Tru64 UNIX Enterprise Directory for eBusiness
Release Notes

Revision/Update Information: Version 5.2

Compaq Computer Corporation

Compaq Computer Corporation makes no representations that the use of its products in the manner described in this publication will not infringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Compaq or an authorized sublicensor.

Copyright 2002 Compaq Information Technologies Group, L.P. All Rights Reserved.

The following are trademarks of Compaq Computer Corporation: DEC, DECnet, MAILbus 400, VAX, OpenVMS, and the Compaq and Digital logos.

OSI is a registered trademark of CA Management, Inc.

UNIX is a registered trademark in the United States and other countries, licensed exclusively by X/Open Company Ltd.

This document was prepared using VAX DOCUMENT, Version 3.3-1E.

Contents

1 Before You Start
  1.1 Upgrading from Previous Versions of the Tru64 UNIX Enterprise Directory
  1.2 Installing on Tru64 UNIX DCE Systems
  1.3 UNIX Cluster Support
2 DSA Functions Not Yet in the Main Documentation Set
  2.1 Support for CAED
  2.2 Selective Shadowing
  2.3 Secure Sockets Layer
3 Compaq Administrator for Enterprise Directory Management Utility
  3.1 Background
  3.2 CAED Utility Functions
  3.3 Security
  3.4 CAED Utility Configuration (Tru64 UNIX)
  3.5 Creating the Configuration File (Tru64 UNIX)
  3.6 Editing the Configuration File (Tru64 UNIX)
  3.7 Changing the CAED Utility Password (Tru64 UNIX)
  3.8 Starting the CAED Utility (Tru64 UNIX)
  3.9 Shutting down the CAED Utility (Tru64 UNIX)
  3.10 Diagnosing problems with the CAED Utility (Tru64 UNIX)
4 Lightweight Directory Access Protocol
  4.1 LDAP String Syntaxes Not Implemented
  4.2 Restrictions on LDAP V3 UTF-8 LDAP Strings
5 Restrictions in DECnet-Plus
  5.1 DSA on Tru64 UNIX Systems Handling of Multiple Bind Requests
6 NCL Restrictions
  6.1 Creating and Deleting the DSA Quickly
  6.2 Restriction on Using Zero Length Passwords
  6.3 Limited NCL Command Buffer Size
  6.4 NCL Command Filtering
7 DSA Information and Known Problems
  7.1 Restrictions on Removing Shadowing Agreements
  7.2 Year 2000 Conformance
  7.3 Dereferencing of Search Aliases
  7.4 Memory Exhaustion During Replication Can Cause the DSA to Terminate
  7.5 DSA Handling of Temporary Files
  7.6 Length Constraints on T.61 Strings
  7.7 Restriction on the Definition of Labels in the Schema
  7.8 DSA Handling of Referral Loops
  7.9 Distributed Access Failure Event
  7.10 Database Snapshot Failures
  7.11 DSA Handling of Presentation Address Protocol Identifiers
  7.12 Displaying Entries that are Part of Your Global Prefix
8 DXIM Problems
  8.1 Handling of Attributes that Have No Matching Rules
  8.2 Syntaxes Supported by the Directory Service
  8.3 DXIM Command Line Interface Problems
    8.3.1 Ambiguous Keyword
  8.4 DXIM Motif Interface Restrictions
    8.4.1 Traversing Windows Using the Keyboard
    8.4.2 Problem Deleting Multiple Entries
    8.4.3 Handling of User Passwords
    8.4.4 Handling of Search Filters
    8.4.5 Support of the undefinedSyntax
    8.4.6 Online Help
    8.4.7 Display of the Base Object
    8.4.8 Deleting Entries
    8.4.9 Cut and Paste Using the Edit Menu
    8.4.10 No Support for Auxiliary Object Classes
    8.4.11 Incorrect Integer Values Not Detected
    8.4.12 Usability Problems
  8.5 Application Resources
9 Problems with the Lookup Client
  9.1 Tru64 UNIX V4.0F and the Look-Up Client
  9.2 Lookup Client GUI Help Requires Bookreader
  9.3 Lookup Client GUI Handling of Naming Attributes
  9.4 Lookup Client Display of Modified Entries
10 XDS Problems and Information
  10.1 Documentation of Maximum Outstanding Operations Constant
  10.2 Documentation of the Search and Read Functions
  10.3 XDS Example Programs
  10.4 Primitive Syntax Attributes in Uninitialized Objects
  10.5 XDS is not Thread-safe in a Multithreading Environment
  10.6 No Support for Boolean Attribute Values
  10.7 Incorrect Initial Value for Information Type
  10.8 Primitive Values Incorrect in a Referral
  10.9 Reading the On-line Reference Pages

1 Before You Start

Note that the product now available as the Tru64 UNIX Enterprise Directory for eBusiness V5.2 was previously available under these names:

  Compaq X.500 Directory Service V4.0
  Digital X.500 Directory Service V3.1 and earlier

This section documents important information about the Enterprise Directory for eBusiness and about installing and deinstalling the Enterprise Directory for eBusiness software.

1.1 Upgrading from Previous Versions of the Tru64 UNIX Enterprise Directory

On Tru64 UNIX, from Version 3.0 of the Directory onwards, the DSA uses memory image files instead of snapshot files. Memory image files are specific to the version of the kit; this applies to all kinds of kit (SSB, ECO kits, and FT kits). Therefore, your current memory image files cannot be used by this kit.

To use your existing database with this kit, create a snapshot file of your database before you upgrade. To create a snapshot file, disable and delete the DSA using the following NCL commands:

  ncl> disable dsa
  ncl> delete dsa to snapshot

Until the new DSA has been created and enabled, this snapshot is the only version-independent copy of your database, so keep a copy of it somewhere other than the DSA system before you install the new kit.

After installing this release, use the following NCL commands to recreate the DSA:

  ncl> create dsa from snapshot
  ncl> enable dsa

When the DSA has been recreated and enabled successfully, you can delete the snapshot file from the DSA system as follows:

  # rm /var/dxd/DSA-information-tree.snapshot*

The DSA does not need this file any longer, so you can save disk space by deleting it. Do not delete any of the other database files.
1.2 Installing on Tru64 UNIX DCE Systems

If you are installing the Enterprise Directory for eBusiness on a Distributed Computing Environment (DCE) system, you must install it after installing DCE, or reinstall the Enterprise Directory for eBusiness after installing DCE. A DCE installation overwrites some files installed with the Enterprise Directory for eBusiness without checking whether the existing files are more recent versions. If this happens, you need to reinstall the Directory Service to make sure that the latest versions of the files are present on the system.

1.3 UNIX Cluster Support

This information applies to UNIX cluster systems only.

You can run more than one DSA on a UNIX cluster provided that /var/dxd is a host-specific directory. If the directory /var/dxd is common to all hosts, you can run only one DSA on the cluster.

Although you can run more than one DSA on a UNIX cluster, only one DSA can access a given database at any one time. When a DSA loads the database, the database is locked to prevent another DSA from accessing it. If the database is being used by another DSA, you can identify that DSA with the following command:

  cat /var/dxd/DSA-information-tree.lock

If you try to create a DSA while the database is being used by another DSA, the NCL create dsa command fails, for example:

  ncl> create dsa
  Node 0 DSA
  AT 1998-07-10-10:25:11.697+01:00I0.749
  FAILED IN DIRECTIVE: Create
  DUE TO: Error specific to this entity's class
  REASON: Cannot open database
  Description: The DSA cannot open the database as it is being used by another DSA.

When this error occurs, the Create Failure event is also generated, for example:

  Event: Create Failure from: Node DEC:.reo.mrdsa DSA
  at : 1998-07-10-10:25:11.692+01:00I0.749
  Reason = Database already in use by another DSA.

2 DSA Functions Not Yet in the Main Documentation Set

This section deals with new functions added to the DSA since the last full release of the main documents.
2.1 Support for CAED

Starting in V5.1, the Compaq Enterprise Directory for eBusiness has been enhanced with various functions to support Compaq Administrator for Enterprise Directory (covered in Section 3), including:

  o LDAP support for the critical extension ManageDSAIT

  o Support for an "approximate match" when comparing attributes that have a syntax of bitstring. An approximate match is true if all the bits set in the assertion are also set in the value, and false if any bit set in the assertion is not set in the value. For example, the following are considered matches:

      '1000'b would match '101100001'b
      '101'b would match '1111111'b

    The following are not considered matches:

      '1000'b would not match '0100110110'b
      '101'b would not match '1101110'b

    Note that bit 0 is the left-most bit, so the assertion is compared against the value position by position starting from the left.

2.2 Selective Shadowing

This release supports selective shadowing; that is, it is now possible to specify which attributes can and cannot be shadowed to a consumer DSA.

The shadowing filter is controlled by the shadowingAttributeSelection attribute in the shadow agreement subentry. Thus every shadowing agreement has its own filter. If a shadow agreement subentry does not have the shadowingAttributeSelection attribute, all user attributes are shadowed to the consumer DSA. The shadowing filter is applied on the supplier DSA. Time stamp and security attributes are always shadowed to the consumer DSA. See X.525 for more information.

The shadowingAttributeSelection attribute is multivalued. Each value is a classAttributeSelection and consists of an object class and either an "include" or "exclude" list of attributes or "all attributes". The object class in the classAttributeSelection can be either a specific object class or all object classes. In the "exclude" form, attributes not in the exclude list are implicitly included.
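The following Python, added here as an illustration of the bitstring approximate match of Section 2.1 and not code from the Enterprise Directory kit or its documentation, parses bitstring literals in the 'xxxx'b form used above and applies the rule position by position from bit 0. Two points are this example's own assumptions: the literal parser itself, and the treatment of an assertion longer than the value (a set bit beyond the end of the value is not set in the value, so the match fails). The four comparisons from the text are the check.

```python
"""Bitstring approximate match as described in Section 2.1.

Added example, not code from the Enterprise Directory kit. The 'xxxx'b literal
form is taken from the examples in the release notes; how the DSA stores
bitstrings internally is not documented there.
"""
from typing import List


def parse_bitstring(literal: str) -> str:
    """Parse a literal such as '1000'b into a string of '0'/'1' characters.

    Bit 0 is the left-most bit, as the release notes state, so index 0 of the
    returned string is bit 0.
    """
    literal = literal.strip()
    if not (literal.startswith("'") and literal.endswith("'b")):
        raise ValueError(f"not a bitstring literal: {literal!r}")
    bits = literal[1:-2]
    if any(c not in "01" for c in bits):
        raise ValueError(f"bitstring contains non-binary digits: {literal!r}")
    return bits


def approx_match(assertion: str, value: str) -> bool:
    """True if every bit set in the assertion is also set in the value.

    Bits are compared position by position starting at bit 0 on the left.
    A set bit in the assertion beyond the end of the value is not set in the
    value, so it makes the match fail (an assumption of this example; the
    release notes do not show that case).
    """
    a = parse_bitstring(assertion)
    v = parse_bitstring(value)
    return all(i < len(v) and v[i] == "1"
               for i, bit in enumerate(a) if bit == "1")


def filter_values(assertion: str, values: List[str]) -> List[str]:
    """Return the values an approximate-match search for `assertion` selects."""
    return [v for v in values if approx_match(assertion, v)]
```

Because the comparison is a subset test on the set bits, an assertion with no bits set matches every value; a search filter built on this match therefore needs at least one set bit in the assertion to restrict anything.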
A classAttributeSelection applies to an entry if allObjectClasses is specified or if the specified object class matches one of the object classes of the entry. If more than one classAttributeSelection applies to an entry, an "include" filter takes priority over an "exclude" filter, and an "exclude" filter takes priority over "all attributes" and over implicitly included attributes. If no classAttributeSelection applies to an entry, only the time stamp and security attributes are shadowed.

The command-line DXIM syntax for a shadowingAttributeSelection value is as follows (the nonterminals are named here for readability):

  <object-class-selection>  ::= "objectClass" "=" <object-class> | "allObjectClasses"
  <attribute-selection>     ::= "include" "=" "{" <attribute> , ... "}" | "allAttributes" | "exclude" "=" "{" <attribute> , ... "}"
  <classAttributeSelection> ::= "[" <object-class-selection> "," <attribute-selection> "]"

For example:

  dxim> modify /c=us/o=acme/cn="supplier /c=us/o=acme 3" -
  _dxim> add attribute shadowingAttributeSelection = -
  _dxim> [objectclass=person, exclude={description,title,telephone number}]

Note: In Section A.1.35 of the V5.0 Management Guide, the attribute shadowingAttributeSelection (together with this new information) replaces shadowingAttributes.

2.3 Secure Sockets Layer

The Directory can receive commands over a secure connection using LDAPv3, provided that the client uses the Start TLS extension (the LDAPv3 StartTLS extended operation). The Directory uses the same LDAP port to receive both secure and unsecured communication.

The Directory supports the SSLv23, SSLv3 and TLSv1 protocols, but only one can be in use at any time. Select the protocol by disabling the DSA and setting the protocol with the NCL command

  SET DSA Security Protocol = protocol

where protocol is SSLv23, SSLv3 or TLSv1. For example:

  SET DSA Security Protocol = TLSv1

SSLv3, and the SSLv23 setting that can negotiate down to it, are no longer considered secure; use TLSv1 unless you must interoperate with clients that cannot.

To use this support, you must provide a certificate file and a private key for the DSA. These are stored as /var/dxd/DSA-certificate.pem and /var/dxd/DSA-private-key.pem. The DSA's password must be used as the PEM passphrase.
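As an added example for Section 2.2 (not code from the Enterprise Directory kit), the following Python parses classAttributeSelection values written in the DXIM syntax above and resolves which attributes of an entry the supplier DSA would shadow under the rules just stated: include beats exclude, exclude beats allAttributes and implicit inclusion, and an entry with no applicable selection gets only the always-shadowed attributes. The sample entries and attribute labels in the test, and the names assumed for the always-shadowed time stamp and security attributes (plus objectClass, assumed here so that the consumer can interpret the entry), are this example's assumptions; the precedence rules are the section's.

```python
"""Selective shadowing: parse DXIM classAttributeSelection values and work out
which attributes of an entry a supplier DSA would shadow (Section 2.2).

Added example, not code from the Enterprise Directory kit. The precedence
rules come from the release notes; the attribute names below that are treated
as "always shadowed" are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed always shadowed regardless of the filter: the time stamp and security
# attributes the notes mention (names assumed), plus objectClass, which the
# consumer needs in order to interpret the entry at all. Lower-case for lookup.
ALWAYS_SHADOWED = {"objectclass", "createtimestamp", "modifytimestamp",
                   "userpassword", "aci"}

# (object class, or None for allObjectClasses; mode; lower-case attribute names)
Selection = Tuple[Optional[str], str, Set[str]]

_SEL_RE = re.compile(
    r"^\[\s*(?:objectClass\s*=\s*(?P<oc>[^,\]]+?)|(?P<alloc>allObjectClasses))\s*,\s*"
    r"(?:(?P<mode>include|exclude)\s*=\s*\{(?P<attrs>[^}]*)\}|(?P<allattrs>allAttributes))\s*\]$",
    re.IGNORECASE,
)


def parse_selection(text: str) -> Selection:
    """Parse one classAttributeSelection in the DXIM syntax of Section 2.2."""
    m = _SEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad classAttributeSelection: {text!r}")
    oc = None if m.group("alloc") else m.group("oc").strip().lower()
    if m.group("allattrs"):
        return oc, "allAttributes", set()
    attrs = {a.strip().lower() for a in m.group("attrs").split(",") if a.strip()}
    return oc, m.group("mode").lower(), attrs


def shadowed_attributes(entry: Dict[str, object],
                        selections: Optional[List[Selection]]) -> Set[str]:
    """Attribute names of `entry` that the supplier would send to the consumer.

    `selections` holds the shadowingAttributeSelection values of the agreement
    subentry, or None when the subentry has no such attribute (then every user
    attribute is shadowed).
    """
    classes: Set[str] = set()
    for name, values in entry.items():
        if name.lower() == "objectclass":
            seq = values if isinstance(values, (list, tuple, set)) else [values]
            classes = {str(v).lower() for v in seq}
    always = {a for a in entry if a.lower() in ALWAYS_SHADOWED}
    user_attrs = {a for a in entry if a.lower() not in ALWAYS_SHADOWED}
    if selections is None:
        return always | user_attrs
    applicable = [s for s in selections if s[0] is None or s[0] in classes]
    if not applicable:
        return always                      # only time stamp / security attributes
    user_lower = {a.lower() for a in user_attrs}
    included: Set[str] = set()
    excluded: Set[str] = set()
    implicit: Set[str] = set()             # allAttributes and the implicit part of exclude
    for _, mode, attrs in applicable:
        if mode == "include":
            included |= attrs
        elif mode == "exclude":
            excluded |= attrs
            implicit |= user_lower - attrs
        else:                              # allAttributes
            implicit |= user_lower
    chosen = {a for a in user_attrs
              if a.lower() in included                                   # include wins
              or (a.lower() not in excluded and a.lower() in implicit)}  # exclude beats implicit
    return always | chosen
```

Run the resolver against the entries you actually hold before enabling a new agreement: an "exclude" written for one object class silently shadows everything else on entries of that class, and an entry matched by no selection loses all its user attributes on the consumer.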
The DSA does not provide a default certificate or private key. For more information on certificates and keys, see http://www.openssl.org.

The Directory can be placed in one of three security states: no security, selectable security, or mandatory security. Choose the state by setting the attribute SSL State to OFF, ON, or MANDATORY using the NCL command SET DSA SSL State, for example:

  SET DSA SSL State ON

  o If the SSL State is OFF, SSL is not available.

  o If the SSL State is ON, SSL is available to any LDAP client that can issue a Start TLS request; clients that do not are still accepted in the clear.

  o If the SSL State is MANDATORY, LDAP connections are accepted only from clients that either use anonymous credentials (and therefore have the lowest possible access level) or use SSL to encrypt the connection. Note that data returned to anonymous clients still crosses the network unencrypted in this state; MANDATORY protects credentials and authenticated sessions, not anonymous reads.

3 Compaq Administrator for Enterprise Directory Management Utility

The Compaq Administrator for Enterprise Directory (CAED) GUI has a utility for controlling certain aspects of the behaviour of a directory server (DSA) over an SSL-secured network connection. This section deals with the GUI and the utility.

3.1 Background

For the most part, the CAED GUI communicates directly with the running directory server (DSA) in order to manage it. However, there are certain extended management operations (for example, restarting the DSA) that the DSA cannot perform itself. In these cases, the CAED communicates with a detached process that runs on the same node as the DSA. This process is referred to as the CAED Utility.

3.2 CAED Utility Functions

For this release, the GUI relies on the CAED Utility to help it perform the following operations:

  o displaying a list of the available schema files
  o creating a new schema file
  o editing an existing schema file
  o recompiling the schema
  o restarting the DSA

The system manager can decide whether or not the CAED Utility should be enabled on any given server.
The GUI only requires the CAED Utility to be available in order to carry out the functions listed above; other administrative operations (such as viewing and updating the contents of the DSA) do not require the CAED Utility to be running.

3.3 Security

As part of the process of configuring the CAED Utility, the system manager specifies a management password; this password must be supplied to the CAED Utility by any CAED client attempting to connect to it. This means that users of the GUI do not automatically have the ability to perform extended management operations; they must first supply the CAED Utility's password. The CAED Utility's password is distinct from any DSA-based password and should be disclosed only to trusted users of the CAED. Because the utility can replace schema files and restart the DSA, anyone holding this password can take the directory service down; treat it as an administrative credential and do not reuse a DSA or user password for it.

3.4 CAED Utility Configuration (Tru64 UNIX)

If you install the CAED Utility, the directory /var/dxd/caed_native is created. This directory contains files used by the CAED Utility.

The CAED Utility relies on a configuration file called administrator.ini, which resides in /var/dxd/caed_native. This file contains an encoded version of the CAED Utility password, as well as the IP port numbers that the utility should use. By default, the CAED expects to use port 389 for LDAP connections to the DSA and port 907 for SSL connections between the CAED GUI and the Utility process. You can override these values by editing the configuration file.

To find out what port number is being used for LDAP access to the Enterprise Directory, use the NCL utility, for example:

  ncl> show dsa ldap port
  Node 0 DSA
  AT 2002-01-01-10:05:02.110+00:00Iinf
  Characteristics
      LDAP Port = 389

If port 907 is already in use by an application on your system, you need to choose another port number in the range 1..1023.
3.5 Creating the Configuration File (Tru64 UNIX)

Before starting the CAED Utility for the first time, you need to create this file, which can be done using the command:

  # /var/dxd/scripts/caed_utility_configure

This script prompts you for the password for the CAED Utility, and then creates administrator.ini for you. Initially, the port numbers used are 389 for LDAP connections to the DSA and 907 for connections between the GUI and the CAED Utility.

Once the command procedure has created the configuration file, it gives you the option of starting the CAED Utility. If you want to change the port numbers that the utility uses, reply NO to this question; you can then edit the configuration file before starting the utility.

3.6 Editing the Configuration File (Tru64 UNIX)

The version of administrator.ini that is provided the first time you run the configuration command procedure looks like this:

  [nodename]
  Ae Title=
  DSA Entity Name=DSA
  Port Number=389
  [General]
  ServerPort=907
  ---Do not edit any data below this line---
  HashedPassword=some-value

where nodename is the name of the server you are using, and some-value is a string of digits representing an encoded version of the password that you supplied. Note that the Ae Title field will not necessarily reflect the Ae Title of your DSA.

To change either of the port numbers, edit the configuration file and modify the appropriate line(s). Do not change anything below the "Do not edit" line.

3.7 Changing the CAED Utility Password (Tru64 UNIX)

The CAED Utility's password is stored in the configuration file in an encoded form, using a hashing algorithm internal to the daemon. The only way to change this password is to have the daemon generate a new encoded value, which is what happens when you run the configuration command procedure. You can run the caed_utility_configure script at any time to change the password. When a new password is generated, the other contents of the administrator.ini file are left unchanged.
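The following Python, added here and not a script shipped with the Enterprise Directory kit, reads administrator.ini in the layout shown in Section 3.6, checks the port values against the rules of Section 3.4, and changes ServerPort without touching anything below the "Do not edit" line, so the HashedPassword that only caed_utility_configure should write (Section 3.7) survives the edit. The sample file, its nodename and its HashedPassword value are constructed placeholders, not output of the real configuration script.

```python
"""Edit the CAED Utility's administrator.ini safely (Sections 3.4 to 3.7).

Added example, not a script from the Enterprise Directory kit. The file layout
is the one shown in Section 3.6; the sample below is constructed for this
example and its HashedPassword is a placeholder, not a real hash. The port
range 1..1023 and the defaults 389 and 907 come from the release notes.
"""
from typing import Dict, List, Tuple

PROTECTED_MARKER = "---Do not edit any data below this line---"
LDAP_DEFAULT, SERVER_DEFAULT = 389, 907

# Constructed sample administrator.ini, as caed_utility_configure would leave it.
SAMPLE_INI = """[dirsrv1]
Ae Title=
DSA Entity Name=DSA
Port Number=389
[General]
ServerPort=907
---Do not edit any data below this line---
HashedPassword=0123456789
"""


def split_ini(text: str) -> Tuple[List[str], List[str]]:
    """Split the file into the editable head and the protected tail.

    The tail starts at the marker line and must be written back unchanged.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == PROTECTED_MARKER:
            return lines[:i], lines[i:]
    raise ValueError("administrator.ini has no protected-data marker")


def read_ports(text: str) -> Dict[str, int]:
    """Return {'ldap': Port Number, 'server': ServerPort} from the editable head."""
    head, _ = split_ini(text)
    ports: Dict[str, int] = {}
    for line in head:
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # section header or blank line
        key = key.strip().lower()
        if key == "port number":
            ports["ldap"] = int(value.strip())
        elif key == "serverport":
            ports["server"] = int(value.strip())
    if "ldap" not in ports or "server" not in ports:
        raise ValueError("Port Number or ServerPort missing from administrator.ini")
    return ports


def check_ports(ldap_port: int, server_port: int) -> List[str]:
    """Return the problems to fix before starting the utility (empty if none)."""
    problems = []
    if not 1 <= server_port <= 1023:
        problems.append(f"ServerPort {server_port} is outside the documented range 1..1023")
    if not 1 <= ldap_port <= 65535:
        problems.append(f"Port Number {ldap_port} is not a valid TCP port")
    if ldap_port == server_port:
        problems.append("ServerPort must differ from the DSA's LDAP port")
    return problems


def set_server_port(text: str, new_port: int) -> str:
    """Return the file with ServerPort changed and the protected tail untouched."""
    head, tail = split_ini(text)
    ports = read_ports(text)
    problems = check_ports(ports["ldap"], new_port)
    if problems:
        raise ValueError("; ".join(problems))
    new_head = []
    for line in head:
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == "serverport":
            line = f"{key}={new_port}"    # keep the original key spelling
        new_head.append(line)
    return "\n".join(new_head + tail) + "\n"
```

Keep Port Number in step with what "ncl> show dsa ldap port" reports; the NCL value is the one the DSA actually listens on, and the file only tells the utility where to find it.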
3.8 Starting the CAED Utility (Tru64 UNIX)

After running caed_utility_configure, you have the option of starting the CAED Utility. You can also start the utility using the command:

  # /var/dxd/scripts/caed_utility_startup

Note that this procedure fails if you have not created a valid administrator.ini, or if the CAED Utility is already running.

The system automatically invokes the CAED Utility startup script as part of the Enterprise Directory startup if you have installed the CAED Utility on your system. If you have installed the CAED Utility but do not want it to run, ensure that no copy of the file /var/dxd/caed_native/administrator.ini exists; if this file is not found, the CAED Utility is not started.

3.9 Shutting down the CAED Utility (Tru64 UNIX)

To shut down the CAED Utility process, use the script supplied in /var/dxd/scripts:

  # /var/dxd/scripts/caed_utility_shutdown

3.10 Diagnosing problems with the CAED Utility (Tru64 UNIX)

As it runs, the CAED Utility process writes a log file at /var/dxd/caed_native/caed_utility_output.log. This log file contains information about requests from any client that attempts to make a connection, as well as messages that may help diagnose problems if the utility fails to start properly. Because it records every client connection attempt, it is also the place to look for unexpected attempts to reach the utility.

4 Lightweight Directory Access Protocol

The DSA supports the LDAP V2 and V3 protocols. This allows LDAP clients to access the Directory.

4.1 LDAP String Syntaxes Not Implemented

Enterprise Directory for eBusiness implements both LDAP protocols (V2 and V3).
The following syntaxes are not supported as string syntaxes, but you can use them all as binary syntaxes:

  o Teletex Terminal Identifier
  o Presentation Address
  o Guide (search guide)
  o User Certificate
  o CA Certificate
  o Certificate Revocation List
  o Cross Certificate Pair
  o Other Mailbox
  o Distribution List Submit Permission

4.2 Restrictions on LDAP V3 UTF-8 LDAP Strings

The LDAP V3 implementation only supports UTF-8 characters that can be mapped to T.61 characters.

5 Restrictions in DECnet-Plus

Some restrictions in DECnet-Plus can affect the behavior of the Enterprise Directory for eBusiness. It is therefore helpful to be aware of DECnet restrictions, as listed in the DECnet-Plus release notes for your system. Particular areas of interest are NCL restrictions and restrictions related to OSI Transport.

The following sections list restrictions in DECnet-Plus that are known to affect the Enterprise Directory for eBusiness. See Section 6 for information about NCL restrictions.

5.1 DSA on Tru64 UNIX Systems Handling of Multiple Bind Requests

There is a known problem with the OSI transport software that the Compaq DSA uses on Tru64 UNIX systems. The problem occurs when a Compaq DSA receives multiple bind requests in quick succession from other vendors' DSAs or directory applications, or from previous versions of the products.

A Compaq DSA can support multiple concurrent bindings, but when many new bind requests are received in quick succession from other vendors' products or from previous versions of the products, the DSA has a problem queuing the requests. The DSA therefore rejects some of the requests, and OSI transport congestion events are produced. For this reason, you might find that bind requests succeed only intermittently, although the majority of requests will succeed. If a given bind request fails, try again.
If you have problems connecting to DSAs on Tru64 UNIX systems, but the failures do not cause OSI transport congestion events, you have encountered a different, unknown problem. If Enterprise Directory for eBusiness - Problem Solving does not help you solve the problem, report it to Compaq.

6 NCL Restrictions

This section describes restrictions on the use of the NCL director to manage the DSA.

6.1 Creating and Deleting the DSA Quickly

If you use the NCL CREATE DSA and DELETE DSA directives repeatedly in quick succession, you might see the following error message in response to one of the DELETE DSA directives:

  No Such Entity Instance exists

This occasionally happens even if the preceding CREATE DSA directive appeared to succeed. In fact, the preceding CREATE DSA directive failed, but NCL lost the error response.

6.2 Restriction on Using Zero Length Passwords

The schema provided with this version of the Directory Service states that the userPassword attribute can have a minimum length of zero characters. However, the NCL commands for the DSA entity and the Accessor entity, which both have Password attributes, do not support zero-length passwords. Do not assign a zero-length password to a directory entry if you also need to configure the same password in either a DSA or Accessor entity. An empty password amounts to no authentication at all and should not be used for a DSA or an accessor in any case.

6.3 Limited NCL Command Buffer Size

The NCL command input buffer size is 2048 bytes. This limits the number of characters that can be entered in one NCL directive. When you interactively enter a long directive, the NCL command input buffer can overflow, causing the directive to fail.

6.4 NCL Command Filtering

If you use a filter in an NCL command, the command fails for most of the attributes of the DSA entity. NCL does not fully support filtering for the types of attribute used by the Directory Service.
7 DSA Information and Known Problems

7.1 Restrictions on Removing Shadowing Agreements

Remove shadowing agreements in the reverse of the order in which you set them up; that is, remove the agreement at the end of the shadowing chain first. If you do not, the DSA continues to hold shadow naming contexts that are no longer updated by any shadowing agreement. For example, if DSA A shadows a naming context to DSA B, which then further shadows the naming context to DSA C, remove the last agreement first: remove the consumer access point on DSA B before removing the consumer access point on DSA A.

7.2 Year 2000 Conformance

In Version 3.1, the UTC Time matching rules used by the DSA were changed so that dates beyond the year 2000 are recognized by the DSA.

Time syntaxes such as UTC Time represent the year as a two-digit number. For example, 10.30am GMT on 5th November 1999 is expressed in UTC Time as 991105103000Z.

With the new time matching rules, a time value with a year less than 50 is assumed by the DSA to be in or after 2000; for example, a time value containing the year 01 is taken to be 2001. A time value with a year equal to or greater than 50 is assumed to be between 1950 and 1999; for example, a time value with the year 99 is taken to be 1999.

7.3 Dereferencing of Search Aliases

There is a known problem with the dereferencing of search aliases. When a DSA is processing a search, it checks beneath the specified search base for subordinate references that it needs to follow. It is during these checks that the DSA can make an error.
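Returning to the pivot rule of Section 7.2: the following Python is an added example (not code from the DSA or its kit) that parses a UTC Time value and applies the documented pivot, years 00..49 to 2000..2049 and 50..99 to 1950..1999. The accepted form, YYMMDDhhmm with optional seconds followed by Z or a +hhmm/-hhmm offset, is the standard ASN.1 UTCTime form and is an assumption of this example; the release notes show only the Z form. The comparison function shows why the pivot matters: ordered as raw strings, a 2001 value sorts before a 1999 value.

```python
"""UTC Time two-digit year pivot used by the DSA's matching rules (Section 7.2).

Added example, not code from the Enterprise Directory kit. It parses the UTC
Time form shown in the release notes (YYMMDDhhmmssZ, here also accepting the
ASN.1 UTCTime variants with no seconds or a +hhmm/-hhmm offset) and applies the
documented pivot: years 00..49 are 2000..2049, years 50..99 are 1950..1999.
"""
import re
from datetime import datetime, timedelta, timezone

# YYMMDDhhmm, optional ss, then either 'Z' or a +hhmm/-hhmm offset.
_UTC_TIME_RE = re.compile(
    r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})$")


def pivot_year(yy: int) -> int:
    """Apply the DSA's post-V3.1 rule to a two-digit year."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year out of range")
    return 2000 + yy if yy < 50 else 1900 + yy


def parse_utc_time(text: str) -> datetime:
    """Parse a UTC Time value such as '991105103000Z' into an aware datetime."""
    m = _UTC_TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a UTC Time value: {text!r}")
    yy, mo, dd, hh, mi, ss, tz = m.groups()
    year = pivot_year(int(yy))
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime(year, int(mo), int(dd), int(hh), int(mi), int(ss or 0),
                    tzinfo=tzinfo)


def utc_time_before(a: str, b: str) -> bool:
    """Ordering match with the pivot applied: is UTC Time a earlier than b?

    Without the pivot, '010101000000Z' (2001) would sort before
    '991105103000Z' (1999), because '01' < '99' as strings.
    """
    return parse_utc_time(a) < parse_utc_time(b)
```

The same two-digit convention and the same 50 pivot apply to UTCTime in X.509 certificates, so any code that compares validity periods or directory time stamps as raw strings has the ordering bug this example avoids.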
The following set of circumstances can cause a DSA to build an incomplete list of subordinate references:

  i   There are alias entries within the search subtree.
  ii  Those alias entries refer to entries that are held on the same DSA.
  iii There are subordinate references beneath the entries referred to by the aliases.

Those subordinate references are not followed during the search. The search of subtrees beneath aliased entries can therefore be incomplete.

7.4 Memory Exhaustion During Replication Can Cause the DSA to Terminate

If replication fails because of memory exhaustion, the consumer DSA exits if it is unable to roll back the changes. The DSA exits to avoid corrupting its database. This generates a Resource Exhausted event with a Reason of Fatal Memory Exhaustion.

Another possible cause of the DSA running out of memory is processing many thousands of entry modifications in rapid succession. If the DSA permits volatile modifications, the last few modifications may be lost. If the DSA does not permit volatile modifications, the last modification may be lost. In either case, the vast majority of the modifications are safe.

Restarting the DSA increases the virtual memory available to the consumer DSA. If you need to make a lot of changes to a naming context that is replicated to other DSAs, and you cannot provide more virtual memory, you can use the scheduling attributes of the shadowing agreement to make replication more frequent. For example, you might cause an unscheduled update to occur after a specific number of modifications so that the consumer DSA's memory resources are not overloaded. See Enterprise Directory for eBusiness - Management for details of shadowing agreement management.

7.5 DSA Handling of Temporary Files

During normal operation the DSA uses temporary files. When the DSA exits, these temporary files are normally deleted. If the DSA exits abnormally, some temporary files may remain.
If the DSA is not running, you can delete any temporary files that remain. Never delete temporary files while the DSA is still running. On Tru64 UNIX systems, all temporary files are created in /var/dxd/tmp.

7.6 Length Constraints on T.61 Strings

When the DSA checks the lengths of T.61 strings, it counts the number of octets in the string rather than the number of characters that those octets represent. Some T.61 characters require more than one octet. This may confuse users who expect the DSA to accept a string of a certain number of characters, but find that the string is rejected.

7.7 Restriction on the Definition of Labels in the Schema

Enterprise Directory for eBusiness - Management states that you can specify schema definitions within your schema text files in any order. However, there is a known exception to this rule: a label can be specified only after the definition for which it provides a label.

7.8 DSA Handling of Referral Loops

DSAs cannot detect referral loops. For example, a DSA can chain to a second DSA and receive a referral to a third DSA. It can then chain to the third DSA and receive a referral back to the second DSA. This type of looping is not covered by the standard loop detection model.

To prevent a DSA from following such referrals indefinitely, the DSA stops after the tenth referral for a given user request and instead returns the referral to the user. Looping should not occur if your DSAs are configured correctly.

7.9 Distributed Access Failure Event

If you see the Distributed Access Failure event with the following additional information, it is possible that the failure was caused by the remote DSA being unable to verify this DSA's password:

  Reason = Communications Failure
  Communications Problem = ACSE User Reject. No Reason Specified

The remote DSA should have generated an event that indicates a failure to verify this DSA's password.
Distributed operations between DSAs fail if the DSAs are unable to verify each other's passwords. Refer to Enterprise Directory for eBusiness - Management for details of replicating information about your DSAs so that they have copies of each other's passwords.

7.10 Database Snapshot Failures

The following three events can mean that the DSA has failed to create a new snapshot file. However, the events do not state explicitly that a snapshot failure has occurred. If you see any of these events without a statement of what operation failed, you can assume that it was an attempt to create a new snapshot file:

  Resource Exhausted   Insufficient Disk Space.
  Resource Exhausted   Insufficient Memory.
  Internal Error       Unexpected exception in DbMonitor.

7.11 DSA Handling of Presentation Address Protocol Identifiers

If a presentation address specifies that a single network service access point (NSAP) can be used for more than one network protocol, the presentation address is not encoded properly by the DSA when it writes the information to disk. The next time you create the DSA, the presentation address is incorrect.

For example, the following presentation address is specified as having two identical NSAPs but different protocol identifiers:

  "DSA"/"DSA"/"DSA"/NS+49002AAA004021,CLNS|NS+49002AAA004021,CONS

If you delete the DSA, recreate it, and then display the presentation address, it appears as follows:

  "DSA"/"DSA"/"DSA"/NS+49002AAA004021,CLNS|NS+49002AAA004021,CLNS

The CONS protocol identifier has been incorrectly encoded and is displayed as CLNS.

The same encoding error applies to any presentation address attributes within the database, including those in characteristic attributes of the DSA entity and its subentities, and in any directory entries that contain presentation addresses.
7.12 Displaying Entries that are Part of Your Global Prefix

When you create your DIT, you will probably have a global prefix that connects your organization's DIT to the root of the global DIT. The entries named in the global prefix are not part of your organization's DIT, and may not exist at all, except as placeholders for a future connection to a global DIT.

If you try to display entries that are part of your global prefix, the Directory Service returns an error. For example, in the example used in Enterprise Directory for eBusiness - Management, the Abacus organization has a global prefix that includes the name /c=us. The entry /c=us does not exist, so if you try to display it, you get an error.

This problem also affects browsing the DIT using the DXIM Browse window; entries that are part of the global prefix cannot be displayed. The immediate subordinates of the browse base must be real entries, not part of the global prefix. Enterprise Directory for eBusiness - Management gives details of the global prefix.

8 DXIM Problems

The information in the following sections applies to both the command line interface and the Motif interface to DXIM.

8.1 Handling of Attributes that Have No Matching Rules

If you modify the schema to define an attribute that has no equality matching rule, directory applications, including DXIM, will have difficulty managing that attribute. This is because the DSA cannot tell whether the value you specify is already present in an entry. Therefore, if you try to add a value to the attribute, the DSA cannot detect duplicate values, and if you try to remove a value, the DSA cannot determine whether the value actually exists. This is particularly true of the DXIM Motif interface, which attempts to add and remove values whenever you edit a value input box on the Modify window. Refer to Enterprise Directory for eBusiness - Management for advice about selecting matching rules for attributes.
8.2 Syntaxes Supported by the Directory Service

Compaq DSAs support the syntaxes and matching rules documented in Enterprise Directory for eBusiness - Management and the DXIM online help. This section details known restrictions with some of the documented syntaxes and matching rules.

o The following syntaxes are supported by the DSA, but are not supported by the DXIM Motif interface:

  - ACIitem

  - Integer
    Although this syntax is supported, the interface cannot handle the specification of values greater than 2**31-1.

o The following syntaxes are supported by the DSA, but are not fully supported by either DXIM interface:

  - Teletex Terminal Identifier
    Teletex Nonbasic parameters are not supported.

  - Facsimile Telephone Number
    G3 Facsimile Nonbasic parameters are not supported.

Neither DXIM nor the DSA supports Search Guide syntax.

8.3 DXIM Command Line Interface Problems

The following section describes problems and restrictions in the command line interface version of DXIM. If you create any DXIM scripts, you are recommended to keep them, to help diagnose any problems.

8.3.1 Ambiguous Keyword

The keyword BINDING has two meanings in DXIM: it is used in the SHOW BINDING command and to indicate the Binding service control. This ambiguity means that you may see misleading error messages if you specify an incomplete or incorrect command that includes the keyword BINDING. See the DXIM online help information about the SHOW BINDING command and the Binding service control.

8.4 DXIM Motif Interface Restrictions

8.4.1 Traversing Windows Using the Keyboard

There is a known Motif problem that affects DXIM windows on Tru64 UNIX systems. The problem does not affect DXIM on other operating systems. You should be able to move the input focus around a DXIM window using either the mouse pointer or the keyboard. In many cases, using the keyboard to move input focus does not work.
8.4.2 Problem Deleting Multiple Entries

If you select a large number of entries, and then select the Delete Entry option, DXIM displays a confirmation window, asking you whether you really want to delete the selected entries. If you select too many entries, the buttons of the window are not visible on your screen. Press RETURN to cancel the operation. Select fewer entries for deletion, so that the window is small enough to fit on the screen.

8.4.3 Handling of User Passwords

The DXIM Motif interface does not support creation or modification of password attributes, even if they are added to the window definition.

8.4.4 Handling of Search Filters

A DXIM Motif interface user can use the Find window to specify details of entries to search for. If the user specifies a detail that is inappropriate for a given filter field, DXIM ignores that detail. For example, if a user specifies an alphabetic string for a field that requires integer values, DXIM ignores that particular field. Only fields that contain appropriate details are processed. In most cases, this is the user-friendly way to process user input. However, the effect might be that DXIM returns more entries than the user expects to see, including entries that the user thought would be excluded.

8.4.5 Support of the undefinedSyntax

Attribute values that are of undefinedSyntax might be displayed in verbatim format, for example:

    '14 01 c4'v

DXIM uses this format if it cannot convert the value into a user-friendly external representation. DXIM only accepts the verbatim format on input of such values. You need to know how to represent the value in verbatim format. Where possible, do not use the undefinedSyntax for attributes.

8.4.6 Online Help

The online help for the DXIM Motif interface does not support the search for keywords option of the Help widget. If you select Search Keywords... from the Help window, DXIM displays an internal error.
8.4.7 Display of the Base Object

The DXIM Browse and Find windows allow you to show the attributes of an entry by selecting the entry and double clicking on it, or by selecting the Show Attributes option from the View menu. To see the attributes of an entry you have modified, you must collapse and expand the parent entry of the modified entry.

However, this does not work with the base object of the Browse or Find window. The base object is the entry that is displayed at the top of the window, and appears when you invoke the window. Whenever you use the Show Attributes option on that entry, you see the attributes and values that were in the entry when you invoked the window. To see the attributes of this object you must invoke a new Browse or Find window.

8.4.8 Deleting Entries

When you use the DXIM Motif interface to delete an entry, you have to click on Yes to execute the deletion. If you double click on Yes, the deletion succeeds, but DXIM reports an internal error. You must then exit DXIM.

8.4.9 Cut and Paste Using the Edit Menu

There are known problems with the Motif cut and paste functionality on Tru64 UNIX systems. If you use the Copy option of the DXIM Edit menu, and attempt to copy information from DXIM to another application, the attempt can sometimes fail. Furthermore, subsequent attempts to use cut and paste in any application can fail because Motif is maintaining a lock on behalf of DXIM. If you find that cut and paste is locked for DXIM, exit DXIM.

8.4.10 No Support for Auxiliary Object Classes

The DXIM Motif interface does not support auxiliary object classes.

8.4.11 Incorrect Integer Values Not Detected

If you specify a hyphen in an integer value when adding a value to an attribute or creating an attribute, DXIM does not return an error. For example if you try to add the value 1-2-3 to an attribute with integer syntax, no error is displayed. When you subsequently display that attribute, the value displayed is 1.
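Because DXIM neither rejects a hyphenated value such as 1-2-3 (section 8.4.11) nor handles Integer values above 2**31-1 in the Motif interface (section 8.2), it is worth screening values before they are entered. The check below is an added example written for these notes, not DXIM code; the value list and the outcome labels are constructed.

```python
import re

# Largest Integer value the DXIM Motif interface can handle (section 8.2).
DXIM_MOTIF_MAX = 2**31 - 1

# Integer syntax: an optional sign followed by digits only. Anything else,
# including '1-2-3', would be accepted by DXIM and stored incorrectly.
_INT = re.compile(r'^[+-]?[0-9]+$')


def check_integer_value(text):
    """Classify a candidate Integer-syntax value before DXIM sees it.

    Returns 'ok', 'malformed' (DXIM would store a wrong value silently) or
    'too-large-for-motif' (valid, but not enterable via the Motif interface)."""
    s = text.strip()
    if not _INT.match(s):
        return 'malformed'
    if int(s) > DXIM_MOTIF_MAX:
        return 'too-large-for-motif'
    return 'ok'


def audit_values(values):
    """Map every value that is not safe to enter to the reason it was flagged."""
    findings = {}
    for v in values:
        result = check_integer_value(v)
        if result != 'ok':
            findings[v] = result
    return findings


if __name__ == '__main__':
    # Constructed sample: a batch of values destined for an Integer attribute.
    for value, reason in audit_values(['42', '1-2-3', '2147483648', '-7', '0x10']).items():
        print(f'{value!r}: {reason}')
```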
8.4.12 Usability Problems

The DXIM Motif interface is known to have some usability problems.

o The positioning of new input boxes is faulty. If you use the Add Value option, a new input box might be placed partially or completely off the window. To work around this problem, only add one or two values to an attribute at a time. Click on OK. If you want to add more values, select the Modify Entry option again, and you will be able to display one or two more new input boxes. By this method you can gradually add more values.

o Any modifications made to the Directory using the Create or Modify windows are not automatically reflected in the Browse and Find windows. For example, if you change the name of an entry, the Browse window still displays the old name. Similarly, if you create an entry, DXIM does not display the entry in the Browse window. If the information in the Browse and Find windows is out of date, use the collapse and expand options to refresh the window.

o The DXIM Motif interface on a Tru64 UNIX system does not support some of the standard display parameters that you can specify when you invoke the utility. DXIM does support the -display parameter and the -name parameter. Other standard parameters are ignored, for example, -background, -geometry, and -iconic.

8.5 Application Resources

The DXIM Motif interface does not currently provide an application resource file to define, for example, the colours to use in DXIM windows. You can edit your default resource file to include information that controls the DXIM display. On a Tru64 UNIX system edit $HOME/.Xdefaults and use the resource name dxd_mainwin.
For example, to set the foreground colour to red, edit the file $HOME/.Xdefaults and add the following line:

    dxd_mainwin*Foreground: #ffff00000000

9 Problems with the Lookup Client

9.1 Tru64 UNIX V4.0F and the Look-Up Client

The first time you use dxdlu on Tru64 UNIX V4.0F you may get the /sbin/loader error

    Unresolved symbol in /usr/bin/dxd_lookup: __cxx_call_static_dtors

In this case, replace your system's C++ runtime redistribution kit with the one available from:

    ftp://ftp.compaq.com/pub/products/C-CXX/tru64/cxx/

This will prevent the error.

9.2 Lookup Client GUI Help Requires Bookreader

The graphical interface of the Lookup Client requires the Bookreader software. If Bookreader is not installed on the Lookup Client system, then attempts to read the online help will have no effect.

9.3 Lookup Client GUI Handling of Naming Attributes

The Lookup Client for Tru64 UNIX systems does not support the management of naming attributes. If you attempt to modify the attribute that is used for naming an entry, for example, to add a value, the Lookup Client displays an error. The error states that the operation is not allowed on an RDN.

The Lookup Client command line interface permits the management of naming attributes, although it does not allow you to modify the value that is actually used in the entry's name. For example, if an entry's distinguished value is John Smith, you could add a value J Smith, but you could not make that new value the distinguished value.

9.4 Lookup Client Display of Modified Entries

Attribute values displayed in Lookup Client displays cannot be guaranteed to have come from master DSAs. This is particularly important when you use the Alter window of the Motif interface. The values displayed in the Alter window may have come from a shadow DSA. After changing an entry, the changes you make might not be visible in the Lookup Client.
This is because the Lookup Client uses a protocol that does not enable applications to specify that master information is required. The only workaround is to make sure that the Lookup Client is connected to the master DSA for the entry you want to change.

10 XDS Problems and Information

10.1 Documentation of Maximum Outstanding Operations Constant

The Directory Service programming documentation states that the value of the DS_MAX_OUTSTANDING_OPERATIONS constant is defined by the DSA implementation. In fact, the value is defined by the XDS API implementation. Compaq's XDS API defines the constant to be 32. If 32 asynchronous operations are outstanding, XDS will not accept more asynchronous operations.

If you are writing an application that will use another vendor's XDS API implementation, then the constant may have a different value. It may therefore be advisable not to define this constant in your application, because it cannot be set to both values. Instead, your application can detect the Library Error: Too Many Operations if and when the XDS API returns it. If this error is returned, you can use the Receive Result function to reduce the number of outstanding operations.

10.2 Documentation of the Search and Read Functions

Note that the programming documentation is unchanged for this release of Enterprise Directory for eBusiness.

DEC X.500 Directory Service Programming Reference documents the functions of the XDS API. The discussions of the Search and Read functions, ds_search and ds_read, do not explain how to select the particular attributes that you want returned from the entry or entries to which the function applies. They only explain that you can use the Select-No-Attributes, Select-All-Types, and Select-All-Types-And-Values constants.

If you want to select specific attributes to be returned from these functions, use the Entry Information Selection class. This class is documented in Section 3.12 of DEC X.500 Directory Service Programming Reference.
10.3 XDS Example Programs

The API component of the Enterprise Directory for eBusiness includes a set of callable routines that illustrates how to use the XDS and OM routines. You can also use these routines, which are known as the XDSHLI routines, in your application. The set of routines also includes a simple search application, written using the XDSHLI routines. The file /usr/examples/dxd/xdshli.h contains details of the XDSHLI routines and related files.

10.4 Primitive Syntax Attributes in Uninitialized Objects

The sequence OM_CREATE with the initialize argument set to FALSE, followed by OM_PUT using INSERT_AT_END, will return the error WRONG_VALUE_NUMBER, for any single valued primitive attributes. To avoid this, use REPLACE_ALL in OM_PUT.

10.5 XDS is not Thread-safe in a Multithreading Environment

If you are using multithreading, you must lock calls to XDS. This version of XDS does not handle threads correctly in all cases.

10.6 No Support for Boolean Attribute Values

XDS does not support attribute values of Boolean syntax. Such values always appear to be FALSE.

10.7 Incorrect Initial Value for Information Type

The initial value for the Information Type attribute of the Entry Information Selection object should be types-and-values, as stated in the documentation and defined in the standard. However, XDS sets the initial value to types-only.

10.8 Primitive Values Incorrect in a Referral

A restriction in this version of XDS and XOM means that primitive values in Referrals always appear to be present. A value that should be absent has a value of 0.

10.9 Reading the On-line Reference Pages

Your first attempt to read the X.500 reference pages might fail. Repeat the command.