Highlighted features and updates related to Red Hat Directory Server 9.0
Copyright © 2011 Red Hat, Inc.
1. Deprecated Documentation
2. New in Red Hat Directory Server 9.0
2.1. New: Renaming Subtrees and Moving to a New Parent
2.2. New: Introducing the Managed Entries Plug-in to Create Pairs of Entries
2.3. New: Introducing the Account Policy Plug-in to Define Time-Based Account Inactivation
2.4. Enhanced: 20-Way Multi-Master Replication
2.5. Enhancement: Separate Resource Limits for Simple Paged Results
2.6. New: Attributes for Samba Interoperability with the Retro Changelog
nsslapd-attribute, have been added to the Retro Changelog Plug-in to better integrate Directory Server with other applications, like Samba. The
nsslapd-attributeattribute explicitly includes Directory Server attributes in the retro changelog entries; this enables operational attributes (normally excluded from replication) to be included in changelog entries and available to other servers.
2.7. Enhanced: Added Global Entry USN Count
entryusnattribute on the entry was updated.
2.8. Enhanced: DNA Plug-in Handles Multiple Attributes in Same Range
2.9. Enhanced: Added Option to Have Separate Fractional Replication List for Total Updates
nsDS5ReplicatedAttributeListTotal, which sets a second list of attributes to exclude from replication, specifically from a total update. This allows different attributes to be excluded from a regular, incremental update than a total update. Very large attributes — like certificates or binary attributes — can be excluded from a regular update, but included in total updates when data consistency is more important than performance.
memberofplug-in. memberOf fixup tasks are run after every replication update, and this causes negatively affects server performance.
memberofattribute to being replicated only for total updates improves the performance of replica initialization and replication.
2.10. Enhanced: New Options and Procedures to Set up Secure Connections
- Procedures have been added to allow administrators how to disable selected SASL mechanisms.
- Procedures have been added to disable SSLv3 and require TLS connections only.
- A new attribute has been added to allow the Directory Server to be restarted with an expired certificate. This means that the server can still run and operate until the expired certificate is replaced.
2.11. New: Added Support for the CoS merge-schemes Qualifier
2.12. New: Added SELinux Policies
2.13. New: Replication Session Hooks
3. System Requirements
3.1. Required JDK
3.2. Perl Prerequisites
/usr/bin/perlfor both 32-bit and 64-bit versions of Red Hat Directory Server.
3.4. Software Conflicts
3.5. Directory Server Supported Platforms
- Red Hat Enterprise Linux 6 x86 (32-bit)
- Red Hat Enterprise Linux 6 x86_64 (64-bit)
3.6. Directory Server Console Supported Platforms
- Red Hat Enterprise Linux 6 i386 (32-bit)
- Red Hat Enterprise Linux 6 x86_64 (64-bit)
- Microsoft Windows Server 2008 R2 (32-bit)
- Microsoft Windows Server 2008 R2 (64-bit)
3.7. Windows Sync Service Platforms
- Active Directory on Microsoft Windows Server 2008 R2 (32-bit)
- Active Directory on Microsoft Windows Server 2008 R2 (64-bit)
3.8. Web Application Browser Support
- Firefox 3.x
- Microsoft Internet Explorer 6.0 and higher
4. Installing Directory Server 9.0
4.1. Installing the JDK
yum install java-1.6.0-openjdk
4.2. Obtaining Packages
yum install redhat-ds* redhat-idm-console
- Go to http://access.redhat.com.Downloading packages from Red Hat Network requires specific entitlements for the account for the 9.0 release.
- Click the Downloads tab, and select the Red Hat Enterprise Linux channels.
- Set the product to filter for Red Hat Directory Server.
- Select the architecture.
- Open the Downloads tab, and begin downloading the ISO.
- Install the packages using
ls *.rpm | egrep -iv -e devel -e debuginfo | xargs rpm -ivh
PassSync.msiinstaller is available in the WinSync package in the Directory Server channel, through the Downloads tab, same as the ISO image. Download this file to the Windows machine, and then double-click the icon and go through the installer.
4.3. Running setup-ds-admin.pl
setup-ds-admin.plscript to configure the new Directory Server and Admin Server instances. For example:
setup-ds-admin.plscript options and the Directory Server configuration interface.
4.4. Upgrading to Directory Server 9.0
- Stop the Directory Server and Admin Server.
service dirsrv-admin stop service dirsrv stop
- Back up all the Directory Server user and configuration data. For example:
cd /usr/lib/dirsrv/slapd-instance_name db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2011_04_30_16_27_56
- Tar (almost) all of the files and directories for the original Directory Server 8.2 instance.The
httpd.conffiles should not be included since the new versions of these files should always be used. Additionally, these tar files don't contain the error and access log files. These files are not necessary for upgrading an instance but can be stored separately.
ImportantMake sure that partition where the tar file is created has enough space to store all of the configuration and data.
[root@server1 ~]# cd / [root@server1 ~]# tar cpjf rhds-upgrade.tar.bz2 -C / --no-recursion --exclude httpd.conf --exclude admserv.conf etc/sysconfig/dirsrv* etc/dirsrv/slapd-* etc/dirsrv/slapd-*/* etc/dirsrv/slapd-*/schema/* var/run/dirsrv var/lock/dirsrv/slapd-* var/log/dirsrv/slapd-* var/lib/dirsrv/slapd-* var/lib/dirsrv/slapd-*/* var/lib/dirsrv/slapd-*/ldif/* var/lib/dirsrv/slapd-*/db/* var/lib/dirsrv/slapd-*/db/*/* etc/dirsrv/admin-serv etc/dirsrv/admin-serv/* var/log/dirsrv/admin-serv var/lib/dirsrv/slapd-*/cldb/* usr/lib/dirsrv/slapd-*
cldblocation assumes that the changelog is located in the default changelog directory. If the changelog is in a different location, use the appropriate directory. If replication is not enabled, this directory can be omitted.
- On the new machine which will host Directory Server, install or upgrade the Directory Server 9.0 packages. For example:
yum install redhat-ds
- Copy over the tar file to the new machine.
- Open the root directory, and then unpack the tar file. For example:
cd / tar xfjp /path/to/rhds-upgrade.tar.bz2
- Make sure that the new Directory Server instance is not running.
service dirsrv-admin stop service dirsrv stop
- Run the
setup-ds.plcommand in offline mode to upgrade only the Directory Server configuration. This performs all of the basic setup required to perform any schema or data changes.For example:
setup-ds.pl -u -s General.UpdateMode=offline
- Start the servers.
service dirsrv-admin start service dirsrv start
- Run the
setup-ds-admin.pl -uscript to update the configuration. Make sure that the Directory Server and Admin Server are running when the script is run.
- Update syntaxes and the enable syntax checking.In 8.2, syntax checking is available, but disabled by default, while a new 9.0 instance has syntax checking enabled by default. Syntax validation checks every modification to attributes to make sure that the new value has the required syntax for that attribute type, so this is a beneficial configuration attribute to use to ensure data quality.
- Run the
syntax-validate.plPerl script to validate and, if necessary, correct any syntax errors in the migrated 8.2 data.
/usr/lib64/dirsrv/instance_name/syntax-validate.pl -D "cn=directory manager" -w secret -b "dc=example,dc=com"
- Enable syntax checking for the migrated server.
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 dn: cn=config changetype: modify replace: nsslapd-syntaxcheck nsslapd-syntaxcheck: on
- Verify that the directory databases have been successfully migrated. Directory Server 9.0 normalizes DN syntax during the upgrade import process. Make sure that the upgraded database is functional and contains all the data before deleting the backups.Search an entry which could contain escaped characters; the DNs should be updated. For example, for a DN which was previously
/usr/lib64/mozldap/ldapsearch -b "dc=example,dc=com" '(cn=\"*\")' entrydn dn: cn=If the search results are correctly escaped, the original database backend instance directory can be removed.
a\3Dabc\2Cx\3Dxyz,dc=example,dc=com entrydn: cn=a\3dabc\2cx\3dxyz,dc=example,dc=com
5. Basic Information about Red Hat Directory Server
The Directory Server and Admin Server instances are started and stopped using basic service command line tools. For example, on Red Hat Enterprise Linux:
service dirsrv-admin start service dirsrv start
service dirsrv startstarts all instances of the Directory Server on the host machine. To start a single instance, use the name of the instance in the command:
service dirsrv start example
To start the Directory Server Console, run the
-woptions and to give the URL to the Admin Server using the
redhat-idm-console -u "cn=Directory Manager" -w secret -a http://ldap.example.com:9830
These are the default port numbers for the Directory Server and Admin Server:
- The standard LDAP port is
- The secure (SSL) LDAPS port is
- The Admin Server port is
Red Hat Directory Server 9.0 conforms to the Filesystem Hierarchy Standards. For more information on FHS, see the FHS homepage, http://www.pathname.com/fhs/. The files and directories installed with Directory Server are listed in the tables below for each supported platform.
Table 1. Basic Directory Locations
|File or Directory||Location|
|Configuration files|| |
|Instance directory|| |
/usr/lib/dirsrv/slapd-instance on 32-bit systems
/usr/lib64/dirsrv/slapd-instance on 64-bit systems
|Certificate and key databases||/etc/dirsrv/slapd-instance|
|Runtime files|| |
Directory Server supports all international charactersets by default because directory data is stored in UTF-8. UTF-8 characters are fully supported for all DNs and DN components. Web services can be customized to display charactersets other than UTF-8, though UTF-8 and Latin-1 are the default for Directory Server web applications.
6. Bugs Fixed in 9.0
Table 2. List of Bugs Fixed in 9.0
|151705||The Admin Server Console is hard-coded to set all TLS ciphers to enabled. Disabling the TLS ciphers through the Console is not saved, and the ciphers are re-enabled when the Admin Server is restarted.|
Directory Server stores entry IDs in an ID list in a duplicate btree. If the ID list is very long, the internal database uses internal pages to sort the entries. When verifying database data, Berkeley DB's verify function returns out-of-order key errors because the database verification does not differentiate between the duplicate btree ID list and the main tree entry pages. The database, then, incorrectly tries to compare the main database page to itself rather than the duplicate ID btree. This affects Directory Server client tools such as
This issue has been fixed in BerkeleyDB 4.8.26. However, the fix will not be available for Red Hat Enterprise Linux 4 and is not yet available for Red Hat Enterprise Linux 5. It will be addressed for Red Hat Enterprise Linux 5 systems in later errata.
|494944|| If a |
|505722||An Active Directory group with a mail attribute could not be synced over to Directory Server.|
|522055||If an entry was moved outside the scope of the Linked Attributes Plug-in, the linked attributes were still updated.|
|596521||Import operations encounter fatal failures on some environments when trying to create an index for more than 200 attributes.|
|616850|| An |
|618897||The Directory Server Console could not manage certificates if there were several instances configured on a machine with different system user IDs, even if they used the same group account.|
|623118||A simple paged search went into an infinite loop if the search base had a subsuffix.|
|668619||A high volume of TCP traffic could cause the slapd process to quit responding to clients.|
|694336|| When synchronizing groups, Directory Server added the |
|694571||Editing a replication agreement to use SASL/GSS-API could fail with GSS-API errors in the error log.|
|695779|| Adding a |
|697694||In multi-master replication with a hub, the update operation is async, done in separate threads. The msgid corresponding to a request may not be sent to the right thread, which caused "Bad parameter to an LDAP routine" errors. This causes hard failures to eventually propagate up and halt replication with fatal errors.|
|706179|| If an administrator created a new object class and selected the |
|711679||Attempting to delete a VLV on a consumer could cause the server and the Directory Server Console to hang.|
|711906||The ns-slapd process segfaulted if suffix referrals were enabled.|
|714310||If a chained database was replicated, the server could segfault during the import operation of replication setup.|
|716980||If an entry was modified on RHDS and the corresponding entry was deleted on the Windows side, the sync operation attempts to pull an old version of the entry from a private file, resulting in sync using the wrong entry.|
|718303||Intensive update loads on master servers could break the cache on the consumer server, causing it to crash.|
|720059||Adding an entry with an RDN containing a percent sign (%) can caused the server to crash.|
|725953||Directory Server user entries with a comma in the CN failed to sync over to Active Directory.|
|729817||If a synced user subtree on Windows was deleted and then a user password was changed on the RHDS, the DS would crash.|
|735217||Doing a simple paged results search against a subtree that used IP- or DNS-based ACIs hung the server.|
|740959||Importing a CA certificate through the Directory Server Console imported the certificate into the Admin Server certificate database, not the Directory Server certificate database.|
7. Known Issues
Table 3. Known Issues in Directory Server 9.0
|158369||The sync attribute mapping for groups includes a number of attributes that are not actually legal on group objects, such as l, ou, and o. If someone creates an ntGroup entry with any of these attributes that is not an ou, the sync'ed entry add will fail on Active Directory because of a schema violation.|
|182509||The changelog used for replication stores passwords in clear text in order to replicate them. In some contexts, this could be a security risk.|| |
Enable fractional replication and specifically exclude the
nsds5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword
|190862||Global syntax checking attributes should be enforced if the settings aren't configured in the local password policy. However, if both global and local password policies are configured, the global policies aren't being enforced as the default.|| |
|191772||If the configuration Directory Server is unavailable, Admin Express shows an internal server error. The task to access the Admin Express web page cannot be authenticated, so the attempt to open the page fails.|
|510182||If the DNA Plug-in was triggered during an account creation or update operation but that operation fails, the DNA counter is still incremented. This means that there is a gap in the range, where the number is used up but not assigned to an entry attribute.|
|628911|| If a subtree-level rename operation is performed on a subtree which contains either groups or group member entries, the || Run a memberof fixup task or the |
|667943|| Restarting the Directory Server hangs if a pipe file is present but the |
|712202|| If a replication agreement is configured with an unresolvable hostname, it returns a generic error rather than an indication that the hostname cannot be resolved:
[09/Jun/2011:14:21:21 -0400] slapi_ldap_bind - Error: could not send bind request for id [(anon)] mech [EXTERNAL]: error -1 (Can't contact LDAP server) 0 (unknown) 0 (Success)
|Change the password policy attributes from the command line.|
|712845||The Directory Server Console does not allow you to set password policy-related time (such as expiration time or user change time) in hours, minutes, or seconds.||Change the password policy attributes from the command line.|
|727659|| If a || Remove the space from the DN in the |
|There are a lot of problems associated with trying to load certificates on hardware security modules (HSMs) using the Directory Server Console. Some of these are related to SELinux policies which restrict access to HSMs, and some are due to problems in the Directory Server Console or the Admin Server, which can throw exceptions or fail to generate requests or certificates.|| Use NSS tools such as |
|732079|| Upgrading the server fails if the Directory Server user is || The Directory Server should run as the system user |
|737144|| At least one font must be installed on a system before the Directory Server Console can be launched. Otherwise, the Console fails to open, with a fatal error:
Exception in thread "main" java.lang.Error: Probable fatal error:No fonts found. at sun.font.FontManager.getDefaultPhysicalFont(FontManager.java:1088)However, because no specific font is required, no font package is listed as a dependency for the Directory Server Console packages.
|Install any font package before installing the Directory Server Console packages.|
|743702|| The |
[05/Oct/2011:10:07:28 -0400] - slapd stopped. [05/Oct/2011:10:07:42 -0400] - 389-Directory/22.214.171.124 B2011.276.2240 starting up [05/Oct/2011:10:07:42 -0400] - cache_init: slapi counter is not available. [05/Oct/2011:10:07:42 -0400] - ldbm_instance_create: cache_init failed
| The |
|743703||The Directory Server cannot run on the same machine as an NFS share. The Directory Server will stop servicing client requests.||Remove any NFS mount points on the server.|
|757773||If two Directory Server instances are installed on the same machine and both have SSL enabled, the Directory Server Console cannot be used to managed certificates and can lead to a state where any LDAP operations performed through the Directory Server Console are applied to both instances. The Directory Server Console only accepts the standard SSL port, 636, but the instances must have unique ports. When the Directory Server Console is used for the instance with the non-standard port, it resets the server's port number to 636, and eventually begins applying changes to both instances because the Console connects to both over the same port.|| |
|757836|| The |