Authentication Service and Privilege Elevation Service 6.1.1 Release Notes (Server Suite 2024.1)

Release Date: November 20, 2024

The Authentication and Privilege Elevation release notes describe changes to the following feature areas:

  • Access Manager
  • Access Module for PowerShell
  • Active Directory environment
  • ADedit
  • Agent for Windows
  • Application Manager
  • Audit Trail Events
  • Compatibility with third party products
  • Configuration parameters
  • Desktop with elevated privileges
  • DirectControl Agent for *NIX
  • DirectControl Command Line Utilities
  • Endpoint enrollment
  • Group Policy Management
  • Licensing Service
  • Network manager
  • NIS
  • OpenLDAP Proxy
  • OpenSSH
  • Report Services
  • Roles and rights
  • RunAsRole
  • Smart Card
  • Windows configuration and environment
  • Windows installation
  • Windows Installer
  • Windows SDK
  • Zone Provisioning Agent

Be sure to also review the Authentication Service and Privilege Elevation Service Limitations that apply to multiple releases.

Changes in Release 2024.1.3 Rolling Update (2024.1.3 / April 2025)

  • DirectControl and DirectAudit are now supported on AlmaLinux 9.5, Oracle Linux 9.5, Red Hat Enterprise Linux 9.5, and Rocky Linux 9.5. (635861)

  • Server Suite OpenSSH fix: Patched Server Suite OpenSSH 9.9p1 with the fixes for CVE-2025-26466 and CVE-2025-26465 (635863).

  • DirectControl ldapproxy fixes:

    • Fixed an issue where slapd fails to properly handle non-zone searches for AD Groups. (635859)

    • Fixed an invalid access to freed memory that might have caused a core dump in slapd. (635860)

    • Fixed a double-free issue with ldapSearchHandle that may cause a core dump in slapd. (637740)

Changes in Release 2024.1.2 Rolling Update (2024.1.2 / March 2025)

  • Server Suite agents now support the new MFA mechanism 'Device Code'. (622010)

  • Fixed an issue where the Windows agent was not routing login requests to the correct callback when the AlwaysPermitLsaLogin setting was enabled. (635862)

  • Fixed install.sh so that it now passes the --dns_cache option in bundle mode (620621).

Changes in Release 2024.1 Rolling Update (2024.1.1 / December 2024)

  • Added a new parameter adclient.set.cpus that specifies whether adclient will inherit the CPU affinity from its parent process (for example, init or systemd). (614554) 

  • Changed the default value of the configuration parameter dzdo.timestamp_timeout to 0. (611784)

  • Fixed an issue where MFA doesn't work with automatically-generated IWA connector host certificates. (613952)

  • Fixed the backward compatibility of install.sh so that it can recognize package files from previous releases. (609325)

New Features

This section describes new features included in this release.

General

  • DirectControl now supports IPv6 (only on Linux), and it can be controlled by enable.ipv6, which is false by default. (590118)

Server Suite Agent for Windows

  • The agent installer no longer needs to perform a preflight check/warning for services using UPN service account names. (584844)

Server Suite DirectControl Agent for *NIX

  • Password hashing now uses PBKDF2 as the default algorithm, enhancing security by making brute-force attacks more difficult. (569145)

Configuration Parameters

  • A new parameter lam.attributes.security has been added for the AIX platform. When the parameter is set to 'true', a normal user will only get the non-security attributes (for example, id, home) from the AD user or group using the lsuser command. This parameter is disabled by default. (568406)

  • Added a new parameter adclient.use.cpus where you can specify a list of processor IDs for adclient to use. (601724)

Server Suite Report Services

  • Edge browser can be launched to display reports. (557464)

Improvements

This section provides an overview of the product improvements in this release.

Server Suite OpenLDAP Proxy

  • Upgraded OpenLDAP to 2.5.18. (551470)

Server Suite cURL

  • Upgraded cURL to v8.10.1. (578102)

Server Suite OpenSSH

  • Upgraded OpenSSH to 9.9p1. (582253)

Server Suite OpenSSL

  • Upgraded OpenSSL to 3.3.2. (578099)

Server Suite DirectControl Agent for *NIX

  • Server Suite package installation fails when required Perl modules are missing. (575825)

  • Removed chkconfig dependency for RPM package. (575828)

  • Removed chkconfig dependency check for adcheck. (575828)

  • Exposed the configuration item adclient.unix.user.name.validity.check which determines whether adclient will check and ignore Unix usernames that do not conform to standard Unix naming conventions. (578413)

  • The libstdc++6 library is no longer shipped in our Red Hat and Debian x86_64 packages. Instead, libstdc++6 is now a dependency for the packages. (587687)

  • Improved krb5.conf [domain_realm] section update logic. (603090)

DirectControl Command Line Utilities

  • Added new options -s and -g for adflush to force adclient to switch its domain controller and global catalog connection to the specified server respectively. (580129)

Fixed Issues

This section lists notable issues that have been fixed in this release.

Server Suite DirectControl Agent for *NIX

  • Fixed the issue where some compressed log files were missing during the collection of support information. (578070)

DirectControl Command Line Utilities

  • Resolved a minor issue where the principal_to_dn ADEdit function failed to correctly process userPrincipalName or samAccountName values that contain the special @ character in the name part. (589601)

  • Resolved a minor issue where the ADEdit script adsyncignore failed to retrieve all effective zone users and groups due to inconsistencies in the host's FQDN and domain name. (590463)

  • Fixed an issue where sctool -D crashed if the public key in the certificate was not of RSA type. (604819)

  • Fixed an issue where sctool -D showed the expiration datetime of the certificate incorrectly. (604881)

Server Suite OpenLDAP Proxy

  • Fixed an issue where ldapsearch could not get shadow attributes when ldapproxy cache was enabled. (599691)

Known Issues

This section lists notable issues that have been found in this release. For known issues related to multiple releases, see Authentication Service and Privilege Elevation Service Limitations.

  • Custom adclient.use.cpu settings will be lost when you reinstall the release 2024 package. (610805)

  • On Alpine Linux 3.19 and later systems, upgrading to 2024.1 may fail. The workaround is to uninstall the older version (or just leave the domain) before installing release 2024.1. For more information, please see this KB article (611443).
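
An added example, not vendor code: a pre/post-upgrade comparison for the configuration parameters these notes mention. It flags custom settings lost on reinstall (610805) and unset parameters that now follow a default stated in these notes, such as dzdo.timestamp_timeout = 0 (611784). It assumes centrifydc.conf holds `name: value` lines with `#` comments; the helper names and the sample snapshots are constructed for illustration.

```python
# Added example: diff centrifydc.conf snapshots taken before and after an upgrade.
# Assumption: the file holds "name: value" lines and "#" comments.

# Parameters named in these release notes. A default is recorded only where the
# notes state one; None means the notes give no default value.
WATCHED = {
    "dzdo.timestamp_timeout": "0",    # default changed to 0 (611784)
    "enable.ipv6": "false",           # false by default (590118)
    "adclient.use.cpus": None,        # new parameter (601724)
    "adclient.use.cpu": None,         # spelling used in known issue 610805
    "adclient.set.cpus": None,        # new parameter (614554)
    "lam.attributes.security": None,  # AIX only (568406)
}

def parse_conf(text):
    """Return {name: value} for every non-comment 'name: value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        settings[name.strip()] = value.strip()
    return settings

def upgrade_drift(before_text, after_text):
    """List (parameter, status, old, new) for settings an admin should review."""
    before, after = parse_conf(before_text), parse_conf(after_text)
    findings = []
    for name, default in WATCHED.items():
        old, new = before.get(name), after.get(name)
        if old is not None and new is None:
            findings.append((name, "lost", old, default))      # custom value gone
        elif old != new:
            findings.append((name, "changed", old, new))
        elif new is None and default is not None:
            findings.append((name, "default", None, default))  # unset: default applies
    return findings

# Constructed snapshots (values are illustrative, not from a real host).
BEFORE = """# before upgrade
enable.ipv6: true
adclient.use.cpus: 0,1
"""
AFTER = """# after reinstall
enable.ipv6: true
"""

if __name__ == "__main__":
    for finding in upgrade_drift(BEFORE, AFTER):
        print(finding)
```

Snapshot the configuration before reinstalling so that "lost" entries can be restored from the recorded old value.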

Version Information

This section covers version information that pertains to this release. The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.

Compatibility

If you upgrade the Server Suite DirectControl Agent to 2024.1, you need to upgrade Server Suite OpenSSH to 2024 or later.