History of Previous Releases
DirX Directory 9.0
New Features
New functionality:
- LDAPServer now supports the 'SecurityLevel' feature of OpenSSL (see https://www.openssl.org/docs and search for set_security_level for details). Because of this, the LdapSSLConfiguration subentry was extended with 2 new attributes: ldapSecLevelA and ldapSecLevelB. For details about these new attributes, please refer to the Syntaxes and Attributes Manual, chapter 3.1.15 Attributes for LDAP Server SSL Configuration.
- The default schema has been extended with 3 new attribute types: dmdName, pseudonym and organizationIdentifier. For details about these new attributes, please refer to the Syntaxes and Attributes Manual, chapter 3.1.2 X.500 User Application Attributes, Names in General.
- dirxbackup can now generate a full LDIF dump or an LDIF dump of a specified subtree from a binary backup. For details, please check the documentation of dirxbackup’s -L command line argument in the Administration Reference.
- ldif_dump and create_total_ldif can now dump a subtree as well. Both commands were extended with an optional subtree parameter that defines the starting point of the LDIF dump in the tree.
- dirxbackup’s saving functionality was extended to automatically verify the generated binary backups. To preserve the previous behavior and only create the backup without automatic verification, the -n switch can be used.
- Binary backup headers were extended to contain verification information. From this version on, dbamverify and dirxbackup write the result and some metadata of the executed verification to the backup file’s header. This verification information is checked by dirxbackup’s restore operation. If a backup was not completely verified or contains errors, loading is rejected.
- A new server, dirxhttp, was introduced to the DirX Directory service. It makes it possible to access the DIT using the HTTP protocol with a custom JSON schema. Interactive API documentation can be found at https://<server_ip>:9443/dxd/ldap/v1/doc
- A new paging memory optimization was introduced. This optimized paging memory handling aims to reduce the size of the paging memory context during paged search operations compared to the previous version, especially for filters with a huge number of elements. The optimization can be disabled by setting the DIRX_PAGING_MEMORY_OPTIMIZATION environment variable to zero.
Diagnostics and logging:
Several enhancements have been implemented to yield more diagnostic information:
- SchemaChangelog: Provides information on all schema changes made since the DSA was first started with the currently running DB. The log information is stored in the hidden logfile <DIRX_INST_PATH>/server/log/.schema_changes.txt. The logfile is only reset after a successful dbamboot or dirxbackup -R.
- dirxadm RPC operations targeting the DSA are now logged in the DSA audit files. Because of this new feature, the RPC interface between dirxadm and the DSA has been extended, so it is not possible to use an older version of the dirxadm tool together with DirX V9.0.
- New log collector scripts are available for both the Windows and Linux versions to ease symptom collection in case of an incident. The scripts (dxd_diag.bat/dxd_diag.sh) can be found under the tools\dxd_diag folder. See the readme file in that folder for more details.
DirX Directory 8.10
New Features
New functionality:
- A new process, DirX Progsvr, was created for secure execution of PROG policy commands. A PROG policy is an external command performed after creation of an LDIF file; it is defined by an LDIF policy. Moving execution of PROG policies to a separate process increases the stability of the whole system. Progsvr contains a pool of worker threads for the execution of PROG policies. It must run on the same machine as the DSA process. For more information about Progsvr, please refer to the "Introduction" handbook, section "1.4 The DirX Directory Progsvr". The list of environment variables used by Progsvr can be found in the "Administration Reference" manual, section "4.2 DirX Directory Environment Variables". New dirxadm commands which are used to control the Progsvr are described in the "Administration Reference" manual, section "1.1.9 progsvr (dirxadm)". Finally, files and folders used by Progsvr are listed in the "Administration Reference" manual, section "6 File Locations".
- dirxcp via LDAP supports a new command option -control to specify LDAP controls. The syntax is: -control controloid[,criticality[,value]] It allows any LDAP control, with an arbitrary control value, to be attached to all operations. The control value can even be read from a file, e.g. -control CONDOP,1,<C:\\path\\to\\file\\file.name> For more information, refer to the "Administration Reference" manual, section "1.2.4 obj (dirxcp)", where the new option was added to several dirxcp commands. A detailed description of the -control option is given in the subsection "-control Option".
- Support for tunneling dirxadm RPC operations over an LDAP extended operation. A new LDAP extended operation, dsa_dirxadm_cmd, with a specific OID was implemented. It indicates to the receiving DSA that an LDAP client wants to execute the dirxadm command given in the payload of the extended operation. For more information, see the "LDAP Extended Operations" manual, section "1.3.4 dsa_dirxadm_cmd".
- Paged search requests on synchronous consumers were made more reliable by storing the initiator DSA’s role in the query reference and executing subsequent next page requests on the initiator DSA.
Security:
- By default, the LDAP server accepts TLS protocol versions 1.2 and 1.3 only.
- SELinux in unconfined mode: A new script was implemented which configures DirX Directory to run in unconfined mode, and the Linux installer was extended; see the section "1.2.7 Software Requirements" for more information.
- OpenSSL update to the 1.1.1m version.
Support of additional proprietary LDAP Request Control:
- LDAP Matched Value Only Filter Control: A search operation returns only those requested attribute values that match the filter in the control’s value. For example, it can be used to retrieve one particular certificate. The OID of the control is 1.3.12.2.1107.1.3.2.12.13. For more information, refer to the "DirX Directory Syntaxes and Attributes, Edition March 2022", section "2.4.3 LDAP Matched Value Only Filter Control".
Performance:
- Multithreaded CheckPointing
  - during a checkpoint operation the committed transactions are written to the data devices (reserved areas on physical disc)
  - if more than one data device is configured, the checkpoint write operation is now multi-threaded by default (it was single-threaded in the past)
  - default number of additional worker threads is 2
- Robustness: enhancement of the Linux watchdog process dirxdsas
Validation of data:
- attribute and object class names can be checked for valid characters (disabled by default), see "2.1.2.3 Enable schema LDAP name checking according to standard"
- the dirxload utility rejects an LDIF file if it finds a schema element with an empty description.
Diagnostics and logging:
Several enhancements have been implemented to yield more diagnostic information:
- enhanced ACI logging: provides an easier way to investigate complex access control decisions. Configured with the new LDAP extended operations dsa_ac_log_on and dsa_ac_log_off. For more information, see the "LDAP Extended Operations" manual, sections "1.3.1 dsa_ac_log_on" and "1.3.2 dsa_ac_log_off".
- new field in DSA audit records: the number of materialized entries in a search before ACI is applied
- warnings in log files that the server needs to be restarted after ACI changes
- detailed error codes and diagnostic messages in DSA audits
- CPU load measurements are now written to the DSA audit records
- new filter option -Q <query-ref> in dirxauddecode and dirxaudstatistics; see the "Administration Reference" manual, sections "1.3 dirxauddecode" and "1.4 dirxaudstatistics", for a detailed description of the -Q option and its usage.
- dirxaudstatistics summary extension and new top-lists for sub-durations
- logging of shadow agreements: a history of SOB agreement operations helps ticket analysis in systems where replication is used.
- the "sob show" command of the dirxadm application now displays more details about shadow agreements
- DBAM preload: the status information text of the 'in progress' status, which is accessed via the extended operation dsa_dbam_preload_status, was extended. More detail is returned about the currently processed items.
- improved log cleanup: previously, not all of the log files generated by the DSA processes were deleted after time expiration if DIRX_DEL_TIME was configured. Now all generated log files are handled equally. See the "Administration Reference" manual, section "4.2 DirX Directory Environment Variables", for a description of DIRX_DEL_TIME.
- stack traces of crash dumps are now available on Windows as well as on Linux (in the past they were generated only on Linux). Refer to the ReadMe.txt file installed in the "crash" directory (on Windows) for more information.
DirX Manager:
- new DIRXADM node in the DSA section of the Monitoring tab. It allows dirxadm operations to be executed directly from the DirX Manager. More information on this feature can be found in the "Manager Guide", section "5.2.7 DSA dirxadm".
Discontinued Features
The LDAP Mib interface in dirxadm is deprecated. It will not be supported in future versions of DirX Directory. Use of the LDAP extended operations is recommended starting from version DirX Directory 8.4.
Changes to the User Interface or Configuration Defaults
Changes in the user interface or configuration since DirX Directory 8.9.
The configuration of crash dumps and stack traces has changed for Windows installations and must be reconfigured manually. Crash dumps are important for problem investigation by the DirX Directory support team. If you want to enable core dumps and stack traces on your system, please refer to the ReadMe_WIN.txt file installed in the "crash" directory (on Windows) for detailed instructions.
The specification of the serialNumber in the extensible match with the CertificateExactMatchingRule or CertificateMatchingRule has changed. As of DirX Directory V8.10, the value of the serialNumber has to be specified in hexadecimal notation.
No new SNMP traps since DirX Directory 8.9.
DirX Directory 8.9
New Features
Security:
- Support of TLS version 1.3 throughout the whole product, i.e. in IDMS, ldapserver, dirxcp and DirX Manager. Look for the description of the attribute supportedEncryptionStrengthExt in the Syntaxes and Attributes Manual and for the description of the environment variables DIRX_SET_TLS_LEVEL_MIN/MAX in this ReleaseNote document.
- Enhanced DBAM Cache runtime checking and consistency control: An inconsistent DBAM Cache is repaired by an automatic reread of the affected DBAM pages from the DBAM device.
- Extension to Dynamic Groups functionality: Support of root as search base in the LDAP URL of dynamic groups.
Robustness: Support of the -repair option in db check also for subordinate index
Performance enhancements: Operation Support Perform Real Object Block Check in a multithreaded manner, resulting in a shorter duration of the "db check -rob" operation.
LDAP Proxy Extension: Search Result Rewrite Rules allow a list of the attributes that are to be returned to be specified. All other attributes returned from the target are skipped.
Diagnostics and logging:
Several enhancements have been implemented to yield more diagnostic information:
- Performance profiling can be enabled to trace performance issues.
- For better evaluation of search request issues, the search engine trace has been introduced. With this tool it is possible to trace the internal processing of the search engine.
- The information written to the DSA and LDAP audit records has been extended and can be made visible using the triple -v options in dirxauddecode.
SASL bind: The SASL mapping certificate.extensions.altname.email was extended to support a configurable mapping attribute. Look for the description of the environment variable DIRX_MAP_CERT_ALTNAME_ATTR in this ReleaseNote document.
Linux installation: The Linux installation no longer uses ksh. Furthermore, a protocol is logged by the installation procedure.
Support of 2 additional proprietary LDAP Request Controls:
- LDAP_CTRL_COND_OP: Perform a modify or add operation only if the LDAP filter in the control value matches the target entry of the operation.
- LDAP_CTRL_SEARCHRES_INFO: Return only the statistics (number of entries, number of attributes and number of attribute values) that a search operation would result in.