Chapter 4. Package Updates

If a server sent a response to an unbind request and the client simply closed the connection, Directory Server 8.2 logged "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)".

An incorrect SELinux context caused AVC errors in /var/log/audit/audit.log.

A number of memory leaks and performance errors were fixed.

The DS could not restart after a new object class was created which used the entryUSN attribute.

The ns-slapd process segfaulted if suffix referrals were enabled.

A high volume of TCP traffic could cause the slapd process to quit responding to clients.

Attempting to delete a VLV index caused the server to hang.

Connections to the DS by an RSA authentication server using simple paged results by default would timeout.

Running a simple paged search against a subtree with a host-based ACI would hang the server.

If the target attribute list for an ACI had syntax errors and more than five attributes, the server crashed.

It was not possible to set account lockout policies after upgrading from RHDS 8.1.

Adding an entry with an RDN containing a % caused the server to crash.

Only FIPS-supported ciphers can be used if the server is running in FIPS mode.

It is possible to disable SSLv3 and only allow TLS.

If the changelog was encrypted and the certificate became corrupt, the server crashed.

If the passwordisglobalpolicy attribute was enabled on a chained server, a secure connection to the master failed.

If a chained database was replicated, the server could segfault.

Editing a replication agreement to use SASL/GSS-API failed with GSS-API errors.

In replication, a msgid may not be sent to the right thread, which caused "Bad parameter to an LDAP routine" errors. This causes failures to propagate up and halt replication.

Password changes were replicated among masters replication, but not to consumers.

If an entry was modified on RHDS and the corresponding entry was deleted on the Windows side, the sync operation attempts to use the wrong entry.

Some changes were not properly synced over to RHDS from Windows.

RHDS entries were not synced over to Windows if the user's CN had a comma.

Intensive update loads on master servers could break the cache on the consumer, causing it to crash.

Syncing a multi-valued attribute could delete all the other instances of that attribute when a new value was added.

If a synced user subtree on Windows was deleted and then a user password was changed on the RHDS, the DS would crash.

The nsslapd-idlistscanlimit configuration attribute can be set dynamically, instead of requiring a restart.

Separate resource limits can be set for paged searches, independent of resource limits for regular searches.

The sudo schema has been updated.

A new configuration attribute sets a different list of replicated attributes for a total update versus an incremental update.

A new configuration option allows the server to be started with an expired certificate.

New TLS/SSL error messages have been added to the replication error log level.

When the LDAP server was under a heavy load, and the network was congested, client connections could experience problems. If there was a connection problem while the server was sending Simple Paged Result (SPR) search results to the client, the LDAP server called a cleanup routine incorrectly. This led to a memory leak and the server terminated unexpectedly. With this update, the underlying code has been modified to ensure that cleanup tasks are run correctly and memory leaks no longer occur. The LDAP server no longer crashes in this scenario.

Previously, certain operations with the Change Sequence Number (CSN) were not very effective in 389 Directory Server. Therefore, performing a large number of the modrdn operations during Directory Server content replications led to poor performance, and the ns-slapd daemon consumed up to 100% CPU under these circumstances. With this update, the underlying code has been modified to use these CSN operations efficiently so that replications in Directory Server now work as expected in this scenario.

Previously, allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method, when checking the Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. Memory leaks no longer occur and the LDAP server no longer crashes in this scenario.

Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. This implementation allowed deadlocks to occur if 389 Directory Server was under a heavy load, which caused the server to become unresponsive. With this update, 389 Directory Server now uses the POSIX implementation of the locking mechanism, and deadlocks no longer occur under a heavy load.

Under a heavy load in replicated environments, 389 Directory Server did not handle the Entry USN index correctly. Consequently, the index could become out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the Entry USN plug-in and 389 Directory Server now handles the Entry USN index as expected.