Centrify(R) DirectControl(R) 5.0.3 Release Notes

(C) 2004-2012 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features in DirectControl 5.0.3
   2.1. New Features in DirectControl 5.0.2
   2.2. New Features in DirectControl 5.0.1
   2.3. New Features in DirectControl 5.0.0
3. Bugs Fixed
   3.1. Bugs Fixed in DirectControl 5.0.3
   3.2. Bugs Fixed in DirectControl 5.0.2
   3.3. Bugs Fixed in DirectControl 5.0.1
4. Known Issues
5. Additional Information and Support

1. About This Release

Centrify DirectControl centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With DirectControl, enterprises can easily migrate and manage complex UNIX-based environments, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. DirectControl's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/UpgradeGuide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available in the Centrify DirectControl Knowledge Base.

2. New Features in DirectControl 5.0.3

* DirectControl for Mac OS X has been updated to version 5.0.3. See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.
* Support has been added for Mac OS X 10.8.
* NOTE: only Mac platforms have been updated to DirectControl 5.0.3 in this release. All other platforms are at 5.0.2.

2.1. New Features in DirectControl 5.0.2

* FIPS 140-2 - Red Hat Enterprise Linux Server and Mac OS X support the FIPS 140-2 standard.
* 0.9.8s OpenSSL - DirectControl and Centrify OpenSSH are integrated with 0.9.8s OpenSSL.
* Centrify 4.5.3 OpenSSH - Centrify DirectControl includes Centrify 4.5.3 OpenSSH, which is based on 5.9p1 OpenSSH in this release. Refer to the Centrify 4.5.3 OpenSSH release notes for details.
* Centrify 4.5.3 Samba - Centrify 4.5.3 Samba is based on 3.5.11 Open Samba code. Centrify 4.5.3 Samba can be downloaded from the Centrify web site. Previous Centrify Samba versions do not work with Centrify DirectControl in this release.
* SQLite - DirectControl does not provide the SQLite shared library in its package, which avoids conflicts with the SQLite shared library used by other applications.
* Support is added for the following new operating systems:
  - Red Hat Enterprise Linux 5.8, 6.2 (32- and 64-bit)
  - Red Hat Enterprise Linux Desktop 5.8, 6.2 (32- and 64-bit)
  - Scientific Linux 5.7 (32- and 64-bit)
  - Fedora 17 (32- and 64-bit)
  - CentOS 5.7, 6.1 (32- and 64-bit)
  - Mandriva Enterprise Server 5 (32- and 64-bit)
  - Linux Mint 12 (32- and 64-bit)
  - Solaris 11 (x86_64 and SPARC)
* Support is removed for the following operating systems:
  - All OpenSolaris versions
  - AIX 5.1, 5.2
  - VMware ESX 3.0.1, 3.0.2
  - Fedora 13 and below (32- and 64-bit)
  - Ubuntu 6.06, 8.10, 9.04, 9.10 (32- and 64-bit)
  - Mac OS X 10.5

2.2. New Features in DirectControl 5.0.1

* Express mode - Express mode is now supported and HPUX 11.31 and AIX 7.1 are added to the platform support list for Express.
* DirectControl for Mac OS X
  - DirectControl 5.0.1 is the first release on the Macintosh platform that provides support for Next Generation Zones.
  - Support for OS X 10.7.x, including support for Apple's FileVault full disk encryption and Microsoft's Distributed File System (DFS) capabilities.
  - Automated Certificate Enrollment for 802.1x and VPN services
  - Improved support for Printer Management on the Mac using _lpadmin and _lpoperator printer groups on the local Mac
  - Simplified Group Policies for automatically mounted fileservers and home directories.
  - Smart Card support for 10.6 and 10.7 for all CAC, CACNG, and PIV cards, including the Oberthur ID One 128 v 5.5 Dual Smart Card.
  - New OCSP Enhancements and GUI for Smart Card configuration
* User password expiration - Fine-grained password policy is queried to determine user password expiration.
* DirectControl MMC Snapin - Now implemented in user mode rather than in author mode in order to co-exist better with group policies.
* Support is added for the following new operating systems:
  - Citrix XenServer 6.0
  - Fedora 16 (32- and 64-bit)
  - OpenSuSE 12.1 (32- and 64-bit)
  - Ubuntu 11.10 Desktop (32- and 64-bit)
  - Ubuntu 11.10 Server (32- and 64-bit)
  - Solaris 11 Express 2010.11 (x86_64 and SPARC)

2.3. New Features in DirectControl 5.0.0

* Hierarchical zoning
* NIS map support added to NSS
  The following NIS maps are supported:
  - networks
  - rpc
  - auth_attr
  - prof_attr
  - user_attr
  - exec_attr
  - auuser
  - protocols
  - networks
  - bootparams
  - netmasks
  - netgroup
  - hosts
  - printers
  - project
  - services
  - ethers
  - aliases
  - ipnodes
  - AIX
* Centrify Zone Provisioning Agent
  Zone Provisioning Agent (ZPA) is now included with DirectControl. It has been updated to support hierarchical zoning, new in DirectControl 5.0.0.
* Group Policies
  * New group policy: Enable Auto Zone user home directory
    This group policy adds the auto.schema.use.adhomedir property to /etc/centrifydc/centrifydc.conf.
  * adm files are now shipped for Centrify group policies as well as xml.
* Configuration parameters
  * New configuration parameter: krb5.cache.clean.exclusion
    This parameter defines an exclusion list for when adclient cleans users' cache files. For users in this list, adclient will not clean their krb5cc_* file. UNIX names of AD users should be used. The default value is empty.
  * New configuration parameter: adclient.krb5.use.addresses
    This parameter controls the MIT Kerberos HostAddresses option. If the parameter is set to true, adclient will add "noaddresses = false" to krb5.conf. The parameter is set to false by default.
  * New configuration parameter: adclient.altupns
    This parameter tells adclient to allow an otherwise unknown Kerberos realm as UPN suffix. The default is unconfigured. For example, to allow "mil" as a UPN suffix:
      adclient.altupns: mil
* New CLI features
  - adcheck
    - adcheck now does a DNS TCP port check as well as a UDP port check in the "net" set of checks.
    - New --tmp_path (-m) parameter to use the given path for temporary files during check. If not specified the default is /tmp.
  - adfixid
    - New --undo (-U) parameter to back out changes made since the last change marker. The log for undo is accumulated in /etc/centrifydc/adfixid.log.
  - adinfo
    - New --debugcache command line parameter added to tar up /var/centrifydc cache files.
    - -y parameter now accepts parameters. "config" dumps all property values, "dns" dumps the dns cache and "all" dumps all system information.
    - --support parameter now includes contents of /etc/irs.conf, /etc/netsvc.conf and shows the ldd output for /usr/lib/netsvc/dynload/nss_cdc.so.
    - New -G option to report the current GC.
  - adjoin
    - New --upn (-U) parameter for adjoin sets user's upn.
  - adquery
    - New parameter --attribute mail (-b mail) to return the email address of a user. Note that this can only be used for users; it does not work for groups.
  - adupdate
    - New --principal (-P) parameter for adupdate user allows setting of user's upn.
    - New --foreign-sid (-i) parameter allows setting / retrieving of a sid for a foreign user.
    - Adupdate now allows changes to users from one-way trusted forests. To use it, retrieve the SID for the user to be changed via adquery user's -Z option, then use that SID in adupdate using the --foreign-sid option.
    - New --userWorkstations (-W) option for adquery user shows the user's userWorkstations attribute. The -all (-A) option has been extended to include this attribute too.
* Windows Console
  * An option has been added to the import Wizard to add a prefix or suffix to the name of a group or user, allowing name clashes to be avoided with already existing users and groups.
  * New DirectAuthorize reports
    Two new reports have been added to report on user roles and rights grouped by zone. The new reports are:
    - User Role Assignments Grouped by Zone
    - User Privileged Command Rights Grouped by Zone
* Miscellaneous
  * The DirectControl NIS server (adnisd) now derives the mail.byaddr map.
* Support is added for the following operating systems:
  - CentOS 4.9, 5.6, 6.0 (32- and 64-bit)
  - Debian 6 (32- and 64-bit)
  - Fedora 15 (32- and 64-bit)
  - Mandriva 2011 One
  - Oracle Linux 6 (32- and 64-bit)
  - Red Hat Enterprise Linux 5.7, 6.1 (32- and 64-bit)
  - Red Hat Enterprise Linux Desktop 5.7, 6.1 (32- and 64-bit)
  - Scientific Linux 4.9, 5.6, 6.1 (32- and 64-bit)
  - Ubuntu Desktop 11.04 (32- and 64-bit)
  - Ubuntu Server 11.04 (32- and 64-bit)

3. Bugs Fixed

3.1 Bugs Fixed in Centrify DirectControl 5.0.3:

* See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.

3.2 Bugs Fixed in Centrify DirectControl 5.0.2:

* User can log in to Active Directory with sid in sidHistory in the tokenGroups attribute.
* User can log in to Active Directory through local cache after the machine is disconnected and restarted.
* NTLM can log in to the Active Directory domain through local cache when the machine cannot access the domain controller.
* adedit create_zone API works for FIPS compliant license.
* AD user will expire in cache if it is marked force expired even though AD user in cache is queried frequently.
* Overridden AD user is visible although its name in cache has been flushed.
* adsmb can successfully get a file.
* Centrify 4.5.3 OpenSSH X11 forwarding works in IPv4 network.
* Centrify 4.5.3 OpenSSH does not stall a few seconds when it logs in to Solaris SPARC machines.
* Centrify 4.5.3 OpenSSH can coexist with Solaris SSH.
* Imported users and groups from passwd and group files do not show "Incomplete user UNIX data" error message.
* Deployment Manager can work with interactive prompt after ssh connection.

3.3 Bugs Fixed in Centrify DirectControl 5.0.1:

* SuSE 11 won't crash if tilde is used in ksh.
* DirectControl can now be upgraded via Ubuntu apt-get.
* adsmb is able to use the current Active Directory user's credentials.
* Upper case netgroup names are supported in LDAPProxy.
* adnisd reads the correct NIS maps even if the DirectControl agent switches to another domain controller while adnisd is reading the NIS maps.
* ZPA does not truncate the UNIX name to 8 characters if the "Truncate the UNIX name to eight characters" check box is not selected.
* ZPA can collect debug log if "Turn on debug logging" is checked in the ZPA Configuration Panel.
* When searching for users in a remote forest, the remote forest is shown in a separate tree.
* Find Users now works even if orphans exist in zones.

4. Known Issues

The following sections describe common known issues or limitations associated with this Centrify DirectControl release. They are categorized as follows:

- DirectControl Administrator Console
- Report Center
- Group policies
- Zone Conversion
- Zone Provisioning Agent
- DirectControl agents
- Centrify NIS server (adnisd)
- Centrify LDAP Proxy
- DirectControl auto-zone mode

In addition to the known issues described in these sections, you should review the details in the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.

DirectControl Administrator Console

* Uninstalling Administrator Console while it is open on Windows 2008
  If you attempt to uninstall the Administrator Console on Windows 2008 while the Console is still open, Installshield will report twice that files are still in use. If you want to continue the uninstall, you should click Retry each time and the uninstall will complete correctly.
* Delegating zone administration permissions for SFU zones
  Although you may delegate permissions to add, remove or modify users in all types of zone in the Zone Delegation Wizard, the permissions do not take effect in an SFU zone. This means that you cannot delegate these administrative permissions for SFU zones.
* UID does not automatically increment if adding users through Welcome page
  When adding users to a zone, the UID used is automatically incremented each time. However, if you use the Add User to Zone feature on the Administrator Console welcome page, the UID is not incremented after the user is added. In this case you should remember to check the UID and reset as necessary when adding subsequent users.
* NIS domain name with adnisd
  The NIS domain name in the DirectControl Administrator Console zone properties page is currently ignored by adnisd. The NIS domain name defaults to the name of the zone, or can be overridden in /etc/centrifydc/centrifydc.conf via the property "nisd.domain.name".
  This will be fixed in a future release.
* Cannot add groups from child domains to SFU zone
  DirectControl does not support adding objects from a child domain into an SFU zone. You should choose only objects from the local zone.
* Users delegated to import into a zone also gain rights to modify profiles
  Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".
* Secondary groups not imported from XML files
  Using the Import Wizard to import user information from XML files does not import secondary group membership.
* Using domain local groups to manage resources
  Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.
* Domain local groups from other domains shown in search dialog
  When using the search dialog in the Administrator Console to delegate zone control to a group, domain local groups from child domains will be incorrectly shown in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.
* Analyse forest and SFU zones
  The analyse forest feature in the Administrator Console does not report on empty zones or duplicated users or groups in the zone.
* Uninstalling Console component uninstalls help
  If you uninstall the Group Policy Object Editor Extension, the NIS maps extension or the Centrify Zone Generator, this also uninstalls the online help feature, the Quickstart Guide and the Administrator Guide. To avoid this, you should uninstall the entire DirectControl Administrator Console package and then install the components that you need.
* Using the Administrator Console and NetIQ GPA
  There are some minor user interface behavioral changes in the right hand pane of the Centrify Administrator Console when running with NetIQ GPA:
  - Cannot double-click to open properties
    However, right clicking on an object and choosing Properties will open the property page in the usual way.
  - Administrator Console icons are replaced by default Windows icons.
* Working with users that have more than one UNIX mapping
  DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with >1 UNIX mapping, you should use a DirectControl 5.0.0 or later Administrator Console to remove all but one of the UNIX users for each of these AD users and then re-add them. In addition, you should always use a DirectControl 5.0.0 or later console when modifying these users.
* In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move this computer to a classic zone. Nor can you move it to a zone in another domain. There are no such problems with a computer joined to a classic zone.
* Cannot run the DC Console and DA Console in the same process
  It is not possible to run both the DirectControl Administrator Console and the DirectAudit Administrator or Auditor Console in the same MMC window. They can be run on the same computer, but they should be run in different MMC instances.
* Using the 32-bit Administrator Console on 64-bit OSes
  While it is possible to run the 32-bit Administrator Console on 64-bit Microsoft Windows, the installer will not recognize that the 32-bit Console is installed, it will not offer any maintenance mode options and will assume a new installation. To upgrade a 32-bit Console on a 64-bit OS, you should uninstall the old version and install the new version.

Report Center

* Cannot delegate control of an SFU zone from the Report Center
  It is not possible to delegate the control of an SFU zone from within the report center. To delegate SFU zone control, right click on the SFU zone node in the left pane.
* Color and font change in Report Center occasionally fails
  Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and color choices when they are made. Re-opening the Format dialog and changing color and/or font again will correctly set the choices for the report.
* Extra results when analyzing duplicate service principal names
  When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate. The SPN is actually found multiple times, but this is by Microsoft design as it is the default account for the Key Distribution Center service in all domains.
* The Console is unresponsive when running the "Classic Zone - User Privilege Command Rights" report. This is expected behavior due to a Microsoft library used to determine user rights and the Console should resume being responsive once the report is completed.

Group policies

* There are four group policies that can merge the lines of different GPOs to a resulting group policy. The precedence rules that are used to merge these multi-line policies have changed. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence will be placed lower in the resulting multi-line policy.
* Disable does not function with Allow Groups group policy
  Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To effectively disable groups of users, the group should be removed from the Group Policy Object.
* Entering multi-line password prompt group policies
  Multi-line group policies are supported, however an escaped newline character "\\n" must be used.
* Default value for the NIS daemon update interval
  In the Administrator Guide the default for this value is shown as 5 minutes, but in the Group Policy user interface it is shown as 4 minutes. The correct value is 5 minutes and the Group Policy user interface will be updated to reflect this in a future release.

Zone Conversion

* Using zone conversion with orphan groups
  Before using zone conversion you should ensure that you have fixed all orphan groups in the zone.
* Cannot select Zone Settings after zone conversion
  After converting a standard zone to an RFC 2307 zone you should close the zone and then reopen. If you attempt to open Zone Settings for the converted zone without closing and reopening, the Zone Settings dialog will not open.
* Agent does not automatically recognize in-place zone conversion
  If a standard zone is in-place converted to an RFC 2307 zone using the Administrator Console, UNIX agents do not automatically become aware of the change and the following should be run on each agent connected to the zone:
    echo -n CDC_RFC_2307 > /var/centrifydc/kset.schema
  and then adclient should be restarted.

Zone Provisioning Agent

* Install's "repair" option reports files in use
  When using the repair install option, the installer may pop up a Files in Use dialog that does not contain any entries. It is safe to simply click the Ignore button and continue the repair operation. This may happen on all supported platforms, except Windows Server 2003 and Windows Server 2003, R2.

DirectControl agents

* Default zone not used in DirectControl 5.x
  In DirectControl 4.x, and earlier, there was a concept of the default zone. When DirectControl was installed a default zone could be created that would be the default zone used when none was specified. If no zone was specified when joining a domain with adjoin, the default zone would be used. This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones.
  In zoned mode, a zone must now always be specified. A zone called "default" may be created, and default zones created in earlier versions of DirectControl may be used, but the name must be explicitly used.
* Cross forest groups are not supported in the pam.allow.group or pam.deny.groups property setting.
* Working with large Active Directory groups
  Centrify recommends a practical maximum of 200 users per Active Directory-enabled group. Groups with more than 10,000 users have been tested with DirectControl and found to function, however larger groups will slow login performance to what may be considered an unacceptable level.
* Using the --notime option with adjoin
  If the --notime option is used when running adjoin, the centrifydc.conf parameter, adclient.sntp.enabled, is not updated to false. This means that subsequent adjoin operations also need to specify the --notime option if required.
* Attempted logins by non-zone members
  If an AD user that is not a member of the zone attempts to log in, they will be unsuccessful logging in on future attempts for a period of 15 minutes from the time of their last unsuccessful log in, even if they are made members of the zone. This lockout may be worked around by running adflush or logging in using the user's UNIX name (if different from the AD name), or by logging in using the computer's GUI rather than ssh or telnet.
* RSA Authentication Agent for Windows
  Computers using DirectControl software are not able to authenticate to domain controllers running RSA Authentication Agent for Windows. To use DirectControl on these computers, it is necessary to disable the RSA Authentication Agent.
* Use of rsh and rcp with DirectControl
  rsh and rcp are considered archaic methods and should not be used with DirectControl as their behavior cannot be guaranteed in all circumstances.
* Change password and rsh / rlogin
  When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.
* Finding global catalog information with adfinddomain
  When the global catalog is located in the root domain and the computer where a user is running adfinddomain is joined to a child domain, it is possible that adfinddomain will report that it is unable to find the global catalog when it is run with:
    adfinddomain
  If adfinddomain is run from a computer that is joined to the root domain, it will correctly find the global catalog.
* Working with /var mounted via NFS
  If /var is mounted via NFS then, in order for DirectControl to function correctly, it is necessary to use the adclient.clients.socket parameter in /etc/centrifydc/centrifydc.conf to point to a local directory. In addition, you should make a symlink from /var/centrifydc/daemon to the local directory you have chosen.
* Changing the password of an orphan user with adpasswd
  adpasswd should not be used to change the password of an orphan user. If it is used, an error will be generated as follows:
    Error: Unsuccessful IPC execute: system error
* Use of pam.allow.users
  When using pam.allow.users in /etc/centrifydc/centrifydc.conf to specify users that are allowed to log in to a particular computer, either the SAMAccountName or the UNIX name should be used to identify the users.
* Working with adclient.client.idle.timeout
  This property is only read at startup, so if it is changed adclient must be restarted. There is a Group Policy setting for this property but changing it has no effect until adclient is restarted on affected machines.
* Use of adpasswd with cross domain users
  The use of adpasswd with cross domain users is not supported in this release.
  Use the passwd command to change the password of cross domain users.
* Use of adupdate by non-administrators
  adupdate uses the current user's Kerberos credentials when -a is not specified on the command line. To run the command as an administrator you should do one of the following:
  - use "-a " on the command line
  - use "-p " on the command line
  - run "kinit " before using adquery
  - Give the current AD user rights to create users
* Using adkeytab to change account passwords
  To change a service account password using adkeytab, you should ensure that there is at least one Service Principal Name (SPN) associated with that service account. Attempting to change the service account password for an account without an SPN is not supported in this release.
* PAM messages depend on operating system
  Configurable PAM messages will be shown inconsistently depending on the login method, daemon version and operating system version.
* Adquery merges results for groups with no members
  Groups that have no members do not have a newline after the GID when output by adquery.
* nss.minuid and nss.mingid are no longer used
  These have been replaced by user.ignore and group.ignore. DirectControl will ignore the local uid and gid values which correspond to the users and groups in the .ignore file and generate a uid.ignore and gid.ignore file. The values from nss.minuid and nss.mingid will be added to this file during the upgrade process.
* adclient -c no longer supported
  To modify core dump behavior you should edit the adclient.dumpcore property in /etc/centrifydc/centrifydc.conf
* Logging-in in disconnected mode
  In disconnected mode the UNIX name or the Windows login name should be used for logging-in. The Active Directory display name is not guaranteed to be unique and may not allow the user to authenticate.
* Invalid argument reported when id-ing a user whose uid or gid are zero
  If you use the id command to display user and group information about a user whose uid or gid are zero, a message is displayed warning of an invalid argument, for example:
    bash-3.1# id user1
    setgroups: Invalid argument
    uid=4294967294(nobody) gid=4294967294(nogroup) groups=3(sys),0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
  This message is a side effect of the nss.squash.root feature and can be safely ignored.
* Use of addns on computers that act as network gateways
  UNIX computers that act as gateways between different networks may require specification of the addns command line such that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line necessary to select the correct network interface and IP address.
* Working with users defined in a Kerberos realm
  DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.
* Using DirectControl 4.x agents with DirectControl 5
  DirectControl 4.x agents can join classic zones created by DirectControl 5. It is possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this should be avoided as the behavior is undefined.
* Adclient and asymmetric DNS servers
  adclient expects all DNS servers to have the same information (i.e. they are symmetric); it has no concept of asymmetric DNS servers. This means that if multiple DNS servers are defined and the information in each is not the same, it is possible that the information in some domains may be inaccessible some or all of the time, depending on the speed of response of the DNS servers and the information they hold.
  The /etc/centrifydc/centrifydc.conf parameter dns.sort will turn off the random nature of the accessibility and allow specification of the order in which to attempt to use DNS servers. Note, however, that it will still not use the DNS servers as a "path"; the highest placed DNS server will win.
* Change in behavior of users to ignore
  In DirectControl 4.x the nss.user.ignore and pam.ignore.users lists were treated separately and adclient only checked nss.user.ignore. In DirectControl 5.0.0 and later, both nss.user.ignore and pam.ignore.users are checked and the ignore list is the logical "or" of the two.
* Some non-alphanumeric characters are valid for Windows user or group names and are converted to underscore ("_") when changed to be UNIX names and can be manipulated in the Administrator Console, but cannot be used in adedit. The list is:
    \ ( ) + ; " , < > =
* adedit cannot create AIX extended attributes in an SFU zone.

Centrify NIS server (adnisd)

* Parent and child zones must be in the same domain for adnisd
  In this release of the Centrify NIS server, the parents of the child zone you are joined to must be in the same domain as the child zone. This restriction will be lifted in a future release of adnisd.

Centrify LDAP Proxy

* If an automount map created with a 4.x or earlier version of the DirectControl Console does not start with the string "auto" (i.e. auto.home, auto_master, auto_net, etc), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps which do not start with the string "auto" must be exported and imported using this version of the DirectControl Console or adedit.
* Wildcard use not supported with LDAP Proxy
  This release of the LDAP Proxy does not support searches using wildcards in rfc2307 mode.

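A check for the centrifydc.conf settings that these notes single out (nss.minuid / nss.mingid, the Kerberos parameters added in 5.0.0, pam.allow.users, the merged ignore lists, and the socket location when /var is on NFS). This is an added example, not Centrify code: the sample file is constructed, and the comma/space list separators, the '@' and '\' heuristic and the caller-supplied list of NFS mount points are assumptions.

```python
import re

# Constructed sample, not taken from a real host. The "name: value" syntax
# follows the adclient.altupns line in the notes; all values are invented.
SAMPLE_CONF = """\
# constructed sample
nss.minuid: 500
adclient.krb5.use.addresses: true
adclient.altupns: mil
krb5.cache.clean.exclusion: svc_backup oracle
pam.allow.users: jsmith, alice@example.com
nss.user.ignore: root bin
pam.ignore.users: root daemon
adclient.clients.socket: /var/centrifydc/daemon
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_conf(text):
    """Return {name: value} for 'name: value' lines; blanks and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def _items(value):
    """Split a list-valued setting on commas/whitespace (assumed separators)."""
    return [v for v in re.split(r"[,\s]+", value or "") if v]


def _on_mount(path, mounts):
    """True if path equals, or lies below, one of the given mount points."""
    for m in mounts:
        m = m.rstrip("/")  # "/" becomes "", so every absolute path matches it
        if path == m or path.startswith(m + "/"):
            return True
    return False


def audit(conf, nfs_mounts=()):
    """Return [(setting, note)] for the behaviours described in the release notes."""
    out = []
    for old, new in (("nss.minuid", "user.ignore"), ("nss.mingid", "group.ignore")):
        if old in conf:
            out.append((old, f"no longer used; replaced by {new}"))
    if conf.get("adclient.krb5.use.addresses", "false").lower() == "true":
        out.append(("adclient.krb5.use.addresses",
                    'adclient adds "noaddresses = false" to krb5.conf'))
    if conf.get("adclient.altupns"):
        out.append(("adclient.altupns",
                    "otherwise unknown realm accepted as UPN suffix: "
                    + conf["adclient.altupns"]))
    kept = _items(conf.get("krb5.cache.clean.exclusion"))
    if kept:
        out.append(("krb5.cache.clean.exclusion",
                    "adclient will not clean krb5cc_* files for: " + " ".join(kept)))
    # Heuristic (assumption): '@' or '\' marks a UPN or DOMAIN\user form.
    odd = [u for u in _items(conf.get("pam.allow.users")) if "@" in u or "\\" in u]
    if odd:
        out.append(("pam.allow.users",
                    "use SAMAccountName or UNIX name, not: " + " ".join(odd)))
    # 5.0.0 and later check both lists, so the effective list is their union.
    ignored = sorted(set(_items(conf.get("nss.user.ignore")))
                     | set(_items(conf.get("pam.ignore.users"))))
    if ignored:
        out.append(("nss.user.ignore|pam.ignore.users",
                    "effective ignore list: " + " ".join(ignored)))
    if _on_mount("/var/centrifydc", nfs_mounts):
        sock = conf.get("adclient.clients.socket")
        if not sock or _on_mount(sock, nfs_mounts):
            out.append(("adclient.clients.socket",
                        "/var is on NFS; point this at a local directory"))
    return out


if __name__ == "__main__":
    # "/var" stands in for the NFS mount points of the host being checked.
    for name, note in audit(parse_conf(SAMPLE_CONF), nfs_mounts=["/var"]):
        print(f"{name}: {note}")
```
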
DirectControl auto-zone mode

* One-way cross forest trusts not supported in auto-zone mode
  Users from a remote forest that is trusted via a one-way cross forest trust are not supported in auto-zone mode in this version of DirectControl.

For the most up to date list of known issues with this release of DirectControl, please refer to Knowledge Base article KB-2485 in the Centrify Support Portal.

5. Additional Information and Support

In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately. For more information, see the Centrify Resource Center Web site:

  http://www.centrify.com/resources/application_notes.asp

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectControl, send email to support@centrify.com or call 1-408-542-7500, option 2.

For information about purchasing or evaluating Centrify products, send email to info@centrify.com.