Chapter 3. Red Hat Directory Server 11.8
Learn about new updates and new features, known issues, and deprecated functionality implemented in Directory Server 11.8.
3.1. Important updates and new features
Learn about new features and important updates in Directory Server 11.8.
Directory Server rebased to version 1.4.3.37
The 389-ds-base packages have been upgraded to upstream version 1.4.3.37.
Important updates and new features in the 389-ds-base packages
The Red Hat Directory Server features that are included in the 389-ds-base packages are documented in the Red Hat Enterprise Linux 8.9 Release Notes:
3.2. Bug fixes
Learn about bugs fixed in Directory Server 11.8 that have a significant impact on users.
Directory Server now uses a backend suffix only if the suffix is defined
Previously, if a backend configuration entry was not associated with a suffix, the server failed at startup. With this update, Directory Server uses a suffix of a backend only if the suffix is defined. As a result, the server no longer fails at startup.
(BZ#2246307)
Directory Server no longer fails after the OS upgrade
Previously, when the nsslapd-conntablesize was present in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server failed to start after the operating system (OS) upgrade. As a result, you had to remove the nsslapd-conntablesize setting from the dse.ldif file before starting the server. With this update, the custom configuration of the connection table size works as expected and Directory Server no longer fails at start.
(BZ#2245946)
RHDS healthcheck no longer reports misleading messages when the suffix is correctly defined
Previously, when you defined a suffix using mixed case or upper case for the nsslapd-backend and nsslapd-directory attributes, the dsctl healthcheck command could report misleading error messages, despite the suffix being correctly defined. With this update, the dsctl healthcheck command no longer reports error messages about the suffix defined using mixed case or upper case.
(BZ#2215296)
The cockpit-389-ds package upgrade now updates the 389-ds-base and python3-lib389 packages
Previously, the cockpit-389-ds package did not specify the version of the 389-ds-base package. As a result, the upgrade of the cockpit-389-ds package alone did not update the 389-ds-base and python3-lib389 packages, which could lead to misalignment and compatibility issues between packages. With this update, the cockpit-389-ds package upgrades 389-ds-base and python3-lib389 packages.
(BZ#22245690)
The ds-replcheck now retrieves RUV data
Previously, the ds-replcheck tool reported an error that a supplier had no Replica Update Vector (RUV) entry, even though a direct search on the replica configuration entry showed the RUV data. With this update, the ds-replcheck tool now provides the replication state that indicates if the replication is not fully initialized.
(BZ#2211690)
The ns-slapd process no longer fails when you run the upgradednformat command
Previously, when you upgraded the DN format with the upgradednformat command, the upgradednformat command failed, leading to a problem with disk space. With this update, upgradednformat works as expected.
(BZ#2172258)
You can now select suffixes for export in the RHDS web console
Previously, when you attempted to select a suffix to export in the
(BZ#2219559)
A password change for the Directory Server replication manager account now works correctly
Previously, after a password change, Directory Server did not properly update the password cache for the replication agreement. As a consequence, when you changed the password for the replication manager account, the replication failed. With this update, Directory Server updates the cache properly and, as a result, the replication works as expected.
(BZ#2101473)
Bug fixes in the 389-ds-base package
The Red Hat Directory Server bug fixes that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.9 Release Notes:
- Changing a security parameter now works correctly in Directory Server
- Directory Server now calculates the dtablesize based on the maximum number of opened descriptors
- The dsctl healthcheck command now uses the password storage scheme PBKDF2-SHA512 by default
- Paged searches from a regular user now do not impact performance
- You can now enable and disable ciphers in Directory Server as expected
3.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 11.8.
Access log displays an error message during Directory Server installation in FIPS mode
When you install Directory Server in the FIPS mode, the access log file displays the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won’t work correctly (for example, users with PBKDF2_SHA256 password scheme won’t be able to log in). It’s highly advisable to enable TLS on this instance.
Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.
(BZ#2153668)
Directory Server web console does not automatically update settings that are changed outside the web console
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if a user changes the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console window.
(BZ#1654281)
The dsconf utility does not compact the changelog
Currently, the dsconf utility does not compact the replication changelog when you run the dsconf backend compact-db --only-changelog command.
To work around this problem, run the COMPACT_CL5 task manually:
$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"
(BZ#2245042)
Configuring a referral for a suffix fails in Directory Server
If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:
Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state
As a consequence, configuring a referral for suffixes fails. To work around the problem:
Set the nsslapd-referral parameter manually:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: nsslapd-referral
nsslapd-referral: ldap://remote_server:389/dc=example,dc=com
Set the back-end state:
# dsconf <instance_name> backend suffix set --state referral
As a result, with the workaround, you can configure a referral for a suffix.
(BZ#2063033)
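The first step of the referral workaround above, as an added example that is not part of the original release notes: shell functions that build the mapping tree DN and the nsslapd-referral LDIF for any suffix, escaping the suffix the way the page's example does and rejecting input that contains newlines, which could otherwise inject extra LDIF lines. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): generate the LDIF for the
# nsslapd-referral workaround instead of hand-escaping the suffix.

# Hex-escape the characters RFC 4514 treats as special inside an RDN value,
# plus "=" as the page's example does. Backslash goes first so the escapes
# inserted by the later rules are not escaped a second time.
escape_rdn_value() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5C/g' \
        -e 's/=/\\3D/g' \
        -e 's/,/\\2C/g' \
        -e 's/+/\\2B/g' \
        -e 's/"/\\22/g' \
        -e 's/</\\3C/g' \
        -e 's/>/\\3E/g' \
        -e 's/;/\\3B/g'
}

# Build the DN of the mapping tree entry that holds a suffix's configuration.
mapping_tree_dn() {
    printf 'cn=%s,cn=mapping tree,cn=config\n' "$(escape_rdn_value "$1")"
}

# $1 = local suffix, $2 = referral URL. Prints the LDIF for ldapmodify.
referral_ldif() {
    nl='
'
    # A newline in either argument would add attacker-chosen LDIF lines.
    case "$1$2" in
        *"$nl"*) printf 'refusing input containing a newline\n' >&2; return 1 ;;
    esac
    # Only LDAP URLs make sense as a referral target.
    case "$2" in
        ldap://*|ldaps://*) ;;
        *) printf 'referral must be an ldap:// or ldaps:// URL\n' >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nadd: nsslapd-referral\nnsslapd-referral: %s\n' \
        "$(mapping_tree_dn "$1")" "$2"
}

# Usage, with the page's own values (not executed here):
#   referral_ldif 'dc=example,dc=com' 'ldap://remote_server:389/dc=example,dc=com' |
#       ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
```

Review the generated LDIF before piping it to ldapmodify, then set the back-end state with the dsconf command from the second step.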