What's new for V5R4
Information about the changes and improvements made to Directory Server since the last release.
Directory Server for iSeries™ has the following enhancements and new functions for V5R4:
Replication
- Gateway replication: Replication can take place across replicating networks using gateway servers. Gateway servers can more effectively collect and distribute information while reducing network traffic. See "Gateway replication" in the Replication overview.
- cn=IBMpolicies: A new container object for entries to be shared among replicating servers. In contrast to cn=localhost, a container for entries that are not replicated, cn=IBMpolicies contains configuration-like information that might need to be replicated. See Suffix (naming context).
Security
- DIGEST-MD5 authentication: DIGEST-MD5 is a Simple Authentication and Security Layer (SASL) authentication mechanism. When a client uses DIGEST-MD5, the password is not transmitted in clear text and the protocol prevents replay attacks. See Authentication.
- Transport Layer Security (TLS): A StartTLS extended operation has been added to allow a client to upgrade a nonsecure connection to one secured by TLS. In addition, an AES 256-bit TLS ciphersuite is supported by the server. See Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server.
Search
- Subtree search on null base: All suffixes defined in the configuration file can be searched with just one search request. This eliminates the need for multiple searches (each with a different suffix as the search base) to search the entire directory. See Searching the directory entries.
- Search limit groups: This function allows an administrator to assign different search limits to specific groups in addition to the general limits imposed on all users. It provides flexibility for administrators to determine who has what search limits on a particular server. See Search parameters.
- Alias dereferencing processing enhancements: Performance of searches that use dereferencing options is significantly improved when the directory contains no aliases. In addition, configuration options now exist to override dereferencing options that are specified in client search requests. See Search parameters.
- Attribute cache: The attribute cache function is a performance enhancement for doing search filter resolution in memory rather than performing the initial resolution in the database and storing it in the filter cache. The attribute cache, unlike the filter cache, is not purged every time an LDAP add, modify, or delete operation is performed. When configured, the server automatically adjusts attribute caches at the configured time intervals and caches those attributes that would be most useful within the maximum amount of memory configured for attribute caching. See Attribute cache.
Attributes
- Unique attributes: The unique attributes function ensures that specified attributes will always have unique values within a directory. For example, an administrator might want to specify that an attribute that stores social security numbers be unique because it is not possible for two people to have the same number. See Unique attributes.
- Preservation of operational attributes: The operational attributes creatorsName, createTimestamp, modifiersName, and modifyTimestamp are now replicated to consumer servers and are now imported and exported in LDIF files. See Operational attributes.
- Language tags: Language tags are mechanisms that enable the directory to associate natural language codes with values held in a directory and enables clients to query the directory for values that meet certain natural language requirements. See Language tags.
Groups
- Group of administrative users: Multiple user distinguished names (DNs) can have almost all of the same administrative access as the LDAP server administrator. This function allows several users to perform administrative tasks without having to share a user ID and password. See Administrative access.
- Proxy authorization: Proxy authorization provides a way for an LDAP client to bind as one user but access the target directory as another user. This allows client applications more flexibility because they can perform operations on behalf of multiple users without having to rebind for each user. See Proxy authorization.
Other
- Monitor enhancements: The Web administration tool is now used to view server and connection information. The following enhancements have been made to monitor support:
  - Serviceability and Denial of Service
    - New information has been added to the monitor output to include counts of completed operations by type (BIND, MODIFY, COMPARE, SEARCH, and so forth), depth of the work queue, number of available worker threads, counts of messages added to the server log, audit log, CLI errors, counts of both the number of secure sockets layer (SSL) and TLS connections, idle connection information, and emergency thread statistics.
    - A new search base of "cn=workers,cn=monitor" is provided to return information about the worker threads.
  - Attribute cache
    - Information about the cache and attributes in the cache (configured size, total size, hit rate) will be recorded.
    - A new search base of "cn=changelog,cn=monitor" will be used to return attribute cache information for the change log.
- Support for client applications to authenticate as the current user: The LDAP client and command line utilities are enhanced to support authenticating to the local directory server as the current user. This is particularly useful for performing administrative tasks when signed on as an i5/OS user that has administrative authority to the directory.
- Access controls on system and restricted attributes: You can now control access to system and restricted attributes related to access control and other server-managed attributes of LDAP entries.
- Copy users in a validation list to an LDAP directory: The directory server can be populated with directory objects based on the users defined in an HTTP-style validation list. In addition, the directory server can authenticate users based on credentials copied from HTTP validation lists. New application programming interfaces (APIs) facilitate this process. See Copying users from an HTTP server validation list to the Directory Server.
- Denial of service and unbind of bound DN: New enhancements enable the server to identify, recover, and survive many forms of denial of service attacks. These enhancements include giving the administrator more control and automatic adjustments by the server. See Denial of service.
- More Web administration functionality: More tasks can be accomplished using the Web administration tool. Most of the new functionality is found under the new Server administration category.
- Read access to projected users: Provides the capability to enable or disable read access to projected users. See Read access to projected users.
- IBM® Tivoli® Directory Server equivalence: The V5R4 Directory Server is equivalent to the IBM Tivoli Directory Server Version 5.2.
How to see what's new or changed
To help you see where technical changes have been made, this information uses:
- The image to mark where new or changed information begins.
- The image to mark where new or changed information ends.
To find other information about what's new or changed this release, see the Memo to users.