Release Notes
Red Hat Directory Server

Red Hat Directory Server 7.1

Updated June 2, 2005

These Release Notes contain important information available at the time of the release of Red Hat Directory Server (Directory Server) version 7.1. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server.

The following sections are included in these Release Notes:

What's New in This Release
Software and Hardware Requirements
Red Hat Network Notes
Important Notes and Known Problems
Documentation
Copyright and Third-Party Acknowledgments

IMPORTANT

Before attempting to install either the 32-bit Solaris version or the 64-bit Solaris version of this release on Solaris 9, download and install the 32-bit version of JRE 1.4.2_05 as described below under the Solaris: 32-bit JRE Installation Procedure section; this is unnecessary for Red Hat Enterprise Linux (RHEL) platforms, as the Directory Server 7.1 comes pre-bundled with the 32-bit version of IBM JRE 1.4.2 for Linux.

What's New in This Release

This release of Directory Server contains enhancements and new features for security, memory, and performance. These features are:

Windows User Synchronization
Get Effective Rights Control
Wide-Area Network Replication
Fractional Replication
Password Change Extended Operation
Filesystem Replica Initialization

Windows User Synchronization

Directory Server 7.1 introduces Windows User Sync, which synchronizes changes in groups, user entries, attributes, and passwords between Red Hat Directory Server and Microsoft Active Directory and Windows NT4 Server in a process similar to replication. Synchronization provides an efficient and effective way to maintain directory information integrity across server applications.

Get Effective Rights Control

The get effective rights control allows an LDAP client to request the access control permissions set on each attribute within an entry, allowing administrators to find and control the access rights set on an individual entry. The access control information is divided into two groups of access: rights for an entry and rights for an attribute. “Rights for an entry” mean the rights such as modify or delete that are limited to that specific entry. “Rights for an attribute” mean the access right to every instance of that attribute throughout the directory.

Wide-Area Network Replication

During regular replication, the supplier server waits for an acknowledgment from the consumer before sending the next update operation. This can dramatically slow down updates when the replicated network is spread over large geographical distances. Directory Server 7.1 achieves much higher performance over high-delay network paths by not waiting for acknowledgements before sending updates, allowing more changes to be relayed more quickly.

Fractional Replication

Directory Server 7.1 introduces fractional replication, a way of replicating a database without replicating all the information in it. This can be useful for:

A public server outside the firewall that contains a subset of corporate contact information.
A server at a satellite office with a slow network connection, where replication of the full set of attributes would use too much bandwidth.

Extra information in the replication agreement allows an adminsitrator to select a set of attributes that will not be replicated. Replication in these instances proceeds as normal except that the specified attributes are not sent to the consumer.

Password Change Extended Operation

Directory Server supports the password change extended operation as defined in RFC 3062. This allows users to change their passwords using a suitable client, according to industry standards.

Filesystem Replica Initialization

Replica initialization is a process where a new replica server is filled with data from an existing server, typically when a new server is deployed or there has been a significant change to the server's contents. In previous versions of Directory Server, replica initialization could only be done via a network connection, where the supplier sent entries, and the consumer used bulk import to rebuild its database. In cases where the database is very large, such as one with millions of entries, this process can take a long time.

Directory Server 7.1 adds the capability to initialize a replica using the database files from the supplier server, avoiding the need to rebuild the consumer database, and can be done at essentially the speed of the raw network between the two servers by transferring the files. Where the servers contain gigabytes of data, the improvement in performance is significant, minutes versus hours.

Software and Hardware Requirements

Directory Server 7.1 can perform on 32- and 64-bit platforms and architecture. An overview of the supported operating systems for 32- and 64-bit platforms is given here. The 32-bit and 64-bit applications are separate; contact Red Hat Professional Services for information on which to use for your deployment.

NOTE

Even for 64-bit platforms, it may be preferable for performance reasons to run Directory Server as a 32-bit application if the memory size is smaller than 4 Gbytes.

Supported Server Platform Requirements

This release of Directory Server is supported on the following operating system platforms:

Red Hat Enterprise Linux Platform Server Requirements

Red Hat Enterprise Linux Platform Server Requirements
OS Version	Red Hat Enterprise Linux Advanced Server 3 (Intel 32-bit) Red Hat Enterprise Linux Advanced Server 4 (Intel 32-bit) Red Hat Enterprise Linux Enterprise Server 3 (Intel 32-bit) Red Hat Enterprise Linux Enterprise Server 4 (Intel 32-bit)
CPU	Intel -- 500MHz Pentium III or faster
RAM	256Mbyte for a minimal installation. You should plan for 1Gbyte or more of RAM for best performance on large production systems.
Hard disk storage space requirements	Approximately 300Mbyte of disk space for a minimal installation. For production systems, you should plan at least 2Gbyte to support the product binaries, databases, and log files (log files require 1Gbyte by default); 4Gbyte and greater may be required for very large directories. To support database files that are larger than 2Gbyte, the machine must be configured to support large files.

Sun Solaris Platform Server Requirements

Sun Solaris Platform Server Requirements
OS Version	Solaris 9 (32-bit or 64-bit) with relevant Java 2 patches for the 32-bit JDK 1.4.2 For patches, check the "DOWNLOAD" link located under the "Solaris SPARC" title of the "Solaris OS Patches" banner located on the http://java.sun.com/j2se/1.4.2/download.html site.
CPU	UltraSPARC-IIi 300Mhz or faster
RAM	256Mbyte for a minimal installation. You should plan for 1Gbyte or more of RAM for best performance on large production systems.
Hard disk storage space requirements	Approximately 300Mbyte of disk space for a minimal installation. For production systems, you should plan at least 2Gbyte to support the product binaries, databases, and log files (log files require 1Gbyte by default); 4Gbyte and greater may be required for very large directories. To support database files that are larger than 2Gbyte, the machine must be configured to support large files.

For Solaris, you should install the latest Recommended Patch Cluster from http://sunsolve.sun.com/ as of the date of these release notes.

HP-UX Platform Server Requirements

HP-UX Platform Server Requirements
OS Version	HP-UX 11i (64-bit) with the following patches: GOLDQPK11i_11.11.depot J5849AA_B.11.11.13_HP-UX_B.11.11_32+64.depot KRB5CLIENT_C.1.3.5.01_HP-UX_B.11.11_32+64.depot PHCO_31061 PHNE_27796 PHSS_29487 PHSS_30966
CPU	PA-8500 300Mhz or faster
RAM	256Mbyte for a minimal installation. You should plan for 1Gbyte or more of RAM for best performance on large production systems.
Hard disk storage space requirements	Approximately 300Mbyte of disk space for a minimal installation. For production systems, you should plan at least 2Gbyte to support the product binaries, databases, and log files (log files require 1Gbyte by default); 4Gbyte and greater may be required for very large directories. To support database files that are larger than 2Gbyte, the machine must be configured to support large files.

Red Hat Network Notes

Red Hat Network (RHN) (http://rhn.redhat.com) is the software distribution mechanism for most Red Hat customers. You may have received account login information for RHN, including entitlements for the Red Hat Directory Server 7.1 release. If so, you need to use the RHN website to obtain your software. Once you are logged into RHN, go to Channels (view complete list if need be) and in the Red Hat Directory Server 7.1 channel, go to the Downloads tab. The Solaris 9 32-bit and 64-bit packages can be found there under the ISOs list as well as the tarball (.tar.gz file) for the source.

NOTE

These files are tarballs, not ISOs.

Customers looking for RPMs for Red Hat Enterprise Linux can access them from the RHN website or through up2date, using an account with entitlements for the Red Hat Directory Server 7.1 release. There are also ISOs containing both RPMs and SRPMs, available under downloads for the Red Hat Directory Server 7.1 channel. The RPM files can be downloaded and installed in the usual manner. The ISO images can be downloaded and burned on to a CD-ROM using the appropriate software.

For Red Hat Enterprise Linux 4, if you created a CD from an ISO and wish the install CD to autorun when inserted into the CD drive, you will need to set the appropriate settings in Applications> Preferences> Removable storage.

For Red Hat Enterprise Linux installed from the CD, it will install using the package manager. You will need to run /opt/redhat-ds/setup/setup to configure your new Red Hat Directory Server once the package is installed.

Important Notes and Known Problems

This section lists important notes and known issues for problems you may encounter with this product. The problems are identified by bug numbers to help you refer to them if you need to contact Red Hat Technical Support.

The notes are divided into the following categories:

Installation/Uninstallation
Console
Replication
Migration/Upgrade
Admin Express
Chaining
Security
Windows User Synchronization

Installation/Uninstallation

All Systems

Administration Server fails to start after installation of a new Directory Server if the install path is too long. To work around the problem, use a shorter path for your installation. (155764)

Installation of a new Directory Server instance from Red Hat Console fails if Administration Server is configured to communicate with Directory Server over LDAPS.

If you install SSL server certificates for Directory Server and Administration Server and configure Administration Server to communicate with Directory Server over SSL, creation of a new Directory Server instance from Red Hat Console will give the following error: The operation failed. Please review the output in the window to determine the cause of failure. (155766)

HP-UX

You must have the following patch installed on your system before installing Directory Server: PHSS_30966: ld(1) and linker tools cumulative patch. Without this patch, the product will fail to install.
The following two patches are required for Kerberos/GSSAPI/SASL to work on HP-UX11i systems: PHSS_29487 and the dependent patch PHSS_29486.These patches are not required if Kerberos is not to be used.
The KRB5CLIENT package version 1.3.5.01 or later is required for Kerberos features to work correctly on HP-UX11i systems. The URL for the package is http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT.
In testing, a default HP-UX installation has various machine-wide kernel limits that interfere with Directory Server operating under certain conditions. If you do not change these settings, Directory Server will not install.

For instance, the kernel maxfiles' soft-limit of 60 does not allow the server to start. When installing Directory Server, at a minimum, increase it at the command-line to the default hard-limit set by maxfiles_lim, 1024, with 'ulimit -n 1024', before running setup. The dsktune utility may recommend a more appropriate setting to be configured with SAM. Other kernel limits may be set too low (such as the maximum number of threads). Refer to the output from running the dsktune utility for configuration recommendations.

HP-UX limits the amount of memory processes can use and has different limits for 32- and 64-bit applications. For both applications, the default amount of memory set by the maxdsiz is too small, roughly 256 Mbytes for 32-bit and 1Gbyte for 64-bit. These limits can prevent Directory Server from allocating memory for its cache.

If you log in as a regular user instead of the root user, dsktune gives error messages concerning patches. These warnings can be ignored; only the root user has the ability to view patches, so regular users receive the warning.
Creating a Directory Server instance using the Console creates a server in a different time zone.

To synchronize the different time zone which is generated when you create a Directory Server instance using the Console with existing time zones, (which is essential for replication operations), restart the server using the restart-slapd command-line script. For further information on the command-line scripts, see chapter 8, "Command-Line Scripts," in the Red Hat Directory Server Configuration, Command, and File Reference. (155768)

Red Hat Enterprise Linux

The Directory Server requires NPTL threading. This is the default on Red Hat installations on 486 and higher Intel processors. However, it is possible to configure a machine without NPTL threading, either by installing the 386 version of glibc or by setting the LD_ASSUME_KERNEL environment variable.

If your server fails to start on Red Hat Linux, please verify that the system has NPTL by running the getconf command shown below:

getconf GNU_LIBPTHREAD_VERSION
NPTL 0.60

Output containing NPTL indicates that the machine is correctly configured.

If getconf shows that linuxthreads are in use, like this, then the machine must be reconfigured before Directory Server will start:

$ getconf GNU_LIBPTHREAD_VERSION
linuxthreads-0.10

Solaris

Before you attempt to install this release, you must download and extract Sun's 32-bit JRE 1.4.2_05. Download and extract the 32-bit JRE from sun.com website:

Go to http://java.sun.com.

Locate the 32-bit JRE 1.4.2_05.

NOTE

Directory Server 7.1 has been tested with the 32-bit JRE 1.4.2_05. Later versions may work, but this is not guaranteed.

Download the self-extracting file into a new directory (for example, /opt/jre/) and extract it. For example:

bash-2.05# ./j2re-1_4_2_05-solaris-sparc.sh
Unpacking...
Checksumming...
Extracting...
Archive: ./install.sfx.15236
creating: j2re1.4.2_05/
...
...
Creating j2re1.4.2_05/lib/plugin.jar
Creating j2re1.4.2_05/javaws/javaws.jar
Done.

Run the setup script provided with Red Hat Directory Server 7.1 and provide the JRE installation location:

bash-2.05# ./setup

In order to run setup, you need to have version 1.4.2_05 of Sun's 32-bit Solaris Java runtime environment on your system.

Enter the path to the unpackaged JRE: /opt/jre/

NOTE

The setup script then bundles the JRE into the Directory Server package and proceeds with normal installation.

Console

When run on Unix and Linux servers, the Console help buttons look for the browser mozilla or firefox to be in the system path when opening the HTML-based help files. If mozilla or firefox is not found, either because they are not in your path or because they are not installed, the Console will not be able to bring up the help documentation. If you already have one of these browsers installed, refer to your system vendor's documentation for adding its location to the path. If neither of these browsers is available for your platform or you would like to use a different browser, symlink its name to mozilla or firefox somewhere in your default path. For example:

ln -s /opt/some/other/browser /usr/bin/mozilla

On Solaris, backup tasks will sometimes print the following error message on the terminal window: "Couldn't find X Input Context". This message is benign and can be ignored. (154737)

Changing the Directory Server port number on the Configuration Directory Server will lock you out of the console after the Directory Server is restarted.

When changing the port number, when you press Save, you will get a dialog explaining what is about to happen. If you choose to proceed with the change, and you restart the Directory Server, you will notice that the console does not work anymore. To make it work again, you will need to change the port number in the files serverroot/shared/config/ldap.conf and serverroot/shared/config/dbswitch.conf. You must do this on all systems that have a Directory Server being managed by the console. If the Configuration Directory Server is also your User/Group Directory Server, you must also update the User Directory entry in the Global Preferences. (154554)

Replication

If you are configuring a large import cache size, remember that the server allocates one import cache per online replica inititialization operation. It is possible to configure an import cache size that is so large that the server is unable to allocate the cache for replica initialization. This is especially true if more than one replica initialization operation is initiated on the same server at the same time. This problem can be avoided by either leaving the import cache size at the default settings or configuring an import cache size that is significantly smaller than the available physical memory.

To monitor replication status using Admin Express, be sure that the Administration Server has read permissions to the replication monitoring configuration file. If it does not, it will return an error message.

Migration/Upgrade

Migration is supported from Netscape Directory Server version 6.2 and later. For servers that are running Netscape Directory Server releases 6.11 and older, export your data to LDIF, install a new instance of Red Hat Directory Server, and import your data.

Not all previously-supported operating systems can be upgraded in-place because they may be no longer supported; for example, Red Hat Enterprise Linux Advanced Server 3 is supported in 7.1 while previous versions supported Red Hat Enterprise Linux Advanced Server 2.1 or Red Hat Linux 7.3. You will need to export your existing data to LDIF, and import it into your newly installed instance of Directory Server in this case.

Admin Express

Administration Express allows administrators to start or stop servers. However, Admin Express relies on both the Administration Server and the Configuration Directory Server for its operations. Therefore, if you use Admin Express to stop either of those servers, it will be necessary to restart them manually. (155761)

Chaining

If the first farm server fails when using a failover server for database chaining, the client receives an operations error if it tries to read information from the multiplexor. The multiplexor does not process this operations error, which prevents the next failover farm server from being contacted, and as a result, chaining fails. However, if you retry the exact same operation, chaining will succeed. (155762)

Security

If the server identifier, such as slapd-DirectoryServer, is configured with capital letters, the setup program creates cert8.db and key3.db files with corresponding capitalization. However, after configuring SSL, the Console will create and use cert8.db and key3.db files that are all lower case. The ns-httpd process depends on these files being capitalized, and if SSL is enabled in an Administration Server on a host with capitals in the hostname, the server will not start if the cert files do not have capitals. (155778)

There are two ways to resolve this conflict:

The lower case files can renamed with the capitals, and the values for nsCertfile and nsKeyfile can be updated in dse.ldif under cn=encryption,cn=config to match the new filenames.

The old upper case cert files can be replaced with identically named symlinks that point to the new lower case cert files.

Windows User Synchronization

After first configuring Windows User Synchronization, entries may not begin synchronizing between the Red Hat Directory Server and its Windows peer. To work around this issue, you should create a temporary entry on the Red Hat Directory Server and re-initialize the synchronization agreement. After doing this, synchronization should work fine. (155591)