Release Notes

For details, see the Red Hat Directory Server Errata Support Policy document.

Directory Server cannot be installed on any system that has a Red Hat Enterprise Linux Identity Management (IdM) server installed. Likewise, no Red Hat Enterprise Linux IdM server can be installed on a system with a Directory Server instance.

Consider the following information if you want to migrate an existing Directory Server 10 environment to Directory Server 11.

New command-line utilities in Directory Server 11

Directory Server 11 provides new command line utilities to manage server instances and users. These utilities replace the Perl scripts used for management tasks in Directory Server 10 and earlier versions.

For a list of commands in previous versions and their replacements in Directory Server 11, see the Command-line utilities replaced in Red Hat Directory Server 11 appendix in the Red Hat Directory Server Installation Guide.

The Directory Server 11 default password storage scheme was changed to PBKDF2-SHA512

Directory Server 11 now uses the PBKDF2-SHA512 scheme as a default password storage scheme, which is more secure than SSHA, SSHA512, and other schemes. Therefore, if some of your applications, such as freeradius, do not support the PBKDF2-SHA512 scheme, and you must set a weaker password storage scheme back, note that Directory Server updates user passwords not only when an application adds or modifies the user entry, but also during a successful bind operation. However, you can disable an update on bind operations by setting the nsslapd-enable-upgrade-hash parameter in the cn=config entry to off.

Migration procedure

For a procedure about migrating Directory Server 10 to Directory Server 11, see the corresponding chapter in the Red Hat Directory Server Installation Guide.

Learn about new features and important updates in Directory Server 11.9.

Directory Server rebased to version 1.4.3.39

The 389-ds-base package has been upgraded to upstream version 1.4.3.39.

Important updates and new features in the 389-ds-base package

The Red Hat Directory Server features that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.10 Release Notes:

Learn about bugs fixed in Directory Server 11.9 that have a significant impact on users.

The Directory Server web console no longer shows an exception while trying to display an entry with binary attribute in the LDAP Browser

Previously, when an LDAP entry contained a binary attribute, such as jpegPhoto, userCertificate, the web console displayed an exception when you wanted to see the entry details in the LDAP Browser. With this update, the web console handles entries with binary attributes correctly and the exception no longer appears.

(BZ#2239787)

The Directory Server web console no longer changes attribute names to lowercase characters when attributeTypes are added

Previously, when you added an attribute to an object class by using the web console, the uppercase characters in the attribute name were changed to lowercase characters. With this update, the attribute name case is no longer changed.

(BZ#2257790)

The ns-slapd binary is now linked with the thread-safe libldap_r library, no longer causing segmentation fault

An upstream change in the build system introduced a regression by linking the ns-slapd binary with the non thread-safe libldap library instead of the thread-safe libldap_r. Consequently, the ns-slapd process could fail with a segmentation fault. This update fixes the problem with the build system code and the ns-slapd binary is now linked back with the thread-safe libldap_r library. As a result, the segmentation fault no longer occurs.

(BZ#2264534)

Directory Server now flushes the entry cache less frequently

Previously, Directory Server flushed its entry cache even when it was not necessary. As a result, in certain situations, Directory Server was unresponsive and had bad performance. With this update, Directory Server flushes the entry cache only when it is necessary.

(2268177)

Bug fixes in the 389-ds-base package

The Red Hat Directory Server bug fixes that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.10 Release Notes:

Learn about known problems and, if applicable, workarounds in Directory Server 11.9.

Access log displays an error message during Directory Server installation in FIPS mode

When you install Directory Server in the FIPS mode, the access log file displays the following error message:

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.

(BZ#2153668)

Directory Server web console does not automatically update settings that are changed outside the web console

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if you change the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console window.

(BZ#1654281)

The dsconf utility does not compact the changelog

Currently, the dsconf utility does not compact the replication changelog when you run the dsconf backend compact-db --only-changelog command.

To work around this problem, run the COMPACT_CL5 task manually:

ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"

$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"

(BZ#2245042)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fails. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063033)

Learn about new features and important updates in Directory Server 11.8.

Directory Server rebased to version 1.4.3.37

The 389-ds-base packages have been upgraded to upstream version 1.4.3.37.

Important updates and new features in the 389-ds-base packages

The Red Hat Directory Server features that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.9 Release Notes:

Learn about bugs fixed in Directory Server 11.8 that have a significant impact on users.

Directory Server now uses a backend suffix only if the suffix is defined

Previously, if a backend configuration entry was not associated with a suffix, the server failed at startup. With this update, Directory Server uses a suffix of a backend only if the suffix is defined. As a result, the server no longer fails at startup.

(BZ#2246307)

Directory Server no longer fails after the OS upgrade

Previously, when the nsslapd-conntablesize was present in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server failed to start after the operating system (OS) upgrade. As a result, you had to remove the nsslapd-conntablesize setting from the dse.ldif file before starting the server. With this update, the custom configuration of the connection table size works as expected and Directory Server no longer fails at start.

(BZ#2245946)

RHDS healthcheck no longer reports misleading messages when the suffix is correctly defined

Previously, when you defined a suffix using mixed case or upper case for the nsslapd-backend and nsslapd-directory attributes, the dsctl healthcheck command could report misleading error messages, despite the suffix being correctly defined. With this update, the dsctl healthcheck command no longer reports error messages about the suffix defined using mixed case or upper case.

(BZ#2215296)

The cockpit-389-ds package upgrade now updates the 389-ds-base and python3-lib389 packages

Previously, the cockpit-389-ds package did not specify the version of the 389-ds-base package. As a result, the upgrade of the cockpit-389-ds package alone did not update the 389-ds-base and python3-lib389 packages which could lead to misalignment and compatibility issues between packages. With this update, the cockpit-389-ds package upgrades 389-ds-base and python3-lib389 packages.

(BZ#22245690)

The ds-replcheck now retrieves RUV data

Previously, the ds-replcheck tool reported an error that a supplier had no Replica Update Vector (RUV) entry, even though a direct search on the replica configuration entry showed the RUV data. With this update, the ds-replcheck tool now provides the replication state that indicates if the replication is not fully initialized.

(BZ#2211690)

The ns-slapd process no longer fails when you run the upgradednformat command

Previously, when you upgraded the DN format with the upgradednformat command, the upgradednformat command failed, leading to a problem with disk space. With this update, upgradednformat works as expected.

(BZ#2172258)

You can now select suffixes for export in the RHDS web console

Previously, when you attempted to select a suffix to export in the Database → Backups & LDIFs → LDIFs → Create LDIF, only the first suffix in the drop-down list was available. With this update, you can select the suffix to export.

(BZ#2219559)

A password change for the Directory Server replication manager account now works correctly

Previously, after a password change, Directory Server did not properly update the password cache for the replication agreement. As a consequence, when you changed the password for the replication manager account, the replication failed. With this update, Directory Server updates the cache properly and, as a result, the replication works as expected.

(BZ#2101473)

Bug fixes in the 389-ds-base package

The Red Hat Directory Server bug fixes that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.9 Release Notes:

Learn about known problems and, if applicable, workarounds in Directory Server 11.8.

Access log displays an error message during Directory Server installation in FIPS mode

When you install Directory Server in the FIPS mode, the access log file displays the following error message:

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.

(BZ#2153668)

Directory Server web console does not automatically update settings that are changed outside the web console

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console window.

(BZ#1654281)

The dsconf utility does not compact the changelog

Currently, the dsconf utility does not compact the replication changelog when you run the dsconf backend compact-db --only-changelog command.

To work around this problem, run the COMPACT_CL5 task manually:

ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"

$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"

(BZ#2245042)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063033)

Learn about new features and important updates in Directory Server 11.7.

Directory Server rebased to version 1.4.3.34

The 389-ds-base packages have been upgraded to upstream version 1.4.3.34.

Important updates and new features in the 389-ds-base packages

The Red Hat Directory Server features that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.8 Release Notes:

Learn about bugs fixed in Directory Server 11.7 that have a significant impact on users.

The ns-slapd binary is now linked with the thread-safe libldap_r library, no longer causing segmentation fault

An upstream change in the build system introduced a regression by linking the ns-slapd binary with the non thread-safe libldap library instead of the thread-safe libldap_r. Consequently, the ns-slapd process could fail with a segmentation fault. This update fixes the problem with the build system code and the ns-slapd binary is now linked back with the thread-safe libldap_r library. As a result, the segmentation fault no longer occurs.

(BZ#2268138)

Directory Server now flushes the entry cache less frequently

Previously, Directory Server flushed its entry cache even when it was not necessary. As a result, in certain situations, Directory Server was unresponsive and had bad performance. With this update, Directory Server flushes the entry cache only when it is necessary.

(BZ#2268136)

Bug fixes in the 389-ds-base packages

The Red Hat Directory Server bug fixes that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.8 Release Notes:

Learn about known problems and, if applicable, workarounds in Directory Server 11.7.

Access log displays an error message during Directory Server installation in FIPS mode

When you install Directory Server in the FIPS mode, the access log file displays the following error message:

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

[time_stamp]
- WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the
machine is in FIPS mode. Some functionality won’t work correctly (for
example, users with PBKDF2_SHA256 password scheme won’t be able to log
in). It’s highly advisable to enable TLS on this instance.

Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.

(BZ#2153668)

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

(BZ#1654281)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063033)

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

(BZ#2101473)

Known issues in the 389-ds-base package

Red Hat Directory Server known issues that affect 389-ds-base package are documented in Red Hat Enterprise Linux 8.8 8.8 Release Notes:

This section documents new features and important updates in Directory Server 11.6.

Directory Server rebased to version 1.4.3.31

The 389-ds-base packages have been upgraded to upstream version 1.4.3.31.

LDAP browser is now fully supported

With this enhancement, you can manage LDAP entries from the LDAP Browser tab in the web console. For example, you can:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.7 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.6.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

(BZ#1654281)

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

(BZ#2063140)

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

(BZ#2101473)

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.7 Release Notes:

This section documents new features and important updates in Directory Server 11.5.

Directory Server rebased to version 1.4.3.28

The 389-ds-base packages have been upgraded to upstream version 1.4.3.28 which provides a number of bug fixes and enhancements over the previous version:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section documents unsupported Technology Previews in Directory Server 11.5.

The Directory Server web console provides an LDAP browser as Technology Preview

An LDAP browser has been added to the Directory Server web console. Using the LDAP Browser tab in the web console, you can:

Note that Red Hat provides this feature as an unsupported Technology Preview.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.5.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

Configuring a referral for a suffix fails in Directory Server

If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state

As a consequence, configuring a referral for suffixes fail. To work around the problem:

As a result, with the workaround, you can configure a referral for a suffix.

Directory Server replication fails after changing password of the replication manager account

After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.6 Release Notes:

This section documents new features and important updates in Directory Server 11.4.

Directory Server rebased to version 1.4.3.27

The 389-ds-base packages have been upgraded to upstream version 1.4.3.27, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section describes bugs fixed in Directory Server 11.4 that have a significant impact on users.

The dsconf utility no longer fails when using LDAPS URLs

Previously, the dsconf utility did not correctly resolve TLS settings for remote connections. As a consequence, even if the certificate configuration was correct, using dsconf with a remote LDAPS URL failed with an certificate verify failed error. The dsconf connection code has been fixed. As a result, using remote LDAPS URLs with dsconf now works as expected.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.4.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.5 Release Notes:

This section documents new features and important updates in Directory Server 11.3.

Directory Server rebased to version 1.4.3.16

The 389-ds-base packages have been upgraded to upstream version 1.4.3.16, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.4 Release Notes:

This section describes bugs fixed in Directory Server 11.3 that have a significant impact on users.

The lib389 library no longer fails to delete entries discovered by the Account object

Previously, the _protected flag of the Account object in the lib389 Directory Server library was enabled. As a consequence, delete operations failed. This update sets the flag to False. As a result, the library no longer fails if you delete or rename entries discovered by the Account object.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.4 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.3.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

This section documents new features and important updates in Directory Server 11.2.

Directory Server rebased to version 1.4.3.8

The 389-ds-base packages have been upgraded to upstream version 1.4.3.8, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.3 Release Notes:

This section describes bugs fixed in Directory Server 11.2 that have a significant impact on users.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.3 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.2.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

This section documents new features and important updates in Directory Server 11.1.

Directory Server rebased to version 1.4.2.4

The 389-ds-base packages have been upgraded to upstream version 1.4.2.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

A health check feature has been added to Directory Server

This enhancement adds a health check feature to Directory Server. The dsctl healthcheck command performs read-only operations on a Directory Server instance and reports, for example, if the instance is configured properly or if replication agreements are working correctly.

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section describes bugs fixed in Directory Server 11.1 that have a significant impact on users.

Bug fixes in the 389-ds-base packages

Bug fixes in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.1.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.

Known issues in the 389-ds-base packages

Known issues in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.2 Release Notes:

This section documents features that have been removed from Directory Server 11.1.

The nunc-stans framework has been removed

The nunc-stans framework has been removed from Directory Server, and the server now uses the improved core connection handling mechanism in Directory Server.

If you previously enabled the framework manually, Directory Server logs the following warning:

WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans is on. nunc-stans has been deprecated and this flag is now ignored.
WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans should be set to off or deleted from cn=config.

WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans is on. nunc-stans has been deprecated and this flag is now ignored.
WARN - slapd_daemon - cn=config: nsslapd-enable-nunc-stans should be set to off or deleted from cn=config.

To prevent Directory Server from logging this warning, remove the nsslapd-enable-nunc-stans from the cn=config entry:

ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
delete: nsslapd-enable-nunc-stans

$ ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
delete: nsslapd-enable-nunc-stans

This section documents new features and important updates in Directory Server 11.0.

Directory Server introduces new command-line utilities to manage instances

Red Hat Directory Server 11.0 introduces the dscreate, dsconf, and dsctl utilities. These utilities simplify managing Directory Server using the command line. For example, you can now use a command with parameters to configure a feature instead of sending complex LDIF statements to the server.

The following is an overview of the purpose of each utility:

These utilities replace the Perl and shell scripts marked as deprecated in Directory Server 10. The scripts are still available in the unsupported 389-ds-base-legacy-tools package, however Red Hat only supports managing Directory Server using the new utilities.

Note that configuring Directory Server using LDIF statements is still supported, but Red Hat recommends using the utilities.

For further details about using the utilities, see the Red Hat Directory Server 11 Documentation.

Directory Server now provides a browser-based user interface

This enhancement adds a browser-based interface to Red Hat Directory Server that replaces the Java-based Console used in previous versions. As a result, administrators can now use the Red Hat Enterprise Linux web console to manage Directory Server instances using a browser.

For further details, see the Red Hat Directory Server 11 Documentation.

Note that the browser-based user interface does not contain an LDAP browser.

The default value of the nsslapd-unhashed-pw-switch parameter is now off

In certain situations, for example when synchronizing passwords with Active Directory (AD), a Directory Server plug-in must store the unencrypted password on the hard disk. The nsslapd-unhashed-pw-switch configuration parameter determines whether and how Directory Server stores unencrypted passwords. To improve the security in scenarios that do not require plug-ins to store unencrypted passwords, the default value of the nsslapd-unhashed-pw-switch parameter has been changed in Directory Server 11.0 from on to off.

If you want to configure password synchronization with AD, manually enable nsslapd-unhashed-pw-switch on the Directory Server instance that has the Windows synchronization agreement configured:

dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on

# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on

Highlighted updates and new features in the 389-ds-base packages

Features in Red Hat Directory Server, that are included in the 389-ds-base packages, are documented in the Red Hat Enterprise Linux 8.1 Release Notes:

This section documents known problems and, if applicable, workarounds in Directory Server 11.0.

Directory Server settings that are changed outside the web console’s window are not automatically visible

Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.

The Directory Server Web Console does not provide an LDAP browser

The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.