Errata ID: AXBA:2018-3196:06

2018/06/27 Wednesday - 02:13
Asianux Server 7 for x86_64

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

This update fixes the following bugs:

* On an incoming replicated session, a replicated operation must only be processed when the previous one is completed. In certain situations, the thread which processed the start session operation continued to read and process replicated operations. Consequently, two replicated operations ran in parallel, which led to inconsistencies, such as a completed child "add" operation before the parent entry was added. With this update, the thread processing the start session operation no longer processes further operations, even if some are available in the read buffer. As a result, the inconsistencies no longer occur in the mentioned scenario. (BZ#1579698)

* If an Asianux Directory Server instance was installed using version 10.1.0 or earlier and subsequently updated, the update script did not enable the Password-Based Key Derivation Function version 2 (PBKDF2) plug-in. As a consequence, the PBKDF2_SHA256 password storage scheme could not be used in the nsslapd-rootpwstoragescheme and passwordStorageScheme parameters. This update automatically enables the plug-in. As a result, administrators can now use the PBKDF2_SHA256 password storage scheme. (BZ#1579700)

* Previously, if an update operation on a replication hub server triggered the memberOf plug-in to update an entry, the update failed to be logged to the Directory Server changelog. Consequently, replication stopped working. With this update, Directory Server running as a replication hub no longer writes to the changelog if the update operation was internal. As a result, replication no longer fails when using the memberOf plug-in on replication hubs. (BZ#1579702)

* Due to a case-sensitivity problem, the ds-replcheck utility did not check correctly for conflict entries. If conflict entries existed, ds-replcheck reported errors and terminated unexpectedly. With this update, all attribute names are converted to lowercase before processing the data. As a result, ds-replcheck correctly reports conflict entries and no longer crashes. (BZ#1580257)

* Directory Server uses the nunc-stans framework to manage connection events. This framework requires that only one handler is scheduled at a time. Previously, when the server shut down, the closure handler was scheduled at the same time as a read handler. As a consequence, a "connection that is not acquired" warning was logged and, in certain situations, Directory Server terminated unexpectedly. With this update, the server only schedules one handler at a time. As a result, the warning is no longer logged and the server does not crash during shutdown. (BZ#1580523)

* Previously, when Directory Server denied access to a resource because of a DENY access control instruction (ACI), the cached result for this resource was not properly updated. As a consequence, if the same operation was repeated on the same connection, the server incorrectly allowed the operation. With this update, Directory Server maintains the ACI result cache for DENY ACIs correctly. As a result, DENY ACIs work as expected. (BZ#1581588)

* Due to a restriction in Directory Server, administrators could only use RSA and Fortezza ciphers. As a consequence, certificates created with a different cipher, such as ECC certificates, were not supported. This update removes this restriction. As a result, administrators can now use certificates with all ciphers supported by the underlying Network Security Services (NSS) database when configuring TLS in Directory Server. (BZ#1584066)

Users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the 389 server service will be restarted automatically.
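The ds-replcheck fix above (BZ#1580257) lowercases attribute names before processing, which matters because LDAP attribute names are case-insensitive. The following is an added example, not ds-replcheck's code and not part of the original advisory: a minimal LDIF reader run over constructed sample entries, assuming conflict entries are marked by the nsds5ReplConflict attribute, showing how a case-sensitive lookup misses a conflict entry.

```python
import base64

# Constructed sample LDIF (not real export data). Two conflict entries spell
# the conflict attribute with different casing; one value is folded, one base64.
SAMPLE_LDIF = "\n".join([
    "dn: cn=alice,ou=people,dc=example,dc=com",
    "cn: alice",
    "",
    "dn: nsuniqueid=00000000-00000001+cn=bob,ou=people,dc=example,dc=com",
    "cn: bob",
    "nsds5ReplConflict: namingConflict cn=bob,ou=people,",
    " dc=example,dc=com",  # folded continuation line (leading space)
    "",
    "dn: nsuniqueid=00000000-00000002+cn=carol,ou=people,dc=example,dc=com",
    "cn: carol",
    "NSDS5REPLCONFLICT:: " + base64.b64encode(b"namingConflict cn=carol").decode(),
    "",
])

def parse_ldif(text, normalize=True):
    """Parse LDIF into {attribute: [values]} dicts; normalize lowercases names."""
    entries, current = [], {}
    unfolded = text.replace("\n ", "")  # join folded lines (RFC 2849)
    for line in unfolded.splitlines() + [""]:
        if not line.strip():  # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # LDIF comment
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        key = name.lower() if normalize else name
        current.setdefault(key, []).append(value)
    return entries

def conflict_dns(entries, attr="nsds5replconflict"):
    """Return the DNs of entries that carry the conflict attribute."""
    return [e["dn"][0] for e in entries if attr in e]

if __name__ == "__main__":
    # Case-sensitive lookup finds only one conflict entry; normalized finds both.
    print(conflict_dns(parse_ldif(SAMPLE_LDIF, normalize=False), "nsds5ReplConflict"))
    print(conflict_dns(parse_ldif(SAMPLE_LDIF)))
```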


