IBM Directory Server Version 5.1 README...
Transcript of IBM Directory Server Version 5.1 README...
Note
Before using this information and the product it supports, read the general information under “Notices,” on page 37.
Nineteenth Edition (March 2006)
This edition applies to version 5, release 1, of IBM Directory Server and to all subsequent releases and modifications
until otherwise indicated in new editions.
Preface
This file contains information about changes and fixes that occurred after the
product documentation had been translated. This file is in English only. This file
can also be found by selecting Library on the IBM® Directory Server Web page,
located at http://www.software.ibm.com/network/directory.
iii
Contents
Preface . . . . . . . . . . . . . . . iii
1.0 Must read known problems . . . . . 1
1.1 New locations for the installation program . . . 1
1.2 Interrupting ldapxcfg database tasks causes an
incorrect status for the files . . . . . . . . . 1
1.3 ldapxcfg startup messages are in English . . . . 2
1.4 Web Administration Tool does not save templates
created with an object class that has no attributes . . 2
1.5 Port number error in Web Administration help
panel . . . . . . . . . . . . . . . . . 2
1.6 Translated titles might truncate . . . . . . . 2
1.7 Default value of LOGFILSIZ needs to be
increased . . . . . . . . . . . . . . . 3
1.8 Environment variables removed during migration 3
1.9 DSML file client throws exception . . . . . . 3
1.10 Nondefault log files need valid path . . . . . 4
1.11 Replication limitations . . . . . . . . . 4
1.12 Default ports for the embedded version of IBM
WebSphere Application Server - Express . . . . . 5
1.13 Clarification for ldapsearch -i <file> option . . . 5
1.14 On UNIX systems you must configure the
database in a location other than /home when
/home is an NFS mount . . . . . . . . . . 6
1.15 HTTPS for the embedded version of WebSphere
Application Server Express Version V5.0 . . . . . 8
1.16 Corrections to the Kerberos information in the
Administration Guide . . . . . . . . . . . 9
1.17 /var requirements on UNIX platforms . . . . 9
1.18 Before you configure: creating the DB2 database
owner . . . . . . . . . . . . . . . . 9
1.19 Do not unzip or untar file in directory whose
name contains spaces . . . . . . . . . . . 10
1.20 After changing ports, you must stop and restart
the administration daemon . . . . . . . . . 10
1.21 Activating the DB2 license file . . . . . . 10
1.22 Installing the embedded version of WebSphere
Application Server - Express . . . . . . . . . 11
Installing the Web Administration Tool into the
embedded version of WebSphere Application
Server - Express . . . . . . . . . . . . 12
1.23 JDK 1.3 required for GSKit . . . . . . . . 12
1.24 SQL1092N error message when configuring a
database using the ldapcfg utility . . . . . . . 12
1.25 Starting the application server on UNIX
platforms . . . . . . . . . . . . . . . 13
1.26 Create the key database certificate before
setting up SSL. . . . . . . . . . . . . . 13
1.27 Port settings cannot be changed when
configuring security settings . . . . . . . . . 13
1.28 Remote databases not supported . . . . . . 13
1.29 Before you install: setting kernel parameters for
Solaris and HP-UX . . . . . . . . . . . . 14
1.30 Before you use ldapcfg . . . . . . . . . 15
1.31 dbback command restrictions . . . . . . . 15
1.32 Migration from IBM Directory Server Version
4.1 for UNIX installations . . . . . . . . . . 15
1.33 Correction to C-Client SDK Programming
Reference: Must free memory used by res . . . . 16
1.34 Adding ibm-slapdFrontEnd objectclass to
configuration file after migration . . . . . . . 16
1.35 Upgrading DB2: invalid link in documentation 16
2.0 Must read known problems –
platform specific . . . . . . . . . . 17
2.1 For AIX only . . . . . . . . . . . . . 17
2.1.1 Supported levels of the AIX operating
system . . . . . . . . . . . . . . . 17
2.1.2 Preventing logouts on AIX 5.x systems
when InstallShield GUI is invoked . . . . . . 17
2.1.3 Locales for InstallShield GUI panels . . . 17
2.1.4 Missing titles from ldapxcfg panels in
simplified and traditional Chinese . . . . . . 17
2.1.5 Error code -1 at startup . . . . . . . . 17
2.1.6 Migrating DB2 fix pack 3 to DB2 fix pack 7 18
2.1.7 Applying DB2 8.1 fix packs on AIX 5.x
systems . . . . . . . . . . . . . . . 18
2.1.8 Enabling asynchronous IO . . . . . . . 18
2.1.9 Configuration program fails on AIX with
0509-136 errors . . . . . . . . . . . . 18
2.1.10 Error on AIX 5.1 when running db2start . 19
2.1.11 Installing the SSL client, server, or Web
Administration Tool . . . . . . . . . . 20
2.1.12 Migration from IBM Directory Server
version 4.1 for AIX installations . . . . . . 20
2.2 For Windows only . . . . . . . . . . . 21
2.2.1 Setting LANG and LC_ALL system
environment variables for nonEnglish
InstallShield GUI installation . . . . . . . 21
2.2.2 Uninstalling Version 5.1 shows Version 4.1
option . . . . . . . . . . . . . . . 21
2.2.3 Installing and uninstalling DB2 with
InstallShield GUI . . . . . . . . . . . 21
2.2.4 Tomcat Web application does not start with
IBM JDK 1.3.1 . . . . . . . . . . . . 21
2.2.5 Certain UTF-8 supplementary characters do
not display correctly . . . . . . . . . . 22
2.2.6 Configuration utilities do not work with
DB2 7.2 Fix pack 10 . . . . . . . . . . 22
2.3 For Solaris Operating Environment Software
only . . . . . . . . . . . . . . . . . 22
2.3.1 Locales for InstallShield GUI panels . . . 22
2.3.2 Command line installation using pkgadd . . 22
2.4 For Linux only . . . . . . . . . . . . 24
2.4.1 CD-ROM does not eject from Linux
machines . . . . . . . . . . . . . . 24
2.4.2 Java failure when configuring an existing
instance and database . . . . . . . . . . 24
v
| |
2.4.3 Incorrect display when installing with the
InstallShield GUI on a system set to a Japanese
locale . . . . . . . . . . . . . . . 25
2.4.4 InstallShield GUI uninstall does not remove
the appsrv directory . . . . . . . . . . 25
2.4.5 Linux S/390 client operations fail with SSL
using GSKit 6.0 . . . . . . . . . . . . 25
2.4.6 DB2 opt file requirements . . . . . . . 25
2.4.7 GSKit 6.0.3 is not supported on Intel Linux 26
2.4.8 Clarification of DB2 requirements . . . . 26
2.4.9 Correction to Installation Guide: no Java
requirements for Linux . . . . . . . . . 26
2.4.10 Removing existing versions of LDAP on
Linux . . . . . . . . . . . . . . . 26
2.4.11 Correction to Installation and
Configuration Guide: no webadmin package on
Linux systems . . . . . . . . . . . . 27
2.4.12 Uninstallation of Web Administration Tool
package fails if ldap user and group do not exist . 28
2.5 For HP-UX only . . . . . . . . . . . 28
2.5.1 HP-UX 11 client is supported . . . . . . 28
2.5.2 Directory server fails on HP-UX 11i with
DB2 8.1 with FixPak 7, 7a, 8, or 9 . . . . . . 28
3.0 General information, hints and tips 29
3.1 Peer-to-peer scenario with Web Administration
Tool . . . . . . . . . . . . . . . . . 29
3.2 Migrating a replicating environment from 3.2.x
to 5.1 . . . . . . . . . . . . . . . . 30
3.3 Support for industry standards . . . . . . 31
3.4 Password Guidelines . . . . . . . . . . 32
3.4.1 Passwords for User Entries (InetOrgPerson)
stored in the IBM Directory Server using the C or
java Software Development Kits . . . . . . 32
3.4.2 LDAP ibmslapd.conf users: . . . . . . 32
3.4.3 Using the IDS Web Administration Tool to
modify password attributes: . . . . . . . . 33
3.4.4 Additional Recommendations: . . . . . 33
3.5 Replicating Password Policy Attributes . . . . 33
3.6 Increasing secondary log files for password
policy attribute pwdchangedtime . . . . . . . 34
3.7 Disk space requirements for the embedded
version of WebSphere Application Server - Express . 35
3.8 Support on Windows 2003 operating systems . . 35
3.9 Subset of server management tasks displayed in
Web Administration Tool . . . . . . . . . . 35
3.10 Note about using reorg for database tuning . . 36
Appendix. Notices . . . . . . . . . . 37
Trademarks . . . . . . . . . . . . . . 38
vi IBM Directory Server Version 5.1 README Addendum
| |
1.0 Must read known problems
The following information applies cross-platform.
1.1 New locations for the installation program
The location of the installation programs on the CD and in the .zip and .tar files
has changed:
On Windows® platforms:
v If you are installing from a CD, on the CD, in the ids_ismp folder,
double-click setup.
v If you downloaded the .zip file, go to the directory where you unzipped
the .zip file. In the ids_ismp folder, double-click setup.
On AIX®, Solaris, and Intel Linux platforms, for InstallShield GUI installation:
v If you are installing from a CD, on the CD, change to the ids_ismp
directory and type ./setup. You must type ./setup on the command line
even if ″.″ is in your path. Otherwise, the WebSphere® Application
Server - Express, V5.0 installation does not work.
v If you downloaded the .tar file, go to the directory where you untarred
the file. Change to the ids_ismp directory and type ./setup.
On UNIX® platforms (including Linux S/390® and HP-UX), for native
installations:
v If you are installing from a CD, on the CD, change to the ids directory
and then follow the instructions in the IBM Directory Server Version 5.1
Installation and Configuration Guide.
v If you downloaded the .tar file, go to the directory where you untarred
the file. Change to the ids directory and then follow the instructions in
the IBM Directory Server Version 5.1 Installation and Configuration Guide.
1.2 Interrupting ldapxcfg database tasks causes an incorrect status for
the files
If you are using ldapxcfg to configure, unconfigure, import, export, backup,
restore, or optimize a database and the process is interrupted by, for example, a
segmentation fault, the status of the files is returned incorrectly. When you try to
restart the process the message
Task is already running.
is displayed. This is because the status output for the process is monitored through
files in the $LDAPHOME/tmp folder that were not deleted when the process was
interrupted.
To restart the interrupted process, you must first manually delete these two files:
/usr/ldap/tmp/ldapcfg.dat
/usr/ldap/tmp/ldapcfg.stat file to start configuration from starting
1
1.3 ldapxcfg startup messages are in English
Although you might have selected a different locale, when you start the ldapxcfg
utility the following startup messages are always displayed in English:
MenuManager: File ’FILE.pdml.ser’ loaded successfully
MenuManager: File ’EDIT.pdml.ser’ loaded successfully
MenuManager: File ’VIEW.pdml.ser’ loaded successfully
MenuManager: File ’HELP.pdml.ser’ loaded successfully
(-) SHOW_TOOLBAR
(+) STATUSBAR
(-) TEXT_BOTTOM
(+) NO_TEXT
(-) TASKPAD
(+) TREE
MenuManager: File ’APP_TOOLBAR.pdml.ser’ loaded successfully
CSA Toolkit Version 1 Release 2
(c) Copyright IBM Corporation 2001. All rights reserved.
1.4 Web Administration Tool does not save templates created with an
object class that has no attributes
You can create object classes for the IBM Directory Server Version 5.1 that have no
MAY or MUST attributes. Such object classes can be used to create entries using
other auxiliary object classes. However, if you attempt to create a template through
the Web Administration Tool using such an object class, you are unable to save the
template.
Note: All of the object classes included with the IBM Directory Server Version 5.1
contain MAY and MUST attributes. They can be used to create templates.
1.5 Port number error in Web Administration help panel
If performing Console administration, under Manage console servers, the Add
function has an incorrect help. Clicking Help from the Add server panel displays
the Add, modify or remove a server from the console help panel. This panel has a
link, Port/Administration port, that displays the following information:
Specify the port numbers or accept the defaults.
If SSL is enabled, the default port number is 389 and the default administration
port is 3538. If SSL is not enabled, the default port number is 636 and the
default administration port is 3539.
If SSL is enabled, make sure you select SSL enabled ports.
The correct default port numbers are:
For SSL:
The default port number is 636 and the default administration port is 3539.
For non-SSL:
The default port number is 389 and the default administration port is 3538.
1.6 Translated titles might truncate
In the ldapxcfg utility, titles in the pop-up windows might truncate depending
upon the language. If this problem occurs, depending on your display, you can
resize the the window accordingly.
2 IBM Directory Server Version 5.1 README Addendum
1.7 Default value of LOGFILSIZ needs to be increased
If you are adding a very large group (more than 50,000 members) to your 5.1
Directory, and you have migrated your database from a previous release such as
Version 4.1, you need to modify the LOGFILSIZ parameter of your DB2® database
to be at least 2000. On migrated databases, this value might currently be set to 750
or 1000.
You can verify this value by issuing the following commands. For this example the
names of the user, instance, and database are ldapdb2.
For UNIX platforms:
su -ldapdb2
db2start
db2 get database config for ldapdb2 | grep LOGFILSIZ
If you need to increase this value issue the command:
db2 update database config for ldapdb2 using LOGFILSIZ 2000
For Windows platforms:
db2cmd
set DB2INSTANCE=ldapdb2
db2 get database config for ldapdb2 ><outputfile>
Find the value for LOGFILSIZ in the output file. If you need to increase
this value issue the command:
db2 update database config for ldapdb2 using LOGFILSIZ 2000
Note: This value is already set correctly, if you created or configured your
database with the IBM Directory Server Version 5.1 configuration tools.
1.8 Environment variables removed during migration
During migration, all commented out instances of ibm-slapdSetEnv in the
slapd32.conf file are removed. Additionally all instances of the following
environment variables in slapd32.conf are also removed:
v ibm-slapdSetEnv: ACLCACHE
v ibm-slapdSetEnv: ACLCACHESIZE
v ibm-slapdSetEnv: RDBM_FCACHE_SIZE
v ibm-slapdSetEnv: RDBM_CACHE_BYPASS_LIMIT
The functions of these four environment variables are performed in Version 5.1 by
attributes under the DN:
cn:Front End, cn=Configuration
1.9 DSML file client throws exception
The DSML file client throws the following exception when it is set up to
communicate using SSL and the user tries to connect to an LDAP server that does
not use SSL.
SSL IS ON
javax.naming.CommunicationException: 9.182.21.228:389. Root exception is javax.
net.ssl.SSLProtocolException: end of file
at com.ibm.jsse.bd.a(Unknown Source)
at com.ibm.jsse.b.a(Unknown Source)
at com.ibm.jsse.b.write(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:127)
1.0 Must read known problems 3
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2398)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:258)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:91)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:255)
at javax.naming.InitialContext.init(InitialContext.java:231)
at javax.naming.InitialContext.<init>(InitialContext.java:207)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:92)
at com.ibm.ldap.dsml.DsmlRequest.processRequests(DsmlRequest.java:767)
at com.ibm.ldap.dsml.DsmlServer.processDsmlRequest(DsmlServer.java:253)
at com.ibm.ldap.dsml.DsmlServer.processDsmlRequest(DsmlServer.java:402)
at com.ibm.ldap.dsml.DsmlServer.processDsmlRequest(DsmlServer.java:373)
at com.ibm.ldap.dsml.DsmlServer.processDsmlRequest(DsmlServer.java:296)
at com.ibm.ldap.dsmlClient.DsmlFileClient.main(DsmlFileClient.java:203)
The exception is not fatal and the output XML file is generated.
1.10 Nondefault log files need valid path
If you want to store your log files in a nondefault path, you must ensure that the
path is valid. Otherwise you need to create the directory before you can configure
the log files.
1.11 Replication limitations
This release supports subtree replication. Replication can be configured differently
on individual subtrees (for individual replication contexts). This enables a single
server to play different roles for different parts of the Directory Information Tree
(DIT). For example, one subtree on a server could be a leaf replica (consumer), and
another subtree could be a master (supplier) in the topology.
Directory updates, such as those to schema and password policy, do not belong to
any replication context. They are replicated to all consumers based on all the
replication contexts defined on the server. However, if the server contains one
subtree for which it is a master, and another subtree for which it is a replica, the
replication role to be assumed for schema or password policy updates cannot be
determined. Because of this mixed replication mode in the topology, these types of
global updates, schema and password policy, cannot be made. A referral result is
returned causing a replication loop among the replicas and masters. Consequently,
the client is referred between servers until the maximum referral limit is exceeded.
If an administration control is used, an unwilling to perform result is returned.
To avoid this situation, do not assign mixed roles to a single server. Ensure that the
server performs the same server role for each of its subtrees. That is, if a server is a
master for most of its subtrees, it is a master for all of its subtrees. Conversely, if
the server acts as a replica for most of its subtree, it acts as a replica for all of its
subtrees.
Another solution, depending on your situation, is to make both of the subtrees
peer-masters on each of the servers. The master that received the entry, updates the
other peer servers. As peers, the servers receive the entry update but do not
replicate it.
4 IBM Directory Server Version 5.1 README Addendum
1.12 Default ports for the embedded version of IBM WebSphere
Application Server - Express
The embedded version of IBM WebSphere Application Server - Express uses
four default port settings:
v Http Transport (port 1): 9080
v Http Transport (port 2): 9443
v Bootstrap/rmi port: 2809
v Soap connector port: 8880
If a conflict exists with another application using one or more of these default
ports, you can use a text editor to change the default ports to an unused port.
Http Transport port 1
Find the line containing the port number 9080 in the following files and
replace the 9080 with the port number that you want:
$BOBCAT_HOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$BOBCAT_HOME\config\cells\DefaultNode\virtualhosts.xml
Http Transport port 2
Find the line containing the port number 9443 in the following files and
replace the 9443 with the port number that you want:
$BOBCAT_HOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$BOBCAT_HOME\config\cells\DefaultNode\virtualhosts.xml
Bootstrap/rmi port
Find the line containing the port number 2809 in the following file and
replace the 2809 with the port number that you want:
$BOBCAT_HOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html
Soap connector port
Find the line contain ing the port number 8880 in the following file and
replace the 8880 with the port number that you want:
$BOBCAT_HOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html
1.13 Clarification for ldapsearch -i <file> option
The -i < file> option replaces the -f< file> option in this release. The -f option is still
supported, although it is deprecated.
In the command, ldapsearch -V3 -v -b ″o=ibm,c=us″ -D ″cn=admin″ -w ldap -i
filter.input %s dn, the filter.input file might contain the following filter
information:
(cn=*Z)
(cn=*Z*)
(cn=Z*)
(cn=*Z*)
(cn~=A)
(cn>=A)
(cn<=B)
Note: Each filter must be specified on a separate line.
The command performs a search of the subtree o=ibm,c=us for each of the filters
beginning with cn=*Z. When that search is completed, the search begins for the
next filter cn=*Z* and so forth until the search for the last filter cn<=B is
completed.
1.0 Must read known problems 5
1.14 On UNIX systems you must configure the database in a location
other than /home when /home is an NFS mount
If you use NFS automount, you must configure everything manually to create the
database in a location other than /home. Performing manual configuration in this
situation also avoids the problem of the ldapcfg command trying to write to
/home.
Notes:
1. The following steps assume that you want to set up a database like the default
ldapdb2 database, that is the instance owner is ldapdb2, DB2 instance is
ldapdb2, and database name is ldapdb2.
2. It is strongly recommended to save a copy of any system file before editing it. 1. Create a group named dbsysadm for the database administrators:
groupadd [-g <gid>] dbsysadm
Note: The groupadd command on some Linux distributions requires that the
group ID number (gid) be specified using the -g <gid> syntax. Type
cat /etc/group
to find an available group ID number. Red Hat automatically assigns
the next available gid if the -g option is not specified.
2. Add users root and ldap to the dbsysadm group:
usermod -G dbsysadm root
usermod -G dbsysadm ldap
3. Create a user account (ldapdb2) for the DB2 instance:
useradd -g dbsysadm -m ldapdb2
4. Set the password for the user account (ldapdb2):
passwd ldapdb2
Enter the new password when prompted. Record your password for future
reference.
5. Create the database instance:
<LDAPHOME>/db2/instance/db2icrt -u ldapdb2 ldapdb2
where <LDAPHOME> is:
v AIX, Linux operating systems- /usr/ldap
v Solaris operating systems - /opt/IBMldaps
v HP-UX operating systems- /usr/IBMldap 6. Before performing this step save a copy of /etc/services.
Update /etc/services to include a line for local loopback:
echo "ldapdb2svc 3700/tcp" >> /etc/services
echo "ldapdb2svci 3701/tcp" >> /etc/services
7. Log in as the database user id:
su - ldapdb2
8. Start the database manager:
db2start
9. Create the database under the instance:
db2 create db ldapdb2 on <location> using codeset UTF-8 territory US
6 IBM Directory Server Version 5.1 README Addendum
Note: If you omit the using codeset UTF-8 territory US the database is
created in the local code page. However, using the local code page does
affect performance. The database requires at least 80Mb of free space
available on the file system. Use df -k to verify this before creating the
database.
10. Enable multi-page file allocation:
db2empfa ldapdb2
Note: This is a performance enhancement, and cannot be undone after being
run.
11. Update some of the DB2 tuning variables:
db2 update db cfg for <databasename> using <parm> <newvalue>
DB2 Parameter Minimum value allowed
APPLHEAPSZ 2048
PCKCACHESZ 360
SORTHEAP 256
For example:
db2 update db cfg for ldapdb2 using APPLHEAPSZ 1280
Note: At this point, the database is created. However, for IBM Directory
Server, the use of a local loopback database connection is required. To
enable local loopback perform the following steps:
a. Update the database for local loopback connections:
db2 update dbm cfg using SVCENAME ldapdb2svc
db2 catalog tcpip node ldapdb2n remote localhost server ldapdb2svc
db2 catalog db ldapdb2 as ldapdb2b at node ldapdb2n authentication server
db2set DB2COMM=TCPIP
b. Restart the database manager:
db2stop
db2start
12. The database is fully configured. You can update the configuration file to use
this database. In <LDAPHOME>etc/ibmslapd.conf, in the following stanza:
dn: cn=Directory,cn=RDBM Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
objectclass: top
objectclass: ibm-slapdRdbmBackend
cn: Directory
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdDbConnections: 15
ibm-slapdSuffix: cn=localhost
ibm-slapdReadOnly: FALSE
Add the following lines:
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserPw: <user pw>
ibm-slapdDbLocation: <user defined location>
The resulting stanza is:
ibm-slapdDbName: ldapdb2
dn: cn=Directory,cn=RDBM Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
objectclass: top
objectclass: ibm-slapdRdbmBackend
cn: Directory
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdDbInstance: ldapdb2
1.0 Must read known problems 7
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserPw: <user pw>
ibm-slapdDbLocation: <user defined location>
ibm-slapdDbConnections: 15
ibm-slapdSuffix: cn=localhost
ibm-slapdReadOnly: FALSE
13. If you used a UTF-8 datastore as described in step 9 on page 6, in the stanza:
dn: cn=Front End, cn=Configuration, you must uncomment the line:
#ibm-slapdSetEnv: DB2CP=1208
The database is ready for the Directory server to use. The first startup takes longer
because the server must create its own tablespaces and bufferpools. For further
reading and documentation, see the IBM Directory Server Version 5.1 Tuning Guide.
1.15 HTTPS for the embedded version of WebSphere Application
Server Express Version V5.0
The Embedded Version of WAS Express, V5.0 comes with HTTPS setup by default
on port 9443. To use HTTPS, you need to change your login URL to the following:
https://<hostname>:9443/IDSWebApp/IDSjsp/Login.jsp
For non-HTTPS connections, continue to use the URL:
http://<hostname>:9080/IDSWebApp/IDSjsp/Login.jsp
Additionally, if you want to change the application server’s SSL certificate, you
create new key and trust store database files for the WebSphere Application Server
Express to use. By default, the key and trust store database files are separate and
are located in the <WASHOME>/etc directory. These files are named
DummyServerKeyFile.jks and DummyServerTrustFile.jks respectively.
After you have created your new jks files, you can change the key and trust store
database files that WAS uses by modifying the following items (highlighted in
bold) in the <WASHOME>/config/cells/DefaultNode/security.xml file to use your
new file names, passwords, and file formats:
<repertoire xmi:id="SSLConfig_1" alias="DefaultSSLSettings">
<setting xmi:id="DefaultSSLSettings"
keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"
keyFilePassword="WebAS" keyFileFormat="JKS"
trustFileName="${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks"
trustFilePassword="WebAS" trustFileFormat="JKS"
clientAuthentication="false" securityLevel="HIGH"
enableCryptoHardwareSupport="false">
<cryptoHardware xmi:id="CryptoHardwareToken_1" tokenType=""
libraryFile="" password=""/>
<properties xmi:id="Property_4" name="com.ibm.ssl.protocol" value="SSLv3"/>
<properties xmi:id="Property_5" name="com.ibm.ssl.contextProvider"
value="IBMJSSE"/>
</setting>
</repertoire>
8 IBM Directory Server Version 5.1 README Addendum
1.16 Corrections to the Kerberos information in the Administration
Guide
To manage Kerberos settings using the Web Administration Tool, in the navigation
area you need to select Server administration, expand Manage security properties
and select the Kerberos tab. Follow the directions in the Administration Guide.
However, when you enter the Alternate administrator ID (Step 5), you must ensure
that this ID is a valid ID in your Kerberos realm.
In the Replication chapter, under ″Creating credentials″ in the section ″If you
selected Kerberos authentication:″ there is an error in the example. The corrected
text is: ″For example, if the supplier is named master.our.org.com and the realm is
SOME.REALM, the DN is ibm-Kn=ldap/[email protected].″
In this same chapter under the topic ″Adding the supplier information to the
replica″ note that in Step 1, you need to expand Server management in the
navigation area before you can click Manage replication properties. Also note that
in Step 5, the Kerberos bind DN example is missing a hyphen. The correct DN is
ibm-kn=ldap/<yourservername@yourrealm>.
1.17 /var requirements on UNIX platforms
Before you install on UNIX platforms, be sure that you have adequate space in the
/var directory. A minimum of 100 MB of free space in /var is recommended.
1.18 Before you configure: creating the DB2 database owner
Note: The information for UNIX platforms has been changed slightly from the
information in the Installation and Configuration Guide.
Before you configure the database, you must create a user ID for the user who will
own the DB2 database. The user ID you specify will own the database instance
where the DB2 database will exist, and the DB2 instance will be in the user’s home
directory. The user ID can be no longer than 8 characters. In addition:
v On Windows platforms, the user must be a member of the Administrators
group.
v On UNIX platforms:
– The user must have a home directory and must be the owner of the home
directory.
– The group ownership of the user’s home directory should be the DB2 group
created when DB2 was installed. On AIX and Solaris, this group is usually
named dbsysadm. On Linux for S/390, this group is usually named db2iadm.
For example, in the case of a user named ldapdb2, the user ID home
directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by
ldapdb2:db2iadm on Linux for S/390.
There might be some groups that do not work correctly as the user’s primary
group when configuring the database. For example, if the user’s primary
group on Linux is users, problems might occur. Use other on Linux if you
want to be sure that the primary group will work.
– The user root must be a member of the user’s primary group. If root is not a
member of this group, add root as a member of the group.
– For best results, the user’s login shell should be the Korn shell script
(/usr/bin/ksh).
1.0 Must read known problems 9
– The user’s password must be set correctly and ready to use. For example, the
password cannot be expired or waiting for a first-time validation of any kind.
(The best way to verify that the password is correctly set is to telnet to the
same computer and successfully log in with that user ID and password.)
– When configuring the database, it is not necessary, but only customary, to
specify the home directory of the user ID as the database location. However,
if you specify some other location, the user’s home directory still must have 3
to 4 MB of space available. This is because DB2 creates links and adds files
into the home directory of the instance owner (that is, the User) even though
the database itself is elsewhere.
1.19 Do not unzip or untar file in directory whose name contains
spaces
Be sure that the directory in which you unzip or untar the downloaded IBM
Directory Server file does not have any spaces in the directory name. If it does,
you might experience problems installing the embedded version of WebSphere
Application Server - Express, V5.0.
1.20 After changing ports, you must stop and restart the
administration daemon
After changing the ports that the server uses for secure or nonsecure
communications you must stop the server for changes to take effect. After stopping
the server you must also stop and start the Admin daemon to resynchronize the
ports. To stop and start the administration daemon:
v For UNIX-based systems, run the following commands:
PS -ef |grep ibmdiradm
kill -p pid_obtained_by_previous_commnand
ibmdiradm
v For Windows systems:
1. Through the Control Panel, open the Services window.
2. Click Directory Admin Daemon.
3. Click Action -> Stop.
4. Click Action -> Start.
Restart the server.
Remember, if you change the port setting for the server, you must also change the
port settings for the server in the console.
1.21 Activating the DB2 license file
In some cases, you might need to update or activate your DB2 license file.
To obtain information about your DB2 product and license, run the following
command:
db2licm -l
If the Expiry Date shown is ″Permanent″ you have a valid license. However, if the
field is ″Try and Buy″ you must activate the license file.
Other DB2 license considerations are:
10 IBM Directory Server Version 5.1 README Addendum
v If you install DB2 using native installation, you must activate the license file.
v If you install DB2 with the db2setup/db2_install script, you might need to
activate the license file.
v If you try to start the server and you do not have a valid DB2 license, the
following message is displayed:
SQL8008N The product "DB2 Workgroup Server Edition" does not have a valid
license key installed and the evaluation period has expired. Functions
specific to this product are not enabled.
SQL8000N DB2START processing failed; a valid product license was not
found.
Unable to connect to the database. Run db2start from the command line as
the database instance owner and try again.
In this case you must activate the license file.
v You can use the db2start command to find out if the license is expired. If the
license is correct, you see a message that the db2start was successful. Otherwise,
you see a message indicating that your license has expired.
To activate the license file, run the following command:
db2licm -a license_filename
Note: license_filename is the name of the license file; for example, db2udbee.lic. The
actual license file name is dependent on your DB2 installation. License files
have a file extension of lic.
For more information about DB2 licenses, see the DB2 documentation.
1.22 Installing the embedded version of WebSphere Application Server
- Express
In the Installation and Configuration Guide, Appendix D, in the sections called
″Installing the embedded version of WebSphere Application Server - Express″ and
″Installing the Web Administration Tool into the embedded version of WebSphere
Application Server - Express,″ some of the instructions are incorrect. Use the
following procedures instead.
1. After you download and unzip (or untar) the IBM Directory Server zip or tar
file, change directories to the directory where you expanded the file.
2. Type the following command at a command prompt:
v On Windows systems:
install.bat -installRoot embWASE_installpath -hostName localhost
v On AIX, Linux, Solaris, and HP-UX systems:
install.sh -installRoot embWASE_installpath -hostName localhost
where embWASE_installpath is the directory where you are installing the
embedded version of WebSphere Application Server - Express. By convention,
this directory is the appsrv subdirectory of the directory where IBM Tivoli
Directory Server is installed, but you can use any directory.
Install the Web Administration Tool, using either the InstallShield GUI or an
operating system utility for your operating system. After installing the Web
Administration Tool, copy the Web Administration Tool to the embedded
version of WebSphere Application Server - Express directory by using the
following commands:
v On Windows systems:
1.0 Must read known problems 11
md embWASE_installpath\installableApps\
copy installpath\idstools\IDSWebApp.war installpath\appsrv\installableApps\
v On AIX, Linux, Solaris, and HP-UX systems:
mkdir embWASE_installpath/installableApps/
cp installpath/idstools/IDSWebApp.war installpath/appsrv/installableApps/
where
v embWASE_installpath is the directory where you are installing the embedded
version of WebSphere Application Server - Express. By convention, this
directory is the appsrv subdirectory of the directory where IBM Tivoli
Directory Server is installed, but you can use any directory.
v installpath is the directory where IBM Tivoli Directory Server is installed.
Installing the Web Administration Tool into the embedded
version of WebSphere Application Server - Express
Install the Web Administration Tool into the embedded version of WebSphere
Application Server - Express by using the following command:
v On Windows systems:
"embWASE_installpath\bin\wsadmin.bat" -conntype NONE -c "$AdminApp
install {embWASE_installpath\installableApps\IDSWebApp.war}
{-configroot \"embWASE_installpath\config\"
-node DefaultNode -usedefaultbindings -nodeployejb -appname IDSWebApp.war
-contextroot \"IDSWebApp\"}"
Note: Type the command on one line.
v On AIX, Linux, Solaris, and HP-UX systems:
"embWASE_installpath/bin/wsadmin.sh" -conntype NONE -c "\$AdminApp
install {embWASE_installpath/installableApps/IDSWebApp.war}
{-configroot \"embWASE_installpath/config\"
-node DefaultNode -usedefaultbindings -nodeployejb -appname IDSWebApp.war
-contextroot \"IDSWebApp\"}"
embWASE_installpath is the directory where you are installing the embedded
version of WebSphere Application Server - Express. By convention, this directory is
the appsrv subdirectory of the directory where IBM Tivoli Directory Server is
installed, but you can use any directory.
Note: If you install the Web Administration Tool and the embedded version of
WebSphere Application Server - Express through the InstallShield GUI, these
commands are run automatically.
1.23 JDK 1.3 required for GSKit
To use GSKit, the JDK 1.3 is required. The version of Java™ that is installed with
IBM Directory Server 5.1 is not tested with GSKit and is not supported.
1.24 SQL1092N error message when configuring a database using the
ldapcfg utility
When attempting to configure the database using the ldapcfg utility on
UNIX-based operating systems, the following error message might be displayed:
failed to Catalog instance node:
This failure occurs after the instance is created successfully. The SQL error code in
the trace file (dbg.log) is 1092N.
12 IBM Directory Server Version 5.1 README Addendum
SQL1092N "ROOT" does not have the authority to perform
the requested command.
In order to correct this problem
1. Verify that the ″root″ user is a member of the correct db2 group (for example,
dbsysadm on AIX).
2. Verify that the /etc/passwd entry for the instance owner (for example,
ldapdb2) has the correct group membership number (for example, 400) for the
db2 group (for example, dbsysadm).
The following are examples of how the group and passwd entries might look.
The /etc/group dbsysadm entry contains something similar to:
dbsysadm:!:400:ldapdb2,root
The /etc/passwd ldapdb2 entry contains something similar to:
ldapdb2:!:239:400::/home/ldapdb2:/usr/bin/ksh
Note: This error might occur on an AIX system, if the following two operating
system attributes for the root user are set to false. Setting the attributes to
true enables the database to be configured successfully.
v User can LOGIN
v User can LOGIN REMOTELY
1.25 Starting the application server on UNIX platforms
For UNIX platforms, to start the application server to use the Web Administration
Tool (see Chapter 11 of the Installation and Configuration Guide), use the following
information:
If you are using the embedded version of WebSphere Application Server - Express,
V5.0 as your application server, go to the directory where you installed the
embedded version of WebSphere Application Server - Express, V5.0 and type
startServer.sh server1 at a command prompt.
1.26 Create the key database certificate before setting up SSL.
Before setting up SSL communications on your server, you must use the GSKit
utility, gsk6ikm, to create the necessary certificates. See ″Using gsk6ikm″ and
″Secure Sockets Layer″ in the IBM Directory Server Version 5.1 Administration Guide.
1.27 Port settings cannot be changed when configuring security
settings
In chapter 10 of the IBM Directory Server version 5.1 Administration Guide in the
section ″Configuring security settings″ the Web Administration task step 3 instructs
you to specify the secure port number to use. The port number can no longer be
specified in this task. Omit step 3. If you want to change port numbers see,
″Chapter 3. Web Administration graphical user interface (GUI)″ and ″Chapter 6.
Setting server properties″.
1.28 Remote databases not supported
IBM Directory Server does not support remote databases.
1.0 Must read known problems 13
1.29 Before you install: setting kernel parameters for Solaris and
HP-UX
The information about setting kernel parameters before installing on Solaris has
been changed from the information in the Installation and Configuration Guide. Use
the following information instead of the information in "Chapter 8. Installing using
Solaris utilities", in the section entitled ″Before you install on Solaris.″ In addition,
use this information for HP-UX also.
With the HP-UX and Solaris versions of DB2, version 8.1, a utility called db2osconf
is provided. The db2osconf utility determines the correct kernel settings for your
computer.
On the Solaris Operating Environment, there are two versions of the db2osconf
utility: one for 64-bit kernels and one for 32-bit kernels. The utility must be run as
root or with the group sys because it accesses the following special devices
(accesses are read-only):
crw-r----- 1 root sys 13, 1 Jul 19 18:06 /dev/kmem
crw-rw-rw- 1 root sys 72, 0 Feb 19 1999 /dev/ksyms
crw-r----- 1 root sys 13, 0 Feb 19 1999 /dev/mem
1. To run the utility, type db2osconf at a command prompt.
Note: To view the usage information for the utility, type db2osconf -h. The
following information is displayed:
Usage:
-c # Client only
-f # Compare to current
-h # Help screen
-l # List current
-m <mem in GB> # Specify memory in GB
-n <num CPUs> # Specify number of CPUs
-p <perf level> # Msg Q performance level (0-3)
-s <scale factor> # Scale factor (1-3)
-t <scale factor> # Number of threads
2. Use the output from the db2osconf utility to update the /etc/system file.
The following is an example of output:
set msgsys:msginfo_msgmax = 65535
set msgsys:msginfo_msgmnb = 65535
set msgsys:msginfo_msgmni = 1280
set msgsys:msginfo_msgtql = 1280
set semsys:seminfo_semmni = 1536
set semsys:seminfo_semmns = 3226
set semsys:seminfo_semmnu = 1536
set semsys:seminfo_semume = 240
set shmsys:shminfo_shmmax = 466086297
set shmsys:shminfo_shmmni = 1536
set shmsys:shminfo_shmseg = 240
Total kernel space for IPC:
0.21MB (shm) + 1.47MB (sem) + 1.22MB (msg) == 2.91MB (total)
End suggestions.
Note: If you do not use the -l or -f switches, the db2osconf utility displays the
kernel parameters using the syntax of the /etc/system file. To prevent
errors, you can cut and paste this output directly into the /etc/system
file.
For more information, see the DB2 documentation.
14 IBM Directory Server Version 5.1 README Addendum
If you make updates to your system configuration, run the utility again.
On DB2 version 7 on Solaris, look in the /opt/IBM/db2/Vdb2version/cfg
directory for files named kernel.param.memory_size. These files contain
information about updating kernel parameters with appropriate values for
computers with different amounts of memory.
1.30 Before you use ldapcfg
Before you use ldapcfg:
v On a UNIX system, log in as root.
v On a Windows system, log on as any user in the Administrators group.
1.31 dbback command restrictions
The dbback command is used to backup your database when the server is offline.
You must stop the server before using this command.
1.32 Migration from IBM Directory Server Version 4.1 for UNIX
installations
The IBM Directory Server version 5.1 Installation and Configuration Guide does not
contain information about migrating user-defined schema files in the section for
migrating from IBM Directory Server 4.1 for UNIX-based platforms. The
information has been corrected here.
The instructions in this section are for Solaris, Linux, Linux for S/390, and HP-UX.
Do not use these instructions to migrate on an AIX system. If you are migrating on
an AIX system, see “2.1.12 Migration from IBM Directory Server version 4.1 for
AIX installations” on page 20.
To migrate an existing directory server:
Pre-installation steps:
1. Back up the previous versions of the slapd32.conf and any schema files from
the install_path/etc directory to the install_path/etc/userV51 directory. (You
must create the install_path/etc/userV51 directory.) install_path is the directory
where IBM Directory Server 4.1 is installed.
These files have the following file extensions:
v .oc
v .at
v .conf
Be sure that you also back up any user-defined schema files.
2. Back up the following files:
v V3.ldapsyntaxes
v V3.matchingrules
v V3.modifiedschema3. Uninstall IBM Directory Server 4.1. (Do not uninstall on HP-UX systems.)
Installation steps:
4. Install IBM Directory Server 5.1 using one of the following:
v pkgadd for Solaris.
1.0 Must read known problems 15
v RPM for Linux (Intel) and Linux for S/390.
v swinstall for HP-UX.
See the IBM Directory Server Installation and Configuration Guide for information.
5. Migrate the configuration and schema by executing the migrate51 script. Type
the following at a command prompt:
cd install_path/etc
../sbin/migrate51
Note: You must run the migrate51 script even if you did not modify the
previous schema. There are new schema files and entries in the
ibmslapd.conf file that are not compatible with previous versions.
6. Move all user-defined schema files from the backup directory to the
install_path/etc directory.
1.33 Correction to C-Client SDK Programming Reference: Must free
memory used by res
In the C-Client SDK Programming Reference, there is a correction to the
LDAP_SEARCH API category (see ″Chapter 3. API Categories″).
In the Usage section for LDAP_SEARCH, the last sentence of the fifth paragraph
currently reads:
″The results contained in res must be freed when no longer in use by calling
ldap_msgfree().″
This sentence should instead say:
″The memory allocated for res must be freed when no longer in use, whether or
not the operation was successful, by calling ldap_msgfree().″
1.34 Adding ibm-slapdFrontEnd objectclass to configuration file after
migration
If you migrated from IBM SecureWay Directory 3.2.x, you might need to manually
add the ibm-slapdFrontEnd objectclass to the ″cn=Front End, cn=Configuration″
stanza of the ibmslapd.conf file. This might be necessary even if you migrated to
IBM Directory Server 4.1 before migrating to IBM Directory Server 5.1.
Look in the ibmslapd.conf file for the stanza that starts with
dn: cn=Front End, cn=Configuration
cn: Front End
Look for the following line in the stanza. If you do not see it, add it to the end of
the stanza:
objectclass: ibm-SlapdFrontEnd
1.35 Upgrading DB2: invalid link in documentation
In the Server README, the section called "Upgrading to a new level of DB2"
contains a link to a document that no longer exists. For information about
upgrading your level of DB2, see the DB2 documentation.
16 IBM Directory Server Version 5.1 README Addendum
|
|||
2.0 Must read known problems – platform specific
This information applies to the following operating systems:
2.1 For AIX only
The following information applies only to the AIX operating system.
2.1.1 Supported levels of the AIX operating system
The IBM Directory Server Version 5.1 is supported on the following levels of the
AIX operating system:
v On the AIX operating system Release 4.3.3 and on higher maintenance levels of
AIX Release 4.3
v On the AIX operating system Release 5.1L and on higher maintenance levels of
AIX Release 5.1
v On the AIX operating system Release 5.2A and on higher maintenance levels of
AIX Release 5.2
Note: If you are using SSL with Release 5.2A, you need to install the fix for
APAR IY33524.
2.1.2 Preventing logouts on AIX 5.x systems when
InstallShield GUI is invoked
Before installing or uninstalling the IBM Directory Server Version 5.1 using the
InstallShield GUI on AIX 5.x systems, be sure you issue the following command:
xset fp default
This command prevents logouts from occurring when InstallShield GUI is invoked.
2.1.3 Locales for InstallShield GUI panels
For the READMEs to display correctly in the InstallShield GUI panels the
following languages need to use the correct locales:
Table 1.
Language Locale
Japanese Ja_JP
Traditional Chinese Zh_TW
2.1.4 Missing titles from ldapxcfg panels in simplified and
traditional Chinese
On the AIX 5.1 operating system, the ldapxcfg panels for simplified and traditional
Chinese are missing titles. This situation is corrected by AIX 5.1 maintenance level
3 (5100–03).
2.1.5 Error code -1 at startup
If DB2 is not already started, you might see the following message when starting
the server:
17
Error code -1 from odbc string:" SQLConnect " ldapdb2b.
This occurs because the IBM Directory Server is trying to connect to DB2, before
DB2 is started. If you see the message:
SQL1063N DB2START processing was successful.
you can ignore the previous error message because the Directory Server has started
DB2 and subsequently connected to it.
2.1.6 Migrating DB2 fix pack 3 to DB2 fix pack 7
When migrating from DB2 FP 3 to DB2 FP 7 on the AIX operating system, be sure
to complete all of the ″After Installation″ steps in the FixpakReadme.txt file that is
packaged with DB2 FP7. These steps include:
v Update Instances
v Enabling scalar functions (if applicable)
v Rebinding bind files
Also, perform the ″Special Notes®″ section steps, if they are applicable to your
installation.
2.1.7 Applying DB2 8.1 fix packs on AIX 5.x systems
If you are using a AIX 5.x operating system and you have obtained DB2 Version
8.1 from the IBM Directory Server Version 5.1 package, you must use the installp
utility to apply future DB2 fix packs. The GUI installer that is provided with the
fix pack does not work in this case.
2.1.8 Enabling asynchronous IO
On AIX, if you are using DB2 8.1, you must enable Asynchronous IO before you
begin configuration. To enable Asynchronous IO, type the following at a command
prompt:
smitty aio
2.1.9 Configuration program fails on AIX with 0509-136 errors
Because of an AIX library change, ldapcfg and ldapxcfg sometimes fail with
0509-136 errors while configuring the DB2 database on AIX 5.1 or 5.2.
To avoid this error, do the following at the AIX level:
1. Run smitty chgaio.
2. Set STATE to be configured at system restart to available.
3. Press Enter.
4. Restart the system.
The following is a sample of the output of ldapcfg when the failure occurs:
Starting database manager for instance: ’ldapdb2’.
exec(): 0509-036 Cannot load program db2start because of the
following errors:
0509-130 Symbol resolution failed for
/usr/lib/threads/libc.a(aio.o) because:
0509-136 Symbol kaio_rdwr (number 0) is not exported from
dependent module /unix.
0509-136 Symbol listio (number 1) is not exported from
dependent module /unix.
0509-136 Symbol acancel (number 2) is not exported from
dependent module /unix.
18 IBM Directory Server Version 5.1 README Addendum
0509-136 Symbol iosuspend (number 3) is not exported from
dependent module /unix.
0509-136 Symbol aio_nwait (number 4) is not exported from
dependent module /unix.
0509-130 Symbol resolution failed for
/usr/opt/db2_08_01/lib/libdb2e.a(shr.o) because:
0509-136 Symbol aio_nwait (number 416) is not exported from
dependent module /usr/lib/threads/libc.a(aio.o).
0509-192 Examine .loader section symbols with the
’dump -Tv’ command.
Failed to start database manager for instance: ’ldapdb2’.
Creating database: ’ldapdb2’.
exec(): 0509-036 Cannot load program db2start because of the
following errors:
0509-130 Symbol resolution failed for
/usr/lib/threads/libc.a(aio.o) because:
0509-136 Symbol kaio_rdwr (number 0) is not exported from
dependent module /unix.
0509-136 Symbol listio (number 1) is not exported from
dependent module /unix.
0509-136 Symbol acancel (number 2) is not exported from
dependent module /unix.
0509-136 Symbol iosuspend (number 3) is not exported from
dependent module /unix.
0509-136 Symbol aio_nwait (number 4) is not exported from
dependent module /unix.
0509-130 Symbol resolution failed for
/usr/opt/db2_08_01/lib/libdb2e.a(shr.o) because:
0509-136 Symbol aio_nwait (number 416) is not exported from
dependent module /usr/lib/threads/libc.a(aio.o).
0509-192 Examine .loader section symbols with the
’dump -Tv’ command.
Failed to create database: ’ldapdb2’.
Removing database: ’ldapdb2’
2.1.10 Error on AIX 5.1 when running db2start
The following error might occur when you try to run db2start:.
0509-130 Symbol resolution failed for /usr/lib/threads/libc.a(aio.o)
because:
0509-136 Symbol kaio_rdwr (number 0) is not exported from
dependent module /unix.
0509-136 Symbol listio (number 1) is not exported from
dependent module /unix.
0509-136 Symbol acancel (number 2) is not exported from
dependent module /unix.
0509-136 Symbol iosuspend (number 3) is not exported from
dependent module /unix.
0509-136 Symbol aio_nwait (number 4) is not exported from
dependent module /unix.
0509-192 Examine .loader section symbols with the
’dump -Tv’ command.
If this occurs on AIX 5.1, you have Asynchronous I/O turned off.
To turn on Asynchronous I/O:
1. Run smitty chgaio and set STATE to be configured at system restart from
defined to available.
2. Press Enter.
3. Do one of the following:
v Restart your system.
v Run smitty aio and move the cursor to Configure defined Asynchronous
I/O. Then press Enter.
2.0 Must read known problems – platform specific 19
The db2start command now works.
2.1.11 Installing the SSL client, server, or Web Administration
Tool
If you want an SSL client, server, or Web Administration Tool, first install the
non-SSL client, server, or Web Administration Tool and then install the SSL fileset.
The SSL filesets are not documented in the IBM Directory Server version 5.1
Installation and Configuration Guide or the IBM Directory Server version 5.1 Client
Readme. (To use SSL, you must also install GSKit.)
v For the client: install ldap.client and ldap.max_crypto_client
v For the server: install ldap.server and ldap.max_crypto_server
v For the Web Administration Tool: install ldap.webadmin and
ldap.max_crypto_webadmin
2.1.12 Migration from IBM Directory Server version 4.1 for AIX
installations
The IBM Directory Server version 5.1 Installation and Configuration Guide does not
contain information about migrating user-defined schema files in the section for
migrating from IBM Directory Server 4.1 for AIX platforms. The information has
been corrected here.
The instructions in this section are for AIX installations. For Solaris, Linux, Linux
for S/390, and HP-UX, see “1.32 Migration from IBM Directory Server Version 4.1
for UNIX installations” on page 15.
To migrate an existing directory server on AIX:
Pre-installation steps:
1. Back up the previous versions of the slapd32.conf and any schema files from
the install_path/etc directory to the usr/ldap/etc/userV51 directory. (You must
create the usr/ldap/etc/userV51 directory.) install_path is the directory where
IBM Directory Server 4.1 is installed.
These files have the following file extensions:
v .oc
v .at
v .conf
Be sure that you also back up any user-defined schema files.
2. Back up the following files:
v V3.ldapsyntaxes
v V3.matchingrules
v V3.modifiedschema
Installation steps:
3. Install IBM Directory Server 5.1 using SMIT. See the IBM Directory Server
Installation and Configuration Guide for information.
Post-installation steps:
4. Migrate the configuration and schema by executing the migrate51 script. Type
the following at a command prompt:
cd install_path/etc
../sbin/migrate51
20 IBM Directory Server Version 5.1 README Addendum
Note: You must run the migrate51 script even if you did not modify the
previous schema. There are new schema files and entries in the
ibmslapd.conf file that are not compatible with previous versions.
5. Move all user-defined schema files from the backup directory to the
install_path/etc directory.
2.2 For Windows only
The following information applies only to Windows platforms.
2.2.1 Setting LANG and LC_ALL system environment variables
for nonEnglish InstallShield GUI installation
For the InstallShield GUI installation to bring up the same language that the
operating system is using, two variables need to be set in the system environment
v LANG = <locale>
v LC_ALL = <locale>
where <locale> is the locale that the operating system is using.
Go to http://www.microsoft.com/globaldev/ for a list of Microsoft® locale values.
2.2.2 Uninstalling Version 5.1 shows Version 4.1 option
If you have migrated from IBM Directory Server Version 4.1 to Version 5.1, and
you are performing an InstallShield GUI uninstall, the DMT 4.1 and Java 1.3
feature is listed as an uninstallable selection. Although this is no longer supported
in Version 5.1 this feature continues to be listed until you select and remove it
using the InstallShield GUI uninstall process.
2.2.3 Installing and uninstalling DB2 with InstallShield GUI
If you installed DB2 version 7.2 for Windows with the InstallShield GUI V4.1, you
must use the InstallShield GUI to uninstall DB2. Click Start -> Settings -> Control
Panel -> Add/Remove Programs -> IBM Directory Server and select the DB2
feature.
If instead you use the DB2 uninstall for version 7.2 without using InstallShield GUI
(Start -> Settings -> Control Panel -> Add/Remove Programs -> DB2), and later
install DB2 V 8.1 with InstallShield GUI for version 5.1, the new uninstall features
panel for the 5.1 InstallShield GUI shows DB2 V7.2, not DB2 V8.1. This occurs even
though DB2 V8.1 is the actual version installed.
Note: If you select DB2 V7.2 during an InstallShield GUI uninstall in this situation,
the InstallShield GUI does uninstall DB2 V8.1.
2.2.4 Tomcat Web application does not start with IBM JDK
1.3.1
If you are using the IBM JDK 1.3.1, you might not be able to start the Tomcat Web
application. This is a known limitation.
If you must use Tomcat, you have two alternatives:
v Obtain a copy of Sun 1.3.1 Service release 4 (1.3.1_4).
v Use the IBM JDK 1.3.0 Service release 13a.
2.0 Must read known problems – platform specific 21
2.2.5 Certain UTF-8 supplementary characters do not display
correctly
IBM Directory Server supports UTF-8 (Unicode Transformation Format, 8-bit form)
to use Unicode characters, which contains MS932 (Shift JIS) characters plus
supplementary characters not defined in MS932. Supplementary characters might
be displayed as square box in Internet Explorer running on Windows NT® and
Windows 2000. See Figure 1.
If this occurs, install one of the East Asian language kits. Depending on your
environment, install the Japanese, Korean, Simplified Chinese or Traditional
Chinese language kit which is included in your Windows NT and Windows 2000
CDs. For example, Unicode code point U+9DD7 is one of the supplementary
characters in the Japanese environment. With the correct language kit installed, the
supplementary character is displayed correctly. See Figure 2.
Note: This problem is not observed in Windows XP.
2.2.6 Configuration utilities do not work with DB2 7.2 Fix pack
10
The ldapcfg and ldapxcfg utilities do not work with DB2 7.2 Fp10.
Do not to upgrade to this level of DB2, if you want to use ldapcfg or ldapxcfg
utilities to configure the database. If you do upgrade to Fix pack 10, you are going
to have to configure the database manually.
2.3 For Solaris Operating Environment Software only
The following information applies only to the Solaris Operating Environment
Software.
2.3.1 Locales for InstallShield GUI panels
For the READMEs to display correctly in Japanese in the InstallShield GUI panels
the locale needs to be set to ja.
2.3.2 Command line installation using pkgadd
To install the IBM Directory Server Version 5.1 from a command prompt:
Figure 1. Unicode Code Point U+9DD7 displayed as a square
Figure 2. U+9DD7 displayed correctly
22 IBM Directory Server Version 5.1 README Addendum
1. Go to the ids subdirectory of the directory where you mounted the CD-ROM or
where you untarred the tar file.
2. At the command prompt, install the packages you want by typing the
following command for each package:
pkgadd -d pkgfilename
where pkgfilename is the file name of the package you want to install. Do not
use the system default of ALL. The system does not sequence the packages
correctly and the installation fails.
The packages shown in the following table are available. If you are installing
the server, you must install the client package first, and then the server
package. You can then install the documentation, the messages, and the Web
Administration Tool in any order.
Table 2. IBM Directory Server packages for Solaris
Package Package name File name
IBM Directory Client IBMldapc ldap.client_rted.pkg
IBM Directory Server IBMldaps ldap.server_rted.pkg
IBM Directory documentation IBMldixxx ldap.man.xx_XX.pkg
IBM Directory messages IBMldmxxx ldap.msg.xx_XX.pkg
IBM Directory Webadmin IBMldapw ldap.webadmin_rted.pkg
xxx and xx_XX are specific language identifiers.
Note: The English messages are automatically installed with the IBMldaps
(server) package. There is no separate package for English messages.
Examples:
v To install the client package, type:
pkgadd -d ldap.client_rted.pkg
v To install the server package, type:
pkgadd -d ldap.server_rted.pkg
v To install the documentation package, type:
pkgadd -d ldap.man.xx_XX.pkg
v To install the message package, type:
pkgadd -d ldap.msg.xx_XX.pkg
v To install the Web Administration Tool package, type:
pkgadd -d ldap.webadmin_rted.pkg
3. During installation, you are asked if you want to use /opt as the base directory.
If space permits, use /opt as the base installation directory. To accept /opt as
the base directory, press Enter.
Notes:
a. With the installation of client and server packages, the system prompts you
with the query, This package contains scripts which will be executed
with super-user permission during the process of installing the
package. Continue with installation? These scripts create the IBM
Directory Server Version 5.1 user ID. Type y to continue.
b. If you are installing the server package, you also see the prompt, Do you
want to install these as setuid and/or setgid files? The programs
need to be able to start daemons, run DB2 commands, and create the IBM
2.0 Must read known problems – platform specific 23
Directory Server Version 5.1 DB2 instance user ID and group, so they
occasionally need to run as root. Type y to continue.4. When the installation is completed, type q to return to the command prompt.
2.4 For Linux only
The following information applies only to the Linux operating systems.
2.4.1 CD-ROM does not eject from Linux machines
When installing the server from a CD-ROM using the native RPM installation
method on a Linux machine, the CD-ROM fails to eject. To eject the CD-ROM, you
must either reboot your system or stop the ibmdiradm process.
To stop the ibmdiradm process issue the following command to obtain the PID
number of the ibmdiradm process:
ps -ef |grep ibmdiradm
This command returns output similar to this example:
ldap 7048 1 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7049 7048 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7050 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7051 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7052 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7053 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7054 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7055 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7056 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7057 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7058 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7059 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
ldap 7060 7049 0 10:26 pts/1 00:00:00 /usr/bin/ibmdiradm
In this example the PID for ibmdiradm is 7048. To stop the ibmdiradm process,
issue the following command:
kill -9 <PID>
In this example, 7084 is the PID, so the command is:
kill -9 7084
After ejecting the CD-ROM, restart the ibmdiradm process by issuing the
command:
ibmdiradm
Note: This problem does not occur if you use the InstallShield GUI installation
method.
2.4.2 Java failure when configuring an existing instance and
database
If you are using Intel Linux SuSE 7.3, SuSE 8.0, or Red Hat Advanced Server 2.1,
with DB2 v8.1 and you are configuring an existing instance and database, a Java
failure might occur after the configuration is completed. This failure, however, can
be ignored. The instance and database are successfully configured. For example, if
you issued the command:
ldapcfg -a <myuserID> -w <mypassword> -d <mydatabase> -l /home/<myuserID>
24 IBM Directory Server Version 5.1 README Addendum
the following message might be displayed after the completion of the configuration
process:
IBM Directory Server Configuration complete.
Unexpected exception has occurred:
ReportedExceptionCode = b, at ExceptionAddress = 74736574
ACCESS_VIOLATION occured outside Interpreter and JITed code
ExecMode = EXECMODE_BYTECODE
stackpointer=0xbffc7370
Writing Java core file ....
Written Java core to /var/ldap/javacore9151.1035571351.txt
Abort
2.4.3 Incorrect display when installing with the InstallShield
GUI on a system set to a Japanese locale
On Linux Red Hat 7.3, if you are using the InstallShield GUI to install on a system
with the locale set for Japanese, the list of languages displays as question marks.
Use the linux utility (RPM) instead of the InstallShield GUI for installation to avoid
this behavior. See the IBM Directory Server Version 5.1 Installation and Configuration
Guide, Chapter 7, for the installation information.
2.4.4 InstallShield GUI uninstall does not remove the appsrv
directory
On Linux systems, when uninstalling the embedded version of IBM WebSphere
Application Server - Express using the InstallShield GUI, the /usr/ldap/appsrv
directory is not removed. You are not able to reinstall the embedded version of
IBM WebSphere Application Server - Express using the InstallShield GUI until
the appsrv directory is removed.
To remove this directory manually, issue the command:
rm -rf /usr/ldap/appsrv
2.4.5 Linux S/390 client operations fail with SSL using GSKit
6.0
To perform client functions on SuSE 7.0 and Red Hat 7.2 on Linux for S/390 with
kernel level 2.4.x, you must download and install the compat-libstdc++-2.10.0-1.s390.rpm package. This package contains compatibility Standard C++ libraries
that allow older binaries (created with old versions of compilers) to execute.
You also need to set the following environment variable:
export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3
Notes:
1. You must specify the absolute path of the library.
2. When this variable is set, you are not able to start or stop the server from this
window. You must use a separate window that does not have the
LD_PRELOAD variable set if you want to start or stop the server.
2.4.6 DB2 opt file requirements
The InstallShield GUI does not verify the amount of space in the /opt directory.
Before installing DB2 V8.1 on Linux using the InstallShield GUI, ensure that you
have at least 329MB of free space in the /opt directory.
2.0 Must read known problems – platform specific 25
2.4.7 GSKit 6.0.3 is not supported on Intel Linux
GSKit 6.0.3 is not being supported on Intel Linux for this release. GSKit 5.0.4.58 is
included in the packages for the Intel Linux distributions. Consequently, the rpm
file name (gsk5bas-5.0-4.58.i386.rpm) is different than the one documented in the
IBM Directory Server Version 5.1 Installation and Configuration Guide. Ensure that you
use the correct file names when installing GSKit.
2.4.8 Clarification of DB2 requirements
The system requirement for DB2 on Linux needs to be clarified. The Installation and
Configuration Guide specifies:
DB2 Universal Database for Linux - Personal or Enterprise edition - version 7.1
with FixPak 3 or later (DB2). DB2 Version 7.2 Personal edition is included with
the IBM Directory and is installed if a supported version of DB2 is not detected
on your system. If you have a version of DB2 earlier than Version 7.1 with
FixPak 3 installed on your system, you must remove it or upgrade it before
installing the IBM Directory version 5.1.
Personal edition
is supported on Intel versions of Linux.
Enterprise edition
is supported on Linux S/390.
2.4.9 Correction to Installation Guide: no Java requirements
for Linux
In the Installation and Configuration Guide, the section called ″Linux or Linux for
S/390 operating system server requirements″ contains the following statement:
v If you plan to use the InstallShield GUI to install or the Configuration Tool for
configuration on Linux, see ″Linux operating system client requirements″ for
Java requirements.
You can ignore this statement. There are no Java requirements on Linux or Linux
for S/390.
2.4.10 Removing existing versions of LDAP on Linux
In the Installation and Configuration Guide, the section titled "Installing the IBM
Directory Server " in the chapter "Installing using Linux utilities" includes the
following note:
Note: Before installing the Installing the IBM Directory Server, you must remove
any existing versions of LDAP that might have been installed previously. If
you try to install the Installing the IBM Directory Server over an existing
version of LDAP, the Installing the IBM Directory Server does not install
correctly. If this occurs you must remove the Installing the IBM Directory
Server and then reinstall it.
One method to determine if you have a previously installed version of
LDAP is to issue the following command to query the installed packages:
rpm -qa | grep -i ldap
This command finds any installed applications containing the name ldap.
This method works only if you have a version of LDAP that contains the
string ldap in its application names.
This note applies to the InstallShield GUI installation on Linux platforms also.
26 IBM Directory Server Version 5.1 README Addendum
2.4.11 Correction to Installation and Configuration Guide: no
webadmin package on Linux systems
On Linux systems (both xSeries and zSeries), there is only one Web Administration
Tool package, and it is SSL enabled. The name of this package is:
v ldap-webadmind-5.1-1.i386.rpm for Intel-based Linux systems
v ldap-webadmind-5.1-1.s390.rpm for Linux for S/390 systems
Therefore, in the Installation and Configuration Guide:
v In the Chapter called ″Installing using Linux utilities,″ in the section called
″Installing the IBM Directory Server,″ the list of packages is incorrect for both
types of Linux systems:
– There is no ldap-webadmin-5.1-1.i386.rpm (No SSL) package for Intel-based
Linux systems. The list of packages should be:
Intel-based Linux packages:
- ldap-server-5.1-1.i386.rpm (no SSL)
- ldap-client-5.1-1.i386.rpm (no SSL)
- ldap-serverd-5.1-1.i386.rpm (SSL enabled)
- ldap-clientd-5.1-1.i386.rpm (SSL enabled)
- ldap-msg-xxx-5.1-1.i386.rpm (Where xxx is language dependent.)
- ldap-html-xxx-5.1-1.i386.rpm (Where xxx is language dependent.)
- ldap-webadmind-5.1-1.i386.rpm (SSL enabled)– There is no ldap-webadmin-5.1-1.s390.rpm (No SSL) package for Linux for
S/390 systems. The list of packages should be:
Linux for S/390 packages:
- ldap-server-5.1-1.s390.rpm (no SSL)
- ldap-client-5.1-1.s390.rpm (no SSL)
- ldap-serverd-5.1-1.s390.rpm (SSL enabled)
- ldap-clientd-5.1-1.s390.rpm (SSL enabled)
- ldap-msg-xxx-5.1-1.s390.rpm (Where xxx is language dependent.)
- ldap-html-xxx-5.1-1.s390.rpm (Where xxx is language dependent.)
- ldap-webadmind-5.1-1.s390.rpm (SSL enabled)v In the same section, the following procedure is not valid:
To install the Web Administration Tool with no SSL:
1. Type the following at a command prompt:
rpm -ihv ldap-webadmin-5.1-1.i386.rpm
v In the chapter called ″Unconfiguring the server and uninstalling IBM Directory
Server,″ in the ″Linux operating system″ section under ″Uninstalling using
operating system utilities,″ the list of commands for Intel-based Linux systems
should be:
rpm -ev ldap-server-5.1-1
rpm -ev ldap-webadmind-5.1-1
rpm -ev ldap-client-5.1-1
rpm -ev ldap-msg-xxx-5.1-1.i386.rpm (Where xxx is
language dependent.)
rpm -ev ldap-html-xxx-5.1-1.i386.rpm (Where xxx is
language dependent.)
For Linux for S/390 systems, use the following commands:
2.0 Must read known problems – platform specific 27
rpm -ev ldap-server-5.1-1
rpm -ev ldap-webadmind-5.1-1
rpm -ev ldap-client-5.1-1
rpm -ev ldap-msg-xxx-5.1-1.s390.rpm (Where xxx is
language dependent.)
rpm -ev ldap-html-xxx-5.1-1.s390.rpm (Where xxx is
language dependent.)
2.4.12 Uninstallation of Web Administration Tool package fails
if ldap user and group do not exist
On Linux systems, if you try to uninstall the ldap-webadmind-5.1-1 package and
the ldap user and group are not present on the computer, the uninstallation fails.
To successfully uninstall this package, you can do one of the following:
v Create the ldap user and group, and then uninstall.
v Run the rpm command with the --noscripts option. For example:
rpm -e ldap-webadmind-5.1-1 --noscripts
2.5 For HP-UX only
This information applies to the HP-UX operating system only.
2.5.1 HP-UX 11 client is supported
In addition to supporting the directory server and client on the HP-UX 11i
operating system, the IBM Directory Server Version 5.1 client is also supported on
the HP-UX 11 operating system.
2.5.2 Directory server fails on HP-UX 11i with DB2 8.1 with
FixPak 7, 7a, 8, or 9
If you are using IBM Directory Server 5.1 on HP-UX 11i with DB2 8.1 with FixPak
7, 7a, 8, or 9, the directory server might fail with the following message:
069:15:30:54 T1 381169 2087 usec SQLAllocConnect() => 0,henv = 1, hdbc = 1
069:15:30:54 T1 retrieving SQLERROR info
069:15:30:54 T1 henv=0,hdbc=1,native retcode = -1366; state = " "; message =
"[IBM][CLI Driver] SQL1366N A se
curity plug-in "IBMOSauthclient" processing error occurred on the client. Reason code = "7".
"
This problem will be fixed in FixPak 10 by the fix for DB2 APAR IY71676. You can
either apply FixPak 10 or return to an earlier DB2 FixPak level.
28 IBM Directory Server Version 5.1 README Addendum
3.0 General information, hints and tips
This information applies to the AIX, Windows NT, Windows 2000, the Solaris
Operating Environment Software, and Linux platforms.
3.1 Peer-to-peer scenario with Web Administration Tool
This procedure was used to set up an environment with two peer-masters and two
replicas (server1, server2, server3, and server4). All steps were performed from the
master machine.
1. Follow the directions in the IBM Directory Server Version 5.1: Administration
Guide to set up a master (server1).
2. Create a set of credentials to use for your replication topology. You can locate
these either in the replicated subtree or in cn=replication,cn=localhost. For
this scenario use a simple bind.
Note: Because this topology is being set up from the master machine the
cn=replication,cn=localhost location is not available when you set up
the replicas under the peer server. It is most important that you use the
same DN and password when you add the credentials to the subtree.
3. From your master machine use the Web Administration Tool to connect to
each of the other three servers and start each of the servers.
4. Follow the directions in the IBM Directory Server Version 5.1: Administration
Guide to set up three replicas under the master. Do not populate the replicas
or add any supplier information at this time.
5. Select the replica (server2) that you want to promote to a peer-master and
click Move.
6. Select Replication topology to promote the replica to a master. Click Move.
The peer topology is now:
v server1 (master-peer)
– server2 (replica)
– server3 (replica)
– server4 (replica)v server2 (master-peer)
7. Add server1, server3, and server4 as replicas under server2 so that the
topology looks like:
v server1 (master-peer)
– server2 (replica)
– server3 (replica)
– server4 (replica)v server2 (master-peer)
– server1 (replica)
– server3 (replica)
– server4 (replica) 8. Copy the subtree information from the original master (server1) by issuing the
command:
db2ldif -o <master.ldif> -s <subtreename>
29
9. Copy <master.ldif> to server2, server3, and server4.
10. Stop server2, server3, and server4.
11. On each of the three servers (server2, server3, and server4) issue the following
command:
ldif2db -r no -i <master.ldif>
This command has populated each server with the subtree data that was on
the master and a complete copy of the topology.
12. Add the supplier information for each of the replicas. This includes server1 in
its role as a replica to server2.
Connect the Web Administration Tool to each of the replicas and at each of
the replicas perform the following:
a. Click Manage replication properties in the navigation area.
b. Under the Supplier information field, select Default credentials and
referral.
c. Click Edit.
d. For server3 and server4 enter a referral LDAP URL to one of the
peer-master servers. For example,
ldap://server1.<mylocation>.<mycompany>.com
e. Enter the replication bindDN for the credentials you created in step 2.
f. Enter and confirm the credential password.
g. Click OK.
h. You must restart the replicas for the changes to take effect.13. Replicas are created with replication in the suspended state, you must resume
replication on each of the replicas. This must be performed at each of the
peer-master servers (server1 and server2):
a. Click Manage queues.
b. Select the replica and click Suspend/resume.
c. Repeat this process for each of the other two replicas in the queue.
After this has been completed for each of the six replicas (three under each
peer-master), the topology is ready to begin replication.
This procedure can be followed for any peer topology setup. Remember not to
populate or add supplier information to any of the replicas until after you have
completed designing your topology on the original master.
3.2 Migrating a replicating environment from 3.2.x to 5.1
When migrating from 3.2.x to 5.1, you need to unconfigure the database. Before
unconfiguring the database, you might want to ensure that all replication changes
have been completed.
Stop the master server and issue the following command to ensure that all changes
have been replicated. This example assumes that the name of the user, instance
and database are ldapdb2.
For UNIX platforms:
su -ldapdb2 -c "db2 connect to ldapdb2;
select count (id) from ldapdb2.change"
Note: If not issuing this command as the root, you need to provide the
database instance owner password.
30 IBM Directory Server Version 5.1 README Addendum
For Windows platforms:
db2cmd
In the new DB2 command window issue the following commands:
set DB2INSTANCE=ldapdb2
db2 connect to ldapdb2
select count (id) from ldapdb2.change
If the count is 0, then all changes have been replicated and the replica and master
are synchronized. You can proceed with regular migration (exporting the database
to an LDIF file, migrating and so on). Otherwise you might want to restart the
master in read only mode and wait for all of the updates to be replicated. . This is
important if you have a topology that is heterogeneous, for example, 3.2.x replicas
and 4.1 replicas with a 5.1 master.
If you are moving your whole enterprise to 5.1 from 3.2.x, you can:
1. Create an LDIF file using db2ldif on the master.
2. Unconfigure the database on all the servers.
3. Install the IBM Directory Server Version 5.1 on each server.
4. Perform the migration procedure.
5. Use the ldif2db or bulkload command to load the master’s data on to the
replicas. This ensures that the replicas are synchronized with the master.
6. Start the master and the replicas.
7. Use the Web Administration Tool Replication management ->Manage queues
to resume replication or issue the following command:
ldapexop -h <hostname> -D <binddn> -w <password>
-op controlrepl -action resume -rc <contextDN>
3.3 Support for industry standards
The following standards were implemented in this release:
v RFC 1274 The COSINE and Internet X.500 Schema
v RFC 1777 Lightweight Directory Access Protocol (V2)
v RFC 1778 String Representation of Standard Attribute Syntaxes
v RFC 1779 String Representation of Distinguished Names
v RFC 1823 LDAP Application Program Interface (V2)
v RFC 2052 A DNS RR for Specifying the Location of Services (DNS SRV)
v RFC 2219 Use of DNS Aliases for Network Services
v RFC 2222 Simple Authentication and Security Layer (SASL)
v RFC 2247 Using Domains in LDAP/X.500 Distinguished Names
v RFC 2251 Lightweight Directory Access Protocol (V3)
v RFC 2252 Lightweight Directory Access Protocol (V3): Attribute Syntax
Definitions
v RFC 2253 Lightweight Directory Access Protocol (V3): UTF-8 String
Representation of Distinguished Names
v RFC 2254 The String Representation of LDAP Search Filters
v RFC 2255 The LDAP URL Format
v RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3
v RFC 2696 LDAP Control Extension for Simple Paged Results Manipulation
v RFC 2849 The LDAP Data Interchange Format (LDIF) - Technical Specification
3.0 General information, hints and tips 31
v RFC 2891 LDAP Control Extension for Server Side Sorting of Search Results
v The Open Group schema for liPerson and liOrganization (NAC/LIPS)
v RFC 2307 An Approach for Using LDAP as a Network Information Service. (IBM
Directory Server 5.1 ships with the schema defined in this RFC and supports
clients that need to use an LDAP server to authenticate.)
3.4 Password Guidelines
The following section provides details of the supported values of the IBM
Directory Server (IDS) password attribute for user entries in the IBM Directory
Server, as well as the accounts used to administer the LDAP environment. It also
provides guidelines of what characters to avoid to reduce confusion attempting to
run using the Directory Server command line tools and C-API interfaces.
The Directory Server has two types of user accounts:
v Administration accounts (LDAP Administrator (cn=root), or the LDAP DB2 user)
that are stored in the /etc/ibmslapd.conf file.
v User Entries (iNetOrgPerson) that have a password attribute used with Directory
Server C and java (JNDI) APIs. These are the interfaces that applications, such as
Policy Director and WebSphere use. While the Directory Server supports a wide
variety of values for password entries, you need to review the application
documentation to confirm what guidelines or restrictions apply.
The following provides details and recommendations of the supported password
values using the IBM Directory Server 5.1 release.
3.4.1 Passwords for User Entries (InetOrgPerson) stored in the
IBM Directory Server using the C or java Software
Development Kits
Using the 5.1 release, the following characters are supported for the userPassword
attribute field to be stored in the Directory Server using the C and java APIs.
Applications, such as Policy Director, WebSphere, and so on, that are using the
Directory Server might have additional restrictions on password values. Please
review these specific product documentation for additional information.
v All upper and lower case English alpha and numeric characters.
v All other ASCII English characters are supported.
v Double-byte characters are supported for languages specified in the IBM
Directory Server Version 5.1 Release Notes documentation.
v Passwords are case sensitive. (For example, if the password = TeSt, using a
password of TEST or test fails. Only the exact case, TeSt, works.)
3.4.2 LDAP ibmslapd.conf users:
Using the 5.1 release, the following are the supported passwords for users that are
in the <LDAP_DIR>/etc/ibmslapd.conf file.
v All upper and lower case English alpha and numeric characters.
v All other ASCII single-byte characters are supported.
v Passwords are case sensitive. (For example, if the password = TeSt, using a
password of TEST or test fails. Only the exact case, TeSt, works.)
Notes:
1. The Users in the ibmslapd.conf file can include the following:
v LDAP Administrator (cn=root)
32 IBM Directory Server Version 5.1 README Addendum
v Master ID for Replication (cn=MASTER)
v LDAP DB2 users for LDAP DB entry and change log databases (LDAPDB2)2. Double-byte characters in the administrator passwords are not supported.
3.4.3 Using the IDS Web Administration Tool to modify
password attributes:
Using the Web Administration Tool in the 5.1 release, the following characters are
supported for adding/modifying the password attribute field:
v All upper and lower case English alpha and numeric characters.
v All other ASCII single-byte characters are supported.
v Passwords are case sensitive. (For example, if the password = TeSt, using a
password of TEST or test fails. Only the exact case, TeSt, works.)
Notes:
1. Double-byte characters are not supported for the administrator password.
2. Double-byte characters are supported for the user password.
3.4.4 Additional Recommendations:
It is recommended that you avoid using the following characters because the
operating shell might interpret these ″special″ characters:
`
’
\
"
|
For example, Using the 5.1 Web Administration Tool to assign a user password
attribute to the value:
"\"test\’
requires the following password from the command line to be used:
-w\"\\\"test\’
Here is an example search:
ldapsearch -b" " -sbase -Dcn=newEntry,o=ibm,c=us -w\"\\\"test\’ objectclass=*
Note: This password works in the Web Administration Tool/java application using
the original password without the escape character. In the previous example,
the Web Administration Tool bind password is the same as the one that was
entered when assigning the password in the Web Administration Tool:
"\"test\’
3.5 Replicating Password Policy Attributes
The user-related elements of the password policy are stored in the entries as
operational attributes. These attributes are subject to modifications even on a
read-only replica, so replicating these attributes are carefully considered.
pwdChangedTime
The pwdChangedTime attribute is replicated on all replicas, to enable
expiration of the password.
3.0 General information, hints and tips 33
pwdReset
The pwdReset attribute is replicated on all replicas, to deny access to
operations other than bind and modify password.
pwdHistory
The pwdHistory attribute is replicated to writable replicas. This attribute
does not need to be replicated to a read-only replica, as the password is
never directly modified on this server.
pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime,
pwdGraceUseTime
The pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime and
pwdGraceUseTime attributes are replicated to writable replicas, making the
password policy global for all servers. When the user entry is replicated to
a read-only replica, these attributes are not replicated. This means that the
number of failures, the number of grace logins and the locking take place
on each replicated server. For example, the effective number of failed
attempts on a user password is:
N x M
where N is the number of servers and M is the value of pwdMaxFailure
attribute. Replicating these attributes to a read-only replica can reduce the
number of tries globally but can also introduce some inconstancies in the
way the password policy is applied.
There are times when the values of pwdAccountLockedTime,
pwdExpirationWarned, pwdFailureTime and pwdGraceUseTime are
replicated. If the user’s password is reset, thereby clearing some of these
attributes, this action is replicated to the read-only replicas. Also, if an
administrator on the master server uses the administrative control to
overwrite the values of these attributes on the master server, this forced
write of the operational attributes is also replicated to read-write and
read-only replicas.
3.6 Increasing secondary log files for password policy attribute
pwdchangedtime
The current implementation of ibm-pwdpolicy queries the database, finding all
user entries without the related password policy attributes. ibm-pwdpolicy then
builds a list of entry IDs (EIDs) and populates the pwdpolicy attribute
pwdchangedtime.
If an error is returned with rc == operations error, check <instance_home>/logs/db2cli.log. If the transaction log file is full, increase the secondary log files to a
larger size. For example, to increase the maximum number of secondary log files to
30, use the following DB2 command:
db2 update db cfg for <dbname> using LOGSECOND 30
Increasing LOGSECOND enables DB2 to open more temporary transaction log
files. These files can be freed up after the transaction is complete and reset to a
smaller number. You might have to adjust the value of LOGSECOND depending
on the size of the directory. Make sure your file system has enough room for these
files.
Related configuration values can be retrieved by calling:
34 IBM Directory Server Version 5.1 README Addendum
db2 get db cfg for <dbname> | grep log
..
Number of primary log files (LOGPRIMARY) = 3
Number of secondary log files (LOGSECOND) = 30
Changed path to log files (NEWLOGPATH) =
Path to log files =
/<home>/<user1>/NODE0000/SQL00001/SQLOGDIR/
Overflow log path
(OVERFLOWLOGPATH) =
...
3.7 Disk space requirements for the embedded version of WebSphere
Application Server - Express
For IBM Directory Server 5.1, the embedded version of WebSphere Application
Server - Express and the IDSWebApp.war file (which contains the Web
Administration Tool) require the amounts of disk space shown in the table for each
of the following operating systems:
Operating system The embedded version of
WebSphere Application
Server - Express
IDSWebApp.war
AIX 32,000,000 bytes 140,000,000 bytes
Linux 32,000,000 bytes 147,000,000 bytes
Solaris 32,000,000 bytes 155,000,000 bytes
Windows 32,000,000 bytes 145,000,000 bytes
3.8 Support on Windows 2003 operating systems
IBM Directory Server 5.1 is supported on the following Windows 2003 operating
systems:
v Microsoft Windows Server 2003, Standard Edition
v Microsoft Windows Server 2003, Enterprise Edition
Be sure that you download and install the version of IBM Directory Server 5.1 that
is for Windows 2003.
For the client, a minimum of 128 MB of RAM is required. For better results, use
256 MB or more.
For the server, a minimum of 256 MB of RAM is required. For better results, use
512 MB or more.
For more information, see the README file that is included with the product. The
file name is win2003.pdf or win2003.htm.
3.9 Subset of server management tasks displayed in Web
Administration Tool
In the Web Administration Tool, the server management tasks that are displayed in
the Navigation area vary depending on your authority, the capabilities of the
server you are logging on to, or both.
3.0 General information, hints and tips 35
For example, for a z/OS server, even if you are logged on as an administrator, you
will see only Schema management and Directory management.
3.10 Note about using reorg for database tuning
In the Performance Tuning Guide, there is a list of guidelines for performing a reorg
to improve performance. The following note should be added to the list of
guidelines:
Note: Indices marked with an asterisk in a reorgchk output are only contenders
for reorging; reorging them might or might not necessarily improve
performance.
The list of guidelines can be found in the following section of the Performance
Tuning Guide:
See ″DB2 tuning.″ Go to ″Optimization and organization (reorgchk and reorg),″
and then to ″Database organization (reorgchk and reorg),″ and then see″Performing
a reorg.″
36 IBM Directory Server Version 5.1 README Addendum
|
|||
|||
||
|||
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM might not offer the products, services, or features discussed in this document
in other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the information. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
information at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
37
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM’s suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
Trademarks
The following terms are trademarks of International Business Machines
Corporation in the United States, or other countries, or both:
AIX DB2 IBM S/390 WebSphere
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft
Corporation.
UNIX is a registered trademark in the United States and/or other countries
licensed exclusively through X/Open Company Limited.
Other company, product, and service names may be trademarks or service marks
of others.
38 IBM Directory Server Version 5.1 README Addendum