Chapter 8. Directory Server in Red Hat Enterprise Linux

About Directory Server for Red Hat Enterprise Linux

This section describes changes in the main server component for Red Hat Directory Server - the 389-ds-base package, which includes the LDAP server itself and the command line utilities and scripts for its administration. This package is part of the Red Hat Enterprise Linux base subscription channel and is therefore available on all Red Hat Enterprise Linux Server systems, because the Red Hat Identity Management components depend on it.
Additional Red Hat Directory Server components, such as the Directory Server Console, are available in the rhel-x86_64-server-6-rhdirserv-9 additional subscription channel. A subscription to this channel is also required to obtain support for Red Hat Directory Server. Changes to the additional components in this channel are not described in this document.
Red Hat Directory Server version 9 is available for Red Hat Enterprise Linux 6. See https://access.redhat.com/products/red-hat-directory-server/get-started-v9 for information about getting started with Directory Server 9, and https://access.redhat.com/documentation/en/red-hat-directory-server/?version=9 for full documentation. (BZ#1333801)

Large amounts of skipped updates in fractional replication no longer cause performance loss

During fractional replication, if a large number of skipped updates was present, the supplier could previously acquire a replica for a long time and fail to update the Replica Update Vector (RUV) at the end of the session. This then caused the next session to evaluate the same skipped updates, resulting in poor performance. This bug has been fixed by adding a system subentry which is occasionally updated even if there are no applicable changes to be replicated, and the problem no longer occurs. (BZ#1259383)

Fixed a crash while trimming the retro changelog

When trimming the retro changelog (retroCL), entries are first deleted from the changelog itself and then also from the cache. The 389-ds-base server was, however, missing a check to verify that the entries are actually present in the cache, which could lead to the server attempting to delete nonexistent entries and subsequently crash on systems where not all changelog entries could fit in the cache due to its small size. A check has been added to make sure only entries actually present in the cache are being deleted, and the server no longer crashes when trimming the retro changelog. (BZ#1244970)

Fixed a crash in the backend add function

When a callback at BE_TXN in the backend add function failed on a cached entry, the function was attempting to free the entry twice instead of removing it from the cache and then freeing it. This update adds remove and free code to the backend add function and the function no longer attempts to free cached entries twice. (BZ#1265851)

389-ds-base server no longer crashes when attempting to replace a nonexistent attribute

When a replace operation for a nonexistent attribute was performed without providing new values, the entry was stored with incorrect metadata: an empty deleted value without an attribute deletion change state number (CSN). This entry could then result in memory corruption and cause the server to terminate unexpectedly. To fix this bug, additional space to store metadata is now allocated and the server no longer crashes in this scenario. (BZ#1298496)

389-ds-base no longer hangs due to modified entry remaining locked

During a modify operation, the modified entry is inserted into the entry cache and locked until the modified entry is returned. In cases where the entry was removed from the entry cache after it was committed but before the return operation, the modified entry previously remained locked, and any subsequent write operations on the same entry then caused the server to hang. This bug has been fixed by adding a flag so that the entry can be unlocked whether it is present in the entry cache or not, and the server no longer hangs in this situation. (BZ#1273552)

Fixed a deadlock during backend deletion in Directory Server

Previously, transaction information was not passed to one of the database helper functions during backend deletion. This could result in a deadlock if a plug-in attempted to access data in the area locked by the transaction. With this update, transaction info is passed to all necessary database helper functions, and a deadlock no longer occurs in the described situation. (BZ#1278585)

ns-slapd no longer crashes on multiple asynchronous searches if a request is abandoned

When multiple simple paged results searches were requested asynchronously in a persistent connection and one of the requests was abandoned, contention among the asynchronous requests could occur and cause the ns-slapd service to crash. This bug has been fixed and ns-slapd no longer crashes due to abandoned requests. (BZ#1247792)

Simple paged results slots are now being correctly released after search failure

Previously, if a simple paged results search failed in the Directory Server backend, its slot was not released, which caused the connection object to accumulate unreleased slots over time. This problem has been fixed, and slots are now correctly released in the event of a search failure. (BZ#1290243)

ns-slapd no longer crashes when freeing a search results object

Previously, when Directory Server freed a search results object, there was a brief period of time before the freed information was set in the paged-results handle. If the paged-results handle was released due to a timeout during this period, a double free occurred, causing ns-slapd to crash. This problem has been eliminated and the double free no longer occurs when freeing search results objects. (BZ#1267296)

Fixed a deadlock in asynchronous simple paged results requests

A previous fix for a deadlock in the asynchronous simple paged results requests introduced a regression that caused a self-deadlock. To address this problem, the simple PR_Lock on the connection object has been replaced with a re-entrant PR_Monitor. As a result, the deadlock no longer occurs. (BZ#1296694)

Deletion of attributes without a value on the master server now replicates correctly

Previously, when an attribute which does not have a value on the master server was deleted, the deletion was not replicated to other servers. The regression that caused this bug has been fixed and the change now replicates as expected. (BZ#1251288)

Directory Server no longer logs false attrlist_replace errors

Previously, Directory Server could in some circumstances repeatedly and erroneously log attrlist_replace error messages. This problem was caused by memory corruption due to the wrong memory copy function being used. The memory copy function has been replaced with memmove, which prevents this memory corruption, and the server no longer logs these error messages. (BZ#1267405)

cleanAllRUV now clears the changelog completely

Previously, after the cleanAllRUV task finished, the changelog still contained entries from the cleaned replica ID (rid). As a consequence, the RUV could contain undesirable data, and the RUV element could be missing the replica URL. Now, cleanAllRUV cleans the changelog completely as expected. (BZ#1270002)

Replication failures no longer result in missing changes after additional updates

Previously, if a replicated update failed on the consumer side, it was never retried due to a bug in the replication asynchronous result thread which caused it to miss the failure before another update was replicated successfully. The second update also updated the consumer Replica Update Vector (RUV), and the first (failed) update was lost. In this release, replication failures cause the connection to close, stopping the replication session and preventing any subsequent updates from updating the consumer RUV, which allows the supplier to retry the operation in the next replication session. No updates are therefore lost. (BZ#1294770)

Unnecessary keep alive entries no longer cause missing replication

Previously, a keep alive entry was being created at too many opportunities during replication, potentially causing a race condition when adding the entry to the replica changelog and resulting in operations being dropped from the replication. With this update, unnecessary keep alive entry creation has been eliminated, and missing replication no longer occurs. (BZ#1307152)

nsMatchingRule is now correctly applied to attribute information

Previously, when nsMatchingRule was dynamically updated in an index entry, the value was not applied to the attribute information. This caused the dbverify utility to erroneously report database corruption. In this release, nsMatchingRule changes are correctly applied to attribute information, and dbverify no longer falsely reports database corruption. (BZ#1236656)

Tombstone entries no longer create unnecessary index entries

When an entry is deleted, its indexed attribute values are also removed from each index file. However, if the entry is turned into a tombstone entry, reindexing previously added the removed attribute value back into the index. This bug has been fixed, and index files no longer contain unnecessary key-value pairs generated by tombstone entries. (BZ#1255290)

Index is now updated properly when several values of the same attribute are deleted

Previously, when several values of the same attribute were deleted using the ldapmodify command, and at least one of them was added again during the same operation, the equality index was not updated. As a consequence, an exact search for the re-added attribute value did not return the entry. The logic of the index code has been modified to update the index if at least one of the values in the entry changes, and the exact search for the re-added attribute value now returns the correct entry. (BZ#1282457)
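As an added illustration that is not part of the original release notes, the following constructed LDIF reproduces the modify pattern described above against a hypothetical entry: several values of one attribute (mail) are deleted and one of them is re-added in the same ldapmodify operation. The entry DN, attribute and values are assumptions for the example.

```ldif
# Constructed example; replace the DN, attribute and values with your own.
# Pre-condition: the entry already holds three mail values:
#   alice@example.com, alice@example.org, alice@example.net
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
# Delete two of the values in one mod-spec
delete: mail
mail: alice@example.com
mail: alice@example.org
-
# Re-add one of the deleted values in the same operation
add: mail
mail: alice@example.com
-
```

After applying the file with ldapmodify, an exact search such as `ldapsearch -b "ou=people,dc=example,dc=com" "(mail=alice@example.com)"` should return the entry; on a server affected by this bug the equality index was stale and the search came back empty even though the attribute value was present on the entry.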

COS cache now correctly adds all definitions

A previous bug fix related to the Class of Service (COS) object cache introduced a regression which caused it to stop adding definitions after the first one, instead of adding all definitions. This problem has been fixed and the COS cache now correctly adds all definitions as designed. (BZ#1259546)

Improved ACL performance

Previously, unnecessarily complicated regular expressions were used in the Access Control List (ACL) implementation in Directory Server. These regular expressions have been removed and the ACL implementation reworked, resulting in improved performance. (BZ#1236156)

ntUserlastLogon and ntUserlastLogoff attributes are now synchronized between Directory Server and Active Directory

Previously, WinSync account synchronization could not update the ntUserlastLogon and ntUserlastLogoff attributes in Directory Server when synchronizing with Active Directory. This bug has been fixed and these attributes are now being updated correctly based on the lastLogonTimestamp and lastLogoffTimestamp attributes in Active Directory. (BZ#1245237)