6.2. Highlighted Updates and New Features

Important

Note that this document only contains release notes for features which are not available in the base Red Hat Enterprise Linux 7.1 release. Many of the new features and bug fixes in Red Hat Directory Server are in the 389-ds-base package, and those are documented in Red Hat Enterprise Linux 7.1 Release Notes.
Directory Server 10.0 has introduced the following new features and important updates to make managing the directory service and its data easier and more secure.
TLS 1.0 or newer is enabled by default
Due to CVE-2014-3566, SSLv3 and older protocol versions are disabled by default. The Admin Server now accepts more secure SSL protocols like TLSv1.1 and TLSv1.2. You can also define the SSL range that the console will use when communicating with Directory Server instances.
Password administrators
The Directory Manager can now add the Password Administrator role to a user or a group of users (not to be confused with general password maintenance). A password administrator can perform any user password operations which includes adding pre-hashed passwords, using different storage schemes, or setting passwords of any length or value.
For more information, see the related documentation in the Administration Guide.
The nsds5ReplicaProtocolTimeout attribute
When stopping the server, disabling replication, or removing a replication agreement, there is a timeout on how long to wait before stopping replication when the server is under load. The nsds5ReplicaProtocolTimeout attribute can be used to configure this timeout and its default value is 120 seconds.
For more information, see the related documentation in the Configuration, Command, and File Reference Guide.
The nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax attributes
The new nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax attributes are used in environments with heavy replication traffic, where updates need to be sent as fast as possible. By default, if a remote replica is busy, the replication protocol goes into a "back off" state and retries sending it updates at the next interval of the back-off timer. The default settings may not be sufficient under certain circumstances, and you can use these attributes to configure the minimum and maximum wait times.
For more information, see the related documentation in the Configuration, Command, and File Reference Guide.
Perl scripts support more secure connections
The new -P command-line parameter is now available for Perl scripts and takes a protocol name as a parameter. The supported protocols are StartTLS, LDAPS, LDAPI, and LDAP; this sequence also defines the order the script uses if fallback is needed.
For more information, see the related documentation in the Configuration, Command, and File Reference Guide.
Instance-specific scripts centralized
The new -Z command-line parameter takes one parameter, the server instance identifier. The script uses the identifier to get information such as the server location, or necessary configuration settings including port number, root DN, and security settings.
For more information, see the related documentation in the Configuration, Command, and File Reference Guide.
The memberOf plug-in shared configuration
Replicating plug-in configuration helps maintain consistent configuration on the network, which is especially useful in large deployments. The memberOf plug-in configuration can be stored in a shared configuration entry in any back end or suffix, outside of the cn=config suffix. In the plug-in entry, the nsslapd-pluginConfigArea attribute is used to specify the location of the shared configuration.
For more information, see the related documentation in the Administration Guide.
Plug-in back end transaction support
There are two new plug-in types available in Red Hat Directory Server 10: betxnpreoperation and betxnpostoperation. These types signify that if the plug-in fails to perform its operation, or some error occurs, the entire operation is rolled back and undone, and an error message is returned to the client.
Change in behavior of the memberOf plug-in
In Red Hat Directory Server 10, the memberOf plug-in, as well as most other plug-ins, is a back-end transaction plug-in and its default behavior now prevents unexpected failures if a schema is not in place.
If the memberOf plug-in fails to update a member entry with the memberOf attribute, the entire operation is aborted. This typically occurs because the entry does not have an object class that allows memberOf. Currently, there are two standard object classes that allow memberOf: inetUser and inetAdmin. Alternatively, a custom object class needs to be created that has memberOf among its allowed attributes. These object class(es) need to be present in any entry that has the potential of being a member of a group, including groups.
An additional change concerns scenarios when nested groups are created. Previously, creating nested groups always worked even if memberOf was not added to the bottom group. Now, creating a nested group fails unless the group has an object class that allows memberOf.
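Because a failed memberOf update now aborts the whole operation, it is worth checking an export before adding members. The following script is an added example, not part of the Red Hat documentation or of the plug-in itself: it reads a constructed LDIF export and lists every entry referenced as a group member (nested groups included) that carries neither inetUser nor inetAdmin nor a custom class you name. The class exampleUser and the sample entries are assumptions made for the example.

```python
# Object classes that allow memberOf. inetUser and inetAdmin are the two
# standard classes named above; a deployment-specific class can be passed in.
MEMBEROF_CLASSES = frozenset({"inetuser", "inetadmin"})

# Constructed sample export. uid=carol uses a hypothetical custom class,
# exampleUser, that is assumed to list memberOf among its allowed attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: inetUser
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: exampleUser
uid: carol

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: dev
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=carol,ou=People,dc=example,dc=com

dn: cn=engineering,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: engineering
member: cn=dev,ou=Groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader for plain 'attr: value' lines; returns {dn: {attr: [values]}}.
    Attribute names and DN keys are lower-cased; base64 (::) values and
    continuation lines are not handled, which is enough for a simple export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def allows_memberof(entry, extra_classes=()):
    """True if the entry carries an object class that permits memberOf."""
    allowed = MEMBEROF_CLASSES | {c.lower() for c in extra_classes}
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    return bool(classes & allowed)


def find_blocking_members(entries, extra_classes=()):
    """Return the sorted DNs of entries referenced as group members that lack
    an object class allowing memberOf. Nested groups are checked like any
    other member, since adding them as members now fails the same way."""
    blocking = set()
    for entry in entries.values():
        members = entry.get("member", []) + entry.get("uniquemember", [])
        for member_dn in members:
            target = entries.get(member_dn.lower())
            if target is None:
                continue  # not in this export; cannot be evaluated offline
            if not allows_memberof(target, extra_classes):
                blocking.add(member_dn)
    return sorted(blocking)


if __name__ == "__main__":
    for dn in find_blocking_members(parse_ldif(SAMPLE_LDIF), extra_classes=["exampleUser"]):
        print("needs an object class allowing memberOf:", dn)
```

Run against a real export from db2ldif, the output is the list of entries to fix before they are added to a group; the nested group cn=dev shows up because groupOfNames on its own does not allow memberOf.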
Improved referential integrity plug-in configuration
The new-style configuration for the Referential Integrity plug-in uses the more descriptive and convenient referint* attributes. The configuration using the pluginarg* attributes still works but is deprecated.
The second improvement allows you to define scope for handling references to deleted entries. The correctly defined scope prevents performance impacts and provides flexibility of restricting the referential integrity to selected subtrees.
For more information, see the related documentation in the Administration Guide.
Dynamic plug-ins
Directory Server 10.0 supports dynamic plug-ins that can be enabled without restarting the Directory Server. Allowing for dynamically enabled plug-ins makes server administration significantly easier. By using dynamic plug-ins, you can avoid restarting the server multiple times to install and configure the plug-ins.
For more information, see the related documentation in the Administration Guide.
Fine grained ID list size
The ID scan limit (nsslapd-idlistscanlimit) can be set per attribute, instead of for the entire database. The limit can be used to pseudo-index attributes that normally could not be indexed without impacting the entire database. This feature is very useful for addressing unavoidable unindexed searches.
SyncRepl content synchronization plug-in
The new SyncRepl plug-in provides a mechanism for a client to synchronize its copy of a database with the changing content of a Directory Server, according to RFC 4533. In contrast to replication, SyncRepl is not oriented on changes or updates but on entries. Complete entries, after being updated, are sent to the client.
Database and changelog compaction
Previously, when an entry was deleted, a gap remained on the database page, thus growing the database files in size over time. In Red Hat Directory Server 10, the databases, including the changelog, are compacted every 30 days. This interval can also be customized by configuring the nsslapd-db-compactdb-interval and nsslapd-changelogcompactdb-interval attributes.
Read entry controls
When performing a modify operation, you can specify pre-read and post-read controls. The pre-read control returns a copy of the entry before it was modified and the post-read control returns the entry after the modify. Both controls can be used on the same operation.
The benefit of the post-read control is that you can see the entry after any changes a plug-in applied to it, after the initial update was performed.
Normalized DN cache
DN normalization is an expensive and unavoidable task that the server needs to do for most operations. Red Hat Directory Server 10 provides a normalized DN cache that improves performance.
Schema replication improvements
Previously, it was possible that schema definitions could get incorrectly overwritten depending on where new schema definitions were added in the replication deployment. Now, during a replication session, a supplier checks that the consumer schema is a subset of the supplier schema before sending its schema. Then, the consumer checks that the consumer schema is a subset of the supplier schema before accepting the supplier's schema.
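The following is an added illustration of the subset rule, not the server's own implementation: it parses objectClasses definitions in RFC 4512 syntax and treats "subset" as meaning that every object class on the consumer exists on the supplier under the same OID with MUST and MAY lists contained in the supplier's. The sample schemas are constructed, and the OID 1.3.6.1.4.1.99999.1 is a placeholder rather than a registered OID.

```python
import re


def _attr_set(definition, keyword):
    """Extract the attribute list after MUST or MAY: either '( a $ b )' or a single name."""
    m = re.search(keyword + r"\s+(?:\(\s*([^)]*)\)|(\S+))", definition)
    if not m:
        return frozenset()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return frozenset(a.strip().lower() for a in raw.split("$") if a.strip())


def parse_objectclasses(definitions):
    """Parse objectClasses values (RFC 4512 syntax) into {oid: {name, must, may}}."""
    schema = {}
    for definition in definitions:
        oid = re.match(r"\(\s*(\S+)", definition).group(1)
        name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
        schema[oid] = {
            "name": name,
            "must": _attr_set(definition, "MUST"),
            "may": _attr_set(definition, "MAY"),
        }
    return schema


def schema_violations(candidate, reference):
    """Reasons why `candidate` is not a subset of `reference`; an empty list means it is.
    Subset here means: every object class in the candidate exists in the reference
    under the same OID, and its MUST and MAY lists are contained in the reference's."""
    problems = []
    for oid, oc in candidate.items():
        other = reference.get(oid)
        if other is None:
            problems.append(f"{oc['name']} ({oid}) is not defined in the reference schema")
            continue
        for kind in ("must", "may"):
            extra = oc[kind] - other[kind]
            if extra:
                problems.append(f"{oc['name']} {kind.upper()} has extra attributes: {sorted(extra)}")
    return problems


def supplier_will_push_schema(supplier, consumer):
    """The supplier only sends its schema when the consumer's schema is a subset
    of it, and the consumer applies the same test before accepting; one
    predicate therefore models both checks of the session."""
    return not schema_violations(consumer, supplier)


# Constructed schemas. The supplier carries the stock definitions; one consumer
# matches an older stock copy, the other was extended locally. The OID
# 1.3.6.1.4.1.99999.1 is a placeholder, not a registered OID.
SUPPLIER = parse_objectclasses([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ description ) )",
])
CONSUMER_STOCK = parse_objectclasses([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber ) )",
])
CONSUMER_EXTENDED = parse_objectclasses([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ exampleBadge ) )",
    "( 1.3.6.1.4.1.99999.1 NAME 'exampleBadgeHolder' AUXILIARY MAY exampleBadge )",
])

if __name__ == "__main__":
    print("stock consumer receives schema:", supplier_will_push_schema(SUPPLIER, CONSUMER_STOCK))
    print("extended consumer receives schema:", supplier_will_push_schema(SUPPLIER, CONSUMER_EXTENDED))
    for reason in schema_violations(CONSUMER_EXTENDED, SUPPLIER):
        print("  -", reason)
```

The extended consumer is the case the improvement protects: under the old behaviour its local additions could be overwritten by the supplier's copy, whereas with the subset check the supplier withholds its schema and the violations list tells the administrator what has to be reconciled first.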
The Read Entry Controls LDAP extension
Directory Server now supports an extension to LDAP to allow clients to read the target entry of an update operation, such as Add, Delete, Modify, or ModifyDN. The extension utilizes controls attached to update requests to request and return copies of the target entry.
The LDAP content synchronization operation
Directory Server now supports the LDAP Content Synchronization Operation, or Sync Operation for short, which allows a client to maintain a synchronized copy of a fragment of a Directory Information Tree (DIT). The Sync Operation is defined as a set of controls and other protocol elements that extend the Search Operation.
SASL mapping fallback and prioritization
Previously, in deployments using many SASL mappings or overlapping matching criteria by design, only the first matching SASL mapping was checked. If that mapping failed, the bind operation also failed even if there were other matching mappings that could work. In Red Hat Directory Server 10, the nsslapd-sasl-mapping-fallback configuration option has been implemented to keep checking all the matching mappings. The nsSaslMapPriority prioritization option has also been added to be available for each mapping.
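To make the difference between the old and new behaviour concrete, here is an added example that is not part of the Red Hat documentation or of the server: it models SASL identity mapping with a priority-ordered list of mappings and a fallback switch. The mapping entries and the tiny in-memory directory are constructed; nsSaslMapPriority is named above, while the regex, base-DN template and filter template attribute names are the plug-in's standard ones and are not shown on this page. A lower nsSaslMapPriority value is assumed to be tried first.

```python
import re

# Constructed SASL mapping entries. Both regexes match the same identities on
# purpose, which is the "overlapping matching criteria" case described above.
MAPPINGS = [
    {"cn": "service accounts",
     "nsSaslMapRegexString": r"^(.*)@EXAMPLE\.COM$",
     "nsSaslMapBaseDNTemplate": "ou=Service,dc=example,dc=com",
     "nsSaslMapFilterTemplate": "(uid=\\1)",
     "nsSaslMapPriority": 10},
    {"cn": "people",
     "nsSaslMapRegexString": r"^(.*)@EXAMPLE\.COM$",
     "nsSaslMapBaseDNTemplate": "ou=People,dc=example,dc=com",
     "nsSaslMapFilterTemplate": "(uid=\\1)",
     "nsSaslMapPriority": 50},
]

# Constructed stand-in for the directory: (base DN, uid) -> entry DN.
DIRECTORY = {
    ("ou=People,dc=example,dc=com", "alice"): "uid=alice,ou=People,dc=example,dc=com",
    ("ou=Service,dc=example,dc=com", "backup"): "uid=backup,ou=Service,dc=example,dc=com",
}


def lookup(base_dn, ldap_filter):
    """Toy search that only understands filters of the form (uid=value)."""
    m = re.fullmatch(r"\(uid=([^)]+)\)", ldap_filter)
    if not m:
        return None
    return DIRECTORY.get((base_dn, m.group(1)))


def resolve_sasl_identity(identity, mappings, fallback):
    """Return the bind DN for a SASL identity, or None if the bind would fail.

    fallback=False models the earlier behaviour: only the first mapping whose
    regex matches is consulted, and if it yields no entry the bind fails.
    fallback=True models nsslapd-sasl-mapping-fallback: every matching mapping
    is tried, in nsSaslMapPriority order, until one yields an entry.
    """
    for mapping in sorted(mappings, key=lambda m: m["nsSaslMapPriority"]):
        match = re.match(mapping["nsSaslMapRegexString"], identity)
        if not match:
            continue
        base_dn = match.expand(mapping["nsSaslMapBaseDNTemplate"])
        ldap_filter = match.expand(mapping["nsSaslMapFilterTemplate"])
        dn = lookup(base_dn, ldap_filter)
        if dn is not None:
            return dn
        if not fallback:
            return None  # first matching mapping failed; nothing else is tried
    return None


if __name__ == "__main__":
    for ident in ("alice@EXAMPLE.COM", "backup@EXAMPLE.COM", "mallory@EXAMPLE.COM"):
        print(ident, "no fallback ->", resolve_sasl_identity(ident, MAPPINGS, fallback=False))
        print(ident, "fallback    ->", resolve_sasl_identity(ident, MAPPINGS, fallback=True))
```

With fallback off, alice cannot bind at all because the higher-priority service-account mapping matches her identity first and finds nothing; with fallback on, the people mapping is tried next and succeeds, while an identity that matches no entry anywhere still fails.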
SASL mechanism control for authentication
In some environments, many SASL mechanisms are available but only certain ones are preferred. The nsslapd-allowed-sasl-mechanisms attribute allows you to define a specific mechanism on a server allowed for authentication.
Command-line replication monitoring
Red Hat Directory Server 10.0 has the ability to produce a CLI-based report for monitoring replication. The repl-monitor.pl script accepts both command-line parameters and a configuration file to report easily parsable information, including Replica Root, Max CSN, Time Lag, or Update Status.
Improvements to the logconv.pl script
When using the LDAP_DEBUG_TIMING access log level to collect microsecond etime timing, logconv.pl is now able to read this data and calculate statistics with microsecond resolution.
Instead of previously used flat files for temporary storage when analyzing large access logs, logconv.pl now uses Berkeley DB files using the perl DB_File module and tied hashes and arrays, which considerably improves the script's performance on large logs.
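As an added example of the kind of statistics logconv.pl now computes (this is not the script itself nor code from Red Hat), the following reads access log lines with microsecond etime values, pairs each RESULT with its operation by connection and operation number, and aggregates per operation type. The log excerpt is constructed; the timestamp, conn/op, err, etime and notes=U fields follow the access log layout.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed access log excerpt with microsecond etime values. notes=U marks
# an unindexed search, the case the per-attribute ID list scan limit targets.
SAMPLE_ACCESS_LOG = """\
[27/Feb/2015:10:00:00 -0500] conn=7 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[27/Feb/2015:10:00:00 -0500] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000143
[27/Feb/2015:10:00:00 -0500] conn=7 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs=ALL
[27/Feb/2015:10:00:00 -0500] conn=7 op=2 RESULT err=0 tag=101 nentries=1 etime=0.001250
[27/Feb/2015:10:00:01 -0500] conn=8 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(cn=*)" attrs=ALL
[27/Feb/2015:10:00:03 -0500] conn=8 op=1 RESULT err=0 tag=101 nentries=5000 etime=2.500000 notes=U
[27/Feb/2015:10:00:04 -0500] conn=9 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[27/Feb/2015:10:00:04 -0500] conn=9 op=1 RESULT err=49 tag=97 nentries=0 etime=0.000020
"""

OP_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?P<kind>BIND|UNBIND|SRCH|ADD|MOD|DEL|MODRDN|CMP|EXT)\b"
)
# etime is accepted with or without a fractional part, so whole-second
# logs from servers without LDAP_DEBUG_TIMING still parse.
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) .*?"
    r"etime=(?P<etime>\d+(?:\.\d+)?)(?P<rest>.*)"
)


def etime_stats(log_text):
    """Pair every RESULT line with its operation by (conn, op) and aggregate
    etime per operation type. Decimal keeps the microsecond digits exact
    instead of going through binary floating point."""
    kinds = {}
    stats = defaultdict(lambda: {"count": 0, "total_us": 0, "max_us": 0, "errors": 0, "unindexed": 0})
    for line in log_text.splitlines():
        op = OP_RE.search(line)
        if op:
            kinds[(op["conn"], op["op"])] = op["kind"]
            continue
        res = RESULT_RE.search(line)
        if not res:
            continue
        kind = kinds.pop((res["conn"], res["op"]), "UNKNOWN")
        micros = int(Decimal(res["etime"]) * 1_000_000)
        s = stats[kind]
        s["count"] += 1
        s["total_us"] += micros
        s["max_us"] = max(s["max_us"], micros)
        if res["err"] != "0":
            s["errors"] += 1
        if "notes=U" in res["rest"]:
            s["unindexed"] += 1
    return dict(stats)


def mean_etime_us(stats, kind):
    """Average etime in microseconds for one operation type, or None if unseen."""
    s = stats.get(kind)
    return s["total_us"] / s["count"] if s and s["count"] else None


if __name__ == "__main__":
    result = etime_stats(SAMPLE_ACCESS_LOG)
    for kind, s in sorted(result.items()):
        print(f"{kind:7} n={s['count']} mean={mean_etime_us(result, kind):.0f}us "
              f"max={s['max_us']}us errors={s['errors']} unindexed={s['unindexed']}")
```

Pairing by (conn, op) rather than by line order matters on a busy server, where operations from many connections interleave; the unindexed counter is the quick way to spot the searches that the ID list scan limit feature above is meant to address.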
WinSync plug-in improvements for an easier way to configure data to be synchronized
With the new winSyncSubtreePair parameter, it is now possible to configure synchronization between multiple subtree pairs. To do this, specify winSyncSubtreePair multiple times to define the required Directory Server (DS) and Active Directory (AD) subtrees.
Two new parameters offer an easier way to configure which users or groups are synchronized with WinSync: the winSyncDirectoryFilter parameter sets a filter on DS, and the winSyncWindowsFilter parameter sets a filter on the AD server. These filters then select the data to be synchronized.
For more information, see the related documentation in the Administration Guide.
POSIX WinSync SID enhancements
The WinSync plug-in has been enhanced to allow more control over which users and groups are synchronized, as well as automatically converting non-POSIX users from Active Directory into POSIX users in Directory Server.
Better control over the MODDN and MODRDN operations
With the enhanced Access Control Instructions (ACIs), it is possible to define a source tree and a destination tree, allow or deny the MODDN and MODRDN operations, and also specify the source and destination targets in the same ACI. You can, for example, enable users to move an entry from one part of the tree to another, but at the same time forbid them to move an entry from or to other parts of the tree. You can also forbid users to delete or add entries.
Root DSE searches no longer display operational attributes by default
Running the ldapsearch utility with the -s base -b "" options now displays only the user attributes and not the operational attributes. Previously, a root DSE search displayed all attributes by default. To ensure compatibility with earlier versions, you can use the nsslapd-return-default-opattr attribute in the root DSE.
Improved behavior of the remove-ds-admin.pl script
When remove-ds-admin.pl is used to remove all Directory Servers and Admin Server, the script now replaces the following configuration files with their defaults saved in a backup directory: httpd.conf, console.conf, admserv.conf, and nss.conf. This way, a subsequent installation picks these files up seamlessly.
Additionally, when the -a (all) parameter is not used, the following files containing security information are preserved: cert8.db, key3.db, secmod.db, and password.conf.
The uniqueness plug-in now supports enforcing unique values across sets of attributes
Previously, Directory Server only supported configuring unique values for a single attribute. As a consequence, administrators were not able to enforce unique values across different attributes. The uniqueness-attribute-name is now multi-valued. As a result, you are now able to enforce unique values across sets of attributes. For further details, see the corresponding section in the Directory Server Administration Guide.