Notes covering OpenDJ hardware and software requirements, fixes, known issues.
About OpenDJ
Important
In October 2013 OpenDJ 2.5.0-Xpress1 reached End of Service Life (EOSL).
ForgeRock customers must upgrade OpenDJ in order to receive continued support.
OpenDJ is an LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.
You can download OpenDJ software from the OpenDJ download page. OpenDJ is free to download, evaluate, and use. You can even check out and modify the source code to build your own version if you prefer.
These release notes are written for everyone working with the OpenDJ 2.5.0-Xpress1 release. Read these notes before you install or upgrade OpenDJ software. These notes cover hardware and software prerequisites for installing OpenDJ software. These notes list key features added and changed in this release. They also cover compatibility with previous releases and alert you to potential changes coming up that could affect your scripts and applications. Finally, these notes list both issues fixed since the previous release and known issues open at the time of release.
Important
Upgrade from earlier versions is not supported for the OpenDJ 2.5.0-Xpress1 release.
The change to Berkeley JE 5 from Berkeley JE 4 requires changes to JE backends prior to upgrade, and this release does not include a mechanism for making such changes.
Chapter 1. What's New in OpenDJ 2.5.0-Xpress1
Important
OpenDJ 2.5.0-Xpress1 is a milestone release from the main development branch of the product. The Xpress release contains selected key features and all current fixed issues. An Xpress release undergoes important functional testing but not the complete testing cycle that is done for a full Enterprise release.
Xpress releases are supported through ForgeRock subscriptions. Enterprise versions have long term support.
The goal of an Xpress release is to enable you to start build phases earlier, with the most recent features, instead of having to wait for the Enterprise release date. Fixes to issues that are discovered in an Xpress release are delivered as patches to ForgeRock customers, and are guaranteed to be delivered in the Enterprise release that follows. Xpress releases are supported for a grace period after the Enterprise version has been released.
ForgeRock has only published release notes for OpenDJ 2.5.0-Xpress1. ForgeRock has published complete documentation for the 2.6 release at https://backstage.forgerock.com/docs/opendj/2.6.
OpenDJ 2.5.0-Xpress1 brings you the latest features such as:
Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)
Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted
Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats
Optimistic concurrency control through ETag attributes
Synchronization of Samba and OpenDJ passwords
Compared to the OpenDJ 2.4.5 release, OpenDJ 2.5.0-Xpress1 fixes a number of issues. OpenDJ 2.5.0-Xpress1 provides the following new features.
Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508).
OpenDJ now includes attribute syntax validation for X.509 certificate values (OPENDJ-482).
Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469).
The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446).
OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441).
OpenDJ now logs only fatal errors, severe errors, warnings, and notices at startup time (OPENDJ-438).
OpenDJ now lets you set up the server in command-line mode without creating a default backend (OPENDJ-435).
OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418).
OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409).
OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406).
OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393).
OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).
OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372).
OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371).
More OpenDJ tools now prompt for a bind password when none is provided (OPENDJ-358).
OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352).
OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308).
The OpenDJ dictionary password validator can now check whether a password value contains dictionary words as substrings (OPENDJ-295).
OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).
OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).
OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.
For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.
Both the OpenDJ entry and the remote entry have the same DN.
The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.
The OpenDJ entry and the remote entry share an attribute that has exactly the same value.
If user entries do not match originally, you can add an attribute to users' OpenDJ entries when configuring them to use pass through authentication.
To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details.
OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).
Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250).
OpenDJ now calls Account Status Notification Handlers when an account is enabled or disabled by the manage-account command (OPENDJ-248).
OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).
OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.
OpenDJ now supports checking that entries of new group members exist (OPENDJ-221).
OpenDJ now better supports more, and larger, static groups (OPENDJ-197).
Change log content and configuration have been improved in this release (OPENDJ-194).
Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).
The character set password validator now supports optional character sets (OPENDJ-168).
Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).
OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).
OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).
Chapter 2. Before You Install OpenDJ Software
This chapter covers requirements to consider before you run OpenDJ, especially before you run OpenDJ in your production environment.
If you have a special request to support a combination not listed here, contact ForgeRock at info@forgerock.com.
2.1. Java Environment
OpenDJ software consists of pure Java applications. OpenDJ servers and clients therefore should run on any system with full Java support. OpenDJ is tested on a variety of operating systems, including Solaris SPARC and x86, various Linux distributions, Microsoft Windows, and Apple Mac OS X.
OpenDJ software requires Java 6, specifically at least the Java Standard Edition 6.0 (Sun version 1.6.0_10) runtime environment. ForgeRock recommends that you use at least version 1.6.0_27 due to security fixes.
To build applications with the OpenDJ LDAP SDK, you need the corresponding Java SDK.
2.2. Maximum Open Files
OpenDJ needs to be able to open many files, especially when handling many client connections. Linux systems in particular often set a limit of 1024 per user, which is too low for OpenDJ.
When setting up OpenDJ for production use, make sure OpenDJ can use at least 64K (65536) file descriptors. For example when running OpenDJ as user opendj on a Linux system that uses /etc/security/limits.conf to set user level limits, you can set soft and hard limits by adding these lines to the file.
opendj soft nofile 65536
opendj hard nofile 131072
The example above assumes the system has enough file descriptors available overall. You can check the Linux system overall maximum as follows.
$ cat /proc/sys/fs/file-max
204252
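An added example, not part of the OpenDJ documentation: a POSIX shell audit of the limits described in this section. It reads the nofile entries for a user from a limits.conf-style file and the effective "Max open files" values from a /proc/<pid>/limits file, then checks both against the 64K minimum and the system-wide file-max. The function names, the constructed sample files and the fallback to a "*" wildcard entry are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the OpenDJ documentation): audit file descriptor
# limits for the account that runs OpenDJ. Function names are hypothetical.

REQUIRED_NOFILE=65536   # minimum stated in the release notes

# nofile_limit FILE USER TYPE
# Print the nofile value a limits.conf-style FILE sets for USER and TYPE
# (soft or hard). A "-" type sets both. An entry naming the user takes
# priority over a "*" wildcard entry; @group entries are not resolved here.
nofile_limit() {
    awk -v user="$2" -v type="$3" '
        { sub(/#.*/, "") }                      # drop comments
        NF != 4 || $3 != "nofile" { next }
        $2 != type && $2 != "-"   { next }
        $1 == user { exact = $4 }
        $1 == "*"  { wild = $4 }
        END {
            if (exact != "") print exact
            else if (wild != "") print wild
        }
    ' "$1"
}

# proc_nofile LIMITS_FILE
# Print "soft hard" from a /proc/<pid>/limits file: the limits the running
# process really has, which can differ from what limits.conf requests.
proc_nofile() {
    awk '/^Max open files/ { print $4, $5 }' "$1"
}

# is_number VALUE: succeed only for a non-empty string of digits.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_nofile SOFT HARD FILE_MAX
# Succeed when both limits meet REQUIRED_NOFILE and the system-wide maximum
# covers the hard limit. Prints one line per finding.
check_nofile() {
    status=0
    for value in "$1" "$2" "$3"; do
        if ! is_number "$value"; then
            echo "FAIL: limit '$value' is unset or not numeric"
            return 1
        fi
    done
    if [ "$1" -lt "$REQUIRED_NOFILE" ]; then
        echo "FAIL: soft limit $1 is below $REQUIRED_NOFILE"; status=1
    fi
    if [ "$2" -lt "$REQUIRED_NOFILE" ]; then
        echo "FAIL: hard limit $2 is below $REQUIRED_NOFILE"; status=1
    fi
    if [ "$2" -gt "$3" ]; then
        echo "FAIL: system file-max $3 is lower than hard limit $2"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: soft=$1 hard=$2 file-max=$3"; fi
    return "$status"
}

# write_samples DIR: create constructed sample inputs for an offline run.
write_samples() {
    cat > "$1/limits.conf" <<'EOF'
# constructed sample in /etc/security/limits.conf format
*       soft nofile 1024
opendj  soft nofile 65536
opendj  hard nofile 131072   # the two lines from the release notes
EOF
    cat > "$1/proc_limits" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    file_max=204252   # value shown in the release notes
    echo "Configured in limits.conf:"
    check_nofile "$(nofile_limit "$dir/limits.conf" opendj soft)" \
                 "$(nofile_limit "$dir/limits.conf" opendj hard)" "$file_max"
    echo "Effective for the sample process:"
    set -- $(proc_nofile "$dir/proc_limits")
    check_nofile "$1" "$2" "$file_max"
    rm -rf "$dir"
}

demo || true
```

On a live host, pass /etc/security/limits.conf and the /proc/<pid>/limits file of the OpenDJ server process. Limits set through limits.conf apply to PAM sessions, so a server launched another way may still run with the 1024 default even though the file is correct.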
2.3. Operating System
OpenDJ software depends on the Java environment more than it depends on the underlying operating system. That said, OpenDJ 2.5.0-Xpress1 has been validated on the following operating systems.
Apple Mac OS X 10.7
Linux 2.6 and later
Microsoft Windows Server 2008
Oracle Solaris 10
2.4. Application Servers
OpenDJ directory server runs as a standalone Java service, and does not depend on an application server.
OpenDJ 2.5.0-Xpress1 DSML gateway has been validated on Apache Tomcat 6.
2.5. FQDNs For Replication
OpenDJ replication requires that you use fully qualified domain names, such as opendj.example.com.
Although you can use host names like my-laptop.local for evaluation, in production and even in your lab, you must either ensure DNS is set up correctly to provide fully qualified domain names, or set up /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) to provide fully qualified domain names.
2.6. Hardware
Thanks to the underlying Java platform, OpenDJ software runs well on a variety of processor architectures. Many directory service deployments meet their service-level agreements without the very latest or very fastest hardware.
For a server evaluation installation, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available to OpenDJ, with 100 MB free disk space for the software and a small set of sample data. For installation in production, read the rest of this section. You need at least 2 GB memory for OpenDJ and 4 times the disk space needed to house initial production data in LDIF format.[1] To get a more accurate estimate of the disk space needed, import a known fraction of the initial LDIF with OpenDJ configured as for production, run tests based on the estimated rates of change and growth in directory data, and then use the actual space used in the test environment to estimate how much disk space you need in production.
OpenDJ directory servers almost always benefit from having enough system memory to cache all directory database files used. The reason is that reading from and writing to memory is typically much faster than reading from and writing to disk storage. For small data sets, you might not need extra memory. For large directories with millions of user directory entries, the system might not have enough slots to house sufficient memory to cache everything. To improve performance in such cases, one approach is to add solid state drives as an intermediate cache between memory and disk storage.
Processor architectures that provide fast single thread execution tend to help OpenDJ software deliver the lowest response times. For top end performance in terms both of sub-millisecond response times and also of throughput ranging from tens of thousands to hundreds of thousands of operations per second, the latest x86 architecture chips tend to perform better than others tested. Chip multi-threading (CMT) processors can do very well on directory servers providing pure search throughput, even though response times can be higher. Yet, CMT processors can be slow to absorb hundreds or thousands of write operations per second. Their slower threads get blocked waiting on resources, and thus are not optimal for topologies with high write throughput requirements.
On systems with fast processors and enough memory to cache directory data completely, the network can become a bottleneck. Even if a single 1 Gbit Ethernet interface offers plenty of bandwidth to handle your average traffic load, it can be too small for peak traffic loads. Furthermore, you might choose to use separate interfaces for administrative traffic and application traffic. To estimate what network hardware you need, calculate the size of the data you return to applications during peak load. For example, if you expect to have a peak load of 100,000 searches per second, each returning a full 8 KB entry, you need a network that can handle 800 MB/sec (3.2 Gbit/sec) throughput, not counting any other operations such as writes that result in replication traffic.
The storage hardware you choose must allow you to house not only directory data including historical data for replication, but also logs. If you choose to retain access logs for auditing purposes on a heavily used directory, dedicate storage for the log archives as well. Furthermore, your storage must also keep pace with the write throughput. Write throughput can arise from modify, modify DN, add, and delete operations, but it can also result from bind operations. Such is the case when the last successful bind is recorded, and when account lockout is configured, for example. In a replicated topology, not only does a directory service write entries to disk when they are changed, but a directory service also writes changelog data and historical information in order to resolve potential replication conflicts. You base your network throughput needs on peak loads. Also base your storage throughput needs on peak loads.
Note
OpenDJ servers do not currently support network file systems such as NFS for database storage. Provide sufficient disk space on local storage such as internal disk or an attached disk array.
[1] OpenDJ stores data in Berkeley DB Java Edition, which is implemented as a rolling log. Berkeley DB appends updates to the end of the last log file, and marks old pages as deleted. Berkeley DB cleaner threads monitor the log file occupancy ratio, moving the data to get rid of old log files. Yet, with the default occupancy ratio of 50%, log files are cleaned only when they have less than 50% valid pages. As a result, the database can reach twice its initial size in the worst case.
Furthermore, when you import data from LDIF, OpenDJ stores not only the data, but also builds indexes for many of the attributes, resulting in some growth. Replication historical data and other operational attributes can also take up space.
Finally, it makes sense to leave space for growth in the database size as you modify and add entries over time.
Chapter 3. Compatibility
This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.
3.1. Major Changes to Existing Functionality
OpenDJ 2.5.0-Xpress1 improves on earlier releases, introducing many new features and important fixes without major, backwards-incompatible changes. Take the following into account, however.
Upgrade from earlier versions is not supported for the OpenDJ 2.5.0-Xpress1 release.
The default DB cache size is now 50%, rather than 10%.
If you have multiple backends, configure cache sizes accordingly.
The number of LDAP request handlers now defaults to half the CPU count.
The replication purge delay default has increased from one day to three days.
Syntax checking has been added for certificate and country attribute values. This affects applications updating those attribute values. For example, applications updating country attribute values must now use Country String syntax, which uses two-character codes from ISO 3166 such as US instead of full names such as United States.
3.2. Deprecated Functionality
OpenDJ 2.5.0-Xpress1 makes use of new environment variables aligned with the project name to use OPENDJ. Use of the old variables is deprecated. The old variables are likely to be removed in a future release.
3.3. Removed Functionality
No functionality has been removed in OpenDJ 2.5.0-Xpress1.
No functionality is planned to be removed at this time.
Chapter 4. OpenDJ Fixes, Limitations, and Known Issues
Note
The current list of fixes and issues reflects OpenDJ 2.5.0-Xpress1 in progress as of July 23, 2012.
OpenDJ issues are tracked at https://bugster.forgerock.org/jira/browse/OPENDJ.
4.1. Fixes Since Last Release
The following bugs were fixed in this release.
OPENDJ-538: NPE during initialization of quick upgrade
OPENDJ-537: Broken link from Control Panel to Admin Guide
OPENDJ-528: rebuild-index doesn't rebuild properly DN2ID after an upgrade from OpenDS 2.2.
OPENDJ-524: CME in LDAPClientConnection when writing many large responses concurrently to the same connection
OPENDJ-520: Worker threads are too greedy when caching memory used for encoding/decoding entries and protocol messages
OPENDJ-519: Exception raised when bind fails and debug logging is enabled
OPENDJ-507: Index may go untrusted without a message in the errors log.
OPENDJ-506: NoSuchElementException thrown during replication in java.util.TreeMap.key(TreeMap.java:1221)
OPENDJ-504: Performing Query on telephoneNumber attribute thats not a number returns all entries
OPENDJ-500: Upgrade trunk (2.5.0) to JE 5.0.48
OPENDJ-494: dsreplication initialize reports negative percentage of completion
OPENDJ-488: Cancel request succeeds with result code 118 (CANCELED) when it should receive result code 0 (SUCCESS)
OPENDJ-487: Normal acis under cn=config are not loaded at startup
OPENDJ-477: Adding an entry with binary options fails during reading ldif file
OPENDJ-476: Manage Account fails with NPE if target DN does not exist
OPENDJ-475: Incorrect behaviour/result code regarding non-critical controls
OPENDJ-472: Offline import LDIF reject entries, doesn't report the correct count of them, and store them in both rejected and skipped files.
OPENDJ-471: FIFOEntryCache may leave stalled data when low in memory.
OPENDJ-470: AttributeBuilder's SmallSet doesn't implement the Contains method of a Set
OPENDJ-465: WhoAmI Extended operation code duplicates supported controls
OPENDJ-462: Spinning threads in JE backend importer
OPENDJ-459: User's privileges not working with SASL EXTERNAL auth
OPENDJ-456: OpenDJ schema replication fails for 3rd server of topology
OPENDJ-447: OpenDJ Quicksetup: Problems when hostname cannot be resolved
OPENDJ-439: export-ldif on jeb produces duplicate entries
OPENDJ-436: Inconsistency between hostname specified in setup and DIGEST-MD5 fqdn of server.
OPENDJ-433: Every other permissions-subjects pair in ACI is ignored
OPENDJ-432: LDAPURL doesn't always url-decode baseDN
OPENDJ-423: Single AND component filter causes an uncatch exception in ECL (ECLSearchOperation.java:1467)
OPENDJ-420: Rare SSLExceptions while handling LDAPS connections and big LDAP searches
OPENDJ-414: Avoid displaying debug messages to stdout when running various tools
OPENDJ-413: verify-index with "-c" option doesn't work for certain indexes
OPENDJ-410: Frequent corruption in ds-sync-hist ordering index.
OPENDJ-401: Replication fails with Java 7.
OPENDJ-400: ControlPanel issue with values containing \n (such as sunxmlkeyvalue)
OPENDJ-398: Misleading replication messages: "Replication server XXXX was attempting to connect to replication server YYYY but has disconnected in handshake phase"
OPENDJ-396: Remove support for ServiceTag.
OPENDJ-387: dsreplication initialize-all reports negative percentage of completion
OPENDJ-384: Substring search on entryUUID fails with a NullPointerException
OPENDJ-380: index-entry-limit=0 not working as expected
OPENDJ-379: Improve help for the db-evictor-nodes-per-scan parameter.
OPENDJ-378: Remove activation.jar as it's bundled with Java 6
OPENDJ-377: Kerberos authentication with AD KDC fails with LoginException(Client not found in Kerberos database (6))
OPENDJ-363: Make it more obvious in the setup tool that the fully-qualified hostname is critical for all secured connections
OPENDJ-361: AttributeBuilderTest unit test fails on OpenJDK
OPENDJ-359: Fix typo in account status notification property name "time-unti-expiration"
OPENDJ-356: Task email shows as from opends-task-notification
OPENDJ-349: manage-account returns Seconds Until Idle Account Lockout: 0 (zero) if the last log on date is more than 24 days before the idle lock out interval.
OPENDJ-339: Don't register alert handler in unique attribute plugin until we are sure that the configuration is valid
OPENDJ-338: Referential integrity plugin updates internal state when validating configuration
OPENDJ-337: dsconfig allows users to create hidden components such as network group plugin
OPENDJ-333: Missing entryUUID attributes in "cn=admin data" backend prevent updates from being replicated.
OPENDJ-327: NPE in access log on clicking "Do not Accept" certificate in Control Panel
OPENDJ-322: Binary encoding option causing problems in replace operations
OPENDJ-311: setup --cli throws IllegalStateException in getConnectTimeout
OPENDJ-310: Replicated changes to referral entries are not applied on replicas
OPENDJ-306: Misleading access log error message when client resets the connection.
OPENDJ-304: The result code 53 (unwillingToPerform) should only be used for service errors
OPENDJ-298: Review screen content is wrong when using QuickSetup
OPENDJ-293: InternalClientConnection memory leak when performing password modify/state extended operations or SASL binds
OPENDJ-292: LDAP PTA NPE when base-dn or bind-dn not exist on secondary server
OPENDJ-290: LDAP PTA valid auth attempt rejected if AD reset connection
OPENDJ-288: Use INVALID_CREDENTIALS result code when disconnecting users because their entry has been deleted
OPENDJ-285: Unable to modify users entry after LDAP PTA Policy applied
OPENDJ-282: dsreplication enable fails with duplicate server ID, while it's about the same server being referenced.
OPENDJ-278: ldapSubentry entries should have an implicit scope of { base="" } when no subtree specification is specified
OPENDJ-277: Initialize GSSAPI extension after back ends and connectors
OPENDJ-274: Replication mishandles a Modify operation with multiple modifications on the same attribute.
OPENDJ-266: Extra white space in some of the schema files shipped with OpenDJ 2.4
OPENDJ-256: Fix regular unit test failures on 2.4 branch and trunk
OPENDJ-255: Incorrect dsconfig usage for setting multiple property values at once
OPENDJ-254: The show-all-attributes flag breaks schema modification, when enabled.
OPENDJ-252: ControlPanel fails with a Null Pointer Exception with Oracle JDK7.
OPENDJ-249: dsreplication disable --disableAll error removing contents of "cn=admin data"
OPENDJ-247: Rename max-entries property in JE backend to something more clearly related to index analysis
OPENDJ-242: Password Policy State Extended Operation anomalities...
OPENDJ-241: Unexpected authorization failure when using the assertion control with internal root connections
OPENDJ-237: Password modification by deleting the value and adding a new one fails with unwilling to perform (would result in multiple password in the entry)
OPENDJ-236: Support dn: and u: authid notation in SambaPasswordPlugin
OPENDJ-224: Replication fails when replication server is configured for a network interface which is not an alias of localhost/127.0.0.1
OPENDJ-223: Modify operation isn't replayed on replica exactly as on original server.
OPENDJ-219: Replication server and draft changelog DB code may attempt to reference closed DB
OPENDJ-211: missing ";" in cookie exchange control causes StringIndexOutOfBoundsException
OPENDJ-209: dsframework cannot connect
OPENDJ-190: Look for tools.properties, etc. in ~/.opendj rather than ~/.opends
OPENDJ-188: Change of ~/.opends to ~/.opendj directory for tools.properties should be documented
OPENDJ-184: Transient errors when accessing cn=changelog DraftCN DB result in complete shutdown of the replication service.
OPENDJ-181: DirectoryException provided value has an invalid length for a UUID
OPENDJ-173: External ChangeLog cookies content is altered by Change purging and prevents from continuing search with a previous returned cookie.
OPENDJ-172: External ChangeLog Cookie varies when searching with an empty cookie. Cookie should be reproducible.
OPENDJ-171: OpenDJ does not support a NULL ChangeLog Cookie value
OPENDJ-170: External ChangeLog returns the Cookie Control even when not requested
OPENDJ-161: Windows services still refers to the OpenDJ server as opends.
OPENDJ-150: ChangeLogEntry schema is not compliant with internet-draft
OPENDJ-146: java.lang.OutOfMemoryError: Java heap space
OPENDJ-142: Message.raw() with treats first arg as format string even when there are no format arguments
OPENDJ-136: On Windows, upgrade fails with NPE during Verify phase
OPENDJ-135: upgrade -r fails on Windows
OPENDJ-134: upgrade fails when server registered as Windows service
OPENDJ-132: upgrade utility does not accept relative path
OPENDJ-130: External change log, used in compliance with Internet-draft, shows a divergence between replicas under load.
OPENDJ-126: Bad syntax for lastChangeNumber, firstChangeNumber, and lastExternalChangelogCookie
OPENDJ-121: Replication failure on startup due to generation ID of -1
OPENDJ-117: Replicated server slow to shutdown and ugly exceptions
OPENDJ-115: Make replication connection timeouts and various monitoring intervals configurable
OPENDJ-113: Permissive Modify Control fails when deleting non existing attribute
OPENDJ-112: The changelog virtual attribute appears in all entries, should only apply to the rootDSE
OPENDJ-111: Bugs in ECL changelog creation of changeInitiatorsName attribute
OPENDJ-107: Potential for leaking DB cursors in replication databases.
OPENDJ-106: QuickStart Welcome Panel calls for Java 5, although OpenDJ now requires Java 6
OPENDJ-105: Replication protocol error. Bad message type. org.opends.server.replication.protocol.StopMsg received, ReplServerStartMsg required
OPENDJ-103: Replication in 2.4 head and trunk are no longer compatible with 2.4.0 and 2.4.1
OPENDJ-101: NPE when processing UniqueAttributePlugin/AuthenticatedUsers ChangeListener post-sync for moddn operations with conflicts
OPENDJ-100: ControlPanel display schema elements as Custom schema when using remote connection a server (and standard for local)
OPENDJ-99: NoSuchElementExceptions while replaying replicated operations.
OPENDJ-98: Searches on cn=monitor take a long time
OPENDJ-97: Very many minor problems with the error logging for replication
OPENDJ-96: Replication server monitor data computation takes too long / blocks rest of server when another RS is cannot be reached
OPENDJ-95: Socket leak and constant disconnect/reconnect when a directory server can no longer reach its connected replication server
OPENDJ-94: NullPointerException when shutting down worker threads
OPENDJ-92: Replication thread naming is confusing and inconsistent
OPENDJ-91: Unique Attribute plugin rejects valid modification of unique value.
OPENDJ-90: DS disconnecting for more suitable RS even though this RS process is actually STOPed
OPENDJ-83: ECL: changeInitiatorsName and potentially changeTime are wrong for delete operations
OPENDJ-82: Improve dsreplication status script friendly mode.
OPENDJ-75: Combine RFC 3672 and relative subtree specification syntax
OPENDJ-73: Memory leak in DITCacheMap
OPENDJ-72: cn=Changelog DENY ACI is bad
OPENDJ-71: The "container" objectclass used by ECL top entry is missing in the schema.
OPENDJ-70: Build does not create the proper reference schema in the config/upgrade directory
OPENDJ-69: Binary option not included in userCertificate attribute in change log entries.
OPENDJ-65: Host domain name lost from FQDN while enabling replication for a new replica using disreplication enable
OPENDJ-64: Exception and stacktrace while running dsreplication
OPENDJ-61: Log LDAP protocol version in bind request logging
OPENDJ-59: search with paged result control issue
OPENDJ-58: cn:schema attribute stored twice in 99-user.ldif schema file
OPENDJ-57: ECL: lastChangeNumber and firstChangeNumber reset to zero when the changelog is purged to empty
OPENDJ-55: Failing modify operations causing memory leak
OPENDJ-51: ECL: virtual attributes are calculated twice per retrieval and gratuitously allocate memory
OPENDJ-50: ECL base object search operations on cn=changelog take a long time if the change log is big
OPENDJ-48: Draft ECL: lastChangeNumber still not calculated correctly
OPENDJ-46: Extensible filters which use dnAttributes are not processed correctly when there is an existing index for the named attribute
OPENDJ-28: Investigate why Virtual Attribute unit tests take so long.
OPENDJ-27: Schema parsing fails with extensions (X-xxxx) on Syntaxes, but also when spaces are missing
OPENDJ-26: Fix OpenDS issue 4585: ConcurrentModificationException in ReplicationBroker
OPENDJ-25: Over-verbose logging of LDAP compare operations in access log
OPENDJ-24: Fix OpenDS issue 4583: during a search op, ACI with targetfilter and targetattrs gets evaluated wrongly
OPENDJ-23: Exception while replaying a delete operation using assured replication.
OPENDJ-22: Abandon operations are not always removed from pending list on completion.
OPENDJ-21: Account Status Notifications (password changed/reset) are not sent for the Password Modify Extended Operation
OPENDJ-17: Generated RC script does not run if run as other than root.
4.2. Limitations
Release 2.5.0-Xpress1 has the following limitations, none of which are new since 2.4.5.
OpenDJ directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.
When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Global account lockout occurs as soon as the authentication failure times have been replicated.
OpenDJ is not fully integrated with Microsoft Windows, yet OpenDJ directory server can be run as a service, and thus displayed in the Windows Services Control Panel.
OpenDJ replication is designed to permit an unlimited number of replication servers in your topology. Project testing has, however, focused only on topologies of up to eight replication servers.
On Niagara systems such as T2000, hardware SSL crypto acceleration runs more slowly than software crypto acceleration. To work around this issue, take the following actions.
Add more request handlers to LDAP (for TLS) and LDAPS (for SSL) connection handlers.
Disable hardware acceleration for the server's JVM by removing the SunPKCS11 security provider from jre/lib/security/java.security.
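An added example, not taken from the OpenDJ documentation, of removing the SunPKCS11 entry from a java.security file. The JRE reads the security.provider.N entries in order and stops at the first missing number, so the remaining providers must be renumbered after the entry is removed. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Drop the SunPKCS11 entry from a java.security provider list and renumber
# the entries that remain, so the list stays contiguous from 1.

strip_pkcs11() {
    # $1 = path to a java.security file; the filtered copy goes to stdout.
    awk '
        /^security\.provider\.[0-9]+=/ {
            if ($0 ~ /SunPKCS11/) next      # remove the hardware provider
            n++                             # next free preference number
            sub(/^security\.provider\.[0-9]+=/, "security.provider." n "=")
        }
        { print }                           # all other lines pass through
    ' "$1"
}

# Constructed sample modelled on a Solaris JRE provider list (assumption).
make_sample() {
    cat <<'EOF'
# List of providers and their preference orders:
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
securerandom.source=file:/dev/urandom
EOF
}

# Run the filter over the sample and print the result.
demo() {
    tmp=$(mktemp) || return 1
    make_sample > "$tmp"
    strip_pkcs11 "$tmp"
    rm -f "$tmp"
}
```

Review the output of strip_pkcs11 against a backup of the original file before replacing it, then restart the server so the JVM rereads the provider list.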
4.3. Known Issues
For the latest status, query the OpenDJ bug database online at https://bugster.forgerock.org/jira/browse/OPENDJ.
Furthermore, when deploying for production, make sure that you follow the installation instructions on allowing OpenDJ to use at least 64K (65536) file descriptors, and tuning the JVM appropriately.
The following known issues remained open at the time release 2.5.0-Xpress1 became available.
OPENDJ-542: ExceptionInInitializerError during upgrade with QuickSetup.jnlp
OPENDJ-541: Severe Warning about file permissions in error logs when starting OpenDJ
OPENDJ-527: rebuild-index --rebuildAll corrupts the indexes for certain data sets
OPENDJ-505: dsreplication enable fails when hostname contains an underscore
OPENDJ-502: DSML gateway not correctly forwarding modifications to userCertificate;binary attributes
OPENDJ-501: dsconfig advanced properties for the attribute syntaxes inconsistent
OPENDJ-457: Sleeping replication threads prevent server from shutting down
OPENDJ-454: Naming conflict of 2 adds with same DN leaves DIT inconsistent
OPENDJ-449: modifiersName and modifyTimestamp not included in 99-user.ldif for replica
OPENDJ-443: dsconfig should return wider range of error codes
OPENDJ-431: Server side sort control only works on result sets of less than 100000 entries
OPENDJ-405: Upgrade fails in many cases when configuration modified in the server to upgrade.
OPENDJ-399: DirectoryException thrown processing of virtual static groups during backend initialization
OPENDJ-340: dsreplication disable takes --bindDN, but --adminPassword instead of --bindPassword
OPENDJ-270: dsreplication disable takes a long time
OPENDJ-253: search for draft changeNumber on disabled suffix requires full resync
OPENDJ-202: All bind request APIs should take byte or char arrays for passwords
OPENDJ-180: SSL handshake failed after restarting replication server
OPENDJ-169: Modifying an existing object class definition requires server restart
OPENDJ-137: Windows Service management flakiness
OPENDJ-118: RS load balancing does not occur after an RS becomes available after an outage
OPENDJ-110: Searches on dc=replicationchanges return incomplete results for certain types of LDAP modifications.
OPENDJ-104: Remove Thread.sleep() synchronization design anti-pattern in replication code.
OPENDJ-88: Online backup of cn=config does not work
OPENDJ-49: Replication replay does not take into consideration the server/backend's writability mode.
Chapter 5. How to Report Problems and Provide Feedback
If you have found issues or reproducible bugs within OpenDJ 2.5.0-Xpress1, report them in https://bugster.forgerock.org.
When requesting help with a problem, please include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Machine type, operating system version, web container and version, Java version, and OpenDJ release version, including any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
Chapter 6. Support
ForgeRock provides support services, professional services, classes through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers and partners. For details, visit https://www.forgerock.com, or send an email to ForgeRock at info@forgerock.com.