Chapter 8. Red Hat Directory Server 12.2
Learn about new system requirements, important updates and new features, known issues, and deprecated functionality implemented in Directory Server 12.2.
8.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.2.
Directory Server 12.2 rebased to upstream version 2.2.7
Directory Server 12.2 is based on upstream version 2.2.7 which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-1.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-2.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-3.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-4.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-5.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-6.html
- https://directory.fedoraproject.org/docs/389ds/releases/release-2-2-7.html
The dsconf utility can now set a timeout for tasks
Previously, if a task took longer than four minutes, dsconf returned the following message:
DEBUG: The backup create task has failed with the error code: (None)
...
With this enhancement, you can set the required timeout for the task by using the --timeout option. The timeout does not stop the task; it only stops the dsconf utility from waiting for the task result.
(BZ#1993124)
You can now import and export certificates using the web console
Previously, you could only import a certificate from a file on the server filesystem using the web console. With this release, you can also import a file by copy-pasting a base64-encoded certificate. Additionally, you can export certificate authority and server certificates.
(BZ#1751264)
Important updates and new features in the 389-ds-base package
Directory Server 12.2 features that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
- Directory server now supports ECDSA private keys for TLS
- Directory Server now supports extended logging of search operations
- The NUNC_STANS error logging level was replaced by the new 1048576 logging level
- Directory Server introduces the security log
- Directory Server now can compress archived log files
- Default behavior change: Directory Server now returns a DN in exactly the same spelling as it was added to the database
- New nsslapd-auditlog-display-attrs configuration parameter for the Directory Server audit log
- New pamModuleIsThreadSafe configuration option is now available
- Directory Server can now import a certificate bundle
8.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.2 that have a significant impact on users.
Directory Server 12.2 bug fixes that are included in the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
8.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.2.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories and the PrivateTmp systemd directive is enabled by default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
1. Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
   # mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
2. Set permissions that allow the dirsrv user to read the file:
   # chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
3. Restore the SELinux context:
   # restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host’s /tmp and /var/tmp directories.
(BZ#2075525)
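A pre-import check for the workaround above, as an added example that is not part of the release notes or Red Hat's tooling: it reports whether an LDIF file really resolves inside the instance's ldif/ directory and is owned by the dirsrv user. DIRSRV_BASE and DIRSRV_USER are hypothetical override variables whose defaults match this page; the SELinux context is not checked.

```shell
#!/bin/sh
# Added example, not Red Hat's code. DIRSRV_BASE and DIRSRV_USER are
# hypothetical overrides; their defaults match the paths and user on this page.
DIRSRV_BASE="${DIRSRV_BASE:-/var/lib/dirsrv}"
DIRSRV_USER="${DIRSRV_USER:-dirsrv}"

# ldif_import_check INSTANCE FILE
# Prints one status word and returns 0 only for "ok":
#   missing      FILE does not exist
#   outside      FILE resolves outside slapd-INSTANCE/ldif/ (e.g. /tmp, /root)
#   wrong-owner  FILE is in place but not owned by the dirsrv user
#   ok           location and owner match what the workaround produces
ldif_import_check() {
    instance=$1
    file=$2
    ldif_dir="$DIRSRV_BASE/slapd-$instance/ldif"

    if [ ! -e "$file" ]; then
        echo missing
        return 1
    fi

    # Resolve symlinks and ".." first: a link inside ldif/ that points to
    # /tmp still leads to a file the service cannot see under PrivateTmp.
    real_file=$(readlink -f -- "$file") || { echo missing; return 1; }
    real_dir=$(readlink -f -- "$ldif_dir") || { echo outside; return 1; }

    case "$real_file" in
        "$real_dir"/*) ;;
        *) echo outside; return 1 ;;
    esac

    # stat -c is the GNU coreutils form shipped with RHEL.
    owner=$(stat -c %U -- "$real_file")
    if [ "$owner" != "$DIRSRV_USER" ]; then
        echo wrong-owner
        return 1
    fi

    echo ok
}

# Stand-alone use: sh check.sh INSTANCE FILE
if [ "$#" -ge 2 ]; then
    ldif_import_check "$1" "$2"
fi
```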
Access log displays an error message during Directory Server installation in FIPS mode
When you install Directory Server in FIPS mode, the access log file displays the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won’t work correctly (for example, users with PBKDF2_SHA256 password scheme won’t be able to log in). It’s highly advisable to enable TLS on this instance.
This happens because Directory Server first finds that TLS is not initialized and logs the error message. Later, when the dscreate utility completes TLS initialization and enables security, the error message is no longer present.
(BZ#2153668)
Known issues in the 389-ds-base package
Red Hat Directory Server 12.2 known issues that affect the 389-ds-base package are documented in Red Hat Enterprise Linux 9.2 Release Notes:
8.4. Deprecated functionality
Learn about functionality that has been deprecated in Red Hat Directory Server 12.2.
Deprecated functionality in the 389-ds-base package
Directory Server 12.2 functionality that has been deprecated in the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.2 Release Notes: