Chapter 5. Red Hat Directory Server 12.0

This section contains information related to installing Directory Server 12.0, including prerequisites and platform requirements.

5.1. System requirements

Supported platforms for Directory Server

Red Hat supports Directory Server 12.0 only on Red Hat Enterprise Linux 9.0 built for AMD64 and Intel 64 architectures.

Directory Server 12.0 is supported running on a Red Hat Enterprise Linux virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run Red Hat Enterprise Linux? solution article.

Supported platforms for the Directory Server user interface in the web console

Red Hat supports the browser-based Directory Server user interface in the web console in the following environments:

Operating system               Browser
Red Hat Enterprise Linux 9.0   Mozilla Firefox 91.8.0 and later
                               Chrome 88 and later
Windows Server 2016 and 2019   Mozilla Firefox 91.8.0 and later
                               Chrome 88 and later
Windows 10                     Mozilla Firefox 91.8.0 and later
                               Microsoft Edge 88 and later
                               Chrome 88 and later

Supported platforms for the Windows Synchronization utility

Red Hat supports the Windows Synchronization utility for Active Directory running on:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016

5.2. Highlighted updates and new features

This section documents new features and important updates in Directory Server 12.0.

Directory Server 12.0 is based on upstream version 2.0.14

Directory Server 12.0 is based on upstream version 2.0.14, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 9.0 Release Notes:

5.3. Bug fixes

This section describes bugs fixed in Directory Server 12.0 that have a significant impact on users.

Manually changing the entry cache configuration now works correctly in the web console.

By default, Directory Server uses automatic cache tuning. However, previously you could not disable the automatic cache tuning setting in the web console and manually set the desired entry cache configuration. This update fixes the problem and, as a result, you can now manually configure the entry cache in the web console.

Fixed typos in different parts of the web console

Previously, different parts of the web console contained mistakes in the text fields. As a consequence, incorrect information messages were displayed to a user. This update fixes the issue and the web console now shows the correct text messages.

Changing the configuration of several plug-ins now works correctly in the web console

Previously, when you tried to change the configuration of a plug-in using the web console, an incorrect error message was displayed, or a loading indicator did not disappear. Consequently, you could not save a new configuration or did not know whether the configuration was saved successfully. The following plug-ins were affected:

  • Posix Winsync plug-in
  • Referential Integrity plug-in
  • RootDN Access Control plug-in
  • Retro Changelog plug-in

This update fixes the issue. As a result, you can now configure these plug-ins using the web console as expected.

Changelog export now works as expected in the web console

Previously in the web console, when exporting the changelog for debugging purposes, you could select both options: Decode Base64 changes and Only Export CSNs. However, only the Export CSNs option was taken into account. In this release, it is possible to check only one of the options, and the changelog is exported according to the selected one as expected.

Configuring credentials and naming aliases for the replication topology report now works correctly in the web console

Previously, you could not set the credentials or naming aliases for the replication topology report using the web console because fields in the pop-up windows Add Report Credentials and Add Report Alias, where you needed to enter the required information, were not writable. In this release, the fields in the pop-up windows are writable, and you can set the report credentials, or configure the naming aliases as expected.

The Directory Server web console now validates logging configuration values

Previously, the Directory Server web console accepted invalid values for different types of logs on the Logging page. As a consequence, an error occurred when the user tried to save the settings. This update adds the validation for the logging configuration values. As a result, the web console does not accept invalid input.

Attributes on the Schema page are no longer editable after using the search feature

Previously, after searching for an attribute in the Schema page of the Directory Server web console, a Cascading Style Sheet (CSS) misconfiguration caused the attribute to be editable. With this update, the edit function is now disabled.

Enabling the DNA plug-in no longer fails

Previously, an attempt to enable the Distributed Numeric Assignment (DNA) plug-in in the Directory Server web console failed and resulted in a browser error. With this update, enabling the DNA plug-in works as expected.

Adding a configuration entry in the Account Policy plug-in no longer fails

Previously, an attempt to add a configuration entry in the Account Policy plug-in sometimes failed with an error. To fix the problem, this update disables the Create Config button if the Shared Config DN value is not specified.

Import from an LDIF file with replication metadata now works correctly

Previously, importing an LDIF file with replication metadata could cause the replication to fail in certain cases:

In the first case, a replication update vector (RUV) entry placed before the suffix entry in an imported LDIF file was ignored. As a consequence, the replication with the imported replica failed, because of a generation ID mismatch. This update ensures that Directory Server writes the skipped RUV entry at the end of the import.

In the second case, a changelog reinitialized after an RUV mismatch did not contain the starting change sequence numbers (CSNs). As a consequence, the replication with the imported replica failed because of a missing CSN in the changelog. This update ensures that Directory Server creates the RUV maxcsn entries when reinitializing the changelog.

As a result, with this update, administrators do not have to reinitialize the replication after importing from an LDIF file that contains replication metadata.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 9.0 Release Notes:

5.4. Technology Previews

This section documents unsupported Technology Previews in Directory Server 12.0.

The Directory Server web console provides an LDAP browser as a Technology Preview

An LDAP browser has been added to the Directory Server web console. Using the LDAP Browser tab in the web console, you can:

  • Browse the directory
  • Manage entries, such as users, groups, organizational units (OUs), and custom entries
  • Manage ACI

Note that Red Hat provides this feature as an unsupported Technology Preview.

5.5. Known issues

This section documents known problems and, if applicable, workarounds in Directory Server 12.0.

Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/

The dsconf backend import command requires that you specify the path to the LDIF file you want to import. However, due to file system and SELinux permissions, as well as other operating system restrictions, Directory Server can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, the import fails with an error similar to the following:

Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)

To work around this problem:

  1. Move the file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:

    # mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
  2. Set permissions that allow the dirsrv user to read the file:

    # chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
  3. Restore the SELinux context:

    # restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
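The workaround above as a reusable helper, added here as an example and not part of the Red Hat documentation: it checks whether an LDIF file already sits in the importable directory, stages it there (move, ownership, SELinux context) when it does not, and only then calls dsconf. The dsconf invocation form, the instance name and the file names are assumptions or constructed sample values; the staging step needs root on the Directory Server host.

```shell
#!/bin/bash
# Added example (not from the release notes): stage an LDIF file into the only
# directory Directory Server 12.0 can import from, then run the import.
# Assumes the chown, restorecon and dsconf commands of a RHEL 9 host; instance
# name and file paths below are constructed sample values.
set -eu

# Directory the import must read from, for a given instance name.
ldif_dir() {
    printf '/var/lib/dirsrv/slapd-%s/ldif\n' "$1"
}

# Return 0 if PATH already lives in the importable directory of INSTANCE.
ldif_path_is_importable() {
    local instance=$1 path=$2
    case "$path" in
        "$(ldif_dir "$instance")"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Move FILE into place if needed, make it readable by the dirsrv user, restore
# the SELinux context, and print the path dsconf should be given. Needs root.
stage_ldif() {
    local instance=$1 file=$2 dest
    dest="$(ldif_dir "$instance")/$(basename "$file")"
    if ! ldif_path_is_importable "$instance" "$file"; then
        mv "$file" "$dest"
    fi
    chown dirsrv "$dest"
    restorecon -Rv "$(ldif_dir "$instance")" >/dev/null
    printf '%s\n' "$dest"
}

# Stage FILE and import it into BACKEND of INSTANCE (assumed dsconf syntax).
# Usage: import_ldif instance_name userRoot /tmp/example.ldif
import_ldif() {
    local instance=$1 backend=$2 file=$3 dest
    dest=$(stage_ldif "$instance" "$file")
    dsconf -D "cn=Directory Manager" ldap://localhost backend import "$backend" "$dest"
}
```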

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 9.0 Release Notes:

5.6. Removed functionality

This section documents functionality that has been removed in Directory Server 12.0.

The nsslapd-subtree-rename-switch parameter has been removed

Previously, administrators could configure Directory Server to prevent moving entries between sub-trees in a database. Due to stability issues, this feature has been removed and, consequently, the nsslapd-subtree-rename-switch parameter no longer exists. As a result, moving entries between sub-trees can no longer be deactivated. As an alternative, if you require this feature, create an access control instruction (ACI).
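An example of the ACI alternative mentioned above, added here and not part of the Red Hat documentation: a rule that denies moving entries out of one subtree, which is the effect the removed parameter used to provide. It assumes the target_from keyword and the export right of the Directory Server ACI syntax, an ldapmodify client bound over LDAPI, and uses constructed DNs; Directory Manager is never subject to ACIs, and Red Hat generally recommends allow rules over deny rules, so scope the rule as narrowly as the deployment permits.

```shell
#!/bin/bash
# Added example (not from the release notes): block MODDN out of a subtree with
# an ACI, as a stand-in for the removed nsslapd-subtree-rename-switch.
# Assumes the target_from / export ACI keywords of Directory Server and an
# ldapmodify client; suffix, subtree and instance name are sample values.
set -eu

# Print an LDIF modification adding a deny-export ACI on SUFFIX for SUBTREE.
# "export" is the right checked on the source entry of a move operation.
subtree_lock_aci() {
    local suffix=$1 subtree=$2
    cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (target_from="ldap:///$subtree")(version 3.0; acl "Keep entries under $subtree"; deny (export) userdn="ldap:///anyone";)
EOF
}

# Apply the ACI as local root over the instance's LDAPI socket (SASL EXTERNAL).
# Usage: apply_subtree_lock dc=example,dc=com ou=People,dc=example,dc=com
apply_subtree_lock() {
    subtree_lock_aci "$1" "$2" |
        ldapmodify -H ldapi://%2Frun%2Fslapd-instance_name.socket -Y EXTERNAL -Q
}
```

After applying it, verify with a non-privileged bind that a modrdn with a new superior outside the subtree is refused, while renames within the subtree still succeed.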