eFix 3.2.2-SWD-002 README for SecureWay Directory 3.2.2 Linux s390 Server Installations Contents 1) eFix 3.2.2-SWD-002 1a) General description 1b) Problems fixed 1b.i) New fixes in 3.2.2-SWD-002 1b.ii) Fixes in 3.2.2-SWD-001 1b.iii) Platforms 1b.iv) Dependencies 1b.v) Files replaced or added by this eFix 1b.vi) eFix contents 1b.vii) Applying the eFix 1b.viii) Confirming the eFix has been applied successfully 1b.ix) Additional usage notes 1) eFix 3.2.2-SWD-002 Date: April 30, 2002 eFix: 3.2.2-SWD-002 Component: SecureWay(R) Directory 3.2.2 (128-bit Encryption Server Installations) 1a) General description The eFix contains fixes for several problems encountered in SecureWay Directory 3.2.2. The APAR number for each problem is listed in the "Problems fixed" section. Refer to the specific APAR for more detail about each problem. For information on changes and fixes that occurred after the product documentation had been translated, see the SecureWay Directory Version 3.2.2 README Addendum. This file is in English only. This file can also be found on the IBM(R) SecureWay Directory Library Web page using a link from http://www.software.ibm.com/network/directory/library. You can get to the latest information here: http://www-4.ibm.com/software/network/directory/library/v322/addendum322.htm1b) Problems fixed 1b.i) New fixes in 3.2.2-SWD-002 APAR IR47735 (CMVC 71113) Support using { as first character in LDAP user passwords. APAR IR47802 (CMVC 70356) "Doing an ldapsearch on the Root DSE or Monitor class using * or attributes to be returned is not working with 3.2.2. This fix will allow the search "ldapsearch -sbase objectclass=* *" to return all attributes in the root DSE. APAR IR48028 (CMVC 70625) Adding an attribute and modifying ACLs to an objectclass causes the ACL's to not work correctly unless slapd is rebooted. APAR IR48052 (CMVC 71113) When you modify the attribute userpassword for an existing user with a hashed value the server cores. APAR IR48137 (CMVC 71629) Using 3.2.2 efix1, you may see Memory Leak during unbind Operation (in some cases~100 bytes per unbind). APAR IR48168 (CMVC 71121) When upgrading to 3.2.2 and running changelog with peer masters, replication will not be started until replica objects are added to both peer masters. APAR IR48126 (CMVC 71523) Fixes a problem that the LDAP server will intermittently core when interacting with the iPlanet proxy Client and Directory Access Router (iDAR). APAR IR48300 (CMVC 71282) Memory Leak in acl cache. 1b.ii) Fixes in 3.2.2-SWD-001 APAR IR47193 (CMVC 68302) An entry is added to the changelog when slapd restarts. This entry must not be added. It also is not passed from peer to peer. APAR IR47323 (CMVC 68444) Slapi_Search_Internal API takes a long time to return data compared with the command line ldapsearch using the same search parameters. APAR IR47324 (CMVC 68572) Removing an attribute breaks access to aclEntrys and exportability using db2ldif. APAR IR47602 (CMVC 69302) Replication failure when performing a modify replace with no value. The request is incorrectly written into the change table. APAR IR47623 (CMVC 68531) Attempting a modify replace on an attribute with syntax integer or timestamp with the same value and is part of the RDN fails. This operation has worked in previous releases. APAR IR47624 (CMVC 68542) Performing an ldapdelete operation incurs a deadlock in the DB2(R) backend, and the LDAP server hangs. APAR IR47625 (CMVC 68545) In a high performing environment such as BluePages, the LDAP server can appear to hang for several minutes at a time. APAR IR47627 (CMVC 68733) The LDAP server encounters function sequence errors when delete operations are performed. APAR IR47629 (CMVC 68805) The LDAP server experiences a memory leak in the client controls portion of the server's operation structure. APAR IR47630 (CMVC 68935) When creating a custom database for the server's backend use, and it is configured for UTF-8 storage, the code page info is not put in slapd32.conf. APAR IR47631 (CMVC 69012) The LDAP server incurs a segmentation fault when writing an audit record with unknown-auth. APAR IR47633 (CMVC 69032) The LDAP server preoperation plugin preoperation value array is not null terminated as required by specifications. APAR IR47635 (CMVC 69277) SASL bind reports success with SSL connections even if using a keyring database label that does not reference an actual certificate. APAR IR47692 (CMVC 70361) For the ldapssl.h include file, SSL return codes must reflect same information present in the GSKIT 5 product. Equivalent items based on the GSKIT 3 product must be removed. APAR IR47874 (CMVC 70380) Bulkload utility fails if shell does not append inherited value to PATH environment variable. APAR IR47886 (CMVC 70068, 70493) Search operations fail, and dbsync process show excessive resource utilitization due to default ldap_desc.deid index. APAR IR47928 (CMVC 69750, 69774) Memory leaks occur in the server process. APAR IR47930 (CMVC 70538) LDAP clients operating on Solaris can hang performing an add operation. APAR IR48029 (CMVC 70142, 70236) Modify ldif processing to allow for sending and receipt value identified to have zero length. 1b.iii) Platforms SuSE Linux 7.2 or higher, or Turbolinux 6.5 or higher. Refer to the server README file included with the ldap-serverd-3.2.2-1.s390.rpm package for complete information on supported versions of Linux. For client-only installations, refer to the client README file included with the ldap-clientd-3.2.2-1.s390.rpm package for information on supported versions of Linux. 1b.iv) Dependencies SecureWay Directory 3.2.2 or 3.2.2 efix1 must be installed. The required installation consists of the following two packages: * ldap-clientd-3.2.2-1.s390.rpm only, or * ldap-clientd-3.2.2-1.s390.rpm and ldap-serverd-3.2.2-1.s390.rpm DB2 Universal Database(TM) version 7.2 FixPack 5 or higher. 1b.v) Files replaced or added by this eFix With $INSTALL_DIR representing the root of the LDAP installation, the files replaced are: $INSTALL_DIR/bin/ldapdelete $INSTALL_DIR/bin/ldapdeleted $INSTALL_DIR/bin/ldapmodify $INSTALL_DIR/bin/ldapmodifyd $INSTALL_DIR/bin/ldapmodrdn $INSTALL_DIR/bin/ldapmodrdnd $INSTALL_DIR/bin/ldapsearch $INSTALL_DIR/bin/ldapsearchd $INSTALL_DIR/bin/slapd $INSTALL_DIR/bin/slapdd $INSTALL_DIR/include/ldapssl.h $INSTALL_DIR/lib/libslapi.so $INSTALL_DIR/lib/libback-rdbm.so $INSTALL_DIR/lib/libutils.so $INSTALL_DIR/lib/libcl.so $INSTALL_DIR/lib/libldapaudit.so $INSTALL_DIR/lib/libldapjrt.so $INSTALL_DIR/lib/libibmldap.so $INSTALL_DIR/lib/libibmldapd.so $INSTALL_DIR/lib/libldapstatic.a $INSTALL_DIR/lib/libldapstaticd.a $INSTALL_DIR/lib/libldif.a $INSTALL_DIR/lib/libutlsa.so $INSTALL_DIR/lib/libtransys.so $INSTALL_DIR/sbin/ldif $INSTALL_DIR/sbin/ldif2db $INSTALL_DIR/sbin/db2ldif $INSTALL_DIR/sbin/bulkload $INSTALL_DIR/sbin/runstats $INSTALL_DIR/sbin/miglen $INSTALL_DIR/web/readme/buildno.txt The default for INSTALL_DIR is /usr/ldap. 1b.vi) eFix contents The archive for this eFix is named 3.2.2-SWD-002-LNX390.tar. The archive for this eFix includes: - This README file - The file bin/ldapdelete - The file bin/ldapdeleted - The file bin/ldapmodify - The file bin/ldapmodifyd - The file bin/ldapmodrdn - The file bin/ldapmodrdnd - The file bin/ldapsearch - The file bin/ldapsearchd - The file bin/ldapcfg - The file bin/slapd - The file bin/slapdd - The file include/ldapssl.h - The file lib/libslapi.so - The file lib/libback-rdbm.so - The file lib/libutils.so - The file lib/libcl.so - The file lib/libldapaudit.so - The file lib/libldapjrt.so - The file lib/libibmldap.so - The file lib/libibmldapd.so - The file lib/libldapstatic.a - The file lib/libldapstaticd.a - The file lib/libldif.a - The file lib/libutlsa.so - The file lib/libtransys.so - The file sbin/ldif - The file sbin/ldif2db - The file sbin/db2ldif - The file sbin/bulkload - The file sbin/runstats - The file sbin/miglen - The file web/readme/buildno.txt 1b.vii) Applying the eFix Your replication environment must be cleaned or resynched, or both. See section 5.2 of the IBM(R) SecureWay(R) Directory Version 3.2.2 Server Readme at: http://www-4.ibm.com/software/network/directory/library/v322/server.htm1. Extract the eFix contents into a temporary directory. For the purpose of this release note, assume that the symbol $TEMP points to the following directory: # cd $TEMP # tar -xvf 3.2.2-SWD-002-LNX390.tar 2. For each of the master and slave server installations targeted to receive the eFix, make sure the servers are stopped prior to applying the eFix. 3. Replace the installed version of each file with the version included in the eFix. Move the currently installed file to a location outside of the LDAP installation filesystem or rename the currently installed file. Copy the extracted files to the correct locations in the install folder. The following are the install version locations for each file: If the base install package is ldap-clientd-3.2.2-1.s390.rpm only: $INSTALL_DIR/bin/ldapdelete $INSTALL_DIR/bin/ldapdeleted (For 128-bit version only) $INSTALL_DIR/bin/ldapmodify $INSTALL_DIR/bin/ldapmodifyd (For 128-bit version only) $INSTALL_DIR/bin/ldapmodrdn $INSTALL_DIR/bin/ldapmodrdnd (For 128-bit version only) $INSTALL_DIR/bin/ldapsearch $INSTALL_DIR/bin/ldapsearchd (For 128-bit version only) $INSTALL_DIR/include/ldapssl.h $INSTALL_DIR/lib/libldapjrt.so $INSTALL_DIR/lib/libibmldap.so $INSTALL_DIR/lib/libibmldapd.so (For 128-bit version only) $INSTALL_DIR/lib/libldapstatic.a $INSTALL_DIR/lib/libldapstaticd.a (For 128-bit version only) $INSTALL_DIR/lib/libldif.a $INSTALL_DIR/web/readme/buildno.txt (For level tracking purposes) If the base install package includes ldap-clientd-3.2.2-1.s390.rpm and ldap-serverd-3.2.2-1.s390.rpm: $INSTALL_DIR/bin/ldapdelete $INSTALL_DIR/bin/ldapdeleted (For 128-bit version only) $INSTALL_DIR/bin/ldapmodify $INSTALL_DIR/bin/ldapmodifyd (For 128-bit version only) $INSTALL_DIR/bin/ldapmodrdn $INSTALL_DIR/bin/ldapmodrdnd (For 128-bit version only) $INSTALL_DIR/bin/ldapsearch $INSTALL_DIR/bin/ldapsearchd (For 128-bit version only) $INSTALL_DIR/bin/slapd $INSTALL_DIR/bin/slapdd (For 128-bit version only) $INSTALL_DIR/include/ldapssl.h $INSTALL_DIR/lib/libslapi.so $INSTALL_DIR/lib/libback-rdbm.so $INSTALL_DIR/lib/libutils.so $INSTALL_DIR/lib/libcl.so $INSTALL_DIR/lib/libldapaudit.so $INSTALL_DIR/lib/libldapjrt.so $INSTALL_DIR/lib/libibmldap.so $INSTALL_DIR/lib/libibmldapd.so (For 128-bit version only) $INSTALL_DIR/lib/libldapstatic.a $INSTALL_DIR/lib/libldapstaticd.a (For 128-bit version only) $INSTALL_DIR/lib/libldif.a $INSTALL_DIR/lib/libutlsa.so $INSTALL_DIR/lib/libtransys.so $INSTALL_DIR/sbin/ldif $INSTALL_DIR/sbin/ldif2db $INSTALL_DIR/sbin/db2ldif $INSTALL_DIR/sbin/bulkload $INSTALL_DIR/sbin/runstats $INSTALL_DIR/sbin/miglen $INSTALL_DIR/web/readme/buildno.txt (For level tracking purposes) Again, the default for INSTALL_DIR is /usr/ldap. 4. Assign the correct owner, group, and permissions to the replaced files. Assume $OWNER is the owner value in the installation files, and $GROUP is the group value. The value of $OWNER for all files is ldap. The value for $GROUP for all files is ldap. # chown $OWNER # chgrp $GROUP The permissions on the files must be set according to the following guide: # chmod If the base install package is ldap-clientd-3.2.2-1.s390.rpm only: $INSTALL_DIR/bin/ldapdelete 755 $INSTALL_DIR/bin/ldapdeleted 755 $INSTALL_DIR/bin/ldapmodify 755 $INSTALL_DIR/bin/ldapmodifyd 755 $INSTALL_DIR/bin/ldapmodrdn 755 $INSTALL_DIR/bin/ldapmodrdnd 755 $INSTALL_DIR/bin/ldapsearch 755 $INSTALL_DIR/bin/ldapsearchd 755 $INSTALL_DIR/include/ldapssl.h 644 $INSTALL_DIR/lib/libldapjrt.so 755 $INSTALL_DIR/lib/libibmldap.so 755 $INSTALL_DIR/lib/libibmldapd.so 755 $INSTALL_DIR/lib/libldapstatic.a 755 $INSTALL_DIR/lib/libldapstaticd.a 755 $INSTALL_DIR/lib/libldif.a 755 $INSTALL_DIR/web/readme/buildno.txt 644 If the base install package includes ldap-clientd-3.2.2-1.s390.rpm and ldap-serverd-3.2.2-1.s390.rpm: $INSTALL_DIR/bin/ldapdelete 755 $INSTALL_DIR/bin/ldapdeleted 755 $INSTALL_DIR/bin/ldapmodify 755 $INSTALL_DIR/bin/ldapmodifyd 755 $INSTALL_DIR/bin/ldapmodrdn 755 $INSTALL_DIR/bin/ldapmodrdnd 755 $INSTALL_DIR/bin/ldapsearch 755 $INSTALL_DIR/bin/ldapsearchd 755 $INSTALL_DIR/bin/slapd 750 $INSTALL_DIR/bin/slapdd 750 $INSTALL_DIR/include/ldapssl.h 644 $INSTALL_DIR/lib/libslapi.so 644 $INSTALL_DIR/lib/libback-rdbm.so 644 $INSTALL_DIR/lib/libutils.so 644 $INSTALL_DIR/lib/libcl.so 644 $INSTALL_DIR/lib/libldapaudit.so 644 $INSTALL_DIR/lib/libldapjrt.so 755 $INSTALL_DIR/lib/libibmldap.so 755 $INSTALL_DIR/lib/libibmldapd.so 755 $INSTALL_DIR/lib/libldapstatic.a 755 $INSTALL_DIR/lib/libldapstaticd.a 755 $INSTALL_DIR/lib/libldif.a 755 $INSTALL_DIR/lib/libutlsa.so 644 $INSTALL_DIR/lib/libtransys.so 644 $INSTALL_DIR/sbin/ldif 755 $INSTALL_DIR/sbin/ldif2db 750 $INSTALL_DIR/sbin/db2ldif 750 $INSTALL_DIR/sbin/bulkload 750 $INSTALL_DIR/sbin/runstats 750 $INSTALL_DIR/sbin/miglen 750 $INSTALL_DIR/web/readme/buildno.txt 644 5. Start each of the replica and master servers. 1b.viii) Confirming the eFix has been applied successfully The eFix has been applied successfully if all files included in the eFix have replaced the pre-eFix files of the same names. If after applying the eFix, any facility making use of the SDK has degraded function as compared to its pre-fix operation, please notify SecureWay Directory support personnel. Below is some relevant information on the replacement files: - Filesize for bin/ldapdelete is 25397 - Filesize for bin/ldapdeleted is 25397 - Filesize for bin/ldapmodify is 46847 - Filesize for bin/ldapmodifyd is 46847 - Filesize for bin/ldapmodrdn is 26429 - Filesize for bin/ldapmodrdnd is 26429 - Filesize for bin/ldapsearch is 46163 - Filesize for bin/ldapsearchd is 46163 - Filesize for bin/slapd is 673224 - Filesize for bin/slapdd is 673224 - Filesize for include/ldapssl.h is 15677 - Filesize for lib/libslapi.so is 129180 - Filesize for lib/libback-rdbm.so is 1245624 - Filesize for lib/libutils.so is 2649472 - Filesize for lib/libcl.so is 33106 - Filesize for lib/libldapaudit.so is 64338 - Filesize for lib/libldapjrt.so is 30349 - Filesize for lib/libibmldap.so is 545506 - Filesize for lib/libibmldapd.so is 545498 - Filesize for lib/libldapstatic.a is 584716 - Filesize for lib/libldapstaticd.a is 584700 - Filesize for lib/libldif.a is 13126 - Filesize for lib/libutlsa.so is 56332 - Filesize for lib/libtransys.so is 526317 - Filesize for sbin/ldif is 19489 - Filesize for sbin/ldif2db is 267180 - Filesize for sbin/db2ldif is 263113 - Filesize for sbin/bulkload is 368627 - Filesize for sbin/runstats is 248951 - Filesize for sbin/miglen is 275992 - sum -r bin/ldapdelete results are: 63462 xxxx - sum -r bin/ldapdeleted results are: 56995 xxxx - sum -r bin/ldapmodify results are: 16676 xxxx - sum -r bin/ldapmodifyd results are: 22762 xxxx - sum -r bin/ldapmodrdn results are: 30886 xxxx - sum -r bin/ldapmodrdnd results are: 45199 xxxx - sum -r bin/ldapsearch results are: 59147 xxxx - sum -r bin/ldapsearchd results are: 42798 xxxx - sum -r bin/slapd results are: 23987 xxxx - sum -r bin/slapdd results are: 12449 xxxx - sum -r include/ldapssl.h results are: 17457 xxxx - sum -r lib/libslapi.so results are: 02729 xxxx - sum -r lib/libback-rdbm.so results are: 36149 xxxx - sum -r lib/libutils.so results are: 17708 xxxx - sum -r lib/libcl.so results are: 26303 xxxx - sum -r lib/libldapaudit.so results are: 16630 xxxx - sum -r lib/libldapjrt.so results are: 60377 xxxx - sum -r lib/libibmldap.so results are: 53181 xxxx - sum -r lib/libibmldapd.so results are: 35587 xxxx - sum -r lib/libldapstatic.a results are: 00555 xxxx - sum -r lib/libldapstaticd.a results are: 52163 xxxx - sum -r lib/libldif.a results are: 18780 xxxx - sum -r lib/libutlsa.so results are: 24982 xxxx - sum -r lib/libtransys.so results are: 22035 xxxx - sum -r sbin/ldif results are: 47255 xxxx - sum -r sbin/ldif2db results are: 26699 xxxx - sum -r sbin/db2ldif results are: 49019 xxxx - sum -r sbin/bulkload results are: 40696 xxxx - sum -r sbin/runstats results are: 45428 xxxx - sum -r sbin/miglen results are: 34579 xxxx Each xxxx represents the number of blocks used by the file. This number is filesystem format dependent. The contents of the web/readme/buildno.txt file are: SecureWay Directory Release: aus322ldap Build: 020425a (SWD 322 e-fix2) 1b.ix) Additional usage notes Remove LDAP_DESC_DEID index for improved performance In the 3.2.2 and 3.2.2 efix1 releases, if you loaded your data into a new database using bulkload or db2ldif commands, an index (LDAP_DESC_DEID) is created. Dropping the LDAP_DESC_DEID index in many cases improves performance, especially search operations performance. Starting in the 3.2.2 eFix2, this index is not created by default and it is recommended that it be removed to improve performance. To drop the LDAP_DESC_DEID index, do the following: 1. Stop slapd. 2. db2 connect to ldapb2. 3. Run the following command: db2 DROP INDEX LDAPDB2.LDAP_DESC_DEID 4. Stop and restart DB2.