Red Hat Directory Server 12 release notes
Noteworthy features and updates related to Red Hat Directory Server 12 (12.6)
Abstract
Providing feedback on Red Hat Directory Server
We appreciate your input on our documentation and products. Please let us know how we could make it better. To do so:
For submitting feedback on the Red Hat Directory Server documentation through Jira (account required):
- Go to the Red Hat Issue Tracker.
- Enter a descriptive title in the Summary field.
- Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
- Click Create at the bottom of the dialogue.
For submitting feedback on the Red Hat Directory Server product through Jira (account required):
- Go to the Red Hat Issue Tracker.
- On the Create Issue page, click .
- Fill in the Summary field.
- Select the component in the Component field.
Fill in the Description field including:
- The version number of the selected component.
- Steps to reproduce the problem or your suggestion for improvement.
- Click Create.
Chapter 1. General information
Learn about general Red Hat Directory Server 12 information that is independent of the minor versions.
1.1. Directory Server support policy and life cycle
For details, see the Red Hat Directory Server Errata Support Policy document.
1.2. Software conflicts
You cannot install Directory Server on a system that has a Red Hat Enterprise Linux Identity Management (IdM) server installed. Likewise, no Red Hat Enterprise Linux IdM server can be installed on a system with a Directory Server instance.
1.3. Migrating to Directory Server 12
- For a procedure about migrating Directory Server 11 to Directory Server 12, see the Migrating Directory Server 11 to Directory Server 12 chapter.
- For a procedure about migrating Directory Server 10 to Directory Server 12, see the Migrating Directory Server 10 to Directory Server 12 chapter.
1.4. Notes about migrating to Directory Server 12
Winsync and PassSync have been deprecated in 12.6
The Winsync plug-in and PassSync package that were used for synchronization with Active Directory have been deprecated in Red Hat Directory Server 12.6 and will be removed in future releases because PassSync is not maintained upstream. Consider using Identity Management (IdM) and cross-forest trust for Active Directory as an alternative.
The Directory Server 12 default password storage scheme is PBKDF2-SHA512
Directory Server 12 uses the PBKDF2-SHA512 scheme as the default password storage scheme, which is more secure than SSHA, SSHA512, and other schemes. Therefore, if some of your applications, such as freeradius, do not support the PBKDF2-SHA512 scheme and you must switch back to a weaker password storage scheme, note that Directory Server updates user passwords not only when an application adds or modifies the user entry, but also during a successful bind operation. However, you can disable the update on bind operations by setting the nsslapd-enable-upgrade-hash parameter in the cn=config entry to off.
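As an added example (not part of the Red Hat release notes), the following Python script reads an LDIF export and reports which userPassword values are stored under a scheme other than PBKDF2-SHA512, which helps when you assess the effect of the update-on-bind behavior described above. The sample LDIF, the DNs, and the hash bodies are constructed, and the `{SCHEME}` prefix layout of stored values is an assumption about the export format.

```python
import base64
from collections import Counter

DEFAULT_SCHEME = "PBKDF2-SHA512"  # Directory Server 12 default named in the note above

# Constructed sample export: DNs and hash bodies are placeholders, not real hashes.
_B64_SSHA = base64.b64encode(b"{SSHA}constructed-placeholder").decode("ascii")
SAMPLE_LDIF = f"""\
# constructed sample, not a real export
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {{PBKDF2-SHA512}}constructed-placeholder

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword:: {_B64_SSHA}

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {{SSHA512}}constructed-
 placeholder-folded

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif_text):
    """Yield (dn, [userPassword values]) for every entry in the LDIF text."""
    dn, passwords = None, []
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, passwords
            dn, passwords = None, []
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
            try:
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            except ValueError:
                value = ""  # undecodable value is reported as NO-PREFIX
        else:
            value = rest.strip()
        name = attr.strip().lower()
        if name == "dn":
            dn = value
        elif name == "userpassword":
            passwords.append(value)


def scheme_of(value):
    """Return the storage scheme named in a leading {SCHEME} prefix."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].upper()
    return "NO-PREFIX"


def audit(ldif_text):
    """Count schemes and list (dn, scheme) pairs that are not the default."""
    counts = Counter()
    non_default = []
    for dn, passwords in parse_entries(ldif_text):
        for value in passwords:
            scheme = scheme_of(value)
            counts[scheme] += 1
            if scheme != DEFAULT_SCHEME:
                non_default.append((dn, scheme))
    return counts, non_default


if __name__ == "__main__":
    counts, non_default = audit(SAMPLE_LDIF)
    for scheme, total in sorted(counts.items()):
        print(f"{scheme}: {total}")
    for dn, scheme in non_default:
        print(f"not {DEFAULT_SCHEME}: {dn} ({scheme})")
```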
New command-line utilities starting Directory Server 11
Since version 11, Directory Server provides new command line utilities to manage server instances and users. These utilities replace the Perl scripts used for management tasks in Directory Server 10 and earlier versions.
For a list of commands in previous versions and their replacements in Directory Server 12, see the Command-line utilities replaced in Red Hat Directory Server 11 appendix in the Red Hat Directory Server Installation Guide.
Chapter 2. Hardware requirements
The hardware requirements are based on tests run with the following prerequisites:
- The server uses default indexes.
- Each LDAP entry has a size of 1.5 KB and 30 or more attributes.
Disk space
The following table provides guidelines for the recommended disk space for Directory Server based on the number of entries.
Number of entries | Database size | Database cache | Server and logs | Total disk space |
---|---|---|---|---|
10,000 - 500,000 | 2 GB | 2 GB | 4 GB | 8 GB |
500,000 - 1,000,000 | 5 GB | 2 GB | 4 GB | 11 GB |
1,000,000 - 5,000,000 | 21 GB | 2 GB | 4 GB | 27 GB |
5,000,000 - 10,000,000 | 42 GB | 2 GB | 4 GB | 48 GB |
The total disk space does not include space for backups and replication metadata. With enabled replication, its metadata can require up to 10% more of the total disk space.
A replication changelog with 1 million changes can add at least 315 MB to the total disk space requirement.
The temporary file system (tmpfs) mounted in /dev/shm/ should have at least 4 GB of available space to store RHDS temporary files.
Required RAM
Make sure your system has enough RAM available to keep the entire database in cache. The required RAM size can be higher than the recommended one depending on server configuration and usage patterns.
Number of entries | Entry cache | Entry cache with replication [a] | Database cache | DN cache | NDN cache | Total RAM size [b] |
---|---|---|---|---|---|---|
10,000 - 500,000 | 4 GB | 5 GB | 1.5 GB | 45 MB | 160 MB | 7 GB |
500,000 - 1,000,000 | 8 GB | 10 GB | 1.5 GB | 90 MB | 320 MB | 12 GB |
1,000,000 - 5,000,000 | 40 GB | 50 GB | 1.5 GB | 450 MB | 1.6 GB | 54 GB |
5,000,000 - 10,000,000 | 80 GB | 100 GB | 1.5 GB | 900 MB | 3.2 GB | 106 GB |
[a] Entry cache with replication includes the entry’s replication state and metadata.
[b] Total RAM size assumes you enabled replication.
Chapter 3. Software requirements
Supported platforms for Directory Server
Red Hat supports Red Hat Directory Server if it runs on the following platforms:
- Red Hat Directory Server 12.6 runs on Red Hat Enterprise Linux 9.6.
- Red Hat Directory Server 12.5 runs on Red Hat Enterprise Linux 9.5.
- Red Hat Directory Server 12.4 runs on Red Hat Enterprise Linux 9.4.
- Red Hat Directory Server 12.3 runs on Red Hat Enterprise Linux 9.3.
- Red Hat Directory Server 12.2 runs on Red Hat Enterprise Linux 9.2.
- Red Hat Directory Server 12.1 runs on Red Hat Enterprise Linux 9.1.
- Red Hat Directory Server 12.0 runs on Red Hat Enterprise Linux 9.0.
- Red Hat Enterprise Linux is built for AMD64 and Intel 64 architectures.
- A Red Hat Enterprise Linux virtual guest runs on a certified hypervisor. For details, see the Which hypervisors are certified to run Red Hat Enterprise Linux? solution article.
Supported platforms for the Directory Server user interface in the web console
Red Hat supports the browser-based Directory Server user interface in the web console in the following environments:
Operating system | Browser |
---|---|
Red Hat Enterprise Linux 9.6 |
|
Windows Server 2016 and 2019: |
|
Windows 10 |
|
Supported platforms for the Windows Synchronization utility
Red Hat supports the Windows Synchronization utility for Active Directory running on:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
Chapter 4. Red Hat Directory Server 12.6
Learn about important updates and new features, known issues, and bug fixes implemented in Directory Server 12.6.
4.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.6 that are included in the 389-ds-base package and documented in Red Hat Enterprise Linux 9.6 Release Notes:
- 389-ds-base rebased to version 2.6.1
- The new memberOfDeferredUpdate: on/off configuration attribute is now available in Directory Server
- Directory Server now provides buffering of the error, audit, and audit fail logs
- Directory Server now can update passwords with the CRYPT or CLEAR hashing algorithm after a successful bind
4.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.6 that have a significant impact on users.
Various Directory Server web console fixed issues
In Directory Server 12.6, various web console issues and typos were fixed, including:
- The web console now supports instances with LMDB.
- The MemberOf plug-in configuration works as expected when deleting Shared Config Entry.
- The web console no longer becomes unresponsive when you create an ou entry by using the LDAP Browser.
- A database name and suffix are validated as expected.
- Clearer confirmation and alert messages.
- Adding the person object class no longer fails.
- The Subtrees field is no longer mandatory when configuring the Attribute Uniqueness plug-in over object classes.
- Updating the NDN cache size no longer fails.
Directory Server 12.6 bugs fixed in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.6 Release Notes:
- When starting an instance with a sub suffix, an incorrect error is no longer logged
- A race condition with paged result searches no longer closes the connection with a T3 error code
- Directory Server no longer fails when reindexing a VLV index with the sort attribute indexed with an extended matching rule
- High connection load no longer overloads a single thread in Directory Server
- VLV index cache now matches the VLV index as expected when using LMDB
- The online backup no longer fails
- cleanAllRUV no longer blocks itself
- Reindexing no longer fails when an entry RDN has the same value as the suffix DN
- The Account Policy plug-in now uses a proper flag for an update in a replication topology
- On a supplier with LMDB, an offline import no longer generates duplicates of nsuniqueid
- TLS 1.3 can now be used to connect to an LDAP server running in FIPS mode
- Directory Server backup no longer fails after the previous unsuccessful attempt
- Failed replication between suppliers when using certificate-based authentication now has a more descriptive error message
- dsconf config replace can now handle multivalued attributes as expected
- Directory Server now returns the correct set of entries when compound filters with OR (|) and NOT (!) operators are used
- Consumer status in a replication agreement on a supplier is displayed correctly after the Directory Server restart
4.3. Deprecated functionality
Learn about a functionality that has been deprecated in Red Hat Directory Server 12.6.
Winsync and PassSync have been deprecated
The Winsync plug-in and the PassSync package that were used for synchronization with Windows have been deprecated in Red Hat Directory Server 12.6 and will be removed in future releases because PassSync is not maintained upstream. Consider using Identity Management (IdM) and cross-forest trust for Active Directory as an alternative.
(Jira-DIRSRV-329)
4.4. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.6.
Directory Server web console does not automatically update settings that are changed outside the web console
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if you change the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration by using the web console on a different computer.
Workaround: Manually refresh the web console in the browser.
(BZ#1654281) (BZ#1751047)
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-<instance_name>/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories, and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-<instance_name>/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
Workaround: Complete the following steps:
- Move the LDIF file to the /var/lib/dirsrv/slapd-<instance_name>/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-<instance_name>/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-<instance_name>/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-<instance_name>/ldif/
For more information, see the Red Hat Knowledgebase solution LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
Known issues in the 389-ds-base package
Red Hat Directory Server 12.6 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.6 Release Notes:
Chapter 5. Red Hat Directory Server 12.5
Learn about important updates and new features, known issues, and bug fixes implemented in Directory Server 12.5.
5.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.5.
Directory Server now delivers the 389-ds-base component from the RHEL AppStream
Previously, the 389-ds-base component was delivered as part of RHEL and RHDS modules. With this update, because of demodularization efforts, RHDS no longer delivers its own copy of 389-ds-base and uses 389-ds-base from the RHEL AppStream instead.
(DIRSRV-6)
Important updates and new features in the 389-ds-base package
Important updates in Red Hat Directory Server 12.5 that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.5 Release Notes:
5.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.5 that have a significant impact on users.
dsidm now prompts to create an ou entry
Previously, when you used the dsidm utility to create a user or a group but the Organizational Unit (ou) entry that the user or the group must belong to did not exist, you saw the following error:
Error: 105 - 4 - 32 - No such object - [] - dc=example,dc=com
With this update, if the ou entry does not exist, the dsidm utility now prompts you to create this entry.
dsctl now displays the -v option in the usage section
Previously, the verbose option (-v) for the dsctl test db2bak -h command was not displayed in the action section of the help description (--help, -h). With this update, the help description now also displays the -v option.
Creating a replication agreement with dsconf now completes without a delay
Previously, when you created a replication agreement by using the dsconf utility, the command hung for a minute and only then proceeded further. With this update, a replication agreement is now created without any delays.
The Directory Server web console no longer fails to enable the audit failure logging
Previously, if you attempted to enable the audit failure logging by using the Directory Server web console, the process failed. With this update, the issue has been fixed, and you can enable the audit failure logging as expected.
When starting an instance with a sub-suffix, an incorrect error is no longer logged
Previously, when starting an instance with a sub-suffix, you could see the following incorrect message in the error log:
[time_stamp] - ERR - id2entry - Could not open id2entry err 0
[time_stamp] - ERR - dn2entry_ext - The dn "dc=example,dc=com" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
The root cause of the message was that during backend initialization, a subtree search was performed on the backend to determine if the subtree contained smart referrals. In addition, the issue had a minor performance impact on search operations for the first ten minutes after the server started.
With this update, the incorrect message is no longer logged and no performance impact occurs when the server starts.
Directory Server now updates the password history for pre-hashed passwords as expected
Previously, when you updated your password with a hashed value, the updated password hash was not listed in your password history. With this update, the issue has been fixed, and both hashed and non-hashed password updates are now listed in the password history.
Log file timestamps now have the correct time zone
Previously, the log file timestamps had the wrong time zone offset if the offset was not a multiple of an hour, such as the America/St_Johns time zone, which is UTC-3:30. With this update, the time zone offset is calculated correctly.
The web console now enables replication for a sub-suffix as expected
Previously, enabling replication for a sub-suffix by using the Directory Server web console failed with an error. With this update, the issue has been fixed, and you can now enable replication, and the proper replication tab is displayed in the web console.
Directory Server SNMP agent now starts as expected if an SELinux policy is enforced
Previously, SELinux reported an Access Vector Cache (AVC) error when using the Directory Server SNMP agent and the agent failed to start if an SELinux policy was enforced. This was due to the SNMP agent having the incorrect permissions. With this update, the SNMP agent permissions have been changed and the SELinux policy configuration has been fixed.
Directory Server 12.5 bug fixes that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.5 Release Notes:
- Directory Server no longer ignores nsslapd-idletimeout
- Search operations now return large groups faster
- One-level scoped search no longer fails to return sub-suffixes
- The Referential Integrity plug-in no longer leads to the server failure
- The dscreate ds-root command now accepts a relative path
- Offline import of LDIF files now runs correctly
- The dsconf schema matchingrules list command now displays the new inchainMatch matching rule
5.3. Technology Previews
Learn about unsupported Technology Previews in Red Hat Directory Server 12.5 that are included in the 389-ds-base package and documented in Red Hat Enterprise Linux 9.5 Release Notes:
5.4. Deprecated functionality
Learn about deprecated functionalities in Red Hat Directory Server 12.5 that are included in the 389-ds-base package and documented in Red Hat Enterprise Linux 9.5 Release Notes:
5.5. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.5.
Directory Server web console does not automatically update settings that are changed outside the web console
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if you change the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration by using the web console on a different computer.
To work around the problem, manually refresh the web console in the browser if the configuration was changed outside the console window.
(BZ#1654281) (BZ#1751047)
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories, and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
- Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
Known issues in the 389-ds-base package
Red Hat Directory Server 12.5 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.5 Release Notes:
Chapter 6. Red Hat Directory Server 12.4
Learn about important updates and new features, known issues, and bug fixes implemented in Directory Server 12.4.
6.1. Important updates and new features in the 389-ds-base package
Important updates in Red Hat Directory Server 12.4 that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.4 Release Notes:
- 389-ds-base rebased to version 2.4.5
- Transparent Huge Pages are now disabled by default for the ns-slapd process
- The new lastLoginHistSize configuration attribute is now available for the Account Policy plug-in
- The new notes=M message in the access log to identify MFA binds
- The new inchainMatch matching rule is now available
- The HAProxy protocol is now supported for the 389-ds-base package
6.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.4 that have a significant impact on users.
Directory Server now flushes the entry cache less frequently
Previously, Directory Server flushed its entry cache even when it was not necessary. As a result, in certain situations, Directory Server was unresponsive and had bad performance. With this update, Directory Server flushes the entry cache only when it is necessary.
(BZ#2234613)
The web console no longer changes attribute names to lowercase characters when attributeTypes are added
Previously, when you added an attribute to an object class by using the web console, the uppercase characters in the attribute name were changed to lowercase characters. With this update, the attribute name case is no longer changed.
(BZ#2236181)
Directory Server 12.4 bug fixes that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.4 Release Notes:
6.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.4.
Directory Server web console does not automatically update settings that are changed outside the web console
Because of the design of the Directory Server module in the Red Hat Enterprise Linux 8 web console, the web console does not automatically display the latest settings if you change the configuration outside of the console window. For example, if you change the configuration using the command line while the web console is open, the new settings are not automatically updated in the web console. This applies also if you change the configuration by using the web console on a different computer.
To work around the problem, manually refresh the web console in the browser if the configuration was changed outside the console window.
(BZ#1654281) (BZ#1751047)
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories, and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
- Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
Interactive installer suggests unsupported LMDB database
When you create an instance by using the dscreate interactive command, you can select mdb as the database type, which is not supported. Currently, there is no workaround available.
Known issues in the 389-ds-base package
Red Hat Directory Server 12.4 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.4 Release Notes:
Chapter 7. Red Hat Directory Server 12.3
Learn about new system requirements, important updates and new features, known issues, and deprecated functionality implemented in Directory Server 12.3.
7.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.3.
Directory Server now backs up configuration files, the certificate database, and custom schema files
Previously, Directory Server backed up only databases. With this update, when you run the dsconf backup create or dsctl db2bak command, Directory Server also backs up configuration files, the certificate database, and custom schema files that are stored in the /etc/dirsrv/slapd-instance_name/ directory to the default backup directory /var/lib/dirsrv/slapd-instance_name/bak/config_files/.
Directory Server also backs up these files when you perform the backup by using the web console.
(BZ#2147446)
The Alias Entries plug-in is now available in Directory Server
When you enable the Alias Entries plug-in, a search for an entry returns the entry that you set as an aliased entry. For example, Barbara Jensen, an employee in the Example company, got married and her surname changed. Her old entry uid=bjensen,ou=people,dc=example,dc=com contains the alias to her new entry uid=bsmith,ou=people,dc=example,dc=com. When the plug-in is enabled, the search for the uid=bjensen,ou=people,dc=example,dc=com entry returns the uid=bsmith,ou=people,dc=example,dc=com entry information.
Use the -a find parameter for the ldapsearch command to retrieve entries with aliases.
Currently, the Alias Entries plug-in supports only base level searches.
For more information, see the Alias Entries plug-in description.
(BZ#2203173)
The checkAllStateAttrs configuration option is now available
You can apply both account inactivity and password expiration when a user authenticates by using the checkAllStateAttrs setting. When you enable this parameter, it checks the main state attribute and, if the account information is correct, it then checks the alternate state attribute.
(BZ#2174161)
You can now save credentials and aliases for a replication report using the Directory Server web console
Previously, when you used the web console to set credentials and aliases for a replication monitoring report, these settings were no longer present after the web console reload. With this enhancement, when you set the credentials and aliases for the replication report, Directory Server saves new settings in the .dsrc file and the web console uploads saved settings after the reload.
(BZ#2030884)
Important updates and new features in the 389-ds-base package
Directory Server 12.3 features that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.3 Release Notes:
- RHEL 9.3 provides 389-ds-base 2.3.4
- Directory Server can now close a client connection if a bind operation fails
- Automembership plug-in improvements. It no longer cleans up groups by default
- New passwordAdminSkipInfoUpdate: on/off configuration option is now available
- New slapi_memberof() plug-in function is now available for Directory Server plug-ins and client applications
- Directory Server now replaces the virtual attribute nsRole with an indexed attribute for managed and filtered roles
- New nsslapd-numlisteners configuration option is now available
7.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.3 that have a significant impact on users.
The cockpit-389-ds package upgrade now updates the 389-ds-base and python3-lib389 packages
Previously, the cockpit-389-ds package did not specify the version of the 389-ds-base package it depends on. As a result, the upgrade of the cockpit-389-ds package alone did not update the 389-ds-base and python3-lib389 packages, which could lead to misalignment and compatibility issues between packages. With this update, the cockpit-389-ds package depends on the exact 389-ds-base version, and the update of the cockpit-389-ds package also upgrades the 389-ds-base and python3-lib389 packages.
(BZ#2240021)
Disabling replication on a consumer no longer crashes the server
Previously, when you disabled replication on a consumer server, Directory Server tried to remove the changelog on the consumer where it did not exist. As a consequence, the server terminated unexpectedly with the following error:
Error: -1 - Can't contact LDAP server - []
With this update, disabling replication on a consumer works as expected.
(BZ#2184599)
A non-root instance no longer fails to start after creation
Previously, Rust plug-ins were incorrectly disabled in the non-root instance template and the default password scheme was moved to Rust-based hasher. As a result, the non-root instance could not be created. With this update, a non-root instance supports Rust plug-ins and you can create the instance with the PBKDF2-SHA512 default password scheme.
(BZ#2151864)
The dsconf utility now accepts only value 65535 as the replica-id when setting a hub or a consumer role
Previously, when you configured a hub or a consumer role, the dsconf utility also accepted the replica-id option with a value other than 65535. With this update, the dsconf utility accepts only 65535 as the replica-id value for a hub or a consumer role. If you do not specify this value in a dsconf command, then Directory Server assigns the replica-id value 65535 automatically.
(BZ#1987373)
The dscreate ds-root command now normalizes paths
Previously, when you created an instance under a non-root user and provided a bin_dir argument value that contained a trailing slash, dscreate ds-root failed to find the bin_dir value in the $PATH variable. As a result, the instance under a non-root user was not created. With this update, the dscreate ds-root command normalizes paths, and the instance is created as expected.
(BZ#2151868)
The dsconf utility now has the fixup option to create fix-up tasks for the entryUUID plug-in
Previously, the dsconf utility did not provide an option to create fix-up tasks for the entryUUID plug-in. As a consequence, administrators could not use dsconf to create a task to automatically add entryUUID attributes to existing entries. With this update, you can use the dsconf utility with the fixup option to create fix-up tasks for the entryUUID plug-in. For example, to fix all entries under the dn=example,dc=com entry that contain a uid attribute, enter:
# dsconf instance_name plugin entryuuid fixup -f "(uid=*)" "dn=example,dc=com"
(BZ#2047175)
Access log no longer displays an error message during Directory Server installation in FIPS mode
Previously, when you installed Directory Server in FIPS mode, the access log file displayed the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won’t work correctly (for example, users with PBKDF2_SHA256 password scheme won’t be able to log in). It’s highly advisable to enable TLS on this instance.
With this update, the issue has been fixed, and the error message is no longer present in the access log.
(BZ#2153668)
Directory Server 12.3 bug fixes that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.3 Release Notes:
- Paged searches from a regular user now do not impact performance
- The LMDB import now works faster
- Schema replication now works correctly in Directory Server
- Referral mode is now working correctly in Directory Server
- The dirsrv service now starts correctly after reboot
- Changing a security parameter now works correctly
7.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.3.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
- Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
Known issues in the 389-ds-base package
Red Hat Directory Server 12.3 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.3 Release Notes:
7.4. Deprecated functionality
Learn about functionality that has been deprecated in Red Hat Directory Server 12.3.
Deprecated functionality in the 389-ds-base package
Directory Server 12.3 functionality that has been deprecated in the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.3 Release Notes:
7.5. Removed functionality
Learn about functionality that has been removed in Red Hat Directory Server 12.3.
Removed functionality in the 389-ds-base package
Removed functionality in Red Hat Directory Server that is included in the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.3 Release Notes:
Chapter 8. Red Hat Directory Server 12.2
Learn about new system requirements, important updates and new features, known issues, and deprecated functionality implemented in Directory Server 12.2.
8.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.2.
Directory Server 12.2 rebased to upstream version 2.2.7
Directory Server 12.2 is based on upstream version 2.2.7 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-1.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-2.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-3.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-4.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-5.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-6.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-7.html
The dsconf utility can now set timeout for tasks
Previously, if a task took longer than four minutes, dsconf returned the following message:
DEBUG: The backup create task has failed with the error code: (None)
...
With this enhancement, you can set the required timeout for the task by using the --timeout option. The timeout does not stop the task; it only stops the dsconf utility from waiting for the task result.
(BZ#1993124)
You can now import and export certificates using the web console
Previously, you could only import a certificate from a file on the server filesystem using the web console. With this release, you can also import a file by copy-pasting a base64-encoded certificate. Additionally, you can export certificate authority and server certificates.
(BZ#1751264)
Important updates and new features in the 389-ds-base package
Directory Server 12.2 features that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
- Directory server now supports ECDSA private keys for TLS
- Directory Server now supports extended logging of search operations
- The NUNC_STANS error logging level was replaced by the new 1048576 logging level
- Directory Server introduces the security log
- Directory Server now can compress archived log files
- Default behavior change: Directory Server now returns a DN in exactly the same spelling as it was added to the database
- New nsslapd-auditlog-display-attrs configuration parameter for the Directory Server audit log
- New pamModuleIsThreadSafe configuration option is now available
- Directory Server can now import a certificate bundle
8.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.2 that have a significant impact on users.
Directory Server 12.2 bug fixes that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
8.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.2.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
- Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
Access log displays an error message during Directory Server installation in FIPS mode
When you install Directory Server in the FIPS mode, the access log file displays the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won’t work correctly (for example, users with PBKDF2_SHA256 password scheme won’t be able to log in). It’s highly advisable to enable TLS on this instance.
This happens because Directory Server initially finds that TLS is not initialized and logs the error message. Later, when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.
(BZ#2153668)
Known issues in the 389-ds-base package
Red Hat Directory Server 12.2 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
8.4. Deprecated functionality
Learn about functionality that has been deprecated in Red Hat Directory Server 12.2.
Deprecated functionality in the 389-ds-base package
Directory Server 12.2 functionality that has been deprecated in the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.2 Release Notes:
Chapter 9. Red Hat Directory Server 12.1
Learn about new system requirements, highlighted updates and new features, known issues, and deprecated functionality implemented in Directory Server 12.1.
9.1. Highlighted updates and new features
This section documents new features and important updates in Directory Server 12.1.
Directory Server 12.1 rebased to upstream version 2.1.3
Directory Server 12.1 is based on upstream version 2.1.3 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
The LDAP browser is now fully supported
With this enhancement, you can manage LDAP entries from the LDAP Browser tab in the web console. For example, you can:
- Browse the directory using Tree or Table view.
- Manage entries, such as users, groups, roles, organizational units (OUs), and custom entries.
- Manage Access Control Instructions (ACIs).
- Manage classes of service definition (CoS).
- Search for entries.
Highlighted updates and new features in the 389-ds-base package
Features in Red Hat Directory Server that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.1 Release Notes:
- Directory Server now supports recursive delete operations when using ldapdelete
- You can now set basic replication options during the Directory Server installation
- Directory Server now supports canceling the Auto Membership plug-in task
- Directory Server now supports instance creation by a non-root user
- Replication changelog trimming is now enabled by default in Directory Server
9.2. Known issues
This section documents known problems and, if applicable, workarounds in Directory Server 12.1.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
The dsconf backend import command requires that you specify the path to the LDIF file you want to import. However, due to file system and SELinux permissions, as well as other operating system restrictions, Directory Server can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem:
- Move the file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
(BZ#2081352)
Directory Server replication fails after changing password of the replication manager account
After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.
(BZ#1956987)
Known issues in the 389-ds-base package
Known issues in Red Hat Directory Server that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.1 Release Notes:
Deprecated functionality in the 389-ds-base package
Red Hat Directory Server deprecated functionality that has been removed from the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.1 Release Notes:
Chapter 10. Red Hat Directory Server 12.0
This section contains information related to installing Directory Server 12.0, including prerequisites and platform requirements.
10.1. Highlighted updates and new features
This section documents new features and important updates in Directory Server 12.0.
Directory Server 12.0 is based on upstream version 2.0.14
Directory Server 12.0 is based on upstream version 2.0.14 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-14.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-13.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-12.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-11.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-10.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-9.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-8.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-7.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-6.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-5.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-4.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-3.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-2.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-0-1.html
Highlighted updates and new features in the 389-ds-base package
Features in Red Hat Directory Server that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.0 Release Notes:
10.2. Bug fixes
This section describes bugs fixed in Directory Server 12.0 that have a significant impact on users.
Manually changing the entry cache configuration now works correctly in the web console.
By default, Directory Server uses automatic cache tuning. However, previously you could not disable the automatic cache tuning setting in the web console and manually set the desired entry cache configuration. This update fixes the problem and, as a result, you can now manually configure the entry cache in the web console.
Fixed typos in different parts of the web console
Previously, different parts of the web console contained mistakes in the text fields. As a consequence, incorrect information messages were displayed to a user. This update fixes the issue and the web console now shows the correct text messages.
Changing the configuration of several plug-ins now works correctly in the web console
Previously, when you tried to change the configuration of a plug-in using the web console, an incorrect error message was displayed, or a loading loop did not disappear. Consequently, you could not save a new configuration or did not know if the configuration was saved successfully. The following plug-ins were affected:
- Posix Winsync plug-in
- Referential Integrity plug-in
- RootDN Access Control plug-in
- Retro Changelog plug-in
This update fixes the issue. As a result, you can now configure these plug-ins using the web console as expected.
Changelog export now works as expected in the web console
Previously in the web console, when exporting the changelog for debugging purposes, you could select both options: Decode Base64 changes and Only Export CSNs. However, only the Export CSNs option was taken into account. In this release, it is possible to check only one of the options, and the changelog is exported according to the selected one as expected.
Configuring credentials and naming aliases for the replication topology report now works correctly in the web console
Previously, you could not set the credentials or naming aliases for the replication topology report using the web console because fields in the pop-up windows Add Report Credentials and Add Report Alias, where you needed to enter the required information, were not writable. In this release, the fields in the pop-up windows are writable, and you can set the report credentials, or configure the naming aliases as expected.
The Directory Server web console now validates logging configuration values
Previously, the Directory Server web console accepted invalid values for different types of logs on the Logging page. As a consequence, an error occurred when the user tried to save the settings. This update adds the validation for the logging configuration values. As a result, the web console does not accept invalid input.
Attributes on the Schema page are no longer editable after using the search feature
Previously, after searching for an attribute in the Schema page of the Directory Server web console, a Cascading Style Sheet (CSS) misconfiguration caused the attribute to be editable. With this update, the edit function is now disabled.
Enabling DNA plug-in no longer fails
Previously, an attempt to enable the Distributed Numeric Assignment (DNA) plug-in in the Directory Server web console failed and resulted in a browser error. With this update, enabling the DNA plug-in works as expected.
Adding a configuration entry in Account Policy plug-in no longer fails
Previously, an attempt to add a configuration entry in Account Policy plug-in sometimes failed with an error. To fix the problem, this update disables the Shared Config DN value is not specified.
Import from an LDIF file with replication metadata now works correctly
Previously, importing an LDIF file with replication metadata could cause the replication to fail in certain cases:
In the first case, a replication update vector (RUV) entry placed before the suffix entry in an imported LDIF file was ignored. As a consequence, the replication with the imported replica failed, because of a generation ID mismatch. This update ensures that Directory Server writes the skipped RUV entry at the end of the import.
In the second case, a changelog reinitialized after an RUV mismatch did not contain the starting change sequence numbers (CSNs). As a consequence, the replication with the imported replica failed, because of a missing CSN in the changelog. This update ensures that Directory Server creates the RUV maxcsn entries, when reinitializing the changelog.
As a result, with this update, administrators do not have to reinitialize the replication after importing from an LDIF file that contains replication metadata.
Bug fixes in the 389-ds-base package
Bug fixes in Red Hat Directory Server that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.0 Release Notes:
10.3. Technology Previews
This section documents unsupported Technology Previews in Directory Server 12.0.
The Directory Server web console provides an LDAP browser as a Technology Preview
An LDAP browser has been added to the Directory Server web console. Using the LDAP Browser tab in the web console, you can:
- Browse the directory
- Manage entries, such as users, groups, organizational units (OUs), and custom entries
- Manage ACI
Note that Red Hat provides this feature as an unsupported Technology Preview.
10.4. Known issues
This section documents known problems and, if applicable, workarounds in Directory Server 12.0.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
The dsconf backend import command requires that you specify the path to the LDIF file you want to import. However, due to file system and SELinux permissions, as well as other operating system restrictions, Directory Server can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem:
- Move the file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
- Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
- Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
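The three workaround steps above, which these notes also list as a known issue for 12.1, 12.2 and 12.3, can be verified before you start an import. The following shell function is an added example, not part of the Red Hat documentation; the function name, its arguments and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat code. Only the ldif directory layout, the dirsrv
# user and the restorecon step come from the release notes; the function name,
# its arguments and the return codes are assumptions made for illustration.

# check_ldif_for_import LDIF_DIR FILE [OWNER]
#   LDIF_DIR  for example /var/lib/dirsrv/slapd-instance_name/ldif
#   FILE      LDIF file you intend to import
#   OWNER     account that must own the file (default: dirsrv)
# Prints one diagnostic line and returns 0 when the file is ready to import.
check_ldif_for_import() {
    ldif_dir=$1
    file=$2
    owner=${3:-dirsrv}

    [ -d "$ldif_dir" ] || { echo "no such directory: $ldif_dir"; return 2; }
    [ -e "$file" ] || { echo "no such file: $file"; return 2; }

    # Resolve symlinks and ".." first: a link inside the ldif directory that
    # points at /tmp still resolves into the service's private /tmp and fails.
    real_dir=$(readlink -f -- "$ldif_dir")
    real_file=$(readlink -f -- "$file")

    # Step 1: the resolved file must live below the resolved ldif directory.
    case $real_file in
        "$real_dir"/*) ;;
        *) echo "outside $real_dir: $real_file"; return 3 ;;
    esac

    [ -f "$real_file" ] || { echo "not a regular file: $real_file"; return 4; }

    # Step 2: field 3 of "ls -ld" is the owning user.
    file_owner=$(ls -ld "$real_file" | awk '{print $3}')
    [ "$file_owner" = "$owner" ] || {
        echo "owned by $file_owner, expected $owner: $real_file"; return 5; }

    # Step 3: on SELinux hosts, "restorecon -n -v" reports without changing
    # anything; any output means the label differs from the policy default.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        pending=$(restorecon -n -v "$real_file" 2>/dev/null)
        [ -z "$pending" ] || { echo "SELinux label mismatch: $real_file"; return 6; }
    fi

    echo "ready: $real_file"
}

# Usage (instance_name is the placeholder used in the release notes):
#   check_ldif_for_import /var/lib/dirsrv/slapd-instance_name/ldif \
#       /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
```

A return code of 3 for a path that appears to be inside the ldif directory means the path is a symbolic link to a file stored elsewhere.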
Directory Server replication fails after changing password of the replication manager account
After a password change, Directory Server does not properly update the password cache for the replication agreement. As a consequence, when you change the password for the replication manager account, the replication breaks. To work around this problem, restart the Directory Server instance. As a result, the cache is rebuilt at start-up, and the replication connection binds with the new password instead of the old one.
Known issues in the 389-ds-base package
Known issues in Red Hat Directory Server that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.0 Release Notes:
10.5. Removed functionality
This section documents functionality that has been removed in Directory Server 12.0.
The nsslapd-subtree-rename-switch parameter has been removed
Previously, administrators could configure Directory Server to prevent moving entries between sub-trees in a database. Due to stability issues, this feature has been removed and, consequently, the nsslapd-subtree-rename-switch parameter no longer exists. As a result, moving entries between sub-trees can no longer be deactivated. As an alternative, if you require this feature, create an access control instruction (ACI).
Removed functionality in the 389-ds-base package
Removed functionality in Red Hat Directory Server that is included in the 389-ds-base package is documented in Considerations in adopting RHEL 9: