Chapter 23. Authentication and Interoperability

Change in keep alive entry logging level

Keep-alive entries are used to prevent skipped updates from being evaluated multiple times in fractional replication. If a large number of updates are skipped, these entries can be updated very frequently. Also, each entry is tested to see if it already exists before the update, so that only unique entries are created.
This test was previously logged at the Fatal level, which caused error logs to be filled with unnecessary messages that could not be filtered out. This update changes the logging level for keep alive entries from Fatal to Replication debugging (8192), and the entries can now be filtered out. (BZ#1314557)

The cleanAllRUV task no longer logs false attrlist_replace errors

A memory corruption bug in the cleanAllRUV task was causing attrlist_replace error messages to be logged by mistake. The task has been updated to use a different function for memory copying, and it no longer writes false error messages to logs. (BZ#1288229)

Connection objects no longer deadlock

Previously, an unnecessary lock was sometimes acquired on a connection object, which could then cause a deadlock. A patch has been applied to remove the unnecessary locking, and the deadlock no longer occurs. (BZ#1278755)

Abandon requests for simple paged results searches no longer cause a crash

Prior to this update, Directory Server could receive an abandon request for a simple paged results search after the abandon check was completed but before the results were fully sent. In this case, the abandon request was processed while the results were being sent, which caused Directory Server to crash. This update adds a lock which prevents abandon requests from being processed while the results are already being sent, and the crash no longer occurs. (BZ#1278567)

Simple paged results search slots are now correctly released after a failure

Previously, if a simple paged results search failed in the back end, the simple paged results slot was not released. Consequently, multiple simple paged results slots could be accumulated in a connection object. With this update, the simple paged results slot is released correctly when a search fails, and unused simple paged results slots are no longer left in a connection object. (BZ#1290242)

DES to AES password conversion must now be done manually on suffixes other than cn=config

When Directory Server starts, all stored passwords that are reversibly encrypted with the Data Encryption Standard (DES) algorithm are automatically converted to the more secure Advanced Encryption Standard (AES) algorithm. DES-encrypted passwords were previously detected using an internal unindexed search, which was too slow for very large user databases and in some cases caused the startup process to time out, preventing Directory Server from starting. With this update, only the configuration suffix cn=config is checked for DES passwords at startup, and a new slapi task, des2aes, is available, which administrators can run after starting the server to convert the passwords in a specific database to AES. As a result, the server starts regardless of the size of its user databases. Note that DES-encrypted passwords in a user suffix remain DES-encrypted until the task is run against that suffix. (BZ#1342609)

Deleting a back end database no longer causes deadlocks

Transaction information was previously not passed to one of the database helper functions during back end deletion. Consequently, a deadlock occurred if a plug-in attempted to access data in the area locked by the transaction. This update ensures that transaction information is passed to all necessary database helper functions, and the deadlock no longer occurs. (BZ#1273555)

Deleting and adding the same LDAP attribute now correctly updates the equality index

Previously, when several values of the same LDAP attribute were deleted using the ldapmodify command, and at least one of them was added again during the same operation, the equality index was not updated. As a consequence, an exact search for the re-added attribute value did not return that entry. The logic of the index code has been modified to update the index if at least one of the values in the entry changes, and the exact search for the re-added attribute value now returns the correct entry. (BZ#1290600)
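The following is an added, simplified in-memory model written for this note; it is not 389-ds-base code. It reproduces the sequence the note describes (delete several values of an attribute, re-add one of them in the same operation) against an equality index, and contrasts a per-mod index update, which loses the re-added value, with a diff-based update that compares the entry before and after the whole operation. The entry, attribute values and mod list are constructed sample data.

```python
"""In-memory model of an LDAP equality index across one modify operation.

Added example: a simplified model written for this note, not 389-ds-base
code. It shows why deleting several values of an attribute and re-adding
one of them in the same ldapmodify operation must leave the re-added
value indexed, and how computing the index delta from the entry before
and after the whole operation achieves that.
"""

from collections import defaultdict


def build_index(entries):
    """Build an equality index: attr -> normalised value -> set of entry IDs."""
    index = defaultdict(lambda: defaultdict(set))
    for eid, entry in entries.items():
        for attr, values in entry.items():
            for value in values:
                index[attr][value.lower()].add(eid)
    return index


def apply_mods(entry, mods):
    """Apply ldapmodify-style mods, e.g. ("delete", "mail", [...]) and
    ("add", "mail", [...]), to a copy of the entry and return the result."""
    new = {attr: set(values) for attr, values in entry.items()}
    for op, attr, values in mods:
        if op == "delete":
            new.setdefault(attr, set()).difference_update(values)
        elif op == "add":
            new.setdefault(attr, set()).update(values)
        else:
            raise ValueError("unsupported mod type: %s" % op)
    return new


def update_index_per_mod(index, eid, old, mods):
    """Per-mod update (models the old, broken behaviour): every delete removes
    the ID from the index key, but an add skips values that already existed
    in the entry before the operation, so a value that is deleted and re-added
    in one operation disappears from the index."""
    for op, attr, values in mods:
        for value in values:
            key = value.lower()
            if op == "delete":
                index[attr][key].discard(eid)
            elif op == "add" and value not in old.get(attr, set()):
                index[attr][key].add(eid)


def update_index_by_diff(index, eid, old, new):
    """Diff-based update (models the fixed behaviour): compare the entry before
    and after the whole operation and touch the index only for values whose
    membership actually changed. A value present both before and after is
    left alone, so it stays indexed."""
    for attr in set(old) | set(new):
        before = {v.lower() for v in old.get(attr, set())}
        after = {v.lower() for v in new.get(attr, set())}
        for key in before - after:
            index[attr][key].discard(eid)
        for key in after - before:
            index[attr][key].add(eid)


def exact_search(index, attr, value):
    """Equality search (attr=value) served from the index alone."""
    return set(index[attr].get(value.lower(), set()))


# Constructed sample: one entry with two mail values; the operation deletes
# both and re-adds the first one, the sequence described in the note.
ENTRIES = {1: {"mail": {"alice@example.com", "a.smith@example.com"}}}
MODS = [
    ("delete", "mail", ["alice@example.com", "a.smith@example.com"]),
    ("add", "mail", ["alice@example.com"]),
]


def run(fixed):
    """Apply MODS to entry 1 and return the result of mail=alice@example.com."""
    index = build_index(ENTRIES)
    old = ENTRIES[1]
    new = apply_mods(old, MODS)
    if fixed:
        update_index_by_diff(index, 1, old, new)
    else:
        update_index_per_mod(index, 1, old, MODS)
    return exact_search(index, "mail", "alice@example.com")


if __name__ == "__main__":
    print("per-mod index update:", run(fixed=False))   # set(): entry not found
    print("diff-based update:   ", run(fixed=True))    # {1}: entry found
```

The diff-based variant is also the safer one to reason about: the index ends up consistent with the stored entry regardless of how the mods were ordered or grouped, which is what an exact search relies on.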

Abandon requests in simple paged results searches no longer cause deadlocks

An exclusive connection lock was previously added as part of a bug fix related to abandon requests in simple paged results searches. However, in specific circumstances, this new lock causes a self-deadlock. This update makes the lock reentrant, and self-deadlocks no longer occur during simple paged results searches. (BZ#1295947)

Simple paged results searches no longer return 0 instead of the actual results

Previously, when a simple paged results slot in a connection was discarded due to an error such as SIZELIMIT_EXCEEDED, the discarded slot was not cleaned up properly. Subsequent searches which reused this slot then always returned 0. With this update, discarded simple paged results slots are cleaned up correctly, and searches return correct results even with reused slots. (BZ#1331343)

ACL plug-in no longer crashes due to missing pblock object

When a persistent search (psearch) was launched by a bind user without sufficient permissions, the access-permissions object in the cache was not reset to point from the initial pblock structure to the permanent structure. As a consequence, the access control list (ACL) plug-in could crash the server because of the missing pblock object. This update ensures that the object is reset to the permanent structure, and Directory Server no longer crashes in this situation. (BZ#1302823)

Replication changelog no longer incorrectly skips updates

A bug in the changelog iterator buffer caused it to point to an incorrect position when reloading the buffer. This caused replication to skip parts of the changelog, and consequently some changes were not replicated. This bug has been fixed, and replication data loss due to an incorrectly reloaded changelog buffer no longer occurs. (BZ#1321124)

Old schema styles can now correctly be used with single quotes

Starting with version 1.3.2, the 389-ds-base packages comply with the schema definition described in RFC 4512. Schema written in that form cannot be used by older versions of the server. To ease migration from previous versions, the nsslapd-enquote-sup-oc parameter was introduced. However, the implementation of this parameter had a bug which prevented it from handling old-style schema that uses single quotes, such as:
This bug is now fixed, and you can use single quotes with older schema styles.
Additionally, this update introduces the LDAP_SCHEMA_ALLOW_QUOTES environment variable which adds support for older style schema in the schema directory. To enable this functionality, set the following variable in the /etc/sysconfig/dirsrv-INSTANCE configuration file:

Password conversion from DES to AES now works properly

During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, the password conversion failed with LDAP error 32 (noSuchObject) if any defined back end was missing its top (suffix) entry. Additionally, even if the conversion failed, 389-ds-base still disabled the DES plug-in, which caused the existing DES-encrypted passwords to fail to decode.
This bug has been fixed, 389-ds-base now ignores errors when searching back ends for passwords to convert, and the DES plug-in is now only disabled after all passwords are successfully converted to AES. (BZ#1320715)

Keep-alive entries no longer break replication

Previously, a keep-alive entry was being created at too many opportunities during replication, potentially causing a race condition when adding the entry to the replica changelog and resulting in operations being dropped from the replication. With this update, unnecessary keep-alive entry creation has been eliminated, and keep-alive entries no longer cause missing operations during replication. (BZ#1307151)

Failed replication updates are now retried correctly in the next session

If a replica update failed on the consumer side and was followed by another update that succeeded, the consumer's replication status was updated by the successful update, which caused the consumer to seem as if it was up to date. Consequently, the failed update was never retried, leading to data loss. With this update, a replication failure closes the connection and stops the replication session. This prevents further updates from changing the consumer's replication status, and allows the supplier to retry the failed operation in the next session, avoiding data loss. (BZ#1310848)
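As an added illustration of the replication behaviour described above (written for this note, not 389-ds-base code), the model below runs a supplier-to-consumer session over a constructed changelog in which one update fails once. The consumer reports the highest CSN it has processed as its status; the only difference between the two strategies is whether the session stops at the first failure or keeps sending.

```python
"""Model of a supplier-to-consumer replication session with a failing update.

Added example written for this note; it is not 389-ds-base code. Updates are
identified by increasing CSNs (here plain integers). The consumer reports the
highest CSN it has processed as its replication status, and the supplier
resends every change above that status in the next session. The two
strategies below differ only in what happens after an update fails.
"""


class Consumer:
    def __init__(self, fail_on=()):
        self.applied = []             # CSNs whose update succeeded, in order
        self.status = 0               # highest CSN reported back to the supplier
        self._fail_on = set(fail_on)  # constructed transient errors: fail once, then succeed

    def apply(self, csn):
        """Apply one update; return False on a (transient) failure."""
        if csn in self._fail_on:
            self._fail_on.discard(csn)
            return False
        self.applied.append(csn)
        return True


def run_session(consumer, pending, stop_on_failure):
    """Send the pending updates in CSN order. Returns the number sent."""
    for sent, csn in enumerate(pending, 1):
        if consumer.apply(csn):
            consumer.status = max(consumer.status, csn)
        elif stop_on_failure:
            # fixed behaviour: close the connection; status stays at the last
            # successful CSN, so the failed update is still pending next time
            return sent
        # old behaviour: keep going; a later success advances the status past
        # the failed CSN and the supplier never resends it
    return len(pending)


def replicate(changelog, consumer, stop_on_failure, max_sessions=10):
    """Run sessions until the consumer reports it is up to date."""
    for _ in range(max_sessions):
        pending = [csn for csn in changelog if csn > consumer.status]
        if not pending:
            break
        run_session(consumer, pending, stop_on_failure)
    return sorted(consumer.applied)


# Constructed changelog of three updates; the second one fails once on the consumer.
CHANGELOG = [101, 102, 103]


def missing_updates(stop_on_failure):
    """CSNs from CHANGELOG that never reach the consumer under the given strategy."""
    applied = replicate(CHANGELOG, Consumer(fail_on={102}), stop_on_failure)
    return [csn for csn in CHANGELOG if csn not in applied]


if __name__ == "__main__":
    print("continue after failure: ", missing_updates(False))  # [102]: silently lost
    print("stop session on failure:", missing_updates(True))   # []: retried next session
```

The point to take from the model is that the consumer's status must never advance past an update that was not applied; stopping the session is the simplest way to guarantee that, at the cost of one extra session when a transient error occurs.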

The LICENSE file now shows correct license information

Previously, the output of the rpm -qi 389-ds-base command displayed an incorrect License field with an earlier license, GPLv2 with exceptions. This problem has been fixed and the 389-ds-base package now provides the correct license information (the GPLv3+ license) in its LICENSE file. (BZ#1315893)

Passwords reset by administrators are now stored in password history

When a user password was reset by an administrator, the old password was previously not stored in the user's password history. This allowed the user to reuse the same password after the reset. With this update, passwords reset manually by administrators are stored in password history, and the user must use a different password. (BZ#1332709)
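The policy described above, as an added example written for this note (it is not Directory Server code): a small account model with salted PBKDF2 credentials and a bounded password history. The record_old flag on admin_reset models the difference between the old behaviour, where the password replaced by an administrator never entered the history, and the fixed behaviour. The passwords and the history size are constructed values.

```python
"""Password-history check that covers administrator resets.

Added example written for this note, not Directory Server code. Stored
credentials are salted PBKDF2 digests; the history keeps the last few of
them so a user cannot cycle back to an old password. The record_old flag on
admin_reset models the difference between the old behaviour (the replaced
password never entered the history) and the fixed one.
"""

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 20_000  # illustrative; tune to your hardware in real use


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, history_size=3):
        self.current = None    # (salt, digest) of the password in use
        self.history = []      # previous (salt, digest) pairs, oldest first
        self.history_size = history_size

    def _matches_previous(self, password):
        """True if password equals the current one or any one in the history."""
        candidates = ([self.current] if self.current else []) + self.history
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in candidates)

    def _store(self, password, record_old):
        if record_old and self.current is not None:
            self.history.append(self.current)
            self.history = self.history[-self.history_size:]
        salt = os.urandom(16)
        self.current = (salt, _digest(password, salt))

    def user_change(self, new_password):
        """Self-service change: enforces the history policy."""
        if self._matches_previous(new_password):
            raise ValueError("password was used recently")
        self._store(new_password, record_old=True)

    def admin_reset(self, new_password, record_old=True):
        """Administrative reset. record_old=False reproduces the old behaviour,
        where the password being replaced was not written to the history."""
        self._store(new_password, record_old=record_old)


def reuse_after_reset(record_old):
    """Constructed scenario: a user picks a password, an admin resets it, and the
    user tries to go back to the original. Returns True if the reuse is accepted."""
    account = Account()
    account.user_change("Winter2016!")
    account.admin_reset("Temp-Reset-1", record_old=record_old)
    try:
        account.user_change("Winter2016!")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("reset not recorded:", reuse_after_reset(False))  # True: old password comes back
    print("reset recorded:    ", reuse_after_reset(True))   # False: rejected
```

Note that the history holds digests, not plaintext, and each candidate is re-derived with its own salt; that is what makes the comparison safe to keep around for the length of the history window.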

Entries rejected by multiple plug-ins no longer show up in searches

Previously, when an entry was rejected by multiple back end transaction plug-ins (for example, Auto Membership or Managed Entry) at the same time, the entry cache was left in an inconsistent state. This allowed a search to return the entry even though it was not added. With this update, the entry cache which stores the Distinguished Name (DN) of the entry is properly cleaned up when an add operation fails, and rejected entries are no longer returned by ldapsearch. (BZ#1304682)

Running db2index with no options no longer causes replication failures

When running the db2index script with no options, the script failed to handle on-disk Replica Update Vector (RUV) entries because these entries have no parent entries. The existing RUV was skipped and a new one was generated instead, which subsequently caused the next replication to fail due to an ID mismatch. This update fixes handling of RUV entries in db2index, and running this script without specifying any options no longer causes replication failures. (BZ#1340307)

Directory Server no longer crashes when attempting to remove a busy database

Previously, attempting to remove a back end database using the console while an import was in progress caused Directory Server to crash. With this update, the removal script first checks if the back end is busy, and only proceeds if it is safe to remove. Directory Server therefore no longer crashes in this situation. (BZ#1355760)

Promoting a consumer to a master no longer fails due to duplicate ID errors

Previously, when a consumer instance was promoted to master, a new element was appended to the end of the replica update vector (RUV). However, when attempting to replicate from the newly promoted master, the remote checked the first element of the RUV instead of the last one, which caused it to abort the replication session due to a duplicate ID. With this update, the RUV is reordered when promoting a replica to a master, and replication from masters which were previously replicas no longer fails. (BZ#1278987)

nsslapd now correctly sets its working directory

A regression introduced in an earlier bug fix caused nsslapd to skip setting its working directory (the nsslapd-workingdir attribute) by default when it was started by systemd. This bug has been fixed and the working directory is being set during startup again. (BZ#1360447)

The IdM upgrade script now runs successfully

Previously, the Identity Management (IdM) server upgrade script failed to detect a version change. As a consequence, upgrading an IdM server failed. This bug has been fixed and the upgrade now succeeds. (BZ#1290142)

The libkadm5* libraries have been moved to the libkadm5 package

In Red Hat Enterprise Linux 7.3, the libkadm5* libraries have been moved from the krb5-libs to the new libkadm5 package. As a consequence, yum is not able to downgrade the krb5-libs package automatically. Before downgrading, remove the libkadm5 package manually:
# rpm -e --nodeps libkadm5
After you have manually removed the package, use the yum downgrade command to downgrade the krb5-libs package to a previous version. (BZ#1347403)

Single sign-on now works correctly in trusts with multiple AD forest root domains

Previously, if Identity Management (IdM) established a trust to two different Active Directory (AD) forests which trust each other, and IdM was set up in a DNS subdomain of one of them, the other AD forest reported a name suffix routing conflict between IdM and AD. As a consequence, single sign-on failed between IdM and the AD forest that identified the name routing conflict. A procedure now detects such conflicts when you establish the trust. If you provide the AD administrator credentials when establishing the trust, an exclusion entry is automatically created to resolve the name suffix routing conflict. As a result, single sign-on works as expected if IdM is deployed in a DNS subdomain of an AD forest. (BZ#1348560)

Upgrading from Red Hat Enterprise Linux 7.2 to 7.3 no longer fails due to certain multilib SSSD packages

The sssd-common and sssd-krb5-common packages, provided as part of the System Security Services Daemon (SSSD), no longer support multiple architectures. Previously, when the packages were installed in both 32-bit and 64-bit versions, upgrading from Red Hat Enterprise Linux 7.2 to 7.3 failed. To fix this problem, the 32-bit versions of sssd-common and sssd-krb5-common have been removed from Red Hat Enterprise Linux 7.3. This ensures that the upgrade succeeds. (BZ#1360188)

OpenLDAP now correctly applies NSS TLS settings

Previously, the OpenLDAP server handled the code that applies Network Security Services (NSS) TLS settings incorrectly. As a consequence, the settings were not applied, which caused certain TLS options, such as olcTLSProtocolMin, not to work. This update fixes the bug, and the affected options now work as expected. (BZ#1249093)

The sudo command now works correctly when using Kerberos with a smart card

Previously, the pam_krb5 module closed too many file descriptors during fork operations. As a consequence, sudo commands for users authenticating with Kerberos and a smart card failed if the user's password entry was not found within the first 4096 characters of the /etc/passwd file. This bug has been fixed, the Name Service Switch (nsswitch) libraries can use their file descriptors again, and sudo works correctly. (BZ#1263745)

The Certificate System restores support for the PKCS#10 extension in CSRs

Previously, the certificate signing request (CSR) generated during Certificate System installation with an externally signed certificate did not contain the PKCS#10 extensions that some external certificate authorities (CAs) require. With this update, Certificate System creates the CSR with a default set of extensions, including Basic Constraints and Key Usage, plus any user-defined extensions. (BZ#1329365)

The IdM CA service now starts correctly on IPv6-only installations

Previously, on systems configured only for IPv6, the pki-tomcat service was incorrectly bound to the IPv4 loopback address during Identity Management (IdM) installation. As a consequence, the certificate authority (CA) service failed to start. The IdM installer now binds pki-tomcat to the IPv6 loopback address on IPv6-only systems. As a result, the CA service starts correctly. (BZ#1082663)

The pki command now displays revocation details

With this update, the pki subcommands cert-show and cert-find now display information about revoked certificates, such as the following:
  • revocation date
  • revoked by (BZ#1224382)

ipa-replica-install --setup-dns no longer creates DNS zones for DNS names that already exist in DNS

Previously, using the --setup-dns option with the ipa-replica-install utility always created a DNS zone equal to the primary Identity Management (IdM) domain name as well as zone names for IdM servers, even if such DNS zones already existed on another DNS server. This caused certain problems on the client side if multiple DNS servers incorrectly acted as authoritative servers for a domain. To fix this problem, IdM no longer creates DNS zones if they already exist on other DNS servers. The IdM installer properly detects the conflict, and the installation fails in this situation. (BZ#1343142)

The idmap_hash module now works correctly when used with other modules

Previously, the idmap_hash module worked incorrectly when it was used together with other modules. As a consequence, user and group IDs were not mapped properly. A patch has been applied to skip already configured modules. Now, the hash module can be used as the default idmap configuration back end and IDs are resolved correctly. (BZ#1316899)

CRL generation now logs fewer messages when the CA loses its connection to the netHSM

Previously, when a CA lost its connection to a Thales netHSM, certificate revocation list (CRL) generation could enter a loop caused by the unavailability of a dependent component, such as the HSM or LDAP, in the middle of CRL generation. Consequently, the process generated a large number of debug log messages until the CA was restarted. This update slows down the retry loop, significantly reducing the number of debug messages generated in the described scenario. (BZ#1308772)

KRA no longer fails to recover keys when installed with a Gemalto Safenet LunaSA HSM

Previously, the Red Hat Certificate System key recovery authority (KRA) subsystem failed to recover keys if installed with a Gemalto Safenet LunaSA hardware security module (HSM). A patch has been applied, and recovery now works as expected when the HSM is set to non-FIPS mode. (BZ#1331596)

Directory Server's process size is now lower and more stable

Previously, Directory Server used the default memory allocator provided in the glibc library. This allocator was not efficient enough to handle the Directory Server's malloc() and free() patterns. Consequently, the Directory Server's memory usage was sometimes very high, which could cause the Out of Memory (OOM) Killer to kill the ns-slapd process. With this update, Directory Server uses the tcmalloc memory allocator. As a result, the Directory Server's process size is significantly lower and more stable. (BZ#1186512)

ns-slapd now correctly prompts for a PIN when the pin.txt file is not found

In previous releases, 389-ds-base did not display a prompt asking for the PIN if the pin.txt file was not found, because systemd captures the standard input and output that 389-ds-base was attempting to use. With this update, 389-ds-base detects during startup whether it is running under systemd and, if so, uses the systemd API to display the password prompt. Directory Server can therefore be started without a pin.txt file, which allows administrators to avoid storing the NSS database password on the system. (BZ#1316580)

Replication agreement update status now includes details about replication agreement failures

The replication agreement update status previously displayed only a generic message after an error occurred, which made troubleshooting the replication agreement failure difficult. Now, the update status includes a detailed error message. As a result, all replication agreement update failures are correctly and precisely logged. (BZ#1370300)

IdM now uses larger default lock table size value

Previously, the number of locks for the Identity Management (IdM) database was too low. As a consequence, updating a large number of group membership attributes could fail. The default lock table size has been increased from 10000 to 100000 to address this issue. As a result, updating a large number of group membership attributes no longer fails. (BZ#1196958)

The ipa-server-certinstall command no longer fails to install an externally signed certificate

Previously, using the ipa-server-certinstall command to install an externally signed certificate had the following problems:
  • The previous certificate was not untracked in the Certificate System.
  • The new external certificate was tracked by the Certificate System.
  • The first certificate found in the NSS database was used.
As a consequence, the ipa-server-certinstall command failed to install a new certificate for the LDAP and web server when it was signed by an external certificate authority (CA) and the services could not be started. The command has been fixed, and now only tracks certificates issued by the Identity Management (IdM) CA. As a result, the new certificate is installed correctly and the LDAP and web server no longer fail to start in the described scenario. (BZ#1294503)

sudo rules now work correctly when default_domain_suffix is set or when including a fully-qualified name

Previously, the sudo utility did not correctly evaluate a sudo rule in these situations:
  • When the default_domain_suffix option was used in the /etc/sssd/sssd.conf file
  • When the sudo rule used a fully-qualified user name
As a consequence, the sudo rule did not work. With this update, the System Security Services Daemon (SSSD) modifies sudo rules so that sudo evaluates them correctly in the described situation. (BZ#1300663)

The proxy configuration has been removed from the SSSD default configuration file

Previously, the System Security Services Daemon's (SSSD) /usr/lib64/sssd/conf/sssd.conf default configuration file used an auto-configured domain to proxy all requests to the /etc/passwd and /etc/group files. This proxy configuration failed to integrate with other utilities like realmd or ipa-client-install. To fix the incompatibilities, the [domain/shadowutils] proxy configuration has been removed and SSSD now works correctly. (BZ#1369118)

Show, find, and export operations in the sss_override utility now work correctly

Red Hat Enterprise Linux 7.3 introduced local overrides to the System Security Services Daemon (SSSD). Due to a regression, sss_override commands failed if an override was created without the -n option. The bug has been fixed and now sss_override works correctly. (BZ#1373420)

ipa commands no longer fail when the user does not have a home directory in IdM

Previously, when Identity Management (IdM) was unable to create a cache directory at ~/.cache/ipa in the home directory, all ipa commands failed. This situation occurred, for example, when the user did not have a home directory. With this update, IdM is able to continue working even when it cannot create or access the cache. Note that in such situations, ipa commands can take a long time to complete because all metadata must be downloaded repeatedly. (BZ#1364113)

Displaying help for the IdM command-line interface no longer takes unexpectedly long

When the user executes the ipa utility with the --help option, ipa gathers the required information from plug-ins and commands. Previously, the plug-ins and commands were Python modules. With this release, ipa generates the plug-ins and commands based on a schema downloaded from the server.
Because of this, displaying the help sometimes took significantly longer than in the previous version of Identity Management (IdM), especially if the help included lists of topics and commands. This bug has been fixed, which reduces the time required to execute ipa with --help. (BZ#1356146)

Running commands on servers with an earlier version of IdM no longer takes unexpectedly long

When a user on an Identity Management (IdM) client running IdM version 4.4 executes a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which previously prolonged the time required to invoke commands on servers running an earlier version of IdM. If the user executed a new command introduced in IdM 4.4, it sometimes even seemed that the operation would not complete at all, because the server did not recognize the command. This bug has been fixed, and executing IdM commands in the described situation no longer takes unexpectedly long. (BZ#1357488)

Tree-root domains in a trusted AD forest are now marked as reachable through the forest root

When an Active Directory (AD) forest contained tree-root domains (a separate DNS domain), Identity Management (IdM) sometimes failed to correctly route authentication requests to the tree-root domain's domain controllers. Consequently, users from a tree-root domain failed to authenticate against services hosted in IdM. This update fixes the bug, and users from a tree-root domain can authenticate as expected in this situation. (BZ#1318169)

The IdM web UI shows certificates issued by sub-CAs as expected

To display the certificates issued by a certificate authority (CA), the IdM web UI uses the ipa cert-find command to query the CA name, and then the ipa cert-show command. Previously, ipa cert-show did not use the CA name. As a consequence, attempting to display the details page for a certificate issued by a sub-CA failed with an error in the web UI. This bug has been fixed, and the web UI now displays the details pages for certificates as expected. (BZ#1368424)

certmonger no longer fails to request certificates from IdM sub-CAs

The certmonger service previously used incorrect API calls to request certificates from IdM sub-Certificate Authorities (sub-CAs). As a consequence, the sub-CA setting was ignored and the certificate was always issued by the IdM root CA. This update fixes the bug, and certmonger now requests certificates from IdM sub-CAs as expected. (BZ#1367683)

Adding an IdM OTP token with a custom key works as expected

When the user executed the ipa otptoken-add command with the --key option to add a new one-time password (OTP) token, the Identity Management (IdM) command line converted the token key provided by the user incorrectly. Consequently, the OTP token created in IdM was invalid, and attempts to authenticate using the OTP token failed. This update fixes the bug, and OTP tokens created in this situation are valid. (BZ#1368981)

Importing an Administrator Certificate into the web browser is now possible using the EE page

Previously, importing a Certificate System Administrator Certificate into the web browser using the EnrollSuccess.template failed with this error:
Error encountered while rendering a response.
With this update, you can import the certificate by following these steps:
1. Stop the pki-tomcatd service:
systemctl stop pki-tomcatd@pki-tomcat.service
2. Edit the /etc/pki/pki-tomcat/ca/CS.cfg file to include the following:
3. Start the pki-tomcatd service:
systemctl start pki-tomcatd@pki-tomcat.service
4. Create a new Firefox profile.
5. Go to the End Entity (EE) page, and select the Retrieval tab.
6. Import the CA certificate and configure it as a trusted certificate.
7. Within the new Firefox profile, go to, and fill out the form.
8. A new Administrator Certificate source is generated. Import it into the new Firefox profile.
To verify that the certificate was imported successfully, use it to go to the Agents page. (BZ#1274419)