Chapter 11. Red Hat Directory Server 11.0
11.1. Highlighted updates and new features
This section documents new features and important updates in Directory Server 11.0.
Directory Server introduces new command-line utilities to manage instances
Red Hat Directory Server 11.0 introduces the dscreate, dsconf, and dsctl utilities. These utilities simplify managing Directory Server using the command line. For example, you can now use a command with parameters to configure a feature instead of sending complex LDIF statements to the server.
The following is an overview of the purpose of each utility:
- Use the dscreate utility to create new Directory Server instances using the interactive mode or an INF file. Note that the INF file format is different from the one the installer used in previous Directory Server versions.
- Use the dsconf utility to manage Directory Server instances during run time. For example, use dsconf to:
  - Configure settings in the cn=config entry
  - Configure plug-ins
  - Configure replication
  - Back up and restore an instance
- Use the dsctl utility to manage Directory Server instances while they are offline. For example, use dsctl to:
  - Start and stop an instance
  - Re-index the server database
  - Back up and restore an instance
These utilities replace the Perl and shell scripts that were marked as deprecated in Directory Server 10. The scripts are still available in the unsupported 389-ds-base-legacy-tools package; however, Red Hat supports managing Directory Server only with the new utilities.
Note that configuring Directory Server using LDIF statements is still supported, but Red Hat recommends using the utilities.
For further details about using the utilities, see the Red Hat Directory Server 11 Documentation.
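The following script is an added example and is not taken from the Red Hat documentation. It walks through the three utilities in the order an administrator meets them: it writes a dscreate INF file, creates an instance from it, applies two run-time changes with dsconf, and performs offline maintenance with dsctl. The hostname server.example.com, the instance name example, the suffix dc=example,dc=com, the memberof and audit-log settings and the backup path are assumed values. Because the INF file carries the Directory Manager password in cleartext, the script writes it to a mode 0600 temporary file and deletes it once dscreate has consumed it. The dscreate/dsconf/dsctl commands only run when dscreate is installed, the script runs as root and DM_PASSWORD is set; otherwise it prints the INF it would have used with the password masked.

```shell
#!/bin/sh
# Added example, not from the Red Hat release notes. Creates an instance from
# a dscreate INF file, then configures it online with dsconf and performs
# offline maintenance with dsctl. Hostname, instance name and suffix are
# assumed values; the Directory Manager password is read from DM_PASSWORD.

INSTANCE="${INSTANCE:-example}"
FQDN="${FQDN:-server.example.com}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"

# make_instance_inf INSTANCE FQDN SUFFIX PASSWORD
#   Prints an INF in the 11.0 format (run "dscreate create-template" for the
#   full key list). root_password is the Directory Manager password in
#   cleartext, so never commit this file or leave it on disk.
make_instance_inf() {
    cat <<EOF
[general]
config_version = 2
full_machine_name = $2

[slapd]
instance_name = $1
root_dn = cn=Directory Manager
root_password = $4
port = 389
secure_port = 636
self_sign_cert = True

[backend-userroot]
suffix = $3
sample_entries = no
EOF
}

# create_instance: write the INF to a 0600 temporary file, feed it to
# dscreate, and delete it again so the password does not linger.
create_instance() {
    inf=$(mktemp) || return 1
    chmod 600 "$inf"
    make_instance_inf "$INSTANCE" "$FQDN" "$SUFFIX" "$DM_PASSWORD" > "$inf"
    dscreate from-file "$inf"
    rc=$?
    rm -f "$inf"
    return $rc
}

# configure_online: dsconf changes the running server. Given the instance
# name (instead of an ldap:// URL) as root on the same host, it binds over
# the instance's local ldapi socket, so no password crosses the network.
configure_online() {
    dsconf "$INSTANCE" plugin memberof enable
    dsconf "$INSTANCE" config replace nsslapd-auditlog-logging-enabled=on
    dsconf "$INSTANCE" config get nsslapd-auditlog-logging-enabled
}

# maintain_offline: dsctl works on the stopped instance's files.
maintain_offline() {
    dsctl "$INSTANCE" stop
    dsctl "$INSTANCE" db2index userRoot
    dsctl "$INSTANCE" db2bak "/var/lib/dirsrv/slapd-$INSTANCE/bak/$(date +%Y%m%d)"
    dsctl "$INSTANCE" start
    dsctl "$INSTANCE" status
}

if command -v dscreate >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] && [ -n "${DM_PASSWORD:-}" ]; then
    create_instance && configure_online && maintain_offline
else
    echo "dscreate not available, not root, or DM_PASSWORD unset; INF that would be used:" >&2
    make_instance_inf "$INSTANCE" "$FQDN" "$SUFFIX" "********"
fi
```

Run it as root on the server host with DM_PASSWORD exported in the environment rather than typed on the command line, so the password does not land in the shell history or in process listings. The same dsconf operations can be issued remotely in the form shown elsewhere on this page, `dsconf -D "cn=Directory Manager" ldap://server.example.com ...`, in which case dsconf prompts for the bind password.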
Directory Server now provides a browser-based user interface
This enhancement adds a browser-based interface to Red Hat Directory Server that replaces the Java-based Console used in previous versions. As a result, administrators can now use the Red Hat Enterprise Linux web console to manage Directory Server instances using a browser.
For further details, see the Red Hat Directory Server 11 Documentation.
Note that the browser-based user interface does not contain an LDAP browser.
The default value of the nsslapd-unhashed-pw-switch parameter is now off
In certain situations, for example when synchronizing passwords with Active Directory (AD), a Directory Server plug-in must store the unencrypted password on the hard disk. The nsslapd-unhashed-pw-switch configuration parameter determines whether and how Directory Server stores unencrypted passwords. To improve security in scenarios that do not require plug-ins to store unencrypted passwords, the default value of the nsslapd-unhashed-pw-switch parameter has been changed in Directory Server 11.0 from on to off.
If you want to configure password synchronization with AD, manually enable nsslapd-unhashed-pw-switch on the Directory Server instance that has the Windows synchronization agreement configured:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on
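The rule above, "on only where a Windows synchronization agreement exists", is easy to check against an instance's configuration files, for example on config backups of a fleet. The following POSIX shell audit is an added example and not part of the release notes: it reads a dse.ldif (the file under /etc/dirsrv/slapd-<instance>/ that holds cn=config and the replication agreements), reports the explicit nsslapd-unhashed-pw-switch value, counts entries with objectClass nsDSWindowsReplicationAgreement, and prints a verdict. The three dse.ldif fragments it runs against are constructed for the demonstration, and the verdict strings OK, NEEDS-ON and SHOULD-BE-OFF are this script's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat release notes): audit a dse.ldif offline
# for nsslapd-unhashed-pw-switch and Windows synchronization agreements.
# The dse.ldif fragments written by make_samples are constructed samples.

# audit_unhashed_pw FILE
#   Prints "<switch> <agreements>": the explicit value of
#   nsslapd-unhashed-pw-switch in the cn=config entry ("unset" if absent)
#   and the number of entries with objectClass nsDSWindowsReplicationAgreement.
#   Attribute names and DNs are compared case-insensitively; folded LDIF
#   continuation lines are not joined, which is fine for these short values.
audit_unhashed_pw() {
    awk -F': ' '
        /^dn: / { dn = tolower(substr($0, 5)); next }
        NF >= 2 && tolower($1) == "nsslapd-unhashed-pw-switch" && dn == "cn=config" {
            sw = tolower($2)
        }
        NF >= 2 && tolower($1) == "objectclass" &&
            tolower($2) == "nsdswindowsreplicationagreement" { agreements++ }
        END { printf "%s %d\n", (sw == "" ? "unset" : sw), agreements + 0 }
    ' "$1"
}

# assess_unhashed_pw FILE
#   Applies the release-note rule: "on" is required on an instance that has
#   a Windows synchronization agreement; any value that stores unencrypted
#   passwords ("on", or "nolog") without such an agreement is unnecessary
#   exposure. "unset" is treated as the 11.0 default (off); on an instance
#   created by an older release, confirm the live value with dsconf instead.
assess_unhashed_pw() {
    set -- $(audit_unhashed_pw "$1")
    sw=$1
    agreements=$2
    if [ "$agreements" -gt 0 ] && [ "$sw" != "on" ]; then
        echo "NEEDS-ON"
    elif [ "$agreements" -eq 0 ] && [ "$sw" != "off" ] && [ "$sw" != "unset" ]; then
        echo "SHOULD-BE-OFF"
    else
        echo "OK"
    fi
}

# make_samples DIR
#   Writes three constructed dse.ldif fragments into DIR.
make_samples() {
    cat > "$1/standalone.ldif" <<'EOF'
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-unhashed-pw-switch: off
EOF
    cat > "$1/winsync.ldif" <<'EOF'
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig

dn: cn=example-ad-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: example-ad-sync
nsds5ReplicaHost: ad.example.com
nsds5ReplicaPort: 636
EOF
    cat > "$1/legacy.ldif" <<'EOF'
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-unhashed-pw-switch: on
EOF
}

# Demo: write the samples to a temporary directory and assess each one.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/*.ldif; do
    printf '%-16s %-10s %s\n' "$(basename "$f")" "$(audit_unhashed_pw "$f")" "$(assess_unhashed_pw "$f")"
done
rm -rf "$tmp"
```

The demo prints legacy.ldif as "on 0 SHOULD-BE-OFF", standalone.ldif as "off 0 OK" and winsync.ldif as "unset 1 NEEDS-ON". To check the value the running server actually uses rather than the file on disk, query it with the same dsconf syntax as the command above, replacing `replace nsslapd-unhashed-pw-switch=on` with `get nsslapd-unhashed-pw-switch`.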
Highlighted updates and new features in the 389-ds-base packages
Features in Red Hat Directory Server that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.1 Release Notes.
11.2. Known issues
This section documents known problems and, if applicable, workarounds in Directory Server 11.0.
Directory Server settings that are changed outside the web console’s window are not automatically visible
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console’s window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This also applies if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console’s window.
The Directory Server Web Console does not provide an LDAP browser
The web console enables administrators to manage and configure Directory Server 11 instances. However, it does not provide an integrated LDAP browser. To manage users and groups in Directory Server, use the dsidm utility. To display and modify directory entries, use a third-party LDAP browser or the OpenLDAP client utilities provided by the openldap-clients package.