Chapter 2. Red Hat Directory Server 11.9
Learn about new updates and new features, bug fixes, and known issues implemented in Directory Server 11.9.
2.1. Important updates and new features
Learn about new features and important updates in Directory Server 11.9.
Directory Server rebased to version 1.4.3.39
The 389-ds-base package has been upgraded to upstream version 1.4.3.39.
Important updates and new features in the 389-ds-base package
The Red Hat Directory Server features that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.10 Release Notes:
2.2. Bug fixes
Learn about bugs fixed in Directory Server 11.9 that have a significant impact on users.
The Directory Server web console no longer shows an exception while trying to display an entry with a binary attribute in the LDAP Browser
Previously, when an LDAP entry contained a binary attribute, such as jpegPhoto or userCertificate, the web console displayed an exception when you wanted to see the entry details in the LDAP Browser. With this update, the web console handles entries with binary attributes correctly and the exception no longer appears.
(BZ#2239787)
The Directory Server web console no longer changes attribute names to lowercase characters when attributeTypes are added
Previously, when you added an attribute to an object class by using the web console, the uppercase characters in the attribute name were changed to lowercase characters. With this update, the attribute name case is no longer changed.
(BZ#2257790)
The ns-slapd binary is now linked with the thread-safe libldap_r library, no longer causing a segmentation fault
An upstream change in the build system introduced a regression by linking the ns-slapd binary with the non-thread-safe libldap library instead of the thread-safe libldap_r. Consequently, the ns-slapd process could fail with a segmentation fault. This update fixes the problem in the build system code, and the ns-slapd binary is again linked with the thread-safe libldap_r library. As a result, the segmentation fault no longer occurs.
(BZ#2264534)
Directory Server now flushes the entry cache less frequently
Previously, Directory Server flushed its entry cache even when it was not necessary. As a result, in certain situations, Directory Server was unresponsive and had bad performance. With this update, Directory Server flushes the entry cache only when it is necessary.
(2268177)
Bug fixes in the 389-ds-base package
The Red Hat Directory Server bug fixes that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 8.10 Release Notes:
- SELinux labeling for dirsrv files was moved to DEBUG log level
- Directory Server no longer causes a segmentation fault when a backend is configured without a related suffix
- Directory Server no longer fails after abandoning the paged result search
- Directory Server now starts correctly after an upgrade if you configured a custom value for the connection table size
- Directory Server no longer fails when Content Synchronization plug-in is enabled dynamically
2.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 11.9.
Access log displays an error message during Directory Server installation in FIPS mode
When you install Directory Server in the FIPS mode, the access log file displays the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won’t work correctly (for example, users with PBKDF2_SHA256 password scheme won’t be able to log in). It’s highly advisable to enable TLS on this instance.
Such behavior happens because at first, Directory Server finds that TLS is not initialized and logs the error message. However, later when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.
(BZ#2153668)
Directory Server web console does not automatically update settings that are changed outside the web console
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if you change the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration using the web console on a different computer. To work around the problem, manually refresh the web console in the browser if the configuration has been changed outside the console window.
(BZ#1654281)
The dsconf utility does not compact the changelog
Currently, the dsconf utility does not compact the replication changelog when you run the dsconf backend compact-db --only-changelog command.
To work around this problem, run the COMPACT_CL5 task manually:
$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=replica,cn=suffix_name,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: COMPACT_CL5

modifying entry "cn=replica,cn=suffix_name,cn=mapping tree,cn=config"
(BZ#2245042)
Configuring a referral for a suffix fails in Directory Server
If you set a back-end referral in Directory Server, setting the state of the backend using the dsconf <instance_name> backend suffix set --state referral command fails with the following error:
Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state
As a consequence, configuring a referral for suffixes fails. To work around the problem:
1. Set the nsslapd-referral parameter manually:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: nsslapd-referral
nsslapd-referral: ldap://remote_server:389/dc=example,dc=com
2. Set the back-end state:
# dsconf <instance_name> backend suffix set --state referral
As a result, with the workaround, you can configure a referral for a suffix.
(BZ#2063033)
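The referral workaround above addresses the mapping tree entry by a DN in which the suffix is the escaped cn value ("=" written as \3D, "," as \2C). The following shell helper is an added example, not part of the original release notes: it builds that DN and the LDIF from a plain suffix. The function names are hypothetical, and the escaping of characters other than "=" and "," follows RFC 4514 as a generalization of the form shown on this page.

```shell
#!/bin/sh
# Added example (not from the release notes): generate the LDIF for the
# nsslapd-referral workaround from a plain suffix DN.

# escape_suffix SUFFIX
# Hex-escape the characters that are special inside an RDN value
# (RFC 4514). Backslash is handled first so that the escapes added by
# the later expressions are not escaped a second time.
escape_suffix() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5C/g' \
        -e 's/,/\\2C/g' \
        -e 's/=/\\3D/g' \
        -e 's/+/\\2B/g' \
        -e 's/"/\\22/g' \
        -e 's/;/\\3B/g' \
        -e 's/</\\3C/g' \
        -e 's/>/\\3E/g'
}

# mapping_tree_dn SUFFIX
# DN of the mapping tree entry for SUFFIX, in the form used on this page.
mapping_tree_dn() {
    printf 'cn=%s,cn=mapping tree,cn=config\n' "$(escape_suffix "$1")"
}

# referral_ldif SUFFIX REFERRAL_URL
# LDIF that adds nsslapd-referral to the mapping tree entry of SUFFIX.
referral_ldif() {
    printf 'dn: %s\n' "$(mapping_tree_dn "$1")"
    printf 'changetype: modify\n'
    printf 'add: nsslapd-referral\n'
    printf 'nsslapd-referral: %s\n' "$2"
}

# Sample values taken from the workaround on this page; pipe the output
# into the ldapmodify command shown there to apply it.
referral_ldif 'dc=example,dc=com' 'ldap://remote_server:389/dc=example,dc=com'
```

Review the generated LDIF before piping it to ldapmodify, then set the back-end state with dsconf as in the second step of the workaround.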