Issued: 2011-12-06
Updated: 2011-12-06

RHEA-2011:1711 - 389-ds-base bug fix and enhancement update


Synopsis

389-ds-base bug fix and enhancement update

Type/Severity

Product Enhancement Advisory (none)

Topic

Updated 389-ds-base packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

This update fixes the following bugs:

  • If a server sent a response to an unbind request and the client simply closed the connection, Directory Server 8.2 logged "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)". (BZ#720458)

  • An incorrect SELinux context caused AVC errors in /var/log/audit/audit.log. (BZ#752155)

  • A number of memory leaks and performance errors were fixed. (BZ#697663, BZ#700665, BZ#711533, BZ#711241, BZ#726136, BZ#700215)

  • The DS could not restart after a new object class was created which used the entryUSN attribute. (BZ#711266)

  • The ns-slapd process segfaulted if suffix referrals were enabled. (BZ#712167)

  • A high volume of TCP traffic could cause the slapd process to quit responding to clients. (BZ#711513)

  • Attempting to delete a VLV index caused the server to hang. (BZ#714298)

  • Connections to the DS by an RSA authentication server using simple paged results by default would time out. (BZ#720051)

  • Running a simple paged search against a subtree with a host-based ACI would hang the server. (BZ#735217)

  • If the target attribute list for an ACI had syntax errors and more than five attributes, the server crashed. (BZ#733443)

  • It was not possible to set account lockout policies after upgrading from RHDS 8.1. (BZ#734267)

  • Adding an entry with an RDN containing a % caused the server to crash. (BZ#720452)

  • Only FIPS-supported ciphers can be used if the server is running in FIPS mode. (BZ#709868)

  • It is possible to disable SSLv3 and only allow TLS. (BZ#711265)

  • If the changelog was encrypted and the certificate became corrupt, the server crashed. (BZ#713317, BZ#713318)

  • If the passwordisglobalpolicy attribute was enabled on a chained server, a secure connection to the master failed. (BZ#733434)

  • If a chained database was replicated, the server could segfault. (BZ#714310)

  • Editing a replication agreement to use SASL/GSS-API failed with GSS-API errors. (BZ#694571)

  • In replication, a msgid might not be sent to the right thread, which caused "Bad parameter to an LDAP routine" errors. These failures propagated up and halted replication. (BZ#742611)

  • Password changes were replicated among masters, but not to consumers. (BZ#701057)

  • If an entry was modified on RHDS and the corresponding entry was deleted on the Windows side, the sync operation attempted to use the wrong entry. (BZ#717066)

  • Some changes were not properly synced over to RHDS from Windows. (BZ#734831)

  • RHDS entries were not synced over to Windows if the user's CN had a comma. (BZ#726273)

  • Intensive update loads on master servers could break the cache on the consumer, causing it to crash. (BZ#718351)

  • Syncing a multi-valued attribute could delete all the other instances of that attribute when a new value was added. (BZ#699458)

  • If a synced user subtree on Windows was deleted and then a user password was changed on the RHDS, the DS would crash. (BZ#729817)

This update provides the following enhancements:

  • The nsslapd-idlistscanlimit configuration attribute can be set dynamically, instead of requiring a restart. (BZ#742382)

  • Separate resource limits can be set for paged searches, independent of resource limits for regular searches. (BZ#742661)

  • The sudo schema has been updated. (BZ#720459)

  • A new configuration attribute sets a different list of replicated attributes for a total update versus an incremental update. (BZ#739959)

  • A new configuration option allows the server to be started with an expired certificate. (BZ#733440)

  • New TLS/SSL error messages have been added to the replication error log level. (BZ#720461)

Users are advised to upgrade to these updated 389-ds-base packages, which resolve these issues and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Product | Version | Arch
Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64
Red Hat Enterprise Linux Workstation | 6 | x86_64
Red Hat Enterprise Linux Workstation | 6 | i386
Red Hat Enterprise Linux Server | 6 | x86_64
Red Hat Enterprise Linux Server | 6 | i386
Red Hat Enterprise Linux Server from RHUI | 6 | x86_64
Red Hat Enterprise Linux Server from RHUI | 6 | i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386
Red Hat Enterprise Linux Desktop | 6 | x86_64
Red Hat Enterprise Linux Desktop | 6 | i386

Updated Packages

  • 389-ds-base-debuginfo-1.2.9.14-1.el6.x86_64.rpm
  • 389-ds-base-libs-1.2.9.14-1.el6.x86_64.rpm
  • 389-ds-base-debuginfo-1.2.9.14-1.el6.i686.rpm
  • 389-ds-base-1.2.9.14-1.el6.src.rpm
  • 389-ds-base-devel-1.2.9.14-1.el6.x86_64.rpm
  • 389-ds-base-libs-1.2.9.14-1.el6.i686.rpm
  • 389-ds-base-1.2.9.14-1.el6.x86_64.rpm
  • 389-ds-base-devel-1.2.9.14-1.el6.i686.rpm
  • 389-ds-base-1.2.9.14-1.el6.i686.rpm

Fixes

CVEs

(none)

References

(none)

