Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition

Chapter 1 New Features in Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1)

These release notes provide current information on the date they are published. If the English version of the release notes has a more recent publication date, it might be updated with more current information that is not provided in other language versions. Consult the English version of the release notes for the most current information.

This section contains the following information:

What's New in Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1)

Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) is a rebranded release of Sun Directory Server Enterprise Edition 7.0. This release is equivalent to a patch release. It contains no new functionality but does fix important security issues and certain other issues that have been integrated in previously released patches and hot fixes. For more information, see Chapter 4, Directory Server Bugs Fixed and Known Problems, Chapter 5, Directory Proxy Server Bugs Fixed and Known Problems and Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1 in Installation Instructions for Identity Synchronization for Windows 6.0 Service Pack 1.

This release also aligns the list of supported platforms with most other Oracle Fusion Middleware products. For details of the changes to supported platforms, see Platform Support, System Virtualization Support, and Operating System Requirements.

You can configure an Oracle Virtual Directory LDAP adapter to work with Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1). For more information, see “LDAP Adapter Templates” in the Administrator's Guide for Oracle Virtual Directory.

Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) can also be synchronized with other directory servers by using the Oracle Directory Integration Platform. For more information, see “Configuring Directory Synchronization” in the Administrator's Guide for Oracle Directory Integration Platform.

This release incorporates the NSS 3.12.6 library, which fixes an important security bug around SSL renegotiation of security parameters. NSS 3.12.6 is, however, incompatible with previous versions of NSS regarding the renegotiation fix. Therefore, to take advantage of the safe renegotiation fix, you must upgrade to NSS 3.12.6 on all servers in your topology. A topology with mixed NSS versions will function as expected, provided renegotiation is not used. If safe renegotiation is requested in a mixed topology, however, encrypted traffic will be stopped between servers that have different versions of the NSS library.

In some instances, both in the documentation and in the product, you might still see references to Sun Microsystems. These can be read to mean Oracle Corporation in most cases. You might also see references to version 7.0.1. This was the internal version of the product, which can be read to mean 11g Release 1 (11.1.1) or version 11.1.1.3.0 in all cases.


Note –

These Release Notes no longer list the known issues in Identity Synchronization for Windows. For a complete list of known issues, and for a description of bugs fixed in the latest service pack, see Known Issues and Limitations in Installation Instructions for Identity Synchronization for Windows 6.0 Service Pack 1.


The remainder of this section refers to new features that were provided in Sun Directory Server Enterprise Edition 7.0.

New Features in Directory Server

This section describes the new features that were provided in Directory Server 7.0.

New DB Entry Format

To reduce the database entry size, the database entry format has changed. The internal representation of an entry changed from an ASCII LDIF format to a tagged binary format. Data stored in the database no longer starts with the characteristic dn: prefix; instead, the first byte of an entry is a value bigger than 0xE0 (hence all values 0xE0 to 0xFF are to be considered reserved for internal use).

For compatibility reasons entries can be a mix of LDIF and binary representations, but any modification will write the entry in binary format.

Suffix entry data can be compressed when written to disk to minimize its disk footprint. Compression is enabled according to the settings of the compression-mode and compression-entries properties.

For additional information, refer to Chapter 8, Writing Entry Store and Entry Fetch Plug-Ins, in Oracle Fusion Middleware Developer’s Guide for Oracle Directory Server Enterprise Edition.

Copyless Restore

To save disk space, you can restore a server by moving files in place of copying them. You can perform the copyless restore by setting a flag with the restore command.

For more information, see Binary Restore in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

IPv6 Support on Windows

Server instances installed on Windows systems now support Internet Protocol version 6, as do instances installed on other supported operating systems.

New Command for Account Management

The dsutil command now performs the functions formerly provided by the ns-activate, ns-inactivate, and ns-accountstatus commands.

New Backup Feature

Backup operations perform a database verify on archived data when the --flags verify-db option is specified.

Index Filter Analyzer

The index filter analyzer identifies index lists where the number of entries exceeds the maximum number of indexable entries (the ALLID threshold) and monitors user searches using such index lists. To enable the index filter analyzer, use the dsconf enable-index-filter-analyzer command.

New Features in Directory Proxy Server

This section describes the new features that were provided in Directory Proxy Server 7.0.

Entry Aggregation

Entry aggregation enables the following:

JDBC Data View

The JDBC data view now supports Date and Blob.

Optimized Monitoring and Logging

Directory Proxy Server now uses a new logging engine implementation that performs more efficiently on multi-core systems.

Connection Handlers

Coordinator Data View

The coordinator data view is a new type of data view that addresses more use cases, for example, company mergers.

For more information, see Creating and Configuring Coordinator Data Views in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

Distribution Algorithm

An enhanced regex distribution algorithm is added, as described in Configuring Pattern Matching Distribution Algorithm in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

Join Data View Searches

To optimize the performance of searches of a join data view, Directory Proxy Server makes use of Virtual List View (VLV) indexes. VLV indexes help you avoid the scenario where a search hits the size limit because one data source returns a large number of entries and the others return very few. To use VLV indexes, see Browsing Index in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition.

Behavioral Changes in Directory Server Enterprise Edition

This section describes the behavioral changes that were made in Sun Directory Server Enterprise Edition 7.0.

Change in Product Layout

The Directory Server Enterprise Edition product layout changed as follows:

For a complete list of file locations, see Software Layout for Directory Server Enterprise Edition in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition.

Replica Update Vector in LDIF

Starting with Directory Server 7.0, the export process (dsadm export) always places the Replica Update Vector (RUV) as the last entry in the exported LDIF file.

Load Libraries for Sun Microsystems Plug-in From the Installation Directory

Directory Server loads the libraries for Sun Microsystems plug-ins from the path where the software is installed. The libraries are no longer loaded from the path mentioned in the LDIF.

Optimized Import

Global Import Process

A new threading model improves import performance on multi-core machines.

Parallel Merging

If an import is multi-pass, merging of the indexes happens in parallel if there is enough memory for holding the index and its temporary files. The parallel merging of indexes results in improved performance.

Compliance with RFC 4522

When a search operation returns attributes whose syntax requires binary transfer, it appends the ;binary qualifier to the attribute name. To disable compliance with RFC 4522, set the compat-flag property to no-rfc4522.

Compliance with RFC 4511

New in Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1).

LDAP's RFC 4511 states that an "and" filter choice evaluates to TRUE if all its constituent (SET OF) filters evaluate to TRUE. In practice, the result for an "and" filter choice is the set of entries that match each and every constituent filter applied on its own.

In previous versions of Directory Server, filters of the form (&(attr>=v1)(attr<=v2)) were interpreted as matching entries with values in the range v1...v2. This interpretation is too restrictive when the attribute is multi-valued, because an entry might have values that match both constituent filters even though the values themselves are smaller than v1 and bigger than v2.

The Directory Server now implements the RFC 4511 behavior by default, unless compat-flag is set to no-rfc4511.
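The difference between the two interpretations, shown on a multi-valued attribute. This is an added example, not Oracle code: the entries, DNs and integer values are constructed, and plain integer comparison stands in for the attribute's ordering matching rule.

```python
# Added example: entries and the attribute values below are constructed.
from typing import Dict, List

def match_range(values: List[int], v1: int, v2: int) -> bool:
    """Earlier interpretation: one single value must lie in v1...v2."""
    return any(v1 <= v <= v2 for v in values)

def match_rfc4511(values: List[int], v1: int, v2: int) -> bool:
    """RFC 4511: (attr>=v1) and (attr<=v2) are each evaluated on their own,
    so different values of the same attribute may satisfy each one."""
    return any(v >= v1 for v in values) and any(v <= v2 for v in values)

def search(entries: Dict[str, List[int]], matcher, v1: int, v2: int) -> List[str]:
    """Return the sorted DNs whose attribute values satisfy the matcher."""
    return sorted(dn for dn, vals in entries.items() if matcher(vals, v1, v2))

def newly_matched(entries: Dict[str, List[int]], v1: int, v2: int) -> List[str]:
    """DNs returned only under the RFC 4511 evaluation."""
    old = set(search(entries, match_range, v1, v2))
    return [dn for dn in search(entries, match_rfc4511, v1, v2) if dn not in old]

# Constructed directory: DN -> values of one multi-valued integer attribute.
ENTRIES = {
    "uid=a,dc=example,dc=com": [150],      # single value inside 100...200
    "uid=b,dc=example,dc=com": [50],       # single value below the range
    "uid=c,dc=example,dc=com": [50, 900],  # no value inside the range
    "uid=d,dc=example,dc=com": [50, 150],  # one value inside the range
    "uid=e,dc=example,dc=com": [],         # attribute absent
}

if __name__ == "__main__":
    print("range   :", search(ENTRIES, match_range, 100, 200))
    print("rfc4511 :", search(ENTRIES, match_rfc4511, 100, 200))
    print("new     :", newly_matched(ENTRIES, 100, 200))
```

Every entry matched under the range interpretation is still matched under RFC 4511, so the result set can only grow; filters of this form that feed access decisions or group membership are the ones to re-check against multi-valued attributes.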

New Administrative Commands and Functionality

This section describes changes in the behavior of administrative commands.

Binary Backup

A binary backup modifies the backup files by running a database recovery, and flushes the backup transaction logs to the backup databases. To leave the backup as is, use the --flags no-recovery option.

Faster Re-indexing

Re-indexing is performed more efficiently, reusing some recent import techniques and speed improvements.

Index State

The dsconf info command reports which attributes need to be re-indexed (for example, after a configuration change).

Enabled SSL Ciphers in Root DSE

The root DSE contains the list of supported ciphers as reported by the security library. In release 7.0, the root DSE also contains the ciphers that are available for SSL negotiation under the enabledSSLCiphers attribute, and it is by default a subset of all the supported ciphers.
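One way to audit the enabledSSLCiphers list once the root DSE has been exported as LDIF. This is an added example, not Oracle code: the LDIF is constructed sample data, the supportedSSLCiphers attribute name and the cipher name format are assumptions, and the weak-cipher markers are a local policy choice.

```python
# Added example: ROOT_DSE_LDIF is constructed sample data, not server output.
import re
from collections import defaultdict

ROOT_DSE_LDIF = """\
dn:
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
enabledSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
enabledSSLCiphers: SSL_RSA_WITH_NULL_
 MD5
"""

# Name fragments treated as weak here (an assumption; adjust to local policy).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "_DES_", "MD5")

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    attrs = defaultdict(list)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs[name.strip().lower()].append(value.strip())
    return attrs

def audit_ciphers(ldif):
    """Report enabled ciphers, weak ones among them, and any not supported."""
    attrs = parse_ldif_entry(ldif)
    supported = set(attrs["supportedsslciphers"])
    enabled = attrs["enabledsslciphers"]
    return {
        "enabled": sorted(enabled),
        "weak_enabled": sorted(c for c in enabled
                               if any(m in c for m in WEAK_MARKERS)),
        "not_in_supported": sorted(c for c in enabled if c not in supported),
    }

if __name__ == "__main__":
    for key, ciphers in audit_ciphers(ROOT_DSE_LDIF).items():
        print(f"{key}: {ciphers}")
```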