Red Hat Directory Server 8.1 Release Notes
Release Notes for Directory Server 8.1
Copyright © 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA
April 28, 2009, updated September 9, 2009
1. New in Red Hat Directory Server 8.1
2. System Requirements
3. Installing Directory Server 8.1
4. Basic Information about Red Hat Directory Server
5. Bugs Fixed in 8.1
6. Known Issues
These release notes contain important information available at the release of Red Hat Directory Server version 8.1. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server 8.1.
1. New in Red Hat Directory Server 8.1
Directory Server 8.1 has introduced many features to make managing the directory service and its data easier.
1.1. Enhanced Server to Server Connections with Added SASL/Digest-MD5 (Kerberos), SASL/GSSAPI (Kerberos), and Start TLS Support
Red Hat Directory Server performs a number of different connections between servers, such as replication, chaining, synchronization, and pass-through authentication. To secure these connections, Red Hat Directory Server previously supported SSL and TLS authentication. Directory Server 8.1 expands the secure connection options to include SASL/Digest-MD5 (Kerberos), SASL/GSSAPI (Kerberos), and Start TLS for these server to server operations.
Connections between Directory Server instances can be secured using SASL and Start TLS. This includes replication and chaining (database links).
Pass-through authentication now allows optional arguments to enable Start TLS. (SASL connections are not supported for pass-through authentication.)
Windows synchronization now supports Start TLS (a secure TLS connection over a standard LDAP port) for Active Directory-Directory Server connections. (SASL connections are not supported for Windows.)
The configuration attributes and the Console have been updated to include these enhancements:
• For replication and synchronization, the nsds5ReplicaBindMethod and nsds5ReplicaTransportInfo attributes
• For chaining, the nsUseStartTLS, nsBindMechanism and nsActiveChainingComponents attributes
1.2. Server Task Management to LDAP with cn=tasks Entries
Directory Server has long had the ability to launch server maintenance tasks over LDAP. These include directory tasks like import, export, backup, restore, and indexing, as well as new tasks for reloading schema and updating users' group membership attributes. However, this feature has not previously been documented. In Directory Server 8.1, documentation has been added for the five original database tasks (import, export, index, backup, and restore). Additionally, two new tasks have been created for the new dynamic schema reload and memberOf tasks.
Each task has its own entry under the cn=tasks,cn=config configuration entry in the server's DSE. A new task entry can be added, with task-specific attributes, to initiate the task. As soon as the task is completed, the task entry is removed. For example, this launches a task to create a new index:
/usr/lib/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=example presence index, cn=index, cn=tasks, cn=config
objectclass: nsDirectoryServerTask
cn: example presence index
nsIndexAttribute: "cn:pres"
All seven tasks and their allowed attributes are covered in the cn=tasks,cn=config section of the core configuration chapter in the Red Hat Directory Server Configuration, Command, and File Reference.
1.3. Improved Schema Extensions through Dynamic Schema Reloads
Previous to Red Hat Directory Server 8.1, if a custom schema file was added to the Directory Server, the Directory Server instance had to be restarted to load the schema.
Directory Server 8.1 introduces a dynamic schema reload task, which allows custom schema files to be added to an instance and loaded on the fly. This simplifies extending Directory Server schema.
Dynamic schema reload is supported through the cn=tasks,cn=config entry (by adding a task entry beneath the cn=schema reload task, cn=tasks,cn=config container entry) and through a new script, schema-reload.pl.
1.4. Added Support for Unix Sockets and Autobind
Inter-process communication (IPC) is a way for processes on a Unix machine or network to communicate directly with each other. Running LDAP operations over IPC connections is called LDAPI. Directory Server 8.1 introduces LDAPI support, meaning that Directory Server's LDAP operations can run over Unix sockets.
Enabling LDAPI also allows the Directory Server to use autobind to authenticate logged in Unix users to the Directory Server automatically, based on their Unix credentials.
Both LDAPI and autobind are configured through new core configuration attributes which have been added to the Directory Server.
1.5. Added New Plug-in for Automatically Managing and Assigning Numbers for Attributes
Some entry attributes require having a unique number, such as uidNumber and gidNumber. Directory Server 8.1 introduces the Distributed Numeric Assignment (DNA) Plug-in. This plug-in assigns ranges of numbers to a server, and the server then assigns numbers to attributes, based on their subtree and a matching filter. Ranges can be reallocated among supplier servers to make sure that a server always has an adequate range without assigning duplicate numbers.
1.6. Added New Plug-in to Simplify Group Membership Management
Group membership is defined in the group entry itself. For static groups, members are identified by their DN in the member or uniqueMember attribute. However, before Directory Server 8.1, there was no way to tell by looking at a user entry what groups the user was a member of.
Directory Server 8.1 has added a new managed attribute, memberOf, and a new MemberOf Plug-in. Whenever a member is added to a static group, the MemberOf Plug-in uses the person's DN from the member or uniqueMember attribute to search for the user entry, and then adds a memberOf attribute to the user entry. This way, it's simple to tell from looking at the user entry what groups it belongs to.
memberOf attributes are initially assigned to entries by running a special task. This task can be launched by creating a task entry beneath the cn=memberof task, cn=task,cn=config container entry or by running the new fixup-memberof.pl script.
1.7. Extended Get Effective Rights Operations with Options for Non-Existent and Operational Attributes
A get effective rights operation is an extended ldapsearch that, along with regular search results, returns the access permissions that one directory user has to a directory entry or entries.
Directory Server 8.1 adds two additional attribute search options for get effective rights searches. One (*) returns rights for non-existent attributes for the entry, meaning attributes which could be set on the entry but currently are not. The other (+) returns access rights for operational attributes for the entry.
1.8. Added New Support for 64-Bit Integers for Performance Counters on 32-Bit Systems
Many of the performance counters for the Directory Server — including server statistics, database statistics, and SNMP monitoring — record 32-bit integers. For large or high-traffic systems, these counters may roll over too quickly, creating quirky performance statistics and making it difficult to conduct long-term analysis.
Directory Server 8.1 introduces support for 64-bit integers for performance counters, even on 32-bit systems. These 64-bit integers are enabled through a new configuration attribute on the DSE, nsslapd-counters. When 64-bit integers are enabled, all available counters support 64-bit integers.
For server statistics, there are five counters which support 64-bit integers:
• opsinitiated
• opscompleted
• entriessent
• bytessent
• totalConnections
For database statistics, there are four counters which support 64-bit integers:
• entrycachehits
• entrycachetries
• currententrycachesize
• maxentrycachesize
All of the attributes monitored by SNMP can support 64-bit integers.
1.9. Added New Parameter for Setting the Interval for Win Sync Checks
In synchronization, updates are sent two ways: from the Directory Server to the Active Directory server and from Active Directory back to the Directory Server. The frequency with which Directory Server sends updates to Active Directory is set in the synchronization schedule, handled by the nsds5replicaupdateschedule attribute. The frequency with which Directory Server checked Active Directory for updates was hard-coded at five minutes.
A new attribute has been added, winSyncInterval, which sets how frequently the Directory Server should check the Active Directory peer for changes. If this attribute is not set, the default frequency is still every five minutes.
This new Win Sync interval can be used with existing sync agreements. To apply this new attribute:
1. Upgrade the software, as described in Section 3.4, “Upgrading to Directory Server 8.1”.
2. Copy the 01common.ldif from the common /etc/dirsrv/schema directory into the instance-specific directory, such as /usr/lib/dirsrv/slapd-instance_name/schema.
It is okay to overwrite the new 01common.ldif schema file because it is new and because the core configuration schema should never be modified, so there shouldn't be any custom settings.
3. Reload the schema. For example:
/usr/lib/dirsrv/slapd-instance_name/schema-reload.pl -D "cn=Directory Manager" -w secret
4. Edit the sync agreement to add the winSyncInterval attribute.
/usr/lib/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=ExampleSyncAgreement,cn=sync replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: winSyncInterval
winSyncInterval: 600
1.10. Added a New Parameter to Control How the Server Handles Unauthenticated Binds
Users can attempt to bind to the directory using a username but without giving a password. For example, this command does not include the -w option or any other password option:
/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"
This is called an unauthenticated bind, because the user as whom to bind is given, but without any credentials.
Before 8.1, the Directory Server allowed that unauthenticated bind to continue as an anonymous bind. However, this created a management issue for servers which did not allow anonymous binds and a security risk for ones which did.
A new configuration attribute, nsslapd-allow-unauthenticated-binds, sets whether to allow an unauthenticated bind to succeed as an anonymous bind or whether the bind attempt fails. By default, this is turned off, so that unauthenticated binds fail, which is more secure.
nsslapd-allow-unauthenticated-binds: off
2. System Requirements
This section contains information related to installing and upgrading Red Hat Directory Server 8.1, including prerequisites and hardware or platform requirements.
2.1. Required JDK
Red Hat Directory Server 8.1 requires Sun JRE 1.6.0 or OpenJDK 1.6.0 for Red Hat Enterprise Linux 5 and HP-UX.
IMPORTANT
When the new JDK is installed for Directory Server 8.1, it is no longer possible to manage older instances of Directory Server using the Directory Server Console because the required JDKs for the different Directory Server versions are different. You must migrate any older instance to Directory Server 8.1 if you need to manage that instance with the Directory Server Console.
Red Hat Directory Server 8.1 requires Java IBM 1.6.0 for Red Hat Enterprise Linux 4.
2.2. Perl Prerequisites
Directory Server 8.1 does not package nsperl with the product. perldap should work with the version of perl pre-installed on the system.
There are some prerequisites for perl to run perldap with the pre-installed version.
• For Red Hat Enterprise Linux systems, use the Perl version that is installed with the operating system in /usr/bin/perl for both 32-bit and 64-bit versions of Red Hat Directory Server.
• On Solaris systems, Red Hat Directory Server is installed with a Perl package, RHATperlx, that must be used. This package contains a 64-bit version of Perl 5.8. It is not possible to use the Perl version installed in /usr/bin/perl on Solaris because it is 32 bit and will not work with Directory Server's 64-bit components.
• On HP-UX, Red Hat Directory Server uses the Perl version installed with the operating system in /opt/perl_64/bin/perl. Contact Hewlett-Packard support if this Perl version is not installed.
2.3. Directory Server Supported Platforms
Directory Server 8.1 is supported on the following platforms:
• HP-UX 11i Itanium/IPF
• Red Hat Enterprise Linux 4 i386 (32-bit)
• Red Hat Enterprise Linux 4 x86_64 (64-bit)
• Red Hat Enterprise Linux 5 i386 (32-bit)
• Red Hat Enterprise Linux 5 x86_64 (64-bit)
• Sun Solaris 9 (SPARC v9, 64-bit)
NOTE
Red Hat Directory Server 8.1 is supported running on a virtual guest on a Red Hat Enterprise Linux 5 virtual server.
2.4. Directory Server Console Supported Platforms
The Directory Server Console is supported on the following platforms:
• HP-UX 11i Itanium/IPF
• Red Hat Enterprise Linux 4 i386 (32-bit)
• Red Hat Enterprise Linux 4 x86_64 (64-bit)
• Red Hat Enterprise Linux 5 i386 (32-bit)
• Red Hat Enterprise Linux 5 x86_64 (64-bit)
• Sun Solaris 9 (SPARC v9, 64-bit)
• Windows XP
• Windows 2000 Server
• Windows 2003 Server
NOTE
The Directory Server Console can be installed on additional Windows platforms at an additional cost.
2.5. Windows Sync Service Platforms
The Windows Sync tool runs on these Windows platforms:
• Windows 2003 Active Directory (32-bit)
• Windows 2000 Active Directory (32-bit)
2.6. Web Application Browser Support
Directory Server 8.1 supports the following browsers to access web-based interfaces, such as Admin Express and online help tools:
• Firefox 1.0 (Red Hat Enterprise Linux 4 and Solaris 9)
• Mozilla 1.4 (HP-UX)
• Mozilla 1.4.3 (Solaris 9)
• Mozilla 1.7.3 (Red Hat Enterprise Linux 4)
• Microsoft Internet Explorer 6.0 (Windows)
3. Installing Directory Server 8.1
For more detailed instructions on installing Directory Server 8.1, see the Directory Server Installation Guide at http://www.redhat.com/docs/manuals/dir-server/.
3.1. Installing the JDK
Directory Server 8.1 requires Sun JRE 1.6.0 or OpenJDK 1.6.0. The appropriate Sun JDK should already be available on Sun Solaris systems, but it is necessary to install the JDK separately for other platforms. Either Sun JDK 6.0 or OpenJDK 1.6.0 is allowed.
For example, to install OpenJDK on Red Hat Enterprise Linux 5:
yum install java-1.6.0-openjdk
OpenJDK is also available for download from http://openjdk.java.net/install/ for Red Hat Enterprise Linux and HP-UX.
For Red Hat Enterprise Linux 4, subscribe to the Extras channel in Red Hat Network, and install Java IBM 1.6.0 using up2date:
up2date java-1.6.0-ibm
IMPORTANT
When the new JDK is installed for Directory Server 8.1, it is no longer possible to manage older instances of Directory Server using the Directory Server Console because the required JDKs for the different Directory Server versions are different. You must migrate any older instance to Directory Server 8.1 if you need to manage that instance with the Directory Server Console.
3.2. Obtaining Packages
Red Hat Directory Server 8.1 packages are available for download from Red Hat Network (http://rhn.redhat.com). Downloading packages from Red Hat Network requires specific entitlements for the account for the 8.1 release.
To download Red Hat Directory Server 8.1 packages, log into Red Hat Network, then open the Red Hat Directory Server 8.1 channel in Channels and go to the Downloads tab.
Both RPMs and ISO images are available for download through Red Hat Network. RPM packages can be downloaded and installed using rpm. The ISO images for Red Hat Enterprise Linux and Solaris can be downloaded and burned onto CD-recordable media using the appropriate software.
Along with the packages, there are tarball (.tar.gz file) archives for the source code.
NOTE
The source files are tarball (.tar.gz) archive files, not ISO images.
Red Hat Enterprise Linux customers can use Red Hat Network to obtain packages, or they can simply install or update their packages using yum or up2date, using an account with entitlements for the Red Hat Directory Server 8.1 release.
Directory Server packages are installed using native package management tools. For example, on Red Hat Enterprise Linux:
ls *.rpm | egrep -iv -e devel -e debuginfo | xargs rpm -ivh
On Sun Solaris:
for pkg in *.pkg ; do pkgadd -d $pkg all ; done
The Password Sync packages available for download contain the PassSync.msi installer file. Download this file to the Windows machine, and then double-click the icon and go through the installer.
IMPORTANT
Although the Password Sync packages are listed in every Directory Server channel in Red Hat Network (Solaris, Red Hat Enterprise Linux 32-bit and Red Hat Enterprise Linux 64-bit), Password Sync is only supported on 32-bit Windows machines.
3.3. Running setup-ds-admin.pl
After installing the packages, run the setup-ds-admin.pl script to configure the new Directory Server and Administration Server instances. For example:
setup-ds-admin.pl
See the Directory Server Installation Guide for more information about setup-ds-admin.pl script options and the Directory Server configuration interface.
3.4. Upgrading to Directory Server 8.1
Red Hat Enterprise Linux systems support an in-place upgrade when moving from Red Hat Directory Server 8.0 to Red Hat Directory Server 8.1. To do this:
1. Back up your current Directory Server, according to your preferred backup method. For example:
cd /usr/lib/dirsrv/slapd-instance_name
db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2009_04_30_16_27_56
2. Install or update the RPMs. For example:
yum update -y
This automatically updates the Red Hat Directory Server packages and all required packages.
Red Hat Directory Server 8.1 requires that all of the packages in the Red Hat Directory Server channel be updated. Simply running yum update updates all Red Hat Directory Server and Red Hat Enterprise Linux packages. To exclude packages from updating on your system, use --exclude packages, restrict the update to only the Red Hat Directory Server channel, or explicitly list the packages to update. Run man yum for a list of options.
3. Re-run the setup script with the -u option.
setup-ds-admin.pl -u
This updates the settings automatically, without having to migrate or re-configure the server.
4. Restart the Directory Server.
service dirsrv restart
5. Verify that the packages have been properly updated by checking the version number on one of the Directory Server packages. For example:
rpm -qf /usr/sbin/setup-ds-admin.pl
redhat-ds-admin-8.1.0-9.el5dsrv
Also restart the Directory Server Console to make sure that the version and build numbers are appropriately updated.
6. The Distributed Numeric Assignment and MemberOf Plug-ins are new with Directory Server 8.1. Their configuration is not automatically added to the dse.ldif file with the in-place upgrade, so you need to add these entries to the file.
• The MemberOf Plug-in template entry is in /usr/share/dirsrv/data/template-dse.ldif.
• The DNA Plug-in template entry is in /usr/share/dirsrv/data/template-dnaplugin.ldif.
These entries can be added using ldapmodify or by editing the dse.ldif file directly. For example:
/usr/lib/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 8.1.0
nsslapd-pluginVendor: Red Hat, Inc.
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

adding new entry cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: off
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.1.0
nsslapd-pluginVendor: Red Hat, Inc.
nsslapd-pluginDescription: memberof plugin

adding new entry cn=MemberOf Plugin,cn=plugins,cn=config
Hit Enter twice or type Ctrl-D to close the ldapmodify operation.
NOTE
If you edit the dse.ldif file directly, you need to stop the server first.
7. Restart the Directory Server. You must always restart the Directory Server after editing the plug-in configuration.
service dirsrv restart
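A post-upgrade configuration check, added here as an example and not part of Red Hat's documentation or code: it parses a constructed dse.ldif excerpt and flags the unauthenticated-bind switch from Section 1.10 left on, a DNA or MemberOf plug-in entry from step 6 that is missing or disabled, 32-bit counters, and an unset nsslapd-maxsasliosize (bug 387851). The severities, the sample values and the helper names are the example's own assumptions.

```python
"""Audit a dse.ldif for the settings these release notes introduce.
Added example, not Red Hat's code; the LDIF excerpt is constructed to look
like an instance after an in-place 8.0 to 8.1 upgrade."""
import base64
import re

# Constructed dse.ldif excerpt: the plug-in entries from the upgrade procedure
# were added, but the new bind switch and the SASL I/O limit were never reviewed.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-allow-unauthenticated-binds: on
nsslapd-counters: off

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginPath: libdna-plugin
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: Distributed Numeric
  Assignment plugin

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginEnabled: off
"""

DNA_DN = "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
MEMBEROF_DN = "cn=memberof plugin,cn=plugins,cn=config"

def norm_dn(dn):
    """Case-fold a DN and drop whitespace after RDN separators."""
    return re.sub(r",\s+", ",", dn.strip()).lower()

def parse_ldif(text):
    """Parse LDIF into {normalized dn: {lowercase attr: [values]}}, handling
    RFC 2849 line folding, '::' base64 values and '#' comment lines."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:      # trailing "" flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold onto the previous line
        elif raw.strip() == "":
            if lines:
                dn, attrs = _entry(lines)
                entries[dn] = attrs
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries

def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = norm_dn(value)
        elif name != "version":
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def first(entry, attr):
    vals = entry.get(attr.lower())
    return vals[0].lower() if vals else None

def audit(entries):
    """Return (severity, message) findings for the 8.1 settings."""
    findings = []
    cfg = entries.get("cn=config", {})
    # 1.10: a DN with no password must not silently become an anonymous bind.
    if first(cfg, "nsslapd-allow-unauthenticated-binds") == "on":
        findings.append(("HIGH", "nsslapd-allow-unauthenticated-binds is on; "
                                 "set it to off (the 8.1 default)"))
    # Bug 387851: the size of incoming SASL packets can now be capped.
    if "nsslapd-maxsasliosize" not in cfg:
        findings.append(("INFO", "nsslapd-maxsasliosize not set explicitly; "
                                 "review the limit on incoming SASL packets"))
    # 1.8: 32-bit counters roll over quickly on busy servers.
    if first(cfg, "nsslapd-counters") != "on":
        findings.append(("LOW", "nsslapd-counters is not on; counters stay 32-bit"))
    # 3.4 step 6: the upgrade does not add the DNA and MemberOf entries itself.
    for dn in (DNA_DN, MEMBEROF_DN):
        plug = entries.get(dn)
        if plug is None:
            findings.append(("MEDIUM", f"{dn} missing; add the template entry"))
        elif first(plug, "nsslapd-pluginEnabled") != "on":
            findings.append(("INFO", f"{dn} present but nsslapd-pluginEnabled is off"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(parse_ldif(SAMPLE_DSE_LDIF)):
        print(f"{severity:6} {message}")
```

Point parse_ldif at the contents of /etc/dirsrv/slapd-instance/dse.ldif (with the server stopped, as the NOTE above says) to run the same checks against a real instance.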
3.5. Migrating to Directory Server 8.1
Upgrading from Red Hat Directory Server 7.1 to Directory Server 8.1 requires a migration. The migration process has a special script, migrate-ds-admin.pl, which copies the data and configuration from the 7.1 instance to the new 8.1 instance. For example, to migrate all 7.1 instances to 8.1 on the same machine:
migrate-ds-admin.pl --oldsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password
Additional migration scenarios are covered in the Red Hat Directory Server Installation Guide.
4. Basic Information about Red Hat Directory Server
This is some basic information for using and managing Directory Server. The Directory Server information is explained in much more detail in the Administrator's Guide.
Starting and Stopping the Directory Server and Administration Server
The Directory Server and Administration Server instances are started and stopped using basic service command line tools. For example, on Red Hat Enterprise Linux:
service dirsrv-admin start
service dirsrv start
Running just service dirsrv start starts all instances of the Directory Server on the host machine. To start a single instance, use the name of the instance in the command:
service dirsrv start example
Starting the Directory Server Console
To start the Directory Server Console, run the redhat-idm-console.
redhat-idm-console
It is also possible to specify the user to log into the Console as using the -u option and to give the URL to the Administration Server using the -a option.
redhat-idm-console -u "cn=Directory Manager" -a http://ldap.example.com:9830
Default Port Numbers
These are the default port numbers for the Directory Server and Administration Server:
• The standard LDAP port is 389.
• The secure (SSL) LDAPS port is 636.
• The Administration Server port is 9830.
Tool Locations
The Mozilla LDAP tools used to manage Directory Server, such as ldapsearch and ldapmodify, are in the following directories, depending on platform:
• /usr/lib/mozldap6 on 32-bit Red Hat Enterprise Linux systems
• /usr/lib64/mozldap on 64-bit Red Hat Enterprise Linux systems
• /opt/dirsrv/bin/mozldap/ on HP-UX systems
Some OpenLDAP tools are already located in /usr/bin on Red Hat Enterprise Linux systems; it is possible to manage Directory Server with these tools (always using -x to disable SASL), but this is not recommended.
Directory Server File Locations
Red Hat Directory Server 8.1 conforms to the Filesystem Hierarchy Standard (FHS). For more information on FHS, see the FHS homepage, http://www.pathname.com/fhs/. The files and directories installed with Directory Server are listed in the tables below for each supported platform.
File or Directory      Location
Log files              /var/log/dirsrv/slapd-instance
Configuration files    /etc/dirsrv/slapd-instance
                       /var/lib/dirsrv/slapd-instance
Instance directory     /usr/lib/dirsrv/slapd-instance on 32-bit systems
                       /usr/lib64/dirsrv/slapd-instance on 64-bit systems
Database files         /var/lib/dirsrv/slapd-instance/db
Schema files           /etc/dirsrv/slapd-instance/schema
Runtime files          /var/lock/dirsrv/slapd-instance
                       /var/run/dirsrv/slapd-instance
Tools                  /usr/bin/
                       /usr/sbin/
Table 1. Red Hat Enterprise Linux
File or Directory      Location
Log files              /var/opt/log/dirsrv/slapd-instance
Configuration files    /etc/opt/dirsrv/slapd-instance
Instance directory     /opt/dirsrv/slapd-instance
Database files         /var/opt/dirsrv/slapd-instance/db
Schema files           /etc/opt/dirsrv/slapd-instance/schema
Runtime files          /var/opt/dirsrv/instance
Binaries               /opt/dirsrv/bin/
                       /opt/dirsrv/sbin/
Libraries              /opt/dirsrv/lib/
Table 2. HP-UX 11i (IA64)
UTF-8 and Language Support
Directory Server supports all international character sets by default because directory data is stored in UTF-8. UTF-8 characters are fully supported for all DNs and DN components. Web services can be customized to display character sets other than UTF-8, though UTF-8 and Latin-1 are the default for Directory Server web applications.
Directory Server can also use specified matching rules and collation orders based on language preferences in search operations.
The locales and character sets supported by Directory Server are listed in more detail in Appendix D, "Internationalization," in the Administrator's Guide.
5. Bugs Fixed in 8.1
Along with new features, Directory Server 8.1 contains many bug fixes for all functional areas, features, and components in the directory service and associated tools, as well as the documentation. The complete list of bugs fixed in Directory Server 8.1 is in the tracking bug for this release, Bugzilla 249650 [1]. Many of the most important bugs are listed in Table 3, “List of Bugs Fixed in 8.1”.
Bug Number   Description
158334       The Directory Server Console calculated the account logon hour times (ntLogonHours) differently than the way Windows Active Directory handles times. This meant that any logon times set in the Console were inaccurately set in the user entry.
166230       The Administration Server Console misparsed the access log entries for any server which had a hostname with a hyphen in it, such as first-example.com, although hyphens are allowed according to RFC 1034. The hyphen was treated as a line separator, so the remaining half of the hostname was displayed as part of the username in the Console.
170461       The Perl scripts were fixed to use a custom Term::ReadKey in order to prompt for the password when the -w - argument is used.
174394       Searching the database using a regular expression (such as title=*es*) would return entries that did not have the given attributes as well as entries which matched the filter.
179193       The Directory Server Console replication page would show that consumer initialization had started successfully, even if it had failed.
179956       There were errors when trying to migrate DNS-related schema elements because some of the schema attributes were deprecated or not supported and others were incorrectly handled.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=ds8.1
184141, 216522, 248924   The password policy response was not returned as part of a password change extended operation. This meant that the password policies weren't being applied to password changes done through the password modify extended operation.
191779       Restarting the Administration Server immediately after starting the Configuration Directory Server would stop the Configuration Directory Server process unexpectedly.
191834, 430172, 436830, 459302, 460381, 472999   There were various memory leaks fixed in the server, including startup errors, SASL mapping, VLV indexing, CoS, and the Administration Server.
198090       The visual ACI editor would resort the targets in the Targets tab by name, but, in reality, the original order was being used, so selecting the visual target attribute actually selected the attribute in that position in the original sort order.
199923       A subtree search would not return any entries under an ou with special characters in the name.
201332       If a password was reset and the password policy required the password to be reset by the user, the password could not be changed using the password change extended operation.
204626       If password syntax checking was enabled, the password policy would check the syntax on the hashed value of the password. This could actually allow users to use trivial passwords by adding a hashed password as the userPassword value.
204966, 478656   If the required Windows attributes were added to an existing Directory Server after synchronization had been set up, the user was not automatically synced over to the Windows sync peer. When the user entry was synchronized over after a total update, the account was disabled.
208076       Trying to set inheritance when using an LDAP URL in an ACI target did not work. For example, this ACI would fail:
             userattr="parent[1].description#LDAPURL
220532       Access to the RUV used by replication was restricted to the Directory Manager, for security. However, this meant that very high-level access had to be granted to any process used for replication monitoring.
             This fix allows non-privileged users to be granted access to the RUV entry, while still preventing non-privileged access to the normal tombstone entries. Access is granted to all other users using a default ACI, which can be edited to restrict the access to a specific user or group.
230808       The basic schema used by the Directory Server itself was divided into two files. All of the schema required to start the server is contained in 00core.ldif. All of the other configuration schema elements used by the Directory Server instances are in 01common.ldif.
238762       By default, the nsslapd-import-cache-autosize attribute for the LDBM Database Plug-in was set to -1, which means that the cache is automatically set to half (50%) of the available memory. However, the Directory Server Console shows the default value as 20000000 bytes, not the auto size. And, since auto cache sizing takes priority over manually assigning the cache size, whatever was set in the Directory Server Console was ignored.
             The Directory Server Console has a new checkbox to enable or disable auto cache sizing. If auto cache sizing is enabled, the value set for the cache size is ignored.
245894  Occasionally, the Directory Server's ns-slapd could shut down successfully, but its .pid file wasn't removed. If there was an existing .pid file for a server instance, then the server could not restart, even if it wasn't running.
381361  Some cn changes on Directory Server were not synced over to Active Directory.
387851  The Directory Server would allocate as much memory as a client suggested for a SASL operation, without any other limits being imposed. This can be restricted now in Directory Server 8.1 through the new nsslapd-maxsasliosize configuration attribute, which sets a limit on the size of incoming SASL packets.
400341  If a user was logged in as the Directory Manager and tried to change the admin user's password in the Administration Server's Console, the server would try to change the Directory Manager's password instead.
400361  Changing the admin user's password in the Administration Server Console closed the connection to the Console immediately when the change was saved.
426139  When a non-privileged user logged into a console and attempted to open a configuration tab, the console would throw Java exceptions to standard output and open error dialogs.
426421  The Windows version of the Directory Server Console looked for its NSS libraries in the wrong location.
426435  If a CRL was located in the /usr/lib/dirsrv/slapd-instance_name directory, it could not be added to the CRL tab of the Directory Server Console's Certificate Wizard. If the CRL was located anywhere else, it could be loaded through the Certificate Wizard just fine.
428232  Performing a rename operation failed if the DN was only different in case (such as cn=john smith to cn=John Smith) or where the new DN was identical to the old DN.
428929  The Directory Server was caching the values of attributes with DirectoryString formats. For example, if an attribute was added with a value in all capital letters, and then the value was deleted and replaced with all lower case letters, sometimes the Directory Server would return the correct lower-case value, and sometimes it would return the previous upper-case value. This happened because replication doesn't delete attribute values; it stores them with state information. When the attribute was re-added, the old attribute was resurrected with updated state information and, since DirectoryString is case-insensitive, the old value looked identical to the new value.
429514  The date and time fields were incorrectly parsed and displayed in the Administration Server Console.
429631  If a virtual subtree was used to configure synchronization, the Directory Server crashed.
429793, 429799  Consumer initialization would crash the consumer server or the process would hang endlessly if there was an entry with a very large attribute.
430321  There was a memory leak in the collation plug-in.
430364  The setup-ds-admin.pl script did not correctly set the IP address of the Administration Server if the Administration Server IP address was different from the Directory Server instance's IP address.
430368, 432135  When configuring a new instance with setup-ds.pl, the server could fail to start because it couldn't open the /var/run/dirsrv/ directory and, therefore, open the stats file for the instance.
430568  It is possible to specify which locale to use when running an ldapsearch. Specifying the default locale (2.16.840.1.113730.3.3.2.0.1), however, returned spurious errors to the log, saying that the collation mode and strength could not be set, even though they were.
430993  The log deletion policies set for the access, audit, and error logs could be ignored if the two parameters defining the time amount (integer) and time unit (day, week, month, or year) were not in the proper order. In dse.ldif, the time amount had to be listed first, then the time unit next.
Changing only one of the defaults for the deletion policy in the Directory Server Console added only that one parameter to the dse.ldif file. If only one of the parameters was in the file, then nsslapd-TYPElog-logexpirationtime defaulted to not expiring (PR_INT32_MAX) and nsslapd-TYPElog-logexpirationtimeunit to seconds.
431607  The Referential Integrity Plug-in did not ignore spaces in DNs. So, it treated ou=groups, dc=example, dc=com as different from ou=groups,dc=example,dc=com. However, the plug-in would insert white spaces into DNs during a rename operation, so if ou=groups,dc=example,dc=com was added to the database, the Referential Integrity Plug-in would change it to ou=groups, dc=example, dc=com. This would then break referential integrity.
435774  When trying to install a new instance of Directory Server using setup-ds.pl and specifying an input file to import to populate the databases, the script failed with an error that it could not import the LDIF file. The new instance was only partially configured, and had to be removed and re-installed.
435778  The ds_removal script assumed that any instance being removed was fully configured and running. Therefore, trying to remove an instance where the setup had failed, the configuration had become corrupted, or that was off would fail with this error:
Error:The server '' is not reachable. Error: unknown error
437049  If the inherited object classes were not explicitly set in an entry, the supplier server would show that the entry had the inherited object classes, but the replicated entry on the consumer server would not have the inherited object classes. Inherited object classes were not replicated.
438139  Rename operations failed if the RDN contained a backslash (\).
445305  Trying to create a second Directory Server instance on a server would fail if its Unix user and group IDs were different from the first instance's Unix user and group IDs.
445602  Because schema with an empty description was treated as user-defined, some standard schema elements were replicated into consumers' 99user.ldif files.
Some standard schema were removed between Directory Server 7.1 and Directory Server 8.0 and 8.1. Then, during migration, some of these deprecated schema elements were migrated to the new version (because they had been replicated) but other elements mentioned in the schema definitions were still missing, so the 99user.ldif file was invalid. This caused migration to fail.
445775, 474254  Many standard schema elements have empty descriptions (DESC ''). However, any schema element with an empty description was treated as a custom element and was replicated into the 99user.ldif file on a consumer server. Therefore, many standard schema elements were replicated.
447353  The Directory Server limited indexed searches to a minimum of three characters. This meant that a substring search such as ab* was indexed and completed very quickly, but a search such as a* was unindexed and could take a long time.
In some cases, it's necessary to have indexed searches for very short strings, even though there is a performance hit. A new attribute, nsSubStrLen, was added to reset the minimum search string length for an index.
450046  If the ns-slapd process stopped uncleanly while the server was writing to the changelog, the changelog writes would hang when the ns-slapd process restarted, unless the entire system was rebooted.
450575  If an operation was opened with unsupported critical controls, then the operation wasn't closed with an unbind or abandon request, and the connection stayed open.
450941  The Directory Server configuration scripts check whether the requested ports are available before continuing the installation. However, the scripts did not reset the available ports after an instance was removed, so configuring an additional instance on the same server could incorrectly report that a port was unavailable when, in fact, it was free.
452007  When an instance was removed, its directories were renamed slapd-instance.removed. However, when the start script was run without giving a specific instance (service dirsrv start), the start script still picked up the removed instance and attempted to start it. This resulted in an error that the removed server couldn't be started.
The removed instance directories are now named removed.slapd-instance, so the removed instance is ignored by the start scripts and there are no more confusing error messages.
452328  If a range set in an ldapsearch had a different number of digits in the lower and upper bounds, the search would not return the right results. For example, this command would not return any entries, even though entries existed within that range:
ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=com" "(&(uidNumber>=7)(uidNumber<=12))"
452569  By default, 64-bit Red Hat Enterprise Linux systems expected the SASL libraries to be in /usr/lib/sasl2, rather than /usr/lib64/sasl2. This meant that spurious errors were printed to the Administration Server error logs about being unable to locate the SASL libraries.
454348  If tombstone entries were imported into a database, they weren't reaped. This could happen if a database was exported using db2ldif -r and then imported into a new database.
455629  If there were multiple instances of the Directory Server created on the same server and using different user and group IDs, then the Directory Server Console could not be used to manage certificates for the instances.
458171  Approximate searches returned a success code of 3, which was interpreted on HP-UX as an error that the timelimit had been exceeded.
458488  When the posixAccount object class was added to an entry, if the uidNumber attribute was set to a non-numeric value in the Directory Server Console, then the actual UID number was set to 0 and the user could log into the system as root.
459433  If replication tried to delete an attribute that had already been deleted by another process, the Directory Server crashed.
459850  If there was a large difference in the time on two supplier servers, the change sequence numbers (CSNs) were generated with the wrong timestamp.
460613  Running an approximate search such as description ~= term could return results that didn't match the term filter because the phonetic parsing used by the approximate search was too general.
462411  In Directory Server 7.1SP7, the Certificate Request Wizard was broken. It would go through the request panels, and then fail to generate the certificate request with the error Unable to convert DN to certificate name.
462922  When entries were imported from LDIF, they did not contain the createTimestamp operational attribute.
463774  Deleting a database did not automatically delete all of the index files created and used for that database.
463776  When configuring a new Directory Server instance with setup-ds-admin.pl, the setup program would not accept a hostname with the string back in it.
464854  The size limit on an ldapsearch with the -z argument was ignored if the command also included a range search and an OR filter. For example:
/usr/lib/mozldap/ldapsearch -z 10 "(&(uidNumber=1*)(|(uidNumber=2*)(uidNumber=3*))(gidNumber>=3))"
465822  Running setup-ds-admin.pl -u to update the Directory Server configuration would lock out the Directory Server Console if SSL was enabled.
466137  The Administration Server had difficulty processing the accepted languages for its web services like Admin Express, and it returned Error 500 messages and would not open the web service page.
468474  When migrating from Directory Server 7.1 to Directory Server 8.0.4, there was an error in the migration script which created an incomplete Administration Server server instance entry (SIE), meaning the Administration Server wouldn't work without being separately configured or updated.
469792  If a VLV index was empty, then the server returned a series of error messages that indicated that the VLV indexing process had failed. This message has been changed to read that the index may be empty.
469800  The import process for large databases could be extremely slow if the databases contained a large number of non-leaf entries, because of how long it took to create the ancestorid index.
470393  Setting the nsslapd-timelimit configuration attribute to -1 was rejected, even though that setting should have been allowed to set an infinite time limit.
470611  The rsearch tool had pre-defined filters and passwords to use for "search then bind" tests. Two new arguments have been added to allow users to define their own filter and password.
470918  If two supplier bind DNs were added to the database using an ldapmodify request, then replication using the second or subsequent bind DN failed.
470946  If the Administration Server was configured to use SSL, the Console would save its server certificate to its console.conf file without putting quotes around the certificate name. If the certificate name had spaces in it, the Administration Server was then unable to restart.
471138  The ldclt tool was enhanced to perform abandon operations.
471998  The dbverify tool could not process integer-based sorting, but it was possible to configure an index with numeric sorting by setting nsMatchingRule: integerOrderingMatch. The dbverify tool has been extended to include numeric sorting.
472457  If a custom server-side sorting order was used and then the database was indexed, then the Directory Server could crash or become unresponsive under certain circumstances.
474237  If a suffix was exported that had subsuffixes, then erroneous and confusing error messages were printed during the export claiming that the (parent) instance already existed as it processed the subsuffix entries. The db2ldif -s command has been modified so that it checks for the parent DN of every suffix it processes. This also enables the script to be run on a branch point, like ou=groups,dc=example,dc=com, successfully, because the script moves up the directory tree until it finds the suffix to export.
474248  If replication was set up for a backend which did not exist on the consumer, then the consumer Directory Server would crash as soon as the supplier tried to initialize the consumer.
474621  When adding a user-specified nsUniqueID value for a new entry, the Directory Server would reject the value and use an auto-generated nsUniqueID value. However, if nsUniqueID was used as the RDN, the original user-supplied nsUniqueID value was still used in the DN, even though that value didn't exist in the entry.
474729  Some search results which contained unindexed attributes did not contain the notes=U message in the access log, to indicate an unindexed search.
475338  The nsslapd-*log-logmaxdiskspace, nsslapd-*log-logminfreediskspace, and nsslapd-*log-maxlogsize configuration attributes accept sizes in megabytes, but the values were converted to bytes in the backend. Using 32-bit integers for the sizes overflowed easily. These configuration attributes have been changed to handle 64-bit integers.
475899  An extensible match filter is used as part of an LDAP search filter to instruct the server what kind of matching rule to use. For example, ou:2.16.840.1.113730.3.3.2.46.1:=* matches any ou that uses the Swedish locale. However, using an operator with the extensible match filter, such as ou:2.16.840.1.113730.3.3.2.46.1:=>=acc*, crashed the Directory Server.
476127  If an attribute was modified and then deleted before the modification was synced to the Windows server, the Directory Server would crash because the synchronization process was trying to sync the modified attribute, but that attribute no longer existed.
476261  Compare operations failed when trying to compare operational attributes, such as nsAccountLock.
480259  The Certificate Request Wizard required certificate requests to have a locality and a country. These requirements have been removed; only the cn is required now. This is because the Directory Server cannot verify or enforce certificate constraints set by the issuing certificate authority. Check with the CA first, and then generate a certificate request that matches its requirements.
480631  Trying to start the Red Hat Console with a -u argument that had spaces in its value failed, because the script tried to treat the argument as multiple values. For example:
redhat-idm-console -u "cn=Directory Manager"
480869  It was not possible to delete a Directory Server instance from the Console. The ds_remove process was trying to bind to the server anonymously, which is prohibited by default, so the remove process would fail.
483167  Running db2ldif with an empty -s flag (db2ldif -s "") crashed the db2ldif utility. This has been fixed so that the server prints the appropriate error message and closes the command cleanly.
483254  Pointing the nsViewFilter value to an ou with a special character in it would crash the Directory Server.
483256  Under some circumstances, the Directory Server crashed if it tried to sync over user changes to Active Directory for a user which didn't exist in Active Directory.
483276  When CA certificates were imported in the Managing Certificates tab, the trust flags were not saved for the CA certificate and had to be reset manually after the certificate was imported.
483668  The syntax plug-in did not support Western European characters, so it incorrectly handled phonetic searches for attributes using Western European characters.
484149  If the Directory Manager's password storage scheme did not match the scheme actually used to store the password, the server would crash and wouldn't restart.
485348  Sometimes, when running an ldapsearch with a value range and a timelimit set in the search, the timelimit was ignored.
486402  Running setup-ds.pl and then register-ds-admin.pl to create the Directory Server and Administration Server created different default ACIs than just running setup-ds-admin.pl.
486495  CoS attributes with the operational qualifier were being returned in ldapsearches even though they should have been ignored as operational attributes, unless specifically requested.
487425  If the changelog was moved, the server would crash when it next tried to write changes to the changelog.
488866  If a supplier was sending updates to a consumer and the connection was lost, the supplier could crash when it tried to reconnect.
489625  If an independent process, such as db2ldif, was used to rotate the error log, the Directory Server crashed.
489763  If multiple db2ldif commands were running simultaneously, the Directory Server could crash.
494980  Running the setup-ds-admin.pl script as an update (-u) or as a silent installation (-s and -f file.inf) returned errors for settings which were mapped to default values in the interactive mode but not in silent modes. For example:
The map value 'ServerIpAddress' for key 'as_addr' did not map to a value in any of the given information files.
Table 3. List of Bugs Fixed in 8.1
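Bugs 204626 (syntax checking applied to the hashed userPassword value) and 458488 (a non-numeric uidNumber ending up as UID 0) are both cases of validating the wrong thing before a value is stored. The Python below is an added illustration, not Directory Server code: the "buggy" functions model the behaviour those two entries describe, the "fixed" ones show the checks a server needs, and the toy syntax policy (8 characters, two character classes), the {SSHA} encoding and the atoi-style parsing are assumptions made for the demo.

```python
import base64
import hashlib
import os
import re

# A userPassword value that starts with a storage-scheme tag such as {SSHA}
# is already hashed; the server cannot see the plaintext behind it.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def ssha_hash(plaintext: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value: SHA-1 over plaintext+salt, salt appended, base64."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def syntax_ok(candidate: str, min_length: int = 8, min_classes: int = 2) -> bool:
    """Toy syntax policy (assumed): minimum length and at least two character classes."""
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return len(candidate) >= min_length and sum(classes) >= min_classes


def check_password_buggy(user_password: str) -> bool:
    """Bug 204626 as described: the policy is applied to whatever value arrives.
    A pre-hashed value is long and mixed, so a trivial password passes."""
    return syntax_ok(user_password)


def check_password_fixed(user_password: str, allow_prehashed: bool = False) -> bool:
    """Syntax can only be judged on plaintext. A pre-hashed value is refused
    unless the caller is explicitly allowed to bypass the check (for example an
    administrator doing a migration); that decision belongs to the caller."""
    if HASH_PREFIX.match(user_password):
        return allow_prehashed
    return syntax_ok(user_password)


def parse_uid_number_buggy(value: str) -> int:
    """Bug 458488 as described: a non-numeric uidNumber silently became 0.
    Modelled here as atoi-style parsing (an assumption about the mechanism)."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def parse_uid_number_fixed(value: str) -> int:
    """Accept only a non-negative decimal integer; anything else is an error
    instead of a silent fallback to UID 0."""
    text = value.strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"uidNumber must be a non-negative integer, got {value!r}")
    return int(text)


if __name__ == "__main__":
    # Constructed input: a trivial password that the client pre-hashed itself.
    weak = ssha_hash("abc", b"salt")
    print("buggy accepts pre-hashed 'abc':", check_password_buggy(weak))   # True
    print("fixed accepts pre-hashed 'abc':", check_password_fixed(weak))   # False
    print("buggy uidNumber 'admin' ->", parse_uid_number_buggy("admin"))   # 0
```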
6. Known Issues
The following are some of the most important known issues in Directory Server 8.1. If applicable, supported workarounds are also described.
Bug Number Description Workaround
151705  The Administration Server Console is hard-coded to set all TLS ciphers to enabled. Disabling the TLS ciphers through the Console is not saved, and the ciphers are re-enabled when the Administration Server is restarted.
Workaround: Never edit the Administration Server ciphers through the Console. Instead, edit the console.conf file directly. This file is located in the /etc/dirsrv/admin-serv/ directory.
159025  Installing a certificate with the same name as an existing certificate fails in the Directory Server Console with the error Internal error: Fail to install certificate -8169.
Workaround: If it is necessary to have two certificates with the same name, install the second certificate through the command line using certutil.
certutil -importcert -v /path/to/certificate_file
171140  Upgrading the Windows Sync service on the Windows server from version 7.1 to version 7.1 SP1 or higher (including 8.1) requires two things:
• Rebooting the Windows machine.
• Performing a full manual resynchronization. To manually synchronize Active Directory and Directory Server, open the Directory Server Console, and, in the Configuration tab, click the Replication folder, select the database, and then right-click on the synchronization agreement.
182509  The changelog used for replication stores passwords in clear text in order to replicate them. In some contexts, this could be a security risk.
Workaround: Enable fractional replication and specifically exclude the userPassword attribute from being replicated, which prevents passwords from being written to the changelog. For example:
nsds5replicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword
190824  By default, not all attributes are automatically replicated to consumers in multi-master replication, including several password-associated attributes such as passwordRetryCount, retryCountResetTime, and accountUnlockTime.
Workaround: To replicate these attributes, set the passwordIsGlobalPolicy configuration attribute to 1 in the cn=config entry using ldapmodify. For example:
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: 1
190862  Global syntax checking attributes should be enforced if the settings aren't configured in the local password policy. However, if both global and local password policies are configured, the global policies aren't being enforced as the default.
Workaround:
1. Enable global syntax checking.
2. Enable fine-grained password checking.
3. Edit the local password policy to contain all password syntax attributes. Set the values to something other than the default settings, as listed in the Configuration, Command, and File Reference.
4. Re-edit the local password policy with the desired values, even if they are the defaults.
230808  In Directory Server 8.1, the 00core.ldif file has been split so that 00core.ldif, correctly, only contains the schema directly required for starting the server. The other schema previously in that file have been moved to a new standard schema file, 01common.ldif.
However, on startup, the Directory Server may record schema-related errors. For example:
[02/Jan/2008:11:20:33 -0800] Entry "cn=config" has unknown object class "nsslapdConfig"
250535  On HP-UX and Solaris, the repl-monitor.pl script returns an error that it cannot find the appropriate Mozilla/LDAP/Conn.pm Perldap modules.
Workaround:
• On Solaris, edit the repl-monitor.pl script directly so that it uses the proper Perl binary (/usr/lib/sparcv9/dirsrv/perl5x/bin/perl) instead of the one in your path.
• On HP-UX, edit the repl-monitor.pl script directly so that it uses the proper Perl binary (/opt/perl_64/bin/perl) instead of the one in your path. Then, add the following line after the comment block describing the usage in repl-monitor.pl:
use lib qw(/opt/dirsrv/lib/perl /opt/dirsrv/lib/perl/arch);
426139  When a non-privileged user logs into the Directory Server Console and selects the Configuration tab, the Console throws Java exception errors to standard output.
426145  Performing any import or export database operation through a remote Console fails with the error Cannot write to file... if a relative path is given for the file.
Import and export operations through a remote Console are successful in two scenarios:
• Using a relative path to import or export an LDIF file on the local machine (through both the Configuration and the Import and Export tasks in the Tasks).
• Using an absolute path to import or export an LDIF file to the remote machine (through both the Configuration and the Import and Export tasks in the Tasks).
However, importing or exporting the database to the remote machine will fail if you supply a relative path.
Workaround: When importing or exporting databases on a remote machine, do not use relative paths for the LDIF. Always supply the absolute path or use the Browse button to select a file.
426421  If both Password Sync and the Directory Server Console are installed on the same Windows machine, then the Directory Server Console will load the Password Sync nss3.dll, and will fail when it attempts to open.
Workaround: Do not install Password Sync and the Windows version of the Directory Server Console on the same machine.
426439  When using the Console to install a CRL, if the CRL is placed in the proper directory, /etc/dirsrv/slapd-instance_name, the Console returns an error that it cannot locate the file.
Workaround: Put the CRL in the Administration Server directory, /etc/dirsrv/admin-serv, and the Console can locate the CRL file automatically.
427321  If a Directory Server instance is migrated from a previous version to Directory Server 8.1, the nsslapd-saslpath is not migrated with the dse.ldif on the new 8.1 instance, so that the SASL libraries cannot be loaded. This configuration attribute is properly created in fresh Directory Server installations.
Workaround: Use ldapmodify to edit the 8.1 dse.ldif file and add the nsslapd-saslpath set in the previous version.
433718  The nsslapd-maxbersize attribute sets the maximum import size for LDAP entries; this is one way of improving performance and preventing denial of service attacks. This attribute is not listed as an attribute that requires a server restart after being changed. However, if the nsslapd-maxbersize attribute is increased, the old limit is still used. This is because the attribute value is applied when the connection table is created when the server is first started, and the value is not reset dynamically.
Workaround: Restart the server after changing the nsslapd-maxbersize attribute.
470084  When updating from Berkeley DB libdb-4.4 to libdb-4.7, there can be problems migrating the data in the older database. This is indicated in the error logs with messages like:
libdb: Program version 4.7 doesn't match environment version 4.4
Workaround: Migrate to the newer Berkeley DB with this procedure:
1. Shut down the older database.
2. Still using the old version of Berkeley DB, run recovery on the database environment using the DB_ENV->open method or the db_recover utility.
3. If the DB_ENV->open method was used to run recovery, make sure that the Berkeley DB environment is removed using the DB_ENV->remove method or an appropriate system utility.
4. Archive the database environment for catastrophic recovery.
5. Recompile and install the new version of the application.
6. Force a checkpoint using the DB_ENV->txn_checkpoint method or the db_checkpoint utility. With the db_checkpoint utility, make sure to use the new version of the utility; that is, the version that came with the release of Berkeley DB to which you are upgrading.
7. Restart the application.
NOTE
When the Directory Server restarts, if it sees that the Berkeley DB version is newer than the one used for its database files, the server automatically starts the database with DBLAYER_CLEAN_RECOVER_MODE, which is similar to running the Berkeley DB db_recover utility.
472131  Directory Server stores entry IDs in an ID list in a duplicate btree. If the ID list is very long, the internal database uses internal pages to sort the entries. When verifying database data, Berkeley DB's verify function returns out-of-order key errors because the database verification does not differentiate between the duplicate btree ID list and the main tree entry pages. The database, then, incorrectly tries to compare the main database page to itself rather than the duplicate ID btree. This affects Directory Server client tools such as verify-db.pl and dbverify.
476096, 489558  Due to a security concern, the Perl files on Sun Solaris platforms were moved from /opt/perl5x to /usr/lib/sparcv9/dirsrv/perl5x. However, some Perl utilities included with Red Hat Certificate System are hard-coded to reference /opt/perl5x. This move can cause problems if users running Red Hat Certificate System upgrade their local Directory Server to Red Hat Directory Server 8.1 on the same machine.
Workaround: Create symlinks to the new Perl directory.
ln -s /usr/lib/sparcv9/dirsrv/perl5x /opt/perl5x
484472  The Windows Sync packages have links on every Red Hat Network channel but are only available for 32-bit Windows platforms. The links on the 64-bit platforms (Red Hat Enterprise Linux 64-bit and Solaris 9) still download 32-bit Windows packages.
484929  For an in-place upgrade from Directory Server 8.0 to Directory Server 8.1, the Administration Server is also updated. However, the Administration Server console still shows the old version number, such as 8.0.4.
Workaround: Restart the Administration Server. This updates the version number displayed in the console.
service dirsrv-admin start
495073  For an in-place upgrade from Directory Server 8.0 to Directory Server 8.1, the new plug-in entries for the MemberOf and Distributed Numeric Assignment (DNA) Plug-ins are not automatically added to the server configuration.
Workaround: Manually add the new plug-in entries to the dse.ldif file.
517905  When Windows synchronization is enabled, if a user is moved from one subtree on Active Directory to another subtree, the user entry is not moved to the corresponding location on the Directory Server during the next synchronization.
Workaround: Delete the user on the Windows server, and then re-add it to the new subtree on the Windows server.
Table 4. Known Issues in Directory Server 8.1
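A defender applying the 182509 workaround will want to confirm that every replication agreement really excludes userPassword, not just the one that was edited. The Python below is an added example and not a Red Hat tool: it reads agreement entries from an LDIF export of cn=config (a constructed sample is embedded), interprets the nsds5replicatedAttributeList syntax shown in the workaround, and reports which agreements still replicate passwords; the agreement names, hosts and DNs in the sample are made up.

```python
import re

# Constructed sample: two replication agreement entries as they might appear in
# an LDIF export of cn=config. Names, hosts and DNs are invented for the demo.
SAMPLE_LDIF = """\
dn: cn=to-consumer1,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: to-consumer1
nsds5replicahost: consumer1.example.com
nsds5replicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword authorityRevocationList

dn: cn=to-consumer2,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: to-consumer2
nsds5replicahost: consumer2.example.com
"""

# "(objectclass=*) $ EXCLUDE attr1 attr2 ..." is the fractional replication
# syntax given in the 182509 workaround.
_FRACTIONAL = re.compile(
    r"^\((?P<filter>.*)\)\s*\$\s*EXCLUDE\s+(?P<attrs>.*)$", re.IGNORECASE
)


def parse_ldif_entries(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines, lower-cases attribute names and keeps every value. Base64 (::)
    values are not handled, which is enough for cn=config agreement entries."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def excluded_attributes(attribute_list_value: str) -> set:
    """Attribute names (lower-cased) that one nsds5replicatedAttributeList value
    excludes; an empty set for a value that is not in the EXCLUDE form."""
    m = _FRACTIONAL.match(attribute_list_value.strip())
    if not m:
        return set()
    return {a.lower() for a in m.group("attrs").split()}


def audit_agreements(ldif_text: str) -> dict:
    """Map each agreement's cn to True when userPassword is excluded from
    replication (and so never written to the changelog), otherwise False."""
    report = {}
    for entry in parse_ldif_entries(ldif_text):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        excluded = set()
        for value in entry.get("nsds5replicatedattributelist", []):
            excluded |= excluded_attributes(value)
        report[entry["cn"][0]] = "userpassword" in excluded
    return report


if __name__ == "__main__":
    for name, ok in audit_agreements(SAMPLE_LDIF).items():
        state = "userPassword excluded" if ok else "userPassword STILL REPLICATED"
        print(f"{name}: {state}")
```

Run it against the output of an ldapsearch on cn=config that returns the agreement entries; an agreement reported as still replicating needs the nsds5replicatedAttributeList value from the workaround.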