What's New at a Glance
This section describes the main new features and enhancements in all
of the component products of DSEE and includes the following
information:
General DSEE Enhancements
General DSEE enhancements include the following:
- Web-based administration interface (Directory Service Control Center). The DSCC provides a graphical user interface for managing individual Directory Server and Directory Proxy Server instances, as well as groups of servers. The DSCC therefore enables a unified view of an entire directory service topology.
- Global account lockout. You can configure global account lockout for a directory service topology so that a user account is locked, due to consecutive failures to bind, across the entire collection of servers.
New Features in Directory Server 6.0
Directory Server 6.0 includes the following new features
and enhancements:
- Service manageability command-line tools. Directory Server includes new tools to facilitate command-line management of the server.
- Replication enhancements. These enhancements include: no fixed limit to the number of replication masters, the ability to prioritize replication, a global retro changelog, replicated account lockout data, fast replication restart for recovery (minutes or less), and a fast count of pending replication changes so that you can get accurate status on replication convergence.
- Security enhancements. These enhancements include: additional connection-based access control files, rejection of binds with no password, forced password change after reset, multiple directory superusers, changes to passwords using the LDAP Password Modify Extended Operation specified in RFC 3062, last login time tracking, enhanced auditing for updates performed using proxy authorization, and improved ACI processing performance.
- Enhanced password policy. The new password policy provides a grace login limit, safe password modifications, as well as two new controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain account status information on LDAP add, delete, modrdn, compare, and search operations. The password policy can now be applied to proxy authentication to prevent client operations when an account is locked.
- New operational attribute for group membership. Entries that are members of static groups now have the operational attribute isMemberOf, which holds the DNs of the static groups to which the members belong.
- Enhancements to static group management. These enhancements include performance improvements for large, multi-valued attributes and membership testing for group entries.
- More configuration changes while the server is online. You can change the configuration of suffixes, indexes, schema, and the replication topology while the server is running.
- Attribute syntax validation on update. When syntax checking is on, all import and update operations are checked to ensure that updated attributes adhere to the syntax definitions.
- Threshold on heap memory. When the threshold is reached, Directory Server attempts to free memory from the entry caches.
- Frozen mode for database backup. You can stop database updates on disk so that a file system snapshot can be taken safely.
- Log management improvements. This version of Directory Server brings improvements to time-based log rotation, rotate-now functionality for access, error, and audit logs, and configurable permissions for log files. It also provides more flexible logging of users involved in proxy authorization.
- Fine-grained all IDs threshold configuration. You can configure the all IDs threshold individually for each index, saving you disk space.
- Plug-in call ordering. For further information, see Ordering Plug-In Calls in Sun Java System Directory Server Enterprise Edition 6.0 Developer’s Guide.
- SNMP monitoring support. Directory Server now supports the Mail and Directory Management Information Base (MADMAN MIB) for use with Simple Network Management Protocol (SNMP) monitoring agents as described in RFC 2605.
- Monitoring using the Sun Java Enterprise System Monitoring Console. Directory Server supports the use of the Monitoring Console to view monitored data and to produce threshold alarms.
- LDAP utilities and character sets for passwords. The LDAP command-line utilities now convert passwords entered on the command line to UTF-8 by default.
  In LDAP, userPassword values are binary. The server therefore sees a password as a string of bytes, which is often not the way that the user sees a password. By converting passwords that a user enters to UTF-8, the utilities make it possible for passwords entered on one system to be entered on another system.
- More LDAP controls and extended operations. Directory Server now supports additional LDAP controls and extended operations.
  For a complete list of LDAP controls, see the controls(5dsconf) man page.
  For a complete list of extended operations, see the extended-operations(5dsconf) man page.
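The effect of the UTF-8 password conversion described in the list above, modeled as an added example that is not code from Directory Server or its utilities. The salted SHA-256 store, the function names, and the sample passwords are assumptions made for illustration; the point is only that the server compares bytes, not characters.

```python
import hashlib
import hmac
import os

def terminal_bytes(password: str, locale_charset: str) -> bytes:
    """Bytes that a terminal in the given locale hands to the utility."""
    return password.encode(locale_charset)

def wire_value(raw: bytes, locale_charset: str, convert_to_utf8: bool) -> bytes:
    """Bytes the utility sends as the password value."""
    if not convert_to_utf8:
        return raw  # locale bytes passed through unchanged
    return raw.decode(locale_charset).encode("utf-8")

def store(value: bytes) -> tuple[bytes, bytes]:
    """Hypothetical server-side store: salt plus digest of the raw bytes."""
    salt = os.urandom(8)
    return salt, hashlib.sha256(salt + value).digest()

def verify(stored: tuple[bytes, bytes], value: bytes) -> bool:
    """Byte-for-byte check; the server has no notion of characters here."""
    salt, digest = stored
    return hmac.compare_digest(digest, hashlib.sha256(salt + value).digest())

def bind_across_systems(password: str, set_charset: str,
                        bind_charset: str, convert: bool) -> bool:
    """Set the password on one system, then bind with it from another."""
    set_bytes = wire_value(terminal_bytes(password, set_charset),
                           set_charset, convert)
    bind_bytes = wire_value(terminal_bytes(password, bind_charset),
                            bind_charset, convert)
    return verify(store(set_bytes), bind_bytes)

if __name__ == "__main__":
    # Constructed sample passwords: one ASCII-only, one with non-ASCII letters.
    for pw in ("secret12", "p\u00e4ssw\u00f6rd"):
        for convert in (False, True):
            ok = bind_across_systems(pw, "iso-8859-1", "utf-8", convert)
            state = "succeeds" if ok else "fails"
            print(f"{pw!r} convert_to_utf8={convert}: bind {state}")
```

ASCII-only passwords are unaffected either way, which is why this class of bind failure tends to surface only for users with non-ASCII characters in their passwords.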
New Features in Directory Proxy Server 6.0
Directory Proxy Server 6.0 includes the following new features
and enhancements:
- Virtual directory. The virtual directory enables you to define how data is displayed to LDAP client applications, define virtual domains that aggregate data from multiple data sources, map attribute names and values to suit LDAP applications and multiple disparate data sources, access data repositories that are compliant with the JDBC™ technology, and access flat LDAP Data Interchange Format (LDIF) file resources.
- New, richer architecture. To make new functionality possible, the Directory Proxy Server architecture has changed significantly.
- Directory data distribution. You can distribute directory data using the proxy, enabling much higher scalability for write operations.
- Operation-based routing. Directory Proxy Server can route different LDAP operations on the same client connection to different servers and enable successive requests on the same client connection to be sent to the same LDAP servers.
- Full command-line and web-based administrative capabilities. Directory Proxy Server now provides complete administrative capabilities both on the command line and through the Directory Service Control Center.
- Administrative alerts. You can configure what Directory Proxy Server does when an alert occurs, such as sending email or running a script.
  For further information, see Chapter 28, Directory Proxy Server Monitoring and Alerts, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.
- DN and attribute rewriting. You can configure Directory Proxy Server to automatically modify the DN, attribute types, and attribute values of entries such that a client application view of an entry can be significantly different from what is stored in the directory.
- Fewer server restarts. Directory Proxy Server now requires fewer configuration-related restarts than ever before, making it easier to respond automatically to the need for changes in how the server behaves.
- Logging aligned with Directory Server. Directory Proxy Server log files now fit more effectively with those of Directory Server. Their formats are very similar, and they allow you to trace requests through Directory Proxy Server to Directory Server and back to client applications.
- Improved resource management. Directory Proxy Server now pools connections to data sources such as Directory Server and can use proxy authentication to further reduce resources used to establish connections, and to authenticate repeatedly.
- Schema management. Directory Proxy Server generates a single schema from multiple heterogeneous data sources, performs schema checking, and performs attribute value syntax checking.
- Access controls. Directory Proxy Server supports access control instructions (ACIs) that determine which permissions are granted to users.
New Features in Identity Synchronization for Windows
Identity Synchronization for Windows includes the following new features and enhancements:
- Group synchronization with Active Directory. Identity synchronization between Directory Server and Active Directory is simplified because you can map a group on Directory Server to Microsoft Active Directory domain global distribution groups and domain global security groups.
- Failover support for multiple master replicas. For more information about failover support, see Appendix E, Identity Synchronization for Windows Installation Notes for Replicated Environments, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.
- Account lockout synchronization with Active Directory. Identity Synchronization for Windows synchronizes account lockout information between Directory Server and Active Directory, improving security coherency between the two directories.
- No need for a local Directory Server. A Directory Server instance does not need to be installed on the system that is running Identity Synchronization for Windows. When the installer does not find a local Administration Server, the installer adds the Administration Server at the specified server root location, so you do not have to install the Directory Server software.
- Integrated Directory Server Plug-in. The Identity Synchronization for Windows plug-in for Directory Server is now installed with Directory Server rather than Identity Synchronization for Windows. The installer provides an option to configure the plug-in while installing the Directory Server Connector. The same option is available through the command line interface.
- Support for Red Hat Linux. Identity Synchronization for Windows now supports Red Hat Linux.