Copyright © 2008 Red Hat. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709
USA
This is a service pack release for bug fixes and patches for the 7.1 version of Red Hat Directory Server. These Release Notes contain important information available at the time of the release of Red Hat Directory Server 7.1 SP5. System requirements, installation notes, known problems, resources, and other current issues are addressed here. Read this document before beginning to use Directory Server 7.1 SP5.
There are no new features in Directory Server 7.1 SP5.
This section contains information related to installing and upgrading Red Hat Directory Server 7.1 SP5, including prerequisites and hardware or platform requirements.
Directory Server 7.1 SP5 is supported on the following platforms:
HP-UX 11i (PA-RISC, 64-bit)
Red Hat Enterprise Linux 3 Update 4 (i386, 32-bit)
Red Hat Enterprise Linux 4 (i386, 32-bit)
Sun Solaris 9 (SPARC, 32-bit)
Sun Solaris 9 (SPARC, 64-bit)
The Directory Server Console is supported on the following platforms:
HP-UX 11i (PA-RISC, 64-bit)
Red Hat Enterprise Linux 3 Update 4 (i386, 32-bit)
Red Hat Enterprise Linux 4 (i386, 32-bit)
Sun Solaris 9 (SPARC, 32-bit)
Sun Solaris 9 (SPARC, 64-bit)
Windows XP
Windows 2000 Server
Windows 2003 Server
The Directory Server Console can be installed on additional Windows platforms at an additional cost.
The Windows Sync tool runs on these Windows platforms:
Windows 2003 Active Directory
Windows 2000 Active Directory
Windows NT SAM Registry
Directory Server 7.1 SP5 supports the following browsers to access web-based interfaces, such as Admin Express and online help tools for administrators and Org Chart and Phonebook for all users:
Firefox 1.0 (Red Hat Enterprise Linux 3 and 4 and Solaris 9)
Mozilla 1.4 (HP-UX)
Mozilla 1.4.3 (Red Hat Enterprise Linux 3 and Solaris 9)
Mozilla 1.7.3 (Red Hat Enterprise Linux 4)
Microsoft Internet Explorer 6.0 (Windows; supported only for Org Chart and Phonebook)
Red Hat Directory Server web tools like Admin Express and Org Chart are not supported on Netscape browsers or any browser running on Mac.
To install Directory Server 7.1 SP5 on Red Hat Enterprise Linux, simply download the RPM and either upgrade the existing installation with the rpm -U flag, as described in Section 2.2, “Installing Directory Server 7.1 SP5 on Red Hat Enterprise Linux”, or install a new Directory Server using the RPM package with the rpm -i flag, and configure the server.
To install Red Hat Directory Server 7.1 SP5 on Solaris and HP-UX, Red Hat Directory Server 7.1 must already be installed. It is not necessary to install any other service packs first, nor is it necessary to remove previous service packs.
For instructions on installing and configuring Directory Server 7.1 SP5, see the Directory Server Installation Guide, available at http://www.redhat.com/docs/manuals/dir-server/install/7.1/index.html.
If an instance of Red Hat Directory Server already exists, then the issues addressed in 7.1 SP5 are not corrected by simply installing the 7.1 SP5 RPM. The affected files were created when the Directory Server instance was first set up, so run the setup script again (as root) to apply the fix:
# cd /opt/redhat-ds
# ./setup/setup -r
Red Hat Network (RHN) (http://rhn.redhat.com) is the software distribution mechanism for Red Hat customers. When purchasing the entitlements for Red Hat Directory Server 7.1 SP5, you will also have received account login information for Red Hat Network.
Log into Red Hat Network.
Go to the Channels tab, and select the Red Hat Directory Server 7.1 channel. Browse through the complete channel list if needed.
Go to the Downloads tab in the Red Hat Directory Server 7.1 channel, and download the Red Hat Directory Server packages.
The files are tarball (.tar.gz) archive files, not ISO images.
ISO images containing both RPM and SRPM package files are available as downloads through the Red Hat Directory Server 7.1 channel. The RPM packages can be downloaded and installed in the usual manner. The ISO images can be downloaded and burned onto CD-recordable media using the appropriate software.
The Solaris 9 64-bit packages can be found there under the ISOs list, as well as the tarball (.tar.gz file) archive for the source code.
On Red Hat Enterprise Linux, it is possible to upgrade an existing installation with the rpm -U flag or install a new Directory Server using the RPM package with the rpm -i flag.
RPMs for Directory Server 7.1 SP5 are also available to Red Hat Enterprise Linux users by running up2date using an account with entitlements for the Red Hat Directory Server 7.1 SP5 release.
To upgrade Red Hat Directory Server 7.1 (or 7.1 service pack 1, 2, or 3) on a Red Hat Enterprise Linux 3 or 4 system:
Log in as root.
Run rpm to upgrade the Directory Server using the package appropriate for your version of Red Hat Enterprise Linux.
For Red Hat Enterprise Linux 3:
rpm -U redhat-ds-7.1SP5-8.RHEL3.i386.rpm
For Red Hat Enterprise Linux 4:
rpm -U redhat-ds-7.1SP5-8.RHEL4.i386.rpm
Run the setup script again.
If an instance of Red Hat Directory Server already exists, then the issues addressed in 7.1 SP5 are not corrected by simply installing the 7.1 SP5 RPM. The affected files were created when the Directory Server instance was first set up, so run the setup script again (as root) to apply the fix:
# cd /opt/redhat-ds
# ./setup/setup -r
To perform a new installation of Red Hat Directory Server 7.1 SP5:
Log in as root.
Run rpm to install the Directory Server using the package appropriate for your version of Red Hat Enterprise Linux.
For Red Hat Enterprise Linux 3:
rpm -i redhat-ds-7.1SP5-8.RHEL3.i386.rpm
For Red Hat Enterprise Linux 4:
rpm -i redhat-ds-7.1SP5-8.RHEL4.i386.rpm
Go through the configuration process as described in the Directory Server Installation Guide.
Red Hat Directory Server 7.1 must already be installed before installing version 7.1 SP5. It is not necessary to install any other service packs first, nor is it necessary to remove any previous service packs.
After installing Red Hat Directory Server 7.1 on a Sun Solaris or HP-UX server, upgrade to Red Hat Directory Server 7.1 SP5.
Log in as root.
Create a new directory for the new Directory Server service pack version.
mkdir ds71sp5
Open the new directory.
cd ds71sp5
Download the Directory Server product binaries file to this directory.
Unpack the product binaries.
gzip -dc filename.tar.gz | tar -xvof -
filename is the product binaries file; the exact name depends on your platform.
Locate the setup program, and run it from the installation directory.
If an instance of Red Hat Directory Server already exists, then the issues addressed in 7.1 SP5 are not corrected by simply installing the 7.1 SP5 RPM. The affected files were created when the Directory Server instance was first set up, so run the setup script again (as root) to apply the fix:
# cd /opt/redhat-ds
# ./setup/setup -r
Supply the configuration information as prompted by the installer. An upgrade usually requires this information:
Agreeing to the setup and licensing terms.
The full path to the server root directory (the installation directory) where Directory Server 7.1 is located; by default, this is /opt/redhat-ds/servers.
The Configuration Administrator's password for the Directory Server 7.1 instance.
The upgrade process begins after all of the 7.1 instance information is given.
If Windows synchronization will be used on a Windows server in conjunction with a Red Hat Directory Server 7.1 server, then install the 7.1 SP5 Windows Sync services on the Windows machine:
Uninstall the Password Sync services. If the Windows sync peer is an NT server, then also uninstall the User Sync service. This is described in the Directory Server 7.1 Administrator's Guide, available at http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2878810.
The SSL databases or keystore are preserved and can be re-used after upgrade is complete.
Copy the updated msi files from /opt/redhat-ds/winsync/ to the Windows system.
Double-click the new msi files to install them.
Reboot the Windows system after re-installing the Password Sync and, on NT, User Sync services.
Perform a full resynchronization between the Directory Server and Windows sync servers.
In the Directory Server Console, click the Configuration tab.
Expand the Replication folder in the left navigation window.
Click the name of the Directory Server database which is synchronized with the Windows directory, and select the sync agreement.
Select manual synchronization from the drop-down menu.
The security fixes included in Directory Server 7.1 SP5 are listed in Table 1, “Directory Server 7.1 SP5 Errata”. See the Directory Server Errata updates in Red Hat Network for complete descriptions for these security patches.
| Errata Number | Description |
|---|---|
| RHSA-2008:0199 | A shell command injection flaw in the Red Hat Administration Server replication monitor CGI script could be exploited by an attacker to execute arbitrary shell commands with<br>If an instance of Red Hat Directory Server already exists, then this issue is not corrected by simply installing the 7.1 SP5 RPM. The affected Administration Server file was created when the Directory Server instance was first set up. To resolve the issue, run the setup script again (as root):<br># cd /opt/redhat-ds<br># ./setup/setup -r |
The following are some of the most important known issues in Directory Server 7.1 SP5. When possible, supported workarounds are also described.
| Bug Number | Description | Workaround |
|---|---|---|
| 171140 | Upgrading the Windows Sync service on the Windows server from version 7.1 to version 7.1 SP1 or higher (including 7.1 SP5) requires two things: | |
| 200799 | The Directory Server Console allows the internal user SIE to authenticate and log in. This account should be prohibited. | Log into the Console only as the proper admin user, not the SIE user. |
| 311851 | SASL mapping entries are dynamically created and stored in the configuration file at the instance generation. The mapping entries are associated with the primary suffix. If a second root suffix is added and entries under the second suffix need to be mapped by SASL mapping, there are no mapping entries created for them. The original SASL mapping entries point to the first suffix. | Manually create SASL mapping entries that are associated with the second suffix. |
| 429631 | If a Windows directory is synchronized with a virtual directory tree in Red Hat Directory Server, then the Red Hat Directory Server crashes when synchronization is initiated. | Do not use virtual branch entries as the synchronization database. |
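
The workaround for bug 311851 amounts to adding one more entry under the SASL mapping container in the server configuration. The LDIF below is an added example, not taken from these release notes: the second suffix dc=example2,dc=com, the realm EXAMPLE2.COM, and the entry name are assumptions chosen for illustration.

```ldif
# Constructed example: maps SASL identities of the form uid@EXAMPLE2.COM
# to entries under the second root suffix dc=example2,dc=com.
# Suffix, realm, and cn are placeholders; substitute your own values.
dn: cn=example2 suffix map,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: example2 suffix map
# \(.*\) captures the user part of the SASL identity as \1.
# The realm is matched literally so identities from other realms
# are left to the mappings that point at the first suffix.
nsSaslMapRegexString: \(.*\)@EXAMPLE2\.COM
# Search base: the container under the second suffix that holds user entries.
nsSaslMapBaseDNTemplate: ou=People,dc=example2,dc=com
# Search filter: the captured user part must match the entry's uid.
nsSaslMapFilterTemplate: (uid=\1)
```

Apply the entry with ldapmodify while bound as the Directory Manager, then confirm that a SASL bind for a user under the second suffix resolves to the expected DN.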