The following limitations are inherent to the design, not bugs to be fixed.
When you configure account lockout as part of password policy, DS servers lock an account after the specified number of consecutive authentication failures. Account lockout is not transactional across all replicas in a deployment. Global account lockout occurs as soon as the authentication failure times have been replicated.
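One way to see the effect in practice is to compare consecutive bind failures per account across the whole deployment with what any single replica observed locally. This is an added example, not part of the DS documentation or product; the threshold, the replica names `ds1` and `ds2`, the DNs and the record tuple are constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 3              # assumed lockout failure count from the password policy
INVALID_CREDENTIALS = 49   # LDAP result code for a failed bind
SUCCESS = 0

# Constructed bind records: (epoch seconds, replica, bind DN, result code).
# This is a simplified tuple, not the DS access log format.
EVENTS = [
    (100, "ds1", "uid=bjensen,ou=People,dc=example,dc=com", 49),
    (101, "ds2", "uid=bjensen,ou=People,dc=example,dc=com", 49),
    (102, "ds1", "uid=bjensen,ou=People,dc=example,dc=com", 49),
    (103, "ds2", "uid=bjensen,ou=People,dc=example,dc=com", 49),
    (100, "ds1", "uid=kvaughan,ou=People,dc=example,dc=com", 49),
    (105, "ds1", "uid=kvaughan,ou=People,dc=example,dc=com", 0),
    (110, "ds2", "uid=kvaughan,ou=People,dc=example,dc=com", 49),
    (200, "ds1", "uid=scarter,ou=People,dc=example,dc=com", 49),
    (201, "ds1", "uid=scarter,ou=People,dc=example,dc=com", 49),
    (202, "ds1", "uid=scarter,ou=People,dc=example,dc=com", 49),
]

def failure_runs(events, threshold=THRESHOLD):
    """Report accounts whose consecutive failed binds reach the threshold
    deployment-wide, with the longest run any single replica saw locally."""
    run_all = defaultdict(int)   # dn -> current run across all replicas
    run_one = defaultdict(int)   # (replica, dn) -> current run on one replica
    max_all = defaultdict(int)
    max_one = defaultdict(int)
    for _ts, replica, dn, code in sorted(events):
        if code == INVALID_CREDENTIALS:
            run_all[dn] += 1
            run_one[(replica, dn)] += 1
            max_all[dn] = max(max_all[dn], run_all[dn])
            max_one[dn] = max(max_one[dn], run_one[(replica, dn)])
        elif code == SUCCESS:
            # A successful bind ends the run; locally only on that replica.
            run_all[dn] = 0
            run_one[(replica, dn)] = 0
    return {
        dn: {"deployment": max_all[dn], "single_replica": max_one[dn],
             "depended_on_replication": max_one[dn] < threshold}
        for dn in max_all if max_all[dn] >= threshold
    }

if __name__ == "__main__":
    for dn, info in failure_runs(EVENTS).items():
        print(dn, info)
```

Accounts reported with `depended_on_replication` set are those where no single replica counted enough failures by itself, so lockout only took effect once the failure times were replicated.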
DS servers provide full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.
When the global server property invalid-attribute-syntax-behavior is set to warn, a search on group membership using a value with invalid syntax returns nothing.
Directory servers store passwords prefixed with the storage scheme in braces, as in
To prevent users from effectively attempting to choose their own password storage scheme, directory servers do not support passwords that strictly match this format.
Specifically, directory servers do not support passwords that match
Requests to update userPassword values with such passwords fail with result code 19 (Constraint Violation), and an additional message that passwords may not be provided in pre-encoded form.
The Password Policy control (OID: 1.3.6.1.4.1.42.2.27.8.5.1) is supported for add, bind, and modify operations.
It is not supported for compare, delete, search, and modify DN operations.
Configuring a server with both local backends and proxy backends is not supported.
Access control models for directory servers and proxy servers do not function at the same time in the same server.
The policy-based access control handler used in proxy servers:
Does not support the Get Effective Rights control.
Does not check the modify-acl privilege when global access control policies are changed. The config-write privilege is sufficient to change global access control policies.
Does not send alert notifications when global access control policies change.
When using ACIs or collective attributes with the proxy server data distribution feature, the ACI and entries having collective attribute values must be located at or above the partition-base-dn. When changing this data, make the change behind the proxy to one directory server replica in each shard. Your changes are not replicated outside the shard.
The proxy server data distribution feature does not currently support the following:
Importing distributed data with the
Changes to the number of partitions after data has been deployed.
Modify DN operations to distributed entries.
Updates to entries at or above the
Virtual static groups.
Data distribution does not support these virtual attributes:
The isMemberOf virtual attribute works as expected as long as you replicate the group entries on every shard.
Data distribution does not support these LDAP controls:
Server-Side Sort controls:
Simple Paged Results control:
Virtual List View controls:
The dsrepl status command cannot read status information from DS 6.5 and earlier servers.
During upgrade, use the dsreplication status command for 6.5 and earlier servers, and the dsrepl status command for 7.0 and later servers.
REST to LDAP does not support modify RDN operations.
REST to LDAP query filters do not work with properties of subtypes.
For example, the default example configuration describes a user type, and a POSIX user type. If your query filter is based on a POSIX user type property that is not a property of the user type, such as gidNumber, the filter always evaluates to false, and the query returns nothing.
When applying a Common REST patch operation to a Json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.
As a workaround, perform an update of the entire object, changing only the desired fields in your copy.
Due to a Java issue on Windows systems (JDK-8057894), when configuring DS servers with data confidentiality enabled, you might see an error message containing the following text:
Unexpected CryptoAPI failure generating seed
If this happens, try running the command again.