We fixed an issue that could cause request failures when closing a connection operating in asynchronous mode with outstanding operations.
We fixed an issue that could interfere with the ability to get a default SSLContext on Java 17 when running in FIPS 140-2-compliant mode.
We updated LDAPConnectionOptions to add support for a new system property that can enable certificate hostname verification by default without any code changes.
We updated the LDAP command-line tool framework to add a new --verifyCertificateHostnames argument to enable hostname verification when performing TLS negotiation.
We improved the class-level Javadoc documentation for the SSLUtil class to provide a better overview of TLS protocol versions, TLS cipher suites, key managers, trust managers, and certificate hostname verification, and to provide better examples that illustrate best practices for establishing secure connections.
We fixed an issue in the JNDI compatibility support for controls, as well as extended requests and responses. Even though the implementation was based on the JNDI documentation, it appears that at least OpenJDK implementations do not abide by that documentation. The LDAP SDK is now compatible with the observed behavior rather than the documentation, although a system property can be used to revert to the former behavior.
We updated the SearchRequest class to add constructors that allow you to provide the search base DN with a DN object (as an alternative to existing constructors that allow you to specify it as a String).
We fixed an issue in the command-line tool framework in which an Error (for example, OutOfMemoryError) could cause the tool to report a NullPointerException rather than information about the underlying error.
We fixed an issue in the IA5 argument value validator that could allow it to accept argument values with non-ASCII characters.
We fixed an issue in the DNS hostname argument value validator that could prevent it from properly validating the last component of a fully qualified domain name, or the only component of an unqualified name.
We updated the identify-references-to-missing-entries tool to provide an option to generate an LDIF file with changes that can be used to remove identified references.
We updated the SelfSignedCertificateGenerator class to perform better validation for the subject alternative DNS names that it includes in a certificate.
We updated the manage-certificates generate-self-signed-certificate command to rename the --replace-existing-certificate argument to be --use-existing-key-pair. The former argument name still works, but it is hidden from the usage.
We included a native-image/resource-config.json file in the LDAP SDK jar file manifest, which can be used by the GraalVM native-image tool to ensure that appropriate resource files are included in the resulting image.
Updates Specific to Use With the Ping Identity Directory Server
We updated the summarize-access-log tool to report on many more things, including the most common IP addresses for failed bind attempts, the most consecutive failed binds, information about work queue wait times, information about request and response controls, the number of components in search filters, and search filters that may indicate injection attempts.
We updated support for the audit data security administrative task to make it possible to specify the number and/or age of previous reports to retain.
We fixed issues that prevented specifying the criticality of the administrative operation and join request controls.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
We have just released version 6.0.6 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version:
General Updates
We fixed an issue that could cause request failures when closing a connection operating in asynchronous mode with outstanding operations.
We fixed an issue that could interfere with the ability to get a default
SSLContexton Java 17 when running in FIPS 140-2-compliant mode.We updated
LDAPConnectionOptionsto add support for a new system property that can enable certificate hostname verification by default without any code changes.We updated the LDAP command-line tool framework to add a new
--verifyCertificateHostnamesargument to enable hostname verification when performing TLS negotiation.We improved the class-level Javadoc documentation for the
SSLUtilclass to provide a better overview of TLS protocol versions, TLS cipher suites, key managers, trust managers, and certificate hostname verification, and to provide better examples that illustrate best practices for establishing secure connections.We fixed an issue in the JNDI compatibility support for controls, as well as extended requests and responses. Even though the implementation was based on the JNDI documentation, it appears that at least OpenJDK implementations do not abide by that documentation. The LDAP SDK is now compatible with the observed behavior rather than the documentation, although a system property can be used to revert to the former behavior.
We updated the
SearchRequestclass to add constructors that allow you to provide the search base DN with aDNobject (as an alternative to existing constructors that allow you to specify it as aString).We fixed an issue in the command-line tool framework in which an
Error(for example,OutOfMemoryError) could cause the tool to report aNullPointerExceptionrather than information about the underlying error.We fixed an issue in the IA5 argument value validator that could allow it to accept argument values with non-ASCII characters.
We fixed an issue in the DNS hostname argument value validator that could prevent it from properly validating the last component of a fully qualified domain name, or the only component of an unqualified name.
We updated the
identify-references-to-missing-entriestool to provide an option to generate an LDIF file with changes that can be used to remove identified references.We updated the
SelfSignedCertificateGeneratorclass to perform better validation for the subject alternative DNS names that it includes in a certificate.We updated the
manage-certificates generate-self-signed-certificatecommand to rename the--replace-existing-certificateargument to be--use-existing-key-pair. The former argument name still works, but it is hidden from the usage.We included a
native-image/resource-config.jsonfile in the LDAP SDK jar file manifest, which can be used by the GraalVMnative-imagetool to ensure that appropriate resource files are included in the resulting image.Updates Specific to Use With the Ping Identity Directory Server
We updated the
summarize-access-logtool to report on many more things, including the most common IP addresses for failed bind attempts, the most consecutive failed binds, information about work queue wait times, information about request and response controls, the number of components in search filters, and search filters that may indicate injection attempts.We updated support for the audit data security administrative task to make it possible to specify the number and/or age of previous reports to retain.
We fixed issues that prevented specifying the criticality of the administrative operation and join request controls.