Release Notes
Version 7.0.2
The following changes were made between the 7.0.1 and 7.0.2 releases:
-
Added support for using the 2.x version of the Bouncy Castle FIPS-compliant
security provider, which offers support for FIPS 140-3 compliance. Previously,
the LDAP SDK only supported the 1.x version of the library, which offers FIPS
140-2 compliance. The necessary jar files must already be in the CLASSPATH.
-
Added a new PropertyManager class that can be used to retrieve the values of
system properties or environment variables, optionally parsing the values as
Booleans, numbers, or comma-delimited lists. Most uses of system properties
within the LDAP SDK have been updated to use the PropertyManager, so those
properties can now be set as environment variables as an alternative to Java
system properties.
-
Fixed a bug in the SSLUtil.certificateToString method that prevented it from
including notBefore and notAfter timestamp values in the resulting string
representation of the provided certificate.
-
Updated client-side support for the Ping Identity Directory Server's get subtree
accessibility and set subtree accessibility extended operations to include a new
to-be-deleted accessibility state.
-
Updated the MoveSubtree utility class to provide an option to use the new
to-be-deleted subtree accessibility state when removing entries from the source
server.
-
Added a SubtreeAccessibilityState.isMoreRestrictiveThan method that can be used
to determine whether one state is more restrictive than another.
-
Updated the documentation to include the latest revisions of
draft-coretta-ldap-subnf-01, draft-coretta-oiddir-radit,
draft-coretta-oiddir-radsa, draft-coretta-oiddir-radua,
draft-coretta-oiddir-roadmap, and draft-coretta-oiddir-schema in the set of
LDAP-related specifications.
Version 7.0.1
The following changes were made between the 7.0.0 and 7.0.1 releases:
-
Added a new LDAP connection pool health check that can be used to replace
connections that have remained idle for longer than a specified length of time.
This is primarily useful in cases where the associated directory servers (or
intermediate networking equipment) may terminate connections that have remained
idle for too long. Note that in connection pools that may contain connections
across multiple servers, you should probably set a maximum connection age for the
pool rather than using this health check, as this will better allow the pool to
return to a balanced state more quickly after a failure has caused connections to
migrate away from one or more servers. Also note that health checks that attempt
to actually communicate with the associated server over LDAP may be preferred
over this health check because not only will they do a better job of ensuring
that connections are actually usable, but the communication that they perform
will also prevent the connections from being seen as idle.
-
Updated the in-memory directory server to improve its concurrency when performing
operations that don't need to make changes to the data.
-
Added createSubstringAssertion methods to the filter class, which make it easier
to construct the string representation of a substring assertion with a given
combination of subInitial, subAny, and/or subFinal elements. This can be helpful
for creating the assertion value for an extensible matching filter for use with a
substring matching rule.
-
Updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it
possible to use alternative security providers when accessing key store files. It
is also possible to indicate whether non-FIPS 140-2-compliant key stores may be
accessed in applications running in FIPS-compliant mode.
-
Fixed an issue in which the parallel-update tool would buffer data written to the
reject file. This could prevent information from appearing in that file until
enough reject records were written to cause the buffer to be flushed to disk, or
until the tool completed its processing.
-
Fixed a manage-certificates issue that could arise in cases where it is invoked
programmatically in cases in which an application is using the LDAP SDK in FIPS
140-2-compliant mode and the tool needs to try to locate an issuer certificate in
the JVM's default trust store.
-
Added client-side support for a new verify password extended request that may be
used in the Ping Identity Directory Server to determine whether a provided
password is correct for a given user without performing any other password policy
processing. This extended operation may only be used under a limited set of
circumstances.
-
Updated the command-line tool framework to make it possible to include arguments
that allow the tool to generate a log file containing any debug messages
generated while the tool was running. The new --helpDebug argument can be used to
obtain usage information for arguments related to debug logging in any tools that
support it. All of the tools included with the LDAP SDK have been updated to
provide support for debug logging.
-
Updated the debug logging framework to make it possible to format debug messages
as multi-line strings. Debug messages will be generated as JSON objects, but
they use a single-line string representation by default. It is now possible to
generate those messages as multi-line strings, which may be easier for humans to
read, but may be more difficult for some applications to parse.
-
Added a StaticUtils.setSystemPropertyIfNotAlreadyDefined method that can be used
to set the value of a system property, but only if that property is not already
set. If the property already has a value, then the existing value will be
retained regardless of whether it is the same as or different from the provided
value.
-
Updated the OID registry to include records for a number of collation matching
rules.
Version 7.0.0
The following changes were made between the 6.0.11 and 7.0.0 releases:
-
Updated the LDAP SDK to require Java SE 8 or later. As of the 7.0.0 release,
Java 7 is no longer supported.
-
Updated the LDAPConnectionPool behavior in the case that an attempt to check out
a connection from the pool first encounters an existing connection that is deemed
not valid by the configured health check. Previously, it would close that
connection as defunct and try to create a new connection to replace it, but if
that attempt was successful, the newly created connection would be added to the
end of the pool's set of potentially available connections, and it would continue
iterating through the set of connections to try to find one that is valid. Now,
if the pool is able to successfully create a new connection to replace the
existing defunct connection, it will immediately return that new connection
without checking any of the other existing connections. This should
substantially improve performance in the case that the pool has several
connections that are already established but have become invalid for some reason
in a way that does not prevent successfully establishing new connections.
-
Added a compare-ldap-schemas command-line tool that can be used to identify
differences between the schemas of two LDAP servers.
-
Added the ability to reuse automatically generated JAAS configuration files if
possible when attempting a SASL GSSAPI bind. Previously, if the caller didn't
explicitly provide a JAAS config file, the LDAP SDK would generate one based on
the provided bind request properties. It would do this for every GSSAPI bind
attempt, even if they all used the same properties, which means that it could
generate many copies of the same JAAS config file, which could unnecessarily
waste disk space and memory. It will now detect when a bind request would use a
JAAS configuration that matches one that has already been generated, and will
reuse the previously generated file rather than creating a new one.
-
Added client-side support for the LDAP relax rules request control as defined in
draft-zeilenga-ldap-relax-03. Note that this support is currently classified as
experimental because this most recent version of the Internet Draft (which
expired in 2008 without being renewed or standardized as an RFC) does not specify
an official OID for the control. However, some servers (including OpenLDAP and
ForgeRock Directory Services) appear to have implemented support for the control
with an OID of 1.3.6.1.4.1.4203.666.5.12, and that is the OID used in this
implementation.
-
Added client-side support for the transaction ID request control as used in the
ForgeRock Directory Server. This control may be included in an operation request
to provide a transaction ID that will appear in the access log message for that
operation.
-
Added client-side support for the replication repair request control as used in
the ForgeRock Directory Server. This control may be included in an add, delete,
modify, or modify DN request to indicate that the associated change should only
be processed in the local server and not replicated to other servers in the
topology. It is primarily intended for use in manually resolving replication
conflicts and other replication-related issues.
-
Added client-side support for the change sequence number request and response
controls as used in the ForgeRock Directory Server. The request control may be
included in an add, delete, modify, or modify DN request to indicate that the
server should return a corresponding response control containing the replication
change sequence number (CSN) that the server has assigned to that operation.
-
Added client-side support for the affinity request control as used in the
ForgeRock Directory Proxy Server, which allows explicitly routing multiple
related requests to the same backend server.
-
Added a new "lockdown mode" LDAP connection pool health check that can be used to
determine whether a Ping Identity Directory Server instance is currently in
lockdown mode.
-
Added a new "active alerts" LDAP connection pool health check that can retrieve
the set of active alert types from a Ping Identity Directory Server instance to
determine whether the server considers itself to be in a degraded or unavailable
state. You can configure it to only care about unavailable alert types, or to
ignore a specific set of degraded or unavailable alert types.
-
Added a new "replication backlog" LDAP connection pool health check that can be
used to evaluate a Ping Identity Directory Server instance based on the number or
age of changes that have been made in other replicas but have not yet been applied
in the local server.
-
Updated support for the replica monitor entry in the Ping Identity Directory
Server to include support for a number of additional attributes.
-
Updated the CryptoHelper class to add convenience methods for generating
cryptographic message digests from byte arrays, strings, and files. Specific
methods are provided for the SHA-256, SHA-384, and SHA-512 digest algorithms, as
well as more general methods in which you must specify the desired algorithm.
-
Added methods for normalizing JSON values and JSON object filters.
-
Updated the BouncyCastleFIPSHelper class to add a constant with the name of a
system property that can be used to enable support for the MD5 digest algorithm
if necessary.
-
Updated the documentation to include the latest revisions of
draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis,
draft-melnikov-scram-sha-512, and draft-melnikov-scram-sha3-512 in the set of
LDAP-related specifications.
-
Updated the documentation to include draft-coretta-oiddir-radit,
draft-coretta-oiddir-radsa, draft-coretta-oiddir-radua,
draft-coretta-oiddir-roadmap, and draft-coretta-oiddir-schema in the set of
LDAP-related specifications.
Version 6.0.11
The following changes were made between the 6.0.10 and 6.0.11 releases:
-
Note that this is the last release that will support Java 7. The next release
(expected to have a version number of 7.0.0) will only support Java 8 and later.
-
Updated the ldapsearch and ldapmodify command-line tools to provide better
validation for the value of the --proxyAs argument. The tools will now reject
attempts to use the argument with a value that doesn't start with either "dn:" or
"u:", and they will also reject attempts to use a value that starts with "dn:"
but is not followed by a valid LDAP DN.
-
Updated the Filter methods for creating substring filters to better support empty
components. In LDAP filters, filters are transmitted using a binary encoding,
and substring components may be absent but not empty. However, because
developers creating LDAP-enabled applications are more likely to be familiar with
the string representations of filters, it is understandable if someone were to
try to provide an empty string instead of null to indicate that the component is
not needed. The methods for creating substring filters will now interpret empty
components as equivalent to being null, causing them to be omitted from the
resulting encoded LDAP filter.
-
Updated the logic that the LDAP SDK uses in the in-memory directory server and
the ldifsearch tool to pare matching entries based on a set of requested
attributes in the in-memory. If an entry included an attribute with an invalid
name, then the logic used to parse an attribute description into the base
attribute type name and a set of attribute options would result in a null pointer
exception. It now uses more lenient logic for parsing attribute descriptions,
and it can handle malformed attribute descriptions in a more graceful manner.
-
Updated the TimestampArgument class to allow it to accept timestamps in the ISO
8601 format described in RFC 3339.
-
Updated the JSONBuffer class to add an appendField method that can be used for a
field object that already encapsulates a name and value.
-
Added new BinarySizeUnit and DecimalSizeUnit enums that can be used when working
with data sizes in a variety of units, including bytes, kilobytes, megabytes,
gigabytes, terabytes, petabytes, exabytes, zettabytes, and yottabytes. These
enums provide methods for determining the number of bytes in a specified number
of instances of the given unit, determining the number of instances of a unit
represented by a given number of bytes, and generating a human-readable string
representation of a given number of bytes using the unit deemed most appropriate.
The BinarySizeUnit enum assumes that each unit is 1024 times larger than the next
smaller unit (e.g., so one kilobyte is 1024 bytes, one megabyte is 1024
kilobytes, etc.), while the DecimalSizeUnit enum assumes that each unit is 1000
times larger than the next smaller unit (e.g., so one kilobyte is 1000 bytes, one
megabyte is 1000 kilobytes, etc.).
-
Updated client-side support for the LDIF export administrative task in the Ping
Identity Directory Server to allow requesting that the server invoke one or more
post-LDIF-export task processors after the data is successfully exported.
Version 6.0.10
The following changes were made between the 6.0.9 and 6.0.10 releases:
-
Added a new ReusableRefeerralConnector interface that can be used to provide a
way of following referrals using a mechanism that doesn't automatically close
connections after they are used. This allows for the possibility that
connections created for the purpose of following referrals could be used for
multiple referrals, rather than always closing them after their first use as was
previously the case. Also, added a new PooledReferralConnector implementation
that uses connection pools to maintain connections for following referrals.
-
Fixed an issue in which parallel-update did not properly handle multiple
concurrent attempts to write to the reject file, which could cause its contents
to be unparseable or otherwise incorrect.
-
Updated the PLAINBindRequest class to add an encodeCredentials method that can be
used to retrieve a properly encoded representation of the SASL credentials for a
PLAIN bind request with the given authentication ID, authorization ID, and
password.
-
Updated the JSONNumber class to add getValueAsInteger and getValueAsLong methods
that will return the value of the number as an Integer or Long, respectively, but
only if it can do so losslessly. These methods will return null if the value has
a fractional component or if it is outside the range of the associated data type.
-
Updated the JSONNumber class to add a getValueAsDouble method that will return
the value of the number as a double. This method will never return null,
although the value that is returned may have less precision than the internal
BigDecimal value, or it may be converted to positive or negative infinity if the
BigDecimal value is outside the range that can be represented by a double.
-
Added a StaticUtils.getBacktrace method that can be used to retrieve a compact
single-line string representation of a stack trace of the code from which the
method was called.
-
Added client-side support for the access log field request control that can be
used in an upcoming version of the Ping Identity Directory Server to include a
specified set of additional fields in the access log message for the associated
operation. Also, updated the ldapsearch and ldapmodify tools to add support for
an --accessLogField argument that can be used to include the access log field
request control to in requests.
-
Added client-side support for new generate access token request and response
controls that can be used in an upcoming version of the Ping Identity Directory
Server to request that the server provide an access token in a bind response (for
example, in response to a request using a one-time password that cannot be
replayed) that can be used to authenticate subsequent bind operations using the
OAUTHBEARER SASL mechanism. Also, updated the ldapsearch and ldapmodify tools to
add support for a --generateAccessToken argument that can be used to include the
control in bind requests and display information from the corresponding response
control.
-
Updated support for the Ping Identity Directory Server's ds-pwp-state-json
virtual attribute to include fields pertaining to support for passwords encoded
in a manner that doesn't reflect the current configuration for the associated
password storage scheme.
-
Updated the documentation to include the latest versions of
draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis, and
draft-melnikov-scram-sha3-512 in the set of LDAP-related specifications.
Version 6.0.9
The following changes were made between the 6.0.8 and 6.0.9 releases:
-
The LDAP SDK source code will now only be updated on GitHub and will no longer
be maintained on SourceForge. The SourceForge repository will still be
available for historical releases, but the trunk has been replaced with a README
file indicating that updated code is now only on GitHub. It required effort to
keep both repositories in sync, and GitHub is removing its support for acting as
a Subversion repository, which that synchronization process relied upon. The
SourceForge project will still be updated with downloads for new releases, and
the discussion forums and mailing lists will remain available.
-
Added an option for customizing the set of result codes that the LDAP SDK may
use to determine whether a connection may no longer be usable. Previously, it
used a hard-coded set of result codes for this purpose, and that set is still
the default, but it is now possible to override that with a provided set of
result codes.
-
Added a new HTTPProxySocketFactory class that can be used to allow establishing
LDAP and LDAPS connections through an HTTP proxy server, and added a new
SOCKSProxySocketFactory class that can be used to allow establishing connections
through a SOCKSv4 or SOCKSv5 proxy server. Communication with the proxy server
itself must be unencrypted (although communication with the target LDAP server
may optionally be end-to-end encrypted with TLS), and the proxy server must not
require authentication.
-
Updated the ldif-diff tool to add a --byteForByte argument that can be used to
indicate that it should not ignore differences between source and target entries
that would otherwise be considered insignificant based on the associated
matching rules (for example, values that differ only in capitalization for
attributes that use case-ignore matching). Byte-for-byte matching was
previously always used when comparing source and target entries, but it should
be a configurable option, and it is better to use schema-aware matching by
default.
-
Fixed an issue in which a non-default channel binding type was not preserved when
duplicating a GSSAPI bind request. Also, added a method to retrieve the channel
binding type in use for a GSSAPI bind request.
-
Added a ResultCode.getStandardName method that can be used to retrieve the name
assigned to the associated result code in the relevant specification. This may
not be available for result codes that are not defined in known specifications.
-
Updated support for passphrase-encrypted input and output streams to provide a
mechanism for caching the derived secret keys so that it's not necessary to
re-derive the key each time it's used. This can dramatically improve
performance when the same key is used multiple times.
-
Updated the StaticUtils.isLikelyDisplayableCharacter method to add additional
character types that are believed to be displayable. While most types of
symbols were already considered displayable, modifier symbols had previously
been overlooked but are now included. In addition, non-spacing marks,
enclosing marks, and combining spacing marks are also considered displayable
because even though they aren't displayable on their own, they are likely to
be combined with other characters that makes them displayable.
-
Added a new StaticUtils.getCodePoints method that can be used to retrieve an
array of the code points that comprise a given string.
-
Added a StaticUtils.unicodeStringsAreEquivalent method that can be used to
determine whether two strings represent an equivalent sequence of Unicode
characters. Also, added a StaticUtils.utf8StringsAreEquivalent method that can
be used to determine whether two byte arrays represent UTF-8 strings with an
equivalent set of Unicode characters. Unicode may offer multiple ways of
encoding the same character or sequence of characters, and these methods take
those alternative encodings into account.
-
Added a StaticUtils.isValidUTF8WithNonASCIICharacters method that can be used to
determine if a provided byte array represents a valid UTF-8 string that contains
at least one non-ASCII character. This new method can be more efficient than
calling both the existing isValidUTF8 and isASCIIString methods when that
combination is needed.
-
Updated the client-side support for the administrative task used to invoke the
collect support data tool in a Ping Identity Directory Server to make it possible
to specify the start and end times for the set of log messages to include in the
support data archive.
-
Updated the documentation to include the latest versions of draft-melnikov-sasl2
and draft-melnikov-scram-sha-512 in the set of LDAP-related specifications.
Version 6.0.8
The following changes were made between the 6.0.7 and 6.0.8 releases:
-
Added a DN.getDNRelativeToBaseDN method that may be used to retrieve the portion
of a DN that is relative to a given base DN (that is, the portion of a DN with
the given base DN stripped off).
-
Updated the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes to add
getServerSet methods that can be used to retrieve the server set used to
establish new connections for the pool.
-
Added convenience methods with shorter names for constructing search filters
from their individual components. For example, instead of calling
Filter.createANDFilter(components), you can now use Filter.and(components), and
instead of Filter.createEqualityFilter(attributeName, assertionValue), you can
now use Filter.equals(attributeName, assertionValue). The existing methods with
longer names will remain available for backward compatibility.
-
Added support for encrypted PKCS #8 private keys. Private keys can now be
formatted in encrypted PEM when provided with an encryption password and a set
of encryption properties, and the PKCS #8 PEM file reader can read encrypted
private keys when provided with the encryption password. The
manage-certificates export-private-key command has been updated to support
writing an encrypted representation of the private key in either PEM or DER
form, and manage-certificates import-certificate has been updated to support
obtaining the private key when it is encrypted form.
-
Updated the passphrase-encrypted output stream to use a higher key factory
iteration count by default. When using the strongest available 256-bit AES
encryption, it now follows the latest OWASP recommendation of 600,000 PBKDF2
iterations. The key factory iteration count can still be explicitly specified
when creating a new output stream if an alternative iteration count is desired,
and the default iteration count can now be overridden with a system property.
-
Updated the passphrase-encrypted output stream to make it possible to create a
new output stream with the encryption header from a previously created
encryption header. This will make it possible to reuse the previously derived
key (with a different initialization vector), which will be substantially faster
when using the same passphrase to encrypt multiple output streams than needing
to re-derive the key for each stream.
-
Added a new ObjectTrio utility class that can be useful in cases where only a
single object is allowed but three typed objects are needed (e.g., when you want
to return three typed items from a method).
-
Updated the set of LDAP-related specifications to include RFC 9371, which
describes the procedures for registering private enterprise numbers (PENs),
which may be used when defining your own object identifiers for custom schema
elements or other purposes. The OID registry document has also been updated to
provide a link to this RFC and to the IANA PEN registry.
-
Updated the documentation to include the latest versions of
draft-howard-gssapi-aead, draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis,
and draft-reitzenstein-kitten-opaque in the set of LDAP-related specifications.
Version 6.0.7
The following changes were made between the 6.0.6 and 6.0.7 releases:
-
Fixed a bug in the SearchResultEntry.equals method that could prevent a
SearchResultEntry object (which is a subclass of Entry) from being considered
equal to an Entry that is not a SearchResultEntry.
-
Fixed an issue with the Entry.applyModifications method in which it could fail
with a NOT_ALLOWED_ON_RDN result if the provided entry was missing one or more
attribute values used in its RDN.
-
Fixed a bug in the argument parser's support for mutually dependent arguments.
In a mutually dependent argument set, if any one of the arguments is provided,
then all of the other arguments in the set must also be provided, but there was
a problem with support for sets containing three or more elements. In such
cases, the argument parser would only enforce that at least two arguments from
the set were present.
-
Added JSONObject methods for retrieving fields by name using case-insensitive
matching. By default, JSON field names are treated in a case-sensitive manner,
but new methods allow them to be retrieved in a case-insensitive manner.
Because a JSON object may have multiple fields with names differing only by
case, there are a few options for handling the possibility of conflicts,
including returning only the first match found and ignoring subsequent matches,
throwing an exception if multiple matches are found, or returning a map
containing all matching name-value pairs.
-
Updated the set of LDAP-related specifications to include the latest version of
draft-schmaus-kitten-sasl-ht.
Version 6.0.6
The following changes were made between the 6.0.5 and 6.0.6 releases:
-
Fixed an issue that could cause request failures when closing a connection that
has outstanding operations in the default asynchronous mode, immediately
re-establishing the connection (to the same or a different server), and sending
a request on the newly established connection. However, we generally recommend
creating a new connection object (or using a connection pool) in these cases,
rather than closing and re-establishing the same connection object.
-
Fixed an issue that could interfere with the ability to get a default SSLContext
on modern versions of Java (e.g., Java 17) when using the LDAP SDK in FIPS
140-2-compliant mode.
-
Updated the LDAPConnectionOptions class to add support for a new
com.unboundid.ldap.sdk.LDAPConnectionOptions.defaultVerifyCertificateHostnames
system property that can be used to enable certificate hostname verification by
default. This verification was previously available by calling the
LDAPConnectionOptions.setSSLSocketVerifier method with a
HostNameSSLSocketVerifier instance, but the new system property can be used to
enable this verification by default without any code changes. Even though
hostname verification is strongly recommended, it is disabled by default in the
LDAP SDK for backward compatibility purposes, and for compatibility with a wide
range of development, test, and even production environments that are not
properly set up with certificates that allow for hostname verification.
-
Updated the LDAP command-line tool framework to add a new
"--verifyCertificateHostnames" argument that can be used to enable hostname
verification when performing TLS negotiation.
-
Significantly improved the class-level Javadoc documentation for the SSLUtil
class to provide a better overview of TLS protocol versions, TLS cipher suites,
key managers, trust managers, and certificate host name verification, and to
provide examples that better illustrate best practices for establishing secure
connections. Also made Javadoc improvements in the LDAPConnection and
StartTLSPostConnectProcessor classes, and improved documentation for creating
secure connections in the FAQ and getting started guide.
-
Fixed an issue in the JNDI compatibility support for controls, extended
requests, and extended responses. Although the JNDI documentation states that
the byte array returned by the getEncodedValue method for these types of objects
will include the BER type and length, that does not actually appear to be the
case. Since the LDAP SDK used the documented behavior for those methods rather
than the apparent actual behavior, conversion of those elements between the LDAP
SDK and JNDI representations would not yield the expected results. To address
this, the LDAP SDK now uses the actual behavior that JNDI exhibits rather than
the documented behavior. The former behavior can be obtained using system
properties in the event that a JNDI implementation actually does exhibit the
documented behavior.
-
Updated the SearchRequest class to add constructors that allow you to specify
the base DN with a DN object rather than a string.
-
Updated the command-line tool framework to better handle the possibility of
encountering a Java Error (e.g., OutOfMemoryError) in the course of tool
processing. The framework previously handled any unexpected Exception that may
have been thrown during processing by displaying an error message and exiting
with an error, but if an Error was thrown instead of an Exception, then that
could trigger a NullPointerException that would mask the original Error. Errors
are now handled in the same way as exceptions.
-
Fixed an issue in the IA5 argument value validator that could allow an
associated argument to incorrect accept values with non-ASCII characters.
-
Updated the DNS hostname argument value validator to fix an issue that could
prevent it from performing all necessary validation for the last component in a
fully qualified name, or for the only component in an unqualified name.
-
Updated the identify-references-to-missing-entries example tool to add an option
to write an LDIF file with modify change records that can be used to clean up
any identified references to missing entries.
-
Updated the SelfSignedCertificateGenerator class (which may be used to
dynamically create self-signed certificates for testing and is used by tools
like the in-memory directory server and ldap-debugger) to perform better
validation for the subject alternative DNS names that it includes in a
certificate. It will now exclude values that are identified as system hostnames
but aren't actually technically valid hostnames (e.g., values with non-ASCII
characters).
-
Updated the manage-certificates generate-self-signed-certificate command to
rename the --replace-existing-certificate argument to be
--use-existing-key-pair. The latter is more clear, and can help avoid confusion
in cases where someone may mistakenly think that the command performs more
processing than it actually does (for example, all the processing necessary to
fully replace a certificate that is actively being used by a Ping Identity
Directory Server). The former name is still available to use and will result in
exactly the same behavior so backward compatibility will not be affected, but
that name is hidden in favor of the new name.
-
Updated the summarize-access-log tool that can be used to report on the contents
of one or more Ping Identity Directory Server access logs. The tool will now
report the most common IP addresses for failed bind attempts. It will now
report work queue wait times, both as an average and a histogram. It will now
report the most common request and response controls, the most common privileges
used and missing, and the most common filter sizes in terms of number of
components. If the tool is invoked with the --doNotAnonymize option, then it
will also report on the target bind DNs with the most consecutive failed
authentication attempts, and on search filters that may potentially indicate
unsuccessful injection attempts based on suspicious content in an assertion
value (including parentheses, ampersands, pipes, quotes, or the words "select"
and "from").
-
Updated support for the Ping Identity Directory Server's "audit data security"
administrative task to add the ability to specify either or both the number or
age of previous reports to retain after the new report has been generated.
-
Fixed issues with the join request control and administrative operation request
control in which it was not possible to specify the criticality to use for the
control.
-
Updated the LDAP SDK to include a native-image/resource-config.json file in the
jar file manifest. When using the GraalVM native-image tool to generate a
self-contained executable version of a Java program that uses the LDAP SDK, this
file helps ensure that all of the appropriate resource files (including message
property files, a default standard schema, and a registry file used by the
oid-lookup tool) are included as part of the generated image.
Version 6.0.5
The following changes were made between the 6.0.4 and 6.0.5 releases:
-
Fixed a bug in which the ldapcompare tool did not properly close its output file
if one was configured. This is primarily an issue if the tool is invoked
programmatically rather than running it from the command line (or a shell script
or batch file).
-
Improved support for validating and comparing values using the telephone number
syntax. Previously, telephone number matching always used a loose
interpretation of the specification, which would consider any valid printable
string (including strings without any digits) to be a valid telephone number,
and it would only ignore spaces and hyphens when comparing values. It still
uses the same validation policy by default, but it can now be configured to
either at least require at least one digit, or to require strict adherence to
the X.520 specification (which will require values to start with a plus sign and
a country code, followed by only digits, spaces, and hyphens). The default
comparison policy has also been updated to ignore all non-digit characters
(except the leading plus sign), but it can still be configured to use the
former default behavior. The default validation and comparison behaviors can be
set either programmatically or using system properties.
-
Fixed an issue that could occasionally cause the LDAP SDK to hide the cause of a
StartTLS failure with a second, less useful exception.
-
Fixed an issue in which the --generatePropertiesFile option provided by some
command-line tools did not properly escape backslashes, carriage return,
newline, or form feed characters.
-
Fixed an issue in the ldifsearch tool in which it could display a malformed
message when invoking the tool in which the first unnamed trailing argument was
expected to be the search filter but could not be parsed as a valid filter.
-
Added support for encoding controls to JSON objects, and for decoding JSON
objects as controls. There is a generic JSON representation that works for all
controls (in which the JSON object includes just an OID, criticality, and a
base64-encoded representation of the raw value, if there is a value), but most
controls that take a value have a more user-friendly encoding with the value
expressed as a JSON object with fields for each of the elements of the control
value.
-
Added client-side support for a new JSON-formatted request control that can be
used to send request controls to a server encoded as JSON objects rather than
using their native LDAP encodings. Also, added client-side support for a new
JSON-formatted response control that can be used to receive JSON-encoded
response controls from the server.
-
Updated the ldapsearch and ldapmodify command-line tools to add support for
JSON-formatted request and response controls. If the
--useJSONFormattedRequestControls argument is provided, requests sent to the
server will include a JSON-formatted request control with appropriate encodings
for any other request controls to be included in the request. Any
JSON-formatted response control received from the server will automatically have
its embedded controls extracted and processed as if they had been returned with
their regular LDAP encodings.
-
Fixed an issue with the way the parallel-update tool created assured replication
request controls when an explicit local or remote assurance level was specified.
Previously, it would only specify a minimum assurance level without specifying a
maximum level. If the server was already configured to use assured replication
with a higher assurance level than the client requested, then the server's
higher level would have overridden the level requested by the client. The tool
will now specify both minimum and maximum levels to ensure that the requested
assurance level is used, regardless of the server configuration.
-
Updated the topology registry trust manager to allow trusting a certificate
chain if either the peer certificate or any of its issuers is found in the
server's topology registry. Previously, it would only trust certificate chains
in which the peer certificate itself was found in the topology registry, and
having an issuer certificate present in the topology registry was not sufficient
to allow certificates signed by that issuer to be trusted. The former behavior
is still available via a configuration option.
-
Updated the topology registry trust manager to make it possible to ignore the
certificate validity window for peer and issuer certificates. The certificate
validity window is still respected by default, but if the trust manager is
configured to ignore that window, then a certificate chain may be trusted even
if the peer or an issuer certificate is expired or not yet valid.
Version 6.0.4
The following changes were made between the 6.0.3 and 6.0.4 releases:
-
Fixed an issue in the Filter.matchesEntry method that could cause it to throw an
exception rather than an appropriate Boolean response when evaluating an AND or
an OR filter in which one of the nested components is not valid (for example, if
the assertion value does not conform to the syntax for the associated attribute
type). This could cause problems for other LDAP SDK components that may rely on
filter matching, like the in-memory directory server or the ldifsearch
command-line tool.
-
Addressed a potential conflict in the way that decodeable controls are
registered with the LDAP SDK that may have caused issues when trying to
instantiate a control.
-
Fixed an issue in the JVM-default trust manager implementation in which it did
not properly look for a trust store file named "jssecacerts" in accordance with
the JSSE specification. It had previously only looked for a file named
"cacerts".
-
Updated the logic used to select the default set of supported cipher suites to
no longer exclude suites starting with "SSL_" by default on JVMs with a vendor
string that includes "IBM". IBM JVMs appear to use the "SSL_" prefix for some
or all cipher suites, including those that are not associated with a legacy SSL
protocol. Also, added a TLSCipherSuiteSelector.setAllowSSLPrefixedSuites
method that can be used to override the default behavior as needed.
-
Updated the LDIF reader to support reading modifications with values read files
referenced by URL. This was previously supported when reading LDIF entries or
add change records, but support for reading modification values from files had
been overlooked.
-
Updated the LDIF writer so that it no longer generates comments attempting to
clarify the contents of base64-encoded values for values that are larger than
1,000 bytes.
-
Added a new version of an API that can be used for parsing access log messages
from the Ping Identity Directory Server and other related server products. The
initial version of the logging API only supports text-formatted log messages in
the default "name=value" format, but the new API supports both those
text-formatted message and messages formatted as JSON objects. A common API can
be used to parse log messages of either type, although there may be slight
differences where the different log formats represent information in somewhat
different ways.
-
Updated the summarize-access-log tool (which can be used to perform basic
analysis of Ping Identity Directory Server access logs) to support
JSON-formatted log files.
-
Added client-side support for the refresh certificate monitor administrative
task in the Ping Identity Directory Server and related products. The server
will automatically refresh any cached certificate monitor data once a minute,
but this task can cause a refresh to happen immediately.
-
Added support for retrieving and parsing X.509 certificate monitor entries as
provided by the Ping Identity Directory Server and other related server
products.
-
Added draft-ietf-kitten-scram-2fa-00 to the set of LDAP-related specifications.
-
Updated the set of LDAP specifications to include the latest versions of
draft-behera-ldap-password-policy, draft-coretta-x660-ldap, and
draft-ietf-kitten-scram-2fa.
Version 6.0.3
The following changes were made between the 6.0.2 and 6.0.3 releases:
-
Fixed an issue with the round-robin server set that could arise if any of the
servers in the set became temporarily unavailable. In such cases, the server
set could have connected to some of the remaining available servers with a
higher frequency than others instead of balancing requests evenly across
those servers.
-
Fixed a potential race condition that could leave a background Timer thread
running when a connection was closed while waiting for a response to one or more
asynchronous operations.
-
Fixed an issue in the in-memory directory server that could cause it to include
a matched DN in certain bind response messages. Bind responses should not
include a matched DN, as that may disclose information about the presence or
absence of the target entry. Further, there were cases in which the server
could have included a matched DN even in cases where the target entry existed
but the bind failed for some other reason (for example, because of a wrong
password).
-
Improved support for SSL/TLS debugging for SSLUtil operations. If the
javax.net.debug system property is set to "all" or "ssl" (which causes the JVM
to write a lot of SSL-related debugging output to the JVM's standard error
stream), then many SSLUtil methods will now also write debug information to
standard error.
-
Fixed an issue that could cause the manage-account tool to fail if it receives a
response with an unrecognized password policy state operation type. This is
most likely to occur when the version of the manage-account tool does not align
with the version of the Ping Identity Directory Server instance from which the
response was retrieved.
-
Added client-side support for four new extended operations meant to help manage
listener and inter-server certificates in the Ping Identity Directory Server and
other related Ping Identity server products. The new operations provide the
ability to replace a listener certificate, replace an inter-server certificate,
purge expired listener certificates, and purge retired inter-server
certificates.
-
Updated the JSONLDAPResultWriter class to add static methods for encoding
entries, search result references, and LDAP results to JSON objects.
-
Updated the Authentication Failure Reason class (used to classify authentication
failures in the Ping Identity Directory Server) to add constant values to be
used in response to a problem in pass-through authentication processing.
-
Added a CryptoHelper.inferKeyStoreType method that attempts to determine the key
store type for a specified file that is expected to represent a key store. This
method supports JKS, PKCS #12, and BCFKS key store types.
-
Updated the TaskManager class to add support for using LDAPInterface objects as
an alternative to LDAPConnection objects for interacting with the directory
server. This makes it easier to interact with tasks from a connection pool or
other types of LDAP interfaces.
-
Added StaticUtils convenience methods that can be used to generate random bytes,
integers, and strings, optionally using a cryptographically secure random number
generator.
-
Updated the documentation to add draft-melnikov-scram-bis and to update
draft-melnikov-scram-sha-512 and draft-melnikov-scram-sha3-512 in the set of
LDAP-related specifications.
Version 6.0.2
The following changes were made between the 6.0.1 and 6.0.2 releases:
-
Fixed an issue that could prevent the JVM-default trust manager from properly
trusting a certificate chain that relies on a cross-signed certificate, which
may include those signed by the Let's Encrypt service. Previously, the trust
manager would only check for a cross-signed certificate if the current time was
outside the validity window for one or more of the certificates in the presented
chain, but that could prevent a chain from being properly trusted if all of its
certificates were within their respective validity windows, but still could not
be directly trusted using certificates in the JVM's default trust store (for
example, if they are using a new root that is not itself in the default trust
store). The trust manager will now fall back to checking for cross-signed
certificates if the chain cannot be validated as provided, even if all
certificates in the provided chain are within their validity window.
-
Added the ability to use the tls-server-end-point channel binding type when
using GSSAPI authentication. This feature is dependent on support from the
underlying JVM and will likely require running on Java 13 or later.
-
Fixed an issue in the in-memory directory server in which it would only return
search result references for smart referral entries within the scope of the
search if those entries matched the search filter. It will now correctly return
the reference regardless of whether the smart referral entry matches the filter.
-
Updated the LDAP command-line tool framework to add a --defaultTrust argument
that can be used to use a default set of non-interactive trust managers
(including at least the JVM's default trust store, and potentially other
mechanisms for tools included with the Ping Identity Directory Server) when
determining whether to trust a certificate chain presented during TLS
negotiation. This uses the same logic that the tool would employ when it is
invoked without any trust-related arguments, except that it will not
interactively prompt about whether to trust the certificate chain if it is not
trusted by any of the default mechanisms.
-
Updated the documentation to include the latest version of
draft-ietf-kitten-password-storage in the set of LDAP-related specifications.
Version 6.0.1
The following changes were made between the 6.0.0 and 6.0.1 releases:
-
Added a new ldap-diff command-line tool that can be used to compare the contents
of two LDAPv3 servers to identify any differences between them. Any differences
will be written as LDIF change records to a specified output file, and the
changes in that file can be applied to the source server (using a tool like
ldapmodify or parallel-update) to bring it in sync with the target server. It
can also use multiple passes when examining differences to avoid potential false
positives that result from delays in replication or changes that are made while
the tool is running.
-
Updated the ldifsearch tool to add support for using alternative output formats.
ldifsearch now supports the same output formats as ldapsearch, including LDIF,
JSON, CSV, tab-delimited text, DNs only, and values only.
-
Updated the LDIF reader to make it possible to override the default 10MB size
limit that will be imposed when reading an attribute value from a file
referenced by a URL. The 10MB size limit will continue to be enforced by
default, but the com.unboundid.ldif.LDIFReader.maxURLFileSizeBytes system
property can now be used to specify an alternative limit if desired.
-
Added support for a new "com.unboundid.ldap.sdk.debug.file" property that can be
used to indicate that LDAP SDK debug log messages should be written to a
specified file. This is intended to be used in conjunction with other
debugging-related properties that can enable and configure debug logging without
a code change in the underlying application. Previously, the output was always
written to the JVM's standard error stream, but this property will cause it to
be written to a file instead.
-
Lowered the debug level for exception messages that may be logged as a result of
a SocketTimeoutException caught internally in the course of trying whether to
determine whether a pooled connection operating in synchronous mode is still
valid. If the connection pool is configured to attempt a synchronous read as
part of each connection during health checking (which is the default), then we
expect a timeout for that read attempt if the connection is still valid.
Previously, a debug message created in response to that timeout was logged at a
WARNING level, which is not appropriate for an expected condition when
everything is operating normally, and it could make it harder to see debug
messages for legitimate problems. The debug message is now logged at the FINEST
level so that it will only appear if debugging is enabled at the highest level of
verbosity.
-
Fixed an issue with the LDAP SDK's wrapper for the Ping Identity Directory
Server's collect-support-data command-line tool that prevents it from passing
the keyStoreFormat and trustStoreFormat arguments to the server tool.
-
Updated the LDAP SDK's support for the Ping Identity Directory Server's generate
profile administrative task to clarify that all provided include paths must be
relative rather than absolute paths, that the paths will be interpreted as
relative to the server root, and that only paths to files beneath the server
root will be allowed.
-
Updated support for the Ping Identity Directory Server's matching entry count
request and response controls to make it possible to request that the server
return extended response data. If this is requested, then the server may return
additional information like whether the server short-circuited during index
processing, whether the search is fully indexed, whether all the identified
candidate entries are known to be within the scope of the search, and any
remaining filter that is either unindexed or unevaluated during search
processing.
-
Updated to the latest revision of draft-coretta-x660-ldap in the set of
LDAP-related specifications.
Version 6.0.0
The following changes were made between the 5.1.4 and 6.0.0 releases:
-
Fixed an issue that could cause the LDAP SDK to use the JVM's default set of
TLS cipher suites instead of the recommended set as determined by the
TLSCipherSuiteSelector class. This could have allowed certain less-desirable
suites to have been enabled, and could have prevented certain desirable
suites from being enabled. In some cases, this could have also affected the set
of TLS protocols that were available for use (for example, in cases where the
JVM supports TLSv1.3 but does not enable TLSv1.3 cipher suites by default).
-
Updated the logic used to select the set of TLS protocol versions so that only
the TLSv1.2 and TLSv1.3 (if supported by the JVM) will be enabled by default,
with the higher protocol version being the preferred version. As per RFC 8996,
the older TLSv1 and TLSv1.1 protocol versions are no longer considered secure
and will not be enabled by default. If necessary or desired, you can override
the enabled set of TLS protocol versions through the
com.unboundid.util.SSLUtil.enabledSSLProtocols system property or by calling the
SSLUtil.setEnabledSSLProtocols method. You can override the preferred TLS
protocol version using the com.unboundid.util.SSLUtil.defaultSSLProtocol system
property or the SSLUtil.setDefaultSSLProtocol method.
-
Updated the logic used to select the set of TLS cipher suites so that suites
that use the SHA-1 digest algorithm are no longer enabled by default. The SHA-1
digest is no longer considered secure, and cipher suites that use it are only
needed by older TLS protocol versions (like TLSv1 and TLSv1.1) that are no
longer enabled by default. If necessary or desired, you can override the
enabled set of TLS cipher suites using the
com.unboundid.util.SSLUtil.enabledSSLCipherSuites system property or by calling
the SSLUtil.setEnabledSSLCipherSuites method. You can also use the
com.unboundid.util.ssl.TLSCipherSuiteSelector.allowSHA1 property or the
TLSCipherSuiteSelector.setAllowSHA1 method to override just the restriction on
the use of the SHA-1 digest algorithm.
-
Updated the logic used to select the set of TLS cipher suites so that suites
that use the RSA key exchange algorithm are no longer enabled by default. The
RSA key exchange algorithm does not provide forward secrecy, and if a
certificate's private key is compromised, then it may be used to decrypt any TLS
communication in which the RSA key exchange algorithm was used. If necessary or
desired, you can override the enabled set of TLS cipher suites using the
com.unboundid.util.SSLUtil.enabledSSLCipherSuites system property or by calling
the SSLUtil.setEnabledSSLCipherSuites method. You can also use the
com.unboundid.util.ssl.TLSCipherSuiteSelector.allowRSAKeyExchange property or the
TLSCipherSuiteSelector.setAllowRSAKeyExchange method to override just the
restriction on the use of the RSA key exchange algorithm.
-
Improved the logic used to decide which types of optional escaping should be used
when generating the string representation of a DN or RDN. If a DN or RDN was
created from a string representation, then that string representation will
generally be preserved. However, if a DN or RDN is created from its component
parts, then the string representation will be generated, and the LDAP SDK may
choose to escape more characters than are required by RFC 4514. Previously, the
LDAP SDK always escaped all ASCII control characters and all non-ASCII
characters. It will now still escape all ASCII control characters, but it will
only escape non-ASCII characters if it does not believe that they are
displayable. If it believes that a non-ASCII character is displayable
(including Latin characters with diacritics and letters, digits, spacing,
punctuation, and symbols from languages that use non-Latin characters), that
character now be left unescaped. The default behavior can be overridden either
programmatically or through a system property. The logic used to generate
normalized representations of DNs and RDNs has not changed.
-
Updated the LDIF writer to make it possible to customize the logic that it uses
when deciding which whether values should be base64-encoded. Previously, it
would always base64-encode values with non-ASCII characters, regardless of
whether those characters may be suitable for display, but it would not
necessarily encode values with ASCII control characters (other than NUL, LF, or
CR, which are required to always be encoded by the LDIF specification). It will
now always base64 encode values with any ASCII control characters. It also
provides an option to skip base64 encoding for different classes of non-ASCII
data, which would technically violate the LDIF specification but may be more
user-friendly for cases in which the value is to be displayed. The default
behavior can be overridden programmatically or through a system property.
-
Updated the LDIF reader to add decodeLDIFRecord methods that can be used to
decode a set of LDIF lines as a generic LDIF record, which may represent either
an entry or an LDIF change record. There were already methods for decoding an
array of lines as an entry or as a change record if you knew what type of record
that it represented, and it was already possible to read a generic LDIF record
from an LDIF file, but there was not a public method for decoding an array of
lines as a generic LDIF record.
-
Updated the LDIF reader to make it possible to disable support for LDAP controls
in LDIF records. By default, the LDAP SDK will handle controls in accordance
with RFC 2849, so that if the first unwrapped line after the DN starts with
"control", then that record will be treated as an LDIF change record with one or
more LDAP controls. However, this may cause a problem when the LDIF record
represents an entry rather than a change record, and when the first attribute in
the LDIF representation of that entry is named "control". In such cases,
attempting to read that record as a generic LDIF record or as an LDIF change
record with defaultAdd set to true (rather than trying to read it as an LDIF
entry) will cause the LDIF reader to attempt to treat that control element as an
LDAP control rather than an attribute named "control". It is now possible to
disable support for controls to handle this corner case in cases where you may
have an LDAP attribute named "control" that may be the first attribute of an
entry, and in which LDIF change records do not contain LDAP controls.
-
Updated the PKCS #11 key manager to make it easier to interact with PKCS #11
tokens without needing to alter the JVM configuration. The key manager can now
dynamically instantiate the provider (either using a class specified by the
caller or one inferred by the LDAP SDK) and optionally configure it with
information from a specified provider configuration file.
-
Updated the manage-certificates tool to add support for interacting with
PKCS #11 key stores. The --keystore-type argument must be provided with a
value of PKCS11, and the --keystore argument must be provided with a value of
the path to the provider configuration file. The types of operations that can
be performed in PKCS #11 key stores may depend on what is allowed by the token
being used.
-
Updated the LDAP command-line tool framework to add support for using PKCS #11
key stores. The --keyStoreFormat argument must be provided with a value of
PKCS11, and the --keyStorePath argument must be provided with a value of the
path to the provider configuration file.
-
Updated the in-memory-directory-server command-line tool to add a new
--doNotGenerateOperationalAttributes argument that can be used to prevent the
server from maintaining operational attributes like entryDN, entryUUID,
subschemaSubentry, creatorsName, createTimestamp, modifiersName, and
modifyTimestamp).
-
Updated support for running in a FIPS 140-2-compliant mode using the Bouncy
Castle FIPS provider to reduce the chance that uses of SecureRandom will
encounter severe performance issues as a result of lack of entropy on the
underlying system.
-
Updated the LDAP SDK to make it possible to customize the providers that will be
allowed when it is running in FIPS 140-2-compliant mode. This can be customized
either through a system property or a method call.
-
Updated the command-line tool framework so that it will check to determine
whether the LDAP SDK is running in FIPS 140-2-compliant mode upon invoking the
tool constructor. This can help prevent cases in which the tool may
inadvertently perform operations with a non-FIPS-compliant provider.
-
Updated the manage-certificates tool to add a new copy-keystore subcommand.
This subcommand can be used to copy all or some of the certificates from one key
store to another, creating the destination key store if necessary. The source
and destination key stores can be of different types, allowing you to convert
one type of key store to another (for example, converting a JKS key store to a
PKCS #12 key store).
-
Updated the manage-certificates tool to add optional --output-file and
--output-format arguments to the generate-self-signed-certificate subcommand.
This allows you to obtain a PEM or DER representation of the certificate in the
same command used to generate it, whereas it was previously necessary to use a
separate command to export the certificate.
-
Updated the manage-certificates tool to provide improved support for managing
key stores in the BCFKS (Bouncy Castle FIPS 140-2-compliant key store) format.
Previously, this only worked if the LDAP SDK was running in FIPS-compliant mode.
It will now work as long as the necessary Bouncy Castle provider classes are
found in the classpath, even if the LDAP SDK is not operating in FIPS-compliant
mode.
-
Updated the manage-certificates tool to display the keystore type when listing
certificates.
-
Updated the manage-certificates tool to add additional alternative long
identifiers for the keystore-type argument. It was formerly possible to refer
to the argument as either keystore-type or keystoreType. It is now also
possible to use key-store-type, keystore-format, key-store-format, or
keystoreFormat.
-
Updated the FileArgument class to provide better support for interacting with
files that are potentially encrypted or compressed. The getFileLines,
getNonBlankFileLines, and getFileBytes methods have been updated so that they
can transparently handle reading from files that are gzip-compressed. Further,
for tools that are associated with a Ping Identity server instance, these
methods can transparently handle reading from files that are encrypted with a
key from the server's encryption settings database. In addition, a new
getFileInputStream method has been added that can retrieve an input stream for
reading from the file, and that also handles compressed and encrypted files.
-
Added a ThreadLocalSecureRandom class that can be used to maintain a set of
per-thread SecureRandom instances that can be used without synchronization or
contention.
-
Updated the collect-support-data tool so that the keyStoreFormat and
trustStoreFormat arguments are allowed when invoking the server-side version of
the tool. Formerly, these arguments were only available when
collect-support-data was run with the useRemoteServer option because the
server-side version of the tool didn't support the arguments used to specify the
key/trust store format, but that will no longer be the case in the next release
of the server.
-
Added client-side support for a new remove object class task that can be used to
safely remove an object class definition from a Ping Identity Directory Server's
schema. It will make sure that the object class is not in use in the server
before removing it.
-
Updated to the latest revisions of draft-coretta-x660-ldap,
draft-ietf-kitten-password-storage, and draft-melnikov-scram-2fa in the set of
LDAP-related specifications.
Version 5.1.4
The following changes were made between the 5.1.3 and 5.1.4 releases:
-
Fixed a potential issue that could affect the fewest connections and round-robin
server sets. Under certain circumstances (when a server associated with the
server set is no longer available), the LDAP SDK could have left a background
thread running until that server became available again. If the server was
permanently unavailable, then that background thread would have remained alive
until the JVM was shut down.
-
Improved support for running in a JVM that has been configured to operate in a
FIPS 140-2-compliant mode using the Bouncy Castle BCFIPS provider. The LDAP SDK
does not include the Bouncy Castle libraries, but if they are available in the
classpath, and if the com.unboundid.crypto.FIPS_MODE system property is set to
"true" (ideally at the time the JVM is launched, but at the very least before
any LDAP SDK classes are loaded), then the Bouncy Castle FIPS provider will be
used for cryptographic operations. In addition, the manage-certificates tool
has been updated to add support for interacting with BCFKS key stores, and the
LDAP listener and command-line tool frameworks have been updated to support
using key and trust store files in the BCFKS format when explicitly requested.
-
Updated the TLS cipher suite selector to improve compatibility with JVMs that
report all cipher suite names starting with "SSL_". Previously, the LDAP SDK
assumed that modern TLS cipher suite names would always start with "TLS_" and
only legacy SSL suite names would start with "SSL_". However, some JVMs (like
the one maintained by IBM) use the "SSL_" prefix for all TLS cipher suite names,
regardless of the protocol with which they are intended to be used. In such
cases, the LDAP SDK would previously not identify any recommended suites, which
would prevent the SSLUtil helper class from establishing secure connections, but
it will now fall back to allowing suite names that start with "SSL_" as long as
they do not meet any other criteria for exclusion. Further, if the cipher suite
selector is still unable to identify any recommended suites, it will now fall
back to using the JVM-default set of enabled suites.
-
Updated the TLS cipher suite selector so that cipher suites that rely on the
SHA-1 digest are excluded by default in FIPS 140-2-compliant mode.
-
Improved the order in which the LDAP SDK returns the names of the recommended
cipher suites chosen by the TLS cipher suite selector. It now uses more
fine-grained ordering based on the key agreement for cipher suites with the
"SSL" protocol. It will also order suites that use null encryption after those
that do not, will order suites that use anonymous authentication after those
that do not, and will order suites that use export-grade encryption after those
that do not.
-
Updated the TLS cipher suite selector to provide a way to recompute the sets of
supported, recommended, and non-recommended cipher suites. This may be
necessary after performing some action that changes the set of cipher suites
available for use in the JVM, like enabling FIPS 140-2-compliant mode or
installing a new cryptographic provider into the running JVM.
-
Added a new PEMFileKeyManager class that can be used as a Java X.509 key manager
that reads the certificate chain and private key from PEM files.
-
Added a new PEMFileTrustManager class that can be used as a Java X.509 trust
manager that reads information about trusted certificates from PEM files.
-
Added new X509PEMFileReader and PKCS8PEMFileReader classes that can be used to
read PEM-formatted X.509 certificates and PKCS #8 private keys.
-
Improved an error message that could be used in an exception if a connection
becomes invalid in the course of trying to send a request to the server.
-
Updated the ldifmodify command-line tool to add support for ignoring duplicate
attempts to delete the same entry, as well as attempts to delete or modify
entries that do not exist in the source LDIF file.
-
Updated support for the get user resource limits request control to allow
clients to request that the server not return information about the user's group
membership in the response control. This can help improve performance,
especially in servers with large numbers of dynamic groups.
-
Added draft-coretta-x660-ldap to the set of LDAP-related specifications.
-
Updated to the latest revision of draft-ietf-kitten-password-storage in the set
of LDAP-related specifications.
Version 5.1.3
The following changes were made between the 5.1.2 and 5.1.3 releases:
-
Fixed an issue in the LDAP listener framework that caused listeners to use a
maximum message size of two gigabytes, which could allow malicious or errant
clients to cause the server to allocate large amounts of memory. The listener
will now default to a maximum message size of twenty megabytes (which is the
same as the maximum message size for LDAP client connections), and the LDAP
listener configuration and in-memory directory server configuration have been
updated to allow configuring the maximum message size that should be used.
-
Updated OID support to add methods that leverage hierarchy. It is now possible
to create an OID that is a child of a provided OID, to retrieve the parent of a
provided OID, and to determine whether an OID is an ancestor or descendant of a
provided OID.
-
Updated the oid-lookup tool to add an --exact-match argument that will cause it
to only return items in which the OID, name, type, origin, or URL exactly
matches the provided search string (ignoring differences in capitalization). By
default, the tool uses substring matching.
-
Updated the ldap-result-code tool to add support for an --output-format argument
that can cause the output to be formatted as a user-friendly table (the default
output), CSV, tab-delimited text, or JSON objects. The former --script-friendly
argument (which would cause the tool to format the output as tab-delimited text)
has been hidden in favor of the new --output-format argument, but is still
available and supported for the purpose of backward compatibility.
Version 5.1.2
The following changes were made between the 5.1.1 and 5.1.2 releases:
-
Added a parallel-update command-line tool that can be used to apply changes read
from an LDIF file against an LDAP server using multiple concurrent threads for
higher throughput than single-threaded tools like ldapmodify. It properly
handles dependencies between concurrent operations (for example, it will delay
adding a child entry if the add for its parent is still in progress), and it
also supports retrying operations that fail in a way that indicates that the
operation might succeed if attempted after all other operations have completed.
Any changes that cannot be processed successfully will be written to a reject
file for later examination.
-
Updated the ldapmodify and ldapdelete tools so that they will now retry failed
operations by default on a newly established connection if the failure indicates
that the underlying connection may no longer be valid. This behavior was
previously available if the --retryFailedOperations argument was provided, and
that argument is still available (but hidden) to preserve backward compatibility
with scripts that use it, but it now has no effect. A new --neverRetry argument
has been added that can disable this feature if the retry functionality should
be disabled.
-
Added a new OIDRegistry class that provides a registry of object identifiers
used by LDAP schema elements, controls, extended operations, and other sources.
Each item has an OID, name, and type, and it may optionally have an origin
string and a URL to content that can provide additional information about the
item.
-
Added a new oid-lookup command-line tool that can be used to search the OID
registry to find items with a given OID, name, type, or other content.
-
Added a new ldap-result-code command-line tool that can be used to list defined
result codes or search for result codes with a given name or integer value.
-
Updated the LDAP listener framework and the in-memory directory server to
provide support for mutual TLS authentication. in which the server requests a
certificate chain from the client and validates any chain that is provided).
The server may be configured to request that a client certificate chain, and it
may optionally choose to continue with or reject the TLS negotiation attempt if
the client does not present a certificate chain.
-
Updated the logic used to generate temporary self-signed certificates for use by
the in-memory-directory-server and ldap-debugger tools so that the certificates
will be more acceptable to a wide range of TLS clients. The certificates will
now have a validity duration of one year rather than the former duration of ten
years, as some TLS clients balk at certificates with long lifetimes. Further,
the subject alternative name extension will now default to only using canonical
host names and IP addresses associated with non-loopback interfaces, and it will
only include loopback addresses if no non-loopback values can be identified.
-
Added a new DNS host name argument value validator that can be used to determine
whether a string represents a valid DNS host name. It can optionally accept or
reject values that are numeric IP addresses rather than host names, can
optionally accept or reject values that represent unqualified names, and can
optionally accept or reject values that represent unresolvable names.
-
Added a SASLClientBindHandler class that can be used to invoke SASL bind
operations that use a javax.security.sasl.SaslClient object to perform the
actual SASL processing. This includes support for updating the underlying
connection with a negotiated security layer if the SASL mechanism supports and
uses a quality of protection (QoP) value of auth-int or auth-conf. Also added
an LDAPConnection.applySASLSecurityLayer method that can be used to add a
security layer negotiated with a SaslClient object to an established, clear-text
connection.
-
Updated the HostNameSSLSocketVerifier to automatically trust any certificate
when the client connected to the peer using an IP address that referenced a
loopback interface on the system. As per the W3C Secure Contexts Candidate
Recommendation (https://www.w3.org/TR/secure-contexts/) section 3.2, connections
established with a loopback IP address should be considered potentially
trustworthy.
-
Updated the HostNameSSLSocketVerifier and TrustAllSSLSocketVerifier classes to
implement the javax.net.ssl.HostnameVerifier interface so they may be used in
contexts where that interface is accepted.
-
Updated the LDIF writer to improve the human readability for the comments that
it generates beneath base64-encoded values. It would previously only include
printable ASCII characters, with all other characters (and ASCII characters that
would normally require base64 encoding, like leading and trailing spaces, and
leading colons and less-than signs) displayed as the hexadecimal-escaped bytes
that comprise them. It will now also include printable non-ASCII characters
that are identified as letters, numbers, punctuation, and select symbols. For
other characters, it will look up the name in the Unicode character table and if
a name is found then it will be displayed, enclosed in curly braces. For all
other characters, it will use the hexadecimal representation of the bytes that
comprise it.
-
Added a "dns-only" output format for the ldapsearch command-line tool. If this
output format is selected, only the DNs of matching entries will be included in
the output, with one DN per line, no blank lines between DNs, and no prefix
(like "dn:") before each DN.
-
Added a null X.509 trust manager that will never trust any certificate chain.
This is primarily useful for testing purposes.
-
Updated the LDAP SDK's support for the OAUTHBEARER SASL mechanism to make it
possible to include arbitrary additional key-value pairs in the SASL
credentials.
-
Updated the manage-certificates tool to add a new retrieve-server-certificate
subcommand. When this subcommand is used, the tool will retrieve the
certificate chain for a specified remote server and write information about the
certificates to standard output. It may also optionally write a PEM-encoded or
DER-encoded representation of that chain (or just the peer certificate, if
desired) to a specified file.
-
Fixed an issue with the manage-certificates trust-server-certificate command
that caused it to wait for a maximum of 60 milliseconds rather than the intended
60 seconds when trying to establish a connection to the target server.
-
Fixed an issue in the command-line tool framework in which the output stream
that the tool creates when writing output to a file (for tools that support the
outputFile argument, and when that argument is used to send the output to a
file) was never explicitly closed. It was implicitly closed when the tool
exited, but this could cause problems in cases where a program programmatically
invoked the tool and then tried to do something with the output file in the same
JVM process.
-
Added a StaticUtils.isIANAReservedIPAddress method that can be used to determine
whether a provided IPv4 or IPv6 address is contained in an IANA-reserved range,
optionally including ranges that are reserved for private-use networks (for
example, home networks, corporate LANs, etc.).
-
Updated the ChangeLogEntry class so that it will fall back to using
includedAttributes if the deletedEntryAttrs attribute does not exist. This can
help parse deleted attributes from OpenDJ changelog entries.
-
Updated the LDAP SDK's support for passphrase-based encryption to provide better
support for explicitly specifying the type of cipher that should be used.
Previously, you could request either a baseline level of protection (which would
have always been based on 128-bit AES) or the strongest supported level of
protection (which would have either been based on 128-bit or 256-bit AES,
depending on what the underlying JVM supported). It is now possible to
explicitly request 128-bit or 256-bit AES, with attempts to use the latter
failing if the JVM doesn't support it. This framework will provide even more
flexibility if we add support for additional cipher types in the future.
-
Added client-side support for a new ds-pwp-modifiable-state-json operational
attribute that may be used to manipulate a select set of password policy state
properties in the Ping Identity Directory Server.
-
Added client-side support for a new remove attribute type task that can be used
to safely remove an attribute type definition from a Ping Identity Directory
Server's schema. It will make sure that the attribute type is not in use in the
server before removing it.
-
Added client-side support for interacting with AES256-encoded passwords in the
Ping Identity Directory Server.
-
Updated the Filter.matchesEntry method to add limited support for extensible
matching filters that contain both an attribute type and matching rule ID,
whose matching rule ID targets the jsonObjectFilterExtensibleMatch matching
rule, and whose dnAttributes flag is not set. These filters can be used to
identify entries with attribute values that are JSON objects matching a given
JSON object filter.
-
Updated support for the proprietary uniqueness request control to make it
possible to indicate whether the server should raise an administrative alert if
an un-prevented conflict is detected during post-commit validation, and to
indicate whether the server should create a temporary conflict prevention
details entry to provide better support for preventing conflicts that arise from
other concurrent updates.
-
Deprecated the client-side code related to support for interactive transactions
in the Ping Identity Directory Server, including the MoveSubtree option for
using interactive transactions when moving a subtree. The classes for starting
and ending an interactive transaction and for using the interactive transaction
specification control have also been excluded from the Javadoc documentation.
The server-side functionality has been deprecated and hidden in the server for
many releases (including all currently supported versions) and should no longer
be used.
-
Updated the documentation to include the latest versions of
draft-melnikov-scram-sha-512, draft-melnikov-scram-sha3-512, and
draft-ietf-kitten-password-storage in the set of LDAP-related specifications.
Version 5.1.1
The following changes were made between the 5.1.0 and 5.1.1 releases:
-
Added new @NotNull and @Nullable annotation types and updated the LDAP SDK
codebase to mark all non-primitive fields, parameters, and return values to
indicate whether they may or may not be null. These annotations will appear in
the generated Javadoc documentation, and they will be available for runtime
introspection by IDEs and other tools.
-
Improved the logic used to validate certificate hostnames. The previous
implementation handled certificates that used wildcards in hostnames, but only
in the CN attribute of the subject DN or in the dNSName element of a subject
alternative name extension, and only for cases in which the leftmost component
of the hostname was comprised entirely of a wildcard. It now handles the case
in which the wildcard is combined with additional text, and it also handles
wildcards in hostnames in uniformResourceIndicator elements of a subject
alternative name extension. It also does a better job of handling IP address
matching in URI elements of the subject alternative name extension or in the CN
attribute of the subject DN. Further, there is now an option that allows you to
indicate whether to match a hostname against the CN attribute of a certificate
even if that certificate has a subject alternative name extension with at least
one dNSName, iPAddress, or uniformResourceIdentifier element. Even though this
is not permitted by RFC 6125 section 6.4.4, LDAP clients historically treat both
sources as equally valid.
-
Fixed issues in the code used to format strings in the comma-separated values
(CSV) format. Previously, all ASCII control characters and all non-ASCII
characters were silently dropped from the output. They are now included, but
the value will be in quotes (and may span multiple lines if the value to format
includes line breaks). Further, it had previously used a backslash to escape
any double quotes in the data (like '\"'), but RFC 4180 states that each double
quote should be escaped by preceding it with another double quote (like '""').
The LDAP SDK now uses the RFC-specified behavior for escaping double quotes, but
the former behavior can be requested by either using the
FormattableColumn.setCSVQuoteEscapeCharacter method, or by setting the
com.unboundid.util.FormattableColumn.csvQuoteEscapeCharacter system property to
a value that contains only the backslash character.
-
Fixed an issue that prevented command-line tools from performing all necessary
validation when run in interactive mode. For tools that support subcommands,
the interactive mode processor did not attempt to validate required, dependent,
and exclusive argument sets for the selected subcommand. This could cause the
tool to run with an inappropriate set of arguments, which may result in
unexpected errors. This was only an issue for commands run in interactive mode,
and all appropriate validation was already being performed for tools run in
non-interactive mode.
-
Updated ldapsearch to add multi-valued-csv and multi-valued-tab-delimited output
formats for ldapsearch. These are like the existing csv and tab-delimited
output formats, but whereas those formats only include the first value for
multivalued attributes, the new formats include all values with the vertical bar
(|) character as the delimiter between values.
-
Updated the ldappasswordmodify tool to default to using the password modify
extended operation if the attempt to retrieve the root DSE fails for some reason
(e.g., because of an access control problem, or because the requester's account
is in a "must change password" state). The tool would previously exit with an
error if it couldn't retrieve the root DSE.
-
Updated the authrate tool so that the --filter argument is not required if the
--bindOnly argument is provided.
-
Updated the ldapcompare tool so that it always uses an exit code of zero
(corresponding to the LDAP SUCCESS result code) by default if all compare
operations are processed successfully, regardless of whether the compare
assertions matched or did not match the target entries. Previously, the tool
would use an exit code of 5 (corresponding to the COMPARE_FALSE result code) or
6 corresponding to the COMPARE_TRUE result code) if only a single compare
operation was processed and completed with that result code, but this may cause
issues with scripts that invoke the tool and expect that a nonzero exit code
indicates that the tool did not complete successfully. The
--useCompareResultCodeAsExitCode argument can be used to explicitly indicate
that the tool should use an exit code of 5 or 6 if only a single compare
operation was attempted and it completed with a result code of COMPARE_FALSE or
COMPARE_TRUE, respectively.
-
Updated the ldapcompare tool to allow reading the raw assertion value from a
file. If this option is used, then the attribute name or OID should be followed
by a single colon, a less-than sign, and the path to the file from which the
value should be read. Note that if this option is used, then the exact bytes of
the specified file, including any line breaks, will be used as the assertion
value.
-
Updated ldifsearch so that all non-LDIF output is written as LDIF comments so
that output will not interfere with the ability to parse the remaining output as
LDIF.
-
Added support for the OAUTHBEARER SASL mechanism as described in RFC 7628.
-
Updated the LDAP command-line tool framework to add support for authenticating
with additional SASL mechanisms, including OAUTHBEARER, SCRAM-SHA-1,
SCRAM-SHA-256, and SCRAM-SHA-512.
-
Added support for a new get recent login history control that will be supported
in an upcoming release of the Ping Identity Directory Server. The request
control may be included in a bind request to indicate that a successful bind
result should include information about other recent successful and failed
authentication attempts for that account. The ldapsearch and ldapmodify
command-line tools have been updated to include support for this control.
-
Updated support for the password policy state extended operation and the
manage-account command-line tool (both of which are specific to the Ping
Identity Directory Server) to provide support for retrieving and clearing a
user's recent login history.
-
Updated support for the Ping Identity Directory Server's ds-pwp-state-json
virtual attribute to handle additional fields related to a user's recent login
history. This includes fields that can be used to retrieve the history, the
maximum number of successful and failed login attempts the server should
maintain, and the maximum age in seconds of successful and failed login attempts
that the server should maintain.
-
Updated the password policy state extended operation and the manage-account
command-line tool (both of which are specific to the Ping Identity Directory
Server) to provide support for a property (that can be retrieved, set, and
cleared) that specifies the last time that password validators were invoked
during a bind operation for the user, and for a property (that can be retrieved
and set) that indicates whether the account is locked because it contains a
password that does not satisfy all of the configured password validators.
-
Updated support for the Ping Identity Directory Server's ds-pwp-state-json
virtual attribute to handle additional fields related to password validation for
bind operations. This includes fields for the time that validation was last
performed, the minimum length of time between validations, the action the server
should take for a bind operation in which the provided password fails to satisfy
one or more of the configured password validators, and whether the account is
currently locked because it contains a password that does not satisfy all of the
configured password validators.
-
Updated support for the Ping Identity Directory Server's ds-pwp-state-json
virtual attribute to handle additional fields related to the quality
requirements that must be satisfied for passwords included in add, self change,
administrative reset, and bind operations.
-
Updated the set of potential authentication failure reasons for the Ping
Identity Directory Server to include an additional failure type for use in cases
in which a password used in a bind request failed to satisfy all of the
configured password validators.
-
Added a new password policy state account usability error that the Ping Identity
Directory Server can use if an account is locked because it contains a password
that does not satisfy all of the configured password validators.
-
Added a new password policy state account usability warning that the Ping Identity
Directory Server can use if an account is locked because it contains a password
that is encoded with a deprecated password storage scheme.
-
Updated support for the collect-support-data functionality offered by the Ping
Identity Directory Server to include the ability to specify the amount of data
to capture from the beginning and end of each log file. This includes the
collect-support-data command-line tool as well as the administrative task and
extended operation that can be used to invoke the tool.
-
Fixed an issue with the ldifsearch, ldifmodify, and ldif-diff tools that could
arise if they were run in a manner that would case the output to be both
compressed and encrypted. The data should have been compressed before it was
encrypted, but instead the compression was applied after encryption. This makes
the compression ineffective, and it also makes the output less compatible with
tools that rightfully expect compression to be applied before encryption.
-
Fixed an issue with the ldifsearch tool in which it could fail to properly
finalize the output file when using compression or encryption, potentially
leaving buffered data unwritten.
-
Updated the ldifmodify tool so that it no longer reports an error when it is
only used to add one or more entries to an empty source LDIF file.
-
Updated the ldifmodify tool to use lenient mode by default for modifications.
In this mode, the tool will ignore attempts to update an entry to add an
attribute value that already exists or to remove an attribute value that does
not exist. This mode was previously available when using the
--lenientModifications argument, but the default lenient mode was found to cause
compatibility issues with other versions of the ldifmodify tool. A new
--strictModifications argument has been added to allow the tool to run in the
former strict mode if desired. The existing --lenientModifications argument
still exists for the purpose of backward compatibility with scripts that try to
use it, but it is hidden so that it doesn't appear in the usage.
-
Updated the LDAP SDK so that when displaying a command that is split across
multiple lines, it will use an appropriate continuation character for the
underlying platform. It previously always used the backslash character (also
known as a reverse solidus) for this purpose, which is appropriate for Linux and
UNIX-based systems, but it now uses the caret (or circumflex accent) character
on Windows.
-
Fixed an issue with the ldifsearch tool that caused its usage output to include
example arguments and descriptions from the ldif-diff tool.
-
Fixed a typo in the manage-certificates usage output for the
generate-certificate-signing-request subcommand. The key-size-bits argument
inadvertently reused the description for the key-algorithm argument instead of
including the appropriate text.
-
Updated the documentation to include the latest versions of
draft-ietf-kitten-gss-sanon, draft-melnikov-scram-2fa, and
draft-melnikov-scram-sha3-512 in the set of LDAP-related specifications.
Version 5.1.0
The following changes were made between the 5.0.1 and 5.1.0 releases:
-
Fixed an issue in which the JVM-default trust manager did not always properly
handle cross-signed certificates. If the presented certificate chain included
an issuer certificate that was outside of its validity window, then that chain
would have always been rejected. The trust manager will now check to see
whether it is possible to construct an alternate path to a different trusted
root that is currently valid, and if so, then the presented chain will be
considered trusted.
-
Added a new SchemaValidator class and an accompanying validate-ldap-schema
command-line tool that can examine schema definitions in one or more LDIF files
to identify potential issues like unparseable definitions, elements with
references to other elements that aren't defined in the schema, invalid names or
OIDs, empty descriptions, and invalid object class inheritance. The types of
validation to perform can be customized to allow the validator to be more strict
or lenient as desired.
-
Added an ldappasswordmodify tool that can be used to update passwords for users
in an LDAP directory server. It supports changing passwords using the password
modify extended operation, a a regular LDAP modify operation, or an Active
Directory-specific modify operation.
-
Added a new version of the ldapcompare tool that provides a lot of additional
functionality. It supports performing multiple compare assertions, a number of
bind and compare request controls, and tab-delimited text, CSV, and JSON output
formats.
-
Added an ldifsearch tool that can be used to find entries in one or more LDIF
files that match given sets of criteria.
-
Added an ldifmodify tool that can be used to apply add, delete, modify, and
modify DN updates read from a changes file to entries read from a source LDIF
file, writing the updated entries to a target LDIF file.
-
Added an ldif-diff tool that can be used to compare the contents of two LDIF
files. The differences will be written as the set of LDIF add, delete, and
modify change records needed to convert the set of entries in the source LDIF
file into the set of entries contained in the target LDIF file.
-
Updated the in-memory directory server to allow adding custom attributes to the
otherwise dynamically generated root DSE. It was already possible to override
the root DSE entry with a static entry provided in the configuration, but that
would prevent certain state-maintaining attributes (for example,
firstChangeNumber and lastChangeNumber) from being accurately reflected. It is
now possible to provide a set of custom attributes to include in the root DSE
while allowing the server to dynamically generate any other attributes that the
server normally maintains. Note that if the server is configured with any
custom root DSE attribute that has the same name as an attribute that would
normally be dynamically generated, the custom attribute will take precedence
over the dynamically generated version.
-
Updated the in-memory directory server so that it can return entries with the
ldapSubEntry object class if the filter includes an "(objectClass=ldapSubEntry)"
component. The server may also return entries without the ldapSubEntry object
class if the filter matches them. For example, to return all entries that do
and do not contain the ldapSubEntry object class, you may now search with a
filter of "(|(objectClass=*)(objectClass=ldapSubEntry))".
-
Updated the command-line tool that may be used to launch an instance of the
in-memory directory server so that it will validate any schema definitions
provided via the --useSchemaFile argument and report error or warning messages
for any problems that it identifies with those definitions. Note that other
than potentially displaying additional messages at startup, this will not
actually change the behavior of the server in any way. It will still attempt
to use those schema definitions to the best of its ability, but it will now be
easier to detect problems that could affect their use whereas such issues had
previously been silently ignored. These messages may be suppressed using the
new --doNotValidateSchemaDefinitions if they are not wanted.
-
Added support for the LDAP subentries request control as described in RFC 3672.
The LDAP SDK already provided support for the version of the LDAP subentries
request control described in draft-ietf-ldup-subentry, but these are different
controls with different OIDs and slightly different behaviors; the draft version
of the control will cause only matching entries with the ldapSubEntry object
class to be included in search results, while the RFC version of the control
includes a Boolean value indicating whether to only return entries with the
ldapSubEntry object class or to return both regular entries and subentries.
-
Deprecated the existing SubentriesRequestControl class (which implemented
support for the control described in draft-ietf-ldup-subentry) in favor of two
new classes, DraftLDUPSubentriesRequestControl and
RFC3672SubentriesRequestControl. This will help avoid confusion and ambiguity
over which version of the control is to be used. The deprecated class remains
a fully functional implementation of the draft specification and will be
retained for the purpose of backward compatibility, but all new uses should
choose either the DraftLDUPSubentriesRequestControl class or the
RFC3672SubentriesRequestControl class to make it clearer which version of the
control should be used.
-
Updated the ldapsearch command-line tool to include support for the RFC 3672
version of the subentries request control. The existing --includeSubentries
argument is still supported for the purpose of backward compatibility, but the
public identifier for that argument is now --draftLDUPSubentries, and the
--includeSubentries identifier has been hidden. A new --rfc3672Subentries
argument is available to indicate that the RFC version of the control should
be used, and this argument takes a value of either "true" (to indicate that
only subentries should be returned) or "false" (to indicate that both subentries
and regular entries should be returned).
-
Updated the in-memory directory server with support for the RFC 3672 version of
the subentries request control. It already provided support for the
draft-ietf-ldup-subentry version of the control.
-
Added a "values-only" output format for the ldapsearch command-line tool. If
this output format is selected, only attribute values will be included in the
output, without output names, entry DNs, or blank lines between entries. This
output format makes it easier to extract raw attribute values from a directory
server.
-
Added a "--requireMatch" argument to the ldapsearch command-line tool. If this
argument is provided and the search operation completes successfully but does
not return any matching entries, then the tool will complete with an exit code
of 94 (noResultsReturned), rather than the usual exit code of 0 (success).
This argument only affects the tool exit code; it will not have any visible
effect on the output.
-
Updated the round-robin and fewest connections server sets to expose the
blacklist manager. Clients may use this to obtain information about servers
that are temporarily considered unavailable.
-
Updated the manage-certificates tool make it easier to list and export
certificates from the JVM's default trust store. The new
--use-jvm-default-trust-store argument can be used as an alternative to the
existing --keystore argument to indicate that it should use the JVM's default
set of trusted issuer certificates without the need to provide the path to the
appropriate cacerts file.
-
Improved the logic that the LDAP SDK uses when selecting ordering and substring
matching rules for the case in which the attribute type is defined in a schema
that is available to the LDAP SDK, but the attribute type definition does not
specify the ordering or substring rule to use for that attribute. In such
cases, the LDAP SDK would previously try to determine an appropriate default
based on the attribute syntax, and failing that, just use a default rule with
case-insensitive matching. It will may now try to select a more appropriate
ordering or substring rule based on the equality matching rule for the attribute
type before checking the syntax. This can help provide more expected behavior
for an attribute type with an equality matching rule that the LDAP SDK supports
but is not the default rule for its associated syntax.
-
Added a new TopologyRegistryTrustManager class that can read the configuration
file for a Ping Identity Directory Server instance to obtain information about
certificates for that instance and other instances in the topology.
-
Updated the LDAP command-line tool framework so that if it detects that the tool
is running as part of a Ping Identity Directory Server installation, and if no
trust-related arguments are provided for that tool, then it will include the
server's default trust store and topology registry in the set of sources that
that it will consider (which already included the JVM-default trust manager)
before resorting to interactively prompting the user about whether to trust the
presented certificate chain. In most cases, this will allow these tools to
trust the local instance, and other instances in the same topology, for secure
communication without the need for providing trust-related arguments on the
command line.
-
Streamlined and improved the behavior that LDAP command-line tools exhibit when
run in interactive mode. The interactive process will now prefer secure
communication over unencrypted connections, with LDAPS preferred over LDAP with
StartTLS. It will no longer prompt for trust-related arguments by default,
automatically trusting certificates signed by an issuer in the JVM's default
trust store or falling back to interactive confirmation, although it is still
possible to specify an alternate trust configuration if desired. It will now
prefer LDAP simple authentication over unauthenticated connections, and it will
no longer ask you to confirm the bind password (although it will allow you to
re-enter settings if it can't authenticate with the given password). Finally,
if the tool is part of a Ping Identity Directory Server installation, it will
now select the default port and communication security type based on options
defined in the server configuration, and it can automatically trust certificates
that the server considers trusted.
-
Made several improvements to the summarize-access-log tool, which may be used to
analyze and provide a summary of the contents of Ping Identity, UnboundID, or
Nokia/Alcatel-Lucent 8661 server access logs. You can now customize the maximum
number of values to display for each item (the tool previously used a hard-coded
limit of 20 values), and it will now tell you how many values were omitted. You
can also choose to de-anonymize the output to obtain more specific values,
whereas filters and DNs were previously always generified by replacing attribute
values with question marks. The summary will now also include information about
the most common TLS protocols and cipher suites, the most common successful and
failed bind DNs, the most common alternate authorization DNs, the most common
authentication mechanisms, the most common filters used for unindexed searches,
the most common base DNs for searches with non-base scopes, the filters used for
the searches taking the longest to complete, and the most common filters for
searches returning zero, one, and multiple entries. Finally, when summarizing
the most commonly invoked types of extended operations, the tool will now try to
provide a human-readable name for the extended operation in addition to its OID.
-
Added client-side support for password policy state information from the
ds-pwp-state-json virtual attribute that may be generated by the Ping Identity
Directory Server.
-
Added client-side support for a new populate composed attribute values task for
use in conjunction with the Ping Identity Directory Server.
-
Added client-side support for a new generate server profile task for use in
conjunction with the Ping Identity Directory Server.
-
Added an OID.parseNumericOID method that can be used to parse a provided string
as a valid numeric object identifier, optionally performing strict validation.
If the provided string is not a valid numeric OID, this method will throw an
exception that provides the reason the string is considered invalid. While the
LDAP SDK previously made it possible to determine whether a given string
represented a valid numeric OID, that method only returned a boolean value and
did not provide a way to obtain the reason it was invalid.
-
Updated the LDAP SDK to provide more useful error messages for problems that may
arise while parsing schema definitions. While the previous error messages
specified what the problem was, the updated message will make it easier to
pinpoint the problem in the schema definition by including the name of the
component in which the problem was identified. For example, if an attribute
type definition contained an empty description, the previous error message would
simply say that the element was invalid because it contained an empty quoted
string, but it will now say that it was in the value for the DESC element.
-
Updated the code used to parse schema elements to allow the DESC component to be
an empty string. While empty quoted strings are not allowed in schema elements
as per RFC 4512 section 4.1, some servers permit the DESC element to violate
this restriction, and it may therefore be necessary to parse schema elements
with empty descriptions. Empty descriptions are still not allowed by default,
but this can be now overridden with a code change or by setting a system
property.
-
Added an IA5 string argument value validator that can be used to ensure that
values for associated arguments are only allowed to contain ASCII characters
(that is, characters from the IA5 character set). It may optionally be
configured to accept or reject empty strings.
-
Updated the manage-certificates tool to improve the validation that it performs
for DNS names and email addresses provided for use in the subject alternative
name or issue alternative name extensions. These fields are declared with an
IA5 string syntax, which means that their values are only allowed to contain
ASCII characters. Previously, attempts to use a value with a non-ASCII
character would fail with an internal error when attempting to create the
extension. The tool will now report a more user-friendly error message.
-
Added StaticUtils methods that can be used to determine if a provided string is
comprised only of ASCII characters, or only of printable ASCII characters. The
LDAP SDK already provided variants of these methods that operated on byte
arrays, but it now also offers versions that work for strings.
-
Added StaticUtils methods for encoding and decoding timestamps in the ISO 8601
format described in RFC 3339.
-
Fixed an issue with StaticUtils.isASCIIString(String) in which it could fail to
properly identify all non-ASCII characters because it only looked at the lower
byte for each character.
-
Added new ByteStringBuffer utility methods, including convenience methods for
getting individual bytes or sets of bytes at a specified position, for
determining whether the buffer starts with or ends with a given set of bytes,
and for reading the contents of a file or input stream into the buffer.
-
Added new StaticUtils utility methods for reading and writing files as bytes,
strings, or lists of lines.
-
Added new password policy state account usability warning and notice types for
use in conjunction with the Ping Identity Directory Server to indicate that the
user's account has too many outstanding failed authentication attempts, but that
the user will not actually be prevented from authenticating as a result of their
password policy configuration.
-
Updated the support for the version monitor entry in the Ping Identity Directory
Server to provide a getRevisionID method that can be used to retrieve a string
that identifies the source revision from which the server was built. The former
getRevisionNumber method has been deprecated, as the server may not have been
checked out from a version control system that uses numeric revision IDs.
-
Fixed an issue in debug logging that could prevent a debug message including an
exception with an underlying cause from being parsed as a valid JSON object.
-
Updated command-line tools so that if the --help-sasl argument is used in
conjunction with a --saslOption argument that provides a "mech" option that
specifies a mechanism name, then only the options for that mechanism will be
displayed. If no mechanism is specified, or if the specified mechanism is not
recognized, then information will be displayed for all available mechanisms.
-
Fixed an issue in the command-line tool framework that could arise when setting
the value of a usage argument through a properties file. In some cases, the
tool could exit with an error if the usage argument was set through a properties
file even though it would have succeeded if that same argument had been provided
directly on the command line.
-
Updated the default standard schema provided with the LDAP SDK to include
additional attribute syntaxes, matching rules, attribute types, and object
classes.
-
Updated the documentation to include draft-ietf-kitten-gss-sanon,
draft-ietf-kitten-password-storage, and draft-melnikov-scram-sha-512 in the set
of LDAP-related specifications.
Version 5.0.1
The following changes were made between the 5.0.0 and 5.0.1 releases:
-
Added an LDAP connection logger API that can be used to keep a record of
processing performed by the LDAP SDK, including successful and failed connection
attempts, operation requests and responses (including search result entries,
search result references, and intermediate responses), and disconnects. The
LDAP SDK includes a logger capable of formatting these messages as JSON objects,
but the API is extensible, so custom implementations may be created to use
alternate formats if desired.
-
Fixed an issue that prevented the collect-support-data tool from running
properly in local mode when using a secure connection.
-
Updated LDAP command-line tools to allow "--host" or "--address" as an
alternative to "--hostname" as the name of the argument used to specify the
address of the target server.
-
Applied minor updates to the usage output for several command-line tools to
improve wording and fix typos.
Version 5.0.0
The following changes were made between the 4.0.14 and 5.0.0 releases:
-
As of the 5.0.0 release, the UnboundID LDAP SDK for Java is available under the
terms of the Apache License, Version 2.0. This is a very permissive
OSI-approved open source license that should be suitable for just about any use
case. We recommend choosing this license for all new users of the LDAP SDK, but
it remains available under the terms of the former GPLv2, LGPLv2.1, and
UnboundID LDAP SDK Free Use License options.
-
Fixed an issue that could interfere with GSSAPI authentication in cases where
a JAAS login module configuration was loaded and cached by the JVM before all
the appropriate system properties had been set for the login attempt. The
configuration is now refreshed before attempting to create the login context
so that the system property changes will be applied.
-
Updated the LDAP SDK's support for defining the properties needed to create LDAP
connections or connection pools in a JSON file to add an option to use the
JVM-default trust store. It may be used either on its own or in conjunction
with a trust store file.
-
Updated the key store key manager to provide support for validating that the
provided key store can actually be used. If enabled and no alias is provided,
this validation will ensure that the key store contains at least one private key
entry in which all certificates in the chain are currently within their validity
window. If an alias is provided, then that alias must reference a private key
entry in which all certificates in the chain are within their validity window.
The LDAP command-line tool framework has been updated so that validation will be
performed if the keyStorePath argument is provided.
-
Updated the trust store trust manager to remove unnecessary synchronization and
improve concurrency.
-
Fixed an issue that could cause the LDAP debugger request handler (used used by
the ldap-debugger tool and by the in-memory directory server's LDAP debug
logging) to hold messages in an internal buffer rather than make them
immediately available. In some cases, this could significantly delay the
appearance of the messages or prevent them from appearing at all (if there
weren't enough messages generated to fill the buffer).
-
Updated the LDAP SDK's support for parsing information in the Ping Identity
Directory Server's general monitor entry to include support for the clusterName,
locationName, locationDN, and serverUUID attributes.
-
Fixed an issue that prevented the LDAP SDK from properly decoding 384-bit
elliptic curve public keys in X.509 certificates. This did not affect the
LDAP SDK's ability to use such certificates for TLS communication, but it
did prevent the manage-certificates tool from displaying detailed information
about the key when listing a certificate.
-
Fixed an issue that could prevent the LDAP SDK from properly decoding an X.509
certificate extension that made use of a general names element with a
directoryName component. This did not affect the LDAP SDK's ability to use
certificates containing such extensions for TLS communication, but it did
prevent the manage-certificates tool from displaying detailed information
about the extension when listing a certificate.
-
Added a JSON access log request handler that can be used with the LDAP listener
framework to record JSON-formatted information about the operations that have
been processed. The in-memory directory server has been updated to make it
easy to use this request handler.
-
Updated the debugging framework to format debug messages as JSON objects.
-
Added client-side support for an extended operation that may be used to invoke
the collect-support-data utility in the Ping Identity Directory Server and
stream the resulting output and support data archive back to the client through
intermediate response messages.
-
Added client-side support for an administrative task that may be used to invoke
the collect-support-data utility in the Ping Identity Directory Server.
-
Added a new collect-support-data command-line tool that can be used to obtain a
range of useful information about an instance of the Ping Identity Directory
Server (or related product, like the Directory Proxy Server, Synchronization
Server, or Data Governance Server) that can help support personnel troubleshoot
problems or better understand the server configuration and the environment in
which it is running. All of the data collection logic is actually provided by
server-side code, but the tool is included in the LDAP SDK so that it can be
invoked from a client system that does not have a full server installation.
-
Updated the Version class to add methods that can be used to obtain LDAP SDK
version information. The version information could previously only be obtained
by directly referencing the public static final constant values that the Version
class exposes, but referencing those constant values from an external class
could cause the Java compiler to compile those hard-coded values directly into
that external class. If the LDAP SDK library was replaced with a new version
without recompiling the source code, the compiled-in constant values could no
longer accurately reflect the version of the LDAP SDK being used. Obtaining
LDAP SDK version information using the new method calls rather than the
constants can help avoid this problem.
Version 4.0.14
The following changes were made between the 4.0.13 and 4.0.14 releases:
-
Fixed an issue in which LDAP URLs with consecutive percent-encoded bytes were
not decoded correctly.
-
Fixed an issue that could cause the LDAP SDK to incorrectly handle data read
from a server when the communication is protected with SASL integrity or
confidentiality.Thanks to Boris Danilovich for reporting this problem and
identifying the cause.
-
Fixed an issue that prevented the searchrate tool from running if neither a base
DN pattern nor an LDAP URL pattern was provided.
-
Improved the logic that the LDAP SDK uses when choosing the cipher suites to
offer when establishing a TLS-secured connection. Weaker suites are disabled,
and the enabled suites are prioritized so that those offering forward secrecy
and the strongest encryption are preferred.
-
Added a new FullLDAPInterface interface that extends LDAPInterface and adds
support for the close, bind, and processExtendedOperation methods. The existing
LDAPConnection, AbstractConnectionPool, and InMemoryDirectoryServer classes have
been updated to implement this interface rather than its LDAPInterface
superclass.
-
Added a new non-final MockableLDAPConnection class that makes it easier to mock
an LDAPConnection instance. It implements FullLDAPInterface and wraps a
provided LDAPConnection instance. If you create a MockableLDAPConnection
subclass, then you may override any of the FullLDAPInterface methods to
implement your own behavior. Any non-overridden methods will simply invoke the
corresponding method on the provided LDAPConnection instance.
-
Fixed a minor typo in the ldapsearch usage information.
Version 4.0.13
The following changes were made between the 4.0.12 and 4.0.13 releases:
-
Added connection pool debugging support. The debugging covers checking out,
releasing, establishing, and closing connections for use in the pool, as well as
closing the pool itself.
-
Updated the passphrase-encrypted output stream to provide an option to override
the default key factory iteration count (16,384 rounds when using the baseline
encryption strength and 131,027 rounds when using the strong encryption option).
-
Updated support for the exec task to make it possible to specify the path to the
working directory to use when executing the command. Previously, the server
would always use the instance root directory as the working directory, and that
will still be the default if no working directory is specified.
-
Fixed an issue in the prompt trust manager that could cause it to display an
incorrect warning for some certificates with a basic constraints extension with
a path length constraint.
-
Fixed an issue in the encoding and decoding of X.509 certificates that
included an authority key extension that included the optional
authorityCertIssuer element.
-
Fixed an issue in manage-certificates when displaying verbose information about
a certificate that included the key usage extension. It failed to properly
indicate when the key agreement flag was set in the extension.
-
Updated the manage-certificates check-certificate-usability command to add an
additional check to see whether the certificate at the root of the chain is
found in the JVM's set of trusted issuer certificates. If the CA certificate
is not found in the JVM's default trust store, a notice will be displayed, but
the tool will still complete with a success result.
-
Made the ManageCertificates.readCertificatesFromFile method public so that it
can be used outside of the LDAP SDK. This method can be used to read a set of
PEM-encoded or DER-encoded X.509 certificates from a specified file.
-
Made the ManageCertificates.readCertificateSigningRequestFromFile method public
so that it can be used outside of the LDAP SDK. This method can be used to read
a PEM-encoded or DER-encoded PKCS #10 certificate signing request from a file.
-
Added an additional StaticUtils.getEnvironmentVariable method that allows you to
provide a default value that should be used if the requested environment
variable is not set.
-
Updated StaticUtils to add a getStackTrace method variant that allows you to
limit the number of stack trace frames to include from code before the call into
the LDAP SDK. Also updated the StaticUtils.getExceptionMessage behavior for a
NullPointerException so that it now shows all frames from the LDAP SDK (and
anything that the LDAP SDK calls), and up to three frames from code before the
call into the LDAP SDK.
Version 4.0.12
The following changes were made between the 4.0.11 and 4.0.12 releases:
-
Fixed an issue that could cause the write timeout handler (used to ensure that
connections are terminated if a write attempt is blocked for longer than the
maximum allowed length of time) to leave a thread running after all connections
had been closed. The timeout handler had previously used a single timer that is
shared by all connections for the life of the JVM. It will now share a timer
across all connections that are established concurrently, but the timer instance
will be destroyed when the last active connection is closed. If a new
connection is established after the timer has been destroyed, a new timer will
be created, and that timer may be shared by any other connections created after
that as long as at least one connection remains active.
-
Fixed an issue that could cause the LDAP SDK to leak a write timeout timer task if
it is unable to establish successfully establish a connection.
-
Fixed an issue with the JVM-default trust manager that could arise if the
certificate chain presented during TLS negotiation was not a complete chain, and
in which the last certificate in the chain is not in the JVM's list of trusted
issuers. If the last certificate in the chain is not self-signed and not found
in the set of trusted issuers, the trust manager will now check to see if that
certificate has an authority key identifier extension, and if so, whether any of
the trusted issuers has a subject key identifier extension with a matching key
ID. If so, and if that trusted issuer signed the last certificate in the
provided chain, then the chain will be trusted.
-
Fixed an issue in the code for parsing schema element definitions in which an
attempt to parse a malformed schema definition could incorrectly result in an
LDAPException with an INVALID_DN_SYNTAX result code instead of the more
appropriate INVALID_ATTRIBUTE_SYNTAX result code.
-
Fixed an issue in the persistence framework logic used to create LDAP attributes
from Java objects. While it was intended to select an appropriate matching rule
from the corresponding Java data type, this code was only used when generating
attribute type definitions to be added to the server schema, and the attribute
objects created by the persistence framework always used a default matching rule
intended for case-insensitive strings. The created attributes now use a
matching rule selected from the corresponding Java data type.
-
Updated manage-certificates to use the SHA-1 digest algorithm instead of 256-bit
SHA-2 when generating the subject key identifier for certificates and
certificate signing requests. It appears that the Microsoft CA cannot handle
256-bit subject key identifiers, and therefore could not sign the CSRs with
256-bit subject key identifiers that manage-certificates had generated.
-
Added client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512
SASL mechanisms.
-
Added client-side support for the generate password request and response
controls, which may be used in an add operation to have the server generate a
password for the new entry. Support for this control will be included in an
upcoming version of the Ping Identity Directory Server.
-
Added client-side support for the generate password extended request and
response, which may be used to request that the server generate one or more
passwords that may be suggested to an end user when creating or updating
an entry. Support for this extended operation will be included in an upcoming
version of the Ping Identity Directory Server.
-
Updated the ldapmodify command-line tool to provide an option to include the
generate password request control in add requests, and to display information
from a corresponding generate password response control if it is present in the
add result.
-
Updated the transform-ldif tool to add options for excluding LDIF records by
change type, and for excluding LDIF records that do not have a change type (and
are therefore considered entries).
-
Added a CommandLineTool.requestToolArgumentsInteractively method that can be
used to override the LDAP SDK's default interactive mode processing for a tool.
If a tool supports interactive mode and overrides this method, then the
processing performed by that method will be used to obtain the command-line
arguments that should be used to actually run the tool.
-
Added ArgumentParser.addMutuallyDependentArgumentSet methods that can be used to
define a set of arguments that are mutually dependent such that if any of the
arguments is provided, then all of them must be provided.
-
Added StaticUtils.linesToString convenience methods that can convert a list or
array of strings to a single string that includes line breaks (using the
platform-appropriate end-of-line sequence) after each line.
-
Updated the command-line tool interactive mode processor so that when it prompts
for a password, PIN, or other sensitive argument that does not get echoed to the
terminal, it will now prompt to confirm the value to help ensure that the user
entered it correctly.
-
Updated the command-line tool's interactive mode processor to change the
behavior that it exhibits when displaying what will be invoked. Previously, it
only displayed a list of the arguments to be provided to the tool. It will now
include the name of the command, and it will end all but the last line with a
backslash as an indicator that the command continues onto the next line. This
makes it easier to copy and past the command without needing to edit it (or it
at least reduces the amount of editing required).
-
Improved the error message that would be returned by the argument parser when
the value provided for a string or Boolean argument was not included in the set
of allowed values for that argument. It would previously just tell you that the
provided value was not allowed. It will now also provide a list of the allowed
values.
-
Fixed an issue in the search-and-mod-rate tool in which the search duration
times reported included not only the time required to process the search, but
also the time required to process the associated modify operations as well. If
rate limiting was used, then the search duration would also include the wait
before each modify attempt.
-
Fixed an issue in the manage-certificates tool in which the usage information
for the --key-size-bits argument to the generate-self-signed-certificate
subcommand inadvertently used the description for the --key-algorithm argument.
-
Added StaticUtils methods to obtain all addresses associated with all interfaces
on the local system, and to get the canonical host names associated with
addresses, but only if they can be resolved (that is, excluding those that just
resolve to the IP addresses).
Version 4.0.11
The following changes were made between the 4.0.10 and 4.0.11 releases:
-
Improved the LDAP SDK's protection against socket write attempts that block for
an indefinite length of time. This is only likely to occur when sending a large
number of asynchronous requests over a connection, and only in the case that the
server stops reading requests from the client, or if a networking problem
prevents the request from reaching the server and prevents the client from
receiving any information about that failure.
-
Added InMemoryDirectoryServer.applyChangesFromLDIF methods that can be used to
read LDIF change records and apply them to data in the server. The changes will
be applied atomically, and if any of the changes cannot be applied successfully,
then the server data will remain unchanged.
-
Added a new SubtreeDeleter utility class that can make it easier to delete a
specified subtree, optionally including or excluding the base entry for that
subtree. It provides a good client-side alternative to the subtree delete
request control, which isn't supported by all servers, and can sometimes be
problematic in servers that do support it.
-
Updated the in-memory directory server to improve the diagnostic message that is
returned when it rejects an add attempt because the provided entry is not within
any of the configured base DNs.
-
Improved the exception message that is generated if a failure occurs while
trying to create a TLS-based connection. If the JVM supports creating an
unconnected SSLSocket and then connecting it after the fact (which makes it
possible to specify a connect timeout), and that connection attempt failed (for
example, because the client did not trust the certificate presented by the
server), the LDAP SDK could think that the connection was still established.
Subsequent attempts to use the connection would fail, but the failure message
would not accurately reflect the true cause of the problem.
-
Updated the ldapsearch and ldapmodify command-line tools to use an unlimited
response timeout, which will prevent the tool from giving up on an operation if
it takes the server a long time to return any kind of response. Previously,
the tools used the LDAP SDK's default timeout of 5 minutes for searches and 30
seconds for add, delete, modify, and modify DN operations.
-
Updated the ldapmodify command-line tool to add a --clientSideSubtreeDelete
argument that can be used to cause each delete operation to be converted to a
client-side subtree delete operation, in which the tool will search for entries
to delete and then delete them individually. This makes it easier to delete
entries with subordinates on servers that either do not support the subtree
delete request control, or in which the client may not have permission to use
that control.
-
Updated the searchrate utility to allow specifying the base DN, scope, filter,
and requested attributes using LDAP URLs rather than individual attribute values
(note that any addresses and ports in the URLs will be ignored; the --hostname
and --port arguments will still be used to identify which servers to use). The
LDAP URL can be a fixed URL or it can be a value pattern (including the ability
to include variable content in the URLs, or to load URLs from a file). Using
LDAP URLs allows for more precise control over the combination of base DN,
scope, filter, and requested attributes on a per-request basis.
-
Updated the round-robin and fewest connections server sets to improve
concurrency. In previous implementations, these sets could only create one
connection at a time, which could limit the rate at which connection pools
using them could establish new connections. This is no longer the case, and
any number of threads will be able to create connections in parallel using the
server sets. This change also updated the ServerSet API to make it possible
for a server set to be notified whenever a connection created with that set has
been closed.
-
Updated the round-robin and fewest connections server sets so that they can
temporarily blacklist a server that was found to be offline. If an attempt to
create a connection to a server fails, or if that connection is found to be
unacceptable for some reason (e.g., it does not pass the associated health
check), subsequent connection attempts will avoid that server until a background
thread determines that it is available again. Blacklisted servers will still be
tried as a last resort if it is not possible to get an acceptable connection to
a non-blacklisted server. These server sets now use the blacklist by default,
but that can be disabled programmatically through the constructor or by setting
a system property before creating the server set.
-
Added a new indent-ldap-filter command-line tool that can help make it easier to
visualize complex filters with a lot of components, and especially a lot of
nesting. If possible, it can also try to simplify the filter (for example, to
remove unnecessary levels of nesting, like an AND inside an AND).
-
Added an ldapdelete command-line tool that can be used to delete entries from an
LDAP directory server. The DNs of the entries to delete can be provided on the
command line, read from a file, or read from standard input. Alternately, the
server can search for and delete all entries matching one or more filters. It
offers a number of options, including support for client-side and server-side
subtree deletes, rate limiting, and a variety of standard and proprietary
controls.
-
Updated the LDAPCommandLineTool API to add an option to expose an
--enableSSLDebugging argument. If this argument is available, and if it is
provided in the set of command-line arguments when the tool is run, then the
JVM's SSL/TLS debugging support will be enabled by setting the
"javax.net.debug" property to "all", and the JVM will write a large amount of
TLS-related debugging information to standard error. This can help troubleshoot
problems with or provide detailed information about any TLS communication that
the tool attempts.
-
Fixed an issue in generating the normalized representation of a multivalued RDN
when one or more of those components referenced an attribute type by its OID or
a name other than the first of its names. The normalized string representation
would have simply used an all-lowercase representation of the provided attribute
name rather than an all-lowercase representation of the primary name. Also
updated the logic used to determine whether an RDN has a specified name or
name-value pair to handle the use of alternate names, and exposed the
RDN.getNameValuePairs method to make it easier to work with an RDN's name-value
pairs.
-
Fixed a bug in the ByteStringBuffer.append(CharSequence,int,int) method in which
the final integer argument could be interpreted as the number of characters to
append rather than the end position at which to stop appending, which could
yield incorrect results when the method was called with a nonzero start
position. Also, updated the ByteStringBuffer.append methods that take
CharSequence arguments to eliminate the creation of an intermediate character
array, thereby improving performance and reducing garbage creation.
-
Updated the LDAP SDK to add protection against JVM security managers that may
prevent calls to certain methods, like attempts to interact with system
properties, environment variables, or logger levels.
-
Updated the password reader so that it will generate a more user-friendly error
message if it is run in a context when no console is available. A tool could
encounter this error if its output has been redirected, or if it's not running
in an interactive shell (for example, in a cron job or system startup script).
-
Dramatically improved the performance of the streamfile value pattern, which
operates like the sequentialfile value pattern in that it can iterate through
values in a file in sequential order, except that streamfile doesn't need to
hold the whole file in memory whereas sequentialfile does.
-
Updated the Filter.simplifyFilter method to simplify an AND filter containing an
LDAP false filter (an OR filter with zero components, which will never match
anything) to just that LDAP false filter, and to simplify an OR filter
containing an LDAP true filter (an AND filter with zero components, which will
match any entry) to just that LDAP true filter.
-
Added a PasswordValidationDetailsResponseControl.get(LDAPException) method that
makes it more convenient to get the response control from an unsuccessful
operation.
-
Enabled concurrent socket factory use for all versions of Java. In the past,
we have observed that at least some IBM JVMs had a thread safety issue with
SSL socket factory implementations, so we only allowed a socket factory to be
used concurrently by multiple threads on a whitelisted set of JVMs. We no
longer believe that the IBM JDK socket factory thread safety is an issue, and
there are now many more JVM vendors (e.g., Apple, Azul, Amazon Coretto,
AdoptOpenJDK, and potentially Red Hat), so concurrent socket factory use will
be enabled by default. If an issue is found ona particular JVM, then concurrent
access can be disabled programmatically or with a system property.
-
Updated the LDAP SDK's command-line tool framework to fix an issue with the
tool's validation for required, exclusive, and dependent argument sets. If an
argument was configured with a default value, then that value could have been
mistakenly treated as if it had been explicitly provided by the user. This
could cause problems for arguments that are part of an exclusive argument set
(in which only one of the arguments in that set may be provided) or a dependent
argument set (in which an argument can only be used if at least one of a
specified set of additional arguments is present). In such cases, the tool
could not have been used in interactive mode. The modrate tool was affected by
this issue.
-
Updated the argument parser to fix a problem with the way that it handles
backslash characters in argument properties files. It previously only correctly
handled backslashes if they were at the end of a line to indicate that the
content continued on to the next line, or if they were followed by the letter
'u' and the hexadecimal representation of the desired Unicode character. It did
not handle a backslash in front of other characters used to force that character
to be treated as a literal (for example, a backslash followed by an equal sign
should be treated as just the equal sign, but was instead being treated as a
backslash followed by an equal sign).
-
Updated the LDAP SDK build process to automatically generate documentation for
all of the command-line tools included with the SDK. Usages are provided in
both plain text and HTML, and the HTML documentation is linked from the main
documentation index page.
Version 4.0.10
The following changes were made between the 4.0.9 and 4.0.10 releases:
-
Fixed a bug in generating the normalized representation of an RDN with multiple
values that have the same attribute type (for example, "cn=foo+cn=bar"). In
such cases, the normalized representation of that RDN would have incorrectly had
only one value with that attribute type, and any other values with that same
attribute type would have been omitted. Further, because the normalized string
representation of an RDN is used for other purposes (like determining equality
and comparator ordering), this may fix other related issues as well.
-
Added additional methods for improved DN and RDN validation that make it
possible to require attribute names to strictly comply with the specification.
Previously, the methods for creating and validating DNs and RDNs from strings
were always lenient with what they would allow in attribute names because some
servers are lenient. That leniency is still the default for the sake of
backward compatibility, but there is now an option to require strict compliance
with the specification.
-
Improved support for TLSv1.3 in JVMs that support it (Java 11 and later). The
LDAP SDK will now automatically enable support for TLSv1.3 if it is available,
and will prefer that protocol if the server also supports it, but can still
transparently fall back to an earlier protocol version (TLSv1.2, TLSv1.1, or
TLSv1, whichever is the highest version that the server supports) if the server
does not support it. As before, the default and enabled set of TLS protocols
can be overridden programmatically by calling methods in the
com.unboundid.util.ssl.SSLUtil class, or by setting the
com.unboundid.util.SSLUtil.defaultSSLProtocol and
com.unboundid.util.SSLUtil.enabledSSLProtocols system properties when launching
the JVM.
-
Updated the process for establishing a secure connection to immediately start
the TLS handshake on the socket, rather than waiting for it to happen on the
first attempt to communicate over the connection. This can help ensure that the
connection is ready to use more quickly, and can help avoid timing issues in
certain cases where the prompt trust manager is used in other interactive
applications that prompt for user input.
-
Updated the in-memory directory server to reject search requests that include
filters with approximate-match or extensible-match components. The LDAP SDK
does not support client-side evaluation for these filter types, but the
in-memory directory server would previously just not return any matching entries
in response to a search request using either of these filter types. The new
behavior is more correct and makes it easier to troubleshoot unexpected behavior
for searches involving these filter types.
-
Updated the in-memory-directory-server command-line tool to add support for a
number of new arguments, including --generateSelfSignedCertificate,
--maxConcurrentConnections, --sizeLimit, --passwordAttribute,
--defaultPasswordEncoding, --allowedOperationType, and
--authenticationRequiredOperationType.
-
Updated the ldap-debugger tool to add a --generateSelfSignedCertificate
argument. If the tool is configured to listen using SSL, then this argument can
be given as an alternative to the --keyStorePath argument to indicate that
ldap-debugger should generate its own self-signed certificate instead of using
one provided by the user.
-
Updated the ResultCode.isConnectionUsable methods so that UNWILLING_TO_PERFORM
is no longer included in the set of result codes that will cause the LDAP SDK to
suspect that the connection may no longer be usable. Although it's possible
that the connection may have become invalid, there are plenty of reasons that an
LDAP server may return an UNWILLING_TO_PERFORM response for a connection that
remains completely usable. Since isConnectionUsable is often used to decide
whether to keep the existing connection or to throw it away and replace it with
a new one, being too prone to indicate that a connection is no longer usable
can adversely impact application performance and increase load on the directory
server.
-
Added a new API that can be used to change the way that the LDAP SDK resolves
names to IP addresses, and IP addresses to names. The default implementation
simply uses the JVM's standard name resolution methods, but a caching name
resolver is also provided that can offer better performance and better
resilience against name service outages.
-
Added a new PasswordFileReader class that makes it easier to read a password
from a file. The password files may optionally be gzip-compressed and/or
passphrase-encrypted, and the reader validates that the file contains exactly
one line and that the line is now non-empty. All command-line tools now have
access to a password file reader, and LDAP SDK tools that can read passwords
from files have been updated to take advantage of this new reader.
-
Updated the command-line tool framework so that tools that support reading
argument values from properties files now handle files that are optionally
gzip-compressed and/or passphrase-encrypted.
-
Fixed a potential null pointer exception in ArgumentParser.toString that could
arise if the parser was created through serialization and there were no
additional description paragraphs. Also, eliminated an unnecessary quotation
mark in the generated string representation.
-
Updated the ldapsearch and ldapmodify tools to add support for the get backend
set ID and get server ID request controls (which can be used to obtain
information from a Ping Identity Directory Server or Directory Proxy Server
about which entry-balancing backend sets or which server instances were used in
processing the request), and for the route to backend set and route to server
request controls (which can be used to request that the Ping Identity Directory
Proxy Server route the request to a specific group of entry-balancing backend
sets or to a specific backend server).
-
Updated LDAP command line tools to support authentication with the
UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
-
Added StaticUtils convenience methods for creating maps and sets.
-
Updated the LDIF writer to make its user-friendly display of base64-encoded
values more filter-friendly. The LDIF writer has a feature that allows it to
automatically include a comment below a base64-encoded value that tries to
display a more human-readable version of that value. In most cases, the value
in that comment could simply be copied and pasted into a search filter intended
to target that value, but some of the escaping wasn't very filter-friendly. For
example, if the base64-encoded value included an ASCII tab, carriage return or
line feed character, it was previously escaped as "\t", "\r", or "\n",
respectively, but those escapes aren't valid in the string representation of an
LDAP filter. Also, some characters that must be escaped in the string
representation of filters (like the open parenthesis, close parenthesis, and
asterisk) weren't being escaped. The escaping has now been updated so that it
should be more suitable for copying into a search filter.
-
Updated the UniquenessResponseControl class to add convenience methods to help
make it easier to interpret the response, and updated the
UniquenessRequestControl class to add an example to the class-level Javadoc.
Version 4.0.9
The following changes were made between the 4.0.8 and 4.0.9 releases:
-
Updated the command-line tool framework to allow tools to have descriptions
that are comprised of multiple paragraphs.
-
Updated the support for passphrase-based encryption to work around and apparent
bug in the JVM support for some implementations of MAC algorithms. It seems
that under certain rare circumstances, some versions of the JVM can compute an
incorrect MAC, which could lead to a failure in the passphrase-based encryption
code. To account for this, the LDAP SDK now generates the MAC multiple times
and only uses the value if it is able to reliably produce a consistent result.
-
Updated all existing ArgumentValueValidator instances to implement the
Serializable interface to avoid errors when trying to serialize an argument
configured with one of those validators (or when trying to serialize an argument
parser with any such arguments). The ArgumentValueValidator abstract class
itself has not been altered to maintain backward compatibility.
-
Updated code used to create HashSet, LinkedHashSet, HashMap, LinkedHashMap, and
ConcurrentHashMap instances with an initial capacity to use a better algorithm
for computing the correct initial capacity based on the expected number of
elements that the set or map is expected to have. The new algorithm takes the
load factor into account so that it is less likely that there will be a need to
re-hash or re-balance the set or map. This should improve performance in such
cases.
-
Updated the LDIF change record API to make it possible to obtain a copy of a
change record with a provided set of controls.
-
Added additional methods for obtaining a normalized string representation of
JSON objects and value components with more control over case sensitivity of
field names and string values, and also over array order.
-
Improved support for running in an environment in which a security manager
prevents calls to setting system properties (which also prevents access to the
System.getProperties method because its return value is mutable). It is
expected that System.getProperty can still be used to retrieve individual
property values.
Version 4.0.8
The following changes were made between the 4.0.7 and 4.0.8 releases:
-
Fixed an issue in the modrate tool in which if the --valuePattern argument was
not used to specify the desired value pattern, the pattern generated by the tool
would mistakenly result in a fixed string rather than one that was randomized,
causing all of the generated modifications to be the same.
-
Fixed an address caching bug in RoundRobinDNSServerSet in which an inverted
comparison caused the cache to be used for expired addresses instead of
non-expired addresses.
-
Updated the ldapmodify tool to remove the restriction preventing the use of
arbitrary controls with an LDAP transaction or the multi-update operation.
-
Updated a number of locations in the code that caught Throwable to re-throw the
original Throwable instance (after performing appropriate cleanup) if that
Throwable instance was an Error or perhaps a RuntimeException.
-
Added a number of convenience methods to the JSONObject class that make it
easier to get the value of a specified field as a string, Boolean, number,
object, array, or null.
-
Added a StaticUtils.toArray method that can be used to convert a collection to
an array in a generic manner. Although this is usually not any more convenient
than calling Collection.toArray, it can be useful in certain contexts where it
isn't feasible to make more than one call (for example, in a call to this or
super in a constructor) or when the type of collection element is not known at
compile time.
-
Added support for parsing audit log messages generated by the Ping Identity
Directory Server version 7.1 and later, including support for generating
LDIF change records that can be used to revert changes recorded in the audit
log in a reversible form.
Version 4.0.7
The following changes were made between the 4.0.6 and 4.0.7 releases:
-
Fixed an issue in the LDAPConnectionPool and LDAPThreadLocalConnectionPool
classes when created with a connection that is already established and
authenticated (as opposed to being created from a server set and bind request).
Internally, the LDAP SDK created its own server set and bind request from the
provided connection's state information, but it incorrectly included bind
credentials in the server set. Under most circumstances, this would merely
cause the LDAP SDK to send two bind requests (the second a duplicate of the
first) when establishing a new connection as part of the pool. However, it
caused a bigger problem when using the new setBindRequest methods that were
introduced in the 4.0.6 release. Because the server set was created with bind
credentials, the pool would create a connection that tried to use those old
credentials before sending a second bind request with the new credentials,
and this would fail if the old credentials were no longer valid.
-
Fixed an issue with the behavior that the LDAP SDK exhibited when configured to
automatically follow referrals. If the server returned a search result
reference that the LDAP SDK could not follow (for example, because none of the
URLs were valid, none of the servers could be reached, none of the searches
succeeded, in those servers, etc.), the LDAP SDK would assign a result code of
"referral" to the search operation, which would cause it to throw an exception
when the search completed (as is the case for most non-success result codes).
The LDAP SDK will no longer override the result code for the search operation,
but will instead use whatever result code the server returned in its search
result done message. Any search result references that the LDAP SDK could not
automatically follow will be made available to the caller through the same
mechanism that would have been used if the SDK had not been configured to
automatically follow referrals (that is, either hand them off to a search result
listener or collect them in a list to include in the search result object).
The LDAP SDK was already making the unfollowable search result references
available in this manner, but the client probably wouldn't have gotten to the
point of looking for them because of the exception resulting from the overridden
operation result code.
-
Added a new LDAPConnectionPoolHealthCheck.performPoolMaintenance method that can
be used to perform processing on the pool itself (rather than on any individual
connection) at regular intervals as specified by the connection pool's health
check interval. This method will be invoked by the health check thread after
all other periodic health checking is performed.
-
Added a new PruneUnneededConnectionsLDAPConnectionPoolHealthCheck class that can
be used to monitor the size of a connection pool over time, and if the number of
available (that is, not currently in use) connections is consistently greater
than a specified minimum for a given length of time, then the number of
connections in the pool can be reduced to that minimum. This can be used to
automatically shrink the size of the pool during periods of reduced activity.
-
Updated the Schema class to provide additional constructors and methods that can
be used to attempt to retrieve the schema without silently ignoring errors about
unparsable elements. Previously, if a schema entry contained one or more
unparsable elements, they would be silently ignored. It is now possible to more
easily obtain information about unparsable elements or to have the LDAP SDK
throw an exception if it encounters any unparsable elements.
-
Added createSubInitialFilter, createSubAnyFilter, and createSubFinalFilter
methods to the Filter class that are more convenient to use than the existing
createSubstringFilter methods for substring filters that only have one
type of component.
-
Updated the Entry.diff method when operating in reversible mode so that when
altering the values of an existing attribute, the delete modifications will be
ordered before the add modifications. Previously, the adds came before the
deletes, but this could cause problems in some directory servers, especially
when the modifications are intended to change the case of a value in a
case-insensitive attribute (for example, the add could be ignored or rejected
because the value already exists in the entry, or the delete could end up
removing the value entirely). Ordering the deletes before the adds should
provide much more reliable results.
-
Updated the modrate tool to add a new "--valuePattern" argument that can be used
to specify the pattern to use to generate new values. This argument is an
alternative to the "--valueLength" and "--characterSet" arguments and allows for
more flexibility in the types of values that can be generated.
-
Updated the manage-account tool so that the arguments related to TOTP secrets
are marked sensitive. This will ensure that the value is not displayed in the
clear in certain cases like interactive mode output or tool invocation logging.
-
Added a new "streamfile" value pattern component that operates like the existing
"sequentialfile" component except that it limits the amount of the file that is
read into memory at any given time, so it is more suitable for reading values
from very large files.
-
Added a new "timestamp" value pattern component that can be used to include
either the current time or a randomly selected time from a given range in a
variety of formats.
-
Added a new "uuid" value pattern component that can be used to include a
randomly generated universally unique identifier (UUID).
-
Added a new "random" value pattern component that can be used to include a
specified number of randomly selected characters from a given character set.
-
Added a StaticUtils.toUpperCase method to complement the existing
StaticUtils.toLowerCase method.
-
Added Validator.ensureNotNullOrEmpty methods that work for collections, maps,
arrays, and character sequences.
-
Added LDAPTestUtils methods that can be used to make assertions about the
diagnostic message of an LDAP result or an LDAP exception.
-
Added client-side support for a new exec task that can be used to invoke a
specified command in the Ping Identity Directory Server (subject to
security restrictions imposed by the server).
-
Added client-side support for a new file retention task that can be used to
examine files in a specified directory, identify files matching a given pattern,
and delete any of those files that do not match count-based, age-based, or
size-based criteria.
-
Added client-side support for a new delay task that can be used sleep for a
specified period of time, until the server work queue reports that all
worker threads are idle and there are no pending operations, or until a
given search or set of searches match at least one entry. The delay task is
primarily intended to be used as a spacer between other tasks in a dependency
chain.
-
Updated support for the ignore NO-USER-MODIFICATION request control to make it
possible to set the criticality when creating an instance of the control.
Previously, new instances were always critical.
-
Updated the ldapmodify tool to include the ignore NO-USER-MODIFICATION request
control in both add and modify requests if the --ignoreNoUserModification
argument was provided. Previously, that argument only caused the control to be
included in add requests. Further, the control will now be marked non-critical
instead of critical.
-
Updated the task API to add support for a number of new properties, including
the email addresses of users to notify on task start and successful
completion (in addition to the existing properties specifying users to email
on error or on any type of completion), and flags indicating whether the
server should alert on task start, successful completion, or failure.
-
Updated the argument parser's properties file support so that it expects the
file to use the ISO 8859-1 encoding, and to support Unicode escape sequences
that are comprised of a backslash followed by the letter u and four hexadecimal
digits.
-
Updated the tool invocation logger to add a failsafe mechanism for preventing
passwords from being included in the log. Although it will already redact the
values of any arguments that are declared sensitive, it will now also redact the
values of any arguments whose name suggests that their value is a password.
Version 4.0.6
The following changes were made between the 4.0.5 and 4.0.6 releases:
-
Fixed a number of issues with the way the LDAP SDK handled characters whose
UTF-8 representation requires more than two bytes (and therefore requires two
Java chars to represent a single character). Issues related to these characters
were found in code for matching rules, RDNs (and therefore DNs), and filters.
-
Fixed a bug in the ldapsearch tool that could cause it to use an incorrect scope
when constructing search requests from LDAP URLs read from a file.
-
Fixed a bug that could prevent certain client-side state information from being
properly updated when processing a bind request using either the
LDAPConnection.processOperation or the AbstractConnectionPool.processRequests
methods. This could cause the LDAP SDK to incorrectly believe that a connection
was not authenticated when it
actually was.
-
Fixed a bug in schema handling that could arise if an object class definition
did not specify the object class type (STRUCTURAL, AUXILIARY, or ABSTRACT).
In some cases, the type could be incorrectly inherited from the superclass
rather than assuming the default type of STRUCTURAL.
-
Added a new setBinRequest method to the LDAPConnectionPool and
LDAPThreadLocalConnectionPool classes. This makes it possible to change the
credentials that will be used to authenticate newly created connections, and for
existing connections that are re-authenticated with either the
bindAndRevertAuthentication or the releaseAndReAuthenticateConnection methods.
-
Added a new setServerSet method to the LDAPConnectionPool and
LDAPThreadLocalConnectionPool classes. This makes it possible to change the way
that the pool establishes new connections.
-
Added a LDAPRequest.setReferralConnector method that makes it possible to set a
custom referral connector on a per-request basis. Also added a
RetainConnectExceptionReferralConnector class that makes it easier to obtain the
exception (if any) that was encountered on the last attempt to establish a
connection for the purpose of following a referral.
-
Updated the in-memory directory server so that it can better handle instances of
java.lang.Error (and its subclasses) that may be thrown in the course of
processing associated with a client connection. These kinds of errors should not
happen under normal circumstances, but it is possible for third-party code (for
example, code associated with an InMemoryOperationInterceptor) to generate them,
and it is possible for the JVM to throw them in extraordinary circumstances like
out of memory error. In such cases, the thread responsible for processing
requests from that client would exit without returning a response for the
operation being processed and without closing the connection.
-
Updated manage-certificates to fix an incorrect interpretation of the path
length element of a basic constraints extension. It was mistakenly
interpreted to mean the maximum number of certificates that are allowed in a
certificate chain containing that certificate, but it actually specifies the
maximum number of intermediate certificates that are allowed between that
issuer certificate and the subject certificate at the head of the chain.
-
Updated manage-certificates to add support for importing PEM-encoded RSA private
keys that are not wrapped in a PKCS #8 envelope (that is, from a file whose
header contains "BEGIN RSA PRIVATE KEY" instead of "BEGIN PRIVATE KEY").
Previously, it was only possible to import private keys using the PKCS #8
format.
-
Updated manage-certificates to add an
--allow-sha-1-signature-for-issuer-certificates argument to the
check-certificate-usability subcommand. If this argument is provided, then the
tool will continue to call out issuer certificates with a certificate whose
signature is based on the weak SHA-1 message digest, but it will not cause the
tool to exit with an error just because of that issue. This argument has no
effect for certificates that use a signature based on the extremely weak MD5
digest, and it also does not have any effect if the server certificate at the
head of the chain has a SHA-1-based signature.
-
Added client-side support for a new reload HTTP connection handler certificates
task that may be used in some Ping Identity server products to request that the
server dynamically reload the certificate key and trust stores used by all HTTP
connection handler instances that provide support for HTTPS.
Version 4.0.5
The following changes were made between the 4.0.4 and 4.0.5 releases:
-
Fixed a bug in simple bind request processing in which the LDAP SDK would only
reject a bind request that contains a DN but no password (subject to the
LDAPConnectionOptions.bindWithDNRequiresPassword() setting) when using the
default asynchronous mode, but not when configured to operate in synchronous
mode. In applications that use a simple bind operation to authenticate users,
that do not ensure that the user provided a non-empty password, and that
communicate with a server that does not follow the RFC 4513 section 5.1.2
recommendation to reject binds with a DN but no password, this bug could have
allowed an attacker to impersonate any legitimate user by identifying themselves
as the desired user and leaving the password field empty.
(CVE-2018-1000134).
-
Updated the command-line argument parser so that it will not assign a value from
a properties file to an argument if that argument is part of an exclusive
argument set and another argument in that set was provided on the command line.
-
Fixed a manage-certificates bug in which the validity start time and validity
duration values would be ignored when generating a self-signed certificate
intended to replace an existing certificate. In that case, the tool would have
always used the current time as the start time and a duration of one year.
-
Updated the manage-certificates tool to change the primary name for the existing
--replace-existing-certificate argument in the
generate-certificate-signing-request subcommand to be --use-existing-key-pair,
and updated the usage information to make it clearer that using this option will
not cause the keystore to be updated. The former --replace-existing-certificate
identifier can still be used and will behave in exactly the same way as before,
so there is no change in functionality.
-
Improved the usability of the ldap-debugger tool when using the --listenUsingSSL
argument by ensuring that the --keyStorePath argument is also provided, along
with one of the --keyStorePassword, --keyStorePasswordFile, and
--promptForKeyStorePassword arguments.
-
Fixed a number of cases in which there was a mismatch between the arguments
provided to a message format string and the arguments expected by that format
string. Unit tests have been added to help prevent this from recurring.
-
Added a new PassphraseEncryptedOutputStream class that can be used to write
encrypted data with a key generated from a provided passphrase. Also added a
new PassphraseEncryptedInputStream class that can be used to read encrypted data
written with the PassphraseEncryptedOutputStream when provided with the correct
passphrase.
-
Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be
used to impose a maximum rate (in bytes per second) at which data can be read
from a wrapped input stream or written to a wrapped output stream.
-
Added new CloseableLock and CloseableReadWriteLock classes that provide the same
basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes,
but that can also be used with Java's try-with-resources facility.
-
Added a new FixedBarrier.await(int) method that can be used to request rate
limiting for the specified number of occurrences, rather than just a single
occurrence. This can be used to make it easier to impose rate limiting in
instances where the event that you're limiting doesn't fit into the existing
paradigm. For example, it could be used to implement a rate-limited output
stream in which you want to be able to specify the number of bytes being written
at a time, instead of requiring a separate await() call for each byte being
written.
-
Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and
validate-ldif tools to add support for encrypted LDIF files. The passphrase
used to generate the encryption key can be provided interactively or read from a
file.
-
Added support for two new UnboundID/Ping-proprietary request controls that can
help clients prevent inadvertently requesting unindexed searches. The reject
unindexed search request control can be used to indicate that the server should
reject a search request if it cannot be efficiently processed using server
indexes, even if the requester has the unindexed-search privilege. The permit
unindexed search request control can be used to indicate that the server should
process the search request even if it is unindexed, as long as the requester has
the unindexed-search-with-control privilege. The ldapsearch tool has also been
updated allow these controls to be included in the search requests that it
generates.
-
Added support for a new UnboundID/Ping-proprietary request control that can be
included in a search request to indicate that the client wishes to override an
internal limit that might otherwise be in effect for that operation. The
ldapsearch tool has been updated to allow this control to be included in the
search requests that it generates.
-
Updated the summarize-access-log tool to add support for encrypted log files.
The passphrase used to generate the encryption key can be provided interactively
or read from a file.
Version 4.0.4
The following changes were made between the 4.0.3 and 4.0.4 releases:
-
Updated the way that the LDAP SDK generates exception messages to make them more
user-friendly. They are now less likely to include stack traces, and they are
less likely to include repeated information like LDAP SDK build information and
information duplicated from an exception's cause. Ideally, suppressing stack
trace information in exception messages will not significantly impact the
ability to troubleshoot problems, but stack traces remain available through the
LDAP SDK's debugging framework, and either or both the
com.unboundid.ldap.sdk.debug.includeStackTraceInExceptionMessages and
com.unboundid.ldap.sdk.debug.includeCauseInExceptionMessages system
properties can be set to "true" to cause the corresponding information to be
included in exception messages when applicable.
-
Fixed an issue that could cause multiple application threads to block in the
course of closing a connection pool. When calling the connection pool's close
method, the health check thread will be shut down, and the calling thread will
block until it has actually stopped. Once the health check thread has stopped,
then any idle connections in the pool will be closed. Connections that are
actively being used will not be directly affected by this but will instead be
closed when they are released back to the pool. Previously, if the health check
thread had not yet been stopped (for example, if it's in the middle of an
expensive or stalled health check operation), then any thread releasing a
connection back to the pool that was in the shutdown process would also be
blocked until the health check thread had exited. This is no longer the case,
and only the first thread to call a connection pool's close method has the
potential to block.
-
Updated the way that the LDAP SDK sends messages so that it is more resilient to
stalls in the TLS negotiation process. Java's SSLSocket implementation has the
potential to block indefinitely until TLS negotiation has completed, and the
only way to break out of that stall is to use the SO_TIMEOUT socket option.
This was primarily an issue for connections operating in non-synchronous mode,
as connections using synchronous mode already used the SO_TIMEOUT option to
enforce response timeouts.
-
Updated the LDAP SDK's ServerSet implementations so that they can perform
authentication and post-connect processing. This can improve resiliency against
certain types of certain types of processing failures, and can allow health
checks against newly established connections to succeed in certain cases in
which they might have previously failed (for example, if the server is
configured to reject requests from unauthenticated clients).
-
Updated the GetEntryLDAPConnectionPoolHealthCheck class to provide support for
invoking the health check after a pooled connection has been authenticated.
This will primarily be used when creating a new connection for use in
the connection pool, but it also applies to calls to the connection pool's
bindAndRevertAuthentication and releaseAndReAuthenticateConnection methods.
-
Fixed a bug in the GetEntryLDAPConnectionPoolHealthCheck class that caused it to
behave incorrectly when checking the validity of a connection after an
LDAPException. The intended behavior was to only perform a search to retrieve
the target entry if the exception's result code indicated that the connection
may no longer be valid. Instead, it erroneously of always failing the health
check if the result code indicated that the connection may no longer be valid,
and always performing the search if the result code suggested that the
connection should still be valid.
-
Updated the Attribute.hasValue method to be more efficient for attributes with
multiple values, and especially for attributes with a large number of values
and/or attributes with more complicated matching rules (like attributes with a
distinguished name or generalized time syntax). This should also provide a
similar improvement for the Filter.matchesEntry method for equality filters that
target attributes with multiple values.
-
Updated the prompt trust manager (which can interactively prompt the user about
whether to trust a server certificate chain) to provide better output
formatting and more warnings about potential reasons that the presented
certificate chain might be considered non-trustworthy.
-
Updated the LDAPConnectionOptions class to make a number of changes.
-
The initial default connect timeout has been reduced from 60,000
milliseconds (one minute) to 10,000 milliseconds (10 seconds). This timeout
only covers the length of time required to establish the TCP connection
between the client and the server, and does not include the time required to
perform any operations on that connection (for example, an initial bind
request to authenticate the connection), nor does it include the time
required to perform TLS negotiation if the connection is to be secure. Ten
seconds should be more than enough time for this to happen even on the
slowest of network links, and a shorter timeout can help reduce the
appearance of unresponsiveness if there is no response to the connection
attempts. This initial connection timeout can still be overridden using the
LDAPConnectionOptions.setConnectTimeoutMillis method.
-
The initial default response timeout has been reduced from 300,000
milliseconds (five minutes) to 30,000 milliseconds (30 seconds) for most
types of operations, including add, bind, compare, delete, modify, and
modify DN operations, as well as for certain types of extended operations.
Search operations and non-whitelisted extended operations will continue to
use the original default response timeout of 300,000 milliseconds. Using a
shorter response timeout for operations that should complete quickly helps
avoid blocking for an unreasonably long period of time if the server is
unresponsive. A long default timeout is still required for search
operations because it is possible for very expensive searches to take a
very long time before returning any kind of response messages. It is still
possible to set a default response type that applies to all types of
operations, but it is now also possible to customize the default response
timeout separately for each type of operation, and per request OID for
extended operations. It also remains possible to set a custom response
timeout for each individual request using the
LDAPRequest.setResponseTimeoutMillis method.
-
A number of system properties have been defined that can be used to override
the LDAP SDK's default value for a number of settings in the
LDAPConnectionOptions class, including the default connect and response
timeouts. All of these new system properties are defined in String
constants in the LDAPConnectionOptions class and are listed in the Javadoc
documentation for that class.
Version 4.0.3
The following changes were made between the 4.0.2 and 4.0.3 releases:
-
Fixed a bug in the way that signatures were generated and verified for X.509
certificates and PKCS #10 certificate signing requests.
Version 4.0.2
The following changes were made between the 4.0.1 and 4.0.2 releases:
-
Added a new manage-certificates tool that can be used to simplify the management
of client and server certificates in Java keystores. It serves as a
user-friendly replacement for the Java keytool utility, and it offers features
that keytool does not, including support for importing and exporting private
keys, a simplified interface for trusting a TLS server certificate, and a
mechanism for reporting on the suitability of a specified certificate for use as
a TLS server certificate. The com.unboundid.util.ssl.cert package includes a
number of utility classes that can also be used to interact with keys,
certificates, and certificate signing requests.
-
Updated the Entry.diff method to make it possible to perform a byte-for-byte
comparison of attribute values instead of using the matching rule associated
with each attribute type. This makes it possible to detect changes that result
in a logically-equivalent value, like replacing the value of a case-insensitive
attribute with a value that differs only in capitalization.
-
Added a new PasswordReader.readPasswordChars method that can be used to read a
password as a character array. It was previously only possible to read a
password as a byte array.
-
Added a new LDAPConnection.closeWithoutUnbind method that can be used to close a
connection without first sending an LDAP unbind request. This practice is
generally discouraged, but it can be useful in cases where it is known that the
connection is no longer valid, and especially in cases where an attempt to send
a request over the connection could cause the client to block. Connection pool
implementations have been updated to use this method whenever they are closing a
connection that is believed to be invalid.
-
Improved support for validating object identifiers. While the LDAP SDK offered
some support for determining whether a string represented a valid numeric OID,
there were some types of validation that it did not perform. In particular, it
did not check to ensure that the numeric OID had at least two components, that
the first component had a value between zero and two, or that the second
component had a value between zero and thirty-nine if the first component had a
value of zero or one. The OID class now provides an option for performing this
more strict validation. There is also a new OIDArgumentValueValidator class
that can be used to ensure that a command-line argument represents a valid OID,
and this validator can operate either with or without this new strict
validation.
-
Fixed a bug that could cause the LDAP SDK to leak a connection if it is
configured with an SSLSocketVerifier and that verifier rejects the connection
for some reason.
-
Fixed a bug that could cause the LDAP SDK to unnecessarily block for the full
response timeout duration if an error occurred while attempting to send a
simple bind request on a connection configured to operate in synchronous mode.
At present, the only known circumstance in which the problem might appear is the
case in which the connection is configured with an SSLSocketFactory and the
server does not provide any response whatsoever to the attempt to begin TLS
negotiation.
-
Added support for new ASN.1 element types, including bit string, object
identifier, generalized time, UTC time, UTF-8 string, IA5 string, printable
string, and numeric string. Also, added support for a new integer variant that
is backed by Java's BigInteger class and allows for integer values of any
magnitude.
-
Updated the ASN1Element class to add methods to make it easier to determine the
BER type class for an element and to determine whether the primitive/constructed
bit is set.
-
Added support for a new uniqueness request control that can be used to indicate
that the associated add, modify, or modify DN request should be rejected if the
server detects that it would introduce a value that is already in use in the
server. This is a nonstandard control that is currently only supported by the
Ping Identity Directory Server. The ldapmodify tool has been updated to make it
possible to send requests that include this control.
-
Updated the searchrate tool to support setting the size limit, time limit, alias
dereferencing policy, and typesOnly flag in search requests.
-
Updated the in-memory directory server to include support for the
UnboundID-proprietary ignore NO-USER-MODIFICATION request control. This
control can be included in an add request to permit the client to set values for
attributes that are typically only allowed to be set by the server.
-
Updated the password policy state extended operation to add new operation types
that make it possible to determine whether the target user has a static
password, and the manage-account tool has been updated to support this
operation. In addition, a new account usability notice has been added that can
be included in an account usability response if the target user does not have a
static password.
-
Updated the argument parser to add the ability to hide subcommand names and
argument identifiers. For convenience, you can assign multiple names to the
same subcommand, and you can assign multiple identifiers to the same argument.
In the past, all subcommand names and argument identifiers would be displayed in
the usage information, but this could result in a lot of clutter. There may be
cases in which you want to allow multiple values but not display them all in the
usage. When adding an additional subcommand name or argument identifier, you
can now indicate whether it should be omitted from the tool's generated usage
information.
-
Improved the quality of LDAP request debug messages. The messages will now
include the internal connection ID, connection name, connection pool name, the
address and port of the server to which the request is being sent, and the LDAP
message ID for the request. The debug messages for abandon and unbind requests
are now more consistent with the debug messages for other types of requests,
and the LDAP SDK now does a better job of debugging SASL bind requests.
-
Updated the OID reference to include the OID for the UnboundID-proprietary
password update behavior request control.
-
Updated the set of LDAP-related specifications to include RFC 8284, which
defines an LDAP schema for supporting XMPP in white pages. The former
draft-kille-ldap-xmpp-schema draft has been removed because the new RFC
supersedes it.
-
Updated the set of LDAP-related specifications to include specifications for
certificate-related RFCs, including 2986 (PKCS #10), 5208 (PKCS #8),
5280 (X.509), 7292 (PKCS #12), and 8017 (PKCS #1).
-
Updated the set of LDAP-related specifications to include the most recent
revision of the draft-seantek-ldap-pkcs9 draft.
Version 4.0.1
The following changes were made between the 4.0.0 and 4.0.1 releases:
-
Added a new JVMDefaultTrustManager class that can be used to automatically trust
any certificate signed by an authority that the JVM considers trusted by
default. The command-line tool framework has been updated so that if you don't
explicitly specify a trust behavior, it will now check the JVM-default trust
manager before prompting about whether to trust the server certificate.
-
Updated the in-memory directory server to add support for encoding clear-text
passwords using a pluggable mechanism. For example, you can automatically have
clear-text passwords transformed so that they are stored as the base64-encoded
representation of a salted message digest.
-
Updated the in-memory directory server to indicate which attributes will be
treated as password attributes. Any password attribute can be used to provide
credentials for a bind operation, and the values of password attributes will be
encoded with the configured password encoder (if any). The server was formerly
hard-coded to use userPassword as the password attribute, and this is still the
default configuration, but it is now possible to configure the server to use one
or more other attributes instead of or in addition to userPassword.
-
Added support for a new password update behavior request control. This control
can be used in an upcoming release of the Ping Identity Directory Server to
override the behavior the server would otherwise have used for a number of
password-related properties (e.g., whether the password update is a self change
or an administrative reset, whether to allow a pre-encoded password, which
password storage scheme to use, etc.). The ldapmodify tool has been updated to
make it easy to include this control in add and modify requests.
-
Updated the identify-unique-attribute-conflicts example tool to provide support
for identifying conflicts between combinations of attributes. For example, you
can use this feature to identify cases in which there may be duplicate uid
values within the same organization, but ignore duplicate uid values for users
in different organizations.
-
Fixed an OSGi problem in the jar file manifest. When the LDAP SDK supported
Java 1.5 or later, the correct value for the Bundle-RequiredExecutionEnvironment
property was "J2SE-1.5". When we updated the LDAP SDK to require Java 7 or
later, the value of this property was updated to be "J2SE-1.7" instead of the
correct new value of "JavaSE-1.7".
-
Fixed a problem that prevented the complete set of argument validation from
being performed when running a tool in interactive mode. In particular, the
interactive mode framework did not perform validation related to required,
exclusive, and dependent argument sets.
-
Fixed an issue with the way that command-line tools handled trailing arguments
in interactive mode. If the tool didn't require any trailing arguments but
allowed any number of them to be provided, then interactive mode did not allow
trailing argument values to be provided.
-
Fixed an issue with the way that relative paths were handled in command-line
tools run in interactive mode. When a Java File object is created from a
relative path rather than an absolute path, the getParentFile() method may
return null, and this could cause the LDAP SDK to incorrectly believe that the
file's parent didn't exist. To avoid this, the LDAP SDK now uses
getAbsoluteFile().getParentFile() in order to get the parent for any File that
may have been created from a relative path.
-
Fixed an issue with command-line tools that default to interactive mode that
could arise if the tool is invoked without any arguments, but if it tries to use
a properties file referenced by an environment variable or JVM property. If the
properties file contained some but not all of the arguments needed to invoke the
tool, the command-line tool framework would still try to invoke the tool with
just the arguments from the properties file, which could result in erratic
behavior, unexpected errors, or uncaught exceptions. The tool will now launch
in interactive mode to allow the missing arguments to be specified.
-
The ldapsearch tool has been updated so that the base DN argument is now
optional in all circumstances. Previously, you had to explicitly provide either
a base DN or an LDAP URL file, but this created a usability problem if you ran
ldapsearch in interactive mode and wanted to search with a null base DN (that
is, the DN with the empty string representation). Now, if you don't provide
either a base DN or an LDAP URL file, then ldapsearch will assume a null base
DN.
-
Updated the class-level Javadoc documentation for a number of classes that
implement controls and extended requests and responses. If it takes an
encoded value, the Javadoc documentation now describes the encoding for that
value.
-
Fixed a couple of problems with message format strings that had incorrect
property references (for example, they referenced "{1}" when they should have
referenced "{0}" as the first argument). The LDAP SDK build process has been
updated to better catch these kinds of problems.
-
Improved the ByteStringBuffer.append(CharSequence) method so that it will be
much more efficient for CharSequence implementations in which iterating through
the characters using the charAt(int) method is expensive.
Version 4.0.0
The following changes were made between the 3.2.1 and 4.0.0 releases:
-
The LDAP SDK now requires Java SE 7 or later. It was previously possible to
build and run the LDAP SDK with Java SE 1.5 or later, but now neither Java SE
1.5 nor Java SE 1.6 are supported. We officially support Java SE 7 and 8.
There are known issues with building the LDAP SDK in early access versions of
Java SE 9, but a version of the LDAP SDK built on Java SE 7 or 8 should run
without problems under Java SE 9.
-
We no longer maintain separate editions of the LDAP SDK. Previously, we had
three different editions: Standard Edition, Commercial Edition, and Minimal
Edition. While there were valid reasons for them in the past, those reasons no
longer apply, and it is simpler to maintain just a single edition. The new
edition is simply called "UnboundID LDAP SDK for Java", and it contains all of
the content that had previously been in the Commercial Edition (which was itself
a superset of the Standard Edition, which was a superset of the Minimal Edition).
-
The GitHub repository for the UnboundID LDAP SDK for Java has been moved into
the Ping Identity organization. The URL to the repository has changed from
https://github.com/unboundid/ldapsdk
to https://github.com/pingidentity/ldapsdk,
but a redirect is in place to ensure that clients using the old URL are
automatically transferred to the new location.
-
The content in the open source repositories for the LDAP SDK (on GitHub at
https://github.com/pingidentity/ldapsdk
and on SourceForge at
https://sourceforge.net/p/ldap-sdk/code/HEAD/tree/)
now matches the content in the internal repository. The full source code for
all LDAP SDK unit tests is now available, along with some supporting build
components.
-
Fixed a bug in the logic for parsing DNs with RDN values that used a raw BER
encoding, which is indicated in the string representation by starting an
attribute value with the octothorpe (#) character. The LDAP SDK would
incorrectly use the entire set of bytes (representing the BER type, length, and
value of the BER element) following the octothorpe character as the attribute
value instead of just the BER value.
-
Fixed a bug in the LDAP connection pool that could cause the pool to lose a
connection if createIfNecessary is false and if the replaceDefunctConnection
method was called but could not successfully create a new connection. If this
happened enough times, the pool could run out of connections, and it would
refuse to create new ones.
-
Fixed a bug that could cause the LDAP SDK to use the same message ID for all
stages of a multi-stage SASL bind instead of using a different message ID for
each stage.
-
Fixed a bug in the in-memory directory server LDIF import code that prevented
imported entries from being subjected to the configured schema.
-
Fixed a bug in the in-memory directory server's handling of LDAP subentries.
The server could incorrectly return entries that are not LDAP subentries in
response to a search request that included the LDAP subentries request control.
-
Fixed a bug that could cause tools to incorrectly launch in interactive mode
even if default values for some tool arguments were provided through a
properties file.
-
Updated the ldapmodify tool to fix a bug that could cause it to use an exit code
of zero even if an error was encountered while reading LDIF data. It would have
always used a nonzero exit code for unrecoverable LDIF parsing errors, but the
exit code may not have indicated a problem if the error was recoverable and the
tool was able to continue parsing subsequent LDIF records.
-
Updated the ldapmodify tool to fix a bug that could cause it to incorrectly use
an exit code of zero when processing operations as part of a transaction but the
attempt to commit the transaction was unsuccessful.
-
Updated the ldapsearch tool so that the -T argument is associated with the
tool-specific --dontWrap argument rather than the generic --trustStorePassword
argument that is normally the case for other LDAP tools. This provides better
backward compatibility with other versions of the ldapsearch tool.
-
Updated the ldapsearch tool to add support for the --skipResolvingExplodedIndexes,
--fastShortCircuitThreshold, and --slowShortCircuitThreshold options for the
matching entry count request control. These options had previously been
overlooked.
-
Fixed a bug in the ldapsearch tool that caused it to omit all attributes when
run with the --typesOnly argument, indicating that attributes should be returned
without any values.
-
Fixed a bug in the LDAP SDK argument parser that involved reading Boolean
arguments from a properties file. If a Boolean argument were assigned a value
of false in a properties file, that argument would incorrectly be listed among
the command-line arguments obtained from the properties file.
-
Updated all copyright notices to reference Ping Identity rather than UnboundID.
-
Updated the LDAP SDK documentation to use Ping Identity branding.
-
Updated the LDAP SDK documentation to include an LDAPv3 wire protocol reference
document that provides in-depth coverage of the ASN.1 Basic Encoding Rules (BER)
and all kinds of LDAP request and response messages with annotated examples.
-
Updated the LDAP SDK documentation to include a new LDAP result code reference
document.
-
Updated the LDAP SDK documentation to include a new LDAP OID reference document.
-
Updated the set of LDAP-related specifications to include RFC 2926 (Conversion
of LDAP Schemas to and from SLP Templates), RFC 2985 (PKCS #9: Selected Object
Classes and Attribute Types Version 2.0), RFC 4226 (HOTP: An HMAC-Based One-Time
Password Algorithm), and RFC 6238 (TOTP: Time-Based One-Time Password
Algorithm).
-
Updated the set of LDAP-related specifications to include the latest revisions
of the draft-kille-ldap-xmpp-schema, draft-seantek-ldap-pkcs9, and
draft-wibrown-ldapssotoken drafts.
-
Updated the build-time collection of information about the source repository to
include support for git in addition to the existing support for subversion. If
the LDAP SDK is checked out from a git repository, the generated
com.unboundid.ldap.sdk.Version class will now include the repository URL and
revision ID associated with that git repository.
Version 3.2.1
The following changes were made between the 3.2.0 and 3.2.1 releases:
-
Updated the documentation to indicate that non-public feedback, feature
enhancements, support requests, and other kinds of communication should now be
sent to ldapsdk-support@pingidentity.com instead of
ldapsdk-support@unboundid.com. We also now recommend using the GitHub issue
tracker over the SourceForge mailing lists and discussion forums for bug
reports and feature requests.
-
Fixed a bug in the RDN parsing code that could cause multiple consecutive spaces
in the middle of an attribute value to be condensed down to a single space. The
string representation of the RDN was preserved correctly, but the methods used
to retrieve attribute values as strings or byte arrays returned the values
without all of the spaces.
-
Provided better handling for InterruptedException exceptions. A thread's
interrupted state will now be preserved for cases in which the LDAP SDK consumes
an InterruptedException without doing something to handle it.
-
Fixed a bug in the support for the ANONYMOUS SASL mechanism that could cause the
trace string to be omitted from the encoded bind request sent to the directory
server.
-
Updated the searchrate tool to provide support for generic controls, as well as
specific support for the assertion, simple paged results, and server-side sort
request controls.
-
Updated the authrate tool to add a new --bindOnly argument allows you to
indicate that the tool should only perform bind operations, and should omit the
initial search used to find the entry for the target user. The base DN pattern
will be used to construct the bind DN.
-
Updated the authrate tool to provide support for generic search and bind
controls, as well as specific support for the authorization identity and
password policy request controls.
-
Updated the search-and-mod-rate tool to provide support for generic search and
modify controls, as well as specific support for the assertion, simple paged
results, permissive modify, pre-read, and post-read request controls.
-
Added a Schema.getSchema method that can read schema information (in LDIF form)
from an input stream. This is in addition to the existing getSchema methods
that can be used to read schema from an LDAP server and from one or more LDIF
files.
-
Updated the support for the GSSAPI SASL mechanism to make it possible to
explicitly indicate whether the client should be a GSSAPI initiator or acceptor
in the generated configuration file.
-
Updated the support for the server-side sort request control to add constructors
that allow the sort keys to be provided in a list as an alternative to the
existing varargs version that allows them to be provided in an array.
-
Updated the support for the matched values request control to add constructors
that allow the matched values filters to be provided in a list as an alternative
to the existing varargs version that allows them to be provided in an array.
-
Updated the identify-unique-attribute-conflicts tool to include a time limit in
search requests intended to determine whether a unique attribute value may also
be in use in any other entries. This can help limit the effect of running the
tool against a server that is not configured with the appropriate indexes to
ensure that equality searches targeting the unique attributes can be processed
efficiently.
-
Updated the in-memory directory server to respect the client-requested time
limit if that limit is exceeded because of a processing delay that has been
configured for the server.
-
Improved the Javadoc documentation for the argument parser to indicate that
arguments provided to the addDependentArgumentSet, addExclusiveArgumentSet, and
addRequiredArgumentSet methods must have already been registered with the
argument parser.
-
Improved the Javadoc documentation for the JSON support to better describe the
behavior of the toString, toSingleLineString, and toNormalizedString methods,
and to make it clear that the JSONString.toString method includes the
surrounding quotation marks and may have special characters escaped, and the
stringValue method should be used to obtain the unquoted and unescaped value.
-
Updated the set of LDAP-related specifications to include a reference to the
draft-ietf-ldapext-ldap-c-api specification.
-
Added a new version of the ldapsearch tool that provides a lot of additional
functionality. It includes much better output formatting (including support for
alternate output formats, including JSON, CSV, and tab-delimited text), support
for a number of data transformations, more robust connection handling, support
for referrals, support for a large number of search and bind controls, support
for administrative sessions, support for unsolicited notifications, the ability
to process multiple searches with search criteria provided in filter files or
LDAP URL files, rate limiting, and the ability to send results to a specified
output file (or a separate output file per search).
-
Added a GetUserResourceLimitsResponseControl.getOtherAttribute method that makes
it more convenient to get an "other" attribute by name.
-
Implemented caching for the matching rule instance used when the
jsonObjectExactMatch matching rule is requested. This matching rule only
exists in the Commercial Edition and needs to be loaded via reflection, but that
can be expensive if it's done a lot. Caching the result means that we only need
to pay that cost once.
-
Updated the access and error log parsing APIs to include support for the
triggeredByConn and triggeredByOp fields used to indicate that the message is
associated with a given operation.
Version 3.2.0
The following changes were made between the 3.1.1 and 3.2.0 releases:
-
Added a new transform-ldif tool that can be used to apply a number of
transformations to data in an LDIF file, and to make these transformations
available for programmatic use. This includes:
-
The ability to scramble, replace, redact, or exclude a specified set of
attributes.
-
The ability to replace existing values with a specified attribute, or with a
generated value that includes a sequential counter.
-
The ability to add a given set of attribute values to entries matching a
specified set of criteria.
-
The ability to exclude entries matching a specified set of criteria.
-
The ability to rename attributes.
-
The ability to replace the base DN for entries in a specified subtree.
-
The ability to flatten a DIT, to ensure that all entries more than one level
below a specified base DN are moved so that they are directly below that
base DN.
-
Updated the EntryValidator class and the validate-ldif tool to provide
additional options. It can now check to see if all attribute values contained
in an entry's RDN are also present in the entry attributes, can ignore attribute
syntax violations on a per-attribute basis, and can check attribute values for
compliance with a number of UnboundID-specific attribute type constraints,
including X-ALLOWED-VALUE, X-VALUE-REGEX, X-MIN-VALUE-LENGTH,
X-MAX-VALUE-LENGTH, X-MIN-VALUE-COUNT, X-MAX-VALUE-COUNT, X-MIN-INT-VALUE, and
X-MAX-INT-VALUE.
-
Updated all classes that offer a public void close() method that doesn't throw
any exceptions other than a possible IOException so that they implement the
java.io.Closeable interface. This includes classes like LDAPConnection,
LDAPConnectionPool, LDIFReader, LDIFWriter, all EntrySource implementations, and
others. This allows code using these classes to take advantage of the
try-with-resources facility introduced in Java SE 7.
-
Added support for parsing entries that contain information about the operations
processed in the server, using the syntax described in the
draft-chu-ldap-logschema-00 draft.
-
Updated the modrate tool to make a number of improvements, including:
-
The --valueCount argument can be used to specify the number of values to use
for replace modifications.
-
The --increment argument can be used to indicate that the tool should
perform increment modifications rather than replace modifications. The
--incrementAmount argument can specify the amount by which values should be
incremented (or decremented, in the case of a negative value).
-
The --assertionFilter argument can be used to include an LDAP assertion
request control in modify requests so that the change will only be applied
if the target entry matches the specified filter.
-
The --permissiveModify argument can be used to include a permissive modify
request control in modify requests.
-
The --preReadAttribute and --postReadAttribute arguments can be used to
include the pre-read or post-read request control in modify requests.
-
The --control argument can be used to include arbitrary controls in modify
requests.
-
Added a new JSONBuffer class that can be used to efficiently construct the
string representation of a JSON object, and a JSONObjectReader class that can be
used to read JSON objects from an input stream.
-
Added the ability to generate formatted, multi-line string representations of
JSON objects with better human readability.
-
Updated the in-memory directory server to add support for the LDAP no-operation
control as described in draft-zeilenga-ldap-noop-12.
-
Dramatically improved the robustness for both the
identify-references-to-missing-entries and identify-unique-attribute-conflicts
tools. They now use connection pools with automatic retry in the event of an
error that indicates the connection may no longer be valid.
-
Added a new base64 command-line tool that can be used to encode and decode data
using the base64 format.
-
Updated the LDIF reader to make it possible to specify the character set to use
when reading LDIF data. Previously, the character set was always assumed to be
UTF-8.
-
Updated the LDIF writer to make it possible to automatically include a comment
below any base64-encoded values that provides a non-base64-encoded
representation (with special characters escaped) of the preceding value.
-
Dramatically simplified the exception message used if it is not possible to
establish a connection to the directory server.
-
Updated the command-line argument parser to provide support for subcommands
with their own distinct sets of arguments.
-
Updated the command-line argument parser to add support for timestamp arguments,
whose values are either timestamps in generalized time format (which explicitly
specifies the time zone), or timestamps in the form YYYYMMDDhhmm,YYYYMMDDhhmmss,
or YYYYMMDDhhmmss.uuu (generalized time without a time zone specifier) that will
be assumed to be in the local time zone. A new timestamp range argument value
validator can be used to ensure that timestamp values are only permitted to be
within a specified range.
-
Updated the command-line argument parsing framework to add support for an IP
address argument value validator. This can be used to configure an argument to
only accept properly-formed IPv4 or IPv6 addresses.
-
Updated the command-line tool API to provide the ability to default to
interactively prompting for bind passwords when appropriate. Tools would
previously only prompt for a password if explicitly requested to do so using the
--promptForBindPassword argument.
-
Updated the command-line tool API to provide the ability for tools to
offer an --outputFile argument that causes them to send their output to a
specified file. It can be paired with the --teeOutput argument to cause the
output to be sent to both the specified file and to the console. The
--appendToOutputFile argument will cause the tool to append to an existing
output file rather than overwriting it.
-
Updated the LDAP command-line tool API to make the --bindDN and --saslOption
arguments are mutually exclusive. None of the supported SASL mechanisms make
use of a bind DN, and combining these options is only likely to cause confusion.
-
Updated the SSLUtil methods for creating SSL server sockets so that their
enabled protocols will be set more intelligently. This was already in place for
SSL client sockets, but had been overlooked for server sockets.
-
Updated the aggregate trust manager to provide a more useful error message when
none of the nested trust managers accept a presented certificate.
-
Updated the rate adjustor so that when using a rate tool to generate a sample
rate data file, the resulting file will now include a number of additional
examples of common rate patterns, including square, stairstep, sine, sawtooth,
triangle, and hockey stick.
-
Updated the command-line tool API so that if any tool registers a shutdown hook
(to allow it to perform cleanup in the event of an unexpected graceful JVM
termination), that shutdown hook will be de-registered if the tool completes its
processing without an unexpected JVM shutdown.
-
Added a utility class for reading a file containing entry DNs. Blank lines and
lines containing comments will be ignored. Each DN must be on a line by itself,
and it may optionally be prefixed by "dn:". It is also possible to include
base64-encoded DNs prefixed by "dn::".
-
Added a utility class for reading a file containing search filtersNs. Blank
lines and lines containing comments will be ignored. Each filter must be on a
line by itself.
-
Updated the code used to parse a search filter from its string representation to
support up to 100 levels of nesting rather than the previous maximum of 50
levels.
-
Added new convenience methods and constructors for use when programmatically
creating schema elements.
-
Updated the LDAPBindException.toLDAPResult and
LDAPExtendedOperationException.toLDAPResult methods so that they return the
underlying BindResult or ExtendedResult rather than creating a new generic
LDAPResult.
-
Updated the Netscape Directory API migration support to make it possible to
abandon a search operation with an LDAPSearchResults object.
-
Updated the JNDI migration support to make it possible to specify a context base
DN when converting between an LDAP SDK entry and a JNDI search result.
-
Updated the LDAP SDK documentation to include the latest revisions of updated
IETF drafts, including draft-seantek-ldap-pkcs9 and draft-wibrown-ldapssotoken.
-
Added a version of the ldapmodify tool with support for a wide range of
features, including a wide range of controls, LDAP transactions and multi-update
operations, following referrals, bulk operation processing, rate limiting, and
automatically retrying operations that fail in a manner that indicates the
connection may no longer be usable.
-
Added a new manage-account tool that can be used to perform a large number of
password policy state operations on a specified user entries, or on sets of user
entries. This tool is completely backwards-compatible with the manage-account
tool formerly provided with UnboundID server products (and in fact, that tool
has now been replaced with the version included in the LDAP SDK), but the new
tool provides support for many more operations, and much better support for bulk
operations that target multiple users instead of just one. The LDAP SDK's
support for the password policy state extended operation has also been updated
to make it possible to take advantage of a number of new operation types.
-
Added a new split-ldif tool that can be used to split a single LDIF file so that
entries below a given base DN are split into multiple distinct sets. This may
be useful for preparing data for use with the Directory Proxy Server in an
entry-balancing deployment. The data may be split according to a number of
types of criteria.
-
Added support for a new task that can be used to trigger the rotation of one
or more server log files.
-
Added support for "generate TOTP shared secret" and "revoke TOTP shared secret"
extended operations, which can be used to help automate the process of
configuring a user account to support two-factor authentication with the
UNBOUNDID-TOTP SASL mechanism. A new generate-totp-secret command-line tool is
also provided, which can be used to invoke these extended operations from the
command line.
-
Added support for the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL
mechanism, which can be used to indicate that a user has attempted to
authenticate through some mechanism that is external to the Directory Server,
but allows the server to override a successful authentication attempt to
indicate a failure (e.g., if the user's account is in an unusable state, like
being disabled or locked, or having an expired password), or to perform any
appropriate state processing (e.g., to update the last login time and IP address
for a successful authentication, or the failure count for a failed attempt).
-
Added support for parsing the new index monitor attributes used for counting
keys near and over the index entry limit that have been accessed while
processing search and update operations. Also updated the log parsing API to
support parsing the corresponding elements from access log messages.
-
Fixed a bug in the summarize-access-log tool that could cause it to take a very
long time to process log messages for search operations with certain types of
very deeply-nested filters.
Version 3.1.1
The following changes were made between the 3.1.0 and 3.1.1 releases:
-
Updated the AddRequest constructor that allows you to create an add request from
lines that compose the LDIF representation so that you can use an LDIF add
change record (including the "changetype: add" line, and optionally including
one or more controls) as an alternative to providing the LDIF representation of
an entry.
-
Added two new LDAP listener request handler implementations that can be used to
limit the load that LDAP clients are able to impose on the server. The
concurrent request limiter implementation imposes a limit on the number of
requests that may be processed simultaneously. The rate limiter implementation
imposes a limit on the maximum rate of operations that may be processed in a
particular time period.
-
Fixed a bug in which the LDAP connection pool statistics were not always
properly updated after an unsuccessful attempt to establish a new connection for
use in the pool.
-
Updated LDAP command-line tools to provide a new "--helpSASL" argument that can
be used to display information about the supported SASL mechanisms and the SASL
options available for each mechanism.
-
Updated the command-line argument parser to the use of a properties file for
obtaining default values for a specified set of arguments. This can help
administrators define a properties file with commonly-used argument values
(e.g., LDAP server address, port, TLS settings, bind DN, etc.) so that they do
not need to be explicitly specified in the set of arguments when running a tool.
Command-line tools can choose to enable or disable this feature, and tools that
enable it will also have an option to generate a template file that makes it
easier to specify the desired properties for that file.
-
Updated the command-line argument parser to support assigning group names to
arguments. This allows related arguments to be grouped together in the usage
information obtained with the "--help" argument.
-
Updated command-line tools to provide alternate long identifiers for a number of
arguments. This primarily covers the difference between camelCase versus
dash-separated words (e.g., what was previously only available as "--bindDN" can
now alternately be specified as "--bind-dn").
-
Updated the documentation to include the most recent versions of a number of
LDAP-related specifications.
-
Added client-side support for a new UNBOUNDID-YUBIKEY-OTP SASL mechanism that
can be used to perform single-factor or two-factor authentication using a
one-time password generated by a YubiKey device.
-
Added client-side support for a pair of extended operations that can be used to
register or deregister YubiKey OTP devices for use by a specified user.
-
Updated the matching entry count request control to provide support for new
options that allow the client to have some control over the balance between how
quickly the matching entry count estimate should be obtained versus how accurate
that estimate should be. In particular, it is now possible for the client to
control the short-circuit threshold, and to indicate whether to actually
retrieve entry ID sets from exploded indexes in the case that the number of
entries in the set is already known.
Version 3.1.0
The following changes were made between the 3.0.0 and 3.1.0 releases:
-
Updated the command-line tool API to make it possible to run tools in an
interactive mode. This mode, which is enabled by default in most of the example
tools that ship with the LDAP SDK, allows the tool to prompt the user for the
values of all the connection and authentication details, as well as for any
tool-specific required properties. It will then display a menu that can be used
to edit the arguments, run the tool with the specified settings, and display the
command-line arguments to run the tool with those settings in non-interactive
mode.
-
Updated the ldap-debugger tool to add the ability to generate source code that
can be used to process all of the operations passing through it. The
in-memory directory server has also been updated to provide a similar
capability. This can help make it easier to migrate applications written using
other APIs to the UnboundID LDAP SDK.
-
Updated the LDAP connection pool to make it possible to configure a minimum
available connection goal. If set, the connection pool will try to maintain at
least this many connections available for immediate use. This can help avoid
application performance problems that can result if the pool is empty and
connections must be created on-demand for new requests.
-
Added support for LDIF translators that can be used to transform LDIF change
records when reading from or writing to LDIF. These translators are especially
useful when using multiple threads to read or write multiple change records in
parallel.
-
Updated the GSSAPI bind request implementation to add the ability to obtain
credentials from a keytab, and to indicate that the configuration should be
refreshed before attempting the JAAS login.
-
Updated the in-memory directory server to make it possible to use a specific
entry as the root DSE instead of the dynamically-generated version.
-
Updated the LDAP listener framework and the in-memory directory server to make
it possible to limit the number of connections that may be established at any
given time.
-
Added new Entry.applyModifyDN methods that can be used to retrieve a new entry
that reflects the changes associated with processing a modify DN operation
against that entry. In addition to updating the DN for the entry, it will also
apply any appropriate attribute changes for the entry's new RDN.
-
Improved support for the LDAP SDK's automatic selection of enabled TLS protocols
to improve compatibility with TLS implementations that do not support the most
recent TLS protocol offered by the JVM and also don't properly handle a TLS
client hello message that references the newer protocol.
-
Updated the LDAP SDK so that it will always throw an LDAPException if the server
returns a non-success result for a StartTLS extended operation. It was
previously possible for the LDAP SDK to return a non-success result without
throwing an exception (as is the case for other types of extended operations),
but that could potentially cause the client to continue using a connection that
it incorrectly believed to be secure.
-
Added the ability to create a StartTLSPostConnectProcessor with an
SSLSocketFactory instead of an SSLContext. Using a socket factory created with
the SSLUtil.createSSLSocketFactory will provide better support for a the full
range of enabled TLS protocols.
-
Added a new LDAPBindException class that is a subclass of LDAPException and can
provide access to the server SASL credentials returned to the client in a bind
failure.
-
Added a new LDAPExtendedOperationException class that is a subclass of
LDAPException and can provide access to the OID and value returned to the client
in an extended operation failure.
-
Improved the LDAP SDK's handling of connect timeouts to ensure that a connection
attempt is less likely to block for longer than the configured connect timeout.
-
Updated the LDAP connection pool health check to add the ability to perform
validation after the pool performs a bind, either at the time a connection is
created or when the pool re-authenticates a connection as a result of a call to
bindAndRevertAuthentication or releaseAndReAuthenticateConnection.
-
Added a new password expiration LDAP connection pool health check that can be
used to warn about or reject connections in which the bind result indicates a
current or upcoming password-policy-related problem like password expiration or
account lockout.
-
Added a new aggregate LDAP connection pool health check that can be used to
invoke multiple health checks as a single unit.
-
Added a new aggregate post-connect processor that can be used to invoke multiple
post-connect processors as a single unit.
-
Updated the LDAP command-line tool API to make it possible to specify more
options when creating a connection pool using the settings provided via
command-line arguments.
-
Updated the LDAP SDK to include Java implementations from Azul Systems in the
whitelist of JVMs that permit concurrent socket factory use by default.
-
Fixed a potential thread safety problem in the
LDAPConnectionPool.releaseAndReAuthenticateConnection method.
-
Deprecated the LDAPConnectionOptions support for auto-reconnect. It has always
been inherently fragile and only useful under limited circumstances. Using a
connection pool, even when only a single connection is expected at any given
time, is a much more reliable and feature-rich way to achieve the same benefits.
-
Updated the LDIF reader to be more permissive when encountering mismatches
between the declared attribute description for a modification and the
attribute description provided with the set of values. It will now accept
differences in the order of attribute options, and, if a schema is available,
will accept equivalent names (or the numeric OID) for an attribute type. It
can also handle the case in which the binary transfer option was not included
in the initial attribute description but is used in one or more values.
-
Updated the LDIF reader to make it possible to specify the trailing space
behavior when using static methods to decode LDIF entries and change records.
-
Added minimal constructors for a number of argument types that assume common
values for a number of properties. Also added default placeholder strings for
arguments so that it is not always necessary to provide a non-null value when
creating an argument.
-
Improved the argument descriptions for arguments in performance testing tools
(including searchrate, modrate, authrate, and search-and-modrate) to provide the
URL to online documentation that describes complete details for the value
pattern syntax.
-
Updated the methods used to retrieve schema information from the directory
server so that they use the correct "(objectClass=subschema)" filter and will
request all user attributes in addition to the schema-related operational
attributes. Also, ensure that schema entries read from LDIF files always
include at least the top, ldapSubentry, and subschema object classes.
-
Removed the @ThreadSafety annotation from the ThreadSafetyLevel enum class,
since an enum should not be marked with an annotation whose argument list
includes a value of that enum. This will also eliminate a compile warning when
building a Scala application that uses the LDAP SDK.
-
Updated the way that the LDAP SDK maintains thread-local buffers used for
building LDAP messages. Previously, the LDAP SDK would create thread-local
buffers and maintain them for the life of the threads used to construct LDAP
messages. It will now only maintain these buffers as long as there is at least
one connection established. Once all connections are closed, any buffers that
may have been created will be freed.
-
Updated the documentation to include the most recent versions of a number of
LDAP-related specifications.
-
Added support for a new "name with entryUUID" control that can be included in an
add request to indicate that the resulting entry should use the server-generated
entryUUID as the naming attribute.
-
Added support for a new get password policy state issues request control that
may be included in a bind request under certain circumstances to obtain
detailed information about notices, warnings, and errors pertaining to the
password policy state for the user trying to authenticate.
-
Updated support for the password policy state extended operation to provide
access to additional information, including the last authentication time,
the account activation time, and summaries of the notice, warning, and error
conditions for the user's password policy state.
-
Added support for a new task that can be used to synchronize encryption settings
definitions between server instances within the same topology.
-
Added new result codes that may be used to obtain information about the status
of an attempt to deliver a one-time password, a password reset token, or a
single-use token.
-
Added a new start administrative session post-connect processor that can be used
to create a connection pool in which the connections are part of an
administrative session.
Version 3.0.0
The following changes were made between the 2.3.8 and 3.0.0 releases:
-
Make the UnboundID LDAP SDK for Java available via GitHub at
https://github.com/UnboundID/ldapsdk.
The SourceForge subversion repository, mailing lists, and discussion forums will
continue to be maintained in addition to the new GitHub support.
-
The LDAP SDK now includes support for using a JSON-based configuration to
specify a number of settings that can be used to create LDAP connections and
connection pools. This includes options for connecting to a single server or
selecting from a group of servers using a number of algorithms, securing
communication with SSL or StartTLS, and authenticating connections using simple
or SASL mechanisms. Basic support for creating, parsing, and interacting with
general-purpose JSON objects is also available.
-
Fix a bug in the LDIF reader's attribute parsing code that could prevent it from
using the correct matching rule for attributes read from LDIF.
-
Fix a bug that could cause the Schema class to throw a null pointer exception
when attempting to get the set of required or optional attribute type
definitions for an object class in the event that any of the superclasses were
not defined in the schema.
-
Add the ability to manually invoke a synchronous health check against an
LDAP connection pool, optionally with a different health check mechanism than
is otherwise configured for the pool.
-
Update the default LDAP connection pool configuration so that it no longer has
the possibility of blocking for up to five seconds while waiting for a
connection to be released if one is needed but none are immediately available.
-
Ensure that connection pool statistics are properly updated when a connection is
closed as a result of a health check failure.
-
Update support for parsing command-line arguments to add special support for
arguments that describe LDAP controls, and to add improved support for
ensuring that argument values match a number of common formats.
-
Improve support for establishing connections with a connect timeout to try to
separate the process of creating a socket and connecting it to the target
server whenever possible.
-
Add the ability to specify an alternate key or trust store type when running the
in-memory directory server via the command line.
-
Update the value pattern support to make it possible to access the contents of
files in sequential order. It was previously only possible to access file
contents in random order.
-
Update the identify-unique-attribute-conflicts example tool to make it possible
to only identify conflicts in entries that match a given filter.
-
The Commercial Edition of the UnboundID LDAP SDK for Java is now open source
under the terms of the GNU General Public License version 2 and the GNU Lesser
General Public License version 2.1. The Commercial Edition source code is
available in the GitHub repository at
https://github.com/UnboundID/ldapsdk.
-
Add support for a new JSON object filter mechanism, which can be used to perform
advanced matching against JSON objects stored in the Directory Server.
-
Add support for a new deliver password reset token extended operation that can
generate a single-use token and deliver it to a specified user through some
out-of-band mechanism (e.g., email, SMS, voice call, etc.). This password reset
token can be provided to the password modify extended operation as an
alternative to the user's current password in order to allow that user to choose
a new password.
-
Add support for a new get password quality requirements extended operation that
can be used to retrieve information about the constraints that the server will
impose on user passwords. A new set of password validation details request and
response controls can be used to obtain information about the result of any
validation performed against a password included in the associated request.
-
Add support for a new deliver single-use tokens extended operation that can be
used to generate and deliver single-use tokens for arbitrary purposes (e.g., for
validating a provided email address or phone number). The new consume
single-use tokens extended operation can be used to consume those tokens after
they have been delivered.
-
Add support for a new get supported OTP delivery mechanisms extended operation
that can be used to determine which out-of-band mechanisms can be used to
deliver one-time passwords, password reset tokens, and other single-use tokens
to a specified user.
-
Add support for creating and interacting with the Directory Proxy Server's
reload global index task.
-
Update the matching entry count control to add the ability to determine whether
the associated search is considered indexed.
-
Add a new get changelog batch change selection criteria that can be used to
target only changelog entries that match a specific notification destination.
-
Update access log parsing support to provide the ability to get information
about any privileges used, or any required privileges that were missing, in the
course of processing an operation.
-
Update the javadoc documentation for all Commercial Edition classes to add a
note to help clarify that they are part of the Commercial Edition and are not
available in the Standard Edition of the LDAP SDK.
Version 2.3.8
The following changes were made between the 2.3.7 and 2.3.8 releases:
-
Fix a synchronization bug in the in-memory directory server that could
potentially cause a concurrent modification exception under concurrent load from
multiple connections.
-
Add a new Filter.simplifyFilter method that can be used to simplify a search
filter in a manner that may allow some directory servers to process the search
more efficiently. Some searches used within the persistence framework have been
updated to use this method to simplify the filters generated for those searches.
-
Add a utility class that can be used to work with OIDs.
-
Update the documentation to include a number of LDAP specification documents,
including LDAP-related RFCs and Internet Drafts, as well as an OID reference and
a result code reference.
-
Updated the UnboundIDChangelogEntry class to add support for the upcoming
ds-changelog-target-attribute attribute, which will indicate which attributes
were included in the associated change.
-
Updated the access log parsing framework to add support for the usedPrivileges
and missingPrivileges access log elements.
Version 2.3.7
The following changes were made between the 2.3.6 and 2.3.7 releases:
-
Update the logic used to control the default set of enabled SSL protocols.
SSLv3 is now disabled by default (in response to the recent POODLE bug that
could cause SSLv3 connections to be decrypted by a network observer), and the
set of enabled protocols is more broadly compatible than was previously the
case when running on IBM VMs.
-
Add the ability to perform validation on an SSLSocket immediately after its
establishment (regardless of whether the connection was initially secured via
SSL/TLS or secured after the fact with the StartTLS extended operation). This
can be used to better perform hostname validation in a more secure manner than
was otherwise available through the trust manager framework. Also, add the
ability to get access to the SSLSession associated with a connection that has
been secured via SSL/TLS or StartTLS.
-
Make a number of updates to GSSAPI support, including the ability to specify the
JAAS client name (which allows the use of a single JAAS configuration file with
a number of different configurations), the ability to customize the use of a
property indicating whether to allow credentials from outside the current
subject, and to suppress the alteration of a specified set of system properties
in the event that they had already been set by some other mechanism.
-
Add a new server set that can use round-robin DNS configurations to support
hostnames that resolve to multiple IP addresses. The selection of which IP
address to use for a given connection may be made at random, in round-robin
order, or based on the order in which the addresses were returned from the name
service.
-
Update the connection pool to add a method that can be used to shrink the
current size of the pool to a specified number of connections. This will have
no effect on the maximum size of the pool, but can reduce the number of
established connections if an earlier spike in utilization resulted in the
creation of a number of extra connections that are no longer needed.
-
Update the persistence framework to improve support for classes marked with
@LDAPObject that are subclasses of other classes marked with @LDAPObject. If a
subclass does not define any RDN fields or getters, they will now be inherited
from a superclass. If a subclass does not define any default parent DN, then it
will be inherited from a superclass. DN fields and entry fields defined in
superclasses will now be properly handled. The set of attributes to request for
inclusion in search result entries will also be properly aggregated from all
superclasses.
-
Update the in-memory directory server to make it possible to reject anonymous
binds, whether via simple or SASL authentication. Note, however, that the
effect net effect on the authenticated state of the connection will be the same
as if it were successful, since a failed bind always results in an
unauthenticated connection.
-
Update the in-memory directory server to add a new interceptor API. This API
can be used to alter client requests before they are processed by the server,
and to alter responses before they are returned to the client.
-
Update the DNS SRV record server set to make it possible to customize the set of
properties used to initialize the JNDI context to use when interacting with the
DNS server.
-
Add a new rate adjustor utility class that can be used in conjunction with the
fixed-rate barrier to adjust the rate over time based on a specified definition.
The searchrate, modrate, authrate, and search-and-mod-rate tools have been
updated to provide a new "--variableRateData" argument that makes it possible to
use this feature in conjunction with those tools.
-
Add the ability to programmatically interrupt the searchrate, modrate, authrate,
and search-and-mod-rate tools.
-
Add a new "database lock conflict" result code that may be returned by the
UnboundID Directory Server.
-
Expose the LDAPConnection.getStartTLSRequest method so that it can be used by
third-party code that might want to be able to process StartTLS operations in
the same way as had been performed for the associated connection.
-
Update the logic used for automatic referral following so that if a referral is
received over a connection secured via StartTLS, then the connection established
to follow that referral will also be secured via StartTLS.
-
Fix a bug in the code responsible for automatically re-establishing a connection
if it becomes disconnected (which is only attempted if auto-reconnect is enabled
in the connection options). If the connection had been secured with StartTLS,
the re-established connection was previously not secured in the same way.
-
Fix a bug in the Entry.applyModifications method that could cause it to reject a
valid modifications that targets an attribute used in the entry's RDN even if
the modification would not alter the entry RDN.
-
Fix a bug in the Entry.diff method when given a specific set of attributes to
process. Attributes with options would be incorrectly excluded from the
attributes that were processed.
-
Fix a bug that could prevent active asynchronous operations from being notified
if the connection becomes disconnected. Also, fix a bug that could prevent the
connection reader thread from waiting on a response to an asynchronous operation
that has timed out or been abandoned.
-
Fix a bug that could prevent parsing a DN or RDN that contains a zero-length
attribute value.
-
Fix a bug in the way that a connection retained a handle to the last bind
request processed on that connection. This could be incorrect in some cases if
the bind was processed using the UnboundID-proprietary retain identity request
control.
-
Fix a bug in the prompt trust manager that could cause it to enter an infinite
loop if the end of the input stream was reached while waiting for confirmation
about whether to trust the certificate.
-
Eliminate a potential null pointer exception that could arise from a race
condition in the course of closing a connection.
-
Eliminate a potential illegal argument exception that could be thrown if an
attempt is made to close the pool using multiple threads if there are currently
no connections in the pool.
-
Make it easier to build the LDAP SDK with an external version of Apache ant
rather than the one included in the repository. Also, make it possible to
build without invoking the checkstyle tool.
-
Add support for a get backend set ID control, which can be used to request that
the Directory Proxy Server return information about which entry-balancing
backend set(s) were used to process the associated operation.
-
Add support for a route to backend set control, which can be used to influence
the entry-balancing backend set(s) to which the Directory Proxy Server forwards
a request for processing.
-
Add support for a matching entry count control, which can be used to request
that the Directory Server or Directory Proxy Server return information about the
number of entries that match the search criteria rather than returning the
matching entries themselves.
-
Add support for a transaction settings request control that may be included in
an end transaction or atomic multi-update extended request to specify a number
of transaction-related settings that should be used when processing and
committing the transaction.
-
Add support for a number of extended operations that may be used to interact
with notification destinations and subscriptions in the UnboundID Directory
Server.
-
Update support for the set subtree accessibility extended request to make it
possible to atomically alter the accessibility of multiple subtrees in a single
request.
-
Add support for parsing alarm entries as exposed in the alarms backend.
-
Add support for retrieving and parsing the group cache monitor entry.
-
Add support for retrieving and parsing the recent CPU and memory usage monitor
entry.
-
Add support for retrieving and parsing the result code monitor entry.
-
Add support for retrieving and parsing gauge monitor entries.
-
Update the support for the processing time histogram monitor entry to make it
possible to retrieve information about extended operations, and to support an
upcoming format change for aggregate percent values.
-
Update the support for the load-balancing algorithm monitor entry to make it
possible to retrieve information about aggregate local and non-local health
check states, as well as the name of the load-balancing algorithm.
-
Update the deliver-one-time-password tool so that it provides a more useful
error message if the underlying extended request does not complete successfully.
Version 2.3.6
The following changes were made between the 2.3.5 and 2.3.6 releases:
-
Update the LDAPConnectionPool class to make it possible to specify a health
check that should be used for the initial set of connections established when
the pool is created.
-
Update the LDIF change record implementations to include support for change
records with request controls.
-
Update the GSSAPI and DIGEST-MD5 SASL mechanisms to provide support for the
auth-int and auth-conf quality of protection modes.
-
Update the DIGEST-MD5 SASL mechanism so that if the caller does not explicitly
specify a realm but the server suggests a default realm, the default realm will
be used.
-
Update the framework for processing asynchronous operations to make it more
convenient to invoke an add, compare, delete, modify, or modify DN operation in
cases in which the result will be obtained through the
java.util.concurrent.Future API and no async result listener is desired.
-
Add a new processRequestsAsync method to connection pool implementations that
can be used to cause multiple asynchronous add, compare, delete, modify, modify
DN, and/or search operations to be processed concurrently on the same pooled
connection.
-
Update the LDAPThreadLocalConnectionPool.getConnection method to use the
LDAPConnection.isConnected method to provide additional verification that the
connection is still established before returning it to the caller.
-
Fix a bug in the in-memory directory server support for the post-read response
control that caused the post-read entry to be generated before some updates
(e.g., those for operational attributes like modifiersName and modifyTimestamp)
had been processed.
-
Fix a potential thread safety bug in the get entry connection pool health check.
-
Add convenience constructors to make it easier to create a bind result, compare
result, or extended result from an LDAPException.
-
Add a convenience method that can be used to extract a password expired control
from an LDAPException just as easily as from an LDAPResult.
-
Add support for the retire password and purge password request controls. Also
update the password policy state extended request to support a number of
operations for interacting with retired passwords, and update the access log
parser to support the new retiredPasswordUsed element that may appear in bind
response messages.
-
Add support for load-balancing algorithm monitor entries.
-
Update the class-level documentation for the start interactive transaction
extended request to indicate that it is no longer recommended for use, and to
suggest alternative means of achieving atomicity and/or bulk operations.
Version 2.3.5
The following changes were made between the 2.3.4 and 2.3.5 releases:
-
Fix a bug in the LDIF writer that could cause it to write the original entry
rather than a new entry generated by an LDIFWriterEntryTranslator.
-
Fix a bug that could cause the LDAP SDK to enter an infinite loop when attempting
to read data from a malformed intermediate response.
-
Fix a bug in the parsing and generation of the string representation of search
filters that contain non-UTF-8 data.
-
Ensure that the LDIF representation of modify change records includes a trailing
dash after the last change, in strict accordance with the LDIF specification in
RFC 2849.
-
Update the LDIF writer to add a new writeVersionHeader method that can be used
to ensure that the "version: 1" header is written to the LDIF output. In
addition, the LDIF reader's static decodeEntry and decodeChangeRecord methods
have been updated to handle the case in which the provided entry or change
record has a first line that is the version header. The LDIF reader already
handled this header in normal parsing, but the static methods that could be used
for decoding individual records did not properly support this capability.
-
Update the in-memory directory server to provide support for enforcing a maximum
search size limit.
-
Improve debugging support for response messages for connections operating in
synchronous mode.
-
Dramatically improve code examples included in class-level javadoc comments. All
code examples are now covered by unit tests to ensure that the code is valid, and
many of the examples have been improved to be more useful and production quality.
-
Add a new FewestConnectionServerSet class that can be used to cause connections
to be established to the server with the fewest number of established
connections (based only on connections already created by that server set
instance). This can help ensure that the distribution of connections across
multiple servers remains relatively even.
-
Update the FailoverServerSet to make it possible to specify an alternate maximum
connection age that will be used for "failover" connections (i.e., connections
established to any server except the first server in the list, or that are
created using any server set other than the first set in the list). This will
only have any effect if the server set is used to create an LDAPConnectionPool,
but it can be used to help ensure a faster fail-back to a "preferred"
configuration after a connection failure is encountered.
-
Add a new LDAPConnection.getLastCommunicationTime method that can be used to
determine the time that the connection was last used to send a request or read a
response (and therefore determine how long the connection has been idle).
-
Add a new LDAPConnectionPool.getConnection method that can be used to request a
connection to a particular server by providing the address and port of the
target server. This is primarily useful when the connection pool may contain
connections to multiple servers, but a specific server is desired for handling a
particular request.
-
Add a new LDAPConnectionPool.discardConnection method that can be used to
indicate that the provided connection is no longer needed and should be closed
without creating a new connection to take its place. This can be used to reduce
the number of connections in the pool if desired.
-
Update the connection pool so that by default, connections will be closed and
re-established as a result of the maximum connection age only by the background
health check. Previously, the pool would also check the age of a connection
whenever that connection was released back to the pool, but in busy applications
this could result in multiple connections being closed and re-established
concurrently, which could have a significant performance impact on the directory
server.
-
Update the connection pool so that it is possible to set a different maximum
connection age for connections that were created to replace defunct connections
than connections that were created under normal conditions. This can help
ensure a faster fail-back to a more normal allocation of connections in a pool
that may have connections balanced across multiple servers.
-
Add new addAttribute and setAttribute methods to the entry class that make it
possible to specify multiple string values for the attributes using a
collection.
-
Add two new example tools: identify-references-to-missing-entries (which can be
used to identify any entries which contain attributes whose values are DNs that
reference nonexistent entries), and identify-unique-attribute-conflicts (which
can be used to identify any values for an attribute or set of attributes that
appear in multiple entries).
-
Provide a more useful error message if a client-side timeout is encountered while
waiting for the response to a request. Previously, this message would only
include the type of operation that timed out. It now also includes the LDAP
message ID for the operation, as well as additional operation-specific
information about the request.
-
Provide a more useful error message if a problem is encountered during SASL bind
processing when one or more unhandled callbacks were encountered during
processing.
-
Update the GSSAPI bind request to make it possible to specify a server name that
is different from the address used to establish the connection to that server.
-
Define a new system property that can be used to specify the default SSL/TLS
protocol that should be used for secure communication. It is still possible to
programmatically specify the default protocol using the
SSLUtil.setDefaultSSLProtocol method.
-
Add the ability to provide an SSLSocketFactory as an alternative to an
SSLContext when creating a StartTLS extended request.
-
Update the StartTLS post-connect processor to include a client-side timeout in
the StartTLS extended request if appropriate.
-
Update the prompt trust manager to make it possible to determine whether the
trust manager would interactively prompt the user about a certificate.
-
Omit the "entriesReturned" and "referencesReturned" elements from the string
representation of a search result if those values are not known. Previously,
these elements would be included with a value of "-1" in such cases.
-
Add support for a new list configurations extended operation, which may be used
to request information about active, baseline, and archived configurations
available to the server, and a get configuration extended operation, which may
be used to retrieve a specific version of the configuration. These are primarily
intended for use in processing performed by the new config-diff tool, but may be
useful in other contexts as well.
-
Add support for a get backup compatibility descriptor extended operation, and for
an identify backup compatibility problems extended operation. These operations
may be used to help determine whether a backup taken from one server instance can
be successfully restored into another server instance.
Version 2.3.4
The following changes were made between the 2.3.3 and 2.3.4 releases:
-
A bug in the Oracle javadoc tool (as described in
VU#225657) could cause
javadoc documentation generated by vulnerable versions of that tool to include a
javascript flaw that could allow an attacker to craft a URI that could cause an
arbitrary page to be displayed. The LDAP SDK javadoc documentation is now
generated with an updated version of the javadoc tool that no longer contains
this vulnerability.
-
Fix a connection pool bug that could cause a connection to be unnecessarily
closed and re-established in the course of processing a simple bind operation if
the connection was configured to operate in synchronous mode.
-
Fix a bug in the LDAP SDK schema parser that could prevent it from properly
decoding schema elements in which the closing parenthesis immediately followed an
OBSOLETE, SINGLE-VALUE, or NO-USER-MODIFICATION token without a space between the
token and the parenthesis.
-
Change the way the LDAP SDK maintains disconnect information to eliminate a
potential code flow that could allow multiple disconnect notifications for a
single disconnect.
-
Add support for the Microsoft DirSync control that may be used with Active
Directory in order to obtain information about changes that have been processed
in the server.
-
Fix a bug in the entry validator class that could cause it to incorrectly
classify entries with multiple structural object classes as entries that were
missing a structural object class.
-
The LDAP command-line tool API has been updated so to provide new
"--promptForBindPassword", "--promptForKeyStorePassword", and
"--promptForTrustStorePassword" arguments. These arguments may allow the
associated password to be interactively provided by the end user in a secure
manner as an alternative to requiring the password to be provided as a
command-line argument or stored in a clear-text file.
-
The LDAP command-line tool API has been updated to make it possible to create
tools that do not offer arguments for simple or SASL authentication. This can
allow creating tools that may need to establish only unauthenticated connections.
-
Improve the argument validation used by LDAP command-line tools to help
avoid problems that result from arguments provided when they are not needed.
-
Add support for an extended operation and a SASL mechanism that can be used to
support multifactor authentication using a one-time password delivered to the
end user through some out-of-band mechanism (e.g., e-mail, SMS messages, etc.).
A command-line tool has also been provided that can be used to easily test the
ability to deliver one-time passwords to users, and the LDAP command-line tool
API has been updated to provide support for this new SASL mechanism.
-
Update the summarize-access-log tool to provide additional information, including
a breakdown of selected client connection policies and their relative
percentages, a breakdown of disconnect reasons and their relative percentages,
and information about the number and relative percentage of operations that
resulted in access to uncached data.
Version 2.3.3
The following changes were made between the 2.3.2 and 2.3.3 releases:
-
Fix a problem with the CSS file used to generate javadoc documentation that could
cause it to appear malformed when built with Java SE 7, even though it looked
fine when built with Java SE 6.
Version 2.3.2
The following changes were made between the 2.3.1 and 2.3.2 releases:
-
Update the LDAPConnectionPool class to make it possible to successfully create a
connection pool even if a failure is encountered while attempting to establish
one or more of the initial connections.
-
Update the LDAPConnectionPool class to make it possible to use multiple threads
to establish the initial set of connections more quickly. This can dramatically
reduce the length of time required to create a pool, especially when
establishing a large number of connections and/or when connecting to a remote or
slow-to-respond server. It is also now possible to use multiple threads to
close connections in parallel and optionally skip sending an unbind request
before closing the connections.
-
Update connection pooling support when connections are configured to
automatically retrieve schema information from the server. In a connection
pool, it is now possible to cache the schema so that it will not be retrieved
for every connection that is established.
-
Update connection pool support to a method that can be used to process a bind,
and then immediately re-bind with the credentials that were initially used when
the connection was established. Also add a method that can be used to release a
connection and have it be re-authenticated using the credentials that were
initially used when the connection was established.
-
Update the in-memory directory server to make it possible to specify multiple
schema files that will all be combined to generate the server schema.
-
Update the persistence framework so that the default object encoder includes
support for serialized objects. This may result in attribute values that aren't
useful to non-Java clients, but may still provide a convenient way to store some
complex information in LDAP entries.
-
Update the persistence framework to provide a new getAll method that makes it
possible to retrieve all objects of the associated type below a given base DN.
-
Update the generate-schema-from-source tool so that it will include default
values for the equality, ordering and/or substring matching rules for all
attribute types that it creates.
-
Update the generate-schema-from-source tool so that it provides a new
"--modifyFormat" argument that will cause the tool to generate new schema
elements as LDIF modify change records instead of as attributes in an LDIF
entry.
-
Update the javadoc for getter methods in the Filter class to make it clearer
which methods may be used with which filter types.
-
Update the javadoc for methods that may be used for performing searches, as well
as for methods that may be used to set search size and time limits, to make it
clear that if an LDAPSearchException is thrown, it may include information about
any entries and/or references that were returned before the exception was
thrown.
-
Update the SSLUtil class to the ability to specify the default SSL/TLS protocol
string that will be used for creating SSL contexts when the caller doesn't
explicitly specify a protocol.
-
Update the LDAP listener canned response request handler to add the ability to
return a specified set of entries and/or references for every search operation.
-
Ensure that disconnect information is always set for a connection that is being
closed. If the connection is closed through an unexpected code path, then it
will now include a stack trace that provides information about the call path
that resulted in the connection closure.
-
Add a new MultiServerLDAPCommandLineTool API that can be used to easily create
command-line tools that need to interact with multiple LDAP servers.
-
Update the LDAP SDK command-line tool API to add convenience methods for
registering a JVM shutdown hook that will be invoked when the JVM in which the
tool is running is shut down (e.g., when all non-daemon threads have completed
running the JVM receives a break or kill signal).
-
Add a convenience method to the LDIFAddChangeRecord class that makes it easy to
get the entry to be added.
-
Add a new SASLBindInProgressException that extends LDAPException and will be
thrown instead of a generic LDAPException if the server returns a "SASL bind in
progress" result. This will most likely occur when processing a SASL bind using
the GenericSASLBindRequest class.
-
Add a new LDIFWriterEntryTranslator class that can be used to transform or
suppress entries to be written to an LDIF file.
-
Update the LDAP debugger tool so that it can be used to accept SSL-based
connections from clients.
-
Improve the Attribute.equals method to make it much more efficient for
attributes with multiple values.
-
Add a new LDAPTestUtils.assertDNsEqual method that can be used to ensure that
two strings represent equivalent LDAP DNs.
-
Improve the amount of detail provided by the assertValueExists and
assertAttributeMissing methods in the LDAPTestUtils class if the assertion
fails.
-
Fix a bug in the LDIF reader that could prevent it from properly handling
comment lines that had been wrapped.
-
Fix a synchronization bug in the round-robin server set that could cause it to
throw an exception under highly concurrent load.
-
Fix a bug in the in-memory directory server that could cause it to send an
incorrectly-formatted search result done message for the case in which the size
size limit was exceeded.
-
Fix a bug in the LDAPThreadLocalConnectionPool that could cause it to establish
an extra connection if a health check is configured for the pool and the
ensureConnectionValidForCheckout method indicates that the existing connection
is not valid.
-
Fix a bug that could prevent connections from using the referral behavior
specified in the LDAP connection options that were set after the connection was
already established.
-
Fix a number of bugs that could interfere with the ability for a connection to
be automatically re-established if it becomes invalid.
-
Update the DurationArgument class to eliminate its dependency on the MINUTES,
HOURS, and DAYS values for the TimeUnit enum. These values were not added until
Java SE 6, and attempts to use the DurationArgument class in a Java SE 5
environment could result in errors.
-
Fix a bug in the persistence framework in which the inModify element of
LDAPField and LDAPGetter annotations may not be honored if the object being
modified was retrieved from a directory and references a copy of the original
entry in a field marked with LDAPEntryField.
-
Fix a bug in the persistence framework that can interfere with the ability to
generate search filters when using annotated objects that extend other annotated
objects.
-
Fix a potential null pointer exception that could arise in some cases when
trying to use a connection that was not established. An LDAP exception will now
be thrown instead.
-
Fix a potential null pointer exception that could be thrown when creating a
connection pool and a problem was encountered while attempting to establish one
of the initial connections after at least one connection had already been
established.
-
Fix a problem with the LDAP SDK build process that prevented building it with
Java SE 7, and clean up the code to remove a number of warnings generated when
building with Java SE 7.
-
Add support for a new multi-update extended operation that can be used to
request multiple updates in a single request. The updates may optionally be
processed as a single atomic unit so that any failure encountered while
processing any of the operations will prevent any of the changes from being
applied.
-
Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism handler
that can be used to perform multifactor authentication using both a client
certificate and a password.
-
Add support for a new set of controls that can be used with a bind operation to
request information about a number of user resource limits, including the user's
size limit, time limit, idle time limit, lookthrough limit, group membership,
assigned privileges, default entry balancing authorization DN, and the name of
the client connection policy that would have been assigned to the user.
-
Add support for extended operations that can be used to get and set information
about restricted subtree accessibility in the server. This makes it possible to
indicate that a specified subtree should be hidden or read-only except for
access by a specified user. A command-line tool has been provided that can be
used to get and set the accessibility of a specified subtree in the server.
-
Add support for a control that can be used to indicate that updates for certain
operational attributes (e.g., last access time, last login time, last login IP
address, and lastmod attributes) should be suppressed for the associated
operation.
-
Add support for a set of controls that can be used in conjunction with assured
replication, in order to request the desired assurance level and receive
feedback about the level of assurance that was attained.
-
Add support for a control that can be used in conjunction with a delete or
modify DN operation to indicate that no referential integrity processing should
be performed for the associated operation.
-
Add support for a task that can be used to cause the server to re-encode
entries within a specified branch. This can help transition existing data to
use encryption, compression, uncached content, or other altered encodings
without the need to export data to LDIF and re-import.
-
Add a class and command-line tool that can be used to help move a single entry
or a tree of entries from one server to another. The move can be accomplished
using either interactive transactions or via restricted subtree accessibility.
-
Update support for the get changelog batch extended request to make it possible
to indicate whether to return modifications to and/or deletes of soft-deleted
entries.
-
Update the MonitorManager class so that methods for retrieving monitor entries
now allow LDAPInterface objects as an alternative to LDAPConnection.
-
Update the SASLUtils class so that if the Commercial Edition classes are
available, then any Commercial Edition SASL mechanisms will be supported.
-
Update the log parsing API to add support for the new security negotiation,
entry rebalancing, and assured replication access log message types, and for the
uncachedDataAccessed element.
Version 2.3.1
The following changes were made between the 2.3.0 and 2.3.1 releases:
-
Fix a bug that could result in memory pressure with a high volume of
asynchronous operations. This was a regression introduced by a change which
made it possible for timeouts to be honored for asynchronous operations.
-
Made a number of improvements to SSL support, including the addition of a new
aggregate trust manager (which can combine the result of multiple trust managers
when deciding whether to trust a certificate), a validity date trust manager
(which can reject a certificate based on its validity time period), and a
hostname trust manager (which can reject a certificate based on a conflict
between the expected server hostname and the value of the certificate's CN
subject attribute or a subjectAltName extension). In addition, the prompt trust
manager now displays additional information, including MD5 and SHA-1
fingerprints, to allow the user to make more informed decisions about whether to
trust a certificate.
-
Updated support for the SASL EXTERNAL bind request so that it is now possible
to request an authorization identity element in the SASL credentials. It is
now possible to create a SASL EXTERNAL bind request which does or does not
include SASL credentials.
-
Update the persistence framework to provide more complete support for modify
processing when the resulting entry may be altered via a post-encode method. If
the object has a field marked with @LDAPEntryField, then the updated object will
be encoded and compared with the original entry to determine the appropriate set
of modifications.
-
Add a connection option that controls whether multiple threads will be allowed
to make concurrent use of the same socket factory instance to create multiple
connections. A change introduced in the 2.3.0 release made all socket factory
interaction synchronized because it was observed that some IBM VMs do not
support concurrent use of an SSL socket factory instance. The default behavior
is now to allow concurrent socket factory use for Sun and Oracle VMs, but to
require synchronized use in other VMs. However, this default can be overridden
in the LDAPConnectionOptions class.
-
Add a new fastest connect server set implementation which attempts to connect to
all associated servers in parallel and will return the first connection to be
established. This may increase the connect-time load across all servers, but
will minimize the length of time required to establish a connection in the event
that any of the servers is having a problem.
-
Update the LDIF reader to add new options which can be used to have more control
over the treatment of trailing spaces in non-base64-encoded values (reject,
strip, or retain) and the treatment of duplicate attribute values (reject,
strip, or retain).
-
Update the LDIF reader to add support for file URLs with relative paths. By
default, these paths will be relative to the JVM's current working directory,
but it is possible to specify a custom base directory for relative paths.
-
Update the searchrate, modrate, and search-and-mod-rate tools to provide a new
"--iterationsBeforeReconnect" argument, which makes it possible to periodically
close and re-establish each connection. The default behavior, in which each
thread will create its own connection that it will continue to use for the
entire run, has not changed.
-
Update the base64 encoding and decoding capabilities to support the base64url
encoding as described in RFC 4648 section 5. Also, add support for base32
encoding and decoding as described in RFC 4648 section 6.
-
Updated the LDAPCommandLineTool class to provide a new
getUnauthenticatedConnection method that can be used to obtain a connection to
the target server (including the use of SSL or StartTLS if so configured) but
without performing any authentication on that connection. Also make the
createSSLUtil and createBindRequest methods public so that they can be used by
third-party code.
-
Updated the DurationArgument class to provide a public static method that can be
used to parse a duration string to a numeric value based on a given time unit.
-
Update the ResultCode class to make it possible to provide a user-friendly name
for result codes not defined in the out-of-the-box set included with the LDAP
SDK.
-
Change the way that localization message files are stored and referenced within
the code. Some users have reported problems with their own applications having
properties files with names that conflict with properties file names used by
the LDAP SDK (e.g., "ldap.properties", "util.properties", etc.). To avoid this
problem, all LDAP SDK property files now have names starting with
"unboundid-ldapsdk-". In addition, the code has been updated to make even this
unlikely conflict less troublesome.
-
Updated the source for the Android LDAP client to use positional indicators in
format strings with multiple substitutions. It appears this is now required for
recent versions of the Android SDK.
-
Add support for HMAC-based one-time passwords (HOTP, as described in RFC 4226)
and time-based one-time passwords (TOTP, as described in RFC 6238). Also, add
support for a new UNBOUNDID-TOTP SASL mechanism, which can be used to perform
multifactor authentication (combining a TOTP code with a username and password)
to UnboundID Directory Server instances which support this mechanism, and a
validate TOTP password extended request that can be used to validate a TOTP
password without performing a bind on the connection.
-
Add a number of changes in support for soft delete and undelete functionality
in the UnboundID Directory Server. This includes a soft delete request control
(to request a soft delete operation) and a corresponding response control, a
hard delete request control (to request an entry be completely removed), an
undelete request control (to request that a soft-deleted entry be restored), and
a soft-deleted entry access request control (to request that search results
include soft-deleted entries). It also includes updates to access log parsing,
changelog entry parsing, and monitor entry parsing to expose information about
soft delete and undelete processing, and a new SoftDeletedEntry object that can
obtain information about a soft-deleted entry stored in the server.
Version 2.3.0
The following changes were made between the 2.2.0 and 2.3.0 releases:
-
Add a new DNSSrvRecordServerSet class, which is a ServerSet implementation that
can use DNS SRV records (as described in RFC 2782) to discover available
directory servers. This new implementation can consider defined priorities and
weights for SRV records so that some servers may be preferred over based on
information contained in the DNS server.
-
Add a new SASLUtils class that can be used to more easily work with command-line
tools that don't inherit from LDAPCommandLineTool but may still need to perform
SASL binds. It provides methods for getting access to supported SASL mechanisms
and the options that they support.
-
Add a new com.unboundid.ldap.sdk.experimental package with classes that may be
used to support certain features that may still be works in progress and have
the potential to change significantly (including in incompatible ways) in the
future. At present, this includes support for controls from
draft-behera-ldap-password-policy-10 and draft-zeilenga-ldap-noop-12.
-
Update the connection support for schema caching so that if multiple connections
reference equivalent schemas, then they will reference the same object rather
than separate equivalent objects. This can dramatically reduce memory
consumption if schema caching is enabled.
-
Fix a bug that could cause the output of ByteStringBuffer.toByteString to be
unstable and reflect subsequent changes in the content of the associated
ByteBuffer.
-
Update support for asynchronous operations so that it is possible for them to
respect a configured timeout. Previously, operation timeouts were ignored for
asynchronous operations.
-
Update the LDAP SDK persistence framework to add support for attributes with
options. It is now possible to use attribute names with options.
-
Update the LDAP SDK persistence framework to make it possible to specify
superior object classes in the @LDAPObject annotation type. If specified, these
object classes will be included in generated entries. The
generate-source-from-schema tool has been updated to populate this element if
appropriate.
-
Update the in-memory directory server to make it possible to alter the server
schema using LDAP modify operations. Only add and delete modifications will be
allowed for the attributeTypes, objectClasses, nameForms, dITContentRules,
dITStructureRules, and matchingRuleUse attributes. No modifications will be
allowed for the ldapSyntaxes and matchingRules attributes.
-
Update the in-memory directory server to make it possible to customize schema
enforcement. It is now possible to allow values which violate the associated
attribute syntax, and/or to allow entries which do not have exactly one
structural object class.
-
Update the in-memory directory server so that it is possible to indicate that
equality indexes should be maintained for specified attributes. If enabled, the
server may exhibit better performance for certain kinds of searches (those using
an equality component targeting an indexed attribute, including those which may
be included in AND or OR filters).
-
Update the in-memory directory server to make it possible to perform simple and
SASL PLAIN binds directly against the server itself without the need to
establish a connection to it.
-
Update the in-memory directory server to make a number of logging-related
improvements. A race condition which could cause incorrect entry counts to be
included in log messages has been fixed. Log messages now include timestamps.
Access and/or LDAP debug messages can now be written to standard output.
-
Update the in-memory directory server to make it possible to customize the
values included in the vendorName and vendorVersion attributes of the server
root DSE. This can help make it easier for the in-memory server to impersonate
another type of directory to fool applications which will only work with certain
types of servers and which use these attributes to make that determination.
-
Update the in-memory directory server so that the authorization identity
response control will always use the "dn:" form of the authorization identity,
even for PLAIN binds that initially used the "u:" form. Also, fix a bug in
which it would incorrectly return "dn:" instead of just "" for an anonymous
authorization identity.
-
Update connection pool health checking support to make it possible to more
quickly recognize server-initiated disconnects and unsolicited notifications for
connections operating in synchronous mode.
-
Update connection pool support for retrying failed operations to make it
possible to control the types of operations that should be retried. It was
previously only possible to configure it on an all-or-nothing basis.
-
Update the default standard schema (which will be used by the in-memory
directory server unless configured to do otherwise) so that it includes
information about supported syntaxes and matching rules. These ldapSyntaxes and
matchingRules values will be included in the schema exposed by the in-memory
directory server.
-
Update the LDIF reader to add static methods that make it easy to read entries
from an LDIF file and return them as a list. This is a convenient way to read
entries from small LDIF files (e.g., for use in unit tests).
-
Improve the efficiency of the Entry.diff method when using reversible form and
working with entries with attributes that have a large number of values.
-
Update the CommandLineTool class to provide an optional getToolVersion method
that may be used to retrieve the version string for the associated tool. If a
version string is made available, then a new "--version" argument may be
automatically added to the tool to cause it to display the version string.
-
Update the support for LDAP URLs to provide support for URLs with the "ldapi"
scheme. Note that the LDAP SDK does not directly support LDAPI (although it may
be possible to use with a third-party library that provides support for UNIX
domain sockets), but it can now parse LDAP URLs with a scheme of "ldapi".
-
Update value pattern implementations to make it possible to specify a seed to
use for the random number generator, which can provide for more reproducible
results. The searchrate, modrate, authrate, and search-adn-mod-rate tools have
been updated to add a --randomSeed argument that can be used to specify a random
seed if one is desired.
-
Update the validate-ldif tool to add support for working with gzip-compressed
LDIF files.
-
Update the LDAPException.toLDAPResult method so that it will use the exception
message as the diagnostic message for the resulting LDAPResult object if the
exception does not have a specific diagnostic message.
-
Update the ObjectPair class to provide hashCode, equals, and toString methods.
-
Update all uses of SocketFactory.createSocket methods are synchronized on the
associated socket factory. In some implementations (including those used by the
IBM JVM), unsynchronized calls to these methods may result in unexpected
exceptions or other strange behavior.
-
Update support for the GSSAPI SASL mechanism to provide the ability to operate
in IBM JVMs.
-
Add support for new start and end administrative session extended operations.
-
Update changelog entry support to reflect a number of changes, including
information about suppressed attributes and virtual attributes.
-
Update support for the get changelog batch extended operation to make it
possible to indicate that the set of changelog entries to retrieve should be
filtered based on target attributes, and to indicate whether changelog entries
should be pared based on access control and sensitive attribute constraints
(optionally using the identity of another target user).
-
Add support for the new audit data security task, which can be used to examine
all entries in a specified set of backends for potential security-related
issues.
-
Update the support for the enter and leave lockdown mode tasks to make it
possible to specify a reason that the server is being placed in or taken out of
lockdown mode.
-
Update monitor entry support for the new FIFO entry cache and per-application
processing time histogram monitor entries.
-
Update monitor entry support for the general monitor entry to add support for
the new thirdPartyExtensionDN attribute.
-
Update monitor entry support for the UnboundID work queue to add support for new
attributes regarding the use of a separate thread pool for administrative
operations.
-
Update monitor entry support for the replication server monitor entry to add
support for the new ssl-encryption-available attribute.
-
Update the summarize-access-log tool to add support for working with
gzip-compressed access log files.
-
Update access log parsing support to add support for a number of new log fields,
including the use of an administrative session worker thread, add and modify
attribute names, search entry attributes returned, and search request size
limit, time limit, typesOnly, and dereference policy values.
-
Improve documentation for UnboundID-proprietary controls and extended
operations, and provide examples for elements that were missing them.
Version 2.2.0
The following changes were made between the 2.1.0 and 2.2.0 releases:
-
Introduced a new way of packaging the LDAP SDK in a way that results in a
significantly smaller jar file. The Minimal Edition provides full support for
LDAP communication and LDIF parsing, but strips out a number of optional
features (e.g., SASL authentication, support for many controls and extended
operations, examples, the LDAP listener package and in-memory directory server,
the LDAP SDK persistence framework, migration support for JNDI and the Netscape
SDK, command-line argument parsing). The Minimal Edition is primarily intended
for use in space-constrained environments (e.g., Android applications) in which
the smallest possible jar file is desired.
-
Updated connection pool implementations to make it possible to configure the
pools to automatically retry operations if the first attempt fails in a manner
that indicates the connection may no longer be valid. In such cases, a new
connection will be created (which may be established to a different server if a
server set is used) and used to retry the failed operation.
-
Add the ability to make use of schema information when generating the normalized
representation of DNs and RDNs, and for more operations when interacting with
entries.
-
Updated the in-memory directory server to add support for referential integrity
for delete and modify DN operations. This can be used to remove or update
references to an entry if that entry is deleted or renamed.
-
Updated the in-memory directory server to add support for LDAP transactions as
described in RFC 5805. This can be used to add, delete, and/or modify multiple
entries as a single atomic unit.
-
Updated the in-memory directory server to add the ability to insert an arbitrary
delay before processing operations. This can be useful in simulating
environments with slower response times or higher network latencies.
-
Improved support for GSSAPI authentication to add a number of new options,
including: the ability to indicate whether a ticket cache should be used, the
ability to specify an alternate path to the ticket cache file, the ability to
require the use of cached credentials, and the ability to request that the TGT
be renewed. It is also easier to obtain GSSAPI debugging information.
-
Update the default standard schema to include a definition for the aci attribute
type, which is not standard but is supported by a number of directory servers
and may commonly appear in many data sets. Also, update the groupOfNames and
groupOfUniqueNames object classes to make it possible to have groups without any
members which is nonstandard but allowed by many servers. Finally, make it more
efficient to retrieve the default standard schema for subsequent calls.
-
Updated the LDAPConnectionOptions object to add an option that can be used to
send an abandon request to the server whenever a client-side response timeout
has occurred. Previously, the client would stop waiting for a response but
would not attempt to prevent the server from completing processing on the
operation.
-
Updated the LDIF reader to provide an option to read from multiple LDIF files.
If this option is used, then the contents of the files will be read in the order
they were provided (e.g., all the records will be read from the first file, then
all the records from the second file, etc.). That is, this provides a way to
treat multiple LDIF files as if they were a single file.
-
Introduced new methods to make it much easier to work with response controls.
Each response control class now includes one or more static get methods that can
be used to retrieve and decode the control from a response message.
-
Updated the LDAP SDK persistence framework so that the
generate-source-from-schema tool will now generate methods that can make it
easier to search for objects using arbitrary criteria. The persistence
framework previously only provided support for equality searches, but it is now
possible to perform more advanced types of searches, including presence,
substring, greater-or-equal, less-or-equal, and approximate matching.
-
Updated the LDAP SDK entry validator to make it possible to reject entries that
were missing superior object classes. This also fixed a bug in the in-memory
directory server that made it possible for clients to perform modify operations
to remove superior object classes from an entry.
-
Fixed a bug in the filter evaluation logic that caused it to return the wrong
result for greater-or-equal and less-or-equal filters.
-
Fixed a bug in the in-memory directory server that could cause some superior
object classes to appear twice in an entry if the superior class was specified
after its subordinate class when the entry was added.
-
Fixed a bug in the persistence framework that caused it to throw an exception
when trying to perform a modify an object that had not been altered. The code
has been updated so that it will now return null (as an alternative to the
LDAPResult that would be returned if a modification was actually attempted)
rather than throwing an exception.
-
Update the javadoc documentation for controls and extended operations to make
the OIDs used for those purposes more visible.
-
Fixed a bug in the command-line tool that may be used to interact with the
in-memory directory server that made it impossible to run the server with no
schema.
-
Updated the access log parsing code to add support for the new
intermediateResponsesReturned element that can appear in result messages for
operations in which one or more intermediate responses were returned.
-
Updated the LDIF import task to provide support for the new strip trailing
spaces option.
-
Added support for the new operation purpose request control, which may be
included in any kind of LDAP request to identify the reason for that operation.
The log parsing framework has also been updated to provide a mechanism for
accessing operation purpose information in server access log messages.
Version 2.1.0
The following changes were made between the 2.0.1 and 2.1.0 releases:
-
Added the ability to easily create a simple memory-based LDAP server that
supports a wide range of LDAP functionality (including a number of controls and
extended operations). It may be used as a server for testing or demonstrating
directory-enabled applications, and it provides a number of convenience methods
for interacting with and verifying the contents of that server.
-
Added a new LDAPTestUtils class that provides a number of convenience methods
that can be usd to help write test cases for directory-enabled applications and
make determinations about the content of an LDAP directory server.
-
Added a new LDAPConnection.processOperation method that can be used to process a
generic request without needing to know the type of operation that it
represents.
-
Added a new Schema.getDefaultStandardSchema method that can be used to obtain a
schema object populated with a number of standard attribute type and object
class definitions from various RFCs and IETF drafts.
-
Added a new GenericSASLBindRequest class that can be used to process any kind of
SASL bind request if the caller is capable of properly encoding and decoding
request and response credentials.
-
Added a new PasswordProvider API which can be used when performing simple bind
operations in order to minimize the length of time that the clear-text password
remains in memory. If a password provider is used rather than explicitly
including the password in the bind request, then the memory containing that
password will be overwritten as soon as the password is no longer needed. A
ReadFromFilePasswordProvider implementation of this API is also included in the
LDAP SDK, which makes it possible to obtain the password from a file whenever it
is needed.
-
Added support for the LDAP don't use copy request control as defined in RFC 6171
and can be used to request that only an authoritative directory server be used
to process the associated search or compare operation.
-
Added a new Entry.mergeEntries method that can be used to create a new entry
containing all of the attribute values present in at least one of the provided
entries, and a new Entry.intersectEntries method that can be used to create a
new entry containing only those attribute values present in all of the given
entries.
-
Fixed a bug in the LDAPPersister.modify method that prevented it from including
controls in the request sent to the directory server.
-
Fixed a bug that could prevent a configured ReferralConnector from being used.
In addition, it is now possible to use the LDAPConnectionOptions class to
configure a referral connector that will be used for all connections created
with those options rather than requiring each connection to be explicitly
assigned a custom referral connector if one was needed.
-
Updated the FixedRateBarrier class to use a much more efficient process for
dealing with low operation rates that can consume significantly less CPU.
Previously, it would always spin, but it will now try to sleep if there is a
long enough interval before the next operation can be processed.
-
Updated the FailoverServerSet class to provide an option to re-order the
internal list of servers so that if a failover does occur, any unavailable
servers are moved to the end of the list so that the server to which the
connection was successfully established is now at the top of the list and will
be the first server tried for subsequent attempts. The same behavior is
available for failing over between server sets rather than individual servers.
Note that the previous behavior of preserving the original order is still
available, and will continue to be used unless the server set is explicitly
configured to allow re-ordering the list.
-
Updated the LDIF reader to provide better handling for illegal trailing spaces.
Previously, such spaces would be simply included in the content being read,
which is always the wrong thing to do. Now, there is an option to either reject
entries and change records containing trailing spaces (which is the default) or
to silently strip them out.
-
Updated the AsyncRequestID class so that it implements the
java.util.concurrent.Future API. This can make it easier to wait for and
retrieve the response to asynchronous operations requested through the LDAP SDK.
-
Updated the LDAPConnection.processExtendedOperation methods so that they are
more likely to throw an exception in the event that the connection is no longer
valid. Because extended operation responses may often include result codes
other than "success" even when the operation completed successfully, and because
it is undesirable to throw an exception when the operation completed
successfully, the LDAP SDK is more likely to return an ExtendedResult object
even for an unsuccessful operation in cases where it would have thrown an
LDAPException for other types of operations. However, it was previously too
hesitant to throw an exception in cases where there clearly was a failure,
including when the associated connection was no longer valid, and this could
sometimes cause problems. The LDAP SDK will now throw an exception in cases
where the operation was clearly not successful, and particularly in cases where
the connection may no longer be valid.
-
Improved the behavior of many of the command-line tools that can be used to
issue repeated requests against a directory server (e.g., searchrate, modrate,
etc.) so that they exhibit better behavior in the event that the connection is
lost or becomes no longer usable. In some rare conditions, the previous
approach would attempt to re-establish connections which were no longer
authenticated, which could lead to failures or unexpected behavior in the
operations that had been attempted.
-
Updated the behavior of connections operating in asynchronous mode so that they
are less likely to encounter SO_TIMEOUT exceptions (or at least, will encounter
them with much less frequency) when connections remain idle for extended periods
of time. These exceptions are harmless and are handled entirely by the LDAP SDK
so that the underlying application does not need to deal with them, but having
them occur too frequently has been observed to cause unnecessarily high CPU
utilization in some client systems.
-
Updated support for the GSSAPI SASL bind request so that it is possible to
specify an alternate protocol for use in the Kerberos service principal. The
bind request previously always used a protocol of "ldap", and this is still the
default, but it is now possible to request that an alternate protocol be used in
the server's service principal.
-
Updated the ldap-debugger tool so that it can be used for some kinds of SASL
authentication. In addition, the format of the output that the tool generates
has been improved, particularly when dealing with binary data such as may be
present in control and extended operation values or SASL bind credentials. In
such cases, the hex representation of the binary data may be accompanied by a
text representation of any printable ASCII characters contained in that binary
data.
-
Added an LDIFWriter.flush method, which can be used to flush any buffered LDIF
content to disk or the underlying output stream without the need to close the
writer.
-
Updated the SSLUtil class to provide convenience methods for creating
SSLServerSocketFactory objects.
-
Updated the LDAPConnectionOptions class-level documentation to indicate that the
auto-reconnect option doesn't apply to connections that are part of a connection
pool. Connections in a connection pool will be closed and replaced rather than
attempting to re-establishing the existing connections.
-
Added a new UnboundIDChangeLogEntry class which provides access to a number of
attributes which are specific to changelog entries included in the UnboundID
Directory Server, including the full set of previous and resulting values for
attributes altered by the associated operation, as well as the values of other
specified key attributes from the target entry.
-
Updated the access log parsing code to add support for the serversAccessed and
replicationChangeID elements which may appear in result log messages.
Version 2.0.1
The following changes were made between the 2.0.0 and 2.0.1 releases:
-
Updated the persistence framework to support inheritance. If a class marked
with the @LDAPObject annotation type has a superclass which is also annotated,
then the annotated fields and methods of the superclass will be used in the
course of converting between entries and instances of the subclass.
-
Updated the ValuePattern class to provide support for back-references, in which
it is possible to have a generated substring repeated later in the generated
value. Also, fix a bug in its support for obtaining values from files that
could interfere with the ability to use Windows absolute paths containing a
drive letter.
-
Updated the formatter used to generate output for tools like searchrate,
modrate, and authrate so that they will use a string of "inf" for a numeric
value of infinity, and "NaN" for a numeric value of "not a number". Also,
fix a couple of potential conditions that could cause divide by zero
errors.
-
Updated the argument parsing support to add a new "argument list" argument type,
in which values may themselves be parsed as argument strings, validated with
their own argument parser. Also, updated string arguments to make it possible
to use a regular expression to restrict the set of values that may be used for
that argument.
-
Fixed a potential bug in the entry validator that could cause it to throw an
exception when attempting to parse an entry that does not have all of the
superior classes for the object classes it does include.
-
Updated the LDAP connection pool implementation so that it is possible to
request that zero connections be initially created, so that the first connection
will only be created when the first operation is attempted.
-
Added static Filter.encodeValue methods that may be used to properly escape a
value for use in the string representation of a search filter.
-
Updated the intermediate response API to add a valueToString method, which may
be used to obtain a human-readable representation of the intermediate response
value.
-
Improved the quality of debugging information so that it can be more useful in
cases in which there may be multiple connections active at the same time.
Messages about LDAP communication will include a connection ID and LDAP message
ID, and result messages will include the protocol op type.
-
Updated the LDAP SDK jar file manifest to include new attributes with
additional metadata about the LDAP SDK build, including the build time and
source repository path and revision number.
-
Added support for a new task which may be used to cause the server to reload the
set of defined encryption settings definitions.
-
Updated the support for parsing UnboundID server log files to handle timestamps
with millisecond accuracy, and to add support the new intermediate response
access log message type.
-
Updated the summarize-access-log example tool so that it can differentiate
between unindexed searches that were completed successfully and those that were
rejected by the server.
-
Updated the LDAP SDK monitor parsing capabilities to support the new index
monitor entry type. Also, update the version monitor entry type to provide
methods for accessing version information for several libraries used by the
server, and to update the replication summary monitor entry to support the
new term "replication backlog" rather than the old and potentially confusing
term "missing changes".
-
Added support for an exclude branch request control, which can be used to
request that entries at or below one or more base DNs be excluded from search
results.
Version 2.0.0
The following changes were made between the 1.1.6 and 2.0.0 releases:
-
Added a new persistence API which can be used to make it easy to represent LDAP
entries as Java objects, and vice-versa. Java annotation types may be used to
mark fields and methods within a class to provide information about the way that
instances of that object should be represented in LDAP entries.
-
Added a generate-source-from-schema tool that can be used to generate the source
code for a Java class based on information contained in a directory server
schema. The generated Java source will have all of the necessary annotations to
allow that object to be used in conjunction with the LDAP SDK persistence
framework.
-
Added a generate-schema-from-source tool that can be used to generate LDAP
schema from a Java class configured for use with the LDAP SDK persistence
framework. The generated schema may be added to a directory server to be able to
store objects of the specified type in the directory.
-
Added a new listener API which can be used to develop applications which accept
connections and manage communication with LDAP clients. It may be used to help
develop applications which support interaction with LDAP clients.
-
Added a new ldap-debugger tool which uses the listener API and other components
of the LDAP SDK to intercept communication from LDAP clients and write details
of the LDAP communication to standard output or a specified log file. The
received LDAP requests will then be forwarded on to a target directory server
and any responses returned will be decoded and written to the same location as
the decoded requests before the responses are returned to the client. This tool
acts as a simple LDAP proxy server that can be used to help better understand
exactly what communication occurs between an LDAP client and server.
-
Added new argument types, including a BooleanValueArgument (in which the
provided value must be either "true" or "false", which is more useful in some
cases than the BooleanArgument in which the Boolean value is inferred based on
whether the argument was provided), a DurationArgument (in which the value
contains both an integer portion and a time unit, like "50ms", to indicate a
length of time), and a ScopeArgument (in which the value should represent an LDAP
search scope).
-
Updated the LDAP command-line tool interface to make it possible to specify the
format to use for the Java key store and trust store files. The default
format will be JKS, but you can indicate that an alternate format (e.g., JCEKS
or PKCS12) if desired.
-
Updated the support for the LDAP assertion control to add a new generate
convenience method that can be used to easily generate an assertion request
control from some or all of the attributes in a provided entry. This can be
used when updating an entry to help ensure that it has not been altered by
something else since it was last read.
-
Updated the support for the FileArgument class in which allows you to specify
the base directory to use for relative paths. If no relative base path is
defined, then relative paths will be relative to the current working directory
(which has always been the case), but if a relative base path is defined, then
any relative paths will be relative to that base directory.
-
Fixed a bug that could cause problems when attempting to process operations which
return one or more intermediate response messages on a connection operating in
synchronous mode.
-
Updated the LDAP join control support to include the ability to use the reverse
DN join type which has recently been added to the UnboundID Directory Server.
-
Added support for Java-based and Groovy-scripted third-party tasks that will be
supported in an upcoming version of the UnboundID Directory Server.
-
Added support for get a server ID request control, get server ID response
control, and route to server request control, which may be used in an upcoming
version of the UnboundID Directory Server and/or Directory Proxy Server to
retrieve information about which server was used to process a request, and to
request that an operation be processed by a specific server.
-
Added support for a get changelog batch extended operation which will be
supported in an upcoming version of the UnboundID Directory Server in order to
retrieve a set of changes processed within the server.
Version 1.1.6
The following changes were made between the 1.1.5 and 1.1.6 releases:
-
Fixed an error in the documentation for the ContentSyncRequestControl that
indicated a response timeout of -1 should be used instead of the correct
recommendation of 0. A value of 0 indicates that no timeout should be used,
while -1 indicates that the connection-level timeout (5 minutes by default)
should be used.
-
Fixed the way that RDNs are created when decoding a DN from a string.
Previously, RDNs created in this way were treated in a way that could cause
extra spaces to be removed from their string representation. While the resulting
RDN was technically equivalent to the expected version, the user-provided string
representation should have been retained.
-
Updated the source code for the Android LDAP client to match the 1.1 version
published in the Android market.
Version 1.1.5
The following changes were made between the 1.1.4 and 1.1.5 releases:
-
Added support for the content synchronization operation as defined in RFC 4533,
including the various controls and the intermediate response needed to interact
with servers supporting this feature.
-
Fixed a couple of bugs in the way that SSL handshaking is performed to make it
more robust, particularly when used over higher-latency network links.
-
Fixed a bug that could prevent an unbind request from being sent to the server
when closing a connection that had previously been closed and re-established.
Version 1.1.4
The following changes were made between the 1.1.3 and 1.1.4 releases:
-
Fixed a bug in the way that the LDAP SDK performed SSL or StartTLS negotiation
when using synchronous mode. As a result of this bug, a race condition created a
condition in which the connection could be terminated with an error if any part
of the negotiation process took longer than 50 milliseconds.
-
Added a new search-and-mod-rate tool that can be used to perform searches as
quickly as possible while also modifying each entry returned from those
searches.
-
Added a new Launcher class that can be used to invoke the various command-line
utilities without needing to use the associated shell scripts. This is primarily
a convenience that makes it possible to use the tools when only the LDAP SDK jar
file is available. The tools can be invoked using a command like:
java -jar unboundid-ldapsdk.jar {tool-name} {tool-args}
-
Updated the ldapsearch tool to add the ability to perform the same search
multiple times using a specified interval. This can be useful, for example, to
repeatedly retrieve a server monitor entry at regular intervals.
-
Updated the ldapsearch tool to add a terse mode that can be used to minimize the
output that it generates to include only minimal content. It will exclude the
connect message, and entry and reference counts. Further, all such messages
written in non-terse mode will be prefixed with "#" characters so that the entire
output will be valid LDIF.
-
Updated the traditional and thread-local connection pool implementations to
provide the ability to define the minimum length of time that should pass between
connection closures because they have been established for longer than the
maximum connection age. This can help avoid cases in which a large number of
connections are closed and re-established in a short period of time.
-
Updated the LDAP SDK to provide a more useful exception in the event that the
connection is terminated as a result of an error encountered while trying to read
a response from the server.
-
Improved the searchrate, modrate, and authrate tools so that they are better able
to handle the case in which the connection to the server is lost or the server
becomes unavailable. The tools will attempt to re-establish the connections
when the server again becomes available.
-
Updated several parts of the LDAP SDK to reduce the amount of memory allocation
performed and the amount of garbage created during processing.
-
Added a missing space between the numeric value and name in the string
representation of a result code.
-
Added support for a new dump DB details task which can be used to cause the
UnboundID Directory Server to write a summary of the contents of the databases in
a JE backend.
-
Added support for a new administrative alert task which can be used to cause the
UnboundID Directory Server to generate an arbitrary administrative alert and/or
to alter the set of degraded and unavailable alert types.
-
Improved support for replication server monitor entries to provide the ability to
parse additional replication server content, including the last known status for
the server, the last successful connect time, the last failed attempt time, and
the number of failed connection attempts.
-
Updated the support for the UnboundID work queue monitor entry to include access
to the recent-average-queue-size and current-worker-thread-percent-busy
attributes.
Version 1.1.3
The following changes were made between the 1.1.2 and 1.1.3 releases:
-
Added support for LDAP transactions as defined in RFC 5805. This includes
support for the start and end transaction extended requests and results, the
transaction specification request control, and the aborted transaction
unsolicited notification.
-
Added a new LDAPConnection.getActiveOperationCount method, which can be used to
obtain the number of operations that have been started but not yet completed on
that connection. This will only be valid for connections that are established
and not operating in synchronous mode.
-
Added a new searchForEntry method to the LDAPInterface interface (and therefore
for individual connections and connection pools) that can be used to perform a
search expected to return a single entry in a manner that is more convenient
than other search methods.
-
Added a number of convenience methods that make it easier to manipulate the
content of an add request request like an entry.
-
Updated the schema parsing code to be more lenient when attempting to parse
definitions which violate the specification. In particular, it will now accept
OIDs surrounded in single quotes or OID lists not followed by spaces. Even
though these are not allowed according to the LDAP specification, Active
Directory generates schema elements exhibiting these problems. With these
changes, the LDAP SDK can now parse Active Directory schema elements.
-
Updated the CommandLineTool API to provide methods for getting access to the
output and error streams to allow for more complex use than simply printing
messages to the terminal.
-
Fixed a potential bug in the value normalization code which could cause a string
index out of range exception when attempting to normalize a value containing only
non-ASCII space characters.
-
Fixed a bug in the EntryValidator class that could cause it to throw a null
pointer exception when attempting to process an entry that does not have any
object classes.
-
Fixed a bug in which a debug message for an LDIF read is inadvertently written as
if it were an LDIF write.
-
Updated the searchrate tool so that it provides an asynchronous mode that can be
used to have multiple outstanding requests on a single connection. When
operating in this mode, it is necessary to use either the existing
"--ratePerSecond" or the new "--maxOutstandingRequest" argument to restrict the
number of concurrent outstanding requests. The total number of connections to
establish will still be controlled by the number of client threads.
-
Updated the source for the Android LDAP client to reflect the code used for the
1.0 release available in the Android Market.
-
Added a new example tool that uses the stream directory values extended operation
to dump a list of the DNs of all entries located at or below a specified base DN.
-
Updated the system info monitor entry to add support for the new userName,
jvmPID, systemProperty, and environmentVariable attributes.
-
Updated the join request control to support the new "contains" join rule, which
makes it possible to have a generated filter using a subAny substring filter
rather than an equality filter.
-
Updated the access log parsing code to add support for parsing forward
information contained in result messages, and for parsing client certificate log
messages.
Version 1.1.2
The following changes were made between the 1.1.1 and 1.1.2 releases:
-
Improved the behavior of the AttributeTypeDefinition class so that it can better
deal with attribute type definitions whose syntax element contains the optional
minimum upper bound component. The getSyntaxOID() method still returns the
complete syntax OID (including the minimum upper bound, if present), but a new
getBaseSyntaxOID() method has been added that can be used to obtain the syntax
OID without the minimum upper bound, and a getSyntaxMinimumUpperBound() method
has been added that can be used to obtain the minimum upper bound (or -1 if no
minimum upper bound is defined). In addition, the Schema.getAttributeSyntax
method has been updated so that it will ignore any minimum upper bound portion
that may be included in the provided OID.
-
Added a new Entry.diff method that makes it possible to indicate whether you
want the resulting modifications to be reversible. If the modifications should
be reversible (which was always the case in the past), then the resulting list
will contain only modifications with the ADD and DELETE modification types,
which could be played in reverse to recreate the source entry from the target
entry, but is more likely to fail if the entry has been altered in some way
since attempting to apply the modifications. If the modifications should not
be reversible, then they will all use the REPLACE modification type, which is
not reversible but more likely to succeed even if the entry has been altered.
-
Improved the way that the LDAP SDK generates string representations of DNs and
RDNs. When creating a DN from a set of RDNs (or from an RDN and parent DN), it
will now use the string representations of the provided RDNs (and optionally DN)
rather than reconstructing the entire string representation. This can help
preserve a user-supplied string representation if you do something like
"new DN(existingDN.getRDNs())", particularly if the existing DN had characters
that may be escaped but don't have to be. In addition, a new
toMinimallyEncodedString method has been added to both the DN and RDN classes
that will construct a string representation of the DN or RDN with a minimal set
of escaped characters (e.g., non-ASCII characters and non-printable ASCII
characters will not be escaped).
-
Fixed a bug in the LDIF reader in which it would refuse to decode an entry
containing only a DN but no attributes (e.g., like might be the case with a
search result entry where the requested attribute set contained only "1.1").
-
Fixed a bug in the way that LDAP URLs were generated for URLs containing the
subordinate subtree search scope. Previously, the string representation of
such URLs would have a scope of "subord" instead of the correct "subordinates"
as specified in draft-sermersheim-ldap-subordinate-scope. It will still accept
URLs containing "subord", but will no longer generate them.
-
Fixed a bug in the LDAPCommandLineTool class that prevented the
--bindPasswordFile argument from being used in conjunction with the --bindDN
argument. Due to an oversight, --bindPasswordFile could only be used when
performing SASL authentication when no bind DN was given.
-
Added support for a new extended schema info request control, which can be
included in a search request targeting the schema subentry to cause it to
return extended information (including elements like X-SCHEMA-FILE and
X-READ-ONLY) in the schema elements that are returned.
-
Updated the UnboundID work queue monitor entry to include support for the new
num-busy-worker-threads, average-operation-queue-time-millis, and
recent-operation-queue-time-millis attributes.
-
Updated the access log parsing code to provide the ability to access the new
qtime element if it is present.
-
Added support for the search task, which can be used to perform an internal
search in the UnboundID Directory Server and write the results to an LDIF file
on the server filesystem.
Version 1.1.1
The following changes were made between the 1.1.0 and 1.1.1 releases:
-
Updated the searchrate, modrate, and authrate tools to change the way that they
signal the processing threads to start. The previous approach could lead to
resource starvation causing the system to run with 100% CPU utilization for a
period of time.
-
Improved the accuracy of the searchrate, modrate, and authrate tools. The
overall rates were accurate, but the recent rates could be slightly off.
In addition, the recent and overall rates for the first interval often didn't
match up. These problems have been resolved.
-
Updated the searchrate and modrate tools to support the use of the proxied
authorization v2 control. The authorization ID may be specified as a value
pattern, which makes it possible to specify a range of alternate authorization
identities.
-
Added isClosed methods to the connection pool implementations which can be used
to determine whether the connection pool has been closed.
-
Updated the value pattern implementation to provide support for reading values
from files. Files should be referenced by URL, and it supports both local files
(using a URL like "file:///path/to/file") and remote files via HTTP (using a URL
like "http://server.example.com/path/to/file"), and that URL should be enclosed
in square brackets. For example, a value pattern of "[file:///tmp/filters.txt]"
will cause the individual lines of the file "/tmp/filters.txt" to be read and
randomly substituted for that portion of the value pattern.
-
Updated the searchrate, modrate, and authrate tools so that they provide the
ability to display information about the result codes for operations that don't
complete successfully. If any errors are encountered during processing, then
the result codes for those failures will be displayed along with the number of
times that result was returned. The "--suppressErrorResultCodes" argument may
be provided to disable this capability.
-
Improved the behavior exhibited by the LDAP SDK when interacting with a server
that is completely unresponsive (e.g., as in the case in which the network cable
has been removed, or the server process has been halted with a command like
pstop). This includes improved support for honoring any configured connect
timeout, even for SSL-based connections which did not previously support it.
Bind and extended requests can now have an explicit timeout assigned to them,
like was already possible for all other types of requests. When duplicating a
request, any assigned timeout is also duplicated along with the other details of
that request.
-
Improved the error message in the exception thrown if a client-side timeout
occurs. The updated message now includes the type of operation and the length
of time the client waited before considering the operation to have timed out.
-
Updated the RootDSE and Schema classes so that their constructors which take
Entry objects are made public, since they can be useful in code outside of the
LDAP SDK.
-
Made the SearchRequest.getSearchResultListener method public so that code
outside of the LDAP SDK can determine whether a search result listener has been
configured for the search.
-
Updated the message properties files to use better format strings for messages
containing numbers. Previously, large numbers could be formatted awkwardly
(e.g., including commas as grouping separators, like "12,345" instead of just
"12345").
-
Updated the LDAP SDK so that the thread-local ASN1Buffer object used for
connections is made static rather than per-instance. This can dramatically
reduce the amount of memory consumed for applications with large numbers of
connections that can be used by multiple threads.
-
Added methods that can be used to determine whether an attribute value needs to
be base64-encoded when represented in LDIF. Also, updated the
Attribute.toString methods so that values will be base64-encoded in that string
representation if they should be base64-encoded in LDIF.
-
Updated the LDAP SDK so that it allows working with ASN.1 elements whose values
are contained in a portion of a byte array rather than always requiring them to
be the full array. The sequence and set parsing code now takes advantage of
this, and elements decoded from them no longer require allocation of new arrays
for holding their values.
-
Improved support for client-side use of matching rules. All matching rule
classes now provide the ability to retrieve the name and OID of the equality,
ordering, and substring matching rules that they implement. The MatchingRule
class now provides the ability to select a matching rule instance from the OID
of the desired matching rule. The EntrySorter class has been updated so that if
a sort key contains a matching rule ID, then it will be used to select the
matching rule to use for the client-side sorting.
-
Updated the schema parsing code so that when reading schema definitions from
LDAP or LDIF, any leading and trailing spaces will be trimmed before attempting
to parse the elements. Technically, leading and trailing spaces are illegal
and should not be present in such definitions, but some servers are lenient and
allow them so the LDAP SDK should attempt to accommodate such definitions. It
will still never generate schema element definitions containing leading or
trailing spaces.
-
Updated the LDAP SDK so that any debug messages or string representations of
exception stack traces that it generates will include the revision number of the
source repository from which the LDAP SDK was built. This can help make it
easier to troubleshoot problems, since it is easier to identify the version of
the source used to generate the LDAP SDK build being used.
-
Fixed a bug that can cause problems for clients operating in the default
asynchronous mode if the server sends response messages broken up into small
pieces rather than all a once. In particular, if a response message contains
only the BER type, or only the BER type and a portion (but not all of) the
length, then the LDAP SDK may not be able to properly decode the full message if
there is a delay between the first and second packets with portions of the type
and length. If this problem occurs, then the client would terminate the
connection to the server.
-
Updated the access log parsing classes to add support for the FORWARD-FAILED
messages which may be logged by the UnboundID Directory Proxy Server.
-
Added support for the administrative operation request control that may be
included in client requests sent to the UnboundID Directory Server to indicate
that the associated operation is administrative in nature rather than part of a
normal client request.
-
Updated the monitor entry parsing code to provide support for the
num-operations-in-progress and num-persistent-searches-in-progress attributes
exposed in the active operations monitor entry.
Version 1.1.0
The following changes were made between the 1.0.0 and 1.1.0 releases:
-
A new license has been added to the UnboundID LDAP SDK for Java. In addition
to the previous GNU General Public License (GPLv2) and UnboundID LDAP SDK Free
Use License, the LDAP SDK is now available under the terms of the GNU Lesser
General Public License (LGPLv2.1). This is an OSI-approved open source license
which allows the SDK to be used in a very wide range of applications (including
proprietary and commercial applications).
-
The LDAP SDK is now available in a SourceForge project at
http://sourceforge.net/projects/ldap-sdk/.
This includes a subversion repository containing the source code, as well as a
new set of project mailing lists and a forum.
-
The LDAP SDK is now available for use with Maven. It is available at
http://ldap-sdk.sourceforge.net/maven/
with a groupId of "com.unboundid", an artifactId of "unboundid-ldapsdk", and a
version of "1.1.0". In the near future, it will also be included in the Central
Repository.
-
Updated the LDAPCommandLineTool class to provide support for handling connections
to multiple servers. If this capability is enabled, then it will allow multiple
occurrences of the "--hostname" and "--port" arguments to be provided. If
multiple addresses and ports are provided, then the same number of each must be
given, and a RoundRobinServerSet will be used when creating connections so that
each subsequent connection will be established to the next server in the list,
looping back to the beginning of the list when all servers have been used. The
searchrate, modrate, and authrate tools have been updated to take advantage of
this capability, so they may now be used to process operations concurrently
against multiple servers.
-
Updated the build process so that the manifest for the generated jar file
contains an appropriate set of attributes to make the LDAP SDK more suitable for
use in an OSGi environment. The added attributes include: Bundle-Name,
Bundle-Version, Bundle-Vendor, Bundle-Copyright, Bundle-ManifestVersion,
Bundle-RequiredExecutionEnvironment, Bundle-Category, Bundle-DocURL, and
Export-Package.
-
Updated the ResultCode.isConnectionUsable() method to be more conservative so
that it is more likely to return a false positive (i.e., the connection will be
considered unusable when it may still be usable) than a false negative (the
connection will be considered usable when it that is not the case). Also,
non-static versions of the isClientSideResultCode() and isConnectionUsable()
methods have been added for convenience.
-
Added finalize() methods for the connection pool implementations so that the
pool will be closed when it is reaped by the garbage collector if that was not
already done.
-
Added support to make it easier to migrate applications written to use the
Netscape Directory SDK for Java to the UnboundID LDAP SDK for Java. This
includes wrappers for a number of commonly-used classes in the Netscape API so
that in many cases it may be sufficient to simply change the import statements
of the application so that they reference
"com.unboundid.ldap.sdk.migrate.ldapjdk" instead of "netscape.ldap". This is
not a complete re-implementation of the Netscape API (e.g., it does not directly
support applications written to use asynchronous operations), but in the common
case it should help significantly reduce the code change required to migrate an
application from the Netscape API to the UnboundID LDAP SDK for Java.
-
Added support to make it easier to migrate applications written to use the Java
Naming and Directory Interface (JNDI) to the UnboundID LDAP SDK for Java, or to
allow applications which use functionality provided by both APIs concurrently.
A new JNDIConverter class has been added which provides support for converting
between corresponding JNDI and LDAP SDK implementations of common data
structures, including attributes, controls, extended requests and responses,
modifications, and search result entries.
-
Added a new "use schema" LDAP connection option which can be used to cause
operations on the connection to make use of schema information when reading
data from the directory server. In particular, the schema will be used to
select the appropriate matching rule for each attribute included in search
result entries. The Attribute class has been updated to provide new
constructors which take Schema objects that allow that schema to be used to
select the appropriate matching rule for that attribute.
-
Added a set of Attribute.nameIsValid methods which can be used to determine
whether a provided string is a valid attribute name.
-
Added additional Attribute.hasValue and Entry.hasAttributeValue methods which
allow an alternate matching rule to be provided which will be used when making
the determination rather than the matching rule with which that attribute type
is associated.
-
Added support for the case-ignore list equality and substring matching rules,
as used by the postal address syntax.
-
Updated the searchrate, modrate, and authrate tools to include new command-line
options. The "--timestampFormat" argument may be used to indicate whether
timestamps should be included in the output, and if so what format should be
used (either the time only or both the date and the time). The
"--warmUpIntervals" argument may be used to indicate that the tool should be
allowed to run for a specified number of intervals before beginning overall
statistics collection to allow the client and the server to warm up.
Version 1.0.0
The following changes were made between the 0.9.10 and 1.0.0 releases:
-
Updated the code used to read server responses so that it uses a result code of
"server down" rather than "protocol error" whenever an I/O error occurs while
reading the response.
-
Added support for the permissive modify control, which may be used to request
that the directory server accept modify requests which attempt to add an
attribute value that already exists in the target entry, or to remove an
attribute value which does not exist in the target entry.
-
Updated the code used to parse schema elements to be more lenient and
standards-compliant when handling optional spaces in definitions.
-
Added a new LDAPThreadLocalConnectionPool class, which is very similar to the
existing LDAPConnectionPool class, except that it uses a thread-local mechanism
to maintain a separate connection for each client thread that attempts to
communicate with the server. This can help eliminate some thread contention,
and can help avoid the need to define an explicit size for the pool, since it
will have as many connections as threads attempting to use the pool.
-
Added the ability to create a Schema object by reading schema definitions from
one or more LDIF files. It was previously only possible to read schema
information from a directory server over LDAP.
-
Updated the LDIF reader to provide the ability to reject entries containing
duplicate values for the same attribute. Previously, if an entry had multiple
occurrences of the same value for the same attribute, the LDIF reader would
simply silently ignore the duplicate values. This is still the default
behavior, but it is now possible to configure the LDIF reader to reject
entries with duplicate attribute values.
-
Updated the LDIF reader to provide the ability to use schema information when
reading entries and change records. This can be used to help better handle
treatment of different values which might have otherwise been considered
duplicates using the default case-ignore string matching rule (e.g., attributes
that should use case-exact matching and have values that differ only in
capitalization).
-
Updated the validate-ldif tool provided with the LDAP SDK so that it offers the
ability to use schema definitions read from files rather than over LDAP (so that
it can be used in a completely offline manner). It will also now reject entries
with duplicate attribute values by default, but provides an option to ignore such
errors.
-
Updated the EntryValidator class so that it properly handles entries with the
extensibleObject object class.
-
Fixed a bug that could prevent LDAP connection statistics from being updated for
asynchronous search operations.
-
Added convenience methods to the Attribute and Entry classes that may be used to
retrieve attribute values as DNs.
-
Added convenience methods to the DN and Entry classes which may be used to
determine whether a given DN or entry is within the range of a specified
search base and scope.
-
Added an example tool that may be used to analyze and summarize the contents of
one or more UnboundID Directory Server access logs. A number of useful items
are included, including information about the number, rate, and duration of
operations processed, the most common result codes returned, and the most common
types of filters used.
Version 0.9.10
The following changes were made between the 0.9.9 and 0.9.10 releases:
-
Updated the schema parsing code so that schema elements will be held in ordered
maps so that they can be accessed in the order they were returned by the server.
This can help ensure that order-based dependencies (e.g., an object class which
inherits from a superior class) may be properly maintained if they are returned
from the server in that order.
-
Fixed a bug in the schema parsing code that incorrectly selected a generalized
time matching rule when it should have chosen an integer matching rule. This
could cause the validate-ldif tool to incorrectly report syntax violations for
data using an integer syntax, along with other failures for code relying on this
capability in the LDAP SDK.
-
Updated the LDAP SDK to add an option to operate in synchronous mode. For
connections which do not need to invoke asynchronous operations and which will
not be used concurrently by multiple threads, then the application can use the
LDAPConnectionOptions.setUseSynchronousMode(true) method to enable synchronous
mode for the connection options before connecting to the directory server. When
in this mode, responses will be read by the same thread which sent the request,
rather than by a separate reader thread. This can significantly improve
performance when communicating with the server.
Other performance improvements have also been made in the LDAP SDK which may
benefit both the default asynchronous mode as well as the new synchronous
mode.
-
Fixed a bug that could cause intermittent failures with a "server down" result
in which the connection was terminated. The problem would be triggered if the
client could not read an entire LDAP message at once and there was a significant
delay of greater than 50 milliseconds when attempting to read additional data as
part of the message. This could cause the SDK to attempt to read the middle of
an LDAP message as if it were the beginning, which would cause a decoding
failure that would trigger the SDK to terminate the connection.
-
Fixed a bug in the ObjectClassDefinition class that caused it to ignore the
recursive argument. Previously, it would always recursively get all superior
classes even if the recursive argument was set to false.
-
Fixed a bug that prevented entries returned by automatically following a
referral from being included in the search result entry count.
-
Updated the LDAPSearch example tool to include an option for following referrals
encountered during processing.
Version 0.9.9
The following changes were made between the 0.9.8 and 0.9.9 releases:
-
Updated the javadoc documentation to make the EntrySource API (and in particular
the LDAPEntrySource class) more visible. References to LDAPEntrySource are now
present in the class-level documentation for the SearchRequest class and
SearchResultListener interface.
-
Created a new SearchResultReferenceEntrySourceException as a subclass of
EntrySourceException that will be thrown if a search result reference is returned
when using the LDAPEntrySource class. This makes it easier to access the
contents of any search result references returned through this API.
-
Added LDAPException.hasControl methods that mirror the LDAPResult.hasControl
methods and provide additional convenience when working with controls in results
for operations that returned with a non-successful result.
-
Placed a maximum size on the blocking queue used to hold search result entries
and references while waiting for them to be processed. This can help prevent
problems in which a client could be potentially overwhelmed or required to use a
lot of memory for a search that returns a large number of entries when a search
result listener is used and the client cannot process entries as quickly as they
are returned. If the queue becomes full, then the LDAP SDK will push back
against the directory server so that it will only be able to send entries as
fast as the client can consume them.
-
Added the ability to control automatic referral following at a per-request level.
By default, the LDAP SDK will still use the behavior defined at the connection
level, but it is now possible to override that on a per-request level if desired.
-
Added the ability to include a call stack trace in debug log messages.
-
Updated the LDAP connection pool implementation to ensure that the auto-reconnect
connection option is ignored for connections which are part of a connection pool.
In some cases, the use of this option for pooled connections could cause
connections to be re-established when the pool had attempted to close them.
-
Added the ability to assign user-friendly names to connections and connection
pools. This can be helpful in applications which maintain multiple connections
or connection pools for different purposes. The name of the connection or
connection pool can be queried via code and will also appear in the names of the
threads used to read responses from the directory server for those connections so
that they will be more visible in thread stack traces.
-
Fixed a bug in the LDIF writer that could cause an extra space to be added to the
beginning of the last line of a multi-line comment.
-
Updated LDAP connection pool implementations so that releasing a defunct
connection will not automatically cause a new connection to be created to replace
it if the pool already has the maximum number of available connections.
Previously, the connection pool could have created and then immediately closed
a connection in that scenario.
-
Added additional connection pool statistics that can be used to help distinguish
between differences in behavior when a connection was successfully checked out of
the pool. It is now possible to differentiate between cases in which an
existing connection was returned without any wait, an existing connection was
returned after waiting for it to become available, or a new connection was
created to return to the client. This can help make information available for
applications to understand whether their connection pools are sized
appropriately.
-
Updated the LDAP SDK to change the manner in which a connection is closed if it
is done by the Java finalizer (which would presumably only occur if a connection
was leaked by the application using it). If the connection is part of a
connection pool, then it will now simply be terminated rather than released back
to the pool as a defunct connection.
-
Made the LDAPRequest.getLastMessageID() method public. This was previously used
internally, but may be useful when trying to cancel a synchronous request from a
different thread.
-
Added the ability to control the send and receive buffer sizes for sockets used
when communicating with the directory server.
-
Updated the LDAP SDK to provide better information to clients in the event that a
connection is terminated because of an unrecoverable error encountered while
reading responses from the directory server. This information was previously
only available through the debugging framework, but the LDAP SDK will now attempt
to generate a response to provide to the client with information about the
failure so that it will be available when debugging isn't enabled.
-
Added a static Attribute.getBaseName(String) method that may be used to retrieve
the base name without any attribute options for a specified attribute
description.
-
Updated the format of LDAP SDK debug messages to make them more consistent and
easier to parse.
-
Added the ability to capture a thread stack trace at the time that an attempt is
made to establish a connection. This can be useful for debugging purposes,
especially for tracking down the source of a leaked connection.
-
Added the ability to update an Entry object with one or more modifications.
-
Fixed a bug that could prevent the LDAP SDK from correctly following referrals
for search operations.
-
Added support for the unsolicited cancel response control, which may be included
in responses the that UnboundID Directory Server sends for requests that are
canceled by the server for some reason other than being canceled by the client
(e.g., if the server is shutting down or the client connection is being
terminated and all outstanding operations for the client are being canceled).
-
Added support for the stream values extended request and intermediate response.
This request may be used to retrieve information about entry DNs or attribute
values for a specified set of entries in the server.
-
Added the ability to parse alert entries as included in the administrative alert
backend of the UnboundID Directory Server.
-
Updated the general monitor entry to add support for the degraded-alert-type,
unavailable-alert-type, instanceName, and startupID attributes.
-
Updated the active operations monitor entry to add support for the list of
active persistent searches.
-
Updated the processing time histogram monitor entry to add support for the
total count and average response time attributes.
-
Added support for the LDAP external server, replica, replication server, and
replication summary monitor entry types.
-
Updated the monitor entry API so that information from any types of Directory
Server monitor entries which are not explicitly supported by the LDAP SDK may
still be accessed using the generic API.
-
Added a new API which may be used for parsing access and error log messages as
generated by the UnboundID Directory Server.
-
Added support for the replication repair request control, which may be used to
process an add, delete, modify, or modify DN operation which will not be
replicated to any other server. This control is primarily intended for use in
manually repairing replication conflicts.
Version 0.9.8
The following changes were made between the 0.9.7 and 0.9.8 releases:
-
Fixed a bug that could prevent the LDAP SDK from returning a response to the
StartTLS extended request if the server certificate was not trusted.
-
Fixed a bug that could cause the connection pool implementation to leak a
connection when performing a background health check if that connection was
examined multiple times in the same health check sequence.
-
Fixed a bug in the LDAPConnectionPool.getRootDSE() method in which it could
inadvertently check out two connections when only one was required. Both
connections were properly returned to the pool, but holding the unnecessary
connection could create an artificial shortage of available connections.
-
Fixed a problem that caused the name of the background thread used by the
internal LDAPConnectionReader class to be set to "Connection reader for
LDAPConnection(not connected)" even when the connection was established. This
has been changed so that it will be "Connection reader for {host}:{port}" when
the connection is established, and "Connection reader for {host}:{port} (closed)"
when the connection has been closed.
-
Added a new com.unboundid.util.FixedRateBarrier class which can be used to help
try to perform operations no faster than a specified rate. The authrate,
modrate, and searchrate tools have been updated to include a new
"--ratePerSecond" argument that can be used to attempt to process
authentications, modifies, and searches at the specified rate.
-
Updated the CompareRequest class to make the setAssertionValue(ASN1OctetString)
method public, since it can be useful in code outside of the LDAP SDK itself.
-
Added an Attribute.getMatchingRule() method that can be used to get the matching
rule that will be used by default for matching operations involving that
attribute.
-
Added the ability to easily convert between Filter objects (which are normal
search filters) and MatchedValuesFilter objects (which are used in the matched
values request control). Not all search filters are valid matched values
filters, so an attempt to convert a search filter using an AND, OR, or NOT
component, or using an extensible match component with the "dnAttributes" flag
set will throw an exception.
-
Message strings used by the LDAP SDK have been updated so that they use single
quotes rather than double quotes. If the messages generated by the LDAP SDK
(especially those included in exceptions) are consumed by and embedded in
messages from another application, then single quotes are less likely to create
confusion or need escaping if anything tries to parse those messages.
-
Updated the output of the authrate, modrate, and searchrate tools so that a row
of dashes is displayed between the column headings and the data, which moderately
improves the appearance. This will not be used when CSV-formatted output is
requested.
Version 0.9.7
The following changes were made between the 0.9.6 and 0.9.7 releases:
-
Further improved the performance of the LDIFReader for entries containing
multi-valued attributes. The change introduced the 0.9.6 version was only
applicable for entries with an LDIF representation of at least 100 lines. The
new implementation works for entries of any size and can help dramatically
improve read performance for smaller static groups, whereas the previous change
only worked for large groups.
-
Added a new com.unboundid.ldap.sdk.CompactEntry class that provides much of the
same functionality of the Entry class but in a manner that requires much less
memory. This is particularly useful for cases in which it may be necessary to
store a large number of entries in memory. For one test involving typical user
entries, CompactEntry has been found to require only about 25% as much memory as
Entry. For another test involving static groups with 20 members each,
CompactEntry has been found to require only about 31% as much memory as Entry.
Note that some operations involving CompactEntry may not perform as well as with
the corresponding methods in the Entry class, so it is generally recommended that
CompactEntry only be used when it is necessary to store a large number of entries
in memory. Further, CompactEntry objects are read-only and the API does not
expose any way to directly alter their contents.
-
Fixed a potential null pointer exception that could arise as a result of a race
condition when closing a connection.
-
Made a minor change to the com.unboundid.ldif.LDIFChangeRecord class so that the
processChange method now takes an LDAPInterface argument rather than an
LDAPConnection. This change is completely backward compatible, since
LDAPConnection implements LDAPInterface, but the new version makes it more
convenient to use with connection pools.
-
Added source code for a simple application that allows the UnboundID LDAP SDK for
Java to be used to communicate with an LDAP directory server on Android mobile
devices. This application makes it possible to perform searches against an LDAP
directory server, and can parse user entries to make it possible to call or
e-mail a user found in the directory, show a map of their location, or add
information about that user to the device's local contacts. More information
about this application can be found at
http://directorymanager.wordpress.com/2009/03/24/using-ldap-on-android/,
including a video demonstrating its use.
Version 0.9.6
The following changes were made between the 0.9.5 and 0.9.6 releases:
-
Added support for the LDAP intermediate response protocol op type as described in
RFC 3771. Intermediate responses provide the ability for operations to return
multiple responses to a single request. A new
IntermediateResponseListener interface has been added, and clients can use the
LDAPRequest.setIntermediateResponseListener method to indicate that any
intermediate response messages returned in response to that request should be
made available via that interface. If no intermediate response listener is
defined for a request, then any intermediate response messages returned in
response to that request will be silently discarded (although a debug message
will be generated).
-
Fixed a problem in the LDIFReader class in which it did not properly propagate
the LDIFException that was thrown if the first line of an LDIF record started
with a space.
-
Fixed a potential problem in the searchrate and modrate tools in which the
auto-reconnect flag did not get properly set on the connections that they used.
Before this fix, if the connection to the server was lost for some reason, then
they would not make any attempt to re-establish the connection.
-
Added a new authrate tool as an example. It can be used to measure
authentication performance, where each authentication consists of a search to
retrieve a user entry followed by a bind to verify the password for that user.
It supports simple authentication, as well as the CRAM-MD5, DIGEST-MD5, and PLAIN
SASL mechanisms.
-
Updated the CommandLineTool API to make it possible to include example usages
for tools that will be included whenever the usage information is displayed.
This can make it easier to understand how a given tool might be used. The
example tools provided with the LDAP SDK have been updated to provide this
capability.
-
Updated LDAP connection pools to provide support for a maximum connection age.
If a maximum connection age is defined, then any connection which has been
established for a longer period than this will be closed and replaced with a new
connection.
-
Created a new LDAPConnectionStatistics class that can be used to provide
information about the processing performed by the LDAP SDK. The connection
statistics can be retrieved using the
LDAPConnection.getConnectionStatistics method, and they include information
about the number of times the connection has been established and closed, the
number of times each type of request message has been sent, the number of times
each type of response message has been received, and the total and average
response times for those operations. This feature was suggested by Philip
Peake.
-
Created a new LDAPConnectionPoolStatistics class that can be used to provide
information about the processing performed by the connection pool. The
connection pool statistics can be retrieved using the
LDAPConnectionPool.getConnectionPoolStatistics() method, and they include the
number of connections currently available in the pool, the maximum number of
connections that may be maintained in the pool, the number of successful and
failed attempts to create connections, the number of connections that have been
closed as defunct, expired, or unneeded, the number of successful and failed
attempts to retrieve a connection, and the number of valid connections released
back to the pool. This feature was suggested by Philip Peake.
-
Updated LDAP connection pools to provide support for connection health checking.
Health check implementations may be used to perform custom checks to determine
whether a connection is valid at any of the following times:
- Whenever a new connection is created for use in the pool
- Whenever a connection is checked out of the pool
- Whenever a connection is released back to the pool
- After an exception has been caught while processing an operation in the
pool
In addition, a background thread will be used to periodically invoke health
checks against all available connections. The ServerSet API has been updated to
provide the ability to make use of a health check in the course of creating new
connections. A health check implementation has been provided that can be used
to retrieve a specified entry from the directory server. The ability or
inability to retrieve the entry, as well as the time required to do so, can be
taken into consideration. This feature was suggested by Philip Peake.
-
Added a number of convenience methods to the DN and RDN class that make it easier
to interact with them using their string representations. For example, there are
now methods for determining if a string represents a valid DN or RDN, if two
strings represent the same DN or RDN, to determine whether there is a
hierarchical relationship between two strings representing DNs, and to compare
two DNs or RDNs based on their string representations. This feature was
suggested by Felix Gaehtgens.
-
Updated the LDIF reader to significantly improve performance when reading entries
containing attributes with a large number of values (e.g., large static groups).
In a single-threaded test case involving reading static group entries with 2000
members each, performance has been improved by over 360x (i.e., over 36,000%).
This problem was reported by Felix Gaehtgens.
Version 0.9.5
This was the initial public release of the UnboundID LDAP SDK for Java.