Chapter 6. Directory Server in Red Hat Enterprise Linux

Directory Server no longer logs false positive error messages

Previously, in a Directory Server multi-master replication environment, the Failed to update RUV for unknown error message was logged multiple times when only the replica update vector (RUV) was updated without any change. This update fixes the problem and now Directory Server no longer logs the error message. (BZ#1266920)

In FIPS mode, the slapd_pk11_getInternalKeySlot() function is now used to retrieve the key slot for a token

The Red Hat Directory Server previously tried to retrieve the key slot from a fixed token name when FIPS mode was enabled on the security database. However, the token name can change. If the key slot is not found, Directory Server is unable to decode the replication manager's password and replication sessions fail. To fix the problem, Directory Server now uses the slapd_pk11_getInternalKeySlot() function in FIPS mode to retrieve the current key slot. As a result, replication sessions using SSL or STARTTLS no longer fail in the described situation. (BZ#1352109)

Directory Server now supports configuring weak DH parameters

The network security services (NSS) libraries, linked with the Red Hat Directory Server, require a minimum of 2048-bit Diffie-Hellman (DH) parameters. However, Java 1.6 and 1.7 support only 1024-bit DH parameters. As a consequence, clients using these Java versions were unable to connect to Directory Server using encrypted connections. This update adds the allowWeakDHParam parameter to the cn=encryption,cn=config entry. As a result, if this parameter is enabled, affected clients can now connect using weak DH parameters. (BZ#1327065)
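Because allowWeakDHParam lowers the DH strength for every TLS client, not only the legacy Java ones, it is worth auditing regularly. The following script is an added example, not part of the release notes or of Directory Server itself: it parses an LDIF export of the cn=encryption,cn=config entry (handling folded lines and base64 values) and reports whether weak DH is enabled and what the effective minimum DH size therefore is. The sample entry is constructed, and the assumption that the attribute takes the value on or off is the author's, not something stated on this page.

```python
"""Audit cn=encryption,cn=config for the allowWeakDHParam setting (added example)."""
import base64
import json

MIN_DH_BITS = 2048   # minimum DH parameter size accepted by NSS
WEAK_DH_BITS = 1024  # size re-enabled by allowWeakDHParam for Java 1.6/1.7 clients

# Constructed sample LDIF: an encryption entry with the weak setting switched on.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsTLS1: on
allowWeakDHParam: on
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Folded continuation lines (leading space) are joined to the previous line and
    base64 values (introduced by '::') are decoded, so the audit does not miss a
    setting just because an export tool encoded it.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def weak_dh_allowed(entry):
    """True when allowWeakDHParam is present and enabled.

    Assumption: the attribute is a boolean written as 'on' / 'off'.
    """
    return any(v.lower() == "on" for v in entry.get("allowweakdhparam", []))


def audit_encryption_config(text):
    """Return an audit record for the encryption entry held in `text`."""
    entry = parse_ldif_entry(text)
    weak = weak_dh_allowed(entry)
    return {
        "dn": entry.get("dn", [""])[0],
        "weak_dh_allowed": weak,
        "effective_min_dh_bits": WEAK_DH_BITS if weak else MIN_DH_BITS,
        "finding": (
            "allowWeakDHParam is on: 1024-bit DH is accepted for all TLS clients; "
            "turn it off once the legacy Java clients are upgraded"
            if weak
            else "DH parameters are at the NSS minimum of 2048 bits"
        ),
    }


if __name__ == "__main__":
    print(json.dumps(audit_encryption_config(SAMPLE_LDIF), indent=2))
```

Feed it the output of a search for cn=encryption,cn=config instead of the embedded sample to audit a live instance; the report is plain JSON so it can be collected from many servers and compared.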

The cleanAllRUV task no longer corrupts changelog back ends

At the end of the cleanAllRUV task, Directory Server removes entries from the replication changelog that contain the cleaned replica ID. Previously, the task incorrectly ran on all changelog back ends instead of only the one set in the task. As a consequence, if multiple back ends contained the same replica ID, the cleanAllRUV task corrupted them. This update fixes the problem and now the cleanAllRUV task works correctly. (BZ#1369572)

Reindexing the retro changelog no longer fails

Previously, the retrocl-plugin set a lock in read mode on the changelog back end without releasing it. This could result in a deadlock situation. For example, an index task executed by the db2index.pl script on the retro changelog back end became unresponsive when a lock in write mode was set. This update applies a patch and as a result, reindexing the retro changelog no longer fails. (BZ#1370145)

Directory Server no longer fails when disabling the CLEAR password storage scheme plug-in

Previously, Directory Server required that the CLEAR password storage plug-in was enabled when setting userPassword attributes. As a consequence, Directory Server terminated unexpectedly when attempting to set userPassword attributes, if CLEAR was disabled. This update applies a patch and as a result, Directory Server no longer fails in the described situation. (BZ#1371678)

Directory Server no longer terminates unexpectedly when using server side sorting

Previously, when using a matching rule and server side sorting, Directory Server incorrectly freed the same memory multiple times and terminated unexpectedly. This update fixes the bug, and as a result Directory Server no longer fails when using server side sorting. (BZ#1371706)

Directory Server now validates macros in ACIs

Previously, the Red Hat Directory Server did not validate macros in an access control instruction (ACI). As a result, users were able to set incorrect macros in an ACI. This update improves the underlying validation code, and Directory Server now rejects invalid macros and logs an error. (BZ#1382386)

Replication monitor now shows the correct date

On the replication monitor, the year of the date was not displayed in the header when the value of the day field was less than 10. The code now uses the correct API, and the year is displayed correctly. (BZ#1410645)

The memberOf fix-up task now verifies arguments

Previously, if an invalid filter or basedn parameter was provided in the memberOf fix-up task, and the task failed, no information was logged. A patch has been applied and now, if a problem occurs, an error is logged and the task status is updated. As a result, the administrator is now able to identify if a task failed. (BZ#1406835)

Directory Server no longer terminates unexpectedly when deleting a non-existent attribute

Previously, deleting a non-existent attribute from the back end configuration caused Directory Server to terminate unexpectedly. This update applies a patch to pass a NULL value to the ldbm_config_set() function if no attribute was deleted. As a result, Directory Server now rejects the operation in the described scenario. (BZ#1403754)

Directory Server no longer displays multiple error messages when importing fails

Previously, if importing data failed, multiple Unable to flush error messages were displayed, because the connection to the database was not closed. This update applies a patch and as a result, Directory Server no longer displays multiple errors in the mentioned situation. (BZ#1402012)

Virtual list view-related problems have been fixed

Previously, when removing a virtual list view (VLV) index, the dblayer_erase_index_file_nolock() function was not called. Thus, the physical index file and the back pointer set to the dblayer handle were not removed. Consequently, Directory Server terminated unexpectedly. This fix updates the code and the dblayer_erase_index_file_nolock() function is now called when removing a VLV index.
In addition, the vlv_init() function previously could be called multiple times without unregistering VLV plug-in callbacks. As a consequence, Directory Server sometimes terminated unexpectedly. With this update, callbacks are now unregistered.
As a result, Directory Server no longer terminates unexpectedly in the described situations. (BZ#1399600)

Directory Server no longer logs sensitive information

Previously, when the Trace function calls option was enabled in the nsslapd-errorlog-level parameter, Directory Server logged all attributes into the error log file, including attributes containing sensitive information. A patch has been applied to filter out values of sensitive attributes. As a result, Directory Server no longer logs sensitive information. (BZ#1387772)
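Servers running a release without this fix, or any deployment that ships error logs to a central collector, benefit from scrubbing secret attribute values before the log leaves the host. The filter below is an added example written for this page, not code from Directory Server: it redacts the values of a constructed list of sensitive attributes (userPassword, nsslapd-rootpw, nsDS5ReplicaCredentials, nsmultiplexorcredential) from log lines, matching attribute names case-insensitively as LDAP does and covering both plain and base64 (::) values. The sample log lines are constructed to resemble trace output and are not taken from a real server; the log format and attribute list are assumptions.

```python
"""Redact sensitive attribute values from Directory Server error-log lines (added example)."""
import re

# Attributes whose values must never reach a log file. Constructed list for the
# example; extend it with whatever your deployment treats as secret.
SENSITIVE_ATTRS = (
    "userPassword",
    "nsslapd-rootpw",
    "nsDS5ReplicaCredentials",
    "nsmultiplexorcredential",
)

# attribute name, then ':' / '::' / '=' separator, then a value. Values are assumed
# to contain no whitespace, commas, semicolons or closing parentheses; a line may
# carry the attribute inside a longer trace message, so the match is not anchored.
_PATTERN = re.compile(
    r"(?P<attr>" + "|".join(re.escape(a) for a in SENSITIVE_ATTRS) + r")"
    r"(?P<sep>\s*(?:::?|=)\s*)"
    r"(?P<value>[^\s,;)]+)",
    re.IGNORECASE,
)

# Constructed sample lines in the style of a trace-level error log.
SAMPLE_LOG = [
    "[27/Feb/2017:10:14:03.115 +0100] - slapd_modify: dn=uid=alice,ou=People,dc=example,dc=com "
    "attr=userPassword: {SSHA}c2VjcmV0aGFzaA== op=replace",
    "[27/Feb/2017:10:14:03.116 +0100] - => do_modify: mail: alice@example.com",
    "[27/Feb/2017:10:14:05.001 +0100] - replica config: nsDS5ReplicaCredentials:: cmVwbG1hbmFnZXJwdw==",
]


def redact(line):
    """Return `line` with every sensitive attribute value replaced by [REDACTED]."""
    return _PATTERN.sub(
        lambda m: m.group("attr") + m.group("sep") + "[REDACTED]", line
    )


def redact_lines(lines):
    """Redact a sequence of lines; returns (redacted lines, count of lines changed)."""
    out, changed = [], 0
    for line in lines:
        new = redact(line)
        if new != line:
            changed += 1
        out.append(new)
    return out, changed


if __name__ == "__main__":
    cleaned, n = redact_lines(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{n} line(s) redacted")
```

Run it as a pipe filter (for example, between the error log and a forwarding agent) so the redaction count doubles as a detection signal: any non-zero count means a secret was about to leave the server in a log line.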

Group ACIs are now correctly evaluated

Previously, if the number of members in a group in an access control instruction (ACI) exceeded the size limit of the result of the query, Directory Server incorrectly denied access. To fix the problem, the server size limit is no longer applied to the ACI group evaluation, and queries now operate correctly. (BZ#1387022)