Note: Before using this information and the product it supports, read the general information under Notices.
This README file contains a description of the IBM Directory Server Version 5.1. This product is available on the AIX(R), Linux, HP-UX, Solaris, Windows NT(R), and Windows(R) 2000 platforms. The server README (server.pdf, server.htm, or server.txt) and separate README files describing the IBM Directory Server Client SDK (client.pdf, client.htm, or client.txt) and the IBM Directory Server Web Administration Tool (gui_readme.pdf, gui_readme.htm, or gui_readme.txt) can be found in the following directories:
Additional hardware and software requirements
Installation, configuration, and migration
Restrictions, known problems, troubleshooting, and additional information
Additional performance considerations
The IBM Directory Server Version 5.1 consists of the following components:
It includes an LDAP Version 3 server that supports IETF LDAPv3 (RFC 2251) protocol, schema, RootDSE, UTF-8, referrals, Simple Authentication and Security Layer (SASL) authentication mechanism and related specifications. In addition, it includes support for Secure Sockets Layer (SSL), replication, access control, client certificate authentication, CRAM MD5 authentication, change log, password encryption, server plug-ins, password policy, Web-based server administration GUI, LDAP V3 schema definitions, IBM common schema definitions, schema migration and performance improvements.
This version translates messages for Group 1 national languages on Windows NT, AIX, Linux, and Solaris operating systems including Brazilian Portuguese, French, German, Italian, Spanish, Japanese, Korean, Simplified Chinese, Traditional Chinese. In addition, this product on AIX also translates messages for Czech, Polish, Hungarian, Russian, Catalan and Slovakian.
The directory provides scalability by storing information in the IBM DB2 Universal Database(TM) (UDB). DB2(R) Version 8 is packaged with the directory product.
The following enhancements have been made for this release:
For a detailed list of new and changed function, see the IBM Directory Server Version 5.1 Installation and Configuration Guide.
In addition to the READMEs, on-line documents including the QuickStart, the Installation and Configuration Guide, the Administration Guide, the Performance Tuning Guide, the C-Client SDK Programming References, the Server Plug-in Reference are provided in pdf and html formats. The Web Administration Tool and Configuration Tool online helps are provided in html format.
The IBM Directory Server Version 5.1 supports the use of the JNDI client from Sun Microsystems. For information about the JNDI client, go to the Sun Microsystems Web site at http://java.sun.com/
For Windows systems:
For AIX systems:
For Solaris systems:
For Linux systems:
For HP-UX systems:
Further information is available on the Web. Find the IBM Directory Server page at http://www.software.ibm.com/network/directory/ for general information and announcements.
At this time there are no additional requirements. See the IBM Directory Server Version 5.1 Installation and Configuration Guide for system requirements.
See the IBM Directory Server Version 5.1 Installation and Configuration Guide for information about the installation of individual components and the migration from Version 3.1.1.5, Version 3.2, Version 3.2.X or Version 4.1 server to a Version 5.1 server. This guide is separately provided in the package to be viewed before the product is installed. This guide is also available from the IBM Directory Web site http://www.ibm.com/software/network/directory/library/.
Follow the steps described in the IBM Directory Server Version 5.1 QuickStart document for a quick setup of the server, loading a sample database and managing the directory content.
The following items apply to the InstallShield Multi Platform (ISMP) tool: The InstallShield GUI is not available on the UnitedLinux, Linux S/390(R) or the HP-UX platforms.
Before installing the IBM Directory Server using InstallShield GUI on AIX platforms:
xset fp default
xset fp default
The following items apply to the IBM Directory Server Configuration Tool:
You might not be able to use the Space, Enter or arrow keys on the keyboard to view the contents of the Look in menu on a Browse window. This is a limitation of Sun's JFileDialog boxes. To work around this problem, press Alt+the down arrow key to display the Look in menu, and use the arrow keys to select a drive.
If you exit the IBM Directory Server Configuration Tool after entering an invalid database name, a NullPointer exception occurs in the command window where the ldapxcfg command was executed. The exception does not affect the configuration process.
When using the IBM Directory Server Configuration Tool, if you click File, and then click File again to close the File menu, exceptions are generated in the Directory Configuration command window. The Configuration Tool continues to run, and you can ignore these exceptions.
The following information applies to the IBM Network Authentication Service (formerly referred to as Kerberos):
When running IBM Directory Server 5.1 with the IBM Network Authentication Service on Windows 2000 servers, you must be using the latest 1.1 release of the Network Authentication Service code, otherwise the directory server (ibmslapd) does not start after installation.
To check the level of Network Authentication Service code:
If you are running a Windows 2000 server as a domain controller and you want to use a different KDC, you need to follow these steps:
[domain_realm]
.mymachine.company.com = MYREALM.COMPANY.COM
Note the additional dot in front of the domain name.
The following information applies to the IBM Universal Database (DB2):
To replace the existing directory database in a particular instance with a new directory database in a different instance using ldapcfg or ldapxcfg:
Users should not put anything into the default database directory (for AIX and Linux platforms: /home/ldapdb2, for Windows NT and Windows 2000 platforms: c:\ldapdb2, for Solaris platforms: /export/home/ldapdb2). This directory as well as the ldapdb2 ID are reserved by the IBM Directory Server. User files in this database directory might be deleted.
Currently an entry with a large binary attachment might generate an 'Operations Error' error message.
If your entries need to include large binaries (for example up to 3 MB), you need to increase the size of the query heap. Use the DB2 update command to increase the query heap size. Issue the following command:
db2 update dbm cfg using query_heap_sz 2000
Stop and restart DB2 to initialize the change.
If you need to include binary attachments larger than 3 MB, you will need to increase the query heap size accordingly.
The following information applies to the bulkload utility:
If an attempt to load a database using bulkload fails and you decide to drop the database, before you can try bulkload again with a new database, you must do two things:
The following information applies to the AIX operating system only:
The IBM Directory Server Version 5.1 C-API has a 64-bit enabled library for building 64-bit LDAP applications. This library is named libibmldap64n.a and is located in the directory /usr/ldap/lib with the soft link /usr/lib/libibmldap64.a -> /usr/ldap/lib/libibmldap64n.a for the AIX 4.3.3 platform, or in the directory /usr/ldap/lib/aix5 with the soft link /usr/lib/libibmldap64.a -> /usr/ldap/lib/aix5/libibmldap64n.a for the AIX 5L(TM) Version 5.1 or greater platform.
Two libraries are needed because AIX platforms use different 64-bit XCOFF formats for executables or object modules on AIX 4.3.3 and AIX 5L Version 5.1 platforms. An application built with an AIX 4.3.3 64-bit XCOFF format does not run on an AIX 5L Version 5.1 system. Likewise a 64-bit application built to run on an AIX 5L Version 5.1 system does not run on an AIX 4.3.3 system.
At this time, the CRAM-MD5 SASL plug-in is a separate dynamically loadable shared object for 32 and 64 bit LDAP applications. To correctly select and load the appropriate 64-bit module, the environmental variable IBMLDAP_CONF must be set to a location other than /etc. At this new location, you need to create a copy of the /etc/ldap.conf file and replace the following entry:
plugin sasl CRAM-MD5 ldap_plugin_sasl_cram-md5 ldap_plugin_init
with:
plugin sasl CRAM-MD5 ldap_plugin_sasl_cram-md5_64 ldap_plugin_init
Additional information for building 64-bit applications for AIX can be found in the documentation for VisualAge(R) C/C++ Professional for AIX Version 5.0.
You might need to adjust the UNIX ulimit settings for the process running the IBM Directory Server (ibmslapd). The "nofiles" (descriptors) setting limits the number of concurrent connections to the server, because each connection requires an open socket descriptor. If your clients receive a "DSA Busy" error message from the server, try increasing the nofiles limit. You can reset the limit with the ulimit command. For example, to set the limit to 32,000 use:
ulimit -n 32000
To view all of the current limits, use:
ulimit -a
Another limit to consider when configuring the IBM Directory Server is the memory limit. On AIX platforms, this setting limits the ability of the process to use physical memory. Setting this limit higher allows the directory server to allocate more memory to caching data. When setting the memory limit, keep in mind that the server process cannot be larger than 2 GB.
ulimit -m 240000
Set the ulimit for coredump (blocks) to a large enough value to ensure that a complete core file can be dumped in the event of a problem with the server. The AIX platform default setting, 2097151, in most cases is sufficient.
The configuration currently does not provide an option for starting the LDAP server at system boot time. However, this can be achieved by manually adding a line to inittab:
ldapd:2:once: /bin/ibmslapd > /dev/console 2>&1 #autostart LDAP/DB2 Services
For an IBM Directory Server created on an AIX system that has a double byte code set (DBCS) primary locale and has its database created in a local code page, the IBM Directory Server can be automatically started at boot time by creating an executable ibmslapd start script (for example, /etc/rc.ldap) with the following contents:
#!/bin/ksh
export LANG=<Primary Locale>
export LC_ALL=<Primary Locale>
/bin/ibmslapd -f /usr/ldap/etc/ibmslapd.conf
Add an appropriate entry into /etc/inittab using the mkitab command as root user:
mkitab "ldap:2:once:<script name> >/dev/console 2>&1"
chitab "ldap:2:once:<script name> >/dev/console 2>&1"
The following information applies to the Windows NT and Windows 2000 operating systems:
The ibmslapd server does not start if it cannot open this file with both read and write permissions.
To upgrade your level of DB2 follow the directions in Upgrading to a new version of DB2 UDB, located on the IBM Directory Server Web site (http://www.ibm.com/software/network/directory/library).
Attention: Before removing or upgrading to a new level of DB2, read the Migration from previous releases chapter in the IBM Directory Server Version 5.1 Installation and Configuration Guide.
The problem is caused by remote drives being referenced in the PATH statement before local drives. The cause of the problem appears to be the inability of processes running as a SYSTEM service to properly access remote drives. The solution to this problem is to make sure that in the PATH statement the directories on local drives are specified before any directories that are located on remote drives.
In order to use SSL with Sun's JDK (version 1.3.1_04 required) and Tomcat 4.0.3, you must perform the following steps:
The following information applies to the Solaris operating system only:
To run the IBM Directory Server in the zh_TW.BIG5 locale on the Solaris Operating Environment Software(TM), you must set the following after configuring your database:
/export/home/ldapdb2/sqllib/adm/db2set DB2CODEPAGE=950
/export/home/ldapdb2/sqllib/adm/db2set DB2COUNTRY=88
To view the following documentation for zh_TW.BIG5 locale, replace zh_TW.BIG5 with zh_TW in the path specification:
The following information applies to the Linux operating systems only:
To launch a task from the Configuration Tool on a Linux platform using keyboard commands, you must select the task using the up and down arrows and then press the Space bar.
Installing DB2 V7.1 requires a system library file called libncurses.so.4 that is needed by the db2setup command. RedHat 7.0 has a later version of that file, but because db2setup requires version 4, you must do the following to create a symbolic link:
cd /usr/lib
ln -sf libncurses.so libncurses.so.4
The following information applies to the HP-UX platform.
ldapxcfg is not available in Traditional Chinese (zh_TW) on the HP-UX platform. To work around this problem, use ldapcfg to configure IBM Directory Server 5.1.
The Shift+Tab keyboard command for navigating backwards is not available in ldapxcfg on the HP-UX platform.
When you install the Java Virtual Machine using swinstall, you need to supply the full path to it as /cdrom/java/rte_13102os11.depot.
You can install DB2 directly from the CD by going into the udb81 subdirectory and issuing the db2setup command. You can also follow the DB2 installation information located at http://www.developer.ibm.com/library/data/install_HP-UX.html.
Follow the instructions in the IBM Directory Server Version 5.1 Installation and Configuration Guide.
You can install the following packages:
After you have completed the installation process, you need to set the following environment variable:
NLSPATH = /usr/lib/nsl/%L/%N
The following items apply to the IBM Directory Server and are not platform specific.
Editing the ibmslapd.conf file while the IBM Directory Server is running can result in unpredictable results. Make sure you stop the server before editing the configuration file.
DBCS Characters in the Administrator Passwords are not supported.
If db2ldif is used to create a file on a Windows NT machine, and the data is copied to AIX or Solaris platforms in binary using FTP, then each line ends with an extraneous carriage return character (Ctrl-M when viewed in an editor such as vi).
If the file is provided to ldif2db on UNIX, the utility loads only the first entry or none of the entries. This might occur when populating replicas on different platforms. To avoid the problem, copy the text file in ASCII mode.
If a DB2 column name of a new user attribute in the schema configuration file causes a problem, a DB2 reserved word might have been picked. To resolve the problem, use a different name.
If you encounter the following error when using an extremely complex filter in a ldapsearch operation:
Error code -1 from odbc string:" SQLFetch " ldap_search: Operations error
and find this message from the database error log file
installation directory\tmp\cli.errors: 12/02/98 15:11:28 native retcode = -973; state = "57011"; message = "[IBM][CLI Driver][DB2/NT] SQL0973N Not enough storage is available in the "APP_CTL_HEAP" heap to process the statement. SQLSTATE=57011: Virtual storage or database resource is not available.
you need to increase the database heap size from a command window (on Windows NT, from a DB2 command window by typing db2cmd first):
db2 update db cfg for databasename using APP_CTL_HEAP_SZ 256
where databasename is the database name for ldap. The default size is 64 (of 4k blocks).
These files on the following platforms contain the date of the product build:
installation directory/web/readme/buildno.txt
The LDIF files generated by earlier (pre-v3.2) versions of db2ldif contain operational ACL attributes and cannot be used by ldapadd. ldapadd does not recognize the old inherit-on-create operational attribute and so cannot be used in place of ldif2db to load the data dumped from a V2 server. Use the ldif2db utility as described in the migration documentation.
The IBM Directory Server does not support approximate matching for double-byte languages (Korean, Japanese, Chinese, and so forth). At this time this is a permanent restriction.
The gecos attribute, previously multi-valued, is a single-valued attribute in IBM Directory Server Version 5.1. Follow the steps below to determine whether your system contains entries that use gecos as a multi-valued attribute and make the necessary modifications to those entries:
ldapsearch -b <your suffix> -s subtree gecos=* dn gecos objectclass
The entries returned will show if there is more than one value for the gecos attribute. An entry with a multi-valued gecos attribute resembles the following:
dn: cn=bad, <your suffix>
gecos: 123
gecos: 456
gecos: 789
dn: cn=bad, <your suffix>
changetype: modify
delete: gecos
gecos: 456
gecos: 789
This deletes the extra values for gecos, leaving only gecos: 123
ldapmodify -D<your admin DN> -w <your admin DN password> -k -c -v -i <correction file name>
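Added example (not part of the IBM README): one way to generate the correction file for the gecos procedure above from the search results. It assumes the results are in the LDIF-style form shown above, with entries separated by blank lines; the function names, the sample data and the o=example suffix are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code. Reads LDIF-style search results on stdin
# (entries separated by blank lines) and writes one modify record for each
# entry holding more than one gecos value, deleting all but the first value.
gecos_correction_ldif() {
    awk '
    # Emit the modify record for the entry collected so far, then reset.
    function flush(   i) {
        if (dn != "" && n > 1) {
            print dn
            print "changetype: modify"
            print "delete: gecos"
            for (i = 2; i <= n; i++) print val[i]
            print ""
        }
        dn = ""; n = 0
    }
    # Handle one unfolded logical line.
    function handle(line) {
        if (line == "") { flush(); return }
        if (tolower(line) ~ /^dn:/) { dn = line; return }
        if (tolower(line) ~ /^gecos:/) val[++n] = line
    }
    {
        sub(/\r$/, "")          # tolerate CRLF files copied in binary mode
        if (have && substr($0, 1, 1) == " ") {   # LDIF continuation line
            buf = buf substr($0, 2)
            next
        }
        if (have) handle(buf)
        buf = $0; have = 1
    }
    END { if (have) handle(buf); flush() }
    '
}

# Constructed sample input (hypothetical suffix o=example).
sample_search_output() {
    cat <<'EOF'
dn: cn=bad,
 o=example
objectclass: posixAccount
gecos: 123
gecos: 456
gecos: 789

dn: cn=good,o=example
gecos: only value
EOF
}

# Print the correction file for the sample; review it before passing it to ldapmodify.
sample_search_output | gecos_correction_ldif
```

The function keeps the first gecos value returned for each entry, as in the README's example; check that this is the value you want to keep before applying the file.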
At this time there are no additional performance considerations. See the IBM Directory Server Version 5.1 Performance Tuning Guide for information about tuning the IBM Directory Server.
This information was developed for products and services offered in the U.S.A. IBM might not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation Licensing
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
The following terms are trademarks of International Business Machines Corporation in the United States, or other countries, or both:
AIX
AIX 5L
DB2
DB2 Universal Database
IBM
S/390
VisualAge
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
Lotus(R) and Domino(TM) are trademarks of Lotus Development Corporation in the United States, other countries, or both.
Microsoft(R), Windows, and Windows NT are registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group.
Other company, product, and service names may be trademarks or service marks of others.