eFix 3.2.2-SWD-002 README for SecureWay Directory 3.2.2 Linux i386 Server Installations

Contents

1) eFix 3.2.2-SWD-002
   1a) General description
   1b) Problems fixed
      1b.i) New fixes in 3.2.2-SWD-002
      1b.ii) Fixes in 3.2.2-SWD-001
      1b.iii) Platforms
      1b.iv) Dependencies
      1b.v) Files replaced or added by this eFix
      1b.vi) eFix contents
      1b.vii) Applying the eFix
      1b.viii) Confirming the eFix has been applied successfully
      1b.ix) Additional usage notes

1) eFix 3.2.2-SWD-002

Date: March 31, 2002
eFix: 3.2.2-SWD-002
Component: SecureWay(R) Directory 3.2.2 (128-bit Encryption Server Installations)

1a) General description

The eFix contains fixes for several problems encountered in SecureWay Directory 3.2.2. The APAR number for each problem is listed in the "Problems fixed" section. Refer to the specific APAR for more detail about each problem.

For information on changes and fixes that occurred after the product documentation had been translated, see the SecureWay Directory Version 3.2.2 README Addendum. This file is in English only. This file can also be found on the IBM(R) SecureWay Directory Library Web page using a link from http://www.software.ibm.com/network/directory/library.

You can get to the latest information here:
http://www-4.ibm.com/software/network/directory/library/v322/addendum322.htm

1b) Problems fixed

1b.i) New fixes in 3.2.2-SWD-002

APAR IR47735 (CMVC 71113)
    Support using { as first character in LDAP user passwords.

APAR IR47802 (CMVC 70356)
    Doing an ldapsearch on the Root DSE or Monitor class using * or attributes to be returned is not working with 3.2.2. This fix will allow the search "ldapsearch -sbase objectclass=* *" to return all attributes in the root DSE.

APAR IR48028 (CMVC 70625)
    Adding an attribute and modifying ACLs to an objectclass causes the ACLs to not work correctly unless slapd is rebooted.

APAR IR48052 (CMVC 71113)
    When you modify the attribute userpassword for an existing user with a hashed value the server cores.

APAR IR48137 (CMVC 71629)
    Using 3.2.2 efix1, you may see Memory Leak during unbind Operation (in some cases ~100 bytes per unbind).

APAR IR48168 (CMVC 71121)
    When upgrading to 3.2.2 and running changelog with peer masters, replication will not be started until replica objects are added to both peer masters.

APAR IR48126 (CMVC 71523)
    Fixes a problem that the LDAP server will intermittently core when interacting with the iPlanet proxy Client and Directory Access Router (iDAR).

APAR IR48300 (CMVC 71282)
    Memory Leak in acl cache.

1b.ii) Fixes in 3.2.2-SWD-001

APAR IR47193 (CMVC 68302)
    An entry is added to the changelog when slapd restarts. This entry must not be added. It also is not passed from peer to peer.

APAR IR47323 (CMVC 68444)
    Slapi_Search_Internal API takes a long time to return data compared with the command line ldapsearch using the same search parameters.

APAR IR47324 (CMVC 68572)
    Removing an attribute breaks access to aclEntrys and exportability using db2ldif.

APAR IR47602 (CMVC 69302)
    Replication failure when performing a modify replace with no value. The request is incorrectly written into the change table.

APAR IR47623 (CMVC 68531)
    Attempting a modify replace on an attribute with syntax integer or timestamp with the same value and is part of the RDN fails. This operation has worked in previous releases.

APAR IR47624 (CMVC 68542)
    Performing an ldapdelete operation incurs a deadlock in the DB2(R) backend, and the LDAP server hangs.

APAR IR47625 (CMVC 68545)
    In a high performing environment such as BluePages, the LDAP server can appear to hang for several minutes at a time.

APAR IR47627 (CMVC 68733)
    The LDAP server encounters function sequence errors when delete operations are performed.

APAR IR47629 (CMVC 68805)
    The LDAP server experiences a memory leak in the client controls portion of the server's operation structure.

APAR IR47630 (CMVC 68935)
    When creating a custom database for the server's backend use, and it is configured for UTF-8 storage, the code page info is not put in slapd32.conf.

APAR IR47631 (CMVC 69012)
    The LDAP server incurs a segmentation fault when writing an audit record with unknown-auth.

APAR IR47633 (CMVC 69032)
    The LDAP server preoperation plugin preoperation value array is not null terminated as required by specifications.

APAR IR47635 (CMVC 69277)
    SASL bind reports success with SSL connections even if using a keyring database label that does not reference an actual certificate.

APAR IR47692 (CMVC 70361)
    For the ldapssl.h include file, SSL return codes must reflect the same information present in the GSKIT 5 product. Equivalent items based on the GSKIT 3 product must be removed.

APAR IR47874 (CMVC 70380)
    Bulkload utility fails if shell does not append inherited value to PATH environment variable.

APAR IR47886 (CMVC 70068, 70493)
    Search operations fail, and the dbsync process shows excessive resource utilization due to the default ldap_desc.deid index.

APAR IR47928 (CMVC 69750, 69774)
    Memory leaks occur in the server process.

APAR IR47930 (CMVC 70538)
    LDAP clients operating on Solaris can hang performing an add operation.

APAR IR48029 (CMVC 70142, 70236)
    Modify ldif processing to allow for sending and receipt of value identified to have zero length.

1b.iii) Platforms

Red Hat Linux 7.1 or higher, SuSE Linux 7.2 or higher, or Turbolinux 6.5 or higher.

Refer to the appropriate SecureWay Directory 3.2.2 Installation and Configuration Guide for additional patch requirements. See the SecureWay Directory 3.2.2 library at http://www-4.ibm.com/software/network/directory/library.

1b.iv) Dependencies

SecureWay Directory 3.2.2 or 3.2.2 efix1 must be installed.
The required installation consists of the following two packages:

* ldap-clientd-3.2.2-1.i386.rpm only, or
* ldap-clientd-3.2.2-1.i386.rpm and ldap-serverd-3.2.2-1.i386.rpm

DB2 Universal Database(TM) version 7.2 FixPack 5 or higher.

1b.v) Files replaced or added by this eFix

With $INSTALL_DIR representing the root of the LDAP installation, the files replaced are:

    $INSTALL_DIR/bin/ldapdelete
    $INSTALL_DIR/bin/ldapdeleted
    $INSTALL_DIR/bin/ldapmodify
    $INSTALL_DIR/bin/ldapmodifyd
    $INSTALL_DIR/bin/ldapmodrdn
    $INSTALL_DIR/bin/ldapmodrdnd
    $INSTALL_DIR/bin/ldapsearch
    $INSTALL_DIR/bin/ldapsearchd
    $INSTALL_DIR/bin/slapd
    $INSTALL_DIR/bin/slapdd
    $INSTALL_DIR/include/ldapssl.h
    $INSTALL_DIR/lib/libslapi.so
    $INSTALL_DIR/lib/libback-rdbm.so
    $INSTALL_DIR/lib/libutils.so
    $INSTALL_DIR/lib/libcl.so
    $INSTALL_DIR/lib/libldapaudit.so
    $INSTALL_DIR/lib/libldapjrt.so
    $INSTALL_DIR/lib/libibmldap.so
    $INSTALL_DIR/lib/libibmldapd.so
    $INSTALL_DIR/lib/libldapstatic.a
    $INSTALL_DIR/lib/libldapstaticd.a
    $INSTALL_DIR/lib/libldif.a
    $INSTALL_DIR/lib/libutlsa.so
    $INSTALL_DIR/lib/libtransys.so
    $INSTALL_DIR/sbin/ldif
    $INSTALL_DIR/sbin/ldif2db
    $INSTALL_DIR/sbin/db2ldif
    $INSTALL_DIR/sbin/bulkload
    $INSTALL_DIR/sbin/runstats
    $INSTALL_DIR/sbin/miglen
    $INSTALL_DIR/web/readme/buildno.txt

The default for INSTALL_DIR is /usr/ldap.

1b.vi) eFix contents

The archive for this eFix is named 3.2.2-SWD-002-LNX86.tar.
The archive for this eFix includes:

- This README file
- The file bin/ldapdelete
- The file bin/ldapdeleted
- The file bin/ldapmodify
- The file bin/ldapmodifyd
- The file bin/ldapmodrdn
- The file bin/ldapmodrdnd
- The file bin/ldapsearch
- The file bin/ldapsearchd
- The file bin/ldapcfg
- The file bin/slapd
- The file bin/slapdd
- The file include/ldapssl.h
- The file lib/libslapi.so
- The file lib/libback-rdbm.so
- The file lib/libutils.so
- The file lib/libcl.so
- The file lib/libldapaudit.so
- The file lib/libldapjrt.so
- The file lib/libibmldap.so
- The file lib/libibmldapd.so
- The file lib/libldapstatic.a
- The file lib/libldapstaticd.a
- The file lib/libldif.a
- The file lib/libutlsa.so
- The file lib/libtransys.so
- The file sbin/ldif
- The file sbin/ldif2db
- The file sbin/db2ldif
- The file sbin/bulkload
- The file sbin/runstats
- The file sbin/miglen
- The file web/readme/buildno.txt

1b.vii) Applying the eFix

Your replication environment must be cleaned or resynched, or both. See section 5.2 of the IBM(R) SecureWay(R) Directory Version 3.2.2 Server Readme at:
http://www-4.ibm.com/software/network/directory/library/v322/server.htm

1. Extract the eFix contents into a temporary directory. For the purpose of this release note, assume that the symbol $TEMP points to the following directory:

    # cd $TEMP
    # tar -xvf 3.2.2-SWD-002-LNX86.tar

2. For each of the master and slave server installations targeted to receive the eFix, make sure the servers are stopped prior to applying the eFix.

3. Replace the installed version of each file with the version included in the eFix. Move the currently installed file to a location outside of the LDAP installation filesystem or rename the currently installed file. Copy the extracted files to the correct locations in the install folder.
The following are the install version locations for each file:

If the base install package is ldap-clientd-3.2.2-1.i386.rpm only:

    $INSTALL_DIR/bin/ldapdelete
    $INSTALL_DIR/bin/ldapdeleted (For 128-bit version only)
    $INSTALL_DIR/bin/ldapmodify
    $INSTALL_DIR/bin/ldapmodifyd (For 128-bit version only)
    $INSTALL_DIR/bin/ldapmodrdn
    $INSTALL_DIR/bin/ldapmodrdnd (For 128-bit version only)
    $INSTALL_DIR/bin/ldapsearch
    $INSTALL_DIR/bin/ldapsearchd (For 128-bit version only)
    $INSTALL_DIR/include/ldapssl.h
    $INSTALL_DIR/lib/libldapjrt.so
    $INSTALL_DIR/lib/libibmldap.so
    $INSTALL_DIR/lib/libibmldapd.so (For 128-bit version only)
    $INSTALL_DIR/lib/libldapstatic.a
    $INSTALL_DIR/lib/libldapstaticd.a (For 128-bit version only)
    $INSTALL_DIR/lib/libldif.a
    $INSTALL_DIR/web/readme/buildno.txt (For level tracking purposes)

If the base install package includes ldap-clientd-3.2.2-1.i386.rpm and ldap-serverd-3.2.2-1.i386.rpm:

    $INSTALL_DIR/bin/ldapdelete
    $INSTALL_DIR/bin/ldapdeleted (For 128-bit version only)
    $INSTALL_DIR/bin/ldapmodify
    $INSTALL_DIR/bin/ldapmodifyd (For 128-bit version only)
    $INSTALL_DIR/bin/ldapmodrdn
    $INSTALL_DIR/bin/ldapmodrdnd (For 128-bit version only)
    $INSTALL_DIR/bin/ldapsearch
    $INSTALL_DIR/bin/ldapsearchd (For 128-bit version only)
    $INSTALL_DIR/bin/slapd
    $INSTALL_DIR/bin/slapdd (For 128-bit version only)
    $INSTALL_DIR/include/ldapssl.h
    $INSTALL_DIR/lib/libslapi.so
    $INSTALL_DIR/lib/libback-rdbm.so
    $INSTALL_DIR/lib/libutils.so
    $INSTALL_DIR/lib/libcl.so
    $INSTALL_DIR/lib/libldapaudit.so
    $INSTALL_DIR/lib/libldapjrt.so
    $INSTALL_DIR/lib/libibmldap.so
    $INSTALL_DIR/lib/libibmldapd.so (For 128-bit version only)
    $INSTALL_DIR/lib/libldapstatic.a
    $INSTALL_DIR/lib/libldapstaticd.a (For 128-bit version only)
    $INSTALL_DIR/lib/libldif.a
    $INSTALL_DIR/lib/libutlsa.so
    $INSTALL_DIR/lib/libtransys.so
    $INSTALL_DIR/sbin/ldif
    $INSTALL_DIR/sbin/ldif2db
    $INSTALL_DIR/sbin/db2ldif
    $INSTALL_DIR/sbin/bulkload
    $INSTALL_DIR/sbin/runstats
    $INSTALL_DIR/sbin/miglen
    $INSTALL_DIR/web/readme/buildno.txt (For level tracking purposes)

Again, the default for INSTALL_DIR is /usr/ldap.

4. Assign the correct owner, group, and permissions to the replaced files. Assume $OWNER is the owner value in the installation files, and $GROUP is the group value. The value of $OWNER for all files is ldap. The value for $GROUP for all files is ldap.

    # chown $OWNER <file>
    # chgrp $GROUP <file>

The permissions on the files must be set according to the following guide:

    # chmod <mode> <file>

If the base install package is ldap-clientd-3.2.2-1.i386.rpm only:

    $INSTALL_DIR/bin/ldapdelete           755
    $INSTALL_DIR/bin/ldapdeleted          755
    $INSTALL_DIR/bin/ldapmodify           755
    $INSTALL_DIR/bin/ldapmodifyd          755
    $INSTALL_DIR/bin/ldapmodrdn           755
    $INSTALL_DIR/bin/ldapmodrdnd          755
    $INSTALL_DIR/bin/ldapsearch           755
    $INSTALL_DIR/bin/ldapsearchd          755
    $INSTALL_DIR/include/ldapssl.h        644
    $INSTALL_DIR/lib/libldapjrt.so        755
    $INSTALL_DIR/lib/libibmldap.so        755
    $INSTALL_DIR/lib/libibmldapd.so       755
    $INSTALL_DIR/lib/libldapstatic.a      755
    $INSTALL_DIR/lib/libldapstaticd.a     755
    $INSTALL_DIR/lib/libldif.a            755
    $INSTALL_DIR/web/readme/buildno.txt   644

If the base install package includes ldap-clientd-3.2.2-1.i386.rpm and ldap-serverd-3.2.2-1.i386.rpm:

    $INSTALL_DIR/bin/ldapdelete           755
    $INSTALL_DIR/bin/ldapdeleted          755
    $INSTALL_DIR/bin/ldapmodify           755
    $INSTALL_DIR/bin/ldapmodifyd          755
    $INSTALL_DIR/bin/ldapmodrdn           755
    $INSTALL_DIR/bin/ldapmodrdnd          755
    $INSTALL_DIR/bin/ldapsearch           755
    $INSTALL_DIR/bin/ldapsearchd          755
    $INSTALL_DIR/bin/slapd                750
    $INSTALL_DIR/bin/slapdd               750
    $INSTALL_DIR/include/ldapssl.h        644
    $INSTALL_DIR/lib/libslapi.so          644
    $INSTALL_DIR/lib/libback-rdbm.so      644
    $INSTALL_DIR/lib/libutils.so          644
    $INSTALL_DIR/lib/libcl.so             644
    $INSTALL_DIR/lib/libldapaudit.so      644
    $INSTALL_DIR/lib/libldapjrt.so        755
    $INSTALL_DIR/lib/libibmldap.so        755
    $INSTALL_DIR/lib/libibmldapd.so       755
    $INSTALL_DIR/lib/libldapstatic.a      755
    $INSTALL_DIR/lib/libldapstaticd.a     755
    $INSTALL_DIR/lib/libldif.a            755
    $INSTALL_DIR/lib/libutlsa.so          644
    $INSTALL_DIR/lib/libtransys.so        644
    $INSTALL_DIR/sbin/ldif                755
    $INSTALL_DIR/sbin/ldif2db             750
    $INSTALL_DIR/sbin/db2ldif             750
    $INSTALL_DIR/sbin/bulkload            750
    $INSTALL_DIR/sbin/runstats            750
    $INSTALL_DIR/sbin/miglen              750
    $INSTALL_DIR/web/readme/buildno.txt   644

5. Start each of the replica and master servers.

1b.viii) Confirming the eFix has been applied successfully

The eFix has been applied successfully if all files included in the eFix have replaced the pre-eFix files of the same names. If after applying the eFix, any facility making use of the SDK has degraded function as compared to its pre-fix operation, please notify SecureWay Directory support personnel.

Below is some relevant information on the replacement files:

- Filesize for bin/ldapdelete is 23013
- Filesize for bin/ldapdeleted is 23013
- Filesize for bin/ldapmodify is 39835
- Filesize for bin/ldapmodifyd is 39835
- Filesize for bin/ldapmodrdn is 23821
- Filesize for bin/ldapmodrdnd is 23821
- Filesize for bin/ldapsearch is 39495
- Filesize for bin/ldapsearchd is 39495
- Filesize for bin/slapd is 551204
- Filesize for bin/slapdd is 551204
- Filesize for include/ldapssl.h is 15677
- Filesize for lib/libslapi.so is 90060
- Filesize for lib/libback-rdbm.so is 1003283
- Filesize for lib/libutils.so is 2068573
- Filesize for lib/libcl.so is 28279
- Filesize for lib/libldapaudit.so is 52502
- Filesize for lib/libldapjrt.so is 29165
- Filesize for lib/libibmldap.so is 465339
- Filesize for lib/libibmldapd.so is 465339
- Filesize for lib/libldapstatic.a is 509984
- Filesize for lib/libldapstaticd.a is 509952
- Filesize for lib/libldif.a is 11254
- Filesize for lib/libutlsa.so is 48081
- Filesize for lib/libtransys.so is 378898
- Filesize for sbin/ldif is 16897
- Filesize for sbin/ldif2db is 244281
- Filesize for sbin/db2ldif is 240787
- Filesize for sbin/bulkload is 349421
- Filesize for sbin/runstats is 224699
- Filesize for sbin/miglen is 248940

- sum -r bin/ldapdelete results are: 09323 xxxx
- sum -r bin/ldapdeleted results are: 49490 xxxx
- sum -r bin/ldapmodify results are: 53677 xxxx
- sum -r bin/ldapmodifyd results are: 30245 xxxx
- sum -r bin/ldapmodrdn results are: 53971 xxxx
- sum -r bin/ldapmodrdnd results are: 11691 xxxx
- sum -r bin/ldapsearch results are: 29418 xxxx
- sum -r bin/ldapsearchd results are: 08428 xxxx
- sum -r bin/slapd results are: 32474 xxxx
- sum -r bin/slapdd results are: 24051 xxxx
- sum -r include/ldapssl.h results are: 17457 xxxx
- sum -r lib/libslapi.so results are: 03629 xxxx
- sum -r lib/libback-rdbm.so results are: 32602 xxxx
- sum -r lib/libutils.so results are: 22624 xxxx
- sum -r lib/libcl.so results are: 11543 xxxx
- sum -r lib/libldapaudit.so results are: 23849 xxxx
- sum -r lib/libldapjrt.so results are: 19370 xxxx
- sum -r lib/libibmldap.so results are: 44626 xxxx
- sum -r lib/libibmldapd.so results are: 40852 xxxx
- sum -r lib/libldapstatic.a results are: 61703 xxxx
- sum -r lib/libldapstaticd.a results are: 61127 xxxx
- sum -r lib/libldif.a results are: 53410 xxxx
- sum -r lib/libutlsa.so results are: 03052 xxxx
- sum -r lib/libtransys.so results are: 38409 xxxx
- sum -r sbin/ldif results are: 22700 xxxx
- sum -r sbin/ldif2db results are: 52148 xxxx
- sum -r sbin/db2ldif results are: 03770 xxxx
- sum -r sbin/bulkload results are: 02608 xxxx
- sum -r sbin/runstats results are: 27872 xxxx
- sum -r sbin/miglen results are: 04379 xxxx

Each xxxx represents the number of blocks used by the file. This number is filesystem format dependent.

The contents of the web/readme/buildno.txt file are:

    SecureWay Directory Release: aus322ldap Build: 020425a (SWD 322 e-fix2)

1b.ix) Additional usage notes

Remove LDAP_DESC_DEID index for improved performance

In the 3.2.2 and 3.2.2 efix1 releases, if you loaded your data into a new database using bulkload or db2ldif commands, an index (LDAP_DESC_DEID) is created. Dropping the LDAP_DESC_DEID index in many cases improves performance, especially search operations performance.
Starting in the 3.2.2 eFix2, this index is not created by default and it is recommended that it be removed to improve performance.

To drop the LDAP_DESC_DEID index, do the following:

1. Stop slapd.
2. db2 connect to ldapdb2
3. Run the following command:

    db2 DROP INDEX LDAPDB2.LDAP_DESC_DEID

4. Stop and restart DB2.
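
The checks from section 1b.viii (file size and sum -r checksum) and the permissions guide in step 4 of section 1b.vii can be scripted. The following is an added example, not part of the original README or the product: the function name verify_efix and the manifest layout (relative path, size, checksum, mode) are assumptions, the manifest is an excerpt of the values listed above, and the mode check uses GNU stat.

```shell
#!/bin/sh
# Added example: compare installed files with the size, `sum -r` checksum and
# mode values listed in this README. Manifest rows: path size checksum mode.
# Excerpt only; add the remaining rows from the README's lists as needed.
EFIX_MANIFEST='bin/slapd 551204 32474 750
bin/slapdd 551204 24051 750
bin/ldapsearch 39495 29418 755
lib/libslapi.so 90060 03629 644
sbin/ldif2db 244281 52148 750'

# verify_efix INSTALL_DIR MANIFEST
# Prints one line per problem and returns the number of problems (0 = clean).
verify_efix() {
    dir=$1; bad=0
    while read -r path size cksum mode; do
        [ -n "$path" ] || continue
        f="$dir/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        got_size=$(wc -c < "$f" | tr -d ' ')
        # sum -r prints "<checksum> <blocks>"; the block count depends on the
        # filesystem (the README's "xxxx"), so only the checksum is compared.
        got_sum=$(sum -r "$f" | awk '{print $1}')
        got_mode=$(stat -c %a "$f")   # GNU stat, as found on Linux
        [ "$got_size" = "$size" ] || { echo "SIZE     $path: $got_size != $size"; bad=$((bad + 1)); }
        [ "$got_sum" = "$cksum" ] || { echo "CHECKSUM $path: $got_sum != $cksum"; bad=$((bad + 1)); }
        [ "$got_mode" = "$mode" ] || { echo "MODE     $path: $got_mode != $mode"; bad=$((bad + 1)); }
    done <<EOF
$2
EOF
    return "$bad"
}

# Run as: sh verify_efix.sh --check [INSTALL_DIR]
if [ "${1:-}" = "--check" ]; then
    verify_efix "${2:-/usr/ldap}" "$EFIX_MANIFEST"
fi
```

A MODE line for slapd, slapdd or the sbin utilities means the file is more (or less) accessible than the 750 the README specifies; sum -r is a 16-bit checksum, so a match confirms the copy but not the origin of the file.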