OpenDJ Fixes, Limitations, & Known Issues

This chapter covers the status of key issues and limitations for OpenDJ and OpenDJ SDK. For details and information on other issues, see the OpenDJ issue tracker.
Key Fixes

This release contains fixes that resolve security issues within OpenDJ. Older versions of OpenDJ contain these security issues. It is recommended that you upgrade to this release to resolve these security issues. ForgeRock customers can contact support for details on the security issues.

OpenDJ 2.6.0 also includes important improvements to replication. Replication remains fully compatible with earlier versions. However, some operations that work fine with OpenDJ 2.6.0, such as replicating large groups and replicating high volumes of adds and deletes, can cause issues for earlier versions. Make sure you upgrade all servers to 2.6.0 before allowing clients to take advantage of write operations that could cause trouble for older servers.

The following important bugs were fixed in this release.

OPENDJ-988: Filtering access logs by userdn doesn't work
OPENDJ-982: Upgrade: SNMP Connection Handler does not start after the upgrade
OPENDJ-962: Subject Attr To User Attr Cert Mapper has wrong default configuration
OPENDJ-940: Import-ldif NPE if base entry contains invalid attribute values and skipDNValidation is set
OPENDJ-926: SchemaBackend ignores instance dir
OPENDJ-925: SchemaConfigManager tries to load files twice
OPENDJ-922: Replication window size is too small on high latency networks
OPENDJ-900: Cannot use backups to initialize a replica
OPENDJ-899: ModDN with the same value ignored by ACIs
OPENDJ-895: Document ACIs and privileges required for basic LDAP operations
OPENDJ-888: Maintaining ds-sync-hist for a large group is inefficient
OPENDJ-886: connected-to attributes under cn=monitor are wrong when all RSes are down
OPENDJ-885: Replication replay may lose changes if it can't acquire a writeLock
OPENDJ-882: NullPointerException in access log filtering code
OPENDJ-875: Use of hostnames in replication protocol causes failover problems
OPENDJ-868: cannot add attributes to referential integrity plugin
OPENDJ-846: Intermittent Replication Failure
OPENDJ-818: dsreplication status shows disabled servers as enabled
OPENDJ-798: Cannot be part of 2 replication topologies if a third topology shares a common suffix
OPENDJ-797: dsconfig cannot edit custom password policy after upgrade to 2.5.0-Xpress1
OPENDJ-765: Modify with replace attr=value and delete attr gets misrecorded in ds-sync-hist
OPENDJ-761: Migration from deprecated password storage schemes doesn't work during a simple bind
OPENDJ-680: Upgrade may change ds-cfg-base-dn to dc=example,dc=com on userRoot configuration
OPENDJ-668: Cannot configure ssl-cipher-suites on admin connector
OPENDJ-664: Password validator: default of check-substrings = false breaks rule of least surprise
OPENDJ-652: Connections from Solaris 10 ldapclient can cause LDAPS request handler to spin
OPENDJ-649: Add supportedTLSCiphers and supportedTLSProtocols to RootDSE and system monitor
OPENDJ-627: ConnectionPool internal state becomes invalid when stale connections are discarded
OPENDJ-625: ModifyDN does not allow the same (normalized) DN
OPENDJ-622: DSML ExtendedRequest text requestValues don't work
OPENDJ-621: No documentation for schema definition extensions
OPENDJ-618: DSML gateway should send an AuthResponse for the initial bind
OPENDJ-615: Replication silently skips entries referring to non-existent global password policies
OPENDJ-608: DSML gateway NPE in response to extended requests without request values
OPENDJ-602: Referrals returned when not in scope.
OPENDJ-601: Syntax for offline backup is incorrect
OPENDJ-590: ConnectionPool may return already closed/disconnected connections
OPENDJ-587: Control-panel rebuild-index shouldn't disable the backend and use offline command
OPENDJ-578: Documentation should reflect that --type is now required for `dsconfig create-password-policy`
OPENDJ-568: ldiffdiff and ldifmodify documentation is incorrect
OPENDJ-565: Attribute Value password validator finds password in the userPassword attribute
OPENDJ-564: SSF based access controls don't seem to be working
OPENDJ-561: Add operation doesn't get password policy from ds-pwp-password-policy-dn;collective
OPENDJ-556: Strange ACI results
OPENDJ-548: Unable to run ldap commands as any user other than root after updating java.properties
OPENDJ-532: When replication is enabled cn=changelog appears in namingcontexts output
OPENDJ-528: rebuild-index doesn't rebuild properly DN2ID after an upgrade from OpenDS 2.2.
OPENDJ-520: Worker threads are too greedy when caching memory used for encoding/decoding entries and protocol messages
OPENDJ-504: Performing Query on telephoneNumber attribute thats not a number returns all entries
OPENDJ-500: Upgrade trunk (2.5.0) to JE 5.0.48
OPENDJ-494: dsreplication initialize reports negative percentage of completion
OPENDJ-488: Cancel request succeeds with result code 118 (CANCELED) when it should receive result code 0 (SUCCESS)
OPENDJ-487: Normal acis under cn=config are not loaded at startup
OPENDJ-475: Incorrect behaviour/result code regarding non-critical controls
OPENDJ-472: offline import LDIF reject entries, doesn't report the correct count of them, and store them in both rejected and skipped files.
OPENDJ-464: NPE in PasswordPolicyStateExtendedResult results in eternal waiting
OPENDJ-462: Spinning threads in JE backend importer
OPENDJ-459: User's privileges not working with SASL EXTERNAL auth
OPENDJ-456: OpenDJ schema replication fails for 3rd server of topology
OPENDJ-433: Every other permissions-subjects pair in ACI is ignored
OPENDJ-432: LDAPURL doesn't always url-decode baseDN
OPENDJ-427: AuthenticatedConnectionFactory hides exception with NPE
OPENDJ-420: Rare SSLExceptions while handling LDAPS connections and big LDAP searches
OPENDJ-410: Frequent corruption in ds-sync-hist ordering index.
OPENDJ-400: ControlPanel issue with values containing \n (such as sunxmlkeyvalue)
OPENDJ-398: Misleading replication messages: "Replication server XXXX was attempting to connect to replication server YYYY but has disconnected in handshake phase"
OPENDJ-387: dsreplication initialize-all reports negative percentage of completion
OPENDJ-380: index-entry-limit=0 not working as expected
OPENDJ-377: Kerberos authentication with AD KDC fails with LoginException(Client not found in Kerberos database (6))
OPENDJ-349: manage-account returns Seconds Until Idle Account Lockout: 0 (zero) if the last log on date is more than 24 days before the idle lock out interval.
OPENDJ-344: Upgrade fails when there's an extension with additional JAR dependency.
OPENDJ-333: Missing entryUUID attributes in "cn=admin data" backend prevent updates from being replicated.
OPENDJ-323: If you attempt to rebuild an index that doesn't exist while OpenDJ is running then the backend is left offline
OPENDJ-322: Binary encoding option causing problems in replace operations
OPENDJ-320: log-file-permissions ignores group permissions
OPENDJ-315: OpenDJ not restart when enable as automatic windows service after reboot
OPENDJ-310: Replicated changes to referral entries are not applied on replicas
OPENDJ-293: InternalClientConnection memory leak when performing password modify/state extended operations or SASL binds
OPENDJ-282: dsreplication enable fails with duplicate server ID, while it's about the same server being referenced.
OPENDJ-274: Replication mishandles a Modify operation with multiple modifications on the same attribute.
OPENDJ-271: ExternalSASLBindRequestImpl throws java.lang.IllegalStateException
OPENDJ-254: The show-all-attributes flag breaks schema modification, when enabled.
OPENDJ-242: Password Policy State Extended Operation anomalities...
OPENDJ-223: Modify operation isn't replayed on replica exactly as on original server.
OPENDJ-219: Replication server and draft changelog DB code may attempt to reference closed DB
OPENDJ-184: Transient errors when accessing cn=changelog DraftCN DB result in complete shutdown of the replication service.
OPENDJ-173: External ChangeLog cookies content is altered by Change purging and prevents from continuing search with a previous returned cookie.
OPENDJ-169: Modifying an existing object class definition requires server restart
OPENDJ-159: LDAP connections use stale default schema if it is changed after factory creation.
OPENDJ-156: Errors when parsing collective attribute definitions
OPENDJ-150: ChangeLogEntry schema is not compliant with internet-draft
OPENDJ-146: java.lang.OutOfMemoryError: Java heap space
OPENDJ-136: On Windows, upgrade fails with NPE during Verify phase
OPENDJ-135: upgrade -r fails on Windows
OPENDJ-134: upgrade fails when server registered as Windows service
OPENDJ-130: External change log, used in compliance with Internet-draft, shows a divergence between replicas under load.
OPENDJ-98: Searches on cn=monitor take a long time
OPENDJ-65: Host domain name lost from FQDN while enabling replication for a new replica using disreplication enable
OPENDJ-57: ECL: lastChangeNumber and firstChangeNumber reset to zero when the changelog is purged to empty
OPENDJ-55: Failing modify operations causing memory leak
OPENDJ-21: Account Status Notifications (password changed/reset) are not sent for the Password Modify Extended Operation

Limitations

Release has the following limitations, none of which are new since .

OpenDJ directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Global account lockout occurs as soon as the authentication failure times have been replicated.

OpenDJ is not fully integrated with Microsoft Windows, yet OpenDJ directory server can be run as a service, and thus displayed in the Windows Services Control Panel.

OpenDJ replication is designed to permit an unlimited number of replication servers in your topology. Project testing has, however, focused only on topologies of up to eight replication servers.

OpenDJ plugin extensions must follow the guidelines set forth in the README file delivered in opendj/example-plugin.zip. When developing your extension, aim to remain loosely coupled with any particular version of OpenDJ. Libraries used must be installed in opendj/lib/extensions/ (or bundled in your .jar). Keep your configuration separate from the server configuration. Also, unless you are reusing standard schema definitions, keep your schema definitions separate as well. This can affect how your extension works after upgrade. In particular, opendj-accountchange-handler-1.0.0 does not work with OpenDJ 2.6.0 after upgrade (OPENDJ-991). See that issue for notes on how to make that version of the extension work with OpenDJ 2.6.0.

Known Issues

When deploying for production, make sure that you follow the installation instructions on allowing OpenDJ to use at least 64K (65536) file descriptors, and on tuning the JVM appropriately.

The following important issues remained open at the time this release became available.

OPENDJ-1048: OpenDJ QuickSetup creates the "licenseAccepted" file in the wrong place
OPENDJ-1043: Worker Thread was interrupted while waiting for new work while shutting down
OPENDJ-1033: The Rest2LDAP servlet does not support SSL
OPENDJ-934: Changes to RS window-size property require a server restart
OPENDJ-810: Non-atomic password state updates
OPENDJ-631: Modifications made by ldif-diff causes bad replication data
OPENDJ-557: Identical changes recorded in duplicate changelog records
OPENDJ-527: rebuild-index --rebuildAll corrupts the indexes for certain data sets
OPENDJ-518: Cannot log into the administrative control panel with FIPS-140 enabled in certain cases
OPENDJ-514: OpenDJ SDK SASL integrity/confidentiality violates protocol
OPENDJ-452: Manual add of new schema objectclass in 99-user.ldif are not replicated
OPENDJ-412: Blocked persistent searches may block all worker threads
OPENDJ-365: Potential deadlock in JE backend while performing a mix of update operations
OPENDJ-270: dsreplication disable takes a long time
OPENDJ-49: Replication replay does not take into consideration the server/backend's writability mode.