and 4 Gbytes. The new 64-bit Directory Server allows cache sizes functionally limited only by available memory.

SASL Authentication and Encryption

Directory Server 7.0 introduces SASL client authentication via the GSS-API mechanism. Clients using Kerberos v5 credentials can authenticate to the server, and, in addition, the server supports the negotiation of SASL data encryption, using GSS-API for clients that perform a successful SASL bind operation. SASL data encryption is not supported for SSL/TLS client connections.

Enhanced Index Update Performance

In the 7.0 release of Directory Server, the design of the database secondary indexes has been changed. This change greatly improves the performance of LDAP operations that modify indexed data, such as ldapadd, ldapdelete, and ldapmodify operations. It also allows fine-grained control over directory data and index structure management and delivers scalable and efficient ID insertion, enhancing both write and search performance.

Start TLS Support in Client Tools

Start TLS (Transport Layer Security) extended operation allows a regular LDAP connection to enable SSL after the connection has been established. Previous versions of Directory Server supported Start TLS, but the client tools and libraries for C did not. In version 7.0, the C SDK code has been modified to support Start TLS. In addition to the LDAP library function, the command-line utilities ldapsearch, ldapmodify, ldapcompare, and ldapdelete have been enhanced to support Start TLS.

DSML Gateway

For the Directory Server 7.0 release, DSMLv2 services have been added, implemented as a Java gateway that can be hosted by the Admin Server or any suitable application servers. DSML version 2.0 is a Web Services protocol that closely mirrors LDAP. It allows content stored in a Directory Server to be easily accessed by standard Web Service applications and development tools, making it easier for developers to utilize LDAP SDK libraries.

Database Encryption

Directory Server 7.0 adds support for encryption of selected attributes within a database. The Directory Server stores data relating to users and other entities, some of it sensitive. Typically, this information is protected by access controls. For sensitive information such as government identification numbers and passwords, access control alone may not offer sufficient protection. By allowing the encryption of selected attributes when stored in the server's database, an extra level of protection is now available.

Software and Hardware Requirements

Directory Server 7.0 runs on 32- and 64-bit platforms and architectures. An overview of the supported operating systems for 32- and 64-bit platforms is given here. The 32-bit and 64-bit applications are separate; contact Netscape Professional Services for information on which to use for your deployment.

Note

Even for 64-bit platforms, it may be preferable for performance reasons to run Directory Server as a 32-bit application if the memory size is smaller than 4 Gbytes.

Directory Server 7.0 does not come with the Sun Java libraries; these libraries must be obtained prior to installation of Directory Server, or installation will fail.

For detailed system requirements, refer to the chapter titled "Computer System Requirements," in the Netscape Directory Server Installation Guide.

32-bit Platforms

  • Microsoft Windows 2000 Server SP4

  • Red Hat Enterprise Linux 3 AS

  • Sun Solaris 9 (32-bit)

64-bit Platforms

  • HP-UX 11i

  • Sun Solaris 9 (64-bit)

Important Notes and Known Problems

This section lists important notes and known issues and provides work-arounds for problems you may encounter with this product. The problems are identified by bug numbers to help you refer to them if you need to contact Netscape Technical Support.

Admin Express

Administration Express allows administrators to start or stop servers. However, Admin Express relies on both the Administration Server and the Configuration Directory Server for its operations. Therefore, if you use Admin Express to stop either of those servers, it will be necessary to restart them manually. (624343)

Chaining

If the first farm server fails when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error, which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining will succeed. (531750)

Command-Line Functions

The Resource Kit utility dbscan, a command-line tool used for low-level database access, which is supplied with 64-bit versions of Directory Server for HP-UX and Solaris, is a 32-bit version of the tool, and compatible 32-bit libraries are not included. A 64-bit version of dbscan is available upon request to correct the issue. (624471)

Console

  • For 64-bit versions of Directory Server, the default CA certificates do not appear in the CA Certs tab of the Managing Certificates window of the Task tab. The certificates do exist, however, and can be viewed manually with the certutil utility.

    Go to shared/bin/ in your Directory Server installation. Run certutil with the -L option for the list of CA certificates, as follows:

    cd /export/netscape/servers/shared/bin
    ./certutil -L

    (624344)

  • When run on Unix and Linux servers, the Console help buttons look for the browser netscape to be in the system path when opening the HTML-based help files. If netscape is not found, either because it is not in your path or because a Netscape browser is not installed, the Console will not be able to bring up the help documentation. If you already have a Netscape browser installed, refer to your system vendor's documentation for adding its location to the path. If Netscape is not available for your platform or you would like to use a different browser, symlink its name to netscape somewhere in your default path. For example:

    ln -s /opt/mozilla/mozilla /usr/bin/netscape

Installation/Uninstallation

JRE

The Java JRE libraries are no longer bundled with Directory Server. They must be downloaded and extracted separately, prior to installation. If they are not, installation cannot proceed.

It is recommended that you use the tested versions of the Java jre package; HP was tested with j2re1.4.2_04; Sun, Linux, and Windows were tested with j2re1.4.2_05.

  1. Obtain the OS-appropriate Java libraries from either of the following URLs:

    http://www.java.com

    http://www.hp.com/products1/unix/java/

    Use the Solaris 9 32-bit package for both 32-bit and 64-bit Sun installations. It is recommended that you extract these files in a separate directory from your Directory Server installation, such as /export/netscape/jre.

  2. Make sure the jre package is executable, then run the file. For example:

    chmod a+x j2re-1_4_2_05-solaris-sparc.sh
    ./j2re-1_4_2_05-solaris-sparc.sh

    This will extract a new jre directory called j2re1.4.2_05.

When you first run setup, it will ask for the jre path. Fill in the absolute path as follows:


/export/netscape/jre/j2re1.4.2_05

If you are doing a silent installation, set the jre path as an environment variable before running setup:


export NSJRE=/tmp/java/jre/j2re1.4.2_05

or


set NSJRE=C:\Program Files\Java\j2re1.4.2_05

All Systems
  • If your suffix contains space characters, the suffix name will not be configured correctly at installation time, and the generated configuration must be corrected. To correct the suffix:

    1. Open Netscape Console.

    2. In the left-hand navigation pane of the Servers and Applications tab, select the top-most entry.

    3. On the right-hand pane, click Edit, and edit the value in the User directory subtree field.

    4. Click OK to save your changes.

    (533837)

  • Administration Server fails to start after installation of a new Directory Server if the install path is too long. To work around the problem, use a shorter path for your installation. (624242)

  • Installation of a new Directory Server instance from Netscape Console fails if Administration Server is configured to communicate with Directory Server over LDAPS.

    If you install SSL server certificates for Directory Server and Administration Server and configure Administration Server to communicate with Directory Server over SSL, creation of a new Directory Server instance from Netscape Console will give the following error: The operation failed. Please review the output in the window to determine the cause of failure. (600877)

HP-UX
  • You must have the following patch installed on your system before installing Directory Server: PHSS_30966: ld(1) and linker tools cumulative patch. Without this patch the product will fail to install.

  • The following two patches are required for Kerberos/GSSAPI/SASL to work on HP-UX 11i systems: PHSS_29487 and the dependent patch PHSS_29486. These patches are not required if Kerberos is not to be used.

  • In testing, a stock HP-UX installation has various machine-wide kernel limits that interfere with Directory Server operating under certain conditions. If you do not change these settings, Directory Server will not install.

    For instance, the kernel maxfiles soft-limit of 60 does not allow the server to start. When installing Directory Server, at a minimum, increase it at the command-line to the default hard-limit set by maxfiles_lim, 1024, with ulimit -n 1024, before running setup. dsktune may recommend a more appropriate setting to be configured with SAM. Other kernel limits may be set too low (such as the maximum number of threads); refer to dsktune to configure these.

  • HP-UX limits the amount of memory processes can use and has different limits for 32- and 64-bit applications. For both applications, the default amount of memory set by maxdsiz is too small, roughly 256 Mbytes for 32-bit and 1 Gbyte for 64-bit. These limits can prevent Directory Server from allocating memory for its cache.

  • If you log in as a regular user instead of the root user, dsktune gives error messages concerning patches. These warnings can be ignored; only the root user has the ability to view patches, so regular users receive the warning.

  • Creating a Directory Server instance using the Console creates a server in a different time zone.

    To synchronize the time zone of the instance created with the Console with the existing time zones, which is essential for replication operations, restart the server using the restart-slapd command-line script. For further information on the command-line scripts, refer to the chapter titled "Command-Line Scripts" in the Netscape Directory Server Configuration, Command, and File Reference. (541918)

Red Hat Linux
  • The Directory Server requires NPTL threading. This is the default on Red Hat installations on 486 and higher Intel processors. However, it is possible to configure a machine without NPTL threading, either by installing the 386 version of glibc or by setting the LD_ASSUME_KERNEL environment variable.

    If your server fails to start on Red Hat Linux, please verify that the system has NPTL by running the getconf command shown below:

    getconf GNU_LIBPTHREAD_VERSION
    NPTL 0.60

    Output containing NPTL indicates that the machine is correctly configured.

    If getconf shows that linuxthreads are in use, as in the following output, then the machine must be reconfigured before Directory Server will start:

    getconf GNU_LIBPTHREAD_VERSION
    linuxthreads-0.10
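
As an added example (not part of the original release notes), the following shell functions check the conditions described in this section before setup is run: the JRE path, the HP-UX open-file limit, and NPTL threading on Red Hat Linux. The function names and the bin/java layout under the JRE directory are assumptions.

```shell
#!/bin/sh
# Pre-install checks for conditions these notes say stop setup or the server.
# Values are passed as arguments so each check can be tried with sample input.
# Usage: NSJRE=/export/netscape/jre/j2re1.4.2_05 preinstall_check

# check_jre DIR: DIR must be an extracted JRE (assumed layout: DIR/bin/java).
check_jre() {
    if [ -z "$1" ]; then
        echo "FAIL: NSJRE is not set"; return 1
    fi
    if [ ! -x "$1/bin/java" ]; then
        echo "FAIL: no executable bin/java under $1"; return 1
    fi
    echo "OK: JRE found at $1"
}

# check_nofile LIMIT: open-file soft limit must be at least 1024 (HP-UX note).
check_nofile() {
    case $1 in
        unlimited) echo "OK: open-file limit is unlimited"; return 0 ;;
        ''|*[!0-9]*) echo "FAIL: cannot parse open-file limit '$1'"; return 1 ;;
    esac
    if [ "$1" -lt 1024 ]; then
        echo "FAIL: open-file limit $1 is below 1024; run 'ulimit -n 1024' before setup"
        return 1
    fi
    echo "OK: open-file limit is $1"
}

# check_threads VERSION ASSUME_KERNEL
# VERSION is the output of 'getconf GNU_LIBPTHREAD_VERSION'.
# Returns 1 if the library is not NPTL, 2 if LD_ASSUME_KERNEL is set.
check_threads() {
    case $1 in
        NPTL*) ;;
        *) echo "FAIL: thread library is '$1', NPTL is required"; return 1 ;;
    esac
    if [ -n "$2" ]; then
        echo "WARN: LD_ASSUME_KERNEL=$2 is set and can select a non-NPTL glibc"
        return 2
    fi
    echo "OK: $1"
}

# preinstall_check: run the checks that apply to this host.
# Returns the number of checks that did not pass.
preinstall_check() {
    failures=0
    check_jre "${NSJRE:-}" || failures=$((failures + 1))
    case $(uname -s) in
        HP-UX) check_nofile "$(ulimit -n)" || failures=$((failures + 1)) ;;
        Linux) check_threads "$(getconf GNU_LIBPTHREAD_VERSION 2>/dev/null)" \
                   "${LD_ASSUME_KERNEL:-}" || failures=$((failures + 1)) ;;
    esac
    return "$failures"
}
```

Run preinstall_check as the same user and in the same shell environment that will run setup, since both the open-file limit and LD_ASSUME_KERNEL are per-process settings.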
    
    

Migration/Upgrade

  • Upgrade is not supported in Directory Server 7.0. Migration is supported for version 6.11 and later. For servers that are running Directory Server releases older than 6.11, export your data to LDIF, install a new instance of Directory Server 7.0, and import your data.

  • Not all previously supported operating systems can be migrated to 7.0 because some of those operating systems are no longer supported; for example, Red Hat Linux Advanced Server 3 is supported in 7.0, while previous versions supported Red Hat Linux Advanced Server 2.1 or Red Hat Linux 7.3.

Replication

  • If you are configuring a large import cache size, remember that the server allocates one import cache per online replica initialization operation. It is possible to configure an import cache size that is so large that the server is unable to allocate the cache for replica initialization. This is especially true if more than one replica initialization operation is initiated on the same server at the same time. This problem can be avoided by either leaving the import cache size at the default settings or configuring an import cache size that is significantly smaller than the available physical memory.

  • To monitor replication status using Admin Express, be sure that the Administration Server has read permissions to the replication monitoring configuration file. If it does not, it will return an error message.

    In Windows, reset the permissions by right-clicking on the configuration file that you created when you set up replication. Select Properties from the drop-down menu, and go to the Security tab. By default, the Admin Server is run as the special user SYSTEM; permissions should be set on the file to allow read access for the user account used by the Admin Server.

Security

  • If the server identifier, such as slapd-DirectoryServer, is configured with capital letters, the setup program creates cert8.db and key3.db files with corresponding capitalization. However, after configuring SSL, the Console will create and use cert8.db and key3.db files that are all lower case. The ns-httpd process depends on these files being capitalized, and if SSL is enabled in an Administration Server on a host with capitals in the hostname, the server will not start if the cert files do not have capitals.

    There are two ways to resolve this conflict:

    • The lower case files can be renamed with the capitals, and the values for nsCertfile and nsKeyfile can be updated in dse.ldif under cn=encryption,cn=config to match the new filenames.

    • The new lower case cert files can be symlinked to allow the Administration Server to manage the certificates, and the old upper case cert files can be removed.

    (624181)
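
As an added example (not Netscape's own tooling), this shell function reads the nsCertfile and nsKeyfile values from dse.ldif and reports any whose capitalization does not match the file on disk, which is the condition described above. It assumes the values are paths relative to the server root and are not folded across LDIF continuation lines; the function name is illustrative.

```shell
#!/bin/sh
# check_certdb_case SERVER_ROOT DSE_LDIF
# For each nsCertfile/nsKeyfile value in dse.ldif, report whether a file with
# exactly that name (case-sensitive) exists under SERVER_ROOT.
# Assumption: values are paths relative to SERVER_ROOT, one per LDIF line.
# Prints OK, CASE-MISMATCH or MISSING per value; returns 1 if any is not OK.
check_certdb_case() {
    server_root=$1
    dse_ldif=$2
    report=$(
        # LDIF attribute names are case-insensitive, so match on lower case.
        awk 'tolower($0) ~ /^ns(cert|key)file:/ {
                 sub(/^[^:]*:[ \t]*/, ""); print
             }' "$dse_ldif" |
        while IFS= read -r rel; do
            dir=$server_root/$(dirname "$rel")
            base=$(basename "$rel")
            # Compare against the directory listing so the match is exact
            # even on a case-insensitive file system.
            if ls -1 "$dir" 2>/dev/null | grep -Fxq -- "$base"; then
                echo "OK $rel"
            else
                other=$(ls -1 "$dir" 2>/dev/null | grep -Fxi -- "$base" | head -n 1)
                if [ -n "$other" ]; then
                    echo "CASE-MISMATCH $rel (on disk: $other)"
                else
                    echo "MISSING $rel"
                fi
            fi
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    case $report in
        *CASE-MISMATCH*|*MISSING*) return 1 ;;
    esac
    return 0
}
```

A CASE-MISMATCH line identifies the file to rename or symlink, or the dse.ldif value to update, using either of the two resolutions listed above.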

SNMP

To use an SNMP service on Windows deployments, different installation and configuration is necessary to make sure that the service interacts properly with MIB browsers, trap watchers, and other SNMP applications.

  1. Install the SNMP service from the Add/Remove Program applet in the Control Panel. The service is located under Add/Remove Windows Components > Management and Monitoring Tools. The SNMP service must be installed and started before installing the Directory Server.

  2. Install the Directory Server.

  3. Adjust the system Path variable. The SNMP extension agent requires certain files to be in the system path; to ensure that they are available, add the directory ServerRoot\bin\slapd\admin\bin to the end of the path, where ServerRoot is the folder in which you installed the Directory Server. For example:

    C:\Netscape\Servers\bin\slapd\admin\bin
    The Path variable is a list of directories separated by semi-colons. Change this variable by right-clicking on the My Computer icon, selecting Properties, and choosing the Advanced tab. After clicking the Environment Variables button, look for the item Path in the bottom list, and select it. Click the Edit button, and append your location to the end of the path.

  4. Configure the SNMP Service. Using the Computer Management tool, go to the Services pane, and select the SNMP Service. Double-click it to open its properties. Under the Log On tab, change the service to log on as Administrator. Continue through the tabs to configure the contact, location, community name, and so forth, reflecting your environment. Read-only access to the community is sufficient for monitoring the Directory Server. If you plan to use SNMP traps, make sure to configure a community name and trap destination on the Traps tab. Restart the SNMP Service.

  5. Configure the SNMP information in the Configuration => SNMP tab of the Directory Server.

Documentation

For the latest information about Directory Server, including current Release Notes, technical notes, and deployment information, refer to the following URL:

http://www.redhat.com/docs/manuals/netscape/

The complete set of Directory Server documentation for this release includes the following:

  • Netscape Directory Server Release Notes (this document) -- Contains information on new features of this release, software and hardware requirements for installing the product, important notes and known bugs, up-to-the-minute product information, and how to send feedback.

  • Netscape Directory Server Deployment Guide -- Provides an overview for planning your deployment of Directory Server. Includes deployment examples.

  • Netscape Directory Server Installation Guide -- Contains procedures for installing your Directory Server as well as procedures for migrating your Directory Server.

  • Netscape Directory Server Administrator's Guide -- Contains procedures for the day-to-day maintenance of your directory service. Includes information on configuring server-side plug-ins.

  • Netscape Directory Server Configuration, Command, and File Reference -- Provides information about using the command-line scripts shipped with Directory Server.

  • Netscape Directory Server Schema Reference -- Provides reference information about the Netscape Directory Server schema.

  • Netscape Directory Server Plug-in Programmer's Guide -- Describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.

  • Netscape Directory Server Gateway Customization Guide -- Introduces Directory Server Gateway and explains how to implement a gateway instance with basic directory look-up functionality. Also contains information useful for implementing a more powerful gateway instance with directory authentication and administration capability.

  • Netscape Directory Server DSML Gateway Guide -- Introduces the Netscape Directory Server DSML Gateway function and explains how to customize it for use as a Java Gateway.

If you obtained Directory Server on a CD, you can find the documentation in the directory named docs at the top level of the CD. For a list of documentation, open the index.htm file.

More Resources

Your feedback is welcome and extremely helpful in improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Directory Server or if you need to report problems with this product, contact Netscape Technical Support. You may also contact us through our newsgroup for support, questions, answers, and the latest information at:

snews://secnews.netscape.com/netscape.dev.directory

For security and certificate-related topics, you might also find it useful to subscribe to the following newsgroups:

snews://secnews.netscape.com/netscape.dev.ssl

snews://secnews.netscape.com/netscape.dev.security

snews://secnews.netscape.com/netscape.dev.certificate

In order to ensure the best assistance possible, please be certain to include the following information:

  • Description of the problem, including the situation where the problem occurs and its impact on your operation.

  • Machine type, operating system and version, architecture, and product version, along with any patches and other software that might be affecting the problem.

  • Detailed steps on the method to reproduce the problem.

  • Any error logs or core dumps.

For problems involving the use of the Directory Server with other products, include the name and release number (e.g., Netscape Communicator 7.1) with platform and architecture information for those products, as well.

Copyright and Third-Party Acknowledgments

Use of this product is subject to the License accompanying this product. Copyright 2001 Sun Microsystems, Inc.

Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.