Child pages
  • OpenDJ 2.4.0 Release Notes
Skip to end of metadata
Go to start of metadata

Installation Notes

OpenDJ is a new LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.

OpenDJ is a extension of the Sun Microsystems' initiated OpenDS project and offers a fully supported product for it.

For specifc information about installing OpenDJ 2.4.0 software, please see the Installation Guide .

The software can be downloaded from the OpenDJ downloads page.

What's New in OpenDJ 2.4

While OpenDJ 2.4 is the first release of the ForgeRock hosted OpenDJ project, it derives from OpenDS, a 4 years old project and continues to extend it and deliver additional value.

Compared to the latest stable release of OpenDS (2.2.1), OpenDJ fixes a number of issues and provides the following additional features:

  • Support for Collective Attributes (RFC 3671, 3672) with specific enhancements, providing a mean to share attribute and values between entries
  • Improved Import performances and reliability
  • Optimized replication traffic routing to reduce overhead and increase reliability
  • Support for MS AD Permissive Modification Control
  • Support for multiple object class inheritance in the schema
  • Support for disk space monitoring in the server for the database, import and rebuild operations, preventing unexpected behaviors on full disks
  • Support for monitoring the use of indexes in filters
  • Support for analysis of attribute indexes
  • Support for limit in the number of persistent searches
  • New resource limit policy to throttle the operation rate
  • Support for Linux MD5 encrypted password, allowing a smooth migration from Files to LDAP naming services (OPENDJ-5)
  • Improved interoperability and support SHA2 encrypted passwords with variable salt length (OPENDJ-9)
  • Updated version of the Berkeley DB JE database providing better performance and control over database cache eviction (OPENDJ-11)
  • Now only support Java 1.6 JVM or higher

Java Requirements

The OpenDJ software is written entirely in Java and therefore will run on any system matching the requirements below.

OpenDJ has been tested on Solaris Sparc, x86 and x64, various flavors of Linux, Windows, Mac OS X...

The OpenDJ directory services requires that the system have an installed version of at least Java SE 6.0 (Sun version 1.6.0_10) Java runtime environment (JRE). The preferred JRE is the latest version of Java SE 6.0 and if performances of the OpenDJ server is critical to you, we recommend at least the update 22 (which also includes a major security fix for TLS).

There are known issues with OpenDJ and OpenJDK 6 on Linux. If you are deploying on Linux, we recommend that you download and use Sun JRE.

Supported Locales

OpenDJ 2.4 has been translated into the following languages :

  • French
  • German
  • Japanese
  • Simplified Chinese
  • Spanish

Several messages are also translated into Catalan, Korean, Polish and Traditional Chinese.

Note: Certain error messages (specifically, the SEVERE and FATAL messages) are displayed in English only.

Software Environment Limitations and Recommendations

The OpenDJ 2.4.0 software has some limitations that might affect the initial deployment of your directory server. Follow the recommendations for deployments in this section.
Administrators also should appropriately tune the OpenDJ directory server and its Java Virtual Machine (JVM) to ensure that adequately sized hardware is made available to support heavy write operations. For more information, see Configuring the JVM and Java Options.

OpenDJ 2.4.0 Limitations

The OpenDJ directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

Account lockout is working on a per server basis only.

OpenDJ 2.4.0 is not fully integrated with the Windows environment. However, it can be run as a service and is therefore displayed in the Windows Services Control Panel.

Although the OpenDJ software has been designed for n-way multi-master replication, testing has focused on up to eight replication servers in a topology.

Upgrade from OpenDS 2.2 or OpenDJ 2.4.0beta1 has been mostly tested on Solaris, MacOSX and Linux. For Windows, it is recommended to start with a fresh installation of the OpenDJ software.

When upgrading from OpenDS 2.2, you need to rebuild the dn2id index after the upgrade. To do so, run the rebuild-index command: bin/rebuild-index <some options> -i dn2id -b "<your suffix>". For more information regarding the rebuild-index command see rebuild-index reference documentation.

OpenDJ Software Recommendations

The default settings of the OpenDJ directory server are targeted initially at evaluators or developers who are running equipment with a limited amount of resources. For this reason, you should tune the Java virtual machine (JVM) and the directory server itself to improve scalability and performance, particularly for write operations. For more information, see Configuring the JVM and Java Options.
The OpenDJ directory server provides better performance when the database files are cached entirely into memory.

Related Documentation

OpenDJ documentation is sparse and work in progress but, most of the documentation of the OpenDS project is still applicable.
More specifically the OpenDS 2.2 Administration Guide, CommandLine Usage Guide, Deployment Guide.

Known Issues

  • OpenDJ can hang when the system is configured for LDAP then DNS (OpenDS #4593) 
  • During a Search Operation, an ACI with Targetfilter and TargetAttrs may not be evaluated properly (OpenDS #4583).
  • The RC-script generated by the create-rc-script utility doesn't work properly when trying to run as a user different than root (OPENDJ-17 )
  • During an Upgrade to OpenDJ 2.4, the upgrade process reports an error when migrating schema customization. Choose to continue. The schema will be upgrade properly.

Fixed Issues

  • OPENDJ-1 - Dsconfig throws an Exception when trying to set global acis.
  • OPENDJ-3 - Persistent Search on cn=changelog fails with Unwilling To Perform error.
  • OPENDJ-6 - OpenDJ server returns an incorrect error code to LDAPv2 clients when LDAPv2 is disabled.
  • OPENDJ-7 - After creating a custom Virtual attribute provider, the server displays Null Pointer Exceptions at startup.
  • OPENDJ-8 - Some objectclasses are incorrectly considered structural
  • OPENDJ-10 - Import displays warning and fails during phase2 when server is configured with a very large heap size, and very high cache size.
  • OPENDJ-12 - Replication global administrative account is subject to the default password policy.
  • OPENDJ-13 - Upgrade from OpenDS 2.2 to OpenDJ 2.4.0(beta1) failed.
  • OPENDJ-14 - Missing naming context after upgrade from OpenDS 2.2.1 to OpenDJ 2.4.0.
  • OPENDJ-15 - Valid schema is rejected for Invalid Attribute Syntax error when the Object Class has a AUXILIARY class as superior.
  • OPENDJ-16 - Upgrade process fails to import additional RootDNs users.
  • #4592 - Some standard schema definitions are invalid and result in Structural objectclasses when they are not.
  • #4587 - The Administration Port should only support LDAPv3.
  • #4583 - Typo in the OpenDJ configuration confuses client application.
  • #4579 - Replication initialization of a 3rd server hangs.
  • #4575 - dsreplication fails with JDK 1.6.0_21.
  • #4573 - Administrator Connector certificate should use the host name provided at installation time.
  • #4572 - Duplicated recurring tasks uppon server restarts.
  • #4560 - dsconfig reports an inappropriate error message when --reset is provided a value.
  • #4559, #4558 - Support SHA1 with variable salt length for compatibility with other servers.
  • #4556 - Password Policy skipValidationForAdministrator parameter only works for Modify not Add.
  • #4553 - Referential Integrity Plugin fails.
  • #4552 - isMemberOf attribute is not recomputed if a group is deleted as part of a Subtree delete.
  • #4546 - Exceptions in Replication causes deadlocks
  • #4544 - Backend initialization should not set DB JE environment configuration directly.
  • #4539 - exception with the DSML Gateway.
  • #4538 - Virtual attributes
  • #4537 - ECL - naming attribute must be changenumber instead of cn
  • #4531 - Control Panel creates virtual static groups using groupOfURLs as objectClass
  • #4524 - Group cache must be updated via a post-op
  • #4523 - ACI and sub-entry caches not updated on replicas
  • #4522 - ds-sync-hist syntax must handle binary content
  • #4517 - Cannot use control panel to edit entry in replicated base DN after a binary update happened in the entry
  • #4515 - control-panel entry browser does not deal well with sub-suffixes
  • #4512 - Add option in dbtest to produce only statistics of a DB
  • #4509 - Stressed replicated server sees replication.server.MessageHandler object number increase alarmingly
  • #4493 - control-panel: wrong message when modifying user entry
  • #4492 - base searches don't work
  • #4491 - Severe memory leak during after many connect/disconnect
  • #4489 - java is not detected even if the JAVA_HOME variable is defined
  • #4485 - Enhancements to improve 'Follow Referrals'
  • #4484 - Follow Referrals functionality is broken
  • #4483 - not found when using JDK7
  • #4478 - ECL in draft compat mode / search lastchangenumber can be very long
  • #4473 - import check server db-cache-size for memory usage
  • #4472 - Wrong algorithm to check if a workflow element is parent of another workflow element
  • #4471,#4470 - Default upgrade path in Webstart upgrader is not correct
  • #4468 - caseExactSubstringsMatch doesn't work as expected
  • #4467 - provide installer log location in the progress screen
  • #4464 - search of root dse long due to search on changelog
  • #4415 - Control panel connection chooser doesn't show in task bar
  • #4414 - It would be nice to have the equivalent command-line displayed in setup
  • #4413 - setup should use scroll panes in its panels
  • #4410 - dsreplication --disableAll does not remove all the references to the server in cn=admin data
  • #4401 - ldapsearch --simplePageSize incompatible with --sizeLimit
  • #4400 - Control Panel broken in OpenJDK
  • #4399 - setup cant test free port correctly because it binds it to wrong address
  • #4398 - status can be very slow: include a refresh mode
  • #4395 - ECL cookie older than server changelog db trim is not detected
  • #4394 - Quicksetup doesn't work with openJDK 1.6 64 bits (fedora core 12)
  • #4393 - control-panel: OutOfMemoryError after running some tasks
  • #4390 - ModifyDN requests shouldn't accept malformed RDNs
  • #4386 - Null Pointer Exception in Add Operation when attribute has duplicate values.
  • #4385 - NPE when using ExtensibleMatch filter without a matching rule
  • #4381 - Enabling windows service once server started fails to detect server status
  • #4379 - dsreplication sometimes not showing A.O.M.C when there are sill M.C
  • #4375 - Consider not using default certificate nick names in configuration
  • #4372 - control-panel output is on one line on copy
  • #4371 - setup throws NullPointerException when trying to use a PKCS12 certificates
  • #4366 - NullPointerException when not entering a required value in an entry
  • #4363 - dsconfig batch file mode doesn't parse commands when values contain one or more spaces.
  • #4362 - failure to detect properly installed Java
  • #4361 - ECL - draft mode: temporary fake lastChangeNumber after thousands of updates
  • #4360 - OpenDS does not answer anymore when doing 24+ simultaneous subtree searches without reading the response (Potential DoS attack.)
  • #4359 - ECL - draft mode: changenumber reset takes a long time
  • #4356 - 'Number of elements' hardcoded in the control panel
  • #4326 - Allow setup of a Server without Data suffix
  • #4324 - merge 2 replication topology cause SEVERE_ERROR
  • #4317 - When scheduling a daily task the time input should be labeled whether it is 24h based or not
  • #4315 - NotSerializableException when trying to connect to JMX with bad credentials
  • #4311 - french: typo at distribution deployment
  • #4300 - stop replication server cause OutOfMemoryError
  • #4297 - i18n: One message in Manage Entries window
  • #4292 - control panel browse entries should not use the ManageDSAIT control systematically
  • #4284 - Add ability to Duplicate an existing entry with the Control Panel.
  • #4270 - ECL Should not establish connections between RSes
  • #4266 - SMTP alert handler with no server makes dsconfig exit
  • #4262 - ECL One should be able to disable it (specially in the draft compat mode)
  • #4260 - java.lang.InterruptedException in error log when stopping replicated server
  • #4259 - Add the new import-ldif options to the control panel
  • #4236 - ds-syntax-historical-csn not declared in the schema
  • #4232 - UTF-8 LDIF generated by Windows Notepad fail to import
  • #4196 - backup hanging when using incorrect port and -A -s options
  • #4161 - some mistranslations in german
  • #4084 - Windows Service doesn't detect start-ds failure
  • #4083 - The Server Handler byte count is not correct (Fixed)
  • #3998 - total update should be resilient to broken connection
  • #3966 - Wrong return code/error message when an ldap search request is sent with an invalid filter
  • #3954 - Deadlock under heavy write load
  • #3912 - Default automatic Backup should be offered by the control panel
  • #3901 - Install pre-2.0 0 Setup fails when inserting a server in a replication topology with large umount of data
  • #3891 - Replication conflict: add child , delete parent
  • #3627 - Control Panel: add a button to refresh the content of the current page/panel
  • #3605 - Control Panel: resized panel reset moving over menu list
  • #3601 - Control Panel: unable to modify schema objects or attributes
  • #3551 - Consider proposing to initialize a topology when the user imports an LDIF in a replicated base DN
  • #3546 - Investigate improvements to DN2ID
  • #3442 - Add options -w password and -D rootDN to status-panel
  • #3404 - Replication conflict: fail to resolve two opposite mod_rdn
  • #3402 - Replication conflict: fail to resolve double mod_rdn of same entry
  • #3395 - replication initialization high trafic can penalize client operations (flow ctrl?)
  • #3376 - Command output becomes garbage in non-UTF-8 locale
  • #3256 - Add certificate settings options in setup CLI
  • #2934 - "ds-cfg-subordinate-base-dn" value not taken into account during search operations (with -b "" option)
  • #2917 - Setup should ask the user for the memory to allocate to the server, and should automatically set the appropriate parameters accordingly.
  • #2761 - ldapcompare: wrong return code when comparison is successful or unsuccessful
  • #2748 - some lines appear in disorder in the access log file
  • No labels