Red Hat Directory Server 8.2 Release Notes Updated for Errata RHBA-2012:0064 Edition 8.2.
Red Hat Directory Server 8.2 Release Notes Updated for Errata RHBA-2012:0064 Edition 8.2.8 Landmann rlandmann@redhat.
Legal Notice
Copyright © 2010 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Table of Contents
1. New Features in Red Hat Directory Server 8.2
1.1. Setting Limits for Anonymous Users
1.2. Requiring Secure Connections for Simple Bind
1.3. Mixing SASL and TLS Connections
1.4. Requiring a Minimum Security Strength Factor for Server Connections
1.5.
Red Hat Directory Server 8.2 Release Notes
These release notes contain important information available at the release of Red Hat Directory Server version 8.2. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server 8.2.
1. New Features in Red Hat Directory Server 8.2
Directory Server 8.
the directory, and thus the most recent change number.
1.6. Generating Links Between Entry Attributes
Linking attributes allows Directory Server to express and maintain relationships between entries dynamically. The Linked Attribute Plug-in uses the DN value of an attribute to trace its way to the related entry, and then it adds a reciprocal value on that entry.
IMPORTANT
The simple paged results are not done using MozLDAP command-line tools. The server supports simple paged search operations; however, the client tools with Red Hat Directory Server do not. Therefore, simple paged operations must be done using OpenLDAP command-line tools version 2.4.18 or later or other clients which support simple paged results.
1.11.
entries, possibly even entire directory trees, that were valid in Directory Server 8.0 or 8.1 are invalid and rejected in Red Hat Directory Server 8.2. As part of the upgrade process (setup-ds-admin.pl -u), Directory Server runs a script to normalize and update the DNs in existing directories so that they conform with RFC 4514.
1.16. Enhanced Start Scripts for the Directory Server, Admin Server, and SNMP Service
New start scripts have been added for the Directory Server, Admin Server, and SNMP services. Additionally, a new configuration file template has been added for the SNMP service.
1.17. Support for Salted MD5 Password Hash
Passwords can now be stored with the salted MD5 password hash.
2. Structural Changes in Red Hat Directory Server 8.
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389
dn: cn=uid\3Djsmith1\2Cou\3DDev0\2Co\3DEngineering0+nsuniqueid=ae8c95af8fac11df-80000000-00000000,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: cn=uid\3djsmith1\2cou\3ddev0\2co\3dengineering0
deleteoldrdn: 0
NOTE
The deleteoldrdn value must be 0 since the nsuniqueid operational attribute cannot be deleted.
3.
Red Hat Enterprise Linux 4 x86_64 (64-bit)
Red Hat Enterprise Linux 5 i386 (32-bit)
Red Hat Enterprise Linux 5 x86_64 (64-bit)
Solaris 9 SPARC (64-bit)
Windows XP Professional
Windows Server 2003
Windows Server 2008 (32-bit)
Windows Server 2008 (64-bit)
3.4. Password Sync Service Platforms
The Password Sync Service runs on these Windows platforms:
Windows Server 2003
Windows Server 2008 (32-bit)
Windows Server 2008 (64-bit)
3.5.
Using up2date or yum to pull the packages from the Red Hat Network repository
Downloading Packages from Red Hat Network
Red Hat Directory Server 8.2 packages are available for download from Red Hat Network (http://rhn.redhat.com). Downloading packages from Red Hat Network requires specific entitlements for the account for the 8.2 release.
1. Log into Red Hat Network.
2. Open the Red Hat Directory Server 8.
4. Installing Directory Server 8.2
script options and the Directory Server configuration interface.
3. Password Sync packages must be downloaded from Red Hat Network.
   a. Log into Red Hat Network.
   b. Open the Red Hat Directory Server 8.2 channel in Channels, and go to the Downloads tab.
   c. Download the PassSync.msi and save it to a Windows machine.
   d. On the Windows machine, double-click the icon and go through the installer.
4.3. Upgrading to Directory Server 8.
NOTE
Manually restarting the server should only be required for Red Hat Enterprise Linux 4 systems. Other systems should restart automatically.
5. Verify that the packages have been properly updated by checking the version number on one of the Directory Server packages. For example:
    rpm -qf /usr/sbin/setup-ds-admin.pl
    redhat-ds-admin-8.2.0-0.
5. Basic Information about Red Hat Directory Server
[...] - import userRoot: WARNING: Skipping duplicate entry "cn=uid\3Dtuser1\2Cou\3DOU0\2Co\3DO0,ou=People,dc=example,dc=com" found at line 35 of file "/opt/redhat-ds/slapd-ID/db/example.ldif"
Examine any duplicate entry messages to see if the resulting entry is acceptable. The import utility used during migration picks up the first entry and skips any subsequent duplicated entries.
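A pre-migration check for DNs that are spelled differently but compare equal once escapes are decoded, which is the situation the duplicate-entry warning reports. This is an added example, not part of the release notes or of Directory Server; the quoted and backslash-escaped spellings in the sample are constructed, and case-folding every attribute value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: three spellings of one DN plus one unrelated entry.
SAMPLE_LDIF = r'''dn: cn="uid=tuser1,ou=OU0,o=O0",ou=People,dc=example,dc=com
dn: cn=uid\=tuser1\,ou\=OU0\,o\=O0,ou=People,dc=example,dc=com
dn: cn=uid\3Dtuser1\2Cou\3DOU0\2Co\3DO0,ou=People,dc=example,dc=com
dn: uid=jsmith1,ou=People,dc=example,dc=com
'''

def split_rdns(dn):
    """Split a DN on commas that are neither escaped nor inside quotes."""
    parts, cur, quoted, i = [], '', False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep the escape pair together
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            parts.append(cur)
            cur = ''
        else:
            cur += ch
        i += 1
    return parts + [cur]

def decode_value(raw):
    """Literal value of a quoted, backslash-escaped or hex-escaped RDN value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]                       # legacy quoted form
    def unescape(m):                          # ASCII hex pairs only
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)', unescape, raw)

def dn_key(dn):
    """Comparison key: (type, value) per RDN, both case-folded (assumption)."""
    pairs = (rdn.partition('=') for rdn in split_rdns(dn))
    return tuple((a.strip().lower(), decode_value(v).lower()) for a, _, v in pairs)

def find_collisions(ldif_text):
    """Group 'dn:' lines by key; return groups with more than one spelling."""
    groups = defaultdict(list)
    for line in ldif_text.splitlines():       # folded and base64 DNs not handled
        if line.lower().startswith('dn: '):
            groups[dn_key(line[4:])].append(line[4:])
    return [dns for dns in groups.values() if len(dns) > 1]

if __name__ == '__main__':
    for group in find_collisions(SAMPLE_LDIF):
        print('first spelling (imported):', group[0])
        for dn in group[1:]:
            print('  same DN, would be skipped:', dn)
```

Run it against an export of the old directory before migrating; each reported group is a set of entries of which the import would keep only the first.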
/usr/lib64/mozldap on 64-bit Red Hat Enterprise Linux systems
Some OpenLDAP tools are located in /usr/bin on Red Hat Enterprise Linux systems already; it is possible to manage Directory Server with these tools (always using -x to disable SASL by default) but this is not recommended.
Directory Server File Locations
Red Hat Directory Server 8.2 conforms to the Filesystem Hierarchy Standards.
6. Bugs Fixed in 8.2
434914. Many of the most important bugs are listed in Table 2, “List of Bugs Fixed in 8.2”.
Table 2. List of Bugs Fixed in 8.2
Bug Number  Description
195302  The global password policy was always in effect, even if a local password policy had been set.
196918  Some core schema elements were not compliant with the formats stated in RFC 2256.
201275  If a client bound to the server using the EXTERNAL method and a client certificate, the server skipped checking for the nsAccountLock setting.
7. Security Updates
518112  If two threads attempted to evaluate an IP-based ACI at the same time, the server crashed with a segfault.
520483  If a new server instance attempted to register with a remote Configuration Directory Server when DHCP or DNS wasn't properly configured, the error message itself broke, which ultimately broke the installation process.
521108  Attempting to create a new role in some circumstances created an endless loop that caused the operation to fail.
process use an excessive amount of CPU time and system memory by crafting HTTP requests with a specially-crafted Range header. Detailed information is available in Bugzilla CVE-2011-3192 and through the Apache project security advisory at http://httpd.apache.org/security/CVE-2011-3192.txt.
8. Errata Updates
Table 3. Bugs Fixed in Errata Updates for Directory Server 8.2
Release Date  Errata Release  Bug Number  Description
January 24, 2012  RHBA-2012:0064  758978  The previous version of Red Hat Directory Server used the NSPR implementation of reader/writer locks (rwlocks).
honored.
Release dates: February 22, 2011; January 3, 2011; November 10, 2010
Errata releases: RHSA-2011:0293; RHBA-2011:0003; RHBA-2010:0874
520151  When the proxy authentication was used, the proxy user was unable to change the "userPassword" attribute of another user, although the proxy user had sufficient rights to do so. This update has fixed the problem so that the proxy user is now able to change the attribute.
results to be incorrect.
September 9, 2010  RHBA-2010:0692  612264  The ACL processing in the Directory Server would attempt to check the password modify rights for an entry before actually pulling the entry from the database. This meant that some userPassword modify operations failed, even if the ACLs were set to allow the operation.
9. Known Issues
The following are some of the most important known issues in Directory Server 8.2. If applicable, supported workarounds are also described.
Table 4. Known Issues in Directory Server 8.2
Bug Number  Description  Workaround
151705
Description: The Admin Server Console is hard-coded to set all TLS ciphers to enabled. Disabling the TLS ciphers through the Console is not saved, and the ciphers are re-enabled when the Admin Server is restarted.
Workaround: Never edit the Admin Server ciphers through the Console. Instead, edit the console.conf file directly.
4. 5. 6. 7.
make sure that the Berkeley DB environment is removed using the DB_ENV->remove method or an appropriate system utility.
Archive the database environment for catastrophic recovery.
Recompile and install the new version of the application.
Force a checkpoint using the DB_ENV->txn_checkpoint method or the db_checkpoint utility.
database verification does not differentiate between the duplicate btree ID list and the main tree entry pages. The database, then, incorrectly tries to compare the main database page to itself rather than the duplicate ID btree. This affects Directory Server client tools such as verify-db.pl and dbverify. This issue has been fixed in BerkeleyDB 4.8.26. However, the fix will not be available for Red Hat Enterprise Linux 4.
and then restart the server.
592022
DN formats in Directory Server 8.2 must comply with RFC 4514. This means that special characters (including quotation marks and commas) in a DN component must be escaped. To maintain backwards compatibility, migrated Directory Server entries will have encoded special characters in the DN. On Red Hat Enterprise Linux, DNs are updated automatically as part of installing the packages. However, on Solaris, the setup-ds.
admin.pl with the -u option to complete the upgrade process.
    setup-ds-admin.pl -u
596521
Import operations encounter fatal failures on some environments when trying to create an index for more than 200 attributes. The failures occur because the ulimit setting on the machine is too small to accommodate the import operation.
616598
Description: The console.conf file for the Admin Server is overwritten during the upgrade process on Sun Solaris.
Workaround: Save the original console.conf file and manually copy it in place.
1. Download the product binaries (from Red Hat Network or media) to the Directory Server installation directory.
2. Unzip the package.
    gunzip -dc filename.tar.gz | tar -xvof -
3. Stop the Directory Server and Admin Server.
    /etc/init.d/dirsrv stop
    /etc/init.d/dirsrv-admin stop
4. Back up the old console.
    cd /etc/dirsrv/admin-serv ; cp -fp@ console.conf console.conf.new
    cp -fp@ console.conf.save console.conf.new
8. Run setup-ds.pl with the -u option.
    setup-ds.pl -u
9. Restart the Directory Server and Admin Server.
    /etc/init.d/dirsrv start
    /etc/init.d/dirsrv-admin start
10. Run setup-ds-admin.pl with the -u option to complete the upgrade process.
    setup-ds-admin.
add description:
    group add for DNA Plugin test
adding new entry "cn=User,ou=People,dc=example,dc=com"
ldap_add: Operations error (1)
    additional info: Allocation of a new value for gidnumber failed! Unable to proceed.
The error log contains a message that the sort control used with the DNA operations could not be processed.
[04/Aug/2010:11:18:59 0400] - ERROR: The sort control cannot be processed when more than one backend is involved.
invalid value, the entry is still imported successfully and the invalid attribute value is added to the entry USN index. Additionally, the lastusn value for the server is set to 0. What should happen is that the import operation should fail and the lastusn value should be set to -1, indicating a failure.