server.txt

IBM eNetwork LDAP Directory Server Version 2.1

This README file contains a description of the eNetwork LDAP Directory Server Version 2.1. This product is available on AIX, Solaris and Windows NT/Intel platforms.

A separate README describing the V2.1 client application development package can be found in the same directory as this server readme file:

  for AIX:     "/usr/ldap/readme//client.txt"
               (e.g. where is en_US for the English version.)
  for NT:      "\web\readme\\client.txt"
               (e.g. on NT, where is enus437 for the English version.)
  for Solaris: "/opt/IBMldapc/readme//client.txt"
               (On Solaris, server.txt is in /opt/IBMldaps/readme/.)

_________________
Table of Contents

0. Additional Documentation
   0.1. Installation and Configuration Guide
   0.2. Administration Helps
   0.3. Programming References
1. Product Description
   1.1. Hardware Requirements
   1.2. Software Requirements
        1.2.1. Operating Systems
        1.2.2. IBM Universal Database
        1.2.3. Web Servers
        1.2.4. Java
        1.2.5. Web Browsers
        1.2.6. GSKIT
2. Functional Description
3. Security Considerations
4. Performance Considerations
   4.1. LDAP Directory Server
   4.2. DB2
        4.2.1. DB2 Tuning Parameters
        4.2.2. BUFFPAGE and DBHEAP
5. Functional Notes and Restrictions
   5.1. Notes for All Platforms (AIX, NT and Solaris)
        - Unable To Start Server While ldif2db Is Running
        - Unable To Start The Server After Adding New Object Classes
        - Attribute Name Length Restriction
        - Unable to Re-install LDAP/DB2
        - Restart The Master Server After Adding Entries From An ldif File
        - Moving ldif Files Across Platforms
        - A Bulkload Tool Limitation
        - Transaction Log Is Full
        - DB2 Column Name Restrictions
        - Chasing Referrals
        - Multiple aclentry Values
        - Binary Attributes
        - One Instance Of The LDAP Server
        - Restricted Attribute Types
        - Removal Of ACL Attribute "inherit On Create"
        - Only GBK Locale Support For Chinese Version
   5.2. AIX Notes
        - Cannot Open Message Catalog File and See NLS Messages
        - AIX File Descriptors Limit
        - Increase Memory Use Limits
        - Start slapd At Boot Time On AIX
   5.3. Windows NT Notes
        - Additional privileges for the Administrators group
        - Problem With A Manual SSL Installation
        - Unable To Re-start The Replication Master Server
        - Replication Fails On A Single Processor MP Machine
        - Do Not Remove Write Permission From The Key Database File
   5.4. Solaris Notes
        - Cannot Open Message Catalog File and See NLS Messages
        - DB2 Documented Changes To /etc/system
        - GUI Configuration Is Not Supported
   5.5. Web Browser Notes
        5.5.1. Microsoft Internet Explorer Setup
               - Cache
               - HTTP Level
        5.5.2. Microsoft Internet Explorer Problems
               - Scroll Bars In Navigational Area
        5.5.3. Netscape Communicator/Navigator Setup
               - Cache
        5.5.4. Netscape Communicator/Navigator Problems
               - Resizing windows
               - Disappearing fields
               - Shift/Reload
               - Font size problems on Solaris 2.6
               - Displays with 16 colors
               - Shutdown
   5.6. Web Server Notes
        5.6.1. Notes for All Servers
               - The LANG Variable And Webservers
               - Account to use for the web server to run under
               - Ignore A Java Error In The FastTrack Server Error Log
        5.6.2. Microsoft IIS
               - Fail to Re-configure The IIS Webserver For ldap
6. Appendix
   6.1. Referrals in LDAP/DB2 V2.1
   6.2. Improvements to the Bulkload Tool
   6.3. Web Server Configuration Changes
        6.3.1. AIX
        6.3.2. Windows NT
        6.3.3. Solaris

___________________________
0. Additional Documentation

Additional on-line documentation includes the Installation and Configuration Guide, Administration Helps and Programming References.

0.1. Installation and Configuration Guide

The Installation and Configuration Guide can be accessed using
  - AIX:     "file:/usr/share/man/info//ldap/config/aparent.htm"
             (e.g. where is en_US for the English version)
  - NT:      "file://NLS/html//config/wparent.htm"
             (e.g. on NT, where is enus437 for the English version)
             You must select both "Install the LDAP documentation" and "Install the LDAP server and client" during "setup" to include the Installation and Configuration Guide.
  - Solaris: "file:/opt/IBMldapi/info//config/sparent.html"

0.2. Administration Helps

The Administration Helps can be accessed via a web browser using the URL
  - AIX:     "file:/usr/ldap/web//help/parent.htm"
  - NT:      "file://web//help/parent.htm"
  - Solaris: "file:/opt/IBMldaps/web//help/parent.htm"

They can also be accessed remotely via a web browser from the LDAP Web Administration page "http:///ldap" by clicking on the question mark in the top-right corner and then on the help index. Refer to Section 5.6.1, "The LANG Variable And Webservers", for additional information.

0.3. Programming References

The Programming References can be accessed using the URL
  - AIX:     "file:/usr/share/man/info//ldap/program/progref.htm"
  - NT:      "file://NLS/html//program/progref.htm"
             You must select both "Install the LDAP documentation" and "Install the LDAP server and client" when installing the server using "setup" in order to have the Programming References installed.
  - Solaris: "file:/opt/IBMldapi/info//program/progref.htm"

______________________
1. Product Description

The eNetwork LDAP Directory Server V2.1 consists of the following components:
  - slapd: the server executable
  - Command line import/export utilities
  - A server administration tool with a web-browser based interface for configuration and administration of the directory
  - On-line Administrator's Helps
  - An LDAP client toolkit (including runtime libraries)
  - An on-line LDAP Programming Reference

The LDAP server provides a native, scalable directory based on IETF LDAP Version 2 (RFC 1777) plus some extensions for IETF LDAP Version 3. IBM Universal Database Version 5 is packaged with the LDAP server and used as the directory storage facility.
****************************************************************************
NOTE: You may only use this DB2 component in association with your licensed use of the eNetwork LDAP Directory.
****************************************************************************

1.1. Hardware Requirements

RAM: 64 MB or more is recommended

Disk space:
  - If you already have DB2 installed, approximately 25 MB is needed to install the product.
  - If you DO NOT have DB2 installed, approximately 70 MB is needed to install the product.

The disk space required for data storage depends on the number and size of entries, attributes, etc. For this reason, on AIX it is a good idea to use a separate file system for your local database directory. The default location for the database directory is /home/ldapdb2 (AIX). (Solaris filesystems are determined at OS install time.)

1.2. Software Requirements

1.2.1. Operating Systems

The product supports three operating systems:

  AIX:     Version 4.2.1 with APAR IX72127, or
           Version 4.3.0 and 4.3.1 with APARs IX72439, IX74821, IX75022 and PTF U457544, or
           Version 4.3.2
  NT:      Windows NT Workstation/Server Version 4.0 with service pack 3 or later. The NTFS file system is required for security support.
  Solaris: Version 2.5.1 (SunOS 5.5.1) or Version 2.6 (SunOS 5.6)

1.2.2. IBM Universal Database

  AIX:     UDB V5.0 for AIX with fixpak U457227f, or UDB V5.2 for AIX
  NT:      UDB V5.0 for Windows NT with fixpak US9044f, or UDB V5.2 for Windows NT
  Solaris: UDB V5.0 for Solaris with fixpak U457228f, or UDB V5.2 for Solaris

1.2.3. Web Servers

LDAP Server configuration and administration requires one of the following web servers:
  - Apache 1.2.5 or 1.3
  - Lotus Domino Go 4.6.2 or later
  - Netscape FastTrack 2.01 or 3.01
  - Netscape Enterprise 3.5.1
  - Microsoft IIS 2.0

1.2.4. Java

LDAP Server configuration requires JDK 1.1.6 to be installed. For NT, the PATH must be set to include java, such as "c:\jdk1.1.6\bin". For AIX and Solaris, the PATH must include either java or jre. In addition, either the classes.zip file or the rt.jar file must be located in the lib directory of the java installation root. Examples on Solaris:

  /opt/jdk1.1.6/bin includes both java and jre
  /opt/jdk1.1.6/lib includes classes.zip
  /opt/jre1.1.6/bin includes jre only
  /opt/jre1.1.6/lib includes rt.jar

Users on AIX 4.3.1 or earlier need to obtain JDK 1.1.6 from the Bonus Pack or from the web.

1.2.5. Web Browsers

A web browser must be frame-enabled and support Java 1.1.6 features, including JDK 1.1 AWT events and HTML V3.0. The following web browsers support this specification:
  - Microsoft Internet Explorer (MS IE) 4.0 plus service pack 1
  - Netscape Navigator/Communicator 4.06 for Windows NT, AIX or Solaris
  - Netscape Navigator 4.04.1 or 4.06 for AIX
    (Netscape Navigator 4.04.1 is distributed on the AIX 4.3.0 Bonus Pack CDs.)
    (Netscape Navigator 4.06.0 is distributed on the AIX 4.3.2 Bonus Pack CDs.)

1.2.6. GSKIT

To obtain the SSL capability, the IBM GSkit 3.0 packages or later must be installed on the system. On AIX, the GSkit packages can be found on the Bonus Pack CD. On NT and Solaris, GSkit 3.0 is bundled with LDAP/DB2 in the software bundles and suites from IBM. Refer to Section 3, "Security Considerations".

_________________________
2. Functional Description

The IBM eNetwork LDAP Directory V2.1 includes an LDAP Version 2 server that additionally supports SSL, referrals, replication and access control. SSL provides encryption of data and authentication using X.509v3 public-key certificates. The server may be configured to run with or without SSL support. The server supports LDAP referrals, allowing directories to be distributed across multiple LDAP servers. Replication is supported, which makes additional read-only copies of the directory available, improving performance and reliability of access to the directory information. A powerful, easy-to-manage access control model is supported.
Configuration and administration of the LDAP Directory is accomplished through an improved web-based interface.

This product is available on AIX, Windows NT/Intel and Solaris platforms and supports ten languages: English, French, German, Japanese, Simplified Chinese, Traditional Chinese, Korean, Italian, Spanish and Brazilian Portuguese. Catalan is also supported on AIX.

__________________________
3. Security Considerations

The eNetwork LDAP Directory Server V2.1 alone does not provide the capability for SSL connections from LDAP clients. The SSL feature is added by installing the IBM GSkit packages. The GSkit packages include Secure Socket Layer (SSL) Version 3 support and the associated RSA technology. There are two GSkit packages available, US and Export, which come with different encryption strengths.

For AIX, the appropriate GSKit packages are included in the AIX 4.3.2 Bonus Pack Domestic and Bonus Pack Export. To install a secure LDAP directory, the eNetwork LDAP Directory client and server packages should first be installed from the AIX 4.3.2 base operating system CDs. This includes the following filesets:

  ldap.client.rte          LDAP Client Runtime
  ldap.client.adt          LDAP Client Application Development Toolkit
  ldap.server.rte          LDAP Directory Server Runtime
  ldap.server.com          LDAP Directory Server Framework
  ldap.server.admin        LDAP Directory Server Administrative Interface
  ldap.html.en_US.man      LDAP HTML man Pages - U.S. English
  ldap.html.en_US.config   LDAP HTML Install/Configuration Guide - U.S. English
  ldap.msg.                LDAP Directory Messages -

Then, the GSkit/SSL support may be installed from the IBM AIX 4.3.2 Bonus Pack. Within the USA and Canada, the fileset name is "GSKRU301.pkg". For export, the fileset name is "GSKRF301.pkg".

For Windows NT and Solaris, LDAP/DB2 is bundled with IBM Software suites and Websphere bundles.
The suites and bundles contain the appropriate GSkit packages for domestic and export use and will install the packages to enable SSL connections from LDAP clients.

Note that the LDAP Server will work without GSkit installed. In this case it will only accept non-SSL connections from LDAP clients.

_____________________________
4. Performance Considerations

4.1. LDAP Directory Server

- To improve search performance, indexes should be specified for all attributes which will be searched. For a description of indexes and how to set them for your directory, see the "Indexing Rules" section of the Administration Helps.

- The "optimizing" action should be used whenever the database has been modified significantly. It should also be used after the Directory is initially populated. To locate the optimize action, from the Administration Help page select the "index" folder, select "Database" and then select "optimizing".

- If your LDAP server receives such a high volume of client requests that the CPU utilization is unacceptably high, or clients are receiving "connection refused" errors, you may see better results by increasing the setting of the ODBCCONN environment variable. The ODBCCONN environment variable controls the number of connections to DB2 made by the server. On AIX, the maximum supported is 8. So, for instance, if your directory on AIX is under heavy load, you may "export ODBCCONN=8" in the process from which you are starting the server (/bin/slapd). For Windows NT, you need to set the system environment variable ODBCCONN, reboot the system and restart the LDAP server. On Solaris, use "setenv ODBCCONN 8" for csh or "export ODBCCONN=8" for ksh.

Further information is available on the web. Load the eNetwork directory page at "http://www.software.ibm.com/enetwork/directory/library/" to find general announcements and information.

4.2. DB2

You may wish to allocate as much as 75% of the machine's memory to the DB2 database buffer pool.
You may use the DB2 database system monitor to calculate the buffer pool hit ratio, which can help you tune your buffer pool for your specific environment. The "runstats" tool must be run after changing any DB2 configuration parameters. The DB2 Database System Monitor Guide and Reference is a good reference for overall DB2 tuning information.

4.2.1. DB2 Tuning Parameters

There are two types of database configuration parameters:
  - Database manager configuration parameters determine the amount of system resources that affect all databases and applications using DB2.
  - Database configuration parameters apply to a specific database, and specify the amount of resources allocated to that database.

While some database configuration parameters have been specifically customized for the LDAP product by product defaults, others may need to be tuned for your specific hardware and database.

To look at the database manager configuration parameters, use the command

  db2 get database manager configuration

To look at the database configuration parameters for a specific database, use the command

  db2 get database configuration for

If you have chosen to allow the server administration interface to create the default database for you, the database name is "ldapdb2". Using the default database is the recommended path for DB2 configuration.

4.2.2. BUFFPAGE and DBHEAP

Two database configuration parameters which have an important effect on performance are the BUFFPAGE and DBHEAP settings. The default BUFFPAGE shipped with DB2 is 1000 (4 KB pages), which may not be big enough for a large database. Also, if you increase the BUFFPAGE parameter, you should also increase the DBHEAP size by 1 for every 30 added to BUFFPAGE.

DB2 supports multiple buffer pools. Unless you are an experienced DB2 user, it is recommended that you use a single buffer pool.
This can be specified using the command:

  db2 alter bufferpool ibmdefaultbp size -1

To update the database configuration parameters for a database, use the command:

  db2 update database configuration for using

For example, to increase the BUFFPAGE and DBHEAP size, use the command:

  db2 update database configuration for using BUFFPAGE 20000 DBHEAP 1866

NOTE: If you have any trouble executing the "db2 ..." commands, check the following:

  - These commands must be executed by a user in the "dbsysadm" group. On AIX or Solaris, this should include the DB2 instance owner (ldapdb2 by default) and root. On NT, ldapdb2 is a member of the administrator group. The id/group ldap/ldap is created during install.

  - If running as root, the DB2INSTANCE environment variable must be set and exported to the LDAP DB2 Instance ID (the LDAP default is ldapdb2). DB2 utilities are not normally available via the PATH environment variable. DB2 provides a (unix specific) utility script for the database instance that will correctly set the environment for performing DB2 operations. The script db2profile can be found in the sqllib directory in the instance owner's home directory. For the default database, the location is /home/ldapdb2/sqllib/db2profile on AIX, and /export/home/ldapdb2/sqllib/db2profile on Solaris. The file may need to be tailored for your system. If so, follow the comments inside the file to set your instance name, user paths, and default database name.

  - For more information on tuning DB2, see "http://www.software.ibm.com/data/db2/library".

____________________________________
5. Functional Notes and Restrictions

5.1. Notes for All Platforms (AIX, NT and Solaris)

- Unable To Start Server While ldif2db Is Running

  Do not start the slapd server while LDAP entries are being added via the ldif2db tool. If you need to add data via the administration interface or using ldif2db directly, stop the slapd server first and restart it later.
- Unable To Start The Server After Adding New Object Classes

  If you experience a problem with server startup after adding new object class definitions to the configuration files, make sure that no comment lines are present inside the object class definition, e.g. between the "objectclass" line and the "requires" line.

- Attribute Name Length Restriction

  The attributes defined in the ldap configuration files are significant to the first 18 characters only. Names longer than 18 characters are truncated to meet the DB2 restriction. If the attribute is to be indexed, the limit is further restricted to 16 characters. Name collisions caused by adding new attributes prevent the server from being started.

- Unable to Re-install LDAP/DB2

  The re-installation of LDAP/DB2 will fail if the webserver configured for LDAP is still running. This is because installation cannot replace some files in the directory while they are busy. To resolve this problem, stop the webserver before re-installing LDAP/DB2.

- Restart The Master Server After Adding Entries From An ldif File

  If you have replication enabled, caution is advised when adding entries to the master server via the administrative interfaces (either the web-based GUI "Add entries" option, or the command line tool ldif2db). In order to ensure that the additions get propagated to the replicas, you should "restart" the master server after adding the entries. It is also very IMPORTANT that you "restart" the master server after you have added entries and before defining any additional replicas; otherwise the master and the new replica will be out of sync. The server restart is not necessary if you use the recommended tool "ldapadd" to add entries.

- Moving ldif Files Across Platforms

  If db2ldif is used to create a file on NT, and the data is ftp-copied to AIX or Solaris in binary mode, then each line will end with an extraneous carriage return character (Ctrl-M when viewed in an editor such as vi).
  If the file is used by ldif2db on unix, only the first entry, or none of the entries, will be loaded. This may come up while populating replicas on different platforms. To avoid the problem, copy the text file in ascii mode.

- A Bulkload Tool Limitation

  For performance reasons, the Bulkload tool does not accept an input ldif file with duplicate entries. It will fail with the following error message when the ldif file contains duplicate entries:

    Parsing entry failed.
    dn: ou=People, o=University of Michigan, c=US

  To avoid the problem, remove the duplicate entries.

- Transaction Log Is Full

  The following messages may appear at slapd start-up if the configuration file contains, in addition to the default attributes, 250 or more new attributes defined by users.

    SQL0964C The transaction log for the database is full SQLSTATE=57011
    slapd unable to start because all backends failed to configure.

  You need to increase the DB2 transaction log sizes:

    db2 update db cfg for ldaptest using logprimary 5
    db2 update db cfg for ldaptest using logsecond 5

- DB2 Column Name Restrictions

  If the DB2 column name of a new user attribute in the configuration file causes a problem, a DB2 reserved word may have been picked. To resolve the problem, use a different name.

- Chasing Referrals

  When performing searches, the same DN that was used to bind to the original server is used to bind to the referred-to server. Therefore the proper access must be set up for the same DN to be able to bind to both servers for chasing the referrals, or perform the search based on an anonymous bind.

- Multiple aclentry Values

  When multiple aclentry values for the same DN are added to an object, in V1.1.1 the last aclentry is taken for the object. In the V2.1 release, however, the permissions of all aclentry attribute values are 'OR'ed together for the object.

- Binary Attributes

  Binary attribute values of up to 200 MB are supported.
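Two of the notes above, the attribute name length restriction and the ldif file restrictions (carriage returns from an NT-created file, duplicate entries rejected by the Bulkload tool), can be checked before they stop the server or fail a load. The following Python script is an added example written for this README, not part of the product: the 18/16-character limits are the ones stated above, the case-insensitive comparison of truncated names is an assumption about DB2 identifier folding, and the sample configuration entries and LDIF are constructed.

```python
"""Preflight checks for two of the 5.1 notes: attribute names that collide
once DB2 truncates them (18 characters, 16 if indexed), and LDIF files that
ldif2db/bulkload reject (CR/LF from an NT db2ldif file, duplicate entries).
The configuration and LDIF samples below are constructed for this example."""
import base64
import re
from collections import defaultdict

COLUMN_SIGNIFICANT = 18   # characters of an attribute name DB2 keeps
INDEX_SIGNIFICANT = 16    # tighter limit when the attribute is indexed


def attribute_collisions(attributes):
    """attributes: iterable of (name, indexed) pairs from the config file.
    Returns {"column:<key>" | "index:<key>": [full names]} for each truncated
    key shared by more than one name (case-insensitive, assuming DB2 folds
    the identifiers to one case)."""
    by_key = defaultdict(list)
    for name, indexed in attributes:
        by_key[("column", name[:COLUMN_SIGNIFICANT].lower())].append(name)
        if indexed:
            by_key[("index", name[:INDEX_SIGNIFICANT].lower())].append(name)
    return {f"{kind}:{key}": names
            for (kind, key), names in by_key.items() if len(names) > 1}


_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Strip blanks around each RDN and fold case, so
    'ou=People, o=X' and 'ou=people,o=x' compare equal."""
    return ",".join(p.strip().lower() for p in _UNESCAPED_COMMA.split(dn))


def _unfold(lines):
    """Join LDIF continuation lines (those starting with one space)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def _entry_dn(entry):
    """Normalized DN of an entry (handles base64 'dn::'), or None."""
    for line in entry:
        if line.lower().startswith("dn::"):
            return normalize_dn(base64.b64decode(line[4:].strip()).decode())
        if line.lower().startswith("dn:"):
            return normalize_dn(line[3:])
    return None


def preflight_ldif(text, drop_duplicates=False):
    """Convert CR/LF to LF, unfold continuation lines and report DNs seen
    more than once. Returns (clean_text, duplicate_dns); with
    drop_duplicates=True later copies of a DN are left out of clean_text."""
    unix = text.replace("\r\n", "\n").replace("\r", "\n")
    entries, current = [], []
    for line in _unfold(unix.split("\n")):
        if line.strip():
            current.append(line)
        elif current:                # blank line ends an entry
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    seen, duplicates, kept = set(), [], []
    for entry in entries:
        dn = _entry_dn(entry)
        if dn in seen:
            duplicates.append(dn)
            if drop_duplicates:
                continue
        if dn is not None:
            seen.add(dn)
        kept.append(entry)
    return "\n\n".join("\n".join(e) for e in kept) + "\n", duplicates


# Constructed config sample: two names equal for 18 characters, and two
# indexed names equal for 16 (but not 18).
SAMPLE_ATTRIBUTES = [("cn", True), ("mail", False),
                     ("preferredDeliveryMethod", False),
                     ("preferredDeliveryMode", False),
                     ("costCenterNumber1", True), ("costCenterNumber2", True)]

# Constructed LDIF as db2ldif on NT writes it (CR/LF); the first entry is
# repeated with a differently spaced but equivalent DN.
SAMPLE_LDIF = "\r\n".join([
    "dn: ou=People, o=University of Michigan, c=US",
    "ou: People", "objectclass: organizationalUnit", "",
    "dn: cn=Jane Doe, ou=People, o=University of Michigan, c=US",
    "cn: Jane Doe", "sn: Doe", "objectclass: person", "",
    "dn: ou=people,o=university of michigan,c=us",
    "ou: People", "objectclass: organizationalUnit", ""])
```

Run attribute_collisions over the attribute definitions before restarting slapd, and preflight_ldif over any ldif file copied from NT before handing it to ldif2db or bulkload.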
- One Instance Of The LDAP Server

  Only one instance of the LDAP server (slapd) should be run on any one host system.

- Restricted Attribute Types

  The restricted attribute types (entryOwner, aclSource, OwnerSource) are not allowed in a search filter.

- Removal Of ACL Attribute "inherit On Create"

  This attribute will not be supported in future releases.

- Only GBK Locale Support For Chinese Version

  In the previous LDAP/DB2 for AIX release, two Chinese locales, GBK and EUC, were supported. Since the browsers only support the GBK codepage and most LDAP administration work is done through a browser, only the GBK locale is supported in this release, due to the limitations of the browsers.

5.2. AIX Notes

- Cannot Open Message Catalog File and See NLS Messages

  AIX uses the environment variable NLSPATH to specify the paths to be searched for messages to be displayed. If your slapd error log contains errors like "Cannot open message catalog file .cat", you may fix the problem by setting your NLSPATH variable to include the path "/usr/lib/nls/msg/%L/%N" and setting the LANG variable properly (e.g. to "en_US", the locale name for English).

- AIX File Descriptors Limit

  AIX 4.3.1 and later versions are capable of supporting more than 2000 file descriptors per process. We DO NOT recommend using a limit higher than 2000. The AIX LDAP client will not work with a higher limit. The limit for a process may be displayed with the "ulimit -n" command. If the limit is higher than 2000, it may be reset to 2000 using "ulimit -n 2000". The system default limit is set in the file "/etc/security/limits", as "nofiles = nnnn".

- Increase Memory Use Limits

  It may be necessary to increase the memory use limits of the process running the LDAP server. "ulimit -d unlimited" will ensure that "soft" memory limits do not cause problems for the server. "ulimit -a" will display all the current limit settings for the process.
- Start slapd At Boot Time On AIX

  The configuration currently does not provide an option for starting the LDAP server at system boot time. However, this can be achieved by manually adding a line to inittab:

    ldapd:2:once: /bin/slapd > /dev/console 2>&1 #autostart LDAP/DB2 Services

5.3. Windows NT Notes

- Additional privileges for the Administrators group

  Additional privileges must be added to the Administrators group, since the web administration cgi programs need to perform system-type operations. From the NT User Manager, select Policies->User Rights Policy. Select the Administrators group from the list displayed and check the box "Show advanced user rights". A new list of user rights is displayed. From this list, add the following 3 additional rights to the Administrators group:

    Act as part of the operating system
    Increase quotas
    Replace a process level token

- Problem With A Manual SSL Installation

  If you install the GSKIT package manually, "setup" will not install anything. Instead, please use the command "setup - ldap".

- Unable To Re-start The Replication Master Server

  If you have a problem starting a replication master server on an NT multiprocessor, look at the cli.errors and slapd.errors files in the /tmp directory. If you find the following messages in slapd.errors:

    Error code -1 from odbc string:" SQLFetch "
    Error code -1 from odbc string:" SQLGetData "

  and in cli.errors:

    native retcode = -973; state = "57011"; message = "[IBM][CLI Driver] [DB2/NT] SQL0973N Not enough storage is available in the "APP_CTL_HEAP" heap to process the statement. SQLSTATE=57011"
    native retcode = -99999; state = "24000"; message = "[IBM][CLI Driver] CLI0115E Invalid cursor state. SQLSTATE=24000"

  the problem is that DB2 is running out of heap space: Fetch is returning a message about APP_CTL_HEAP_SZ being too small. This problem could be due to a large number of updates (e.g. 5,000 change entries) to be replicated to the replica servers, possibly after a replica server shutdown and re-start followed by a master server shutdown and re-start. Increasing the heap size (e.g. from 64 to 256) solves the problem. Please refer to the DB2 part of the "Performance Considerations" section.

- Replication Fails On A Single Processor MP Machine

  LDAP replication will fail on a single-processor MP machine if the machine has a multiprocessor NT kernel installed and was originally configured with two or more processors.

- Do Not Remove Write Permission From The Key Database File

  The slapd server will not start if it cannot open this file with both read and write permissions.

5.4. Solaris Notes

- Cannot Open Message Catalog File and See NLS Messages

  Solaris uses the environment variable NLSPATH to specify the paths to be searched for messages to be displayed. If your slapd error log contains errors like "Cannot open message catalog file .cat", you may fix the problem by setting your NLSPATH variable to include the path "/usr/lib/locale/%L/%N" and setting your LANG properly (e.g. to "en_US", the locale name for English). Of course the locale name should be replaced by your appropriate locale.

- DB2 Documented Changes To /etc/system

  DB2 documents several alterations to the /etc/system file on Solaris. Without these changes, the db2icrt command, which is used to create a DB2 database instance, will hang and/or fail. The db2icrt command is executed by the Web Administration programs. Database configuration may fail if the DB2 settings in the /etc/system file are not set correctly. However, with all of the recommended changes, DFS clients may not operate correctly. Caution should be used when making these modifications. Refer to the DB2 Documentation.

- GUI Configuration Is Not Supported

  Only command line (CLI) configuration is provided on Solaris.

5.5. Web Browser Notes

5.5.1. Microsoft Internet Explorer Setup

- Cache

  In View->Internet Options, select the General folder. Then select the "Settings" button. Set "Check for newer versions of stored pages" to "Every visit to the page". If you are getting unpredictable results using the browser, the cache can be causing problems because it may be storing pages with errors. Thus, on the General folder page mentioned above, use both the "Delete files" and the "Clear History" button options to clear the cache. Note that these options can be used as often as necessary. Shutting down and restarting the browser can also improve some intermittent problems.

- HTTP Level

  In View->Internet Options, select the Advanced folder. Under "HTTP 1.1 settings", if you are NOT using the Netscape FastTrack Server, check the box for "Use HTTP 1.1", which will set the feature on (this is the current default). If you are using the Netscape FastTrack Server, remove the check in both boxes, which will cause the browser to use HTTP 1.0. Note that if you change this option, it will not become effective until you shut down the browser and start it again.

5.5.2. Microsoft Internet Explorer Problems

- Scroll Bars In Navigational Area

  If you see small scroll bars in the LDAP Directory Entry area on the left side frame of the browser, double click in the area as if you were going to select a menu item. The menu area in the left side frame will then be correctly displayed.

5.5.3. Netscape Communicator/Navigator Setup

- Cache

  In Edit->Preferences select the Advanced category. Under the "Cache" option, set "Document in cache is compared to document on network" to "Every time". On this same page, if you are getting unpredictable results using the browser, select the "Clear Memory Cache" and "Clear Disk Cache" options to clear the cache. Note that this option can be used as often as necessary. Shutting down and restarting the browser can also improve some intermittent problems.

5.5.4. Netscape Communicator/Navigator Problems

- Resizing windows

  If you resize the window that the browser is running in, the java applets in the left side and top frames will not be painted to the new size. In addition, a "Data Missing" browser error may occur. For these reasons, we do not recommend resizing the Netscape browser windows.

- Disappearing fields

  The fields in the work area on the right side of the screen will sometimes appear momentarily and then disappear, due to a bug in the Netscape browser. Should this occur, minimizing the browser window and then maximizing it will cause the browser to repaint the form properly.

- Shift/Reload

  If you use the 'Shift' key and Reload button functions to bypass the cache, a problem occurs between the frames. Repeating the Shift/Reload function generally does not fix the problem. For this reason, we don't recommend using this optional feature in the Netscape browser. Using the Reload button without the 'Shift' key occasionally causes similar problems.

- Font size problems on Solaris 2.6

  There are font size problems using the Netscape browser with Solaris 2.6. The problem is described at http://help.netscape.com:80/kb/client/980502-3.html. This information references Open Windows 3.6 patch 105633-05.

- Displays with 16 colors

  Displays which only allow 16 colors will cause errors such as crashes in the Netscape browser, so they are not recommended.

- Shutdown

  The Netscape browser takes some time to shut down java, so you have to give it some time before restarting it. On NT, the NT Task Manager will show the processes running. If you have more than one "netscape.exe", then you have probably started the browser before allowing the previous instance to complete. If you find multiple "netscape.exe" processes running at the same time, stop all of them and then start the browser again.

5.6. Web Server Notes

5.6.1. Notes for All Servers

- The LANG Variable And Webservers

  To view the on-line documentation via the Web Admin GUI, the desired language must be set in the web server's environment. For example, if you are using a Domino Go Web server on AIX, and want to view the U.S. English documents, you would first set the LANG environment variable to the desired locale and restart the web server.

    1) using startsrc

       export LANG=en_US
       startsrc -e"LANG=$LANG" -s httpd

    2) without startsrc

       export LANG=en_US
       /usr/sbin/httpd

  (On Windows NT, LANG should be set to enus437 for the US English locale.)

  If you are using an Apache web server, the LANG and NLSPATH variables must be made available to the Web Admin cgi programs as well. To do this, add the PassEnv directive to the srm.conf configuration file. Example:

    PassEnv LANG
    PassEnv NLSPATH

- Account to use for the web server to run under

  The "Log On As" option must be set to an account for the service to execute under. For Apache, Domino Go, Netscape FastTrack and Netscape Enterprise servers, this account ID must be 8 characters or less. Do not use the LocalSystem account, which is the default. The ID must be set up in the NT User database and be a member of both the Administrators group and the LDAP group. In the service window, select the option "This Account" and enter the ID and its password.

  For the Microsoft web server, an id is created automatically which is IUSR_ where machine name is the host name. This id must be a part of the Administrators group and the LDAP group. Thus, these two groups must be added to the id in the NT User Manager.
- Ignore A Java Error In The FastTrack Server Error Log

  The Netscape 3.01 FastTrack Server error log will occasionally contain the following errors:

     [] warning: for host trying to GET /ldap/cgi-bin/java/lang.class, send-cgi reports: cannot find CGI program e:/ldap/web/cgi-bin/java/lang.class (File Not Found Error)
     [] failure: cgi_send:cgi_start_exec e:/ldap/web/cgi-bin/java/lang.class failed

  Since nothing goes wrong on the browser side, these Java errors can be ignored.

5.6.2. Microsoft IIS

- Fail To Re-configure The IIS Webserver For ldap

  The Microsoft Personal Web Manager does not always correctly update the registry for the MS IIS virtual roots. If LDAP is re-installed and re-configured for MS IIS at a different location, but the http:///ldap URL fails to work, remove the /ldap virtual root from the Microsoft Personal Web Manager by clicking the 'Advanced' icon, selecting the /ldap virtual root and clicking 'Remove'.

6. Appendix

6.1. Referrals in LDAP/DB2 V2.1

A few aspects of the referral support in LDAP/DB2 V2.1 are noted below.

- First Value of Multi-Valued Referral Attributes Returned

  Given this example on HostA:

     dn: o=abc, c=us
     ref: ldap://hostB/o=abc,c=us
     ref: ldap://hostC/o=abc,c=us
     objectclass: referral

     dn: o=def, o=abc, c=us
     ref: ldap://hostD/o=def, o=abc, c=us
     ref: ldap://hostE/o=def, o=abc, c=us
     objectclass: referral

  If a search hits these referral entries on HostA, the V2.1 server returns only the first referral attribute value of each referral entry to the client (i.e. only HostB and HostD) in the form of an LDAPResult. This differs from the LDAP V3 specification, in which the server returns all referral attribute values, including HostC and HostE, to the client.

- Client Chasing the Referrals

  If multiple referral objects are found during a search, the first referral attribute value of each object is returned to the client as described above. The client will attempt to chase each referral returned by the server.
- One Level Search From an Immediately Superior Object

  Given this example:

     Server A (hostA)

     dn: o=ibm, c=us
     o: ibm
     objectclass: organization

     dn: l=texas, o=ibm, c=us
     ref: ldap://hostB/l=texas,o=ibm,c=us
     objectclass: referral

     Server B (hostB)

     dn: l=texas, o=ibm, c=us
     l: texas
     objectclass: locality

     dn: ou=sws, l=texas, o=ibm, c=us
     ou: sws
     objectclass: organizationalRole

  If a search with scope "one" is run with "o=ibm, c=us" as the base, the referral object immediately subordinate to the base object is ignored and no referral LDAPResult is returned to the client for this entry. This results in a "no such object". This differs from the LDAP V3 specification, in which hostA returns the referral to the client with the requirement that the client runs the search on hostB with a scope of "base"; that search would return "l=texas, o=ibm, c=us".

- Adding an Object Underneath a Referral

  It is allowed to add and delete an object underneath a referral object. For example:

     dn: o=ibm, c=us
     ref: ldap://hostB/o=ibm,c=us
     objectclass: referral

     dn: l=texas, o=ibm, c=us
     l: texas
     objectclass: locality

- When to Apply the Filter

  Consider the following scenario:

     dn: o=ibm, c=us
     o: ibm
     objectclass: organization

     dn: cn=texas, o=ibm, c=us
     cn: texas
     ref: ldap://hostB/l=texas, o=ibm, c=us
     objectclass: referral

     dn: cn=maryland, o=ibm, c=us
     cn: maryland
     ref: ldap://hostB/l=maryland, o=ibm, c=us
     objectclass: referral

  An 'ldapsearch -b "o=ibm, c=us" "cn=texas"' will chase both referrals. The filter "cn=texas" is used as the search criterion for all entries under "o=ibm,c=us", including the referred-to entries under "l=maryland,o=ibm,c=us" on hostB.

- The base dn for search may get changed for chasing referral

  Before constructing a URL for a referral object, the server compares the original request's base dn to the dn held within the ref attribute of the referral object. The dn which is deeper in the namespace is used as the search base dn for the client to chase the referral.
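The two V2.1 rules described in this section, the first-value-only behaviour and the deeper-DN choice of search base, modelled in Python as an added example that is not IBM's code: audit_referrals flags the ref values a V2.1 server will never hand to clients (useful when reviewing an ldif file before loading it), and chase_base_dn picks the base a client chases with. The tie-break when both DNs have the same depth and the minimal LDIF reader are assumptions of this example; the sample entries are constructed from the HostA example above.

```python
import re
from urllib.parse import urlsplit, unquote

def split_dn(dn):
    """RDN list of a DN, split on unescaped commas, blanks trimmed."""
    return [r.strip() for r in re.split(r'(?<!\\),', dn) if r.strip()]

def parse_ldap_url(url):
    """(host, dn) from an LDAP URL such as ldap://hostB/o=abc,c=us."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ('ldap', 'ldaps'):
        raise ValueError('not an LDAP URL: %r' % url)
    return parts.netloc, unquote(parts.path.lstrip('/'))

def chase_base_dn(request_base, ref_url):
    """Section 6.1 rule: chase with the deeper DN (more RDNs); on a tie use the ref DN (assumption)."""
    host, ref_dn = parse_ldap_url(ref_url)
    deeper = ref_dn if len(split_dn(ref_dn)) >= len(split_dn(request_base)) else request_base
    return host, deeper

def parse_ldif(text):
    """Minimal LDIF reader (no folding/base64): blank-line separated 'attr: value' entries."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(':')
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_referrals(text):
    """(dn, [ref values a V2.1 server never returns]) per referral entry with >1 ref value."""
    findings = []
    for e in parse_ldif(text):
        dropped = e.get('ref', [])[1:]
        if 'referral' in [v.lower() for v in e.get('objectclass', [])] and dropped:
            findings.append((e['dn'][0], dropped))
    return findings

# Constructed sample mirroring the HostA entries in section 6.1.
SAMPLE_LDIF = """dn: o=abc, c=us
ref: ldap://hostB/o=abc,c=us
ref: ldap://hostC/o=abc,c=us
objectclass: referral

dn: o=def, o=abc, c=us
ref: ldap://hostD/o=def, o=abc, c=us
ref: ldap://hostE/o=def, o=abc, c=us
objectclass: referral"""
```

Running audit_referrals over SAMPLE_LDIF reports the hostC and hostE values as the ones a V2.1 server will silently drop.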
6.2. Improvements to the Bulkload Tool

The bulkload tool is improved as follows.

- The environment variable STRING_DELIMITER is used to specify a character string delimiter other than the default '|' for character strings in the SQL LOAD statements. This allows LDAP entry data to contain '|' characters. A valid delimiter character is one of "%&'()*,./:;<>?|

- If the input file has entries that contain the currently specified delimiter or the default delimiter, the bulkload tool writes those entries to a temporary file. These entries can be added to the database later using the ldif2db tool. However, if there are many such entries in the input ldif file, bulkload performance will be badly impacted. To avoid this problem, either select a different string delimiter or remove the special entries from the ldif file before using the bulkload tool.

6.3. Web Server Configuration Changes

The ldapcfg program makes the following modifications to the web server configuration files.

6.3.1. AIX

- Netscape: adds to the obj.conf

     Init fn="init-cgi" timeout=0
     NameTrans from=/ldap/cgi-bin fn=pfx2dir dir="/usr/ldap/web/cgi-bin" name="cgi"
     NameTrans from=/ldap fn=pfx2dir dir="/usr/ldap/web"

- Domino Go: adds to the httpd.conf

     Exec /ldap/cgi-bin/* /usr/ldap/web/cgi-bin/*
     Pass /ldap/* /usr/ldap/web/*

- Apache: adds to the srm.conf

     ScriptAlias /ldap/cgi-bin/ /usr/ldap/web/cgi-bin/
     Alias /ldap /usr/ldap/web

6.3.2. Windows NT

In the following, "c:\PROGRA~1\IBM\LDAP" may vary depending on the installation location.
- Netscape: adds to the obj.conf

     Init fn="init-cgi" timeout=0
     NameTrans from=/ldap/cgi-bin fn=pfx2dir dir="/opt/IBMldaps/web/cgi-bin" name="cgi"
     NameTrans from=/ldap fn=pfx2dir dir="/opt/IBMldaps/web"

- Domino Go: adds to the httpd.cnf

     Exec /ldap/cgi-bin/* c:\PROGRA~1\IBM\LDAP\web\cgi-bin\*
     Pass /ldap/* c:\PROGRA~1\IBM\LDAP\web\

- Apache: adds to the srm.conf

     ScriptAlias /ldap/cgi-bin/ c:/PROGRA~1/IBM/LDAP/web/cgi-bin/
     Alias /ldap c:/PROGRA~1/IBM/LDAP/web

- MSIIS: adds to the registry (use regedit to modify manually)

     Key = "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

     Name            Data
     /ldap           "c:\PROGRA~1\IBM\LDAP\web,,1"
     /ldap/cgi-bin   "c:\PROGRA~1\IBM\LDAP\web\cgi-bin,,4"

6.3.3. Solaris

- Netscape: adds to the obj.conf

     Init fn="init-cgi" timeout=0
     NameTrans from=/ldap/cgi-bin fn=pfx2dir dir="/opt/IBMldaps/web/cgi-bin" name="cgi"
     NameTrans from=/ldap fn=pfx2dir dir="/opt/IBMldaps/web"

- Domino Go: adds to the httpd.conf

     Exec /ldap/cgi-bin/* /opt/IBMldaps/web/cgi-bin/*
     Pass /ldap/* /opt/IBMldaps/web/*

- Apache: adds to the srm.conf

     ScriptAlias /ldap/cgi-bin/ /opt/IBMldaps/web/cgi-bin/
     Alias /ldap /opt/IBMldaps/web

_____________________________________________________________________________________

(1) eNetwork is a registered trademark of International Business Machines Corporation.
(2) AIX is a registered trademark of International Business Machines Corporation.
(3) Windows NT, Internet Explorer and Microsoft IIS are registered trademarks of Microsoft Corporation.
(4) Solaris is a registered trademark of Sun Microsystems Inc.
(5) Netscape FastTrack Server, Enterprise Server, Navigator and Communicator are registered trademarks of Netscape Communications Corporation.
(6) RSA is a registered trademark of RSA Data Security, Inc.