For details, see the Red Hat Directory Server Errata Support Policy document.

The hardware requirements are based on tests run with the following prerequisites:

Directory Server cannot be installed on any system that has a Red Hat Enterprise Linux Identity Management (IdM) server installed. Likewise, no Red Hat Enterprise Linux IdM server can be installed on a system with a Directory Server instance.

Consider the following information if you want to migrate an existing Directory Server 10 environment to Directory Server 11.

New command-line utilities in Directory Server 11

Directory Server 11 provides new command line utilities to manage server instances and users. These utilities replace the Perl scripts used for management tasks in Directory Server 10 and earlier versions.

For a list of commands in previous versions and their replacements in Directory Server 11, see the Command-line utilities replaced in Red Hat Directory Server 11 appendix in the Red Hat Directory Server Installation Guide.

The Directory Server 11 default password storage scheme was changed to PBKDF2-SHA512

Directory Server 11 now uses the PBKDF2-SHA512 scheme as a default password storage scheme, which is more secure than SSHA, SSHA512, and other schemes. Therefore, if some of your applications, such as freeradius, do not support the PBKDF2-SHA512 scheme, and you must set a weaker password storage scheme back, note that Directory Server updates user passwords not only when an application adds or modifies the user entry, but also during a successful bind operation. However, you can disable an update on bind operations by setting the nsslapd-enable-upgrade-hash parameter in the cn=config entry to off.

Migration procedure

For a procedure about migrating Directory Server 10 to Directory Server 11, see the corresponding chapter in the Red Hat Directory Server Installation Guide.

Learn about new features and important updates in Directory Server 11.8.

Directory Server rebased to version 1.4.3.37

The 389-ds-base packages have been upgraded to upstream version 1.4.3.37.

Important updates and new features in the 389-ds-base packages

The Red Hat Directory Server features that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.9 Release Notes:

Learn about bugs fixed in Directory Server 11.8 that have a significant impact on users.

(BZ#2246307)

(BZ#2245946)

(BZ#2215296)

(BZ#22245690)

(BZ#2211690)

(BZ#2172258)

(BZ#2219559)

(BZ#2101473)

Bug fixes in the 389-ds-base packages

The Red Hat Directory Server bug fixes that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.9 Release Notes:

Learn about known problems and, if applicable, workarounds in Directory Server 11.8.

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.

(BZ#2153668)

(BZ#1654281)

To work around this problem, run the COMPACT_CL5 task manually:

$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"

(BZ#2245042)

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063033)

Learn about new features and important updates in Directory Server 11.7.

Directory Server rebased to version 1.4.3.34

The 389-ds-base packages have been upgraded to upstream version 1.4.3.34.

Important updates and new features in the 389-ds-base packages

The Red Hat Directory Server features that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.8 Release Notes:

Learn about bugs fixed in Directory Server 11.7 that have a significant impact on users.

The ns-slapd binary is now linked with the thread-safe libldap_r library, no longer causing segmentation fault

An upstream change in the build system introduced a regression by linking the ns-slapd binary with the non thread-safe libldap library instead of the thread-safe libldap_r. Consequently, the ns-slapd process could fail with a segmentation fault. This update fixes the problem with the build system code and the ns-slapd binary is now linked back with the thread-safe libldap_r library. As a result, the segmentation fault no longer occurs.

(BZ#2268138)

Directory Server now flushes the entry cache less frequently

Previously, Directory Server flushed its entry cache even when it was not necessary. As a result, in certain situations, Directory Server was unresponsive and had bad performance. With this update, Directory Server flushes the entry cache only when it is necessary.

(BZ#2268136)

Bug fixes in the 389-ds-base packages

The Red Hat Directory Server bug fixes that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.8 Release Notes:

Learn about known problems and, if applicable, workarounds in Directory Server 11.7.

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.

(BZ#2153668)

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

(BZ#1654281)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063033)

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

(BZ#2101473)

Known issues in the 389-ds-base packages

Red Hat Directory Server known issues that affect 389-ds-base packages are documented in Red Hat Enterprise Linux 8.8 8.8 Release Notes:

Here you can find recommended hardware and software requirements for Directory Server 11.6.

This section documents new features and important updates in Directory Server 11.6.

Directory Server rebased to version 1.4.3.31

The 389-ds-base packages have been upgraded to upstream version 1.4.3.31.

LDAP browser is now fully supported

With this enhancement, you can manage LDAP entries from the LDAP Browser tab in the web console. For example, you can:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.7 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.6.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

(BZ#1654281)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063140)

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

(BZ#2101473)

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.7 Release Notes:

This section contains information related to installing Directory Server 11.5, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.5.

Directory Server rebased to version 1.4.3.28

The 389-ds-base packages have been upgraded to upstream version 1.4.3.28 which provides a number of bug fixes and enhancements over the previous version:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section documents unsupported Technology Previews in Directory Server 11.5.

The Directory Server web console provides an LDAP browser as Technology Preview

An LDAP browser has been added to the Directory Server web console. Using the LDAP Browser tab in the web console, you can:

Note that Red Hat provides this feature as an unsupported Technology Preview.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.5.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section contains information related to installing Directory Server 11.4, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.4.

Directory Server rebased to version 1.4.3.27

The 389-ds-base packages have been upgraded to upstream version 1.4.3.27, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section describes bugs fixed in Directory Server 11.4 that have a significant impact on users.

The dsconf utility no longer fails when using LDAPS URLs

Previously, the dsconf utility did not correctly resolve TLS settings for remote connections. As a consequence, even if the certificate configuration was correct, using dsconf with a remote LDAPS URL failed with an certificate verify failed error. The dsconf connection code has been fixed. As a result, using remote LDAPS URLs with dsconf now works as expected.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.4.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section contains information related to installing Directory Server 11.3, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.3.

Directory Server rebased to version 1.4.3.16

The 389-ds-base packages have been upgraded to upstream version 1.4.3.16, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.4 Release Notes:

This section describes bugs fixed in Directory Server 11.3 that have a significant impact on users.

The lib389 library no longer fails to delete entries discovered by the Account object

Previously, the _protected flag of the Account object in the lib389 Directory Server library was enabled. As a consequence, delete operations failed. This update sets the flag to False. As a result, the library no longer fails if you delete or rename entries discovered by the Account object.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.4 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.3.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

This section contains information related to installing Directory Server 11.2, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.2.

Directory Server rebased to version 1.4.3.8

The 389-ds-base packages have been upgraded to upstream version 1.4.3.8, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.3 Release Notes:

This section describes bugs fixed in Directory Server 11.2 that have a significant impact on users.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.3 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.2.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

This section contains information related to installing Directory Server 11.1, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.1.

Directory Server rebased to version 1.4.2.4

The 389-ds-base packages have been upgraded to upstream version 1.4.2.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

A health check feature has been added to Directory Server

This enhancement adds a health check feature to Directory Server. The dsctl healthcheck command performs read-only operations on a Directory Server instance and reports, for example, if the instance is configured properly or if replication agreements are working correctly.

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section describes bugs fixed in Directory Server 11.1 that have a significant impact on users.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.1.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section documents features that have been removed from Directory Server 11.1.

The nunc-stans framework has been removed

The nunc-stans framework has been removed from Directory Server, and the server now uses the improved core connection handling mechanism in Directory Server.

If you previously enabled the framework manually, Directory Server logs the following warning:

WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans is on. nunc-stans has been deprecated and this flag is now ignored.
WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans should be set to off or deleted from cn=config.

To prevent Directory Server from logging this warning, remove the nsslapd-enable-nunc-stans from the cn=config entry:

$ ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
delete: nsslapd-enable-nunc-stans

This section contains information related to installing Directory Server 11.0, including prerequisites and platform requirements.

This section documents new features and important updates in Directory Server 11.0.

Directory Server introduces new command-line utilities to manage instances

Red Hat Directory Server 11.0 introduces the dscreate, dsconf, and dsctl utilities. These utilities simplify managing Directory Server using the command line. For example, you can now use a command with parameters to configure a feature instead of sending complex LDIF statements to the server.

The following is an overview of the purpose of each utility:

These utilities replace the Perl and shell scripts marked as deprecated in Directory Server 10. The scripts are still available in the unsupported 389-ds-base-legacy-tools package, however Red Hat only supports managing Directory Server using the new utilities.

Note that configuring Directory Server using LDIF statements is still supported, but Red Hat recommends using the utilities.

For further details about using the utilities, see the Red Hat Directory Server 11 Documentation.

Directory Server now provides a browser-based user interface

This enhancement adds a browser-based interface to Red Hat Directory Server that replaces the Java-based Console used in previous versions. As a result, administrators can now use the Red Hat Enterprise Linux web console to manage Directory Server instances using a browser.

For further details, see the Red Hat Directory Server 11 Documentation.

Note that the browser-based user interface does not contain an LDAP browser.

The default value of the nsslapd-unhashed-pw-switch parameter is now off

In certain situations, for example when synchronizing passwords with Active Directory (AD), a Directory Server plug-in must store the unencrypted password on the hard disk. The nsslapd-unhashed-pw-switch configuration parameter determines whether and how Directory Server stores unencrypted passwords. To improve the security in scenarios that do not require plug-ins to store unencrypted passwords, the default value of the nsslapd-unhashed-pw-switch parameter has been changed in Directory Server 11.0 from on to off.

If you want to configure password synchronization with AD, manually enable nsslapd-unhashed-pw-switch on the Directory Server instance that has the Windows synchronization agreement configured:

# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.1 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.0.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.