Copyright © 2008 Red Hat, Inc.
This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709
USA
These Release Notes contain important information available at the time of the release of Red Hat Directory Server 8.0. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server 8.0.
Directory Server 8.0 includes several new features for enhanced authentication and password security, changed platform support, and support for IPv6 clients. Directory Server 8.0 also introduces a new, standards-based filesystem architecture.
Directory Server 8.0 has been split into multiple, separate components. Rather than being installed into a single installation directory, Directory Server now follows the Filesystem Hierarchy Standard (FHS), which distributes the libraries and files across the standard system directories. This FHS layout integrates Directory Server more closely with its base operating system and leverages existing platform components, such as the Apache web server. The FHS layout also minimizes the overhead of creating and deploying patches and updates.
The existing SHA support in Directory Server has been extended to the SHA-256, SHA-384, SHA-512, and MD5 algorithms. These algorithms are used for hashed password storage, to offset potential weaknesses in the existing SHA-1 hashing algorithm.
Directory Server 8.0 extends and strengthens its support for SASL authentication using the GSS-API to a Kerberos domain. Additional SASL tools have been added to the Mozilla LDAP C SDK.
Password syntax checking enforces rules for password strings, so that any password has to meet or exceed certain criteria. Directory Server 8.0 adds password syntax checking to better enforce its password policies. All password syntax checking can be applied globally, per subtree, or per user.
In changes to the default password policies, the default minimum password length in Directory Server 8.0 has been set to eight characters, and checks for trivial words have been improved. A trivial word is any value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's entry. Additionally, Directory Server 8.0 includes more password enforcement options, providing different optional categories for the password syntax:
Minimum number of digit characters (0-9)
Minimum number of ASCII alphabetic characters, both upper- and lower-case
Minimum number of uppercase ASCII alphabetic characters
Minimum number of lowercase ASCII alphabetic characters
Minimum number of special ASCII characters, such as !@#$
Minimum number of 8-bit characters
Maximum number of times that the same character can be immediately repeated, such as aaabbb
Minimum number of character categories required per password; a category can be upper- or lower-case letters, special characters, digits, or 8-bit characters
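The syntax rules listed above can also be enforced on the client side, for instance before an application submits a userPassword change. The following is an added example, not Directory Server's own code: the POLICY key names, the illustrative minimums, and the case-insensitive trivial-word comparison are assumptions; the rule set itself is the one the release notes describe.

```python
# Added example, not Directory Server code: the POLICY keys are assumed names;
# the rules are the ones the release notes list (min length 8, trivial words,
# per-category minimums, repeated-character limit, minimum category count).
POLICY = {"min_length": 8, "min_digits": 1, "min_alphas": 1, "min_uppers": 1,
          "min_lowers": 1, "min_specials": 1, "min_8bit": 0,
          "max_repeats": 2,        # longest allowed run ("aa" ok, "aaa" rejected)
          "min_categories": 3}     # of: upper, lower, special, digit, 8-bit
# Attribute values that count as "trivial words" and are rejected as passwords.
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "ou", "mail")

def classify(password):
    """Count characters per category used by the syntax rules."""
    c = {"digits": 0, "uppers": 0, "lowers": 0, "specials": 0, "eightbit": 0}
    for ch in password:
        if ch.isascii() and ch.isdigit():
            c["digits"] += 1
        elif ch.isascii() and ch.isupper():
            c["uppers"] += 1
        elif ch.isascii() and ch.islower():
            c["lowers"] += 1
        elif 0x21 <= ord(ch) <= 0x7E:    # printable ASCII that is not alphanumeric
            c["specials"] += 1
        elif ord(ch) > 0x7F:             # 8-bit (non-ASCII) character
            c["eightbit"] += 1
    c["alphas"] = c["uppers"] + c["lowers"]
    return c

def longest_run(password):
    """Length of the longest run of one character immediately repeated."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        best = max(best, run)
    return best

def check_password(password, entry, policy=POLICY):
    """Return the violated rules; an empty list means the password is accepted."""
    c, errors = classify(password), []
    if len(password) < policy["min_length"]:
        errors.append("too short")
    # Trivial-word check: case-insensitive match against any listed attribute value.
    for attr in TRIVIAL_ATTRS:
        if any(password.lower() == v.lower() for v in entry.get(attr, [])):
            errors.append("trivial word (%s)" % attr)
    for key, name in (("min_digits", "digits"), ("min_alphas", "alphas"),
                      ("min_uppers", "uppers"), ("min_lowers", "lowers"),
                      ("min_specials", "specials"), ("min_8bit", "eightbit")):
        if c[name] < policy[key]:
            errors.append("too few %s" % name)
    if longest_run(password) > policy["max_repeats"]:
        errors.append("too many repeated characters")
    cats = sum(1 for k in ("uppers", "lowers", "specials", "digits", "eightbit") if c[k])
    if cats < policy["min_categories"]:
        errors.append("too few character categories")
    return errors
```

The entry passed in is a dict of attribute name to list of values, as an LDAP search result would be decoded; `check_password("jdoe@example.com", entry)` is rejected as a trivial word when the entry's mail attribute holds that value.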
Directory Server 8.0 accepts incoming connections from IPv6 clients. Additionally, IPv6 support has been added to the LDAP SDK, so many command-line tools and scripts included with Directory Server 8.0 can understand and use IPv6 addresses.
Directory Server will not interpret IPv6 addresses in access control instructions or use IPv6 connections for operations such as replication and chaining.
Directory Server 8.0 is supported on the following platforms:
HP-UX 11i Itanium/IPF
Red Hat Enterprise Linux 4 i386 (32-bit)
Red Hat Enterprise Linux 4 x86_64 (64-bit)
Red Hat Virtualization Server 5 i386 (32-bit)
Red Hat Virtualization Server 5 x86_64 (64-bit)
Red Hat Directory Server 8.0 is supported running on a virtual guest on Red Hat Virtualization Server 5.
Sun Solaris 9 (SPARC v9, 64-bit)
This section contains information related to installing and upgrading Red Hat Directory Server 8.0, including prerequisites and hardware or platform requirements.
Directory Server 8.0 does not package nsperl with the product. perldap should work with the version of Perl pre-installed on the system.
There are some prerequisites for running perldap with the pre-installed version of Perl:
For Red Hat Enterprise Linux systems, use the Perl version that is installed with the operating system in /usr/bin/perl for both 32-bit and 64-bit versions of Red Hat Directory Server.
On Solaris systems, Red Hat Directory Server is installed with a Perl package, RHATperlx, that must be used. This package contains a 64-bit version of Perl 5.8. It is not possible to use the Perl version installed in /usr/bin/perl on Solaris because it is 32-bit and will not work with Directory Server's 64-bit components.
On HP-UX, Red Hat Directory Server uses the Perl version installed with the operating system in /opt/perl_64/bin/perl. Contact Hewlett-Packard support if this Perl version is not installed.
The Directory Server Console is supported on the following platforms:
HP-UX 11i Itanium/IPF
Red Hat Enterprise Linux 4 i386 (32-bit)
Red Hat Enterprise Linux 4 x86_64 (64-bit)
Red Hat Virtualization Server 5 i386 (32-bit)
Red Hat Virtualization Server 5 x86_64 (64-bit)
Sun Solaris 9 (SPARC v9, 64-bit)
Windows XP
Windows 2000 Server
Windows 2003 Server
The Directory Server Console can be installed on additional Windows platforms at an additional cost.
The Windows Sync tool runs on these Windows platforms:
Windows 2003 Active Directory
Windows 2000 Active Directory
Directory Server 8.0 supports the following browsers to access web-based interfaces, such as Admin Express and online help tools:
Firefox 1.0 (Red Hat Enterprise Linux 4 and Solaris 9)
Mozilla 1.4 (HP-UX)
Mozilla 1.4.3 (Solaris 9)
Mozilla 1.7.3 (Red Hat Enterprise Linux 4)
Microsoft Internet Explorer 6.0 (Windows)
Red Hat Directory Server web tools like Admin Express and Org Chart are not supported on Netscape browsers or any browser running on Mac.
For instructions on installation of Directory Server 8.0, see the Directory Server Installation Guide, available at http://www.redhat.com/docs/manuals/dir-server/.
Red Hat Network (RHN) (http://rhn.redhat.com) is the software distribution mechanism for Red Hat customers. You may have received account login information for RHN, including entitlements for the Red Hat Directory Server 8.0 release. If so, use the RHN website to obtain your software. Once you are logged into RHN, go to Channels (view the complete list if needed), and in the Red Hat Directory Server 8.0 channel, go to the Downloads tab. The Solaris 9 64-bit packages can be found there under the ISOs list, as well as the tarball (.tar.gz file) archive for the source code.
The files are tarball (.tar.gz) archive files, not ISO images.
Customers looking for RPMs for Directory Server 8.0 can access these files from the RHN website or through yum or up2date, using an account with entitlements for the Red Hat Directory Server 8.0 release. There are also ISO images containing both RPM and SRPM package files, available as downloads for the Red Hat Directory Server 8.0 channel. The RPM packages can be downloaded and installed in the usual manner. The ISO images can be downloaded and burned to CD-R media using the appropriate software.
After installing the packages, run the setup-ds-admin.pl script to configure the new Directory Server and Administration Server instances. See the Directory Server Installation Guide for more information about setup-ds-admin.pl script options and the Directory Server configuration interface.
The following are some of the most important bugs fixed for Directory Server 8.0.
| Bug Number | Description |
|---|---|
| 207567 | When Windows Sync was initiated, existing entries in subfolders were not synchronized; only the immediate children of the specified subtree were. The synchronization has been fixed so that the scope is the entire subtree, not one level. |
| 207893 | Windows Sync inappropriately synchronized existing hashed passwords in Directory Server to Active Directory, which treated the hash as the plain-text password and reset the user's password. This has been fixed. |
| 212671 | The street attribute in Directory Server is multi-valued, while the corresponding streetAddress attribute in Active Directory is single-valued. Synchronization of a Directory Server entry with multiple street values would fail on Active Directory. In Directory Server 8.0, only the first Directory Server streetAddress value is synchronized. |
| 231221 | The default equality index for the nsds5ReplConflict attribute did not return information about the attribute in a search. A default presence index has been added in Directory Server 8.0. |
| 231507 | If an entry had a null attribute indexed in a VLV index, Directory Server would crash when that entry was modified. For example, if a browsing index was created which sorted entries by cn and then givenName, and one of the entries had a cn attribute but no givenName attribute, Directory Server would crash when that entry was modified. This has been fixed. |
| 242551 | If there was a large backlog of tombstone (deleted) entries on Directory Server, synchronization performance between Directory Server and Active Directory was severely degraded because of how long Directory Server took scanning tombstone entries for potential changes. This has been fixed. |
| 243221 | Synchronization would fail if the initials attribute of a Directory Server entry had too many characters. Directory Server allows an unlimited number of characters, while Active Directory has a limit of six characters. This has been fixed so that the initials attribute of Directory Server entries is truncated to six characters when it is synchronized. |
| 243227 | If a synchronized entry was deleted from Directory Server, then added back to a different part of the directory tree, the resurrected entry was deleted from both Directory Server and Active Directory. This is because of the way Active Directory handles tombstone entries. When the entry was added back to the Directory Server, it was added back with its original In Directory Server 8.0, Windows Sync has been enhanced to better deal with resurrecting tombstone entries in Active Directory. On Active Directory 2000, the entry is resurrected with a new GUID; on Active Directory 2003, the entry is resurrected with the original GUID. In both cases, the resurrected entry retains all of its original attributes and values. |
| 243820 | When Directory Server was shut down, the active browsing index was interrupted; rather than closing cleanly, the file was corrupted. Trying to delete the index failed because Directory Server did not recognize the corrupt file, but trying to recreate the index also failed because the corrupt file caused the process to hang. In Directory Server 8.0, the active browsing index is shut down and closed cleanly, and if an error occurs, the index file is removed successfully. |
| 247725 | If the RDN of an entry ended in a double backslash (\\), Directory Server would crash when an LDIF containing that entry was imported. This has been fixed. |
| 249366 | If an attribute with Directory Server 8.0 disallows range searches on indexed integer-valued attributes by default. There are two ways this can be enabled: WARNING: Red Hat strongly recommends that you do not change the default or standard schema used by Directory Server. For example, to perform range searches on an attribute with See the Directory Server Administration Guide for more information about configuring database indexes and re-generating indexes. |
| 268101 | If a password was changed, the modifiersname attribute was always set to cn=server,cn=plugins,cn=config, regardless of which user changed the password. This has been fixed. |
| 297221 | A malformed member URL for a dynamic group, such as one missing a closing parenthesis, made Directory Server crash. For example, the entry "ldap:///o=example.com??sub?(&(objectclass=inetorgperson)(status=ACTIVE)(role=DSAdmin)" would make Directory Server crash because it is missing the terminal parenthesis. This has been fixed. |
| 371771 | In previous releases of Directory Server, it was possible to create a Directory Server instance with a period (.) in the server ID, such as slapd-ldap.example. However, two important functions failed if a server ID had that format: .) in the server ID. |
| 383141 | Directory Server crashed if the nsslapd-listenhost attribute, which gives the Directory Server hostname, had a value associated with multiple addresses. This has been fixed. |
The following are some of the most important known issues in Directory Server 8.0. If applicable, supported workarounds are also described.
| Bug Number | Description | Workaround |
|---|---|---|
| 151705 | The Administration Server Console is hard-coded to set all TLS ciphers to enabled. Disabling TLS ciphers through the Console is not saved, and the ciphers are re-enabled when the Administration Server is restarted. | Never edit the Administration Server ciphers through the Console. Instead, edit the console.conf file directly; it is located in the /etc/dirsrv/admin-serv/ directory. |
| 159025 | Installing a certificate with the same name as an existing certificate fails in the Directory Server Console with the error Internal error: Fail to install certificate -8169. | If it is necessary to have two certificates with the same name, install the second certificate through the command line using certutil: certutil -importcert -v |
| 171140 | Upgrading the Windows Sync service on the Windows server from version 7.1 to version 7.1 SP1 or higher (including 8.0) requires two things: | |
| 190824 | By default, not all attributes are automatically replicated to consumers in multi-master replication, including several password-associated attributes such as passwordRetryCount, retryCountResetTime, and accountUnlockTime. | To replicate these attributes, set the passwordIsGlobalPolicy configuration attribute to 1 in the cn=config entry using ldapmodify. For example:<br>dn: cn=config<br>changetype: modify<br>replace: passwordIsGlobalPolicy<br>passwordIsGlobalPolicy: 1 |
| 230808 | In Directory Server 8.0, the However, on startup, the Directory Server may record schema-related errors. For example: [02/Jan/2008:11:20:33 -0800] - Entry "cn=config" has unknown object class "nsslapdConfig" | |
| 250535 | On HP-UX and Solaris, the repl-monitor.pl script returns an error that it cannot find the appropriate Mozilla/LDAP/Conn.pm PerLDAP modules. | use lib qw(/opt/dirsrv/lib/perl /opt/dirsrv/lib/perl/arch) |
| 426139 | When a non-privileged user logs into the Directory Server Console and selects the Configuration tab, the Console throws Java exception errors to standard output. | |
| 426145 | Any import or export database operation performed through a remote Console fails with the error Cannot write to file... if a relative path is given for the file. | Import and export operations through a remote Console are successful in two scenarios: However, importing or exporting the database to the remote machine will fail if you supply a relative path. When importing or exporting databases on a remote machine, do not use relative paths for the LDIF. Always supply the absolute path or use the Browse button to select a file. |
| 426421 | If both Password Sync and the Directory Server Console are installed on the same Windows machine, the Directory Server Console will load the Password Sync nss3.dll and will fail when it attempts to open. | Do not install Password Sync and the Windows version of the Directory Server Console on the same machine. |
| 426439 | When using the Console to install a CRL, if the CRL is placed in the proper directory, /etc/dirsrv/slapd-, the Console returns an error that it cannot locate the file. | Put the CRL in the Administration Server directory, /etc/dirsrv/admin-serv, and the Console can locate the CRL file automatically. |
| 427321 | If a Directory Server instance is migrated from a previous version to Directory Server 8.0, the nsslapd-saslpath attribute is not migrated into the dse.ldif of the new 8.0 instance, so the SASL libraries cannot be loaded. This configuration attribute is properly created in fresh Directory Server installations. | Use ldapmodify to edit the 8.0 dse.ldif file and add the nsslapd-saslpath value set in the previous version. |