Notes covering OpenDJ hardware and software requirements, fixes, known issues.

About OpenDJ


In October 2013 OpenDJ 2.5.0-Xpress1 reached End of Service Life (EOSL).

ForgeRock customers must upgrade OpenDJ in order to receive continued support.

OpenDJ is an LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.

You can download OpenDJ software from the OpenDJ download page. OpenDJ is free to download, evaluate, and use. You can even check out and modify the source code to build your own version if you prefer.

These release notes are written for everyone working with the OpenDJ 2.5.0-Xpress1 release. Read these notes before you install or upgrade OpenDJ software. These notes cover hardware and software prerequisites for installing OpenDJ software. These notes list key features added and changed in this release. They also cover compatibility with previous releases and alert you to potential changes coming up that could affect your scripts and applications. Finally, these notes list both issues fixed since the previous release and known issues open at the time of release.


Upgrade from earlier versions is not supported for the OpenDJ 2.5.0-Xpress1 release.

The change to Berkeley JE 5 from Berkeley JE 4 requires changes to JE backends prior to upgrade, and this release does not include a mechanism for making such changes.

Chapter 1. What's New in OpenDJ 2.5.0-Xpress1


OpenDJ 2.5.0-Xpress1 is a milestone release from the main development branch of the product. The Xpress release contains selected key features and all current fixed issues. An Xpress release undergoes important functional testing but not the complete testing cycle that is done for a full Enterprise release.

Xpress releases are supported through ForgeRock subscriptions. Enterprise versions have long term support.

The goal of an Xpress release is to enable you to start build phases earlier, with the most recent features, instead of having to wait for the Enterprise release date. Fixes to issues that are discovered in an Xpress release are delivered as patches to ForgeRock customers, and are guaranteed to be delivered in the Enterprise release that follows. Xpress releases are supported for a grace period after the Enterprise version has been released.

ForgeRock has only published release notes for OpenDJ 2.5.0-Xpress1. ForgeRock has published complete documentation for the 2.6 release at

OpenDJ 2.5.0-Xpress1 brings you the latest features such as:

  • Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)

  • Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted

  • Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats

  • Optimistic concurrency control through ETag attributes

  • Synchronization of Samba and OpenDJ passwords

Compared to the OpenDJ 2.4.5 release, OpenDJ 2.5.0-Xpress1 fixes a number of issues. OpenDJ 2.5.0-Xpress1 provides the following new features.

  • Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508).

  • OpenDJ now includes attribute syntax validation for X.509 certificate values (OPENDJ-482).

  • Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469).

  • The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446).

  • OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441).

  • OpenDJ now logs only fatal errors, severe errors, warnings, and notices at startup time (OPENDJ-438).

  • OpenDJ now lets you setup the server in command-line mode without creating a default backend (OPENDJ-435).

  • OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418).

  • OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409).

  • OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406).

  • OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393).

  • OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).

  • OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).

  • OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372).

  • OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371).

  • More OpenDJ tools now prompt for a bind password when none is provided (OPENDJ-358).

  • OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352).

  • OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308).

  • The OpenDJ dictionary password validator can now check whether a password value contains dictionary words as substrings (OPENDJ-295).

  • OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).

  • OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).

  • OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.

    For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.

    • Both the OpenDJ entry and the remote entry have the same DN.

    • The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.

    • The OpenDJ entry and the remote entry share an attribute that has exactly the same value.

    If user entries do not match originally, you can no doubt add an attribute to users' OpenDJ entries when configuring them to use pass through authentication.

    To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details.

  • OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).

  • Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250).

  • OpenDJ now calls Account Status Notification Handlers when an account in enabled or disabled by the manage-account (OPENDJ-248).

  • OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).

  • OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.

  • OpenDJ now supports checking that entries of new group members exist (OPENDJ-221).

  • OpenDJ now better supports more, and larger static groups (OPENDJ-197).

  • Change log content and configuration has been improved in this release (OPENDJ-194).

  • Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).

  • The character set password validator now supports optional character sets (OPENDJ-168).

  • Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).

  • OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).

  • OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).

Chapter 2. Before You Install OpenDJ Software

This chapter covers requirements to consider before you run OpenDJ, especially before you run OpenDJ in your production environment.

If you have a special request to support a combination not listed here, contact ForgeRock at

2.1. Java Environment

OpenDJ software consists of pure Java applications. OpenDJ servers and clients therefore should run on any system with full Java support. OpenDJ is tested on a variety of operating systems, including Solaris SPARC and x86, various Linux distributions, Microsoft Windows, and Apple Mac OS X.

OpenDJ software requires Java 6, specifically at least the Java Standard Edition 6.0 (Sun version 1.6.0_10) runtime environment. ForgeRock recommends that you use at least version 1.6.0_27 due to security fixes.

To build applications with the OpenDJ LDAP SDK, you need the corresponding Java SDK.

2.2. Maximum Open Files

OpenDJ needs to be able to open many files, especially when handling many client connections. Linux systems in particular often set a limit of 1024 per user, which is too low for OpenDJ.

When setting up OpenDJ for production use, make sure OpenDJ can use at least use at least 64K (65536) file descriptors. For example when running OpenDJ as user opendj on a Linux system that uses /etc/security/limits.conf to set user level limits, you can set soft and hard limits by adding these lines to the file.

opendj soft nofile 65536
opendj hard nofile 131072

The example above assumes the system has enough file descriptors available overall. You can check the Linux system overall maximum as follows.

$ cat /proc/sys/fs/file-max

2.3. Operating System

OpenDJ software depends on the Java environment more than it depends on the underlying operating system. That said, OpenDJ 2.5.0-Xpress1 has been validated on the following operating systems.

  • Apple Mac OS X 10.7

  • Linux 2.6 and later

  • Microsoft Windows Server 2008

  • Oracle Solaris 10

2.4. Application Servers

OpenDJ directory server runs as a standalone Java service, and does not depend on an application server.

OpenDJ 2.5.0-Xpress1 DSML gateway has been validated on Apache Tomcat 6.

2.5. FQDNs For Replication

OpenDJ replication requires that you use fully qualified domain names, such as

Although you can use host names like my-laptop.local for evaluation, in production and even in your lab, you must either ensure DNS is set up correctly to provide fully qualified domain names, or set up /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) to provide fully qualified domain names.

2.6. Hardware

Thanks to the underlying Java platform, OpenDJ software runs well on a variety of processor architectures. Many directory service deployments meet their service-level agreements without the very latest or very fastest hardware.

For a server evaluation installation, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available to OpenDJ, with 100 MB free disk space for the software and a small set of sample data. For installation in production, read the rest of this section. You need at least 2 GB memory for OpenDJ and 4 times the disk space needed to house initial production data in LDIF format.[1] To get a more accurate estimate of the disk space needed, import a known fraction of the initial LDIF with OpenDJ configured as for production, run tests based on the estimated rates of change and growth in directory data, and then use the actual space used in the test environment to estimate how much disk space you need in production.

OpenDJ directory servers almost always benefit from having enough system memory to cache all directory database files used. The reason is that reading from and writing to memory is typically much faster than reading from and writing to disk storage. For small data sets, you might not need extra memory. For large directories with millions of user directory entries, the system might not have enough slots to house sufficient memory to cache everything. To improve performance in such cases, one approach is to add solid state drives as an intermediate cache between memory and disk storage.

Processor architectures that provide fast single thread execution tend to help OpenDJ software deliver the lowest response times. For top end performance in terms both of sub-millisecond response times and also of throughput ranging from tens of thousands to hundreds of thousands of operations per second, the latest x86 architecture chips tend to perform better than others tested. Chip multi-threading (CMT) processors can do very well on directory servers providing pure search throughput, even though response times can be higher. Yet, CMT processors can be slow to absorb hundreds or thousands of write operations per second. Their slower threads get blocked waiting on resources, and thus are not optimal for topologies with high write throughput requirements.

On systems with fast processors and enough memory to cache directory data completely, the network can become a bottleneck. Even if a single 1 Gbit Ethernet interface offers plenty of bandwidth to handle your average traffic load, it can be too small for peak traffic loads. Furthermore, you might choose to use separate interfaces for administrative traffic and application traffic. To estimate what network hardware you need, calculate the size of the data you return to applications during peak load. For example, if you expect to have a peak load of 100,000 searches per second, each returning a full 8 KB entry, you need a network that can handle 800 MB/sec (3.2 Gbit/sec) throughput, not counting any other operations such as writes that result in replication traffic.

The storage hardware you choose must allow you to house not only directory data including historical data for replication, but also logs. If you choose to retain access logs for auditing purposes on a heavily used directory, dedicate storage for the log archives as well. Furthermore, your storage must also keep pace with the write throughput. Write throughput can arise from modify, modify DN, add, and delete operations, but it can also result from bind operations. Such is the case when the last successful bind is recorded, and when account lockout is configured, for example. In a replicated topology, not only does a directory service write entries to disk when they are changed, but a directory service also writes changelog data and historical information in order to resolve potential replication conflicts. You base your network throughput needs on peak loads. Also base your storage throughput needs on peak loads.


OpenDJ servers do not currently support network file systems such as NFS for database storage. Provide sufficient disk space on local storage such as internal disk or an attached disk array.

[1] OpenDJ stores data in Berkeley DB Java Edition, which is implemented as a rolling log. Berkeley DB appends updates to the end of the last log file, and marks old pages as deleted. Berkeley DB cleaner threads monitor the log file occupancy ratio, moving the data to get rid of old log files. Yet, with the default occupancy ratio of 50%, log files are cleaned only when they have less than 50% valid pages. As a result, the database can reach twice its initial size in the worst case.

Furthermore, when you import data from LDIF, OpenDJ stores not only the data, but also builds indexes for many of the attributes, resulting in some growth. Replication historical data and other operational attributes can also take up space.

Finally, it makes sense to leave space for growth in the database size as you modify and add entries over time.

Chapter 3. Compatibility

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

3.1. Major Changes to Existing Functionality

OpenDJ 2.5.0-Xpress1 improves on earlier releases introducing many new features and important fixes without major, backwards-incompatible changes. Take the following into account, however.

  • Upgrade from earlier versions is not supported for the OpenDJ 2.5.0-Xpress1 release.

  • The default DB cache size is now 50%, rather than 10%.

    If you have multiple backends, configure cache sizes accordingly.

  • The number of LDAP request handlers now defaults to half the CPU count.

  • The replication purge delay default has increased from one day to three days.

  • Syntax checking has been added for certificate and country attribute values. This affects applications updating those attribute values. Applications updating country attribute values must now use Country String syntax for example, which uses two-character codes from ISO 3166 such as US instead of full names such as United States.

3.2. Deprecated Functionality

OpenDJ 2.5.0-Xpress1 makes use of new environment variables aligned with the project name to use OPENDJ. Use of the old variables is deprecated. The old variables are likely to be removed in a future release.

3.3. Removed Functionality

No functionality has been removed in OpenDJ 2.5.0-Xpress1.

No functionality is planned to be removed at this time.

Chapter 4. OpenDJ Fixes, Limitations, and Known Issues


The current list of fixes and issues reflects OpenDJ 2.5.0-Xpress1 in progress as of July 23, 2012.

OpenDJ issues are tracked at

4.1. Fixes Since Last Release

The following bugs were fixed in this release.

  • OPENDJ-538: NPE during initialization of quick upgrade

  • OPENDJ-537: Broken link from Control Panel to Admin Guide

  • OPENDJ-528: rebuild-index doesn't rebuild properly DN2ID after an upgrade from OpenDS 2.2.

  • OPENDJ-524: CME in LDAPClientConnection when writing many large responses concurrently to the same connection

  • OPENDJ-520: Worker threads are too greedy when caching memory used for encoding/decoding entries and protocol messages

  • OPENDJ-519: Exception raised when bind fails and debug logging is enabled

  • OPENDJ-507: Index may go untrusted without a message in the errors log.

  • OPENDJ-506: NoSuchElementException thrown during replication in java.util.TreeMap.key(

  • OPENDJ-504: Performing Query on telephoneNumber attribute thats not a number returns all entries

  • OPENDJ-500: Upgrade trunk (2.5.0) to JE 5.0.48

  • OPENDJ-494: dsreplication initialize reports negative percentage of completion

  • OPENDJ-488: Cancel request succeeds with result code 118 (CANCELED) when it should receive result code 0 (SUCCESS)

  • OPENDJ-487: Normal acis under cn=config are not loaded at startup

  • OPENDJ-477: Adding an entry with binary options fails during reading ldif file

  • OPENDJ-476: Manage Account fails with NPE if target DN does not exist

  • OPENDJ-475: Incorrect behaviour/result code regarding non-critical controls

  • OPENDJ-472: Offline import LDIF reject entries, doesn't report the correct count of them, and store them in both rejected and skipped files.

  • OPENDJ-471: FIFOEntryCache may leave stalled data when low in memory.

  • OPENDJ-470: AttributeBuilder's SmallSet doesn't implement the Contains method of a Set

  • OPENDJ-465: WhoAmI Extended operation code duplicates supported controls

  • OPENDJ-462: Spinning threads in JE backend importer

  • OPENDJ-459: User's privileges not working with SASL EXTERNAL auth

  • OPENDJ-456: OpenDJ schema replication fails for 3rd server of topology

  • OPENDJ-447: OpenDJ Quicksetup: Problems when hostname cannot be resolved

  • OPENDJ-439: export-ldif on jeb produces duplicate entries

  • OPENDJ-436: Inconsistency between hostname specified in setup and DIGEST-MD5 fqdn of server.

  • OPENDJ-433: Every other permissions-subjects pair in ACI is ignored

  • OPENDJ-432: LDAPURL doesn't always url-decode baseDN

  • OPENDJ-423: Single AND component filter causes an uncatch exception in ECL (

  • OPENDJ-420: Rare SSLExceptions while handling LDAPS connections and big LDAP searches

  • OPENDJ-414: Avoid displaying debug messages to stdout when running various tools

  • OPENDJ-413: verify-index with "-c" option doesn't work for certain indexes

  • OPENDJ-410: Frequent corruption in ds-sync-hist ordering index.

  • OPENDJ-401: Replication fails with Java 7.

  • OPENDJ-400: ControlPanel issue with values containing \n (such as sunxmlkeyvalue)

  • OPENDJ-398: Misleading replication messages: "Replication server XXXX was attempting to connect to replication server YYYY but has disconnected in handshake phase"

  • OPENDJ-396: Remove support for ServiceTag.

  • OPENDJ-387: dsreplication initialize-all reports negative percentage of completion

  • OPENDJ-384: Substring search on entryUUID fails with a NullPointerException

  • OPENDJ-380: index-entry-limit=0 not working as expected

  • OPENDJ-379: Improve help for the db-evictor-nodes-per-scan parameter.

  • OPENDJ-378: Remove activation.jar as it's bundled with Java 6

  • OPENDJ-377: Kerberos authentication with AD KDC fails with LoginException(Client not found in Kerberos database (6))

  • OPENDJ-363: Make it more obvious in the setup tool that the fully-qualified hostname is critical for all secured connections

  • OPENDJ-361: AttributeBuilderTest unit test fails on OpenJDK

  • OPENDJ-359: Fix typo in account status notification property name "time-unti-expiration"

  • OPENDJ-356: Task email shows as from opends-task-notification

  • OPENDJ-349: manage-account returns Seconds Until Idle Account Lockout: 0 (zero) if the last log on date is more than 24 days before the idle lock out interval.

  • OPENDJ-339: Don't register alert handler in unique attribute plugin until we are sure that the configuration is valid

  • OPENDJ-338: Referential integrity plugin updates internal state when validating configuration

  • OPENDJ-337: dsconfig allows users to create hidden components such as network group plugin

  • OPENDJ-333: Missing entryUUID attributes in "cn=admin data" backend prevent updates from being replicated.

  • OPENDJ-327: NPE in access log on clicking "Do not Accept" certificate in Control Panel

  • OPENDJ-322: Binary encoding option causing problems in replace operations

  • OPENDJ-311: setup --cli throws IllegalStateException in getConnectTimeout

  • OPENDJ-310: Replicated changes to referral entries are not applied on replicas

  • OPENDJ-306: Misleading access log error message when client resets the connection.

  • OPENDJ-304: The result code 53 (unwillingToPerform) should only be used for service errors

  • OPENDJ-298: Review screen content is wrong when using QuickSetup

  • OPENDJ-293: InternalClientConnection memory leak when performing password modify/state extended operations or SASL binds

  • OPENDJ-292: LDAP PTA NPE when base-dn or bind-dn not exist on secondary server

  • OPENDJ-290: LDAP PTA valid auth attempt rejected if AD reset connection

  • OPENDJ-288: Use INVALID_CREDENTIALS result code when disconnecting users because their entry has been deleted

  • OPENDJ-285: Unable to modify users entry after LDAP PTA Policy applied

  • OPENDJ-282: dsreplication enable fails with duplicate server ID, while it's about the same server being referenced.

  • OPENDJ-278: ldapSubentry entries should have an implicit scope of { base="" } when no subtree specification is specified

  • OPENDJ-277: Initialize GSSAPI extension after back ends and connectors

  • OPENDJ-274: Replication mishandles a Modify operation with multiple modifications on the same attribute.

  • OPENDJ-266: Extra white space in some of the schema files shipped with OpenDJ 2.4

  • OPENDJ-256: Fix regular unit test failures on 2.4 branch and trunk

  • OPENDJ-255: Incorrect dsconfig usage for setting multiple property values at once

  • OPENDJ-254: The show-all-attributes flag breaks schema modification, when enabled.

  • OPENDJ-252: ControlPanel fails with a Null Pointer Exception with Oracle JDK7.

  • OPENDJ-249: dsreplication disable --disableAll error removing contents of "cn=admin data"

  • OPENDJ-247: Rename max-entries property in JE backend to something more clearly related to index analysis

  • OPENDJ-242: Password Policy State Extended Operation anomalities...

  • OPENDJ-241: Unexpected authorization failure when using the assertion control with internal root connections

  • OPENDJ-237: Password modification by deleting the value and adding a new one fails with unwilling to perform (would result in multiple password in the entry)

  • OPENDJ-236: Support dn: and u: authid notation in SambaPasswordPlugin

  • OPENDJ-224: Replication fails when replication server is configured for a network interface which is not an alias of localhost/

  • OPENDJ-223: Modify operation isn't replayed on replica exactly as on original server.

  • OPENDJ-219: Replication server and draft changelog DB code may attempt to reference closed DB

  • OPENDJ-211: missing ";" in cookie exchange control causes StringIndexOutOfBoundsException

  • OPENDJ-209: dsframework cannot connect

  • OPENDJ-190: Look for, etc. in ~/.opendj rather than ~/.opends

  • OPENDJ-188: Change of ~/.opends to ~/.opendj directory for should be documented

  • OPENDJ-184: Transient errors when accessing cn=changelog DraftCN DB result in complete shutdown of the replication service.

  • OPENDJ-181: DirectoryException provided value has an invalid length for a UUID

  • OPENDJ-173: External ChangeLog cookies content is altered by Change purging and prevents from continuing search with a previous returned cookie.

  • OPENDJ-172: External ChangeLog Cookie varies when searching with an empty cookie. Cookie should be reproducible.

  • OPENDJ-171: OpenDJ does not support a NULL ChangeLog Cookie value

  • OPENDJ-170: External ChangeLog returns the Cookie Control even when not requested

  • OPENDJ-161: Windows services still refers to the OpenDJ server as opends.

  • OPENDJ-150: ChangeLogEntry schema is not compliant with internet-draft

  • OPENDJ-146: java.lang.OutOfMemoryError: Java heap space

  • OPENDJ-142: Message.raw() with treats first arg as format string even when there are no format arguments

  • OPENDJ-136: On Windows, upgrade fails with NPE during Verify phase

  • OPENDJ-135: upgrade -r fails on Windows

  • OPENDJ-134: upgrade fails when server registered as Windows service

  • OPENDJ-132: upgrade utility does not accept relative path

  • OPENDJ-130: External change log, used in compliance with Internet-draft, shows a divergence between replicas under load.

  • OPENDJ-126: Bad syntax for lastChangeNumber, firstChangeNumber, and lastExternalChangelogCookie

  • OPENDJ-121: Replication failure on startup due to generation ID of -1

  • OPENDJ-117: Replicated server slow to shutdown and ugly exceptions

  • OPENDJ-115: Make replication connection timeouts and various monitoring intervals configurable

  • OPENDJ-113: Permissive Modify Control fails when deleting non existing attribute

  • OPENDJ-112: The changelog virtual attribute appears in all entries, should only apply to the rootDSE

  • OPENDJ-111: Bugs in ECL changelog creation of changeInitiatorsName attribute

  • OPENDJ-107: Potential for leaking DB cursors in replication databases.

  • OPENDJ-106: QuickStart Welcome Panel calls for Java 5, although OpenDJ now requires Java 6

  • OPENDJ-105: Replication protocol error. Bad message type. org.opends.server.replication.protocol.StopMsg received, ReplServerStartMsg required

  • OPENDJ-103: Replication in 2.4 head and trunk are no longer compatible with 2.4.0 and 2.4.1

  • OPENDJ-101: NPE when processing UniqueAttributePlugin/AuthenticatedUsers ChangeListener post-sync for moddn operations with conflicts

  • OPENDJ-100: ControlPanel display schema elements as Custom schema when using remote connection a server (and standard for local)

  • OPENDJ-99: NoSuchElementExceptions while replaying replicated operations.

  • OPENDJ-98: Searches on cn=monitor take a long time

  • OPENDJ-97: Very many minor problems with the error logging for replication

  • OPENDJ-96: Replication server monitor data computation takes too long / blocks rest of server when another RS is cannot be reached

  • OPENDJ-95: Socket leak and constant disconnect/reconnect when a directory server can no longer reach its connected replication server

  • OPENDJ-94: NullPointerException when shutting down worker threads

  • OPENDJ-92: Replication thread naming is confusing and inconsistent

  • OPENDJ-91: Unique Attribute plugin rejects valid modification of unique value.

  • OPENDJ-90: DS disconnecting for more suitable RS even though this RS process is actually STOPed

  • OPENDJ-83: ECL: changeInitiatorsName and potentially changeTime are wrong for delete operations

  • OPENDJ-82: Improve dsreplication status script friendly mode.

  • OPENDJ-75: Combine RFC 3672 and relative subtree specification syntax

  • OPENDJ-73: Memory leak in DITCacheMap

  • OPENDJ-72: cn=Changelog DENY ACI is bad

  • OPENDJ-71: The "container" objectclass used by ECL top entry is missing in the schema.

  • OPENDJ-70: Build does not create the proper reference schema in the config/upgrade directory

  • OPENDJ-69: Binary option not included in userCertificate attribute in change log entries.

  • OPENDJ-65: Host domain name lost from FQDN while enabling replication for a new replica using disreplication enable

  • OPENDJ-64: Exception and stacktrace while running dsreplication

  • OPENDJ-61: Log LDAP protocol version in bind request logging

  • OPENDJ-59: search with paged result control issue

  • OPENDJ-58: cn:schema attribute stored twice in 99-user.ldif schema file

  • OPENDJ-57: ECL: lastChangeNumber and firstChangeNumber reset to zero when the changelog is purged to empty

  • OPENDJ-55: Failing modify operations causing memory leak

  • OPENDJ-51: ECL: virtual attributes are calculated twice per retrieval and gratuitously allocate memory

  • OPENDJ-50: ECL base object search operations on cn=changelog take a long time if the change log is big

  • OPENDJ-48: Draft ECL: lastChangeNumber still not calculated correctly

  • OPENDJ-46: Extensible filters which use dnAttributes are not processed correctly when there is an existing index for the named attribute

  • OPENDJ-28: Investigate why Virtual Attribute unit tests take so long.

  • OPENDJ-27: Schema parsing fails with extensions (X-xxxx) on Syntaxes, but also when spaces are missing

  • OPENDJ-26: Fix OpenDS issue 4585: ConcurrentModificationException in ReplicationBroker

  • OPENDJ-25: Over-verbose logging of LDAP compare operations in access log

  • OPENDJ-24: Fix OpenDS issue 4583: during a search op, ACI with targetfilter and targetattrs gets evaluated wrongly

  • OPENDJ-23: Exception while replaying a delete operation using assured replication.

  • OPENDJ-22: Abandon operations are not always removed from pending list on completion.

  • OPENDJ-21: Account Status Notifications (password changed/reset) are not sent for the Password Modify Extended Operation

  • OPENDJ-17: Generated RC script does not run if run as other than root.

4.2. Limitations

Release 2.5.0-Xpress1 has the following limitations, none of which are new since 2.4.5.

  • OpenDJ directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

  • When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Global account lockout occurs as soon as the authentication failure times have been replicated.

  • OpenDJ is not fully integrated with Microsoft Windows, yet OpenDJ directory server can be run as a service, and thus displayed in the Windows Services Control Panel.

  • OpenDJ replication is designed to permit an unlimited number of replication servers in your topology. Project testing has, however, focused only on topologies of up to eight replication servers.

  • On Niagara systems such as T2000, hardware SSL crypto acceleration runs more slowly than software crypto acceleration. To work around this issue take the following actions.

    1. Add more request handlers to LDAP (for TLS) and LDAPS (for SSL) connection handlers.

    2. Disable hardware acceleration for server's JVM by removing the SunPKCS11 security provider from jre/lib/security/

4.3. Known Issues

For the latest status, query the OpenDJ bug database online at

Furthermore when deploying for production, make sure that you follow the installation instructions on allowing OpenDJ to use at least 64K (65536) file descriptors, and tuning the JVM appropriately.

The following known issues remained open at the time release 2.5.0-Xpress1 became available.

  • OPENDJ-542: ExceptionInInitializerError during upgrade with QuickSetup.jnlp

  • OPENDJ-541: Severe Warning about file permissions in error logs when starting OpenDJ

  • OPENDJ-527: rebuild-index --rebuildAll corrupts the indexes for certain data sets

  • OPENDJ-505: dsreplication enable fails when hostname contains an underscore

  • OPENDJ-502: DSML gateway not correctly forwarding modifications to userCertificate;binary attributes

  • OPENDJ-501: dsconfig advanced properties for the attribute syntaxes inconsistent

  • OPENDJ-457: Sleeping replication threads prevent server from shutting down

  • OPENDJ-454: Naming conflict of 2 adds with same DN leaves DIT inconsistent

  • OPENDJ-449: modifiersName and modifyTimestamp not included in 99-user.ldif for replica

  • OPENDJ-443: dsconfig should return wider range of error codes

  • OPENDJ-431: Server side sort control only works on result sets of less than 100000 entries

  • OPENDJ-405: Upgrade fails in many cases when configuration modified in the server to upgrade.

  • OPENDJ-399: DirectoryException thrown processing of virtual static groups during backend initialization

  • OPENDJ-340: dsreplication disable takes --bindDN, but --adminPassword instead of --bindPassword

  • OPENDJ-270: dsreplication disable takes a long time

  • OPENDJ-253: search for draft changeNumber on disabled suffix requires full resync

  • OPENDJ-202: All bind request APIs should take byte or char arrays for passwords

  • OPENDJ-180: SSL handshake failed after restarting replication server

  • OPENDJ-169: Modifying an existing object class definition requires server restart

  • OPENDJ-137: Windows Service management flakiness

  • OPENDJ-118: RS load balancing does not occur after an RS becomes available after an outage

  • OPENDJ-110: Searches on dc=replicationchanges return incomplete results for certain types of LDAP modifications.

  • OPENDJ-104: Remove Thread.sleep() synchronization design anti-pattern in replication code.

  • OPENDJ-88: Online backup of cn=config does not work

  • OPENDJ-49: Replication replay does not take into consideration the server/backend's writability mode.

Chapter 5. How to Report Problems and Provide Feedback

If you have found issues or reproducible bugs within OpenDJ 2.5.0-Xpress1, report them in

When requesting help with a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Machine type, operating system version, web container and version, Java version, and OpenDJ release version, including any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Support

Chapter 6. Support

ForgeRock provides support services, professional services, classes through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit, or send an email to ForgeRock at

Read a different version of :