
Corrections and clarifications to IBM Tivoli Directory Server 6.3 documentation

Question & Answer


Question

This technote contains corrections and clarifications to the IBM Tivoli Directory Server 6.3 documentation.

Answer

Corrections and updates to documentation:

Administration Guide


Setting password policy - Password policy evaluation:


The description of the pwdFailureCountInterval attribute in Table 13 (Determining the most restrictive attribute values) is revised for clarity:
    Existing description:

    The pwdFailureCountInterval attribute specifies the number of seconds after which the password failures are removed from the failure counter even if no successful authentication has happened.

    Updated description:

    The pwdFailureCountInterval attribute specifies the number of seconds after which password failure entries are removed from the failure counter; the removal takes place when the next bind attempt, valid or invalid, is processed. On a valid bind, all password failure entries are removed from the user entry. On an invalid bind, the password failure entries older than pwdFailureCountInterval are removed and the latest password failure is recorded in the user entry.
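The pruning rule in the updated description, as an added illustration that is not IBM code and not part of the original technote: a small Python model of the per-user failure list in which stale failures are discarded only when a bind is processed, so an account that receives no bind attempts keeps its stale failures indefinitely. The attribute names mirror the policy attributes; the lockout rule (lock when the retained failures reach pwdMaxFailure), the treatment of an interval of 0 as "failures never expire on their own", and the omission of pwdLockoutDuration are simplifying assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserEntry:
    """Constructed stand-in for the per-user password-policy state."""
    pwd_failure_time: List[int] = field(default_factory=list)  # pwdFailureTime values, epoch seconds
    pwd_account_locked_time: Optional[int] = None              # pwdAccountLockedTime


def bind(entry: UserEntry, now: int, password_ok: bool,
         pwd_max_failure: int, pwd_failure_count_interval: int) -> bool:
    """Apply one bind attempt at time `now`. Returns True if the bind is accepted.

    The failure list is pruned here, on the bind, and nowhere else: that is the
    point the updated description makes. An interval of 0 is taken to mean that
    failures never expire on their own (assumption of this model).
    """
    if entry.pwd_account_locked_time is not None:
        return False                            # already locked; unlocking is out of scope here

    if password_ok:
        entry.pwd_failure_time.clear()          # valid bind: every recorded failure is removed
        return True

    if pwd_failure_count_interval > 0:          # invalid bind: drop failures older than the interval
        entry.pwd_failure_time = [
            t for t in entry.pwd_failure_time if now - t < pwd_failure_count_interval
        ]
    entry.pwd_failure_time.append(now)          # ...then record this failure

    if pwd_max_failure and len(entry.pwd_failure_time) >= pwd_max_failure:
        entry.pwd_account_locked_time = now     # assumed lockout rule: retained failures reach pwdMaxFailure
    return False


def run_failures(attempt_times: List[int], pwd_max_failure: int = 3,
                 pwd_failure_count_interval: int = 300):
    """Feed wrong-password binds at the given times to a fresh entry and report
    (locked?, number of failures still retained)."""
    entry = UserEntry()
    for t in attempt_times:
        bind(entry, t, False, pwd_max_failure, pwd_failure_count_interval)
    return entry.pwd_account_locked_time is not None, len(entry.pwd_failure_time)


if __name__ == "__main__":
    print(run_failures([0, 60, 120]))      # three failures inside 5 minutes: locked
    print(run_failures([0, 400, 800]))     # each more than 5 minutes apart: never locks, one failure kept
    print(run_failures([0, 60, 120], pwd_failure_count_interval=0))  # interval 0: nothing expires
```

The second scenario is the one worth remembering when tuning: an attacker who paces guesses slower than pwdFailureCountInterval never accumulates enough failures to trigger lockout, so the interval should be chosen together with pwdMaxFailure rather than in isolation.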


Pass-through-authentication:

Limitation with pass-through authentication in a proxy server environment:

Pass-through authentication works when a client binds directly to a backend server. If a TDS proxy server connects to a backend server where pass-through authentication is configured, however, the bind operation on the proxy server fails.

The reason is that the proxy converts the client's bind operation into a compare operation followed by a series of extended operations. A server with pass-through authentication enabled does not forward compare operations to the remote server; only bind operations received by the backend server are routed to the remote server for pass-through authentication.

See technote #1300201: Tivoli Directory Server Proxy Server Supported Capabilities


Delete operations may fail when the tombstone feature is enabled.

If the "Record Deleted Entries" (tombstone) feature is enabled (ibm-slapdTombstoneEnabled=TRUE), delete operations may fail. When tombstone is enabled, the server does not delete entries; it renames them by appending "\0DDEL:{uuid}" to the naming attribute value, where {uuid} is a 36-character UUID string. For the tombstone feature to work, the naming attribute of the entry to be deleted must be long enough to hold the original entry name plus 41 additional characters for the tombstone suffix. A delete that succeeds with tombstones disabled can therefore fail once they are enabled, so check the length of the naming attribute values before enabling the feature.

APAR IO13498 explains this limitation with an example.


  • Server Administration ::

Logging Utilities ::

Default log paths :

Note: If you change the error log path for the Directory Server (ibmslapd.log) or the Administration Server (idsdiradm.log), messages may still be written to the default path during the interval between the moment the server is first started and the moment it finishes parsing the custom ibm-slapdLog configuration.




Appendix H ::


Overriding password policy and unlocking accounts:

Modify operations against userPassword, when combined with operational attributes, cause undesired results.

Do not modify the userPassword attribute and the password-policy operational attributes in the same LDAP modify operation. If any password-policy operational attribute is present in the modify operation, the server carries out only the post-modify actions for the operational attributes and skips the post-modify actions for the userPassword change. The skipped actions include clearing the pwdFailureTime and pwdAccountLockedTime values. Send the userPassword change and the operational-attribute changes as separate modify operations.

APAR IO14069 explains this in detail.
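Both failure modes, the tombstone length limit described earlier in this Administration Guide section and the mixed userPassword/operational-attribute modify described just above, can be caught before the LDIF reaches the server. The following is an added example, not IBM code and not part of this technote: a minimal LDIF change-record linter with a rewrite step that splits an offending modify into two operations. The 41-character tombstone overhead comes from the technote (taking "\0D" as the DN-escaped carriage return, plus "DEL:" and the 36-character UUID); the maximum naming-attribute length is an assumed input that you should take from your schema, the sample LDIF is constructed, and the set of "password-policy operational attributes" is approximated as anything named pwd* or ibm-pwd*.

```python
import re
from itertools import groupby
from typing import List, Tuple

TOMBSTONE_SUFFIX_LEN = 41  # "\0D" (escaped CR) + "DEL:" + 36-char UUID, per the technote


def parse_ldif(text: str) -> List[List[Tuple[str, str]]]:
    """Minimal LDIF reader: unfolds continuation lines, drops comments and returns each
    record as ordered (key, value) pairs; '-' separators are kept as ('-', '')."""
    records, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif line == "-":
            current.append(("-", ""))
        else:
            key, _, value = line.partition(":")
            current.append((key.strip(), value.lstrip(": ").strip()))
    if current:
        records.append(current)
    return records


def naming_value_length(dn: str) -> int:
    """Characters in the first RDN value; a backslash escape counts as one character
    (hex escapes are not decoded, multi-valued RDNs are not handled)."""
    value = re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")[2]
    return len(re.sub(r"\\(.)", r"\1", value))


def is_pwd_operational(attr: str) -> bool:
    """Assumption: policy operational attributes are pwd* (pwdAccountLockedTime,
    pwdFailureTime, ...) plus IBM's ibm-pwd* attributes."""
    return attr.lower().startswith(("pwd", "ibm-pwd"))


def modify_groups(record):
    """The '-'-separated changes of a changetype: modify record; each group starts
    with its (add|replace|delete, attribute) line."""
    body = [kv for kv in record if kv[0].lower() not in ("dn", "changetype")]
    return [list(g) for sep, g in groupby(body, key=lambda kv: kv[0] == "-") if not sep]


def render(dn: str, changetype: str, groups) -> str:
    lines = [f"dn: {dn}", f"changetype: {changetype}"]
    for group in groups:
        lines.extend(f"{k}: {v}" for k, v in group)
        lines.append("-")
    return "\n".join(lines) + "\n"


def lint(text: str, max_naming_len: int) -> List[Tuple[str, str]]:
    """(dn, problem) for deletes that cannot be tombstoned and for modifies that mix
    userPassword with password-policy operational attributes."""
    findings = []
    for rec in parse_ldif(text):
        fields = {k.lower(): v for k, v in rec}
        dn, changetype = fields.get("dn", ""), fields.get("changetype", "add").lower()
        if changetype == "delete":
            needed = naming_value_length(dn) + TOMBSTONE_SUFFIX_LEN
            if needed > max_naming_len:
                findings.append((dn, f"tombstone rename needs {needed} chars, attribute allows {max_naming_len}"))
        elif changetype == "modify":
            attrs = {g[0][1].lower() for g in modify_groups(rec)}
            if "userpassword" in attrs and any(is_pwd_operational(a) for a in attrs):
                findings.append((dn, "userPassword and password-policy operational attributes in one modify"))
    return findings


def split_password_modify(text: str) -> str:
    """Rewrite each offending modify as two records: the userPassword change first, so
    the server runs its post-modify actions, then the operational attributes."""
    out = []
    for rec in parse_ldif(text):
        fields = {k.lower(): v for k, v in rec}
        if fields.get("changetype", "").lower() == "modify":
            groups = modify_groups(rec)
            pw = [g for g in groups if g[0][1].lower() == "userpassword"]
            rest = [g for g in groups if g[0][1].lower() != "userpassword"]
            if pw and any(is_pwd_operational(g[0][1]) for g in rest):
                out += [render(fields["dn"], "modify", pw), render(fields["dn"], "modify", rest)]
                continue
        out.append("\n".join(k if k == "-" else f"{k}: {v}" for k, v in rec) + "\n")
    return "\n".join(out)


# Constructed sample: a delete of a long cn, and an unlock plus password reset in one modify.
SAMPLE_LDIF = """\
dn: cn=very-long-common-name-of-a-user-entry-used-for-testing,ou=people,o=sample
changetype: delete

dn: cn=jdoe,ou=people,o=sample
changetype: modify
replace: userPassword
userPassword: N3w-Passw0rd!
-
delete: pwdAccountLockedTime
-
"""

if __name__ == "__main__":
    for dn, problem in lint(SAMPLE_LDIF, 64):  # 64: assumed schema maximum for the cn value
        print(f"{dn}: {problem}")
    print(split_password_modify(SAMPLE_LDIF))
```

Feed the output of split_password_modify to idsldapmodify in place of the original file; the two records for cn=jdoe are applied as separate operations in that order, so the userPassword post-modify actions run before the explicit operational-attribute change is applied.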

Password policy queries:

Because of a redesign in TDS 6.0, the pwdChangedTime attribute was changed from a regular attribute to an operational attribute (which is not intended to be used in a search filter). Searching with this attribute in a filter might not return all the entries an administrator expects: only entries whose password has been changed at least once are returned, and entries that carry no pwdChangedTime value are omitted.



The technote Limitations of pwdChangedTime describes these limitations in more detail.
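One way to avoid that gap, as an added example rather than anything from the technote: request pwdChangedTime explicitly in the search attribute list (operational attributes are not returned unless named) and classify the entries on the client, treating a missing value as "never changed". The entries below are constructed sample data in the (dn, attributes) shape that python-ldap returns; no server is contacted, and the GeneralizedTime format assumed is YYYYMMDDHHMMSSZ.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[bytes]]]   # (dn, attributes), as python-ldap returns results

# Operational attributes come back only when requested by name, so pwdChangedTime
# must be in the attribute list passed to the search.
SEARCH_ATTRS = ["cn", "pwdChangedTime"]


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime in the YYYYMMDDHHMMSSZ form (assumed; no fractional seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entries: List[Entry], cutoff: datetime):
    """Return (stale, fresh, never_changed) DN lists. A missing pwdChangedTime means
    no password change has been recorded, which a server-side (pwdChangedTime<=...)
    filter would not report at all."""
    stale, fresh, never = [], [], []
    for dn, attrs in entries:
        raw = attrs.get("pwdChangedTime")
        if not raw:
            never.append(dn)
            continue
        changed = parse_generalized_time(raw[0].decode("ascii"))
        (stale if changed <= cutoff else fresh).append(dn)
    return stale, fresh, never


def stale_or_never(entries: List[Entry], cutoff: datetime) -> List[str]:
    """The set an administrator usually wants: password older than cutoff or never changed."""
    stale, _, never = classify(entries, cutoff)
    return stale + never


# Constructed sample entries standing in for a search result.
SAMPLE_ENTRIES: List[Entry] = [
    ("cn=alice,ou=people,o=sample", {"cn": [b"alice"], "pwdChangedTime": [b"20170101120000Z"]}),
    ("cn=bob,ou=people,o=sample",   {"cn": [b"bob"],   "pwdChangedTime": [b"20180601090000Z"]}),
    ("cn=carol,ou=people,o=sample", {"cn": [b"carol"]}),  # no pwdChangedTime value at all
]

if __name__ == "__main__":
    cutoff = datetime(2018, 1, 1, tzinfo=timezone.utc)
    print(stale_or_never(SAMPLE_ENTRIES, cutoff))
```

With a server-side filter on pwdChangedTime, cn=carol would never appear in the result; the client-side split reports her alongside the entries with a genuinely old password.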


Appendix N.

System Requirements Guide


For the zLinux operating system, the DB2 version listed as V9.3 FP3 ESE is incorrect; the supported version is V9.5 FP3 ESE.


The X11.adt.lib fileset is a prerequisite for installing the idsldap.cltjava63 and idsldap.webadmin63 packages on AIX systems.


Installation Guide


The Base/GOLD/GA packaging of the TDS 6.3 release for the Solaris SPARC operating system provided an incorrect gsk8ssl64.pkg file. The issue has been resolved by repackaging with the corrected gsk8ssl64.pkg file. APAR IO13494 describes the problem in detail.

The old and new part numbers of TDS 6.3 for the Solaris SPARC operating system are given in the table below:


Package Description                          Old Part Number   New Part Number
tds63-solaris-sparc.iso (with entitlement)   CZKC2ML           CZV91ML
tds63-solaris-sparc.iso (w/o entitlement)    CZKB2ML           CZV92ML
tds63-solaris-sparc-client.tar               CZKG1ML           CZV93ML
tds63-solaris-sparc-gskit.tar                CZKA6ML           CZV94ML



Technote #4027376 provides download information for IBM Tivoli Directory Server version 6.3 on Solaris systems.

NOTE :: This problem was observed and fixed ONLY for the Solaris SPARC operating system.


Appendix D. Setting up users and groups:

Additional restrictions for users and groups::

The guide currently contains these statements ::
---------------------------------------------------------------
The directory server instance owner and the database instance owner must
be members of the idsldap group.

If the directory server instance owner and the database instance owner
for a given directory server instance are different users,
the directory server instance owner must be a member of the
database instance owner's primary group.

The database instance owner and the database owner for a given directory
server instance must have the same primary group.
-----------------------------------------------------------------
These statements can cause confusion when configuring TDS.
Here is the clarification ::

If the directory server instance owner, the database instance owner and the database owner are different users, all three must be members of the same group.


Command Reference Guide

    • In the current documentation, information on the [ -k ] option is missing.
      The following details explain its usage.

      The syntax for the idslogmgmt command is as follows:



      idslogmgmt [–I instancename] [-t threshold size]
      [-a archives][-p archive path] [-k ] [-?]

      Note :: The [-k] option is missing from the current description.

      -k :: Stops the Log Management feature for the specified server instance.
      Must be used in conjunction with -I option.

      The -I <instance_name> option is required when running the tool as the instance owner.
      Both -I and -k must be specified to stop the idslogmgmt process in this case.

      The -I <instance_name> option must NOT be specified when running the tool as root. In that case the -k option is also not needed to stop the tool.

    • idsdbmaint ::
      More clarification on specifying the -l and -u options:

      For containers, specify the name of a directory that already exists and has instance owner permissions.

      eg::

      If you specify directories such as "-u /tmp/udata/" and/or "-l /tmp/ldata/",

      the udata/ and ldata/ directories must already exist with instance owner permissions.
      The tool automatically creates the files inside these directories.

    • Client Utilities ::
        There are corrections to the idsldapdiff command.
        • The ldapdiff command is a Java tool and uses .jks (Java keystore) files instead of the .kdb files stated in the documentation.
        • The -v option is not valid for this command.

        The corrected information is in the following attached file.

        ldapdiff.pdf



    Performance Tuning and Capacity Planning Guide

    Tuning DB2 and LDAP caches ::

    The performance tuning tool (idsperftune)



    ... inputs from the administrator are provided to the tool using the property file, perftune_input.conf. For information about configuring and running the Performance Tuning Tool using the Configuration Tool, see the IBM Tivoli Directory Server version 6.3 Installation and Configuration Guide.

    The perftune_input.conf property file to update manually is located at:

    On AIX, Linux, and Solaris systems

    instance_home/idsslapd-instance_name/etc/

    On Windows systems

    drive\idsslapd-instance_name\etc\

    You can also find the installed version of perftune_input.conf file (for reference only) in the following directory:

    On AIX® and Solaris systems

    The default location for the perftune_input.conf file is /opt/IBM/ldap/V6.3/etc/.

    On Linux systems

    The default location for the perftune_input.conf file is /opt/ibm/ldap/V6.3/etc/.

    On Windows systems

    The default location for the perftune_input.conf file is sys_drive\Program Files\IBM\LDAP\V6.3\etc\.

    The idsperftune tool works in two modes: basic and advanced.

    Optimization and organization (idsrunstats, reorgchk and reorg)::



    • Optimization ::

    After a successful database optimization, a restart of ibmslapd is required only if the performance improvements are not observed after flushing the package cache.

    The existing document says: "After a message displays indicating the database was successfully optimized, you must restart the server for the changes to take effect."

    The modified document reads: "After a message displays indicating the database was successfully optimized, you may need to restart the server if you do not see performance benefits after flushing the package cache."

    • Database organization (reorgchk and reorg) :: Performing a reorgchk

    When performing a reorgchk, it is not always necessary to stop and start ibmslapd, even though ITDS caches prepared DB2 statements.

    The existing document says: "Because LDAP caches prepared DB2 statements, you must stop and restart ibmslapd for DB2 changes to take effect."

    The modified document reads: "You may or may not need to restart ITDS after performing idsrunstats or a DB2 reorg. This depends on the SQL statements that have been cached by DB2 and ITDS. If you do not notice a performance benefit after running the above tools and flushing the package cache, you may need to restart ITDS to realize the benefits."


    The database maintenance tool (idsdbmaint) ::

    • Tablespace conversion ::

    The container names specified for the -l and -u parameters must be existing directories with instance owner permissions.
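    A pre-flight check for the container directories required here and by the idsdbmaint -l and -u options described in the Command Reference Guide section above, as an added example that is not IBM's tooling: it verifies that each directory exists, is owned by the instance owner, and grants the owner read, write and execute permission. Reading "instance owner permissions" as ownership plus owner rwx is this example's interpretation; the -u and -l directories are checked identically, and the demo() function builds its own temporary directories (with a hypothetical other owner name, "idsinst-other") so it runs without a TDS instance.

```python
import os
import pwd
import stat
import tempfile
from typing import Dict, List


def check_container_dir(path: str, instance_owner: str) -> List[str]:
    """Return the problems found with `path`; an empty list means it is usable.
    'Instance owner permissions' is read here as: owned by that user, owner rwx."""
    if not os.path.isdir(path):
        return [f"{path}: does not exist or is not a directory"]
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    problems = []
    if owner != instance_owner:
        problems.append(f"{path}: owned by {owner}, expected {instance_owner}")
    if (st.st_mode & stat.S_IRWXU) != stat.S_IRWXU:
        problems.append(f"{path}: owner lacks rwx ({stat.filemode(st.st_mode)})")
    return problems


def check_tablespace_containers(u_dir: str, l_dir: str, instance_owner: str) -> List[str]:
    """Check both directories that would be passed as -u and -l."""
    return check_container_dir(u_dir, instance_owner) + check_container_dir(l_dir, instance_owner)


def demo() -> Dict[str, List[str]]:
    """Run the check against constructed directories under a temporary base: one
    correct, one without owner write permission, one missing, and the correct one
    checked against a hypothetical other instance owner ('idsinst-other')."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as base:
        good, ro = os.path.join(base, "udata"), os.path.join(base, "ldata")
        os.mkdir(good)
        os.chmod(good, 0o700)
        os.mkdir(ro)
        os.chmod(ro, 0o500)          # r-x only: idsdbmaint could not create files here
        results = {
            "good": check_container_dir(good, me),
            "read_only": check_container_dir(ro, me),
            "missing": check_container_dir(os.path.join(base, "nodata"), me),
            "wrong_owner": check_container_dir(good, "idsinst-other"),
            "pair": check_tablespace_containers(good, ro, me),
        }
        os.chmod(ro, 0o700)          # let TemporaryDirectory clean up
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

    Run check_tablespace_containers with the real paths and the instance owner's login name before invoking idsdbmaint; the tool itself creates the files inside the directories, so the directories are all that has to be prepared.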


    Problem Determination Guide

    Known limitations and general troubleshooting ::
    • Configuring replication over SSL with external credentials gives an error.
      Configuring replication over SSL with the authentication method set to External (certificate-based credentials) fails with the error "Strong authentication not supported occurred for replica".

      Example configuration:

      cn=cert_replication,ibm-replicaGroup=default,o=sample
      objectclass=ibm-replicationcredentials
      objectclass=ibm-replicationcredentialsexternal
      objectclass=top
      cn=cert_replication
      ibm-replicakeyfile=some.kdb
      ibm-replicakeylabel=<label>
      ibm-replicakeypwd=<password>

      The following error is generated in ibmslapd.log:
      GLPRPL038E Error External bind: Strong authentication not supported occurred for replica

      Solution:
      Replication over SSL with external credentials requires the serverClientAuth secure mode. Modify the supplier and consumer configurations using idsldapmodify as shown below. Note that ibm-slapdSslAuth is a setting of the server's SSL configuration as a whole, not of the replication agreement alone, so confirm that other SSL clients still connect as expected after the change.

      dn: cn=SSL,cn=Configuration
      changetype: modify
      replace: ibm-slapdSslAuth
      ibm-slapdSslAuth: serverClientAuth

    Platform-specific problems: For Solaris only ::

      The following is a known issue ONLY on the Solaris x64 operating system (Solaris 10)::

      IBM Tivoli Directory Server v6.3 Interim Fix 4 and higher-level fixes include Java 1.6 SR9, which is used by GUI utilities such as the Instance Administration Tool (idsxinst) and the Configuration Tool (idsxcfg). The idsxinst and idsxcfg GUI utilities might throw an exception on the console when the user provides wrong data in the text fields.


    Programming Reference


    API Categories :: LDAP_PAGED_RESULTS

    The current document references RFC 2686 as the LDAP Control Extension for Simple Paged Results Manipulation, which is incorrect.

    The correct RFC number is RFC 2696.

    LDAP_SSL_PKCS11 ::

    Input parameters ::

    The current document refers to the SSLV3_CLIENT_TIMEOUT value but does not state its actual value. The default value of SSLV3_CLIENT_TIMEOUT is 43200 seconds (12 hours).

    Currently it reads as ::

    ssl_timeout ::

    Specifies the SSL timeout value in seconds. The timeout value controls the frequency with which the SSL protocol stack regenerates session keys. If ssl_timeout is set to 0, then the default value SSLV3_CLIENT_TIMEOUT is used. Otherwise, the value specified in the parameter is used, this value should be less than or equal to 86,400 (number of seconds in a day). If ssl_timeout is greater than 86,400, then LDAP_PARAM_ERROR is returned.

    Instead it should read as ::

    ssl_timeout ::

    Specifies the SSL timeout value in seconds. The timeout value controls the frequency with which the SSL protocol stack regenerates session keys. If ssl_timeout is set to 0, then the default value 43,200 is used. Otherwise, the value specified in the parameter is used, this value should be less than or equal to 86,400 (number of seconds in a day). If ssl_timeout is greater than 86,400, then LDAP_PARAM_ERROR is returned.


    Historical Number

    WI XX04219 WI XX04198 WI XX04260 WI XX04178 WI XX04301 WI XX04536 WI XX04702 WI XX04735 WIXX04639 XX04966

    Product Synonym

    TDS ITDS IDS LDAP DS

    Document Information

    Modified date:
    16 June 2018

    UID

    swg21459032