eFix 3.2.2-SWD-002 README for SecureWay Directory 3.2.2 Solaris Server Installations

Contents

1) eFix 3.2.2-SWD-002
   1a) General description
   1b) Problems fixed
       1b.i) New fixes in 3.2.2-SWD-002
       1b.ii) Fixes in 3.2.2-SWD-001
       1b.iii) Platforms
       1b.iv) Dependencies
       1b.v) Files replaced or added by this eFix
       1b.vi) eFix contents
       1b.vii) Applying the eFix
       1b.viii) Confirming the eFix has been applied successfully
       1b.ix) Additional usage notes

1) eFix 3.2.2-SWD-002

Date: March 31, 2002
eFix: 3.2.2-SWD-002
Component: SecureWay(R) Directory 3.2.2 (128-bit Encryption Server Installations)

1a) General description

The eFix contains fixes for several problems encountered in SecureWay Directory 3.2.2. The APAR number for each problem is listed in the "Problems fixed" section. Refer to the specific APAR for more detail about each problem.

For information on changes and fixes that occurred after the product documentation had been translated, see the SecureWay Directory Version 3.2.2 README Addendum. This file is in English only. This file can also be found on the IBM(R) SecureWay Directory Library Web page using a link from http://www.software.ibm.com/network/directory/library.

You can get to the latest information here:
http://www-4.ibm.com/software/network/directory/library/v322/addendum322.htm

1b) Problems fixed

1b.i) New fixes in 3.2.2-SWD-002

APAR IR47735 (CMVC 71113)
    Support using { as first character in LDAP user passwords.
APAR IR47802 (CMVC 70356)
    Doing an ldapsearch on the Root DSE or Monitor class using * or attributes to be returned is not working with 3.2.2. This fix will allow the search "ldapsearch -sbase objectclass=* *" to return all attributes in the root DSE.
APAR IR48028 (CMVC 70625)
    Adding an attribute and modifying ACLs on an objectclass causes the ACLs to not work correctly unless slapd is restarted.
APAR IR48052 (CMVC 71113)
    When you modify the attribute userpassword for an existing user with a hashed value, the server cores.
APAR IR48137 (CMVC 71629)
    With 3.2.2 efix1, you may see a memory leak during the unbind operation (in some cases ~100 bytes per unbind).
APAR IR48168 (CMVC 71121)
    When upgrading to 3.2.2 and running changelog with peer masters, replication will not be started until replica objects are added to both peer masters.
APAR IR48126 (CMVC 71523)
    Fixes the problem where the LDAP server will intermittently core when interacting with the iPlanet proxy Client and Directory Access Router (iDAR).
APAR IR48300 (CMVC 71282)
    Memory leak in the ACL cache.
APAR IR48302 (CMVC 70876)
    Several errors in the messages displayed when using the ldapcfg script were corrected. These could have caused the wrong error message, or no error message, to be displayed.

1b.ii) Fixes in 3.2.2-SWD-001

APAR IR47193 (CMVC 68302)
    An entry is added to the changelog when slapd restarts. This entry must not be added. It also is not passed from peer to peer.
APAR IR47323 (CMVC 68444)
    Slapi_Search_Internal API takes a long time to return data compared with the command line ldapsearch using the same search parameters.
APAR IR47324 (CMVC 68572)
    Removing an attribute breaks access to aclEntrys and exportability using db2ldif.
APAR IR47602 (CMVC 69302)
    Replication failure when performing a modify replace with no value. The request is incorrectly written into the change table.
APAR IR47623 (CMVC 68531)
    A modify replace with the same value fails on an attribute that has integer or timestamp syntax and is part of the RDN. This operation has worked in previous releases.
APAR IR47624 (CMVC 68542)
    Performing an ldapdelete operation incurs a deadlock in the DB2(R) backend, and the LDAP server hangs.
APAR IR47625 (CMVC 68545)
    In a high performing environment such as BluePages, the LDAP server can appear to hang for several minutes at a time.
APAR IR47627 (CMVC 68733)
    The LDAP server encounters function sequence errors when delete operations are performed.
APAR IR47629 (CMVC 68805)
    The LDAP server experiences a memory leak in the client controls portion of the server's operation structure.
APAR IR47630 (CMVC 68935)
    When creating a custom database for the server's backend use, and it is configured for UTF-8 storage, the code page info is not put in slapd32.conf.
APAR IR47631 (CMVC 69012)
    The LDAP server incurs a segmentation fault when writing an audit record with unknown-auth.
APAR IR47633 (CMVC 69032)
    The LDAP server preoperation plugin preoperation value array is not null terminated as required by specifications.
APAR IR47635 (CMVC 69277)
    SASL bind reports success with SSL connections even if using a keyring database label that does not reference an actual certificate.
APAR IR47692 (CMVC 70361)
    For the ldapssl.h include file, SSL return codes must reflect the same information present in the GSKIT 5 product. Equivalent items based on the GSKIT 3 product must be removed.
APAR IR47874 (CMVC 70380)
    Bulkload utility fails if the shell does not append the inherited value to the PATH environment variable.
APAR IR47886 (CMVC 70068, 70493)
    Search operations fail, and the dbsync process shows excessive resource utilization, due to the default ldap_desc.deid index.
APAR IR47928 (CMVC 69750, 69774)
    Memory leaks occur in the server process.
APAR IR47930 (CMVC 70538)
    LDAP clients operating on Solaris can hang performing an add operation.
APAR IR48029 (CMVC 70142, 70236)
    Modify ldif processing to allow sending and receiving a value identified as having zero length.

1b.iii) Platforms

Solaris Operating Environment(TM) Software Version 7 (Solaris 7) or later. Refer to the appropriate SecureWay Directory 3.2.2 Installation and Configuration Guide for additional patch requirements. See the SecureWay Directory 3.2.2 library at http://www-4.ibm.com/software/network/directory/library.

1b.iv) Dependencies

SecureWay Directory 3.2.2 or 3.2.2 efix1 must be installed.
DB2 Universal Database(TM) version 7.2 FixPack 5 or higher.

1b.v) Files replaced or added by this eFix

With $INSTALL_DIR1 representing the root of the LDAP client installation, the files replaced are:

    $INSTALL_DIR1/bin/ldamsg
    $INSTALL_DIR1/bin/ldapdelete
    $INSTALL_DIR1/bin/ldapdeleted
    $INSTALL_DIR1/bin/ldapmodify
    $INSTALL_DIR1/bin/ldapmodifyd
    $INSTALL_DIR1/bin/ldapmodrdn
    $INSTALL_DIR1/bin/ldapmodrdnd
    $INSTALL_DIR1/bin/ldapsearch
    $INSTALL_DIR1/bin/ldapsearchd
    $INSTALL_DIR1/include/ldapssl.h
    $INSTALL_DIR1/lib/libibmldap.so
    $INSTALL_DIR1/lib/libibmldapd.so
    $INSTALL_DIR1/lib/libldapstatic.a
    $INSTALL_DIR1/lib/libldapstaticd.a
    $INSTALL_DIR1/lib/libldif.a

With $INSTALL_DIR2 representing the root of the LDAP server installation, the files replaced are:

    $INSTALL_DIR2/bin/ldapcfg
    $INSTALL_DIR2/bin/slapd
    $INSTALL_DIR2/bin/slapdd
    $INSTALL_DIR2/bin/task_dbback
    $INSTALL_DIR2/config/LDAPCfg.jar
    $INSTALL_DIR2/lib/libadmin.so
    $INSTALL_DIR2/lib/libback-rdbm.so
    $INSTALL_DIR2/lib/libcl.so
    $INSTALL_DIR2/lib/libldacfg.so
    $INSTALL_DIR2/lib/libldapaudit.so
    $INSTALL_DIR2/lib/libslapi.so
    $INSTALL_DIR2/lib/libtransys.so
    $INSTALL_DIR2/lib/libutils.so
    $INSTALL_DIR2/lib/libutlsa.so
    $INSTALL_DIR2/sbin/bulkload
    $INSTALL_DIR2/sbin/db2ldif
    $INSTALL_DIR2/sbin/ldif
    $INSTALL_DIR2/sbin/ldif2db
    $INSTALL_DIR2/sbin/miglen
    $INSTALL_DIR2/sbin/runstats
    $INSTALL_DIR2/web/buildno.txt
    $INSTALL_DIR2/web/cgi-bin
    $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe
    $INSTALL_DIR2/web/cgi-bin/ldacgie.exe
    $INSTALL_DIR2/web/buildno.txt

The default for $INSTALL_DIR2 is /opt/IBMldaps. The default for $INSTALL_DIR1 is /opt/IBMldapc.

1b.vi) eFix contents

The archive for this eFix is named 3.2.2-SWD-002-SOL.tar.
The archive for this eFix includes:

    - This README file
    - The file $INSTALL_DIR1/bin/ldamsg
    - The file $INSTALL_DIR1/bin/ldapdelete
    - The file $INSTALL_DIR1/bin/ldapdeleted
    - The file $INSTALL_DIR1/bin/ldapmodify
    - The file $INSTALL_DIR1/bin/ldapmodifyd
    - The file $INSTALL_DIR1/bin/ldapmodrdn
    - The file $INSTALL_DIR1/bin/ldapmodrdnd
    - The file $INSTALL_DIR1/bin/ldapsearch
    - The file $INSTALL_DIR1/bin/ldapsearchd
    - The file $INSTALL_DIR1/include/ldapssl.h
    - The file $INSTALL_DIR1/lib/libibmldap.so
    - The file $INSTALL_DIR1/lib/libibmldapd.so
    - The file $INSTALL_DIR1/lib/libldapstatic.a
    - The file $INSTALL_DIR1/lib/libldapstaticd.a
    - The file $INSTALL_DIR1/lib/libldif.a
    - The file $INSTALL_DIR2/bin/ldapcfg
    - The file $INSTALL_DIR2/bin/slapd
    - The file $INSTALL_DIR2/bin/slapdd
    - The file $INSTALL_DIR2/bin/task_dbback
    - The file $INSTALL_DIR2/config/LDAPCfg.jar
    - The file $INSTALL_DIR2/lib/libadmin.so
    - The file $INSTALL_DIR2/lib/libback-rdbm.so
    - The file $INSTALL_DIR2/lib/libcl.so
    - The file $INSTALL_DIR2/lib/libldacfg.so
    - The file $INSTALL_DIR2/lib/libldapaudit.so
    - The file $INSTALL_DIR2/lib/libslapi.so
    - The file $INSTALL_DIR2/lib/libtransys.so
    - The file $INSTALL_DIR2/lib/libutils.so
    - The file $INSTALL_DIR2/lib/libutlsa.so
    - The file $INSTALL_DIR2/sbin/bulkload
    - The file $INSTALL_DIR2/sbin/db2ldif
    - The file $INSTALL_DIR2/sbin/ldif
    - The file $INSTALL_DIR2/sbin/ldif2db
    - The file $INSTALL_DIR2/sbin/miglen
    - The file $INSTALL_DIR2/sbin/runstats
    - The file $INSTALL_DIR2/web/buildno.txt
    - The file $INSTALL_DIR2/web/cgi-bin
    - The file $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe
    - The file $INSTALL_DIR2/web/cgi-bin/ldacgie.exe
    - The file $INSTALL_DIR2/web/buildno.txt

1b.vii) Applying the eFix

Your replication environment must be cleaned or resynched, or both. See section 5.2 of the IBM(R) SecureWay(R) Directory Version 3.2.2 Server Readme at:
http://www-4.ibm.com/software/network/directory/library/v322/server.htm

1. Extract the eFix contents into a temporary directory.
   For the purpose of this release note, assume that the symbol $TEMP points to the following directory:

   # cd $TEMP
   # tar -xvf 3.2.2-SWD-002-SOL.tar

2. For each of the master and slave server installations targeted to receive the eFix, make sure the servers are stopped prior to applying the eFix.

3. Replace the installed version of each file with the version included in the eFix. Move the currently installed file to a location outside of the LDAP installation filesystem or rename the currently installed file. Copy the extracted files to the correct locations in the install folder. The default for $INSTALL_DIR2 is /opt/IBMldaps and for $INSTALL_DIR1 is /opt/IBMldapc. The install version locations for each file are:

    $INSTALL_DIR1/bin/ldamsg
    $INSTALL_DIR1/bin/ldapdelete
    $INSTALL_DIR1/bin/ldapdeleted
    $INSTALL_DIR1/bin/ldapmodify
    $INSTALL_DIR1/bin/ldapmodifyd
    $INSTALL_DIR1/bin/ldapmodrdn
    $INSTALL_DIR1/bin/ldapmodrdnd
    $INSTALL_DIR1/bin/ldapsearch
    $INSTALL_DIR1/bin/ldapsearchd
    $INSTALL_DIR1/include/ldapssl.h
    $INSTALL_DIR1/lib/libibmldap.so
    $INSTALL_DIR1/lib/libibmldapd.so
    $INSTALL_DIR1/lib/libldapstatic.a
    $INSTALL_DIR1/lib/libldapstaticd.a
    $INSTALL_DIR1/lib/libldif.a
    $INSTALL_DIR2/bin/ldapcfg
    $INSTALL_DIR2/bin/slapd
    $INSTALL_DIR2/bin/slapdd
    $INSTALL_DIR2/bin/task_dbback
    $INSTALL_DIR2/config/LDAPCfg.jar
    $INSTALL_DIR2/lib/libadmin.so
    $INSTALL_DIR2/lib/libback-rdbm.so
    $INSTALL_DIR2/lib/libcl.so
    $INSTALL_DIR2/lib/libldacfg.so
    $INSTALL_DIR2/lib/libldapaudit.so
    $INSTALL_DIR2/lib/libslapi.so
    $INSTALL_DIR2/lib/libtransys.so
    $INSTALL_DIR2/lib/libutils.so
    $INSTALL_DIR2/lib/libutlsa.so
    $INSTALL_DIR2/sbin/bulkload
    $INSTALL_DIR2/sbin/db2ldif
    $INSTALL_DIR2/sbin/ldif
    $INSTALL_DIR2/sbin/ldif2db
    $INSTALL_DIR2/sbin/miglen
    $INSTALL_DIR2/sbin/runstats
    $INSTALL_DIR2/web/buildno.txt
    $INSTALL_DIR2/web/cgi-bin
    $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe
    $INSTALL_DIR2/web/cgi-bin/ldacgie.exe
    $INSTALL_DIR2/web/buildno.txt (For level tracking purposes)

   Again, the default for $INSTALL_DIR2 is /opt/IBMldaps and for $INSTALL_DIR1 is /opt/IBMldapc.

4. Assign the correct owner, group, and permissions to the replaced files. Assume $OWNER is the owner value in the installation files, and $GROUP is the group value. The value of $OWNER for the following files is root:

    $INSTALL_DIR2/web/cgi-bin/ldacgie.exe
    $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe

   The value of $OWNER for the remaining files is ldap. The value for $GROUP for all files is ldap.

   # chown $OWNER <file>
   # chgrp $GROUP <file>

   The permissions on the files must be set according to the following guide:

   # chmod <mode> <file>

    File                                      Mode
    $INSTALL_DIR1/bin/ldamsg                  755
    $INSTALL_DIR1/bin/ldapdelete              755
    $INSTALL_DIR1/bin/ldapdeleted             755
    $INSTALL_DIR1/bin/ldapmodify              755
    $INSTALL_DIR1/bin/ldapmodifyd             755
    $INSTALL_DIR1/bin/ldapmodrdn              755
    $INSTALL_DIR1/bin/ldapmodrdnd             755
    $INSTALL_DIR1/bin/ldapsearch              755
    $INSTALL_DIR1/bin/ldapsearchd             755
    $INSTALL_DIR2/bin/ldapcfg                 755
    $INSTALL_DIR2/bin/slapd                   755
    $INSTALL_DIR2/bin/slapdd                  755
    $INSTALL_DIR2/bin/task_dbback             750
    $INSTALL_DIR2/config/LDAPCfg.jar          644
    $INSTALL_DIR1/include/ldapssl.h           755
    $INSTALL_DIR1/lib/libibmldap.so           755
    $INSTALL_DIR1/lib/libibmldapd.so          755
    $INSTALL_DIR1/lib/libldapstatic.a         755
    $INSTALL_DIR1/lib/libldapstaticd.a        755
    $INSTALL_DIR1/lib/libldif.a               755
    $INSTALL_DIR2/lib/libadmin.so             644
    $INSTALL_DIR2/lib/libback-rdbm.so         755
    $INSTALL_DIR2/lib/libcl.so                755
    $INSTALL_DIR2/lib/libldacfg.so            644
    $INSTALL_DIR2/lib/libldapaudit.so         755
    $INSTALL_DIR2/lib/libslapi.so             755
    $INSTALL_DIR2/lib/libtransys.so           755
    $INSTALL_DIR2/lib/libutils.so             755
    $INSTALL_DIR2/lib/libutlsa.so             755
    $INSTALL_DIR2/sbin/bulkload               755
    $INSTALL_DIR2/sbin/db2ldif                755
    $INSTALL_DIR2/sbin/ldif                   755
    $INSTALL_DIR2/sbin/ldif2db                755
    $INSTALL_DIR2/sbin/miglen                 755
    $INSTALL_DIR2/sbin/runstats               755
    $INSTALL_DIR2/web/buildno.txt             644
    $INSTALL_DIR2/web/cgi-bin                 4755
    $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe    4755
    $INSTALL_DIR2/web/cgi-bin/ldacgie.exe     4755

   It is critical that the sticky bit for the replaced files in $INSTALL_DIR2/web/cgi-bin is set.
   So make sure the value used in the chmod command is 4755 (as stated).

5. Start each of the replica and master servers.

1b.viii) Confirming the eFix has been applied successfully

The eFix has been applied successfully if all files included in the eFix have replaced the pre-eFix files of the same names. If after applying the eFix, any facility making use of the SDK has degraded function as compared to its pre-fix operation, please notify SecureWay Directory support personnel.

Below is some relevant information on the replacement files:

    - Filesize for $INSTALL_DIR1/bin/ldamsg is 8388
    - Filesize for $INSTALL_DIR1/bin/ldapdelete is 21184
    - Filesize for $INSTALL_DIR1/bin/ldapdeleted is 21236
    - Filesize for $INSTALL_DIR1/bin/ldapmodify is 46108
    - Filesize for $INSTALL_DIR1/bin/ldapmodifyd is 46168
    - Filesize for $INSTALL_DIR1/bin/ldapmodrdn is 22108
    - Filesize for $INSTALL_DIR1/bin/ldapmodrdnd is 22168
    - Filesize for $INSTALL_DIR1/bin/ldapsearch is 42604
    - Filesize for $INSTALL_DIR1/bin/ldapsearchd is 42664
    - Filesize for $INSTALL_DIR1/include/ldapssl.h is 15677
    - Filesize for $INSTALL_DIR1/lib/libibmldap.so is 918884
    - Filesize for $INSTALL_DIR1/lib/libibmldapd.so is 919204
    - Filesize for $INSTALL_DIR1/lib/libldapstatic.a is 750312
    - Filesize for $INSTALL_DIR1/lib/libldapstaticd.a is 750636
    - Filesize for $INSTALL_DIR1/lib/libldif.a is 17684
    - Filesize for $INSTALL_DIR2/bin/ldapcfg is 12042
    - Filesize for $INSTALL_DIR2/bin/slapd is 1053532
    - Filesize for $INSTALL_DIR2/bin/slapdd is 1053532
    - Filesize for $INSTALL_DIR2/bin/task_dbback is 488960
    - Filesize for $INSTALL_DIR2/config/LDAPCfg.jar is 524826
    - Filesize for $INSTALL_DIR2/lib/libadmin.so is 204364
    - Filesize for $INSTALL_DIR2/lib/libback-rdbm.so is 1085536
    - Filesize for $INSTALL_DIR2/lib/libcl.so is 34608
    - Filesize for $INSTALL_DIR2/lib/libldacfg.so is 32908
    - Filesize for $INSTALL_DIR2/lib/libldapaudit.so is 45268
    - Filesize for $INSTALL_DIR2/lib/libslapi.so is 121156
    - Filesize for $INSTALL_DIR2/lib/libtransys.so is 111752
    - Filesize for $INSTALL_DIR2/lib/libutils.so is 5552420
    - Filesize for $INSTALL_DIR2/lib/libutlsa.so is 66276
    - Filesize for $INSTALL_DIR2/sbin/bulkload is 863212
    - Filesize for $INSTALL_DIR2/sbin/db2ldif is 728932
    - Filesize for $INSTALL_DIR2/sbin/ldif is 18028
    - Filesize for $INSTALL_DIR2/sbin/ldif2db is 733988
    - Filesize for $INSTALL_DIR2/sbin/miglen is 741692
    - Filesize for $INSTALL_DIR2/sbin/runstats is 711672
    - Filesize for $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe is 1997072
    - Filesize for $INSTALL_DIR2/web/cgi-bin/ldacgie.exe is 6353632

    - sum -r $INSTALL_DIR1/bin/ldamsg results are: 15411 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapdelete results are: 33254 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapdeleted results are: 02973 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapmodify results are: 53531 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapmodifyd results are: 37169 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapmodrdn results are: 27350 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapmodrdnd results are: 59513 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapsearch results are: 63570 xxxx
    - sum -r $INSTALL_DIR1/bin/ldapsearchd results are: 53653 xxxx
    - sum -r $INSTALL_DIR1/include/ldapssl.h results are: 17457 xxxx
    - sum -r $INSTALL_DIR1/lib/libibmldap.so results are: 44122 xxxx
    - sum -r $INSTALL_DIR1/lib/libibmldapd.so results are: 24486 xxxx
    - sum -r $INSTALL_DIR1/lib/libldapstatic.a results are: 64763 xxxx
    - sum -r $INSTALL_DIR1/lib/libldapstaticd.a results are: 46081 xxxx
    - sum -r $INSTALL_DIR1/lib/libldif.a results are: 45253 xxxx
    - sum -r $INSTALL_DIR2/bin/ldapcfg results are: 01509 xxxx
    - sum -r $INSTALL_DIR2/bin/slapd results are: 02293 xxxx
    - sum -r $INSTALL_DIR2/bin/slapdd results are: 38887 xxxx
    - sum -r $INSTALL_DIR2/bin/task_dbback results are: 07714 xxxx
    - sum -r $INSTALL_DIR2/config/LDAPCfg.jar results are: 28948 xxxx
    - sum -r $INSTALL_DIR2/lib/libadmin.so results are: 22851 xxxx
    - sum -r $INSTALL_DIR2/lib/libback-rdbm.so results are: 49830 xxxx
    - sum -r $INSTALL_DIR2/lib/libcl.so results are: 53854 xxxx
    - sum -r $INSTALL_DIR2/lib/libldacfg.so results are: 37903 xxxx
    - sum -r $INSTALL_DIR2/lib/libldapaudit.so results are: 26415 xxxx
    - sum -r $INSTALL_DIR2/lib/libslapi.so results are: 41247 xxxx
    - sum -r $INSTALL_DIR2/lib/libtransys.so results are: 29773 xxxx
    - sum -r $INSTALL_DIR2/lib/libutils.so results are: 62206 xxxx
    - sum -r $INSTALL_DIR2/lib/libutlsa.so results are: 24768 xxxx
    - sum -r $INSTALL_DIR2/sbin/bulkload results are: 34963 xxxx
    - sum -r $INSTALL_DIR2/sbin/db2ldif results are: 53314 xxxx
    - sum -r $INSTALL_DIR2/sbin/ldif results are: 39690 xxxx
    - sum -r $INSTALL_DIR2/sbin/ldif2db results are: 29260 xxxx
    - sum -r $INSTALL_DIR2/sbin/miglen results are: 46376 xxxx
    - sum -r $INSTALL_DIR2/sbin/runstats results are: 64018 xxxx
    - sum -r $INSTALL_DIR2/web/cgi-bin/ldacgi3e.exe results are: 10223 xxxx
    - sum -r $INSTALL_DIR2/web/cgi-bin/ldacgie.exe results are: 20014 xxxx

Each xxxx represents the number of blocks used by the file. This number is filesystem format dependent.

The contents of the web/buildno.txt file are:

    SecureWay Directory Release: aus322ldap Build: 020425a (SWD 322 e-fix2)

1b.ix) Additional usage notes

Remove LDAP_DESC_DEID index for improved performance

In the 3.2.2 and 3.2.2 efix1 releases, if you loaded your data into a new database using bulkload or db2ldif commands, an index (LDAP_DESC_DEID) is created. Dropping the LDAP_DESC_DEID index in many cases improves performance, especially search operations performance. Starting in the 3.2.2 eFix2, this index is not created by default and it is recommended that it be removed to improve performance.

To drop the LDAP_DESC_DEID index, do the following:

1. Stop slapd.
2. db2 connect to ldapb2.
3. Run the following command:

   db2 DROP INDEX LDAPDB2.LDAP_DESC_DEID

4. Stop and restart DB2.
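
The confirmation in section 1b.viii and the owner and mode settings from step 4 of 1b.vii can be checked together with a script; the following POSIX shell sketch is an added example, not part of the IBM README. The function names, the manifest layout and the choice of six files are assumptions of this example; the sizes, checksums, modes and owners are the README's own values.

```shell
#!/bin/sh
# Added example: verify eFix files against the README's size, `sum -r`,
# mode and owner values. Function names and manifest layout are hypothetical.

# check_file PATH SIZE SUM MODE OWNER:GROUP   ("-" as OWNER:GROUP skips that check)
# Prints one line per mismatch; returns non-zero if any check fails.
check_file() {
    f=$1 want_size=$2 want_sum=$3 want_mode=$4 want_own=$5 rc=0
    if [ ! -e "$f" ]; then echo "MISSING $f"; return 1; fi
    size=$(wc -c < "$f" | awk '{print $1 + 0}')
    [ "$size" -eq "$want_size" ] || { echo "SIZE $f: $size != $want_size"; rc=1; }
    # First field of `sum -r` is the checksum; the block count (xxxx) is
    # filesystem dependent and ignored. "+ 0" drops leading zeros.
    got=$(sum -r < "$f" | awk '{print $1 + 0}')
    want=$(echo "$want_sum" | awk '{print $1 + 0}')
    [ "$got" -eq "$want" ] || { echo "SUM $f: $got != $want"; rc=1; }
    # find -perm with a plain octal mode matches the exact mode only,
    # including the leading 4 of 4755.
    [ -n "$(find "$f" -prune -perm "$want_mode" -print)" ] ||
        { echo "MODE $f: not $want_mode"; rc=1; }
    if [ "$want_own" != "-" ]; then
        own=$(ls -ld "$f" | awk '{print $3 ":" $4}')
        [ "$own" = "$want_own" ] || { echo "OWNER $f: $own != $want_own"; rc=1; }
    fi
    return $rc
}

# check_manifest DIR1 DIR2: reads "root relpath size sum mode owner:group"
# lines on stdin, where root 1 = $INSTALL_DIR1 and root 2 = $INSTALL_DIR2.
check_manifest() {
    dir1=$1 dir2=$2 bad=0
    while read -r root rel size_ sum_ mode_ own_; do
        case $root in
            1) base=$dir1 ;;
            2) base=$dir2 ;;
            *) continue ;;          # blank lines and comments
        esac
        check_file "$base/$rel" "$size_" "$sum_" "$mode_" "$own_" || bad=$((bad + 1))
    done
    echo "$bad file(s) failed verification"
    [ "$bad" -eq 0 ]
}

# Excerpt of the README's values for 3.2.2-SWD-002.
efix_manifest() {
    cat <<'EOF'
1 bin/ldapsearch 42604 63570 755 ldap:ldap
2 bin/slapd 1053532 02293 755 ldap:ldap
2 bin/task_dbback 488960 07714 750 ldap:ldap
2 lib/libadmin.so 204364 22851 644 ldap:ldap
2 web/cgi-bin/ldacgi3e.exe 1997072 10223 4755 root:ldap
2 web/cgi-bin/ldacgie.exe 6353632 20014 4755 root:ldap
EOF
}

# Run as: sh verify_efix.sh /opt/IBMldapc /opt/IBMldaps
if [ "$#" -ge 2 ]; then efix_manifest | check_manifest "$1" "$2"; fi
```

The leading 4 in mode 4755 is the set-user-ID bit, so a passing check on the two CGI executables confirms they are setuid and owned by root. `sum -r` is a 16-bit checksum that catches a missed or truncated copy but gives no protection against deliberate tampering.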