Powerful Open Source LDAP

From Port389

Introduction

The Directory Server project dates back to 1996, when Netscape hired the inventor of LDAP, Tim Howes, and his colleagues such as Mark Smith and Gordon Good from the University of Michigan. In 1999 AOL acquired Netscape and formed the iPlanet Alliance with Sun to jointly develop Netscape servers. From 1999 to 2001 the Netscape Directory Server team worked with Sun's Directory Server team, and later the Innosoft Directory Server (IDDS) team, in the U.S. in Santa Clara, CA and Austin, TX and in Grenoble, France on Directory Server and related products such as Meta Directory and Directory Access Router. The iPlanet alliance ended in October 2001, and Sun and Netscape forked the code base. From 2001 to 2004 the Netscape Directory Server team invested heavily in performance and multi-master replication. In December 2004, the Netscape Directory Server was acquired by Red Hat.

In the late 1990s, as Linux started to gain acceptance in companies, Netscape Directory Server was the first Netscape server to be officially released on Linux. In 2001 there was an effort at AOL's Strategic Business Solutions unit to improve Netscape server performance on Red Hat Linux. The team has a long history with Linux.

Feature History

Features Present in 2001

  • Multi-Master Replication (2-way)
  • Multiple, Disjoint Database backends (independent import, export, etc.)
  • Access control mechanism - in-tree (with data); advanced features (userattr); macro ACIs; proxy ACIs
  • SSLv3/TLSv1 - LDAP startTLS operation
  • On line configuration and management - cn=config, tasks
  • Chaining, entry distribution
  • Password Policy - password expiration/lockout, different hashes, some syntax checking
  • Account Inactivation
  • Roles
  • Class of Service
  • Resource-limits by bind DN
  • Server Side Sorting
  • Virtual List View
  • Logging - high performance, rotation
  • Plug-in interface
  • Pass Through Authentication

Features added in Netscape DS 6.1 (2002)

  • Plug-ins - Data Interoperability support
  • Virtual DIT Views

Features added in Netscape DS 6.2 (2003)

  • Multi-Master Replication (4-way)
  • Password Policy - per-user, per-subtree
  • Upgrade to Berkeley DB 4.1
  • Org Chart application

Features added in Netscape DS 6.21 (early 2004)

  • Access Control - Get Effective Rights operation (no UI)

Features added in Netscape DS 7.0 (late 2004 - unreleased)

  • Attribute Encryption
  • 64 Bit support (Solaris, HP-UX)
  • DSML Gateway
  • SASL/Kerberos
  • Write performance improvements - new IDL

Features added in Fedora DS 7.1 (June 1, 2005 - first open source release)

  • Windows Sync
  • Multi-Master Replication - WAN improvements, fractional replication (attributes), replica init from database backup
  • Password Change operation
  • Console UI support for Get Effective Rights
  • RPM packaging

Features added in Fedora DS 1.0 (December 8, 2005)

  • All open source
  • Apache HTTPD for Admin Server
  • Security - Support SHA-256, SHA-384, SHA-512, and MD5 for hashed password storage
  • Support for Fedora Core 4 (32 and 64 bit)

Features added in Fedora DS 1.0.2 (February 20, 2006)

  • Support for Fedora Core 5 (32 and 64 bit)
  • Password policy - improved syntax checking (# of uppercase, # of lowercase, etc.)

Features added in Fedora DS 1.0.3 (October 10, 2006)

  • Server can generate new password with password change extended operation
  • Upgrade to NSPR 4.6.3, NSS 3.11.3, LDAPCSDK 6.0.0 (with sasl/ipv6 support)
  • One step build uses system cyrus-sasl, net-snmp where possible

Features added in Fedora DS 1.0.4 (November 8, 2006)

  • No new features, just a couple of bug fixes

Features added in Fedora DS 1.1 (January 8, 2008)

  • Auto UID and GID number generation with the libdna plugin - Distributed Numeric Assignment - that works even with multi-master replication environments - see http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/dna/?root=dirsec for more information
  • Separate packages - each main component is in its own package - see Discrete_Packaging
  • Filesystem Hierarchy Standard file/path layout (e.g. log files are under /var/log/dirsrv) - see FHS_Packaging
  • Many of the components are now built into Fedora - see FDS_Into_FedoraCore
  • The setup command is now /usr/sbin/setup-ds-admin.pl - see FDS_Setup for more information
  • startconsole is gone - use /usr/bin/fedora-idm-console instead
  • Migration from version 1.0 and earlier is fully supported by the /usr/sbin/migrate-ds-admin.pl script provided with the package - see FDS_Setup and Migration_From_10 for more information - see note above about migration to Fedora DS 1.1 on Fedora 8 and later.
  • Binary packages are provided only for Fedora 6, 7, 8 and 9 - The Fedora 6 packages should run on Red Hat EL5.1 (not 5.0)
  • Version 1.1 does not include the phonebook, gateway, or org chart web apps - those will be provided in a following release
  • Init scripts!
    • service dirsrv {start|stop|restart} [instance name]
    • service dirsrv-admin {start|stop|restart}
    • Edit /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-admin to set the environment
  • Bug Fixes - This link lists all of the Fedora Directory Server bugs fixed since 1.0.4

Features added in Fedora DS 1.2.0 - April 3, 2009

Features added in 389 DS 1.2.1 - August 17, 2009

NOTE: This is the first release that is branded as 389. All of the RPMs have been marked as obsoleting their Fedora DS counterparts. When upgrading via yum, you must use yum upgrade (not update) so that the obsoletes will be processed.

NOTE: 389-console is the command to run the console. This replaces fedora-idm-console.

  • Support links between two attributes (like memberOf but with other/configurable attributes)
  • Support dereferencing control - http://www.openldap.org/devel/cvsweb.cgi/~checkout~/doc/drafts/draft-masarati-ldap-deref-xx.txt
  • Simple paged results - http://www.ietf.org/rfc/rfc2696.txt
  • Entry USN - sort of like a per entry CSN
  • Use thread aware library for complex regex searches
  • Syntax validation checking
    • NOTE that syntax validation is off by default in 1.2.1
    • There is a new syntax validate task and script that can be used to validate data in an existing server
  • Support additional standard attribute syntaxes
    • Numeric String, Bit String, Delivery Method, Enhanced Guide, Facsimile Telephone Number, Fax, Guide, Name And Optional UID, Printable String, Teletex Terminal Identifier, Telex Number
    • NOTE that 1.2.1 does not change the schema to use any of these syntaxes yet. That will come when we update to the current versions of the standard schema from the LDAP RFCs.
  • Strict DN Syntax enforcement
    • The DN syntax has become more restrictive over time, and the current rules are quite strict. Strict adherence to the rules defined in RFC 4514, section 3, would likely cause some pain to client applications. Things such as spaces between the RDN components are not allowed, yet many people use them still since they were allowed in the previous specification outlined in RFC 1779.
    • To deal with the special circumstances around validation of the DN syntax, a configuration attribute is provided named nsslapd-dn-validate-strict. When it is set to on, the server requires that the value strictly adhere to the rules defined in RFC 4514, section 3. When it is set to off, the server normalizes the value before checking it for syntax violations. Our current normalization function was designed to handle DN values adhering to RFC 1779 or RFC 2253.
  • Security Enhancements
    • Add require secure binds switch
      • This adds a new configuration attribute named nsslapd-require-secure-binds. When enabled, a simple bind will only be allowed over a secure transport (SSL/TLS or a SASL privacy layer). An attempt to do a simple bind over an insecure transport will return an LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting does not affect anonymous or unauthenticated binds.
      • The default setting is to have this option disabled.
  • Support OpenLDAP client libs - allow the use of OpenLDAP client libs in addition to mozldap
    • There is a new configure option --with-openldap that can be used to build the server with OpenLDAP instead of mozldap
    • In 1.2.1, the default is still to use mozldap, but those hardy souls adventurous enough can try to build 389 with OpenLDAP
    • More work is planned
  • Can now use SASL + TLS/SSL
    • Earlier versions had a limitation in that you could not use SASL encrypted I/O over a connection encrypted with TLS/SSL
    • The SASL I/O layer has been reworked as a push-able NSPR I/O layer
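The two settings of nsslapd-dn-validate-strict described above differ in whether the DN is normalized before it is checked. The following added example (not code from 389-ds-base) models only the rule the page names: under RFC 4514 section 3 no whitespace may appear between RDN components, while RFC 1779 style DNs such as "cn=x, ou=y" carry it. The normalization routine here stands in for the server's own and is simplified; the sample DNs are constructed.

```python
"""Strict versus normalized DN validation, modelling nsslapd-dn-validate-strict.

Added example, not code from 389-ds-base. Strict mode applies the RFC 4514
section 3 grammar as the page describes it; non-strict mode normalizes in
the RFC 1779 / RFC 2253 spirit first and then validates the result.
"""

import re

# Attribute type: a descr (keystring) or a dotted numeric OID (RFC 4512).
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$")


def split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped characters (e.g. '\\,')
    inside the current field instead of treating them as separators."""
    parts, field, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            field.append(s[i:i + 2])      # escaped char stays in the field
            i += 2
            continue
        if ch == sep:
            parts.append("".join(field))
            field = []
        else:
            field.append(ch)
        i += 1
    parts.append("".join(field))
    return parts


def has_unescaped_edge_space(value):
    """RFC 4514 requires a leading or trailing space in a value to be escaped."""
    return value.startswith(" ") or (
        value.endswith(" ") and not value.endswith("\\ "))


def validate_dn_strict(dn):
    """Strict mode: RDNs joined by a bare ',', AVAs by a bare '+', each AVA
    'type=value' with a well-formed type and no stray whitespace."""
    if dn == "":
        return True                       # the empty DN (root DSE) is legal
    for rdn in split_unescaped(dn, ","):
        if rdn == "":
            return False
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not ATTR_TYPE.match(attr):
                return False              # e.g. " ou" after "cn=x, ou=y"
            if has_unescaped_edge_space(value):
                return False
    return True


def normalize_dn(dn):
    """Simplified normalization: drop unescaped whitespace around ',', '+'
    and '=', and lower-case attribute types. Values are otherwise untouched."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                avas.append(ava.strip())  # malformed; strict check rejects it
                continue
            value = value.lstrip(" ")
            while value.endswith(" ") and not value.endswith("\\ "):
                value = value[:-1]
            avas.append(attr.strip().lower() + "=" + value)
        rdns.append("+".join(avas))
    return ",".join(rdns)


def validate_dn(dn, strict):
    """Mirror the two settings: strict=True checks the DN as given,
    strict=False normalizes first and then checks."""
    return validate_dn_strict(dn if strict else normalize_dn(dn))


if __name__ == "__main__":
    # Constructed sample: RFC 1779 style spacing that many clients still emit.
    legacy = "cn=Directory Manager, ou=people, dc=example, dc=com"
    print("strict:", validate_dn(legacy, strict=True))
    print("normalized:", validate_dn(legacy, strict=False))
```

Running the script shows why turning the switch on is a compatibility decision: the same DN fails under strict=True and passes under strict=False, so a practitioner would audit client DN formats before enabling strict mode.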

Features added in 389 DS 1.2.2 - August 26, 2009

This was a bug fix release - no new features.

Features added in 389 DS 1.2.3 - October 7, 2009

  • Ability to set resource limits (sizelimit, timelimit, look through limit) specifically for anonymous connections
    • This is useful when you want to have different limits for regular users and anonymous users
    • Set the attribute nsslapd-anonlimitsdn in cn=config to the DN of the entry that you want to use as the "template" entry. This is a dummy entry that you have to create. Then you set whatever resource limits you want to apply to anonymous to that dummy entry, and those limits will apply to anonymous users.
  • Access based on the security strength of the connection
    • There is a new ACI keyword - minssf - this allows you to set access control based on how secure the connection is
    • There is a global server setting in cn=config - nsslapd-minssf - that allows you to reject operations based on how secure the connection is
  • Ability to shut off anonymous access
    • This adds a new config switch in cn=config - nsslapd-allow-anonymous-access - that allows one to restrict all anonymous access. When this is enabled, the connection dispatch code will only allow BIND operations through for an unauthenticated user. The BIND code will only allow the operation through if it's not an anonymous or unauthenticated BIND.
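The switches introduced in 1.2.1 (nsslapd-require-secure-binds) and 1.2.3 (nsslapd-minssf, nsslapd-allow-anonymous-access, nsslapd-anonlimitsdn) all live in cn=config and all default to the permissive setting, so a practitioner wants a quick way to check a server's current state and produce the corrective change. The following added example (not tooling from the 389 project) does that against a cn=config entry exported as LDIF, for instance with ldapsearch; the sample entries are constructed, and the minssf threshold of 128 is this example's choice rather than a project default.

```python
"""Audit a cn=config LDIF dump for the 389 DS security switches and render
the hardening change as an LDIF modify.

Added example, not part of 389-ds-base. It looks only at the attributes
named on this page: nsslapd-require-secure-binds, nsslapd-minssf,
nsslapd-allow-anonymous-access and nsslapd-anonlimitsdn.
"""

# Constructed: a permissive cn=config with every switch at the default the
# page describes (secure binds not required, anonymous access allowed).
PERMISSIVE_CONFIG = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-require-secure-binds: off
nsslapd-minssf: 0
nsslapd-allow-anonymous-access: on
"""

# Constructed: the same entry after the hardening change has been applied.
HARDENED_CONFIG = """\
dn: cn=config
cn: config
nsslapd-require-secure-binds: on
nsslapd-minssf: 128
nsslapd-allow-anonymous-access: off
"""

MIN_SSF = 128  # example threshold (assumed here): 128-bit TLS/SASL key strength


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]} with lower-cased attribute
    names. Folded lines (leading space) are unfolded; base64 (::) values are
    not needed for these switches and are left undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def setting(entry, attr, default):
    """First value of attr, or the default that applies when it is absent."""
    values = entry.get(attr)
    return values[0] if values else default


def audit_config(ldif_text, min_ssf=MIN_SSF):
    """Return (attribute, current, recommended) for each switch weaker than
    the hardened value. Both new switches ship disabled and anonymous access
    ships enabled, so an absent attribute counts as the weak setting."""
    cfg = parse_ldif_entry(ldif_text)
    findings = []

    secure_binds = setting(cfg, "nsslapd-require-secure-binds", "off")
    if secure_binds.lower() != "on":
        findings.append(("nsslapd-require-secure-binds", secure_binds, "on"))

    ssf = setting(cfg, "nsslapd-minssf", "0")
    if not ssf.isdigit() or int(ssf) < min_ssf:
        findings.append(("nsslapd-minssf", ssf, str(min_ssf)))

    anon = setting(cfg, "nsslapd-allow-anonymous-access", "on")
    if anon.lower() == "on":
        findings.append(("nsslapd-allow-anonymous-access", anon, "off"))
        # If anonymous access is kept, at least bound its resource usage.
        if not setting(cfg, "nsslapd-anonlimitsdn", ""):
            findings.append(("nsslapd-anonlimitsdn", "(unset)",
                             "DN of a template entry carrying the limits"))
    return findings


def hardening_ldif(findings):
    """Render the findings as an LDIF modify for ldapmodify. The anonlimitsdn
    template DN is site-specific, so that finding becomes an LDIF comment."""
    out = ["dn: cn=config", "changetype: modify"]
    for attr, _current, recommended in findings:
        if attr == "nsslapd-anonlimitsdn":
            out.append("# if anonymous access stays on, set nsslapd-anonlimitsdn"
                       " to a template entry DN")
            continue
        out += ["replace: " + attr, attr + ": " + recommended, "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = audit_config(PERMISSIVE_CONFIG)
    for attr, current, recommended in findings:
        print("%-34s %-8s -> %s" % (attr, current, recommended))
    print(hardening_ldif(findings))
```

The audit treats a missing attribute as the weak value on purpose: an export that simply lacks nsslapd-require-secure-binds is a server running with the default, which the page states is disabled.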

Features added in 389 DS 1.2.4 - November 4, 2009

  • Support for Salted MD5 (SMD5) hashes. These are supported for migration purposes only. You should not use SMD5 for new passwords - use SSHA256

Features added in 389 DS 1.2.5 - January 13, 2010

  • Named Pipe Log Script
    • Provides a script which allows you to replace one or all log files with a named pipe script to do circular buffering, filtering, notifications, etc.

Features added in 389 DS 1.2.6 - September 13, 2010

  • Upgrade_to_New_DN_Format
    • In order to make sure DN-valued attributes can be searched correctly, an upgrade will automatically fix these values in the database
  • Managed Entries
    • Used, for example, to automatically create the user's group entry when adding a user entry
  • Matching rules
    • Support for all RFC 4517 matching rules (except the FirstComponent ones)

Version 1.2.7

  • One_Way_Active_Directory_Sync - allow Windows Sync to go only from AD to DS, or only from DS to AD, instead of just the default bi-directional sync
  • Use OpenLDAP instead of Mozilla LDAP - On Fedora 14 and later, the 389 packages are built with OpenLDAP instead of Mozilla LDAP
    • On Fedora 14 and later, openldap is built with Mozilla NSS for crypto instead of OpenSSL
    • Also includes all components such as admin server, adminutil, dsgw, and perl-Mozilla-LDAP
  • Account_Policy_Design - keep track of last login, automatically disable unused accounts
  • Move_changelog - the replication changelog has been moved into the main server database environment
  • MemberOf_Multiple_Grouping_Enhancements - Member Of supports multiple membership attributes
  • Coverity bug fixes - we ran Coverity over the 389-ds-base source code and fixed many of the reported issues
  • Allow the replication functionality to be built separately from the main server
  • Allow Class of Service (CoS) values to be merged - CoS values can be merged and create multi-valued attributes. One can append "merge-schemes" to the end of the cosAttribute value in a definition entry to allow values to be merged.
  • Merge 389 SELinux policy with base OS policy - there are too many interdependencies to have a separate policy module - starting with 1.2.7, the policy for 389 will be part of the base OS policy

Version 1.2.8

Mostly bug fixes

Version 1.2.9

  • Auto Membership - This allows one to define rules that can assign newly added entries to groups
  • More Coverity fixes

Version 1.2.10

  • Latest 1.2.10 release is 1.2.10.14
  • Account Usability Control support
  • database transaction pre/post plugins
    • Changelog writes use main database transaction
  • native systemd support
  • slapi_rwlock support replaces direct NSPR PR_RWLock support

Version 1.2.11

  • Support multiple Simple Paged Result searches in a single connection Simple_Paged_Results_Design
  • Support SASL/PLAIN
  • logconv.pl improvements
  • Support for Berkeley DB version 5
  • Improved support for transactions and backend transaction plugins
    • DNA and USN use backend transaction plugins
    • Allow most plugins to be backend transaction plugins (for testing)
  • Allow internal operations triggered by external operations (referential integrity, memberof, etc.) to use modifiersName/creatorsName from original external operation
    • Added a new config attribute nsslapd-plugin-binddn-tracking to cn=config. It is off by default. If set to on, the server will update a set of new operational attributes: internalModifiersname & internalCreatorsname. These attributes will store the DN of the plugin that made the update, while modifiersname/creatorsname will now be the bind dn that initiated the original external operation. Plugin_Track_Bind_DN
  • Windows Sync API version 3 Windows_Sync_Plugin_API
    • support for multiple winsync plugins
    • support for plugin precedence
    • support for pre DS to AD user and group ADD operation callbacks
    • support for post operation callbacks
  • Ability to disable replication agreements
    • nsds5ReplicaEnabled - if this is set to "off" in the replication agreement entry, the agreement will be disabled
  • CLEANRUV improvements Howto:CLEANRUV
    • New CLEANALLRUV task
  • Disk monitoring Disk_Monitoring
    • Can enable monitoring of disk usage, particularly for databases and log files, with warnings upon reaching certain thresholds of disk usage
  • Allow setup to work with IPv6
  • Support of IPv6 addresses in plugins (acl, replication, chaining, etc)
  • Root DN Access Control Plugin RootDN_Access_Control
  • Added ability to track the time when a password was last changed Track_Password_Update
  • Added ability to disable the legacy password policy behavior. PasswordMaxFailure doesn't behave as some newer LDAP clients might expect Legacy_Password_Policy
  • Windows Sync - support for WinSync_Posix
    • NOTE: This version does not support ADD operations from DS to AD - POSIX attributes will not be synced - AD to DS works fine
  • Windows Sync - support for WinSync_Move_Action - control how winsync processes out of scope AD entries

Version 1.3.0

Version 1.3.0 of 389-ds-base adds the following new features:

The full list of tickets addressed in version 1.3.0 is available at https://fedorahosted.org/389/report/14

Initial Release

The initial release of Fedora Directory Server (version 7.1) was 6/1/2005. This included the source code to the complete Directory Server engine. It also included pre-built binaries (on selected platforms) for the admin server daemon and the console administration front-end, but not the source code for those. The entire product was open sourced on 12/1/2005 as Fedora Directory Server version 1.0 - see Release_Notes for more information about that release, which uses Apache as the admin server daemon. This was a week short of a year since Red Hat acquired the Directory Server from AOL, fulfilling the promise Red Hat made when it acquired the code to open source it within the year.