General

This Readme file contains important information about DirX Directory 9.1 (DirX) that are not described in the user documentation (Edition January 2025). Familiarity with the user documentation will make this readme file easier to understand.

Previous Releases

DirX V8.9

July

2020

DirX V8.10

March

2022

DirX V9.0

November

2023

DirX Directory 9.1

See the datasheet provided on the DVD for highlights and features of DirX.

New in this Release

New Features

New functionality:

  • Kubernetes deployment - From v9.1 on, DirX Directory is also delivered in form of container images. The release contains also a Kubernetes example project which could be used to evaluate and experiment with the container images. For details, please check the new DirX Directory Containerization document.

  • Code signing - verification of binaries: see Section 2.6 for details.

  • License control - verification of DirX Directory license: see Section 1.2.8 for details.

  • Time-based one-time password two-factor authentication (TOTP 2FA) for DirX Directory users: see chapter "14.8 Using Two-Factor Authentication (2FA)" in DirX Directory Administration Guide for details. Important note for shadowing configurations: TOTP 2FA should only be configured for a user, if all servers in a shadowing configuration support it (all servers are already updated to V9.1 version).

  • New dirxcp command "verify_abbr" was introduced to check the installed abbreviation files against the schema stored in the DSA. In connection with that new feature, the dirxabbr file has been synchronized to the default schema. Abbreviations that are not part of the default schema have been commented out and moved into a separate section labelled as "Historical Abbreviations". To reuse them if needed, move the selected abbreviations from this section to an application- specific dirxabbr-ext file and uncomment them there. See the section "Abbreviation Files" in the DirX Directory Administration Reference for details.

  • New DSE type checks have been introduced in dbamverify, which upon detection of errors previously unseen, will block any new backups to be made. Therefore it is highly recommended to take a backup right before switching to the new version.

  • Partial support for 4 bytes UTF-8 characters (emojis) in attributes with Directory String syntax was added. For details on limitations see Section 5.4.1 (DirX server limitations)

  • Optimized import-dbconfig Tcl procedure for attribute index configuration The old version of this procedure processed all lines in DirXDBConfig.out index configuration file sequentially and issued one 'db attrconfig' command per 'attributeIndex: …​' line, creating all requested index types for this attribute. In the new version it combines up to 200 'attributeIndex: …​' lines for one index type (e.g: INITIAL, …​) into one single 'db attrconfig' command. This new approach is much faster, than the old method.

Diagnostics and logging:

  • Software Bill of Materials file (DirX-Directory-sbom.json) containing information about delivered components and their versions was added to the DirX Directoty installation package.

Bug Fixes

DirX V9.1 includes all bug fixes applied to the latest patch 9.6.678 of the former release version DirX Directory V9.0 plus the following fixes.

  • SDX-1039: Non RFC complient Server Side Sorting
    The Server Side Sorting implementation did not behave as described in RFC-2891#section-2, point 4. It specifies that if the criticality is false and the server "for some reason cannot sort the search results", then "the server should return all search results unsorted". This is fixed now. If you want to make sure that the result is sorted, set the criticality to true.

  • SDX-1010: New restriction was introduced in the DSA for search filters
    A huge number of filter items can significantly increase the memory consumption of a DSA during the evaluation of the filter in a search operation. This could lead to consuming the whole available CTX memory, causing problems in other parallel running operations (e.g.: DISP update) as well. To avoid this situation, a limit was introduced in the DSA (controlled via environment variable DIRX_SEARCH_FILTER_ITEM_LIMIT) that sets the max upper limit for filter items contained in a search operation. If this environment variable is not set, the default limit value of 5000 filter items is used.

  • SDX-1006: DSA crash on index configuration
    A software bug in libdbam could result in a DSA crash when a db attrconfig command was executed and the database had more than 800 configured indexes.

  • SDX-991 userPassword attribute added with dirxadm visible in DSA logs in cleartext
    The command line of modify commands executed with dirxadm are logged in ADM*, DSA_EXC* and audit logs. Therefore if the UP attribute was added with dirxadm, the PW value was visible in clear text in the logged command line.
    With this modification the behavior has changed, the added PW value will be replaced with '**' in the logged command line.

  • SDX-965: Incorrect output in lob show -pretty mode
    Software bug in dirxadm. The lob show command in -pretty mode produced incorrect output, every line was left aligned. Therefore a complex specification filter containing several And/Or/Not items was incorrectly displayed. Fix: Use correct indentation according to the displayed structure.

  • internal: notes for dbamverify - related to automatic database verification
    In this patch version, the handling of binary backup header was improved. If the dbamverify is called with a subset of the components, the verification result components will not be reset, only the newly verified components will be added in addition. This means, that it is suported now to do the backup verification in individual steps. For example, the following sequence: + — Save the backup without verification using dirxbackup -n -S backup — Verify the D, S and T components by using dbamverify -DST backup — Do the rest of the verification by using dbamverify -AX backup This sequence will result in a fully verified backup file.

Discontinued Features

The dirxbackup -T option is removed. It was used in the past for doing only basic tests on binary backups. This confused users as the backup could contain errors while the -T option returned with "archive ok". As the dbamverify is used now for doing a detailed verification of binary backups, this option is removed.

The LDAP Mib interface in dirxadm is deprecated. It will not be supported in future versions of DirX Directory. Use of the LDAP extended operations is recommended starting from version DirX Directory 8.4.

Changes to the User Interface or Configuratio

No changes since DirX Directory 9.0. No new SNMP traps since DirX Directory 9.0.

Supported Platforms

DirX V9.1 is available as a native 64-bit application on the following platforms:

System Family Operating System

Intel

Windows Server 2019

Intel

Windows Server 2022

Intel

Windows Server 2025 (starting with patch 9.7.454)

Intel

Red Hat Enterprise Linux 8 (Tested up to 8.10)

Intel

Red Hat Enterprise Linux 9 (Tested up to 9.7)

Intel

Red Hat Enterprise Linux 10 (Tested up to 10.1, starting with patch 9.7.543)

Intel

SuSE Linux ES 12 (Tested up to 12 SP5)

Intel

SuSE Linux ES 15 (Tested up to 15 SP5)

Intel

VMware ESXi
with guest operating systems listed above that are supported by VMware ESXi

Intel

Kubernetes (minikube) with the host operating systems listed above

See also section Software Requirements for details about the Linux platforms.

The product is tested with all supported operating systems on VMs running on VMware ESXi6.0, ESXi6.5 and ESXi6.7 hosts.

Delivery Packages

This section provides information about DirX V9.1 delivery packages on the supported platforms.

The following software packages are available:

Name Description

DirX-SV V10.0

X.500 Directory System, Server package (1)
incl. DSA with database system and LDAP Server

DirX-CL V10.0

X.500 Directory System, Client package (2)
incl. LDAP Server

DirX Manager

Graphical administration interface (3)

(1) On Linux platforms, the Server package is combined into a tar file.

(2) The client package is not available on Linux platforms.

(3) All programs are native 64-bit applications.

Distribution Media

Software packages for all platforms are distributed on the following DVD:
DirX Directory 9.1 (Edition 01/25)

In addition to the distribution medium, you must purchase separate product licenses in order to use the software packages.

Please contact your local sales representative for details on product licenses.

User Documentation

This section provides information about DirX user documentation.

DirX User Manuals

The following manuals are available online in Adobe’s PDF format:

Title File Name

DirX Directory Introduction

DirX_Directory_Introduction.pdf

Administration Guide

DirX_Directory_Administration_Guide.pdf

Disc Dimensioning Guide

DirX_Directory_Disc_Dimensioning_Guide.pdf

Guide for CSP Administrators

DirX_Directory_Guide_for_CSP_Administrators.pdf

Administration Reference

DirX_Directory_Administration_Reference.pdf

Syntaxes and Attributes

DirX_Directory_Syntaxes_and_Attributes.pdf

LDAP Extended Operations

DirX_Directory_LDAP_Extended_Operations.pdf

External Authentication

DirX_Directory_External_Authentication.pdf

Supervisor

DirX_Directory_Supervisor.pdf

Plugins for Nagios

DirX_Directory_Plugins_for_Nagios.pdf

DirX LDAP Proxy

DirX_Directory_LDAP_Proxy.pdf

Manager Guide

DirX_Directory_Manager_Guide.pdf

Best Practices for DB Error Recovery

DirX_Directory_Recovery_Best_Practices.pdf

Containerization

DirX_Directory_Containerization.pdf

REST API

DirX_Directory_REST_API.pdf

The edition of all manuals is January 2025.

The files are located on the DVD under the folder Documentation/DirXDirectory.

You need Adobe Acrobat Reader 7.0 or newer to view the PDF files. For a free copy of Adobe Acrobat Reader please refer to

http://get.adobe.com/reader/

or to

http://www.adobe.com

Tcl V8.3 Commands

The online documentation set includes the reference pages of the Tcl V8.3 commands. Please refer to the file Documentation/tcl_V83_part/license_terms.txt for license agreements.

Hardware Requirements

This section provides information about hardware requirements.

RAM

At least 8 GB RAM is required for DirX servers.

Disk Space

For the default configuration, you need 3 GB for installation data of DirX.

Operation of DirX requires disk space for log files, LDIF files, audit files, journal files and other temporary files for post indexing, database verification and other purposes. Consider at least additionally 20 GB disk space for these files.

For calculating the required disk space for the DBAM database, you should look into the Disc Dimensioning Guide.

Virtual Machines

When running DirX Directory on a virtual hardware, it is essential for a stable and performant service that the resources assigned to the guest system are available at any time.

This applies to the assigned CPUs, the I/O throughput to persistent storage and especially to the assigned RAM, as DirX Directory uses it for its DBAM Cache and requires a performant access to the main memory.

Additionally, care must be taken to use up-to-date and correctly configured driver software implementing the VM’s network interface.

Thus, it is essential to design the virtual machine properly and perform tests to assure that the expected throughput can be achieved. Special considerations must be taken with respect to the number of cores assigned to the VM relative to the number of cores that are physically on the host system.

We highly recommend to install DirX Directory on a separate VM without any further major services running aside.

Software Requirements

DirX requires the presence of one of the supported operating systems.

On Windows, NTFS (not FAT) must be used.

On Linux, DirX is installed in the home directory of a user id. The shell interpreter "bash" must be installed.

TCP/IP must be configured and running. This is a requirement even if you work with a stand-alone system where all directory applications and the directory server run locally on your system. A DNS service must be running that allows hostname to IP address translation for all involved hosts.

DirX Directory runs by default under the control of the systemd. In case [x]inetd shall be used, this package must be installed manually. Alternatively the DirX Service may be started from a shell. See section Watchdog start without systemd on LINUX in this document for details.

On Linux platforms, gzip is required to be installed by default. The minimum version required is gzip 1.3.5. The installed gzip version is displayed by the command gzip -V. On Windows platforms, DirX ships a gzip version and installs it in the bin folder of DirX installation path.

On Red Hat Linux version 8, if the security module SELinux is used in "enforcing" mode, the SELinux policies for the DirX product must be properly configured immediately after the installation. Check the output of the "sestatus" command to see the mode of SELinux. If the SELinux mode is "disabled" or "permissive", no special SELinux configuration is necessary for DirX. In case of "enforcing" mode, a default configuration can be done by executing the following command:

$ sudo <DIRX_INST_PATH>/scripts/selinux/configure_dirx_selinux_label.sh <DIRX_INST_PATH>

This command configures the DirX product to run within the so-called "unconfined" domain. For more information on SELinux please refer to the Red Hat Linux ES 8 documentation. Note that SELinux in "enforcing" mode is supported on RHEL8 with DirX running in the "unconfined" domain only.

Packages to be installed manually on LINUX

On Linux, the following preconditions apply:

Mandatory packages:
For the DirX Directory application, the 64-bit version of the following packages are mandatory required: glibc, libgcc, libstdc++, libuuid, zlib

Recommended packages:
In order to be able to evaluate possible crashes on Linux, the DirX crashlibrary tool needs the existence of the gdb and gstack tools. Therefore, the installation of the GNU debugger package (the most recent release of GDB) is strongly recommended.

Local Port range to be checked on Linux

On Linux, the setting of the port range for local ports (ephemeral) should be:
net.ipv4.ip_local_port_range = 32768 61000
This setting prevents that the system assigns a dynamic port that is also configured as a listen port.

Red Hat 8 and later:
Edit the /etc/sysctl.conf file and add the following line:

  # Allowed local port range
  net.ipv4.ip_local_port_range = 32768 61000

You must restart your network for the change to take effect. The command to manually restart the network is:

  [root@deep] /# systemctl restart NetworkManager

License Requirements

This version of DirX Directory introduces license control for the DirX Directory Service. With this feature:

  • The license terms for using a DirX Directory service installation are defined in a configuration file supplied by the DirX Directory vendor and installed with the product.

  • At every service startup and daily on a running system, the service checks the settings in the file against the current installation for possible license violations and verifies that the license configuration file has not become corrupted.

  • The service logs the results of the check and takes additional actions depending on the "license type" setting in the license configuration file.

DirX Directory’s license control feature provides an easy way for you (the customer) to detect expired licenses and/or license limitations that have been exceeded in your installation. The next sections provide more details about this feature.

License Files

DirX Directory license control requires two files to be present in the $DIRX_INST_PATH/conf folder:

dirx.lic

a human-readable text file that uses a set of parameters to specify the terms and conditions for use of the DirX Directory product. The DirX DSA’s license validation procedure compares the settings in this file with the current installation to verify that it is in compliance with the license terms and conditions. For a description of dirx.lic file format and parameters, see the section "DirX Directory License Files" in the "DirX Directory Files" chapter of the DirX Directory Administration Reference.

dirx.lic.sig

a binary signature file generated from the dirx.lic file. The DSA’s license validation procedure compares this file to the dirx.lic file in use by the service to ensure that it has not been tampered with or corrupted. For details about code signing and verification, see section Code Signing and Verification in this document and the section "Code Signing Files" in the "DirX Directory Files" chapter of the DirX Directory Administration Reference.

Although dirx.lic is a simple text file, DO NOT CHANGE IT. Changing the file will cause code validation of dirx.lic against dirx.lic.sig to fail and your service will not start! See Section Code Signing and Verification for further details about this process.
The dirx.lic and dirx.lic.sig files are not part of DirX Directory’s regular backup procedure. You must back up these files manually.

License Types

DirX Directory license control recognizes two license types: a "trial" license and a "perpetual" license.

The license type is recorded in a parameter in the dirx.lic file and is used during license checking to determine how to handle a license violation. See section License Validation Procedure and the section "DirX Directory License Files" in the chapter "DirX Directory Files" in the DirX Directory Administration Reference for further details.

Trial License

The default dirx.lic file delivered with each installation is configured as a trial license. A trial license has the following characteristics:

  • Allows a maximum of 15000 directory entries (sufficient for running the My-Company sample database for demonstration purposes)

  • Can be used for an unlimited amount of time

  • Is only valid for a specific product version and thus cannot be used on any newer product version

  • Does not support opening trouble tickets

A DirX Directory upgrade installation installs the most recent trial dirx.lic and dirx.lic.sig files into $DIRX_INST_PATH/conf unless it finds that these files are already present. In this case, it installs the most recent trial license files in the same directory as the existing license files with the names dirx.lic.new and dirx.lic.sig.new.

Perpetual License

A "perpetual" license is a dirx.lic file with parameter settings configured to represent the terms and conditions negotiated between you (the customer) and the DirX Directory vendor for use of the DirX Directory product. If you have a larger DBAM database or initially need more than 15000 entries, or you have other specific requirements, you need to obtain a perpetual license from the DirX Directory vendor.

A perpetual license allows both you and the vendor to limit DirX Directory usage to specific environments: for example, by allowing up to two million directory entries but restricting DirX Directory service operation to specific hostnames or IP addresses.

When requesting a perpetual license, you will be asked about restrictions. You can also bring your own requirements, which in turn may influence the price and capabilities of maintenance support.

A perpetual license obtained for a major release of DirX Directory (for example, DirX Directory 9.x) is valid for minor releases (for example, 9.1, 9.2, etc.) and patches. This means you can re-use your existing perpetual license on minor version and patch releases.

Obtaining a New License

To obtain a new license, contact Eviden DirX sales or send your request using the DirX Support portal https://help.dirx.solutions/.

If you already own a perpetual license and just need new dirx.lic and signature files for your installation, send a request using the DirX Support portal https://help.dirx.solutions/.

Installing a New License

Once you receive your new license and signature files from the DirX Directory vendor, you can simply overwrite the existing dirx.lic and dirx.lic.sig files in your installation’s /conf folder and then restart the service. The license check performed at startup automatically updates the service with the information from the new dirx.lic file.

Alternatively, you can leave the service running and wait for the next automatic license check to update the service, or you can use the dirxextop LDAP extended operation dsa_license_check to trigger the license check manually. For details, see Section Triggering a License Check.

License Validation Procedure

License validation is part of the DirX DSA process. At product installation, at each service startup, and at least once a day on a running system, the DirX DSA’s license validation procedure:

  • Compares the signature file dirx.lic.sig with the dirx.lic file in the installation.

  • Compares the parameter settings in the dirx.lic file against the current installation and logs the results in the DSA’s fatal log file ($DIRX_INST_PATH/server/log/fatalDSA*).

If the signature file does not match the dirx.lic file, the DSA shuts down or does not start.

If a license violation is detected and the license is a trial, the DSA shuts down or does not start.

If a license violation is detected and the license is perpetual, the actions taken by the service depend on the type of violation:

  • If the violation is because vendor support has expired or because the installation has exceeded the maximum number of directory entries, the DSA continues to run or starts but generates warning messages in the DSA’s fatal log file. For example, if your license allows 100000 entries but your installation has 120000, the service still starts but you will find WARNING messages in the DSA’s fatal log file about the problem and you may not be able to open trouble tickets if your license settings are not met.

  • For all other types of violation, the DSA shuts down or does not start.

The license validation procedure also updates the DSA with the settings found in the dirx.lic file.

Adjusting Daily License Checking

By default, the license validation procedure runs automatically every 86400 seconds (1 day) after DSA start until the DSA is stopped. You can increase the frequency of daily license checking by setting the environment variable:

DIRX_LICENSE_CHECK_INTERVAL=xxxxx

where xxxxx is the number of seconds between the checks. Allowed values are in the range [300-86400]. See the chapter "Environment Variables" in the DirX Directory Administration Reference for details on environment variables.

Viewing Current DSA License Settings

You can view the license information currently being used by a running DSA by specifying the dsa_license_info LDAP extended operation (OID 1.3.12.2.1107.1.3.2.13.50) to the dirxextop command. For details, see the description of the dirxextop command in the DirX Directory Administration Reference.

Triggering a License Check

You can use the dsa_license_check LDAP extended operation (OID 1.3.12.2.1107.1.3.2.13.51) to the dirxextop command to perform an on-demand license check procedure. For details, see the description of the dirxextop command in the DirX Directory Administration Reference.