Tuesday, September 29, 2009

Problem with Sun Directory Server 5.2 caused by Solaris Patch 119213-19


Sun recently released patch 119213-19. It is an NSS/JSS-related patch.



My customer has a pair of Solaris 10 nodes, each running one instance of Sun Directory Server 5.2 Patch 6 and one instance of Sun Directory Server 6.3.1. The 5.2 instance replicates one-way to the 6.3.1 instance.

The moment patch 119213-19 was applied, we encountered two strange symptoms on the 5.2 instances:
  1. Replication ceases to work
  2. ldapsearch with administrative/user accounts always returns an "Invalid Credentials" error even though the passwords are 100% valid

I found it very strange:
  1. Why is this happening to the 5.2 instances only?
  2. How come the same is not happening on the 6.3.1 instances?

So I read the patch release note in detail and realized there is a Special Install Instructions section right at the bottom of the page:


IMPORTANT NOTE:
** This version of NSS is known to be incompatible with certain versions of Sun Directory Server version 5.2. **
** Installing it without corrective action will result in the directory service being stopped. **
** Newer versions of Directory Server are not affected by this incompatibility issue. **
** Please see http://docs.sun.com/source/820-3003/index.html for detailed information on this issue, including the availability of a related Directory Server version 5.2 patch. **


The workaround is mentioned in Sun Directory Server 5.2 release notes:


Installation Information for Network Security Services 3.12

Network Security Services (NSS) release 3.12 (as of release 3.12.3) introduces a compatibility issue that prevents Directory Server 5.2 from restarting.

:

For Sun Java System Directory Server Enterprise Edition, only version 6.3.1 (and later versions) is compliant with this requirement. No release of Directory Server 5.2 complies, including its initial release through the 5.2 Patch 6 releases.

:
Otherwise, to disable the requirement, Directory Server 5.2 administrators who applied the NSS 3.12.3 patch must set the following environment variable:

export NSS_STRICT_NOFORK=DISABLED

After the NSS_STRICT_NOFORK=DISABLED environment variable is set, the Directory Server, Admin Server, and Console can be restarted.

Directory Server 5.2 administrators must also set symbolic links to the new libraries delivered in the NSS 3.12.3 patch, as shown here. Note that the default value of the SERVER_ROOT pathname is /var/opt/mps/serverroot.

# SERVER_ROOT defaults to /var/opt/mps/serverroot; adjust both cd lines if yours differs
cd /var/opt/mps/serverroot/lib
ln -s /usr/lib/mps/secv1/libnssdbm3.so libnssdbm3.so
ln -s /usr/lib/mps/secv1/libnssutil3.so libnssutil3.so
ln -s /usr/lib/mps/secv1/libsqlite3.so libsqlite3.so

cd /var/opt/mps/serverroot/lib/sparcv9
ln -s /usr/lib/mps/secv1/sparcv9/libnssdbm3.so libnssdbm3.so
ln -s /usr/lib/mps/secv1/sparcv9/libnssutil3.so libnssutil3.so
ln -s /usr/lib/mps/secv1/sparcv9/libsqlite3.so libsqlite3.so
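A preflight check for the workaround above, written here as an added example and not taken from Sun's documentation: it verifies (and, with "fix" as the third argument, creates) the six symbolic links, flags links that still point at an old library, and confirms NSS_STRICT_NOFORK is set in the shell that will start the server. The NSS library directory and server root are passed as arguments so the same functions can be run against a test tree; the documented defaults are /usr/lib/mps/secv1 and /var/opt/mps/serverroot.

```shell
#!/bin/sh
# Libraries that DS 5.2 must pick up from the NSS 3.12.3 patch location.
NSS_LIBS="libnssdbm3.so libnssutil3.so libsqlite3.so"

# check_nss_links SERVER_ROOT NSS_LIBDIR [fix]
# Checks SERVER_ROOT/lib and SERVER_ROOT/lib/sparcv9 for a symlink per
# library pointing at NSS_LIBDIR (and NSS_LIBDIR/sparcv9). Prints one line
# per problem and returns the number of problems. With "fix", links that
# do not exist at all are created; a wrong or dangling link is only reported,
# so an operator decides what to do with a leftover from an older NSS.
check_nss_links() {
    server_root=$1; nss_libdir=$2; mode=${3:-check}
    problems=0
    for sub in "" "/sparcv9"; do
        dir="$server_root/lib$sub"
        for lib in $NSS_LIBS; do
            target="$nss_libdir$sub/$lib"
            link="$dir/$lib"
            if [ ! -e "$target" ]; then
                echo "MISSING TARGET: $target (is patch 119213-19 installed?)"
                problems=$((problems + 1))
            elif [ -L "$link" ] && \
                 [ "$(ls -l "$link" | sed 's/.* -> //')" = "$target" ]; then
                :   # correct link already in place
            elif [ ! -e "$link" ] && [ ! -L "$link" ] && [ "$mode" = fix ]; then
                mkdir -p "$dir" && ln -s "$target" "$link"
            else
                echo "BAD LINK: $link (want -> $target)"
                problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# check_nofork: true only if the variable from the release notes is exported
# in this shell, i.e. the one that will restart DS, Admin Server and Console.
check_nofork() {
    [ "${NSS_STRICT_NOFORK:-}" = DISABLED ]
}
```

Run both checks from the start script before invoking start-slapd; a non-zero result from either means the instance will fail exactly as described in the release notes.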

This was a painful lesson in reading the fine print before a patch is applied. We lost 2 working weeks reinstalling many copies of Sun Directory Server 5.2 and retesting each time.



PS: Read here in the Sun forum regarding the replication error issue.



