eFix 3.2.2-SWD-002 README for SecureWay Directory 3.2.2 AIX Server Installations

Contents

1) eFix 3.2.2-SWD-002
   1a) General description
   1b) Problems fixed
       1b.i) New fixes in 3.2.2-SWD-002
       1b.ii) Fixes in 3.2.2-SWD-001
       1b.iii) Platforms
       1b.iv) Dependencies
       1b.v) Files replaced or added by this eFix
       1b.vi) eFix contents
       1b.vii) Applying the eFix
       1b.viii) Confirming the eFix has been applied successfully
       1b.ix) Additional usage notes

1) eFix 3.2.2-SWD-002

Date: March 31, 2002
eFix: 3.2.2-SWD-002
Component: SecureWay(R) Directory 3.2.2 (128-bit Encryption Server Installations)

1a) General description

The eFix contains fixes for several problems encountered in SecureWay Directory 3.2.2. The APAR number for each problem is listed in the "Problems fixed" section. Refer to the specific APAR for more detail about each problem.

For information on changes and fixes that occurred after the product documentation had been translated, see the SecureWay Directory Version 3.2.2 README Addendum. This file is in English only. This file can also be found on the IBM(R) SecureWay Directory Library Web page using a link from http://www.software.ibm.com/network/directory/library.

You can get to the latest information here:
http://www-4.ibm.com/software/network/directory/library/v322/addendum322.htm

1b) Problems fixed

1b.i) New fixes in 3.2.2-SWD-002

APAR IR47735 (CMVC 71113)
    Support using { as first character in LDAP user passwords.

APAR IR47802 (CMVC 70356)
    Doing an ldapsearch on the Root DSE or Monitor class using * or attributes to be returned is not working with 3.2.2. This fix will allow the search "ldapsearch -sbase objectclass=* *" to return all attributes in the root DSE.

APAR IR48028 (CMVC 70625)
    Adding an attribute and modifying ACLs to an objectclass causes the ACLs to not work correctly unless slapd is rebooted.

APAR IR48052 (CMVC 71113)
    When you modify the attribute userpassword for an existing user with a hashed value, the server cores.

APAR IR48137 (CMVC 71629)
    Using 3.2.2 efix1, you may see a memory leak during the unbind operation (in some cases ~100 bytes per unbind).

APAR IR48168 (CMVC 71121)
    When upgrading to 3.2.2 and running changelog with peer masters, replication will not be started until replica objects are added to both peer masters.

APAR IR48126 (CMVC 71523)
    Fixes the problem where the LDAP server will intermittently core when interacting with the iPlanet proxy Client and Directory Access Router (iDAR).

APAR IR48300 (CMVC 71282)
    Memory leak in the ACL cache.

APAR IR48302 (CMVC 70876)
    Several errors were corrected dealing with messages displayed when using the ldapcfg script. These could have caused the wrong error message, or no error message, to be displayed.

1b.ii) Fixes in 3.2.2-SWD-001

APAR IR47193 (CMVC 68302)
    An entry is added to the changelog when slapd restarts. This entry must not be added. It also is not passed from peer to peer.

APAR IR47323 (CMVC 68444)
    Slapi_Search_Internal API takes a long time to return data when compared with the command line ldapsearch using the same search parameters.

APAR IR47324 (CMVC 68572)
    Removing an attribute breaks access to aclEntrys and exportability using db2ldif.

APAR IR47602 (CMVC 69302)
    Replication failure when performing a modify replace with no value. The request is incorrectly written into the change table.

APAR IR47623 (CMVC 68531)
    Attempting a modify replace on an attribute with syntax integer or timestamp with the same value and is part of the RDN fails. This operation has worked in previous releases.

APAR IR47624 (CMVC 68542)
    Performing an ldapdelete operation incurs a deadlock in the DB2(R) backend, and the LDAP server hangs.

APAR IR47625 (CMVC 68545)
    In a high performing environment such as BluePages, the LDAP server can appear to hang for several minutes at a time.

APAR IR47627 (CMVC 68733)
    The LDAP server encounters function sequence errors when delete operations are performed.

APAR IR47629 (CMVC 68805)
    The LDAP server experiences a memory leak in the client controls portion of the server's operation structure.

APAR IR47630 (CMVC 68935)
    When creating a custom database for the server's backend use, and it is configured for UTF-8 storage, the code page info is not put in slapd32.conf.

APAR IR47631 (CMVC 69012)
    The LDAP server incurs a segmentation fault when writing an audit record with unknown-auth.

APAR IR47633 (CMVC 69032)
    The LDAP server preoperation plugin preoperation value array is not null terminated as required by specifications.

APAR IR47635 (CMVC 69277)
    SASL bind reports success with SSL connections even if using a keyring database label that does not reference an actual certificate.

APAR IR47692 (CMVC 70361)
    For the ldapssl.h include file, SSL return codes must reflect the same information present in the GSKIT 5 product. Equivalent items based on the GSKIT 3 product must be removed.

APAR IR47874 (CMVC 70380)
    Bulkload utility fails if shell does not append inherited value to PATH environment variable.

APAR IR47886 (CMVC 70068, 70493)
    Search operations fail, and the dbsync process shows excessive resource utilization due to the default ldap_desc.deid index.

APAR IR47928 (CMVC 69750, 69774)
    Memory leaks occur in the server process.

APAR IR47930 (CMVC 70538)
    LDAP clients operating on Solaris can hang performing an add operation.

APAR IR48029 (CMVC 70142, 70236)
    Modify ldif processing to allow for sending and receipt of values identified to have zero length.

1b.iii) Platforms

AIX(R) Operating System versions 4.3.3 or higher, or AIX 5L(TM) Version 5.1 with the following fileset installed:

    X11.adt.lib 4.3.3.0 (or later)

1b.iv) Dependencies

SecureWay Directory 3.2.2 or 3.2.2 efix1 must be installed.
DB2 Universal Database(TM) version 7.2 FixPack 5 or higher.

1b.v) Files replaced or added by this eFix

With $INSTALL_DIR representing the root of the LDAP installation, the files replaced are:

    $INSTALL_DIR/bin/dmt
    $INSTALL_DIR/bin/ldamsg
    $INSTALL_DIR/bin/ldapdelete
    $INSTALL_DIR/bin/ldapdeleted
    $INSTALL_DIR/bin/ldapmodify
    $INSTALL_DIR/bin/ldapmodifyd
    $INSTALL_DIR/bin/ldapmodrdn
    $INSTALL_DIR/bin/ldapmodrdnd
    $INSTALL_DIR/bin/ldapsearch
    $INSTALL_DIR/bin/ldapsearchd
    $INSTALL_DIR/bin/slapd
    $INSTALL_DIR/bin/slapdd
    $INSTALL_DIR/bin/task_dbback
    $INSTALL_DIR/config/LDAPCfg.jar
    $INSTALL_DIR/include/ldapssl.h
    $INSTALL_DIR/lib/libadmin.a
    $INSTALL_DIR/lib/libback-rdbm.a
    $INSTALL_DIR/lib/libcl.a
    $INSTALL_DIR/lib/libibmldap.a
    $INSTALL_DIR/lib/libibmldapd.a
    $INSTALL_DIR/lib/libibmldapn.a
    $INSTALL_DIR/lib/libldacfg.so
    $INSTALL_DIR/lib/libldapaudit.a
    $INSTALL_DIR/lib/libldapjrt.a
    $INSTALL_DIR/lib/libldapstatic.a
    $INSTALL_DIR/lib/libldapstaticd.a
    $INSTALL_DIR/lib/libldapstaticn.a
    $INSTALL_DIR/lib/libldif.a
    $INSTALL_DIR/lib/libslapi.a
    $INSTALL_DIR/lib/libutils.a
    $INSTALL_DIR/lib/libutlsa.a
    $INSTALL_DIR/sbin/bulkload
    $INSTALL_DIR/sbin/db2ldif
    $INSTALL_DIR/sbin/ldif
    $INSTALL_DIR/sbin/ldif2db
    $INSTALL_DIR/sbin/ltou
    $INSTALL_DIR/sbin/miglen
    $INSTALL_DIR/sbin/runstats
    $INSTALL_DIR/sbin/utol
    $INSTALL_DIR/web/buildno.txt
    $INSTALL_DIR/web/cgi-bin
    $INSTALL_DIR/web/cgi-bin/ldacgi3d.exe
    $INSTALL_DIR/web/cgi-bin/ldacgi3e.exe
    $INSTALL_DIR/web/cgi-bin/ldacgid.exe
    $INSTALL_DIR/web/cgi-bin/ldacgie.exe

The default for INSTALL_DIR is /usr/ldap.

1b.vi) eFix contents

The archive for this eFix is named 3.2.2-SWD-002-AIX.tar.

The archive for this eFix includes:

- This README file
- The file bin/dmt
- The file bin/ldamsg
- The file bin/ldapdelete
- The file bin/ldapdeleted
- The file bin/ldapmodify
- The file bin/ldapmodifyd
- The file bin/ldapmodrdn
- The file bin/ldapmodrdnd
- The file bin/ldapsearch
- The file bin/ldapsearchd
- The file bin/slapd
- The file bin/slapdd
- The file bin/task_dbback
- The file config/LDAPCfg.jar
- The file include/ldapssl.h
- The file lib/libadmin.a
- The file lib/libback-rdbm.a
- The file lib/libcl.a
- The file lib/libibmldap.a
- The file lib/libibmldapd.a
- The file lib/libibmldapn.a
- The file lib/libldacfg.so
- The file lib/libldapaudit.a
- The file lib/libldapjrt.a
- The file lib/libldapstatic.a
- The file lib/libldapstaticd.a
- The file lib/libldapstaticn.a
- The file lib/libldif.a
- The file lib/libslapi.a
- The file lib/libutils.a
- The file lib/libutlsa.a
- The file sbin/bulkload
- The file sbin/db2ldif
- The file sbin/ldif
- The file sbin/ldif2db
- The file sbin/ltou
- The file sbin/miglen
- The file sbin/runstats
- The file sbin/utol
- The file web/buildno.txt
- The file web/cgi-bin
- The file web/cgi-bin/ldacgi3d.exe
- The file web/cgi-bin/ldacgi3e.exe
- The file web/cgi-bin/ldacgid.exe
- The file web/cgi-bin/ldacgie.exe
- The file web/buildno.txt

1b.vii) Applying the eFix

Your replication environment must be cleaned or resynched, or both. See section 5.2 of the IBM(R) SecureWay(R) Directory Version 3.2.2 Server Readme at:
http://www-4.ibm.com/software/network/directory/library/v322/server.htm

1. Extract the eFix contents into a temporary directory. For the purpose of this release note, assume that the symbol $TEMP points to that directory:

    # cd $TEMP
    # tar -xvf 3.2.2-SWD-002-AIX.tar

2. For each of the master and slave server installations targeted to receive the eFix, make sure the servers are stopped prior to applying the eFix.

3. Replace the installed version of each file with the version included in the eFix.
   Move the currently installed file to a location outside of the LDAP installation filesystem or rename the currently installed file. Copy the extracted files to the correct locations in the install folder. The install version locations for each file are:

    $INSTALL_DIR/bin/dmt
    $INSTALL_DIR/bin/ldamsg
    $INSTALL_DIR/bin/ldapdelete
    $INSTALL_DIR/bin/ldapdeleted
    $INSTALL_DIR/bin/ldapmodify
    $INSTALL_DIR/bin/ldapmodifyd
    $INSTALL_DIR/bin/ldapmodrdn
    $INSTALL_DIR/bin/ldapmodrdnd
    $INSTALL_DIR/bin/ldapsearch
    $INSTALL_DIR/bin/ldapsearchd
    $INSTALL_DIR/bin/slapd
    $INSTALL_DIR/bin/slapdd
    $INSTALL_DIR/bin/task_dbback
    $INSTALL_DIR/config/LDAPCfg.jar
    $INSTALL_DIR/include/ldapssl.h
    $INSTALL_DIR/lib/libadmin.a
    $INSTALL_DIR/lib/libback-rdbm.a
    $INSTALL_DIR/lib/libcl.a
    $INSTALL_DIR/lib/libibmldap.a
    $INSTALL_DIR/lib/libibmldapd.a
    $INSTALL_DIR/lib/libibmldapn.a
    $INSTALL_DIR/lib/libldacfg.so
    $INSTALL_DIR/lib/libldapaudit.a
    $INSTALL_DIR/lib/libldapjrt.a
    $INSTALL_DIR/lib/libldapstatic.a
    $INSTALL_DIR/lib/libldapstaticd.a
    $INSTALL_DIR/lib/libldapstaticn.a
    $INSTALL_DIR/lib/libldif.a
    $INSTALL_DIR/lib/libslapi.a
    $INSTALL_DIR/lib/libutils.a
    $INSTALL_DIR/lib/libutlsa.a
    $INSTALL_DIR/sbin/bulkload
    $INSTALL_DIR/sbin/db2ldif
    $INSTALL_DIR/sbin/ldif
    $INSTALL_DIR/sbin/ldif2db
    $INSTALL_DIR/sbin/ltou
    $INSTALL_DIR/sbin/miglen
    $INSTALL_DIR/sbin/runstats
    $INSTALL_DIR/sbin/utol
    $INSTALL_DIR/web/buildno.txt
    $INSTALL_DIR/web/cgi-bin
    $INSTALL_DIR/web/cgi-bin/ldacgi3d.exe
    $INSTALL_DIR/web/cgi-bin/ldacgi3e.exe
    $INSTALL_DIR/web/cgi-bin/ldacgid.exe
    $INSTALL_DIR/web/cgi-bin/ldacgie.exe
    $INSTALL_DIR/web/buildno.txt

   Again, the default for INSTALL_DIR is /usr/ldap.

4. Assign the correct owner, group, and permissions to the replaced files. Assume $OWNER is the owner value in the installation files, and $GROUP is the group value.
   The value of $OWNER for the following files is root:

    $INSTALL_DIR/web/cgi-bin/ldacgid.exe
    $INSTALL_DIR/web/cgi-bin/ldacgi3d.exe
    $INSTALL_DIR/web/cgi-bin/ldacgie.exe
    $INSTALL_DIR/web/cgi-bin/ldacgi3e.exe

   The value of $OWNER for the remaining files is ldap. The value for $GROUP for all files is ldap.

    # chown $OWNER
    # chgrp $GROUP

   The permissions on the files must be set according to the following guide:

    # chmod

    File                                      Permissions
    $INSTALL_DIR/bin/dmt                      755
    $INSTALL_DIR/bin/ldapdelete               755
    $INSTALL_DIR/bin/ldapdeleted              755
    $INSTALL_DIR/bin/ldapmodify               755
    $INSTALL_DIR/bin/ldapmodifyd              755
    $INSTALL_DIR/bin/ldapmodrdn               755
    $INSTALL_DIR/bin/ldapmodrdnd              755
    $INSTALL_DIR/bin/ldapsearch               755
    $INSTALL_DIR/bin/ldapsearchd              755
    $INSTALL_DIR/bin/slapd                    750
    $INSTALL_DIR/bin/slapdd                   755
    $INSTALL_DIR/bin/task_dbback              750
    $INSTALL_DIR/config/LDAPCfg.jar           644
    $INSTALL_DIR/include/ldapssl.h            644
    $INSTALL_DIR/lib/libslapi.a               644
    $INSTALL_DIR/lib/libback-rdbm.a           644
    $INSTALL_DIR/lib/libutils.a               644
    $INSTALL_DIR/lib/libutlsa.a               755
    $INSTALL_DIR/lib/libcl.a                  644
    $INSTALL_DIR/lib/libadmin.a               644
    $INSTALL_DIR/lib/libldacfg.so             755
    $INSTALL_DIR/lib/libldapaudit.a           644
    $INSTALL_DIR/lib/libldapjrt.a             755
    $INSTALL_DIR/lib/libibmldap.a             755
    $INSTALL_DIR/lib/libibmldapd.a            755
    $INSTALL_DIR/lib/libldapstatic.a          755
    $INSTALL_DIR/lib/libldapstaticd.a         755
    $INSTALL_DIR/lib/libldif.a                755
    $INSTALL_DIR/sbin/ldif                    755
    $INSTALL_DIR/sbin/ldif2db                 755
    $INSTALL_DIR/sbin/db2ldif                 755
    $INSTALL_DIR/sbin/bulkload                755
    $INSTALL_DIR/sbin/runstats                755
    $INSTALL_DIR/sbin/miglen                  755
    $INSTALL_DIR/sbin/utol                    750
    $INSTALL_DIR/sbin/ltou                    750
    $INSTALL_DIR/web/cgi-bin/ldacgid.exe      4755
    $INSTALL_DIR/web/cgi-bin/ldacgi3d.exe     4755
    $INSTALL_DIR/web/cgi-bin/ldacgie.exe      4755
    $INSTALL_DIR/web/cgi-bin/ldacgi3e.exe     4755
    $INSTALL_DIR/web/buildno.txt              644

5. Start each of the replica and master servers.

1b.viii) Confirming the eFix has been applied successfully

The eFix has been applied successfully if all files included in the eFix have replaced the pre-eFix files of the same names.
If, after applying the eFix, any facility making use of the SDK has degraded function as compared to its pre-fix operation, please notify SecureWay Directory support personnel.

Below is some relevant information on the replacement files:

- Filesize for bin/dmt is 14903
- Filesize for bin/ldamsg is 13914
- Filesize for bin/ldapdelete is 23819
- Filesize for bin/ldapdeleted is 23824
- Filesize for bin/ldapmodify is 51433
- Filesize for bin/ldapmodifyd is 51436
- Filesize for bin/ldapmodrdn is 24623
- Filesize for bin/ldapmodrdnd is 24628
- Filesize for bin/ldapsearch is 51444
- Filesize for bin/ldapsearchd is 51449
- Filesize for bin/slapd is 1732881
- Filesize for bin/slapdd is 1732966
- Filesize for bin/task_dbback is 34577
- Filesize for config/LDAPCfg.jar is 788942
- Filesize for include/ldapssl.h is 15677
- Filesize for lib/libadmin.a is 227078
- Filesize for lib/libback-rdbm.a is 1808864
- Filesize for lib/libcl.a is 40579
- Filesize for lib/libibmldap.a is 525876
- Filesize for lib/libibmldapd.a is 525868
- Filesize for lib/libibmldapn.a is 500511
- Filesize for lib/libldacfg.so is 48743
- Filesize for lib/libldapaudit.a is 63314
- Filesize for lib/libldapjrt.a is 29167
- Filesize for lib/libldapstatic.a is 699015
- Filesize for lib/libldapstaticd.a is 699005
- Filesize for lib/libldapstaticn.a is 666134
- Filesize for lib/libldif.a is 16062
- Filesize for lib/libslapi.a is 122695
- Filesize for lib/libutils.a is 5123294
- Filesize for lib/libutlsa.a is 58167
- Filesize for sbin/bulkload is 535939
- Filesize for sbin/db2ldif is 392472
- Filesize for sbin/ldif is 25261
- Filesize for sbin/ldif2db is 395654
- Filesize for sbin/ltou is 25847
- Filesize for sbin/miglen is 82441
- Filesize for sbin/runstats is 373697
- Filesize for sbin/utol is 25848
- Filesize for web/cgi-bin/ldacgi3d.exe is 2936312
- Filesize for web/cgi-bin/ldacgi3e.exe is 2936312
- Filesize for web/cgi-bin/ldacgid.exe is 7623541
- Filesize for web/cgi-bin/ldacgie.exe is 7623541

- sum -r bin/dmt results are: 59528 xxxx
- sum -r bin/ldamsg results are: 50773 xxxx
- sum -r bin/ldapdelete results are: 55236 xxxx
- sum -r bin/ldapdeleted results are: 19724 xxxx
- sum -r bin/ldapmodify results are: 42653 xxxx
- sum -r bin/ldapmodifyd results are: 22258 xxxx
- sum -r bin/ldapmodrdn results are: 37499 xxxx
- sum -r bin/ldapmodrdnd results are: 61655 xxxx
- sum -r bin/ldapsearch results are: 43307 xxxx
- sum -r bin/ldapsearchd results are: 18943 xxxx
- sum -r bin/slapd results are: 57676 xxxx
- sum -r bin/slapdd results are: 55928 xxxx
- sum -r bin/task_dbback results are: 19414 xxxx
- sum -r config/LDAPCfg.jar results are: 50270 xxxx
- sum -r include/ldapssl.h results are: 17457 xxxx
- sum -r lib/libadmin.a results are: 04234 xxxx
- sum -r lib/libback-rdbm.a results are: 22413 xxxx
- sum -r lib/libcl.a results are: 02946 xxxx
- sum -r lib/libibmldap.a results are: 49346 xxxx
- sum -r lib/libibmldapd.a results are: 39331 xxxx
- sum -r lib/libibmldapn.a results are: 02288 xxxx
- sum -r lib/libldacfg.so results are: 52604 xxxx
- sum -r lib/libldapaudit.a results are: 47718 xxxx
- sum -r lib/libldapjrt.a results are: 08624 xxxx
- sum -r lib/libldapstatic.a results are: 10170 xxxx
- sum -r lib/libldapstaticd.a results are: 43853 xxxx
- sum -r lib/libldapstaticn.a results are: 55753 xxxx
- sum -r lib/libldif.a results are: 46469 xxxx
- sum -r lib/libslapi.a results are: 61496 xxxx
- sum -r lib/libutils.a results are: 59812 xxxx
- sum -r lib/libutlsa.a results are: 20038 xxxx
- sum -r sbin/bulkload results are: 25410 xxxx
- sum -r sbin/db2ldif results are: 28654 xxxx
- sum -r sbin/ldif results are: 38305 xxxx
- sum -r sbin/ldif2db results are: 52624 xxxx
- sum -r sbin/ltou results are: 07550 xxxx
- sum -r sbin/miglen results are: 21807 xxxx
- sum -r sbin/runstats results are: 24798 xxxx
- sum -r sbin/utol results are: 24346 xxxx
- sum -r web/cgi-bin/ldacgi3d.exe results are: 44675 xxxx
- sum -r web/cgi-bin/ldacgi3e.exe results are: 30125 xxxx
- sum -r web/cgi-bin/ldacgid.exe results are: 03068 xxxx
- sum -r web/cgi-bin/ldacgie.exe results are: 44243 xxxx

Each xxxx represents the number of blocks used by the file. This number is filesystem format dependent.

The contents of the web/buildno.txt file are:

    SecureWay Directory Release: aus322ldap Build: 020425a (SWD 322 e-fix2)

1b.ix) Additional usage notes

Restricting write access to LDAP search storage file

In the current 3.2.1 and 3.2.2 releases on AIX, there is a file ($INSTALL_DIR/etc/dmtSearch.obj) that is used to store searches for re-use in the DMT. This file has default read/write access to all users. It is recommended that this file be made readable and writable only by the owner (ldap) and group (ldap admin group), with read/write access for other (world) users removed. Do the following to check and modify the file access (this example uses $INSTALL_DIR as the installation directory):

On AIX, to confirm that this file exists, enter the following commands:

    [root]==> ls -lt $INSTALL_DIR/etc/dmtSearch.obj
    -rw-rw-rw- 1 ldap ldap 0 Mar 20 17:32 dmtSearch.obj
    [root]==> chmod 660 $INSTALL_DIR/etc/dmtSearch.obj
    [root]==> ls -lt $INSTALL_DIR/etc/dmtSearch.obj
    -rw-rw---- 1 ldap ldap 0 Mar 20 17:32 dmtSearch.obj

After making this change:

* Guest users can only save searches when the dmtSearch.obj file has o=rw permissions. If the dmtSearch.obj file has lesser permissions or is missing, the command prompt session that started the DMT displays an exception message, and the search is not saved. The user is not given any direct notice that the exception has occurred, other than that the name the search was saved under is not added to the search tree in the DMT left panel.
* When a user that does not have UNIX(R) access to the dmtSearch.obj file attempts to read the contents (by selecting Search Names in the Navigation Window), they see a warning message of "java.lang.NullPointerException" in a window dialogue that dmt was started in.
* If the dmtSearch.obj file is deleted, the next time it is created, it has owner read/write access and group/other read access (for example, file access is -rw-r--r--).
* The LDAP user also gets exceptions for all search save attempts, except when the dmtSearch.obj file has g=rw permissions.

Remove LDAP_DESC_DEID index for improved performance

In the 3.2.2 and 3.2.2 efix1 releases, if you loaded your data into a new database using bulkload or db2ldif commands, an index (LDAP_DESC_DEID) is created. Dropping the LDAP_DESC_DEID index in many cases improves performance, especially search operations performance. Starting in the 3.2.2 eFix2, this index is not created by default and it is recommended that it be removed to improve performance. To drop the LDAP_DESC_DEID index, do the following:

1. Stop slapd.
2. db2 connect to ldapb2.
3. Run the following command:

    db2 DROP INDEX LDAPDB2.LDAP_DESC_DEID

4. Stop and restart DB2.

Setting the slapd executable to run with large memory model

The slapd and slapdd binaries have been configured to run on AIX using the default 256 MB process size. If you have configured local loopback and enabled the large memory model for your slapd/slapdd binary, the slapd/slapdd process can be up to 2 GB. For more information, see "Using a local loopback connection to DB2" of the IBM SecureWay Version 3.2.2 Directory Tuning Guide at the following Web address:
http://www-4.ibm.com/software/network/directory/library/v322/tuning.pdf.

To configure your slapdd to run using more than 256 MB of memory, do the following:

1. Make a copy of the slapdd.
2. As root, run the setmaxmem script against the slapdd executable:

    /usr/ldap/sbin/setmaxmem
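
Added example, not part of the IBM README or the eFix archive: a script that automates step 4 of "Applying the eFix" and the checks in "Confirming the eFix has been applied successfully" by comparing each installed file's owner, group, mode, size, and sum -r checksum with a manifest. The manifest format and the function names check_file and verify_manifest are assumptions of this example; the two sample manifest lines in the comments use values listed in this README.

```shell
#!/bin/sh
# Added example (not IBM's script): verify replaced eFix files against a manifest.
# Manifest line format (an assumption of this example):
#   relative/path owner group octal-mode size-in-bytes sum-r-checksum
# Lines built from the values in this README would look like:
#   bin/slapd ldap ldap 750 1732881 57676
#   web/cgi-bin/ldacgid.exe root ldap 4755 7623541 03068

# check_file ROOT RELPATH OWNER GROUP MODE SIZE CKSUM
# Returns 0 when everything matches, 1 otherwise; reports each mismatch.
check_file() {
    path="$1/$2"; rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING  $2"; return 1
    fi
    # find -perm with a plain octal mode matches the permission bits exactly,
    # including the setuid bit (4755) on the cgi-bin programs.
    [ -n "$(find "$path" -prune -perm "$5")" ] || { echo "MODE     $2 (want $5)"; rc=1; }
    [ -n "$(find "$path" -prune -user "$3")" ] || { echo "OWNER    $2 (want $3)"; rc=1; }
    [ -n "$(find "$path" -prune -group "$4")" ] || { echo "GROUP    $2 (want $4)"; rc=1; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -eq "$6" ] || { echo "SIZE     $2 (want $6, got $size)"; rc=1; }
    # Compare only the checksum field; the block count depends on the filesystem.
    # Both values are normalised so that 03068 and 3068 compare equal.
    got=$(sum -r < "$path" | awk '{print $1 + 0}')
    want=$(printf '%s\n' "$7" | awk '{print $1 + 0}')
    [ "$got" -eq "$want" ] || { echo "CHECKSUM $2 (want $7, got $got)"; rc=1; }
    return $rc
}

# verify_manifest ROOT MANIFEST
# Returns 0 only if every listed file passes; blank lines and # comments are skipped.
verify_manifest() {
    failed=0
    while read -r rel owner group mode size cksum; do
        case "$rel" in ''|'#'*) continue ;; esac
        check_file "$1" "$rel" "$owner" "$group" "$mode" "$size" "$cksum" || failed=1
    done < "$2"
    return $failed
}

# Run as: sh verify_efix.sh /usr/ldap manifest.txt
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

sum -r is a 16-bit checksum, so a match shows that a file was copied intact, not that it is authentic; the mode check is the part that catches a setuid cgi-bin program or a 750 binary left with wider permissions than the table in step 4 allows.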