7. Known Issues
The following are some of the relevant known issues in Directory Server 9.1. If applicable, supported workarounds are also described.
Table 5. Known Issues in Directory Server 9.1

| Bug Number | Description | Workaround |
|---|---|---|
| 158369 | The sync attribute mapping for groups includes a number of attributes that are not actually legal on group objects, such as l, ou, and o. If someone creates an ntGroup entry with any of these attributes that is not an ou, the synced entry add will fail on Active Directory because of a schema violation. | |
| 190862 | Global syntax checking attributes should be enforced if the settings aren't configured in the local password policy. However, if both global and local password policies are configured, the global policies aren't being enforced as the default. | |
| 191772 | If the configuration Directory Server is unavailable, Admin Express shows an internal server error. The task to access the Admin Express web page cannot be authenticated, so the attempt to open the page fails. | |
| 667943 | Restarting the Directory Server hangs if a pipe file is present but the ds-logpipe.py script is not running. | |
| 712202 | If a replication agreement is configured with an unresolvable hostname, it returns a generic error rather than an indication that the hostname cannot be resolved:<br>`[09/Jun/2011:14:21:21 -0400] slapi_ldap_bind - Error: could not send bind request for id [(anon)] mech [EXTERNAL]: error -1 (Can't contact LDAP server) 0 (unknown) 0 (Success)` | Change the password policy attributes from the command line. |
| 712845 | The Directory Server Console does not allow you to set password policy-related time (such as expiration time or user change time) in hours, minutes, or seconds. | Change the password policy attributes from the command line. |
| | There are a lot of problems associated with trying to load certificates on hardware security modules (HSMs) using the Directory Server Console. Some of these are related to SELinux policies which restrict access to HSMs, and some are due to problems in the Directory Server Console or the Admin Server, which can throw exceptions or fail to generate requests or certificates. | Use NSS tools such as certutil to install certificates on HSMs rather than the Directory Server Console. |
| 732079 | Upgrading the server fails if the Directory Server user is root. | The Directory Server should run as the system user nobody. |
| 743702 | The nsslapd-counters attribute cannot be set to off or the server fails to restart with the error that the counters cannot be found:<br>`[05/Oct/2011:10:07:28 -0400] - slapd stopped.`<br>`[05/Oct/2011:10:07:42 -0400] - 389-Directory/1.2.9.12 B2011.276.2240 starting up`<br>`[05/Oct/2011:10:07:42 -0400] - cache_init: slapi counter is not available.`<br>`[05/Oct/2011:10:07:42 -0400] - ldbm_instance_create: cache_init failed` | The nsslapd-counters attribute must be set to on. |
| 743703 | The Directory Server cannot run on the same machine as an NFS share. The Directory Server will stop servicing client requests. | Remove any NFS mount points on the server. |
| 824048 | When attempting to register a new Directory Server instance using register.pl, the operation fails because it cannot map the instance to an Admin Server ID.<br>`[12/05/22:17:46:33] - [Setup] Info Registering new Config DS: dhcp201-194`<br>`[12/05/22:17:46:43] - [Setup] Info Registering Sub DSes:`<br>`[12/05/22:17:47:05] - [Setup] Fatal The map value 'ServerAdminID' for key 'as_uid' did not map to a value in any of the given information files.`<br>`[12/05/22:17:47:05] - [Setup] Fatal Exiting . . .` | |
| 893178 | Encrypted attributes are decrypted when replicated to another master server. However, the attributes are not re-encrypted after being replicated, so they are in plaintext on the receiving server. | |
| 905621 | All POSIX attributes (such as uidNumber, gidNumber, and homeDirectory) are synchronized between Active Directory and Directory Server entries. However, if a new POSIX entry or POSIX attributes are added to an existing entry in the Directory Server, only the POSIX attributes are synchronized over to the Active Directory corresponding entry. The POSIX object class (posixAccount for users and posixGroup for groups) is not added to the Active Directory entry. | This issue does not affect entries or synchronization and can be ignored. |
| 908170 | Some changes were made to enhance the DNA plug-in performance. One effect of these changes is that there must be an interval between dynamic DNA configuration changes of 35 seconds. This includes both DNA configuration changes and any directory entry changes which would trigger a DNA plug-in operation. | |
| 908307 | Attempting to stop the Admin Server through the Admin Express UI fails because it cannot resolve the IP address. There are errors in the log that read ap_get_remote_host could not resolve 255.255.255.255.<br>`[Tue Feb 05 15:47:39 2013] [notice] [client 255.255.255.255] admserv_host_ip_check: ap_get_remote_host could not resolve 255.255.255.255, referer: http://admin-server.example.com:9830/admin-serv/tasks/configuration/HTMLAdmin?op=status`<br>`[Tue Feb 05 15:47:39 2013] [notice] [client 255.255.255.255] admserv_host_ip_check: ap_get_remote_host could not resolve 255.255.255.255`<br>`[Tue Feb 05 15:47:39 2013] [crit] [client 255.255.255.255] configuration error: couldn't check access. No groups file?: /tasks/operation/Stop` | Disable SELinux so that the Admin Express process can properly access the stop scripts and host information. |
| 920597 | The ACI validation only works if a parenthesis is present in the ACI statement. If an invalid ACI is created without a parenthesis in it, then the invalid ACI is successfully added to the Directory Server configuration. | |
| 927915 | The Windows version of the Directory Server Console can only manage a single instance of Directory Server. If additional instances are added to the Console, then the Console fails to open with this error:<br>`Failed to install local copy of redhat-ds-9.1.0.jar or one of its supporting files. Please ensure that the appropriate console package is installed on the Administration Server.` | |
| 947298 | The Save button is not always enabled on the fine-grained password policy windows in the Directory Server Console. If the policy is disabled for a user, there is a warning box that pops up to confirm that the administrator wants to disable the policy. Acknowledging the box also saves the modification, which disables the Save button. No other edits are possible on that page because the button is disabled and, therefore, the changes cannot be saved. | Close and then re-open the user password policy window to refresh the window and re-enable the Save button. |
| 951708 | If FIPS mode is enabled for the Admin Server, then the Admin Server instance cannot be accessed using the Admin Server Console and the Configuration tab does not work. | Run the Directory Server in FIPS mode, but make sure that FIPS mode is disabled for the Admin Server.<br>`modutil -dbdir /location/of/admin-srv/instance -fips false` |
| 952517 | Argument number 4 in the 7-bit Check Plug-in configuration is required. (The argument value is a comma.) If this argument is deleted, then the server fails to restart and core dumps. | Do not remove the argument specifying the comma (,), or re-add it if it has been deleted. |
| 952682 | The nsslapd-db-transaction-batch-val attribute has a default value of zero (0). If this attribute is changed and then there is a modify operation to change it back to zero, the attribute value is actually set to -1 and can no longer be modified by ldapmodify. | |
| 971332 | When attempting to disable a user account through the Directory Server Console, the nsAccountLockout attribute is not set on the entry. This means that the account is not actually disabled. | Set the nsAccountLockout attribute using the ldapmodify utility. |
| 974214 | The Admin Express UI shows a different instance creation time for the server than the Directory Server Console displays. The Admin Express time is two hours earlier than the Console time. | |
