AD Bridge 24.2 release notes
November 21, 2024
- Agent: 24.2.0.745
- Windows: 24.2.0.25
Note
For installation requirements, see the following:
- For the agent, see Install Requirements for the Agent.
- For the management console, see Requirements to Use AD Bridge with Active Directory.
- For a list of supported platforms for the latest version of AD Bridge, see the Supported Platforms Guide.
- Supported Platforms Guides for previous versions of AD Bridge can be found in the AD Bridge Documentation Archive.
New features and enhancements:
- DButilities can now send events directly to ElasticSearch without configuring SQL server.
- A new event is sent when only ElasticSearch is set up as a data endpoint. This can be used to get a report in ElasticSearch on the health of the collection server.
  - You can see the event by filtering for:
    - statusevent.CollectionServer : COLLECTORNAME
- There is a new option to configure the local parameters when SQL is not available. The Set Local Parameters option is now available on the Reporting Database Connection Manager and allows the configuration of the ElasticSearch event batch size. If SQL or BI (or a combination of both) is enabled, the Set Local Parameters option is disabled and this setting comes from SQL.
- The bundled ldapsearch utility has been modified to use Kerberos.
  - Active Directory users can use any of the new binaries without providing a username or password.
- A version of ldapmodify, ldapcompare, ldapdelete and ldapwhoami is now bundled. These are additional binaries provided in /opt/pbis/bin.
LDAPS support in ldapsearch:
To use TLS with the ldap binaries:
- Trusted cert and client cert
  - We recommend configuring these for the account in an ldaprc file. See ldap.conf(5).
  - Both TLS_CACERT and TLS_CERT are required.
- Provide the mode and port with -H
  - -H ldaps://server.domain.com:636
- -x is needed for simple authentication, as GSS will not work with TLS.
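A pre-flight check for the LDAPS requirements above, as an added example that is not part of the release notes or of AD Bridge itself. The function names and the sample file names are assumptions; the /opt/pbis/bin path, the two ldaprc options and the -x and -H flags come from the notes.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): pre-flight check for LDAPS settings.

# Print the value of OPTION from an ldaprc-style FILE. Option names are
# matched case-insensitively, comment lines are skipped, and if the option
# appears more than once this helper reports the last occurrence.
ldaprc_get() {  # usage: ldaprc_get FILE OPTION
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(key) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (val != "") print val }' "$1"
}

# Return 0 only when TLS_CACERT and TLS_CERT are both set and both point at
# readable files. Each problem is reported on stderr.
check_ldaprc() {  # usage: check_ldaprc FILE
    rc_file=$1
    status=0
    [ -r "$rc_file" ] || { echo "cannot read $rc_file" >&2; return 2; }
    for opt in TLS_CACERT TLS_CERT; do
        path=$(ldaprc_get "$rc_file" "$opt")
        if [ -z "$path" ]; then
            echo "$opt is not set in $rc_file" >&2; status=1
        elif [ ! -r "$path" ]; then
            echo "$opt points at an unreadable file: $path" >&2; status=1
        fi
    done
    return "$status"
}

# Print the LDAPS invocation: -H carries the scheme and port, and -x selects
# simple authentication because GSS does not work with TLS.
ldaps_search_cmd() {  # usage: ldaps_search_cmd SERVER [PORT]
    printf '%s -x -H ldaps://%s:%s\n' /opt/pbis/bin/ldapsearch "$1" "${2:-636}"
}

# Constructed demo: a throwaway ldaprc with placeholder certificate files.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/ca.pem"; : > "$dir/client.pem"
    printf '# constructed sample\nTLS_CACERT %s/ca.pem\ntls_cert %s/client.pem\n' \
        "$dir" "$dir" > "$dir/ldaprc"
    check_ldaprc "$dir/ldaprc" && ldaps_search_cmd server.domain.com
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo
```

Running the check against the account's own ldaprc before the first LDAPS query separates a missing or unreadable certificate path from a server-side TLS failure.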
Before this release, AD Bridge modified the system files (/etc/ssh/sshd_config) directly after taking a backup. AD Bridge now copies the configuration into the subdirectory /etc/ssh/sshd_config.d/ so that the system files are not touched.
- Disabling ssh module restores main file and sub folder files
- On upgrade sshd_config settings use 30-ADBridge* files.
- New SSH files work with testprefix.
- Configure ssh with ADBridge files in /etc/ssh/sshd_config.d/
- If files are found in sshd_config.d the system files are no longer modified.
- Files are copied from /opt/pbis/share
- There is a common file, 30-ADBridge.conf, and 2 more depending on gssapi preferences.
If the module is not configured before AD Bridge is upgraded, it should not be enabled after the upgrade.
- domainjoin-cli join --ignore MODULE removes the entry from domainjoin.cfg
- Added a note about the module configuration being saved.
- Detect and save if SSH was enabled on versions before 24.2
- Detect and save if nsswitch was enabled on versions before 24.2
- Detect and save if pam was enabled on versions before 24.2
- Save module options on domainjoin to /var/lib/pbis/domainjoin.cfg
- Retain nogssapi on upgrade
- Do not enable a module on upgrade if it is not configured.
- Multiple nic with DHCP support with Network Manager
- Support pam_aucore file paths
- gdm pam files on RHEL9 platforms are now supported.
- Update hostname in Network Manager for DHCP interfaces
- The Status page in the BeyondTrust Management Console now displays the number of RIDs currently in use.
Issues resolved
Product Area | Description | Resolution |
---|---|---|
Agent | /etc/hosts not restored on uninstall | /etc/hosts is now restored on uninstall. |
Agent | SLES: Remove the pam-config common-xxxx-pc symlinks on initial pam modification | The pam-config common-xxxx-pc symlinks are now removed on initial pam modification. Breaking the symlink avoids issues with pam-config modifying the file and our changes being lost. |
Agent | Do not update login.def if LOG_OK_LOGINS is mentioned in a comment | If LOG_OK_LOGINS is mentioned only in a comment, login.def is not updated. |
Agent | Uninstall purge does not remove all .orig files | Uninstall purge now removes all .orig files |
Agent | package /opt/pbis/libexec/lwma not included in the installer | lwma is now included in the installer. |
Agent | domainjoin-cli leave --disable ssh will not allow systems without a sshd binary to leave the domain | domainjoin-cli leave --disable ssh now allows systems without a sshd binary to leave the domain. |
Agent | Support pam_aucore file paths | pam_aucore file paths are now supported when configuring the pam module. |
Agent | Postinstall script error when installing/uninstalling many times | Resolved the issue that caused a postinstall script error when installing/uninstalling many times. |
Agent | Amazon 2023 bad command on domain join | Resolved Amazon 2023 bad command on domain join |
Agent | Sles15-sp5: resumable error occurred while processing a module | Resolved the issue with Sles15-sp5 that caused a resumable error while processing a module. |
Agent | AIX: SYSTEM entry is missing 'LSASS' on the upgrade install | Resolved an issue for AIX where SYSTEM entry was missing 'LSASS' on the upgrade install. |
Agent | Backup/Restore login.def | ADBridge now has backup/restore support for login.def |
Agent | RHEL 8: Resumable error occurred while processing PAM module | Resolved an issue on RHEL 8 where a resumable error occurred while processing PAM module. |
Agent | uninstall purge leaves /etc/rsyslog.conf still configured | Uninstall purge no longer leaves /etc/rsyslog.conf still configured. |
Agent | RHEL 8/9: PAM module cannot be configured for the smartcard-auth service | On RHEL 8/9, PAM module can now be configured for the smartcard-auth service. |
Agent | Ignore options are not listed in domainjoin-cli help and man pages | Ignore options are now listed in domainjoin-cli help and man pages. |
pbis-support.pl | pbis-support.pl: collect domainjoin.cfg | Running pbis-support.pl now collects the domainjoin.cfg file. |
pbis-support.pl | /opt/pbis/libexec/offline-join.pl --help continues on to execute script | /opt/pbis/libexec/offline-join.pl --help no longer continues on to execute script |
pbis-support.pl | Add loglevel to the help output for offline domainjoin script | Loglevel has been added to the help output for offline domainjoin scripts. |
pbis-support.pl | pbis-support: Collect authselect files | Support pack now collects and packages the authselect files. |
pbis-support.pl | pbis-support: Error adding /var/lib/pbis/grouppolicy to the tar file on AIX/Solarisx86/Sparc | Resolved issue with pbis-support package when adding /var/lib/pbis/grouppolicy to the tar file on AIX/Solarisx86/Sparc. |
pbis-support.pl | pbis-support: domainjoin-cli logs not captured on AIX/Solarisx86/Sparc | pbis-support package domainjoin-cli logs are now captured on AIX/Solarisx86/Sparc. |
Windows | DI Mode Cell Convertor fails to launch | Resolved an issue where DI Mode Cell Convertor would fail to launch. |
Windows | Increase Reaper maximum record ID in the database to 2,147,483,647 | Increased Reaper maximum record ID in the database to 2,147,483,647. |
Windows | DisableGIDValidation not working on groups in Cell Manager | DisableGIDValidation now working on groups in Cell Manager |
Windows | DisableGIDValidation not working for default cell | DisableGIDValidation now working for default cell |
Windows | DBReaper: Duplicate Usermonitor records break event processing | Resolved the issue where duplicate usermonitor records broke DBReaper event processing. |
Windows | Unhandled exception when clicking a utility that isn't installed through Config Wizard | Resolved the issue with an unhandled exception that happened when clicking a utility that was not installed through Config Wizard. |
Windows | Bad audit records break the DBReaper | Resolved the issue where bad audit records broke the DBReaper. |
Windows | DBReaper fails with database larger than 2GB | DBReaper no longer fails with a database larger than 2GB. |