Compaq_X.500_Directory_Service________________ Release Notes Revision/Update Information: Version 4.0 Compaq Computer Corporation __________________________________________________________ Compaq Computer Corporation makes no representations that the use of its products in the manner described in this publication will not infringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description. Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Compaq or an authorized sublicensor. © Compaq Computer Corporation 1999. All Rights Reserved. The following are trademarks of Compaq Computer Corporation: DEC, DECnet, MAILbus 400, VAX, OpenVMS, and the Compaq and Digital logos. OSF and OSF/1 are registered trademarks of Open Software Foundation, Inc. OSI is a registered trademark of CA Management, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively by X/Open Company Ltd. This document was prepared using VAX DOCUMENT, Version 2.1. ________________________________________________________________ Contents 1 Before You Start............................. 1 1.1 Upgrading from Version 3.0, 3.1, and T4.0 of the Directory Service on Tru64 UNIX... 1 1.2 Installing on Tru64 UNIX DCE Systems..... 2 1.3 UNIX Cluster Support..................... 2 1.4 VMS Cluster Support...................... 3 1.5 Upgrading the Directory Service from Pre-V2.0................................. 4 1.6 Upgrading the Directory Service from Pre-V1.3 (OpenVMS)....................... 4 2 Lightweight Directory Access Protocol........ 5 2.1 LDAP String Syntaxes Not Implemented..... 5 2.2 Restrictions on LDAP V3 UTF-8 LDAP Strings.................................. 5 2.3 LDAP Management.......................... 5 2.3.1 NCL Directives for LDAP................ 5 2.3.2 NCL Counters for LDAP.................. 6 2.3.3 Ensuring That the Directory Starts Up Listening for LDAP Requests............ 6 2.3.4 NCL Event Related to LDAP.............. 6 3 Restrictions in DECnet....................... 7 3.1 DSA on Tru64 UNIX Systems Handling of Multiple Bind Requests................... 7 3.2 DSA on OpenVMS Systems Handling of Multiple Bind Requests................... 8 4 NCL Restrictions............................. 9 4.1 Creating and Deleting the DSA Quickly.... 9 4.2 Restriction on Using Zero Length Passwords................................ 9 4.3 Limited NCL Command Buffer Size.......... 9 4.4 NCL Command Filtering.................... 9 iii 4.5 Display of DSA Attributes on OpenVMS Systems.................................. 10 5 DSA Information and Known Problems........... 11 5.1 Year 2000 Conformance.................... 11 5.2 Attribute Syntax Validation.............. 11 5.3 Dereferencing of Search Aliases.......... 12 5.4 Memory Exhaustion During Replication Can Cause the DSA to Terminate............... 12 5.5 DSA Handling of Temporary Files.......... 13 5.6 Length Constraints on T.61 Strings....... 13 5.7 Restriction on the Definition of Labels in the Schema............................ 13 5.8 DSA Handling of Referral Loops........... 14 5.9 Distributed Access Failure Event......... 14 5.10 Database Snapshot Failures............... 14 5.11 DSA Handling of Presentation Address Protocol Identifiers..................... 15 5.12 Displaying Entries that are Part of Your Global Prefix............................ 15 6 DXIM Problems................................ 17 6.1 Handling of Attributes that Have No Matching Rules........................... 17 6.2 Syntaxes Supported by the Directory Service.................................. 17 6.3 DXIM Command Line Interface Problems..... 18 6.3.1 Ambiguous Keyword...................... 18 6.4 DXIM Motif Interface Restrictions........ 18 6.4.1 Traversing Windows Using the Keyboard............................... 18 6.4.2 Problem Deleting Multiple Entries...... 18 6.4.3 Handling of User Passwords............. 19 6.4.4 Handling of Search Filters............. 19 6.4.5 Support of the undefinedSyntax......... 19 6.4.6 Online Help............................ 19 6.4.7 Display of the Base Object............. 20 6.4.8 Deleting Entries....................... 20 6.4.9 Cut and Paste Using the Edit Menu...... 20 6.4.10 No Support for Auxiliary Object Classes................................ 20 6.4.11 Incorrect Integer Values Not Detected............................... 21 6.4.12 Usability Problems..................... 21 6.5 Application Resources.................... 22 iv 7 Problems with the Lookup Client.............. 23 7.1 Tru64 UNIX V4.0F and the Look-Up Client................................... 23 7.2 Lookup Client GUI Help Requires Bookreader............................... 23 7.3 Lookup Client GUI Handling of Naming Attributes............................... 23 7.4 InfoBroker Server Handling of Large Photo Attributes............................... 23 7.5 Lookup Client Display of Modified Entries.................................. 24 8 XDS Problems and Information................. 25 8.1 Documentation of Maximum Outstanding Operations Constant...................... 25 8.2 Documentation of the Search and Read Functions................................ 25 8.3 XDS Example Programs..................... 26 8.4 Primitive Syntax Attributes in Uninitialized Objects.................... 26 8.5 XDS is not Thread-safe in a Multithreading Environment............... 26 8.6 XDS Does Not Support Calls at AST-Level on OpenVMS Systems....................... 26 8.7 No Support for Boolean Attribute Values................................... 26 8.8 Incorrect Initial Value for Information Type..................................... 26 8.9 Primitive Values Incorrect in a Referral................................. 27 8.10 Reading the On-line Reference Pages...... 27 v 1 Before You Start This section documents important information about the Directory Service and about installing and deinstalling the Directory Service software. These release notes apply to both of the operating systems that the Directory Service supports for this version: OpenVMS Alpha, and Tru64 UNIX[R]. Where a note applies to a specific operating system, this is indicated. Otherwise, all notes apply to all operating systems. 1.1 Upgrading from Version 3.0, 3.1, and T4.0 of the Directory Service on Tru64 UNIX On Tru64 UNIX , Version 3.0 and later of the Directory Service, the DSA uses memory image files instead of snapshot files. Memory image files are specific to the version of the kit. This applies to all versions (SSB, ECO kits, and FT kits). Therefore, your current memory image files cannot be used by this kit. To use your existing database with this kit, create a snapshot file of your database before you upgrade. To create a snapshot file, disable and delete the DSA using the following NCL commands: ncl> disable dsa ncl> delete dsa to snapshot After installing this release, use the following NCL commands to recreate the DSA: ncl> create dsa from snapshot ncl> enable dsa When the DSA has been recreated and enabled successfully, you can delete the snapshot file from the DSA system as follows: # rm /var/dxd/DSA-information-tree.snapshot* The DSA does not need this file any longer, so you can save disk space by deleting it. Do not delete any of the other database files. 1 1.2 Installing on Tru64 UNIX DCE Systems If you are installing the Directory Service on a Distributed Computing Environment (DCE) system, then you must install it after installing DCE, or reinstall the Directory Service after installing DCE. A DCE installation overwrites some files installed with the X.500 Directory Service without checking to see whether the existing files are more recent versions. If this happens, you need to reinstall the Directory Service to make sure that the latest versions of the files are present on the system. 1.3 UNIX Cluster Support This information applies to UNIX cluster systems only. You can run more than one DSA on a UNIX cluster provided that /var/dxd is a host-specific directory. If the directory /var/dxd is common to all hosts, you can run only one DSA on the cluster. Although you can run more than one DSA on a UNIX cluster, only one DSA can access a database at any one time. When a DSA loads the database, the database is locked to prevent another DSA accessing it. If the database is being used by another DSA, you can identify the DSA by using the following command: cat /var/dxd/DSA-information-tree.lock If you try to create a DSA when the database is being used by another DSA, the NCL create dsa command fails, for example: ncl> create dsa Node 0 DSA AT 1998-07-10-10:25:11.697+01:00I0.749 FAILED IN DIRECTIVE: Create DUE TO: Error specific to this entity's class REASON: Cannot open database Description: The DSA cannot open the database as it is being used by another DSA. 2 When this error occurs, the Create Failure event is also generated, for example: Event: Create Failure from: Node DEC:.reo.mrdsa DSA at : 1998-07-10-10:25:11.692+01:00I0.749 Reason = Database already in use by another DSA. 1.4 VMS Cluster Support This information applies to OpenVMS systems only. You can run the Directory Service software on a cluster if you follow these guidelines: o Run a DSA on only one node in a cluster. When installing on a cluster, if you select the Server component, you are asked which node is to be the server node. After installation, configure the DSA on the node where it will run. See Digital X.500 Directory Service Management for information about configuring the DSA. o If the cluster has multiple system disks, you must repeat the installation for each system disk. Always specify the same node to be server node. o You can run applications from any node in the cluster providing the directory information tree files are in a common area. You can run the DUA configuration utility on any node in the cluster, but you must specify the node where the DSA runs and not the cluster alias when prompted for the name of the DSA node. o If you want the DSA to be enabled automatically during cluster startup you must edit the file SYS$STARTUP:DXD$DSA_STARTUP.NCL to remove the comment tags before the NCL ENABLE DSA and NCL CREATE DSA commands. o Run the startup procedure SYS$STARTUP:DXD$COMMON_ STARTUP.COM on all the nodes in the cluster that have directory components installed. 3 1.5 Upgrading the Directory Service from Pre-V2.0 The V4.0 installation converts any existing pre-V2.0 database to change the object identifiers of certain attributes. These attributes had the wrong object identifiers in pre-V2.0 versions of the Directory Service. If you have already noticed and corrected these object identifiers, contact Compaq before installing V4.0. If you are upgrading from V2.0 or V2.0A or V2.0B, the conversion has already been implemented, and is not repeated. You must upgrade all pre-V2.0 components of your Directory Service on all systems as soon as possible. This is because changing object identifiers causes interworking problems between V2.* of the Directory Service and pre- V2.0 versions. If it is not possible to upgrade all systems for any reason, contact Compaq. Refer to the Read Before Installing document for further important information about upgrade installations. 1.6 Upgrading the Directory Service from Pre-V1.3 (OpenVMS) This version of the Directory Service installs some files in SYS$COMMON. Before V1.3, the Directory Service installed the equivalent files in SYS$SPECIFIC. If old copies of these files remain in SYS$SPECIFIC, they will be used instead of the new ones in SYS$COMMON. If you are upgrading from an old Directory Service, you need to remove the following files from SYS$SPECIFIC: SYS$SPECIFIC:[SYS$STARTUP]DXD$DSA_STARTUP.NCL SYS$SPECIFIC:[SYS$STARTUP]DXD$DSA_STARTUP.COM SYS$SPECIFIC:[SYS$STARTUP]DXD$DSA_SHUTDOWN.NCL SYS$SPECIFIC:[SYS$STARTUP]DXD$DSA_SHUTDOWN.NCL SYS$SPECIFIC:[SYSTEST.DXD]DXD$IVP_DSA.DAT Delete these files. If they contain customizations, incorporate those customizations into the newly installed files in SYS$COMMON, and then delete the old files in SYS$SPECIFIC. 4 2 Lightweight Directory Access Protocol The X500 DSA supports the LDAP V2 and V3 protocols. This allows LDAP clients to access the X.500 directory. 2.1 LDAP String Syntaxes Not Implemented Compaq X.500 Directory Service implements both the LDAP protocols (V2 and V3). The following syntaxes are not supported as string syntaxes, but you can use them all as binary syntaxes: o Teletex Terminal Identifier o Presentation Address o Guide (search guide) o User Certificate o CA Certificate o Certificate Revocation List o Cross Certificate Pair o Other Mailbox o Distribution List Submit Permission 2.2 Restrictions on LDAP V3 UTF-8 LDAP Strings The LDAP V3 implementation only supports UTF-8 characters that can be mapped to T.61 characters. 2.3 LDAP Management You must use the Network Command Language (NCL) available with DECnet-Plus in order to manage the LDAP functions supported by Compaq X.500 Directory Service. If you set up an LDAP port, the Compaq X.500 Directory Service listens for LDAP requests on that port when the DSA is enabled. 2.3.1 NCL Directives for LDAP This section lists the new directives you will need to use for LDAP. o ncl> set dsa ldap port 389 o ncl> show dsa ldap port 5 2.3.2 NCL Counters for LDAP This section lists the new counters that will be shown (on an ncl> show dsa counters for a system that uses LDAP. o LDAP Binds Accepted o LDAP Binds Rejected o Communication Failures 2.3.3 Ensuring That the Directory Starts Up Listening for LDAP Requests To ensure that the directory listens for LDAP requests, you must set the DSA's port number to a non-zero value. The DSA configuration script or procedure (whichever file your system uses) sets the LDAP port to the standard LDAP port number: 389. o /var/dxd/scripts/dsa_configure (Tru64 UNIX) o SYS$STARTUP:DXD$DSA_CONFIGURE.COM (OpenVMS) 2.3.4 NCL Event Related to LDAP On a system that uses LDAP, an NCL Communication Failure event may be generated. The event is not specific to the LDAP port. 6 3 Restrictions in DECnet Some restrictions in DECnet-Plus for Tru64 UNIX and OpenVMS systems can affect the behavior of the Directory Service. It is therefore helpful to be aware of DECnet restrictions, as listed in the DECnet-Plus release notes for your system. Particular areas of interest are NCL restrictions and restrictions related to OSI Transport. The following sections list restrictions in DECnet-Plus that are known to affect the Directory Service. See Section 4 for information about NCL restrictions. 3.1 DSA on Tru64 UNIX Systems Handling of Multiple Bind Requests There is a known problem with the OSI transport software that the Compaq DSA uses on Tru64 UNIX systems. The problem occurs when a Compaq DSA receives multiple bind requests in quick succession from other vendors' DSAs or directory applications, or from previous versions of Digital X.500 products. A Compaq DSA can support multiple concurrent bindings, but when many new bind requests are received in quick succession from other vendors' products or from previous versions of Digital products, the DSA has a problem queuing the requests. The DSA therefore rejects some of the requests, and OSI transport congestion events are produced. For this reason, you might find that bind requests are successful intermittently, although the majority of requests will be successful. If a given bind request fails, try again. If you have problems connecting to DSAs on Tru64 UNIX systems, but the failures do not cause OSI transport congestion events, then you have encountered an unknown problem. If Digital X.500 Directory Service Problem Solving does not help you solve the problem, you should report it to Compaq. 7 3.2 DSA on OpenVMS Systems Handling of Multiple Bind Requests On OpenVMS systems, there is a known problem with DECnet which can cause binds to fail if there are already many applications bound to the DSA. The DSA's ability to accept multiple bindings is limited by the BYTLM quota of the DSA account. This quota might be exceeded by a very busy DSA. If your DSA's binding limit is reached, an additional bind attempt can expose the DECnet problem. All subsequent binds fail, even if the total number of concurrent bindings drops below the limit. To permit the DSA to start receiving more binds, you need to stop and restart the DSA using NCL. If large numbers of concurrent bindings are likely, you can increase the BYTLM quota specified in the DSA startup procedure DXD$DSA_STARTUP.COM. Amend the /buffer_limit qualifier to increase the quota. Shut down and restart the DSA to use this increased quota. The DSA shutdown procedure is DXD$DSA_SHUTDOWN.COM. See Digital X.500 Directory Service Problem Solving for further information about resource problems. 8 4 NCL Restrictions This section describes restrictions on the use of the NCL director to manage the DSA. 4.1 Creating and Deleting the DSA Quickly If you use the NCL CREATE DSA and DELETE DSA directives repeatedly in quick succession you might see the following error message in response to one of the DELETE DSA directives: No Such Entity Instance exists This occasionally happens even if the preceding CREATE DSA directive appeared to succeed. In fact, the preceding CREATE DSA directive failed, but NCL lost the error response. 4.2 Restriction on Using Zero Length Passwords The schema provided with this version of the Directory Service states that the userPassword attribute can have a minimum length of zero characters. However, the NCL commands for the DSA entity and the Accessor entity, which both have Password attributes, do not support zero length passwords. Do not assign a zero length password to a directory entry if you also need to configure the same password in either a DSA or Accessor entity. 4.3 Limited NCL Command Buffer Size The NCL command input buffer size is 2048 bytes. This limits the number of characters that can be entered in one NCL directive. When you interactively enter a long directive, the NCL command input buffer can overflow, causing the directive to fail. 4.4 NCL Command Filtering If you use a filter in an NCL command, the command fails for most of the attributes of the DSA entity. NCL does not fully support filtering for the types of attribute used by the Directory Service. 9 4.5 Display of DSA Attributes on OpenVMS Systems The DSA on OpenVMS systems cannot display attributes if you specify a list of different types of attribute. For example, the following NCL directive is mishandled by the DSA because it requests a display of counter attributes and status attributes: NCL> SHOW DSA ALL STATUS, ALL COUNTERS 10 5 DSA Information and Known Problems 5.1 Year 2000 Conformance In Version 3.1, the time matching rules used by the DSA were changed so that dates beyond the year 2000 are recognized by the DSA. Time syntaxes, such as UTC Time, represent the year as a two digit number For example, 10.30am GMT on 5th November 1999 is expressed in UTC Time as 991105103000Z. With the new time matching rules, a time value with a year that is less than 50 is assumed by the DSA to be after 2000. For example, a time value containing the year 01 is assumed by the DSA to be 2001. A time value with the year equal to or greater than 50 is assumed by the DSA to be between 1950 and 1999. For example, a time value with the year 99 is assumed by the DSA to be 1999. Note that existing time values stored in the directory that contain a year value less than 50 will be affected by the new time matching rules used by the DSA. 5.2 Attribute Syntax Validation In Version 3.1, the DSA was changed so that it checks the syntax of fax numbers, telex terminal identifiers and telex numbers that you enter into the directory. Fax numbers and telex terminal identifiers must be a sequence begining with a printable string character followed by valid ASN1 data. Telex numbers must be a sequence of printable string characters. The syntax checking applies to the values of the following attributes: FacsimileTelephoneNumber, TelexTerminalIdentifier and TelexNumber. Note that the DSA checks the syntax only when you enter a value and does not check the syntax of the values already stored in the directory. 11 5.3 Dereferencing of Search Aliases There is a known problem with the dereferencing of search aliases. When a DSA is processing a search, it checks beneath the specified search base for subordinate references that it needs to follow. It is during these checks that the DSA can make an error. The following set of circumstances can cause a DSA to create an incomplete list of subordinate references: i There are alias entries within the search subtree ii Those alias entries refer to entries that are held on the same DSA iii There are subordinate references beneath the entries referred to by the aliases Those subordinate references are not followed during the search. The search of subtrees beneath aliased entries can therefore be incomplete. 5.4 Memory Exhaustion During Replication Can Cause the DSA to Terminate If replication fails because of memory exhaustion, the consumer DSA will exit if it is unable to roll back the changes. The DSA exits to avoid corrupting its database. This generates a Resource Exhausted event, with a Reason of Fatal Memory Exhaustion. Another possible cause for the DSA to run out of memory is as a result of processing many thousands of entry modifications in rapid succession. If the DSA permits volatile modifications, then the last few modifications may be lost. If the DSA does not permit volatile modifications, the last modification may be lost. However, in either case, the vast majority of the modifications are safe. Restarting the DSA increases the virtual memory available to the consumer DSA. If you need to make a lot of changes to a naming context that is replicated to other DSAs, and you cannot provide more virtual memory, you can use the scheduling attributes of the shadowing agreement to make replication more frequent. For example, you might cause an unscheduled update to occur after a specific number of modifications 12 so that the consumer DSA's memory resources are not overloaded. See Digital X.500 Directory Service Management for details of shadowing agreement management. 5.5 DSA Handling of Temporary Files During normal operation the DSA uses temporary files. When the DSA exits, these temporary files are normally deleted. If the DSA exits abnormally, some temporary files may remain. If the DSA is not running, you can delete any temporary files that remain. Never delete temporary files while the DSA is still running. On Tru64 UNIX systems, all temporary files are created in /var/dxd/tmp. On OpenVMS systems, the temporary files are created in SYS$SCRATCH. The DSA process defines SYS$SCRATCH to be DXD$DIRECTORY by default, and the temporary files have the .TMP file extension. 5.6 Length Constraints on T.61 Strings When the DSA checks the lengths of T.61 strings, it counts the number of octets in the string rather than the number of characters that those octets represent. Some T.61 characters require more than one octet to represent. This may confuse users who expect the DSA to accept a string of a certain number of characters, but find that the string is rejected. 5.7 Restriction on the Definition of Labels in the Schema Digital X.500 Directory Service Management states that you can specify schema definitions within your schema text files in any order. However, there is a known exception to this rule. A label can only be specified after the definition for which it provides a label. 13 5.8 DSA Handling of Referral Loops DSAs cannot detect referral loops. For example, a DSA can chain to a second DSA and receive a referral to a third DSA. It can then chain to the third DSA and receive a referral back to the second DSA. This type of looping is not covered by the standard loop detection model. To prevent a DSA from following such referrals indefi- nitely, the DSA stops after the tenth referral for a given user request, and instead displays the referral to the user. Looping should not occur if your DSAs are configured correctly. 5.9 Distributed Access Failure Event If you see the Distributed Access Failure event with the following additional information, then it is possible that the failure was caused by the remote DSA being unable to verify this DSA's password: Reason = Communications Failure Communications Problem = ACSE User Reject. No Reason Specified The remote DSA should have generated an event that indicates a failure to verify this DSA's password. Distributed operations between DSAs will fail if the DSAs are unable to verify each other's passwords. Refer to Digital X.500 Directory Service Management for details of replicating information about your DSAs so that they have copies of each other's passwords. 5.10 Database Snapshot Failures The following three events can mean that the DSA has failed to create a new snapshot file. However, the events do not state explicitly that a snapshot failure has occurred. If you see any of these events without a statement of what operation failed, then you can assume that it was an attempt to create a new snapshot file. 14 Resource Exhausted Insufficient Disk Space. Resource Exhausted Insufficient Memory. Internal Error Unexpected exception in DbMonitor. 5.11 DSA Handling of Presentation Address Protocol Identifiers If a presentation address specifies that a single network service access point (NSAP) can be used for more than one network protocol, the presentation address is not encoded properly by the DSA when it writes the information to disk. The next time you create the DSA, the presentation address is incorrect. For example, the following presentation address is specified as having two identical NSAPs, but different protocol identifiers: "DSA"/"DSA"/"DSA"/NS+49002AAA004021,CLNS|NS+49002AAA004021,CONS If you delete the DSA, and then recreate the DSA, and then display the presentation address, it appears as follows: "DSA"/"DSA"/"DSA"/NS+49002AAA004021,CLNS|NS+49002AAA004021,CLNS The CONS protocol identifier has been incorrectly encoded, and is displayed as CLNS. The same encoding error applies to any presentation address attributes within the database, including those in characteristic attributes of the DSA entity and its subentities, and in any directory entries that contain presentation addresses. 5.12 Displaying Entries that are Part of Your Global Prefix When you create your DIT, you will probably have a global prefix that connects your organization's DIT to the root of the global DIT. The entries named in the global prefix are not part of your organization's DIT, and may not exist at all, except as placeholders for a future connection to a global DIT. If you try to display entries that are part of your global prefix, the Directory Service returns an error. 15 For example, in the example used in Digital X.500 Directory Service Management, the Abacus organization has a global prefix that includes the name /c=us. The entry called /c=us does not exist, so if you try to display it, you get an error. This problem also affects browsing the DIT using the DXIM Browse window; entries that are part of the global prefix cannot be displayed. Digital X.500 Directory Service Management gives details of the global prefix. The immediate subordinates of the browse base must be real entries, not part of the global prefix. 16 6 DXIM Problems The information in the following sections applies to both the command line interface and the Motif interface to DXIM. 6.1 Handling of Attributes that Have No Matching Rules If you modify the schema to define an attribute that has no equality matching rule, directory applications, including DXIM, will have difficulty managing that attribute. This is because the DSA cannot tell whether the value you specify is already present in an entry. Therefore, if you try to add a value to the attribute, the DSA cannot detect value duplications, and if you try to remove a value, the DSA cannot determine whether the value actually exists. This is particularly true of the DXIM Motif interface, which attempts to add and remove values whenever you edit a value input box on the Modify window. Refer to Digital X.500 Directory Service Management for advice about selecting matching rules for attributes. 6.2 Syntaxes Supported by the Directory Service Compaq DSAs support the syntaxes and matching rules documented in Digital X.500 Directory Service Management and the DXIM online help. This section details known restrictions with some of the documented syntaxes and matching rules. o The following syntaxes are supported by the DSA, but are not supported by the DXIM Motif interface: - ACIitem - Integer Although this syntax is supported, the interface cannot handle the specification of values greater than 2**31-1 o The following syntaxes are supported by the DSA, but are not fully supported by either DXIM interface: - Teletex Terminal Identifier 17 Teletex Nonbasic parameters are not supported - Facsimile Telephone Number G3 Facsimile Nonbasic parameters are not supported Neither DXIM nor the DSA supports Search Guide syntax. 6.3 DXIM Command Line Interface Problems The following section describes problems and restrictions in the command line interface version of DXIM. If you create any DXIM scripts, you are recommended to keep them, to help diagnose any problems. 6.3.1 Ambiguous Keyword The keyword BINDING has two meanings in DXIM: it is used in the SHOW BINDING command and to indicate the Binding service control. This ambiguity means that you may see misleading error messages if you specify an incomplete or incorrect command that includes the keyword BINDING. See the DXIM online help information about the SHOW BINDING command and the Binding service control. 6.4 DXIM Motif Interface Restrictions 6.4.1 Traversing Windows Using the Keyboard There is a known Motif problem that affects DXIM windows on Tru64 UNIX systems. The problems does not affect DXIM on other operating systems. You should be able to move the input focus around a DXIM window using either the mouse pointer or the keyboard. In many cases, using the keyboard to move input focus does not work. 6.4.2 Problem Deleting Multiple Entries If you select a large number of entries, and then select the Delete Entry option, DXIM displays a confirmation window, asking you whether you really want to delete the selected entries. If you select too many entries, the buttons of the window are not visible on your screen. Press RETURN to cancel the operation. Select fewer entries for deletion, so that the window is small enough to fit on the screen. 18 6.4.3 Handling of User Passwords The DXIM Motif interface does not support creation or modification of password attributes, even if they are added to the window definition. 6.4.4 Handling of Search Filters A DXIM Motif interface user can use the Find window to specify details of entries to search for. If the user specifies a detail that is inappropriate for a given filter field, DXIM ignores that detail. For example, if a user specifies an alphabetic string for a field that requires integer values, DXIM ignores that particular field. Only fields that contain appropriate details are processed. In most cases, this is the user-friendly way to process user input. However, the effect might be that DXIM returns more entries than the user expects to see, including entries that the user thought would be excluded. 6.4.5 Support of the undefinedSyntax Attribute values that are of undefinedSyntax might be displayed in verbatim format, for example: '14 01 c4'v DXIM uses this format if it cannot convert the value into a user-friendly external representation. DXIM only accepts the verbatim format on input of such values. You need to know how to represent the value in verbatim format. Where possible, do not use the undefinedSyntax for attributes. 6.4.6 Online Help The online help for the DXIM Motif interface does not support the search for keywords option of the Help widget. If you select Search Keywords... from the Help window, DXIM displays an internal error. 19 6.4.7 Display of the Base Object The DXIM Browse and Find windows allow you to show the attributes of an entry by selecting the entry and double clicking on it, or by selecting the Show Attributes option from the View menu. To see the attributes of an entry you have modified, you must collapse and expand the parent entry of the modified entry. However, this does not work with the base object of the Browse or Find window. The base object is the entry that is displayed at the top of the window, and appears when you invoke the window. Whenever you use the Show Attributes option on that entry, you see the attributes and values that were in the entry when you invoked the window. To see the attributes of this object you must invoke a new Browse or Find window. 6.4.8 Deleting Entries When you use the DXIM Motif interface to delete an entry, you have to click on Yes to execute the deletion. If you double click on Yes, the deletion succeeds, but DXIM reports an internal error. You must then exit DXIM. 6.4.9 Cut and Paste Using the Edit Menu There are known problems with the Motif cut and paste functionality on Tru64 UNIX systems. If you use the Copy option of the DXIM Edit menu, and attempt to copy information from DXIM to another application, the attempt can sometimes fail. Furthermore, subsequent attempts to use cut and paste in any application can fail because Motif is maintaining a lock on behalf of DXIM. If you find that cut and paste is locked for DXIM, exit DXIM. 6.4.10 No Support for Auxiliary Object Classes The DXIM Motif interface does not support auxiliary object classes. 20 6.4.11 Incorrect Integer Values Not Detected If you specify a hyphen in an integer value when adding a value to an attribute or creating an attribute, DXIM does not return an error. For example if you try to add the value 1-2-3 to an attribute with integer syntax, no error is displayed. When you subsequently display that attribute, the value displayed is 1. 6.4.12 Usability Problems The DXIM Motif interface is known to have some usability problems. o On OpenVMS Alpha systems and Tru64 UNIX systems, the positioning of new input boxes is faulty. If you use the Add Value option, a new input box might be placed partially or completely off the window. To workaround this problem, only add one or two values to an attribute at a time. Click on OK. If you want to add more values, select the Modify Entry option again, and you will be able to display one or two more new input boxes. By this method you can gradually add more values. o Any modifications made to the Directory using the Create or Modify windows are not automatically reflected in the Browse and Find windows. For example, if you change the name of an entry, the Browse window still displays the old name. Similarly, if you create an entry, DXIM does not display the entry in the Browse window. If the information in the Browse and Find windows is out of date, use the collapse and expand options to refresh the window. o The DXIM Motif interface on a Tru64 UNIX system does not support some of the standard display parameters that you can specify when you invoke the utility. DXIM does support the -display parameter and the - name parameter. Other standard parameters are ignored, for example, -background, -geometry, and -iconic. 21 6.5 Application Resources The DXIM Motif interface does not currently provide an application resource file to define, for example, the colours to use in DXIM windows. You can edit your default resource file to include information that controls the DXIM display. On a Tru64 UNIX system edit $HOME /.Xdefaults. On an OpenVMS system edit the appropriate file in your SYS$LOGIN directory. In all cases use the resource name dxd_mainwin. For example, on a Digital UNIX system, to set the foreground colour to red, edit the file $HOME/.Xdefaults and add the following line: dxd_mainwin*Foreground: #ffff00000000 22 7 Problems with the Lookup Client 7.1 Tru64 UNIX V4.0F and the Look-Up Client The first time you use dxdlu on Tru64 UNIX V4.0F you may get the /sbin/loader error Unresolved symbol in /usr/bin/dxd_lookup: __cxx_call_static_dtors In this case, replace your system's C++ runtime redistri- bution kit with the one available from: ftp://ftp.compaq.com/pub/products/C-CXX/tru64/cxx/ This will prevent the error. 7.2 Lookup Client GUI Help Requires Bookreader The graphical interface of the Lookup Client requires the Bookreader software. If Bookreader is not installed on the Lookup Client system, then attempts to read the online help will have no effect. 7.3 Lookup Client GUI Handling of Naming Attributes The Lookup Client for Tru64 UNIX systems does not support the management of naming attributes. If you attempt to modify the attribute that is used for naming an entry, for example, to add a value, the Lookup Client displays an error. The error states that the operation is not allowed on an RDN. The Lookup Client command line interface permits the management of naming attributes, although it does not allow you to modify the value that is actually used in the entry's name. For example, if an entry's distinguished value is John Smith, you could add a value J Smith, but you could not make that new value the distinguished value. 7.4 InfoBroker Server Handling of Large Photo Attributes The InfoBroker Server can be used to translate Lookup Client requests into X.500 requests. If you use the InfoBroker Server with the Lookup Client, and you try to add a very large photo attribute to an entry, the InfoBroker Server may fail. This may cause the Lookup Client to become unusable. 23 The default size limit of the jpegPhoto attribute, as defined in the schema, is 250000 bytes. This size of attribute is handled successfully by the InfoBroker Server. Therefore, this problem can only arise if you have customized the schema to increase the size limit of the attribute. 7.5 Lookup Client Display of Modified Entries Attribute values displayed in Lookup Client displays cannot be guaranteed to have come from master DSAs. This is particularly important when you use the Alter window of the Motif interface. The values displayed in the Alter window may have come from a shadow DSA. After changing an entry, the changes you make might not be visible in the Lookup Client. This is because the Lookup Client uses a protocol that does not enable applications to specify that master information is required. The only workaround is to make sure that the Lookup Client is connected to an LDAP server that is connected to the master DSA for the entry you want to change. 24 8 XDS Problems and Information 8.1 Documentation of Maximum Outstanding Operations Constant The Directory Service programming documentation states that the value of the DS_MAX_OUTSTANDING_OPERATIONS constant is defined by the DSA implementation. In fact, the value is defined by the XDS API implementation. Compaq's XDS API defines the constant to be 32. If 32 asynchronous operations are outstanding, XDS will not accept more asynchronous operations. If you are writing an application that will use another vendor's XDS API implementation, then the constant may have a different value. It may therefore be advisable not to define this constant in your application, because it cannot be set to both values. Instead, your application can detect the Library Error: Too Many Operations if and when the XDS API returns it. If this error is returned, you can use the Receive Result function to reduce the number of outstanding operations. 8.2 Documentation of the Search and Read Functions Digital X.500 Directory Service Programming Reference documents the functions of the XDS API. The discussions of the Search and Read functions, ds_search and ds_read, does not explain how to select the particular attributes that you want returned from the entry or entries to which the function applies. They only explain that you can use the Select-No-Attributes, Select-All-Types, and Select-All- Types-And-Values constants. If you want to select specific attributes to be returned from these functions, use the Entry Information Selection class. This class is documented in Section 3.12 of Digital X.500 Directory Service Programming Reference. 25 8.3 XDS Example Programs The X.500 API component of the Compaq X.500 Directory Service includes a set of callable routines that illustrates how to use the XDS and OM routines. You can also use these routines, which are known as the XDSHLI routines, in your application. The set of routines also includes a simple search application, written using the XDSHLI routines. The file SYS$EXAMPLES:[DXD]XDSHLI.H (OpenVMS) or /usr/examples/dxd/xdshli.h (Compaq UNIX) contains details of the XDSHLI routines and related files. 8.4 Primitive Syntax Attributes in Uninitialized Objects The sequence OM_CREATE with the initialize argument set to FALSE, followed by OM_PUT using INSERT_AT_END, will return the error WRONG_VALUE_NUMBER, for any single valued primitive attributes. To avoid this, use REPLACE_ALL in OM_PUT. 8.5 XDS is not Thread-safe in a Multithreading Environment If you are using multithreading, you must lock calls to XDS. This version of XDS does not handle threads correctly in all cases. 8.6 XDS Does Not Support Calls at AST-Level on OpenVMS Systems If you call XDS routines at AST-level, XDS may behave unpredictably. 8.7 No Support for Boolean Attribute Values XDS does not support attribute values of Boolean syntax. Such values always appear to be FALSE. 8.8 Incorrect Initial Value for Information Type The initial value for the Information Type attribute of the Entry Information Selection object should be types- and-values, as stated in the documentation and defined in the standard. However, XDS sets the initial value to types-only. 26 8.9 Primitive Values Incorrect in a Referral A restriction in this version of XDS and XOM means that primitive values in Referrals always appear to be present. A value that should be absent has a value of 0. 8.10 Reading the On-line Reference Pages Your first attempt to read the X.500 reference pages might fail. Repeat the command. Reference pages are only available on Tru64 UNIX systems. 27