143 lines
10 KiB
HTML
143 lines
10 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow"/>
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<title>Directory Server (LDAP) - What's new for V5R4</title>
|
||
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
||
|
<img src="delta.gif" alt="Start of change" />
|
||
|
<a name="rzahyenh-rf"></a>
|
||
|
<h1 id="rzahyenh-rf">What's new for V5R4</h1>
|
||
|
<p>Directory Server for iSeries has the following enhancements and new functions
|
||
|
for V5R4:</p>
|
||
|
<p><span class="bold">Replication</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">Gateway replication:</span> Replication can take place
|
||
|
across replicating networks using gateway servers. Gateway servers can more
|
||
|
effectively collect and distribute information while reducing network traffic.
|
||
|
See "Gateway replication" in the <a href="rzahyrepoverview.htm#rzahyrepoverview">Replication overview</a>.</li>
|
||
|
<li><span class="bold">cn=IBMpolicies:</span> A new container object for entries
|
||
|
to be shared among replicating servers. In contrast to cn=localhost, a container
|
||
|
for entries that are not replicated, cn=IBMpolicies contains configuration-like
|
||
|
information that might need to be replicated. See <a href="rzahysuffix.htm#rzahysuffix">Suffix (naming context)</a>.</li></ul>
|
||
|
<p><span class="bold">Security</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">DIGEST-MD5 authentication:</span> DIGEST-MD5 is a simple
|
||
|
authentication security layer (SASL) authentication mechanism. When a client
|
||
|
uses Digest-MD5, the password is not transmitted in clear text and the protocol
|
||
|
prevents replay attacks. See <a href="rzahyauthentication.htm#rzahyauthentication">Authentication</a>.</li>
|
||
|
<li><span class="bold">Transport layer security (TLS):</span> A StartTLS extended
|
||
|
operation has been added to allow a client to upgrade a nonsecure connection
|
||
|
to one secured by TLS. In addition, an AES 256-bit TLS ciphersuite is supported
|
||
|
by the server. See <a href="rzahyssl-rf.htm#rzahyssl-rf">Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
|
||
|
the Directory Server</a></li></ul>
|
||
|
<p><span class="bold">Search</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">Subtree search on null base:</span> All suffixes defined
|
||
|
in the configuration file can be searched with just one search request. This
|
||
|
eliminates the need for multiple searches (each with a different suffix as
|
||
|
the search base) to search the entire directory. See <a href="rzahysearchentry.htm#rzahysearchentry">Search the directory entries</a>.</li>
|
||
|
<li><span class="bold">Search limit groups:</span> This function allows an administrator
|
||
|
to assign different search limits to specific groups in addition to the general
|
||
|
limits imposed on all users. It provides flexibility for administrators to
|
||
|
determine who has what search limits on a particular server. See <a href="rzahysearchpar.htm#rzahysearchpar">Search parameters</a>.</li>
|
||
|
<li><span class="bold">Alias dereferencing processing enhancements:</span> Performance
|
||
|
of searches that use dereferencing options is significantly improved when
|
||
|
the directory contains no aliases. In addition, configuration options now
|
||
|
exist to override dereferencing options that are specified in client search
|
||
|
requests. See <a href="rzahysearchpar.htm#rzahysearchpar">Search parameters</a>.</li>
|
||
|
<li><span class="bold">Attribute cache:</span> The attribute cache function is
|
||
|
a performance enhancement for doing search filter resolution in memory rather
|
||
|
than performing the initial resolution in the database and storing it in the
|
||
|
filter cache. The attribute cache, unlike the filter cache, is not purged
|
||
|
every time an LDAP add, modify, or delete operation is performed. When configured,
|
||
|
the server automatically adjusts attribute caches at the configured time intervals
|
||
|
and caches those attributes that would be most useful within the maximum amount
|
||
|
of memory configured for attribute caching. See <a href="rzahyattcache.htm#rzahyattcache">Attribute cache</a>.</li></ul>
|
||
|
<p><span class="bold">Attributes</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">Unique attributes:</span> The unique attributes function
|
||
|
ensures that specified attributes will always have unique values within a
|
||
|
directory. For example, an administrator might want to specify that an attribute
|
||
|
that stores social security numbers be unique because it is not possible for
|
||
|
two people to have the same number. See <a href="rzahyuniqueatt.htm#rzahyuniqueatt">Unique attributes</a>.</li>
|
||
|
<li><span class="bold">Preservation of operational attributes:</span> The operational
|
||
|
attributes <span>creatorsName</span>, <span>createTimestamp</span>, <span>modifiersName</span>, and <span>modifyTimestamp</span> are now replicated to consumer servers
|
||
|
and are now imported and exported in LDIF files. See <a href="rzahyoperational.htm#rzahyoperational">Operational attributes</a>.</li>
|
||
|
<li><span class="bold">Language tags:</span> Language tags are mechanisms that
|
||
|
enable the directory to associate natural language codes with values held
|
||
|
in a directory and enables clients to query the directory for values that
|
||
|
meet certain natural language requirements. See <a href="rzahylangtags.htm#rzahylangtags">Language tags</a>.</li></ul>
|
||
|
<p><span class="bold">Groups</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">Group of administrative users:</span> Multiple user distinguished
|
||
|
names (DNs) can have almost all of the same administrative access as the LDAP
|
||
|
server administrator. This function allows several users to perform administrative
|
||
|
tasks without having to share a user ID and password. See <a href="rzahyadminaccess.htm#rzahyadminaccess">Administrative access</a>.</li>
|
||
|
<li><span class="bold">Proxy authorization:</span> Proxy authorization provides
|
||
|
a way for an LDAP client to bind as one user but access the target directory
|
||
|
as another user. This allows client applications more flexibility because
|
||
|
they can perform operations on behalf of multiple users without having to
|
||
|
rebind for each user. See <a href="rzahyproxyauth.htm#rzahyproxyauth">Proxy authorization</a>.</li></ul>
|
||
|
<p><span class="bold">Other</span></p>
|
||
|
<ul>
|
||
|
<li><span class="bold">Monitor enhancements:</span> The Web administration tool
|
||
|
is now used to view server and connection information. The following enhancements
|
||
|
have been made to monitor support:
|
||
|
<ul>
|
||
|
<li>Serviceability and Denial of Service
|
||
|
<ul>
|
||
|
<li>New information has been added to the monitor output to include counts
|
||
|
of completed operations by type (BIND, MODIFY, COMPARE, SEARCH, and so forth),
|
||
|
depth of the work queue, number of available worker threads, counts of messages
|
||
|
added to the server log, audit log, CLI errors, counts of both the number
|
||
|
of secure sockets layer (SSL) and TLS connections, idle connection information,
|
||
|
and emergency thread statistics.</li>
|
||
|
<li>A new search base of "cn=workers,cn=monitor" is provided to return information
|
||
|
about the worker threads.</li></ul></li>
|
||
|
<li>Attribute cache
|
||
|
<ul>
|
||
|
<li>Information about the cache and attributes in the cache (configured size,
|
||
|
total size, hit rate) will be recorded.</li>
|
||
|
<li>A new search base of "cn=changelog,cn=monitor" will be used to return
|
||
|
attribute cache information for the change log.</li></ul></li></ul></li>
|
||
|
<li><span class="bold">Support for client applications to authenticate as the
|
||
|
current user:</span> The LDAP client and command line utilities are enhanced
|
||
|
to support authenticating to the local directory server as the current user.
|
||
|
This is particularly useful for performing administrative tasks when signed
|
||
|
on as an i5/OS user that has administrative authority to the directory.</li>
|
||
|
<li><span class="bold">Access controls on system and restricted attributes:</span> You can now control access to system and restricted attributes related
|
||
|
to access control and other server-managed attributes of LDAP entries.</li>
|
||
|
<li><span class="bold">Copy users in a validation list to an LDAP directory:</span> The directory server can be populated with directory objects based on
|
||
|
the users defined in an HTTP-style validation list. In addition, the directory
|
||
|
server can authenticate users based on credentials copied from HTTP validation
|
||
|
lists. New application programming interfaces (APIs) facilitate this process.
|
||
|
See <a href="rzahyvldltoldap.htm#rzahyvldltoldap">Copy users from an HTTP server validation list to the Directory Server</a>.</li>
|
||
|
<li><span class="bold">Denial of service and unbind of bound DN:</span> New enhancements
|
||
|
enable the server to identify, recover, and survive many forms of denial of
|
||
|
service attacks. These enhancements include giving the administrator more
|
||
|
control and automatic adjustments by the server. See <a href="rzahydos.htm#rzahydos">Denial of service</a>.</li>
|
||
|
<li><span class="bold">More Web administration functionality:</span> More tasks
|
||
|
can be accomplished using the Web administration tool. Most of the new functionality
|
||
|
is found under the new <span class="bold">Server administration</span> category.</li></ul><img src="deltaend.gif" alt="End of change" />
|
||
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
</body>
|
||
|
</html>
|