Chapter 6. Red Hat Directory Server 12.3
Learn about new system requirements, important updates and new features, known issues, and deprecated functionality implemented in Directory Server 12.3.
6.1. Important updates and new features
Learn about new features and important updates in Red Hat Directory Server 12.3.
Directory Server now backs up configuration files, the certificate database, and custom schema files
Previously, Directory Server backed up only databases. With this update, when you run the dsconf backup create or dsctl db2bak command, Directory Server also backs up the configuration files, the certificate database, and the custom schema files stored in the /etc/dirsrv/slapd-instance_name/ directory to the config_files/ subdirectory of the default backup directory, /var/lib/dirsrv/slapd-instance_name/bak/config_files/.
Directory Server also backs up these files when you perform the backup by using the web console.
(BZ#2147446)
The Alias Entries plug-in is now available in Directory Server
When you enable the Alias Entries plug-in, a search for an alias entry returns the entry that the alias points to. For example, Barbara Jensen, an employee in the Example company, got married and her surname changed. Her old entry uid=bjensen,ou=people,dc=example,dc=com contains an alias to her new entry uid=bsmith,ou=people,dc=example,dc=com. When the plug-in is enabled, a search for the uid=bjensen,ou=people,dc=example,dc=com entry returns the information of the uid=bsmith,ou=people,dc=example,dc=com entry.
Pass the -a find option to the ldapsearch command so that the server dereferences the alias when it locates the search base entry.
Currently, the Alias Entries plug-in supports only base level searches.
For more information, see the Alias Entries plug-in description.
(BZ#2203173)
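The following added example (not part of the release note) shows the two halves of the workflow described above: the LDIF of an alias entry and a base-scope ldapsearch that dereferences it. The LDAP URL, the bind DN and the use of extensibleObject alongside the standard alias object class are assumptions; the LDIF fed to first_entry_dn in the usage notes is constructed.

```shell
#!/bin/sh
# Added example, not code from the release note or from 389-ds-base.
# Assumed: ldap://server.example.com, cn=Directory Manager as bind DN, and
# extensibleObject so the alias entry may also carry the uid named in its RDN.

# Print the LDIF for an alias entry. The RFC 4512 'alias' object class
# requires aliasedObjectName, which holds the DN the alias points to.
alias_entry_ldif() { # alias_entry_ldif ALIAS_DN UID TARGET_DN
    cat <<EOF
dn: $1
objectClass: top
objectClass: alias
objectClass: extensibleObject
uid: $2
aliasedObjectName: $3
EOF
}

# Return the DN of the first entry in LDIF text, e.g. ldapsearch -LLL output.
first_entry_dn() {
    sed -n 's/^dn: //p' | head -n 1
}

# Base-scope search on ALIAS_DN with -a find: the client asks the server to
# dereference the alias while locating the base object. With the plug-in
# enabled the result is the target entry. The plug-in handles only base
# scope, so a -s sub search on the same DN returns the alias entry itself.
# 1.1 requests no attributes, so only the dn line comes back.
resolve_alias() { # resolve_alias LDAP_URL BIND_DN ALIAS_DN
    ldapsearch -LLL -H "$1" -D "$2" -W -b "$3" -s base -a find 1.1 | first_entry_dn
}

# Usage (assumed server and credentials):
#   alias_entry_ldif "uid=bjensen,ou=people,dc=example,dc=com" bjensen \
#       "uid=bsmith,ou=people,dc=example,dc=com" \
#     | ldapadd -H ldap://server.example.com -D "cn=Directory Manager" -W
#   resolve_alias ldap://server.example.com "cn=Directory Manager" \
#       "uid=bjensen,ou=people,dc=example,dc=com"
```

Run the ldapadd once as an administrator, then resolve_alias as any user with read access to both entries; if the plug-in is disabled or the search scope is not base, the dn returned is the alias entry's own DN, which is the quickest check that the plug-in is doing its work.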
The checkAllStateAttrs configuration option is now available
You can enforce both account inactivity and password expiration when a user authenticates by using the checkAllStateAttrs setting of the Account Policy plug-in. When you enable this parameter, the plug-in checks the main state attribute and, if that check passes, also checks the alternate state attribute, so an account that is inactive by either measure is rejected.
(BZ#2174161)
You can now save credentials and aliases for a replication report using the Directory Server web console
Previously, when you used the web console to set credentials and aliases for a replication monitoring report, these settings were lost when the web console was reloaded. With this enhancement, when you set the credentials and aliases for the replication report, Directory Server saves the new settings in the .dsrc file, and the web console loads the saved settings after a reload. Because the .dsrc file now holds the bind credentials used for the report, make sure that only the intended user can read it.
(BZ#2030884)
Important updates and new features in the 389-ds-base package
Directory Server 12.3 features that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.3 Release Notes:
- RHEL 9.3 provides 389-ds-base 2.3.4
- Directory Server can now close a client connection if a bind operation fails
- Automembership plug-in improvements. It no longer cleans up groups by default
- New passwordAdminSkipInfoUpdate: on/off configuration option is now available
- New slapi_memberof() plug-in function is now available for Directory Server plug-ins and client applications
- Directory Server now replaces the virtual attribute nsRole with an indexed attribute for managed and filtered roles
- New nsslapd-numlisteners configuration option is now available
6.2. Bug fixes
Learn about bugs fixed in Red Hat Directory Server 12.3 that have a significant impact on users.
The cockpit-389-ds package upgrade now updates the 389-ds-base and python3-lib389 packages
Previously, the cockpit-389-ds package did not specify the version of the 389-ds-base package it depends on. As a result, upgrading the cockpit-389-ds package alone did not update the 389-ds-base and python3-lib389 packages, which could lead to version misalignment and compatibility issues between the packages. With this update, the cockpit-389-ds package depends on the exact 389-ds-base version, and updating the cockpit-389-ds package also upgrades the 389-ds-base and python3-lib389 packages.
(BZ#2240021)
Disabling replication on a consumer no longer crashes the server
Previously, when you disabled replication on a consumer server, Directory Server tried to remove the changelog on the consumer, where it does not exist. As a consequence, the server terminated unexpectedly and the client received the following error:
Error: -1 - Can't contact LDAP server - []
With this update, disabling replication on a consumer works as expected.
(BZ#2184599)
A non-root instance no longer fails to start after creation
Previously, Rust plug-ins were incorrectly disabled in the non-root instance template while the default password scheme had been moved to a Rust-based hasher. As a result, a non-root instance could not be created. With this update, a non-root instance supports Rust plug-ins, and you can create the instance with the PBKDF2-SHA512 default password scheme.
(BZ#2151864)
The dsconf utility now accepts only the value 65535 as the replica-id when setting a hub or a consumer role
Previously, when you configured a hub or a consumer role, the dsconf utility also accepted the replica-id option with a value other than 65535. With this update, the dsconf utility accepts only 65535 as the replica-id value for a hub or a consumer role. If you do not specify this value in a dsconf command, Directory Server assigns the replica-id value 65535 automatically.
(BZ#1987373)
The dscreate ds-root command now normalizes paths
Previously, when you created an instance under a non-root user and provided a bin_dir argument value that contained a trailing slash, dscreate ds-root failed to find the bin_dir value in the $PATH variable. As a result, the instance under the non-root user was not created. With this update, the dscreate ds-root command normalizes paths, and the instance is created as expected.
(BZ#2151868)
The dsconf utility now has the fixup option to create fix-up tasks for the entryUUID plug-in
Previously, the dsconf utility did not provide an option to create fix-up tasks for the entryUUID plug-in. As a consequence, administrators could not use dsconf to create a task that automatically adds entryUUID attributes to existing entries. With this update, you can use the dsconf utility with the fixup option to create fix-up tasks for the entryUUID plug-in. For example, to fix all entries under the dc=example,dc=com entry that contain a uid attribute, enter:
# dsconf instance_name plugin entryuuid fixup -f "(uid=*)" "dc=example,dc=com"
(BZ#2047175)
Access log no longer displays an error message during Directory Server installation in FIPS mode
Previously, when you installed Directory Server in FIPS mode, the access log file contained the following error message:
[time_stamp] - WARN - slapd_do_all_nss_ssl_init - ERROR: TLS is not enabled, and the machine is in FIPS mode. Some functionality won't work correctly (for example, users with PBKDF2_SHA256 password scheme won't be able to log in). It's highly advisable to enable TLS on this instance.
With this update, the issue has been fixed, and the error message is no longer written to the access log.
(BZ#2153668)
Directory Server 12.3 bug fixes that are included in the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.3 Release Notes:
- Paged searches from a regular user now do not impact performance
- The LMDB import now works faster
- Schema replication now works correctly in Directory Server
- Referral mode is now working correctly in Directory Server
- The dirsrv service now starts correctly after reboot
- Changing a security parameter now works correctly
6.3. Known issues
Learn about known problems and, if applicable, workarounds in Directory Server 12.3.
Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/
Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories, and the PrivateTmp systemd directive is enabled by default for the LDAP services. Because the import task runs inside the server process, the server sees its own private /tmp and /var/tmp rather than the host's, and /root is not readable by the dirsrv user. As a result, RHDS can import LDIF files only from the /var/lib/dirsrv/slapd-instance_name/ldif/ directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following:
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
To work around this problem, complete the following steps:
1. Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ directory:
# mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name/ldif/
2. Set permissions that allow the dirsrv user to read the file:
# chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
3. Restore the SELinux context:
# restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
For more information, see the solution article LDAP Service cannot access files under the host's /tmp and /var/tmp directories.
(BZ#2075525)
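The three workaround steps above, followed by the import itself, as one added example script (not part of the release note or of 389-ds-base). The instance ldif directory layout under /var/lib/dirsrv, the dirsrv service account and the backend name are assumptions and can be overridden; the script skips restorecon when SELinux is not enabled on the host.

```shell
#!/bin/sh
# Added example, not code from the release note or from 389-ds-base.
# Assumed layout: $LDIF_BASE/slapd-INSTANCE/ldif, service account $DIRSRV_USER.
LDIF_BASE="${LDIF_BASE:-/var/lib/dirsrv}"
DIRSRV_USER="${DIRSRV_USER:-dirsrv}"

# stage_ldif INSTANCE SRC_FILE -> prints the path the server can open.
# Moves the file into the instance ldif directory (a no-op if it is already
# there), gives the service account read access and, when SELinux is enabled,
# restores the directory's file context so the confined server may read it.
stage_ldif() {
    dest_dir="$LDIF_BASE/slapd-$1/ldif"
    dest="$dest_dir/$(basename "$2")"
    if [ ! -d "$dest_dir" ]; then
        echo "no ldif directory for instance $1: $dest_dir" >&2
        return 1
    fi
    if [ "$2" != "$dest" ]; then
        mv "$2" "$dest" || return 1
    fi
    chown "$DIRSRV_USER" "$dest" || return 1
    chmod u+r "$dest" || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -Rv "$dest_dir" >/dev/null || return 1
    fi
    printf '%s\n' "$dest"
}

# import_ldif INSTANCE BACKEND SRC_FILE: stage the file, then run the import
# task. dsconf only hands the server a path, so the file must be readable
# from the server's own view of the filesystem, not the client's.
import_ldif() {
    dest=$(stage_ldif "$1" "$3") || return 1
    dsconf "$1" backend import "$2" "$dest"
}

# Usage (run as root on the Directory Server host):
#   import_ldif instance_name userRoot /tmp/example.ldif
```

The check that separates this issue from an ordinary permissions problem is the path the server reports: a file that is readable to you but sits under /tmp or /var/tmp will still fail with errno 2, because the server's private tmp does not contain it.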
Known issues in the 389-ds-base package
Red Hat Directory Server 12.3 known issues that affect the 389-ds-base package are documented in the Red Hat Enterprise Linux 9.3 Release Notes.
6.4. Deprecated functionality
Learn about functionality that has been deprecated in Red Hat Directory Server 12.3.
Deprecated functionality in the 389-ds-base package
Directory Server 12.3 functionality that has been deprecated in the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.3 Release Notes.
6.5. Removed functionality
Learn about functionality that has been removed in Red Hat Directory Server 12.3.
Removed functionality in the 389-ds-base package
Red Hat Directory Server 12.3 functionality that has been removed from the 389-ds-base package is documented in the Red Hat Enterprise Linux 9.3 Release Notes.