ldap-sdk-announce — Announcements related to the LDAP SDK for Java

[ldap-sdk-announce] UnboundID LDAP SDK for Java 7.0.1

[Neil W. <nei...@pi...>]

We have just released version 7.0.1 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/7.0.1>.
You can find the release notes for this release (and all previous versions)
at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes:


   -

   We added a new MaximumIdleDurationLDAPConnectionPoolHealthCheck class
   that can be used to replace connections that have remained idle for longer
   than a specified length of time. We generally recommend setting a maximum
   connection age for the pool so that connections are automatically replaced
   after a given amount of time regardless of their activity, but the new
   health check can be used as an alternative if you want to keep active
   connections around as long as possible while also ensuring that idle
   connections are closed by the LDAP SDK before they might be closed by the
   LDAP server or by intermediate network equipment.



   -

   We updated the in-memory directory server to improve its concurrency
   when processing operations that don’t need to make changes to the data,
   including binds, searches, and compares.



   -

   We added new Filter.createSubstringAssertion methods that can be used to
   create properly encoded string representations of substring assertions.
   This can be particularly helpful when you want to create an extensible
   matching filter using a substring matching rule.



   -

   We updated the KeyStoreKeyManager and TrustStoreTrustManager classes to
   make it possible to use an alternative security provider when accessing the
   associated key or trust store. We’ve also made it possible to indicate
   whether the LDAP SDK should be allowed to access non-FIPS-compliant key
   stores when operating in FIPS 140-2-compliant mode.



   -

   We fixed an issue in which the parallel-update tool would use an
   in-memory buffer to hold information about information to write to the
   reject file, but it would not automatically flush that buffer when changes
   are rejected. In some cases, this could introduce a significant delay
   between the time that a change is rejected and the time that a record of it
   was written to the specified log file.



   -

   We fixed an issue with the manage-certificates tool that could prevent
   it from accessing the JVM’s default trust store in cases where the LDAP SDK
   is operating in FIPS 140-2-compliant mode and the tool is invoked
   programmatically (as opposed to running it from the command line).



   -

   We updated the command-line tool framework to make it possible for tools
   to expose arguments for generating a debug log file. All of the tools
   included with the LDAP SDK have been updated to provide this option, and
   you can use the --help-debug argument to see the applicable arguments.



   -

   We updated the debug logging framework to make it possible to write
   debug messages, which are formatted as JSON objects, using a multi-line
   representation rather than the default single-line representation. People
   looking at the log messages may find the multi-line format easier to read.



   -

   We added a new StaticUtils.setSystemPropertyIfNotAlreadyDefined method
   that can be used to set the value of a specified system property in the
   JVM, but only if it’s not already set (in which case its current value will
   be preserved).



   -

   We added client-side support for a new “verify password” extended
   request in the Ping Identity Directory Server that properly authorized
   clients (under a restricted set of circumstances) can use to determine
   whether a given password is valid for a specified user without performing
   any other password policy processing.



   -

   We updated the OID registry to include records for a number of collation
   matching rules supported in the Ping Identity Directory Server, ForgeRock
   OpenDJ, Oracle OUD, and other servers.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 7.0.0

[Neil W. <nei...@pi...>]

We have just released version 7.0.0 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/7.0.0>.
You can find the release notes for this release (and all previous versions)
at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes:


   -

   The LDAP SDK now requires Java 8 or later. Java 7 is no longer supported.



   -

   We improved the behavior of LDAP connection pools when they are
   configured to invoke a health check when checking out a connection from the
   pool. Previously, if a connection was found to be invalid during checkout,
   the LDAP SDK would create a new connection to replace it, but would
   continue iterating through other connections in the pool trying to find an
   existing valid connection. It will now return the newly created connection
   immediately without checking other existing connections, which can
   substantially reduce the time to check out a connection in a scenario where
   many connections have been invalidated (e.g., by a server shutdown).



   -

   We added a new compare-ldap-schemas command-line tool that can be used
   to identify differences between the schemas of two LDAP servers.



   -

   We improved the behavior that the LDAP SDK uses when authenticating with
   the GSSAPI SASL mechanism. Previously, if you didn’t explicitly provide a
   JAAS configuration file to use for the attempt, the LDAP SDK would create a
   new one for each bind attempt. This would create a lot of temporary files
   that would need to be cleaned up when the JVM exited, and they might not
   get cleaned up properly if they JVM exits abnormally (e.g., it’s killed or
   if the JVM crashes). It would also require a small amount of additional
   memory for each bind attempt, since it has to remember another file to be
   deleted. Now, the LDAP SDK will be able to reuse the same generated
   configuration file for all GSSAPI bind requests that use the same JAAS
   settings, which will slightly improve performance, reduce memory usage, and
   reduce disk space consumption.



   -

   We added experimental client-side support for the relax rules support as
   defined in draft-zeilenga-ldap-relax-03
   <https://docs.ldap.com/specs/draft-zeilenga-ldap-relax-03.txt>. This
   draft doesn’t specify an OID for the control, but at least a couple of
   servers (OpenLDAP and ForgeRock OpenDJ) have implemented support for the
   control with an OID of 1.3.6.1.4.1.4203.666.5.12, so the LDAP SDK uses that
   OID for the control.



   -

   We added client-side support for a number of proprietary controls used
   by the ForgeRock OpenDJ directory server. These include:
   -

      A transaction ID request control, which can be included in an
      operation request to provide a transaction ID that will appear in the
      access log message for that operation.
      -

      A replication repair request control, which can be included in a
      write request to indicate that the associated change should not be
      replicated.
      -

      Change sequence number request and response controls, which can be
      used with a write operation to obtain the replication CSN that the server
      assigned to that operation.
      -

      Affinity request control, which can be included in related requests
      sent through an LDAP proxy server to consistently route them to the same
      LDAP server instance.



   -

   We added connection pool health checks for use in conjunction with the
   Ping Identity Directory Server, including:
   -

      One that will attempt to determine whether there are any active
      alerts in the server that cause it to consider itself to be
either degraded
      or unavailable.
      -

      One that will assess the replication backlog and can consider a
      server unavailable if it has too many outstanding changes, or if
the oldest
      outstanding change was originally processed too long ago.
      -

      One that will attempt to determine whether the server is in lockdown
      mode.



   -

   We updated the CryptoHelper class to add convenience methods for
   generating SHA-256, SHA-384, and SHA-512 digests from byte arrays, strings,
   and files. There are also generic versions of these methods that can be
   used with user-specified digest algorithms.



   -

   We added methods for normalizing JSON values and JSON object filters.
   This can help make it possible to compare two JSON object filters to
   determine whether two JSON object filters are equivalent.



   -

   We updated the BouncyCastleFIPSHelper class to add a constant with the
   name of a system property that can be used to enable support for the MD5
   digest algorithm, which may be needed if you’re using the 1.0.2.4 or later
   version of the bc-fips jar file and need to use the MD5 message digest for
   some reason.



   -

   We updated the documentation to include new and updated versions of a
   number of LDAP-related Internet Drafts, including:
   -

      draft-ietf-kitten-scram-2fa-04
      <https://docs.ldap.com/specs/draft-ietf-kitten-scram-2fa-04.txt>
      -

      draft-melnikov-scram-bis-04
      <https://docs.ldap.com/specs/draft-melnikov-scram-bis-04.txt>
      -

      draft-melnikov-scram-sha-512-04
      <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-04.txt>
      -

      draft-melnikov-scram-sha3-512-04
      <https://docs.ldap.com/specs/draft-melnikov-scram-sha3-512-04.txt>
      -

      draft-coretta-oiddir-radit-00
      <https://docs.ldap.com/specs/draft-coretta-oiddir-radit-00.txt>
      -

      draft-coretta-oiddir-radsa-00
      <https://docs.ldap.com/specs/draft-coretta-oiddir-radsa-00.txt>
      -

      draft-coretta-oiddir-radua-00
      <https://docs.ldap.com/specs/draft-coretta-oiddir-radua-00.txt>
      -

      draft-coretta-oiddir-roadmap-00
      <https://docs.ldap.com/specs/draft-coretta-oiddir-roadmap-00.txt>
      -

      draft-coretta-oiddir-schema-01
      <https://docs.ldap.com/specs/draft-coretta-oiddir-schema-01.txt>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.11

[Neil W. <nei...@pi...>]

We have just released version 6.0.11 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/6.0.11>
.

Note that this is the last release of the LDAP SDK that will offer support
for Java 7. As of the next release (which is expected to have a version of
7.0.0), the LDAP SDK will only support Java 8 and later.

You can find the release notes for the 6.0.11 release (and all previous
versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but
here’s a summary of the changes:


   -

   We updated the ldapsearch and ldapmodify command-line tools to provide
   better validation for the --proxyAs argument, which includes the proxied
   authorization v2 request control in the requests that they issue.
   Previously, they would accept any string as the authorization ID value, but
   they will verify that it is a valid authorization ID using the form “dn:”
   followed by a valid DN or “u:” followed by a username.



   -

   We updated the Filter class so that the methods used to create substring
   filters are more user-friendly when the filter doesn’t contain all types of
   components. Previously, it expected a substring component to be null if
   that component wasn’t to be included in the request, and it would create an
   invalid filter if the component was provided as an empty string. It will
   now treat components provided as empty strings as if they had been null.



   -

   We updated the logic that the LDAP SDK uses to pare entries down to a
   specified set of attributes (including in the in-memory directory server
   and the ldifsearch command-line tool) to improve its behavior if it
   encounters an entry with a malformed attribute description (for example,
   one that contains characters that aren’t allowed). Previously, this would
   result in an internal error, but it will now make a best-attempt effort to
   handle the invalid name.



   -

   We updated the TimestampArgument class to allow it to accept timestamps
   in the ISO 8601 format described in RFC 3339 (e.g.,
   2023-11-30T01:02:03.456Z). Previously, it only accepted timestamps in the
   generalized time format (or a generalized time representation that didn’t
   include any time zone information, which was treated as the system’s local
   time zone).



   -

   We updated the JSONBuffer class to add an appendField method that can be
   used to append a generic field without knowing the value type. Previously,
   it only allowed you to append fields if you knew the type of the value.



   -

   We added new BinarySizeUnit and DecimalSizeUnit enums that can be used
   when dealing with a quantity of data, like the size of a file or the amount
   of information transferred over a network. Each of the enums supports a
   variety of units (bytes, kilobytes, megabytes, gigabytes, terabytes,
   petabytes, exabytes, zettabytes, and yottabytes), but the BinarySizeUnit
   variant assumes that each subsequent unit is 1024 times greater than the
   previous (e.g., one kilobyte is treated as 1024 bytes), while
   DecimalSizeUnit assumes that each subsequent unit is 1000 times greater
   than the previous (e.g., one kilobyte is treated as 1000 bytes).



   -

   We updated the client-side support for invoking the LDIF export
   administrative task in the Ping Identity Directory Server to include
   support for activating one or more post-LDIF-export task processors, which
   can be used to perform additional processing after the data is successfully
   exported.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] Dropping support for Java 7 after the upcoming 6.0.11 release

[Neil W. <nei...@pi...>]

Unless there is substantial pushback with really good reasoning behind it,
I intend to update the LDAP SDK to drop support for Java 7 after the next
release, which should be version 6.0.11 and will likely be released
sometime in December. The next release after that should be version 7.0.0
(which I suppose is an unfortunate coincidence), and it will support Java
versions 8 and higher.

Java 7 reached its end of support life (EOSL) last year, and it’s getting
harder to support newer Java versions while retaining support for Java 7.
Java 8 is currently slated to have its EOSL at the end of 2030, and there
are no plans to drop support for it in the LDAP SDK at any time in the near
future.


Neil Wilson

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.10

[Neil W. <nei...@pi...>]

We have just released version 6.0.10 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/6.0.9>.
You can find the release notes for the 6.0.10 release (and all previous
versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but
here’s a summary of the changes:


   -

   We added a new ReusableReferralConnector interface that makes it
   possible to create referral connectors that can be reused for following
   multiple referrals. We’ve added a new PooledReferralConnector
   implementation that uses connection pools for improved performance when
   following multiple referrals.



   -

   We fixed an issue in which the parallel-update tool could write
   malformed data to the reject log file when multiple write operations were
   rejected concurrently.



   -

   We added a PLAINBindRequest.encodeCredentials method that can be used to
   retrieve the encoded credentials for a SASL PLAIN bind request.



   -

   We added JSONNumber.getValueAsInteger and getValueAsLong methods that
   will return the value of a JSON number as an Integer or Long, but only
   if the conversion can be made losslessly. The methods will return null
   if the value is a floating-point number, or if the value is outside the
   supported range for the data type.



   -

   We added a StaticUtils.getBacktrace method that can be used to retrieve
   a compact, single-line string representation of a stack trace representing
   the code location from which the method was called.



   -

   We added support for a new Ping-proprietary “access log field” request
   control, which can be used to indicate that the server should include a
   specified set of name-value pairs in the access log message for the
   associated operation. We also updated the ldapsearch and ldapmodify
   tools to add a new --accessLogField argument to include this control in
   requests.



   -

   We added support for a new Ping-proprietary “generate access token”
   request control that can be included in a bind request to indicate that the
   server should include an access token in a corresponding response control
   included in the response to a successful bind operation. That access token
   can be used to authenticate to the Ping Identity Directory Server with the
   OAUTHBEARER SASL mechanism. This may be especially useful when initially
   authenticating to the Directory Server with a mechanism that relies on
   single-use credentials (e.g., UNBOUNDID-TOTP, UNBOUNDID-DELIVERED-OTP, or
   UNBOUNDID-YUBIKEY-OTP) because it allows you to establish multiple
   connections (e.g., using a connection pool or to replace connections that
   are no longer valid). We also updated the ldapsearch and ldapmodify
   tools to add a new --generateAccessToken argument to request that the
   server return an access token in the bind response.



   -

   We updated support for the ds-pwp-state-json virtual attribute to
   include the has-password-encoded-with-non-current-settings field, which
   may indicate whether the user has a password that is encoded with settings
   that are different from the current configuration for the associated
   password storage scheme, and the
   non-current-password-storage-scheme-settings-explanations field, which
   may explain the ways in which the password encoding differs from the
   current configuration.



   -

   We updated the documentation to include the latest versions of
   draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis, and
   draft-melnikov-scram-sha3-512 in the set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.9

[Neil W. <nei...@pi...>]

We have just released version 6.0.9 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/6.0.9>
.

As announced in the previous release, the LDAP SDK source code is now
maintained only at GitHub. The SourceForge repository is still available
for its discussion forum
<https://sourceforge.net/p/ldap-sdk/discussion/1001257/>, mailing lists
<https://sourceforge.net/p/ldap-sdk/mailman/>, and release downloads
<https://sourceforge.net/projects/ldap-sdk/files/>, but the source code is
no longer available there.

You can find the release notes for the 6.0.9 release (and all previous
versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but
here’s a summary of the changes:


   -

   We made it possible to customize the set of result codes that the LDAP
   SDK uses to determine whether a connection may no longer be usable.
   Previously, we used a hard-coded set of result codes, and that is still the
   default, but you can now override that using the
   ResultCode.setConnectionNotUsableResultCodes method.



   -

   We added a new HTTPProxySocketFactory class that can be used to
   establish LDAP and LDAPS connections through an HTTP proxy server.



   -

   We added a new SOCKSProxySocketFactory class that can be used to
   establish LDAP and LDAPS connections through a SOCKSv4 or SOCKSv5 proxy
   server.



   -

   We updated the ldap-diff tool to add a --byteForByte argument that can
   be used to indicate that it should use a byte-for-byte comparison when
   determining whether two attribute values are equivalent rather than using a
   schema-aware comparison (which may ignore insignificant differences in some
   cases, like differences in capitalization or extra spaces). Previously, the
   tool always used byte-for-byte matching, but we decided to make it a
   configurable option, and we determined that it is better to use
   schema-aware comparison by default.



   -

   We fixed an issue in which a non-default channel binding type was not
   preserved when duplicating a GSSAPI bind request. We also added a
   GSSAPIBindRequest.getChannelBindingType method to retrieve the selected
   channel binding type for a GSSAPI bind request.



   -

   We added a ResultCode.getStandardName method that can be used to
   retrieve the name for the result code in a form that is used to reference
   it in standards documents.  Note that this may not be available for result
   codes that are not defined in known specifications.



   -

   We added a mechanism for caching the derived secret keys used for
   passphrase-encrypted input and output streams so that it is no longer
   necessary to re-derive the same key each time it is used. This can
   dramatically improve performance when the same key is used multiple times.



   -

   We updated the StaticUtils.isLikelyDisplayableCharacter method to
   consider additional character types to be displayable, including modifier
   symbols, non-spacing marks, enclosing marks, and combining spacing marks.



   -

   We added a new StaticUtils.getCodePoints method that can be used to
   retrieve an array of the code points that comprise a given string.



   -

   We added a new StaticUtils.unicodeStringsAreEquivalent method that can
   be used to determine whether two strings represent an equivalent string of
   Unicode characters, even if they use different forms of Unicode
   normalization.



   -

   We added a new StaticUtils.utf8StringsAreEquivalent method that can be
   used to determine whether two byte arrays represent an equivalent UTF-8
   string of Unicode characters, even if they use different forms of Unicode
   normalization.



   -

   We added a new StaticUtils.isValidUTF8WithNonASCIICharacters method that
   can be used to determine whether a given byte array represents a valid
   UTF-8 string that contains at least one non-ASCII character.



   -

   We updated the client-side support for the collect-support-data
   administrative task to make it possible to specify the start and end times
   for the set of log messages to include in the support data archive.



   -

   We updated the documentation so that the latest versions of
   draft-melnikov-sasl2 and draft-melnikov-scram-sha-512 are included in the
   set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.8

[Neil W. <nei...@pi...>]

We have just released version 6.0.8 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://central.sonatype.com/artifact/com.unboundid/unboundid-ldapsdk/6.0.8>
.

Note that this is the last release for which the LDAP SDK source code will
be maintained in both the GitHub and SourceForge repositories. The LDAP SDK
was originally hosted in a subversion repository at SourceForge, but we
switched to GitHub as the primary repository a few years ago. We have been
relying on GitHub’s support for accessing git repositories via subversion
to synchronize changes to the legacy SourceForge repository, but that
support is being discontinued. The SourceForge project will continue to
remain available for the discussion forum
<https://sourceforge.net/p/ldap-sdk/discussion/1001257/>, mailing lists
<https://sourceforge.net/p/ldap-sdk/mailman/>, and release downloads
<https://sourceforge.net/projects/ldap-sdk/files/>, but up-to-date source
code will only be available on GitHub.

You can find the release notes for the 6.0.8 release (and all previous
versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but
here’s a summary of the changes:


   -

   We added a DN.getDNRelativeToBaseDN method that can be used to retrieve
   the portion of DN that is relative to a given base DN (that is, the portion
   of a DN with the base DN stripped off). For example, if you provide it with
   a DN of “uid=test.user,ou=People,dc=example,dc=com” and a base DN of “
   dc=example,dc=com”, then the method will return “uid=test.user,ou=People
   ”.



   -

   We added LDAPConnectionPool.getServerSet and
   LDAPThreadLocalConnectionPool.getServerSet methods that can be used to
   retrieve the server set that the connection pool uses to establish new
   connections for the pool.



   -

   We updated the Filter class to alternative methods with shorter names
   for constructing search filters from their individual components. For
   example, as an alternative to calling the Filter.createANDFilter method
   for constructing an AND search filter, you can now use Filter.and, and
   as an alternative to calling Filter.createEqualityFilter, you can now
   use Filter.equals. The older versions with longer method names will
   remain available for backward compatibility.



   -

   We added support for encrypted PKCS #8 private keys, which require a
   password to access the private key. The PKCS8PrivateKey class now
   provides methods for creating the encrypted PEM representation of the key,
   and the PKCS8PEMFileReader class now has the ability to read encrypted
   PEM files. We also updated the manage-certificates tool so that the
   export-private-key and import-certificate subcommands now support
   encrypted private keys.



   -

   We updated PassphraseEncryptedOutputStream to use a higher key factory
   iteration count by default. When using the strongest available 256-bit AES
   encryption, it now follows the latest OWASP recommendation of 600,000
   PBKDF2 iterations. You can still programmatically explicitly specify the
   iteration count when creating a new output stream if desired, and we have
   also added system properties that can override the default iteration count
   without any code change.



   -

   We added a PassphraseEncryptedOutputStream constructor that allows you
   to provide a PassphraseEncryptedStreamHeader when creating a new
   instance of the output stream. This will reuse the secret key that was
   already derived for the provided stream header (although with newly
   generated initialization vector), which can be significantly faster than
   deriving a new secret key from the same passphrase.



   -

   We added a new ObjectTrio utility class that can be useful in cases
   where you need to reference three typed objects as a single object (for
   example, if you want a method to be able to return three objects without
   needing to define a new class that encapsulates those objects). This
   complements the existing ObjectPair class that supports two typed
   objects.



   -

   We updated the documentation to include RFC 9371
   <https://docs.ldap.com/specs/rfc9371.txt> in the set of LDAP-related
   specifications. This RFC formalizes the process for requesting a private
   enterprise number (PEN) to use as the base object identifier (OID) for your
   own definitions (e.g., for use in defining custom attribute types or object
   classes). The OID-related documentation has also been updated to provide a
   link to the IANA site
   <https://www.iana.org/assignments/enterprise-numbers/> that you can use
   to request an official base OID for yourself or your organization.



   -

   We updated the documentation to include the latest revisions of
   draft-howard-gssapi-aead
   <https://docs.ldap.com/specs/draft-howard-gssapi-aead-01.txt>,
   draft-ietf-kitten-scram-2fa
   <https://docs.ldap.com/specs/draft-ietf-kitten-scram-2fa-02.txt>,
   draft-melnikov-scram-bis
   <https://docs.ldap.com/specs/draft-melnikov-scram-bis-02.txt>, and
   draft-reitzenstein-kitten-opaque
   <https://docs.ldap.com/specs/draft-reitzenstein-kitten-opaque-02.txt> in
   the set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.7

[Neil W. <nei...@pi...>]

We have just released version 6.0.7 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:


   -

   We fixed a bug in the SearchResultEntry.equals method that could prevent
   a SearchResultEntry from matching other types of Entry objects.



   -

   We fixed a bug in the Entry.applyModifications method that could cause
   it to fail with a NOT_ALLOWED_ON_RDN result if the provided entry was
   missing one or more of the attribute values used in its RDN.



   -

   We fixed a bug in the argument parser’s support for mutually dependent
   arguments with a set containing more than two arguments. Previously, the
   constraint would have been satisfied if at least two of the arguments were
   provided, rather than requiring all of them to be provided.



   -

   We added JSONObject methods for retrieving fields by name using
   case-insensitive matching (by default, JSON field names are treated in a
   case-sensitive manner). Because it is possible that a JSON object will have
   multiple fields with the same name when using case-insensitive matching,
   there are a few options for indicating how such conflicts should be
   handled, including only returning the first match, returning a map with all
   matching fields, or throwing an exception if there are multiple matches.



   -

   We updated the set of LDAP-related specifications to include the latest
   version of the draft-schmaus-kitten-sasl-ht proposal.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.6

[Neil W. <nei...@pi...>]

We have just released version 6.0.6 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:

General Updates:


   -

   We fixed an issue that could cause request failures when closing a
   connection operating in asynchronous mode with outstanding operations.



   -

   We fixed an issue that could interfere with the ability to get a default
   SSLContext on Java 17 when running in FIPS 140-2-compliant mode.



   -

   We updated LDAPConnectionOptions to add support for a new system
   property that can enable certificate hostname verification by default
   without any code changes.



   -

   We updated the LDAP command-line tool framework to add a new
   --verifyCertificateHostnames argument to enable hostname verification
   when performing TLS negotiation.



   -

   We improved the class-level Javadoc documentation for the SSLUtil class
   to provide a better overview of TLS protocol versions, TLS cipher suites,
   key managers, trust managers, and certificate hostname verification, and to
   provide better examples that illustrate best practices for establishing
   secure connections.



   -

   We fixed an issue in the JNDI compatibility support for controls, as
   well as extended requests and responses. Even though the implementation was
   based on the JNDI documentation, it appears that at least OpenJDK
   implementations do not abide by that documentation. The LDAP SDK is now
   compatible with the observed behavior rather than the documentation,
   although a system property can be used to revert to the former behavior.



   -

   We updated the SearchRequest class to add constructors that allow you to
   provide the search base DN with a DN object (as an alternative to
   existing constructors that allow you to specify it as a String).



   -

   We fixed an issue in the command-line tool framework in which an Error
   (for example, OutOfMemoryError) could cause the tool to report a
   NullPointerException rather than information about the underlying error.



   -

   We fixed an issue in the IA5 argument value validator that could allow
   it to accept argument values with non-ASCII characters.



   -

   We fixed an issue in the DNS hostname argument value validator that
   could prevent it from properly validating the last component of a fully
   qualified domain name, or the only component of an unqualified name.



   -

   We updated the identify-references-to-missing-entries tool to provide an
   option to generate an LDIF file with changes that can be used to remove
   identified references.



   -

   We updated the SelfSignedCertificateGenerator class to perform better
   validation for the subject alternative DNS names that it includes in a
   certificate.



   -

   We updated the manage-certificates generate-self-signed-certificate
   command to rename the --replace-existing-certificate argument to be
   --use-existing-key-pair. The former argument name still works, but it is
   hidden from the usage.



   -

   We included a native-image/resource-config.json file in the LDAP SDK jar
   file manifest, which can be used by the GraalVM native-image tool to
   ensure that appropriate resource files are included in the resulting image.


Updates Specific to Use With the Ping Identity Directory Server:


   -

   We updated the summarize-access-log tool to report on many more things,
   including the most common IP addresses for failed bind attempts, the most
   consecutive failed binds, information about work queue wait times,
   information about request and response controls, the number of components
   in search filters, and search filters that may indicate injection attempts.



   -

   We updated support for the audit data security administrative task to
   make it possible to specify the number and/or age of previous reports to
   retain.



   -

   We fixed issues that prevented specifying the criticality of the
   administrative operation and join request controls.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.5

[Neil W. <nei...@pi...>]

We have just released version 6.0.5 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:

General Updates:


   -

   We fixed an issue that could occasionally cause the LDAP SDK to hide the
   actual cause of a StartTLS failure by using information from a second, less
   useful exception.



   -

   We fixed an issue that could cause the ldifsearch tool to display a
   malformed message when the first unnamed trailing argument was expected to
   be a search filter but could not be parsed as a valid filter.



   -

   We improved support for validating and comparing values using the
   telephone number syntax. Previously, we used a loose interpretation of the
   specification, which would consider any printable string (including strings
   without any digits) to be valid, and would only ignore spaces and hyphens
   when comparing values. You can now configure varying levels of strictness
   (either programmatically or using system properties), including requiring
   at least one digit or strict conformance to the X.520 specification. You
   can also configure it to ignore all non-digit characters when comparing
   values, and this is now the default behavior.



   -

   We fixed a bug in which the ldapcompare tool did not properly close its
   output file if one was configured. The output file does get automatically
   closed when the tool exits so it’s not an issue when running ldapcompare
   from the command line, but this can cause problems if the tool is invoked
   programmatically from another application.



   -

   We fixed an issue with the tool properties file created using the
   --generatePropertiesFile argument in command-line tools that support it.
   The generated properties file did not properly escape backslash, carriage
   return, line feed, or form feed characters.


Updates Specific to Use With the Ping Identity Directory Server:


   -

   We added support for encoding controls to JSON objects, and for decoding
   JSON objects as controls. There is a generic JSON representation that will
   work for any type of control (in which the value is provided as the
   base64-encoded representation of the raw value used in the LDAP
   representation of the control), but most controls provided as part of the
   LDAP SDK also support a more user-friendly representation in which the
   components of the value are represented in a nested JSON object.



   -

   We added client-side support for a new JSON-formatted request control
   that can be used to send request controls to a Ping Identity Directory
   Server with the controls encoded as JSON objects rather than a raw LDAP
   representation. We also added support for a JSON-formatted response control
   that can be used to receive JSON-encoded response controls from the server.



   -

   We updated the ldapsearch and ldapmodify command-line tools to add a
   --useJSONFormattedRequestControls argument that will cause any request
   controls to be sent using a JSON-formatted request control, and it will
   cause any response controls returned by the server to be embedded in a
   JSON-formatted response control.



   -

   We fixed an issue with the way that the parallel-update tool created
   assured replication request controls when an explicit local or remote
   assurance level was specified. Previously, it would only specify a minimum
   assurance level without specifying a maximum level, which could cause the
   server to use a higher assurance level than requested by the client.



   -

   We updated the topology registry trust manager to allow trusting a
   certificate chain if either the peer certificate or any of its issuers is
   found in the server’s topology registry. Previously, it would only trust a
   certificate chain if the peer certificate itself was found in the topology
   registry, and having an issuer certificate was not sufficient. The former
   behavior is still available with a configuration option.



   -

   We updated the topology registry trust manager to make it possible to
   ignore the certificate validity window for peer and issuer certificates.
   The validity window is still respected by default, but if the trust manager
   is configured to ignore it, then a certificate chain may be trusted even if
   the peer or an issuer certificate is expired or not yet valid.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.4

[Neil W. <nei...@pi...>]

We have just released version 6.0.4 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:

General Updates:


   -

   We fixed an issue with the Filter.matchesEntry method that could cause
   it to throw an exception rather than returning an appropriate Boolean
   result when evaluating an AND or an OR filter in which one of the nested
   elements used inappropriate matching (for example, if the assertion value
   did not conform to the syntax for the associated attribute type).



   -

   We fixed an issue with the way that decodeable controls are registered
   with the LDAP SDK. Under some circumstances, a thread could become blocked
   while attempting to create a new control.



   -

   We updated the JVM-default trust manager to properly check for the
   existence of a “jssecacerts” trust store file in accordance with the
   JSSE specification. It had previously only looked for a file named “
   cacerts”.



   -

   We updated the logic used to select the default set of supported cipher
   suites so that it will no longer exclude suites with names starting with
   “SSL_” by default on JVMs with a vendor string that includes “IBM”. IBM
   JVMs appear to use the “SSL_” prefix for some or all cipher suites,
   including those that are not associated with TLS protocols rather than a
   legacy SSL protocol. We also added a
   TLSCipherSuiteSelector.setAllowSSLPrefixedSuites method that can be used
   to override the default behavior.



   -

   We updated the LDIF reader to support reading modifications with
   attribute values read from a file referenced by URL. This was previously
   supported when reading LDIF entries or add change records, but it had been
   overlooked for LDIF modify change records.



   -

   We updated the LDIF reader so that it no longer generates comments
   attempting to clarify the contents of base64-encoded values if the value is
   longer than 1,000 bytes.



   -

   We updated the documentation to include the latest versions of the
   draft-behera-ldap-password-policy, draft-coretta-x660-ldap, and
   draft-ietf-kitten-scram-2fa specifications.



Updates Specific to Use With the Ping Identity Directory Server:


   -

   We added a new API for parsing access log messages generated by the
   server. The new API supports both text-formatted and JSON-formatted log
   messages, whereas the previous version only supported messages in the
   default text (“name=value”) format.



   -

   We updated the summarize-access-log tool (which can be used to perform
   basic analysis of server access log files) to add support for
   JSON-formatted log files.



   -

   We added support for retrieving and parsing X.509 certificate monitor
   entries.



   -

   We added client-side support for an administrative task that can cause
   the server to immediately refresh any cached certificate monitor data. The
   server will automatically refresh the cache every minute, but the task can
   be used to cause an immediate refresh.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.3

[Neil W. <nei...@pi...>]

We have just released version 6.0.3 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:

General Updates:


   -

   We fixed an issue with the round-robin server set that could cause it to
   select some servers with a higher frequency than others in the event that
   one or more of the servers become unavailable.



   -

   We fixed a potential race condition that could leave a background Timer
   thread running if a connection was closed while waiting for a response to a
   request issued via the asynchronous API.



   -

   We fixed an issue in which the in-memory directory server could
   incorrectly include a matched DN in certain bind response messages.



   -

   We improved support for SSL/TLS debugging for SSLUtil operations when
   used in conjunction with the javax.net.debug system property.



   -

   We added methods to the JSONLDAPResultWriter class that can be used to
   encode entries, search result references, and LDAP results to JSON objects.



   -

   We added a CryptoHelper.inferKeyStoreType method that attempts to
   determine the key store type for a specified file that is expected to
   represent a JKS, PKCS #12, or BCFKS key store.



   -

   We added StaticUtils convenience methods for generating random bytes,
   integers, and strings, optionally using cryptographically secure random
   number generators.



   -

   We updated the documentation to add draft-melnikov-scram-bis
   <https://docs.ldap.com/specs/draft-melnikov-scram-bis-00.txt> and to
   update draft-melnikov-scram-sha-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-02.txt> and
   draft-melnikov-scram-sha3-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha3-512-02.txt> in
   the set of LDAP-related specifications.



Updates Specific to Use With the Ping Identity Directory Server:


   -

   We fixed an issue that could cause the manage-account tool to fail if it
   receives a response with an unrecognized password policy state operation
   type. This is most likely to occur when the tool is communicating with a
   version of the Ping Identity Directory Server that does not correspond to
   the version of the manage-account tool.



   -

   We added client-side support for new extended operations that can allow
   for remote management of certificates in Ping Identity Directory Server
   instances.



   -

   We updated the AuthenticationFailureReason class to add additional
   failure reason values related to pass-through authentication.



   -

   We updated the TaskManager class to add methods for using LDAPInterface
   objects (including connection pools or Server SDK internal connections) as
   an alternative to LDAPConnection objects when interacting with
   administrative tasks.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.2

[Neil W. <nei...@pi...>]

We have just released version 6.0.2 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:


   -

   We fixed an issue in the JVM-default trust manager that could prevent it
   from properly trusting a certificate chain that should be considered valid
   through a cross-signed relationship, which may include certificates signed
   by the Let’s Encrypt service in some cases. Although the trust manager
   provided support for cross-signed certificates, that support would
   previously only be used if one or more of the certificates in the presented
   chain were outside of their current validity window.



   -

   We added the ability to use the tls-server-end-point channel binding
   type when authenticating with the GSSAPI SASL mechanism. This feature
   depends on the underlying JVM providing support for this channel binding
   type and will likely require Java 13 or later.



   -

   We fixed an issue in the in-memory directory server that could prevent
   it from returning search result references for smart referral entries
   within the scope of the search. It would previously only return references
   for smart referral entries that matched the search filter, but will now
   return references for any smart referral entry within the scope.



   -

   We updated the LDAP command-line tool framework to add a --defaultTrust
   argument that can be used to indicate that the tool should use a default
   set of non-interactive logic for determining whether to trust a presented
   certificate chain. This includes at least the JVM’s default trust store,
   but in tools that are part of a Ping Identity server installation, it may
   also include the server’s default trust store and the topology registry.
   This is the same logic that tools would previously use when invoked without
   any trust-related arguments, with the exception that it will not
   interactively prompt about whether to trust the presented chain if it
   cannot be trusted through any of the default mechanisms. As such, it is
   more suitable for use in scripts that are intended to run in
   non-interactive settings.



   -

   We updated the documentation to include the latest revision of
   draft-ietf-kitten-password-storage
   <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-07.txt>
   in the set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.1

[Neil W. <nei...@pi...>]

We have just released version 6.0.1 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
You can find the release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a
summary of the changes included in this version:


   -

   We added a new ldap-diff command-line tool that can be used to compare
   the contents of two LDAPv3 servers. Any differences identified will be
   written to a specified file as LDIF change records that may be used to
   update the source server to match the target server. The tool attempts to
   minimize the memory required to perform the comparison, and it can use
   multiple passes to avoid potential false positives that result from delays
   in replication or changes made while the tool is running.



   -

   We updated the ldifsearch tool to provide support for presenting the
   results in alternative output formats. It now supports the same formats as
   ldapsearch, including LDIF, JSON, CSV (single-valued and multi-valued),
   tab-delimited text (single-valued and multi-valued), DNs only, and values
   only.



   -

   We updated the LDIF reader to make it possible to customize the size
   limit that it imposes for values read from a file referenced by URL. This
   limit is a safety feature that prevents consuming too much memory when
   encountering a reference to a very large file, but the size limit was
   previously hard-coded to be 10 megabytes. That is still the default, but
   it’s now possible to use the
   com.unboundid.ldif.LDIFReader.maxURLFileSizeBytes system property to set
   an alternative limit.



   -

   We augmented the LDAP SDK’s debugging support to make it possible to
   automatically have debug messages written to a file specified by the
   com.unboundid.ldap.sdk.debug.file system property. This is intended to
   be used in conjunction with other debugging-related system properties to
   enable support for debugging in existing applications without the need for
   a code change.



   -

   We lowered the debug level for exception messages that may be logged as
   a result of a SocketTimeoutException that is caught internally in the
   course of trying to determine whether a connection in a connection pool is
   still valid. This is a completely normal condition that was previously
   inadvertently logged at a WARNING level. This could potentially mislead
   people into thinking that it’s a problem, or at the very least make it
   harder to find debug messages that are actually important. It is now logged
   at the FINEST level, so it will only be visible at the highest level of
   verbosity.



   -

   We updated support for the Ping Identity Directory Server’s matching
   entry count control to make it possible to request extended response data,
   including whether the search is fully indexed, whether identified candidate
   entries are known to be included in the scope of the search, and any
   remaining portion of the filter that was not used in the course of building
   the set of candidate entries.



   -

   We updated support for the Ping Identity Directory Server’s generate
   profile administrative task to clarify that all included paths must be
   relative rather than absolute. Those paths will be treated as relative to
   the server root, and relative paths that reference portions of the
   filesystem outside the server root will not be allowed.



   -

   We updated the documentation to include the latest revision of
   draft-coretta-x660-ldap
   <https://docs.ldap.com/specs/draft-coretta-x660-ldap-07.txt> in the set
   of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 6.0.0

[Neil W. <nei...@pi...>]

We have just released version 6.0.0 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>
.

One of the biggest changes that we’ve made in this release is that we’ve
deprecated support for the TLSv1 and TLSv1.1 protocol versions in
accordance with RFC 8996 <https://www.ietf.org/rfc/rfc8996.txt>. By
default, the LDAP SDK will prefer using TLSv1.3, but it can fall back to
using TLSv1.2 if the newer protocol is not supported by the client JVM or
by the directory server. The older TLSv1 and TLSv1.1 protocol versions can
still be enabled if necessary (either programmatically or by setting system
properties), but given that they are no longer considered secure, and given
that TLSv1.2 became an official standard over twelve years ago, the far
better option would be to use a directory server release from sometime in
the last decade.

We have also updated the set of TLS cipher suites that the LDAP SDK will
use by default. The default set of enabled cipher suites no longer includes
those that rely on the SHA-1 message digest algorithm (which is no longer
considered secure) or those that rely on RSA key exchange (which doesn’t
support forward secrecy and could allow an observer to decrypt the
communication if the server certificate’s private key becomes compromised;
note that deprecating RSA key exchange doesn’t affect the ability to
interact with servers that use certificates with RSA key pairs). If
necessary, you can override the set of cipher suites that the LDAP SDK uses
by default, either programmatically or with system properties.

You can find complete release notes at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html. Other notable
changes in this release include:


   -

   We fixed an issue that could cause the LDAP SDK to use the set of TLS
   cipher suites enabled in the JVM by default rather than a recommended set
   identified by the LDAP SDK itself. This could potentially result in using
   weaker encryption for secure connections.



   -

   We updated the logic that the LDAP SDK uses when deciding which
   characters to escape when generating the string representation of a DN or
   RDN. Previously, it would always escape all non-ASCII characters. Now, the
   LDAP SDK will no longer escape non-ASCII characters that it believes are
   displayable (including the Unicode letter, number, punctuation, and symbol
   character types). If desired, you can override this behavior either
   programmatically or with a system property.



   -

   We updated the logic that the LDAP SDK uses when deciding which data
   should be base64-encoded when generating the LDIF representation of an
   entry. Previously, it would not always base64-encode data with ASCII
   control characters (other than NUL, LF, and CR, which must always be
   base64-encoded). Now, it will always base64-encode values with ASCII
   control characters by default. It can also be configured to optionally not
   base64-encode values with non-ASCII characters (which technically violates
   the LDIF specification but may be useful when displaying to an end user).
   You can override the LDAP SDK’s base64-encoding strategy either
   programmatically or with a system property.



   -

   We updated the LDIF reader to make it possible to disable support for
   parsing LDAP controls. By default, the LDAP SDK supports LDIF change
   records that include LDAP controls as described in RFC 2849
   <https://docs.ldap.com/specs/rfc2849.txt>. However, this can cause a
   problem in a rare corner case if a record represents an entry rather than a
   change record and the first attribute in the LDIF representation of that
   entry is named “control”. If you attempt to read that record as a
   generic LDIF record or as a change record with defaultAdd set to true
   (rather than reading it specifically as an entry), then the LDIF reader
   will attempt to parse that attribute as an LDIF control. If you have LDIF
   records that represent entries in which the first attribute may be named “
   control”, if you are reading them as generic LDIF records or as LDIF
   change records with defaultAdd set to true, and if you don’t have any
   LDIF change records that legitimately do include LDAP controls, then you
   can update the LDIF reader to disable support for controls so that it will
   interpret a leading “control” element as an attribute rather than a
   change record with a control.



   -

   We updated PKCS11KeyManager to make it easier to use certificate chains
   stored in PKCS #11 tokens without needing to alter the JVM configuration.
   Previously, if you wanted to use PKCS #11, you either had to modify a
   configuration file within the JVM installation (which may not always be
   feasible), or you had to write your own code to load the provider before
   trying to use the key manager. You can now supply a provider configuration
   file when creating a PKCS #11 key manager, and it will ensure that the
   necessary provider is loaded and registered with the JVM.



   -

   We updated the manage-certificates tool to support interacting with PKCS
   #11 tokens. Previously, the tool only supported certificates in JKS, PKCS
   #12, and BCFKS key stores. When using a PKCS #11 token, you must use the
   --keyStore argument with a value that is the path to the provider
   configuration file and the --keyStoreFormat argument with a value of
   PKCS11.



   -

   We updated the manage-certificates tool to add a new copy-keystore
   subcommand with support for copying some or all of the information in one
   key store to another key store of the same or a different type. This can
   allow you to merge key stores or convert a key store from one type to
   another (for example, JKS to PKCS #12).



   -

   We updated the manage-certificates tool to add optional --output-file
   and --output-format arguments to the generate-self-signed-certificate
   subcommand. This allows you to generate and export a self-signed
   certificate in one step rather than requiring a separate command to export
   a certificate after generating it.



   -

   We updated the manage-certificates tool to allow interacting with BCFKS
   key stores even when the LDAP SDK is not operating in FIPS 140-2-compliant
   mode. Note that the necessary FIPS-compliant Bouncy Castle libraries must
   already be in the classpath.



   -

   We updated the manage-certificates tool to display the key store type
   when using the list-certificates subcommand.



   -

   We updated the in-memory-directory-server command-line tool to add a new
   --doNotGenerateOperationalAttributes argument that will prevent the
   server from maintaining operational attributes like entryDN, entryUUID,
   subschemaSubentry, creatorsName, createTimestamp, modifiersName, and
   modifyTimestamp.



   -

   We updated the FileArgument class to provide better support for
   interacting with files that are potentially encrypted or compressed. The
   getFileLines, getNonBlankFileLines, and getFileBytesMethods have been
   updated so that they can transparently handle reading from gzip-compressed
   files. Further, for tools that are running as part of a Ping Identity
   Directory Server installation, they can transparently handle reading from
   files that are encrypted with a key from the server’s encryption settings
   database. Also, a new getFileInputStream method has been provided that
   can retrieve an input stream to use when reading from the target file,
   including cases in which the file is compressed or encrypted.



   -

   We added a new ThreadLocalSecureRandom class that can be used to
   maintain a set of per-thread SecureRandom instances that can be used
   without concerns around synchronization or contention.



   -

   We updated the documentation to include the latest revisions of the
   draft-coretta-x660-ldap, draft-ietf-kitten-password-storage, and
   draft-melnikov-scram-2fa drafts in the set of LDAP-related specifications.


Changes specific to running in FIPS 140-2-compliant mode include:


   -

   We have updated the LDAP SDK so that it will use the Bouncy Castle
   FIPS-compliant SecureRandom instance in hybrid mode, which helps reduce
   the chance that it will encounter severe performance issues as a result of
   depleted entropy on the underlying system. However, in some cases, it may
   still be necessary to either use a hardware random number generator or a
   software entropy supplementing daemon (like rngd) to prevent blocking
   due to a lack of entropy.



   -

   We have updated the LDAP SDK to make it possible to customize the set of
   providers that will be allowed when running in FIPS 140-2-compliant mode.
   You can perform this customization  programmatically or with a system
   property.



   -

   We have updated the command-line tool framework to check  whether the
   LDAP SDK is running in FIPS 140-2-compliant mode upon invoking the tool
   constructor. This can help prevent cases in which the tool may
   inadvertently perform operations with a non-FIPS-compliant provider.


Changes specific to using the LDAP SDK in conjunction with the Ping
Identity Directory Server include:


   -

   We updated the collect-support-data tool to allow using the
   --keyStoreFormat and --trustStoreFormat arguments when invoking the
   server-side version of the tool. Previously, you could only use these
   arguments in conjunction with the --useRemoteServer argument. This
   change only applies when using the 8.3.0.0 or later release of the Ping
   Identity Directory Server.



   -

   We added client-side support for a new administrative task that can be
   used to safely remove an object class definition from the server schema.
   The task will ensure that the object class is not in use before attempting
   to remove it, and it will clean up any references to the object class that
   may no longer be necessary (for example, in a backend’s entry compaction
   dictionary).

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.1.4

[Neil W. <nei...@pi...>]

We have just released version 5.1.4 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>
.

The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html>
contain a more complete overview of the changes included since the 5.1.3
release, but here’s a quick overview:


   -

   We fixed an issue with the fewest connections and round-robin server
   sets that could cause them to leave a background thread running if one of
   the servers it had been using goes away permanently.



   -

   We updated the TLS cipher suite selector to improve compatibility with
   JVMs (like the one provided by IBM) that use an “SSL_” prefix for all
   cipher suite names, rather than using “TLS_” for suites associated with the
   TLS protocol and only using “SSL_” for suites associated with legacy SSL
   protocols.



   -

   We have updated the TLS cipher suite selector to improve the order in
   which it returns the names of the recommended suites.



   -

   We have added new key and trust manager implementations that can use
   X.509 certificates and PKCS #8 private keys read from PEM files. We have
   also added new utility classes for reading certificates and private keys
   from PEM files.



   -

   We updated the LDAP SDK to support running in a FIPS 140-2-compliant
   mode using the Bouncy Castle FIPS provider (and the associated JSSE
   provider). The Bouncy Castle libraries are not provided as part of the LDAP
   SDK, but if they are separately obtained and included in the classpath,
   then the LDAP SDK can be configured to operate in a FIPS-compliant manner.



   -

   We have updated the manage-certificates tool to support managing
   certificates in BCFKS (the Bouncy Castle FIPS-compliant key store format)
   files.



   -

   We have updated the TLS cipher suite selector to exclude suites that
   rely on the SHA-1 digest algorithm from the recommended set of suites when
   running in FIPS-compliant mode.



   -

   We improved an error message that could be used in an exception if a
   connection becomes invalid in the course of trying to send a request to the
   server.



   -

   We updated the ldifmodify command-line tool to allow ignoring duplicate
   attempts to delete the same entry, and attempts to delete or modify entries
   that do not exist in the LDIF file.



   -

   We have updated support for the proprietary get user resource limits
   request control to allow clients to request that the server not return
   information about the user’s group membership in the response control. This
   can help improve performance when using the control, especially in servers
   with large numbers of dynamic groups.



   -

   We have updated the LDAP SDK documentation to include the latest
   versions of draft-coretta-x660-ldap and draft-ietf-kitten-password-storage
   in the set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.1.3

[Neil W. <nei...@pi...>]

We have just released version 5.1.3 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>
.

The biggest change in this release addresses an issue in the LDAP listener
framework (including the in-memory directory server). The listener did not
adequately protect against the case in which a malicious or errant client
could send an LDAP request encoded as an ASN.1 BER sequence with a very
large value length, which could result in the listener attempting to
allocate up to two gigabytes of memory. The LDAP listener framework will
now impose a maximum request size of 20 megabytes by default, which is the
same as the default maximum size that the LDAP SDK will impose for
responses read from a directory server. The maximum request size can be
configured using the InMemoryDirectoryServerConfig.setMaxMessageSizeBytes
method when using the in-memory directory server, or using the
LDAPListenerConfig.setMaxMessageSizeBytes method when using the more
general LDAP listener framework.

Other changes since the 5.1.2 release include:


   -

   We have updated OID support to add methods for interacting with object
   identifiers in a hierarchical manner. It is now possible to create a new
   OID that is a child of a provided OID with a given subordinate component
   value. You can also get the parent for a provided OID and determine whether
   one OID is an ancestor or descendant of another.



   -

   We have updated the oid-lookup tool to add a new --exact-match argument
   that will cause it to only return items in which the OID, name, type,
   origin, or URL exactly matches the provided search string. The tool
   continues to use substring matching by default.



   -

   We have updated the ldap-result-code tool to add a new --output-format
   argument that allows you to customize whether the output should be
   formatted as a human-readable table, comma-separated values, tab-delimited
   text, or JSON objects. It will continue to format result codes in a table
   by default.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.1.2

[Neil W. <nei...@pi...>]

We have just released version 5.1.2 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html>
provide a pretty comprehensive overview of what’s changed since the 5.1.1
release, but here’s a summary:

Server-Agnostic Updates

   -

   We added a new parallel-update command-line tool that can be used to
   apply changes read from an LDIF file against an LDAP server using multiple
   concurrent threads.



   -

   We updated the ldapmodify and ldapdelete tools so that they will now
   default to retrying failed operations on a newly established connection if
   the failure suggests that the connection made for the initial attempt is no
   longer valid. This was previously available through the
   --retryFailedOperations argument, but it is now the default behavior,
   and a --neverRetry argument can be used if retry support is not wanted.



   -

   We added a new OIDRegistry class that provides a registry of object
   identifiers used in LDAP, including things like schema elements, controls,
   extended operations, and other sources. Each item in the registry has a
   name, an OID, and a type, and it may also have an origin string and a URL
   that may be used to retrieve additional information about the item.



   -

   We added a new oid-lookup command-line tool that can be used to search
   the OID registry to find items with a given OID, name, type, or other
   content.



   -

   We added a new ldap-result-code command-line tool that can be used to
   list all defined result codes and search for result codes with a given name
   or integer value.



   -

   We updated the LDAP listener framework and the in-memory directory
   server to support mutual TLS authentication, in which the server requests a
   certificate chain from the client and validates any chain that the client
   provides.



   -

   We updated the logic used to generate temporary self-signed certificates
   for use by the in-memory-directory-server and ldap-debugger command-line
   tools so that the certificates will be more acceptable to a wider range of
   clients. The certificate will now only be valid for one year, as some TLS
   clients balk at peer certificates with very long lifetimes. The subject
   alternative name extension will also default to only using canonical host
   names and IP addresses that are associated with non-loopback interfaces.



   -

   We added a new argument value validator that can be used to restrict
   command-line argument values to those that represent valid DNS host names.
   It can optionally accept or reject values that are numeric IP addresses,
   can accept or reject unqualified host names, and can accept or reject
   unresolvable host names.



   -

   We added a new SASLClientBindHandler class that can be used to invoke
   SASL bind operations that use a javax.security.sasl.SaslClient object to
   perform the actual SASL processing. We also added an
   LDAPConnection.applySASLSecurityLayer method that can be used to add a
   security layer that has been negotiated with a SaslClient to an
   established, clear-text connection.



   -

   We updated the HostNameSSLSocketVerifier to automatically trust any
   certificate when the client used a loopback IP address (not a host name,
   even if that name is associated with a loopback interface) as the address
   for the server. This is in accordance with the W3C Secure Contexts
   Candidate Recommendation <https://www.w3.org/TR/secure-contexts/>,
   section 3.2.



   -

   We updated the HostNameSSLSocketVerifier and TrustAllSSLSocketVerifier
   classes to implement the javax.net.ssl.HostnameVerifier interface.



   -

   We updated the LDIF writer to improve human readability for the comments
   that it can automatically add for base64-encoded values.



   -

   We updated the manage-certificates command-line tool to add support for
   a new retrieve-server-certificate subcommand, which will retrieve the
   certificate chain from a specified server and optionally write a
   PEM-encoded or DER-encoded representation of the certificate(s) to a
   specified file.



   -

   We fixed an issue with the manage-certificates trust-server-certificate
   command that only caused it to wait for 60 milliseconds rather than the
   intended 60 seconds when trying to establish a connection to the target
   server.



   -

   We updated ldapsearch to add a new “dns-only” output format. If this
   format is selected, then the output will contain only the DNs of matching
   entries.



   -

   We updated support for the OAUTHBEARER SASL mechanism to make it
   possible to include arbitrary key-value pairs in the SASL credentials.



   -

   We fixed an issue in the command-line tool framework that affected tools
   that provide support for automatically writing the output to a file. The
   output file was never explicitly closed, which could cause problems in
   cases where the tool was invoked programmatically, and then an attempt was
   made to subsequently use the output from code in the same JVM.



   -

   We added a new StaticUtils.isIANAReservedIPAddress method that can be
   used to determine whether a provided IPv4 or IPv6 address is contained in
   an IANA-reserved range.



   -

   We updated the ChangeLogEntry class so that it will fall back to using
   the includedAttributes attribute if the deletedEntryAttrs attribute does
   not exist in changelog entries that represent a delete operation.



   -

   We updated the LDAP SDK’s support for passphrase-based encryption to
   make it possible to explicitly specify the type of cipher that should be
   used. Previously, you could only request either a baseline level of
   protection (which should be available in all supported Java versions) or
   the strongest supported level of protection (which might not be available
   in some JVMs)



   -

   We added a new X.509 trust manager that will never trust any certificate
   chain. This is primarily intended for testing purposes.



   -

   We updated the documentation to include the latest versions of the
   draft-melnikov-scram-sha-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-01.txt>,
   draft-melnikov-scram-sha3-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha3-512-01.txt>, and
   draft-ietf-kitten-password-storage
   <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-02.txt>
   drafts in the set of LDAP-related specifications.


Updates Specific to the Ping Identity Directory Server

   -

   We added client-side support for a new ds-pwp-modifiable-state
   operational attribute that can be used to retrieve and manipulate a select
   set of password policy state information in a user’s entry.



   -

   We added support for a new “remove attribute type” administrative task
   that can be used to safely remove an attribute type definition from the
   server schema.



   -

   We added client-side support for interacting with passwords encoded with
   the new AES256 password storage scheme.



   -

   We updated the Filter.matchesEntry method to add limited support for
   extensible matching filters that contain both an attribute type and a
   matching rule ID, when the dnAttributes flag is not set, and when the
   matching rule ID targets the jsonObjectFilterExtensibleMatch matching
   rule.



   -

   We updated the uniqueness request control to make it possible to
   indicate whether the server should raise an administrative alert if it
   detects a conflict during the post-commit validation phase.



   -

   We updated the uniqueness request control to make it possible to
   indicate that the server should create a temporary conflict prevention
   details entry before beginning pre-commit processing as a means of better
   preventing conflicts that arise from concurrent changes in different
   servers.



   -

   We deprecated support for interactive transactions, whose use has been
   discouraged for many releases, and for which server-side support is being
   removed.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.1.1

[Neil W. <nei...@pi...>]

We have just released version 5.1.1 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from GitHub <https://github.com/pingidentity/ldapsdk/releases> and
SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is
available in the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html>
provide a pretty comprehensive overview of what’s changed since the 5.1.0
release, but here’s a summary:

Server-Agnostic Updates

   -

   We have added new @NotNull and @Nullable annotation types and updated
   the entire LDAP SDK codebase to mark all non-primitive fields, parameters,
   and method return values to indicate whether they may be null. These
   annotations will appear in the generated Javadoc documentation
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html>, and they will
   also be available at runtime for introspection by IDEs and other tools.



   -

   We have improved the logic used to validate certificate hostnames. The
   LDAP SDK now does a better job of handling hostnames with wildcards, and it
   does a better job of handling cases in which the connection was established
   with an IP address rather than a hostname. There is also an option to
   indicate whether to treat a certificate’s subject alternative name
   extension (if present) as the only authoritative source of allowed
   hostnames or to also allow looking at the CN attribute in the certificate
   subject DN even if the certificate contains a subject alternative name
   extension.



   -

   We fixed an issue that could prevent command-line tools that support
   subcommands from performing all appropriate validation when running in
   interactive mode. The command-line tool’s interactive mode framework
   neglected to perform required, dependent, and exclusive argument set
   validation for the selected subcommand, which could cause the tool to run
   with an inappropriate set of arguments.



   -

   We fixed issues in the code used to format strings in the
   comma-separated values (CSV) format. Previously, all ASCII control
   characters and all non-ASCII characters were silently dropped from the
   output. They are now included, but the value will be in quotes (and may
   span multiple lines if the value to format includes line breaks). Further,
   it had previously used the backslash character to escape any double quotes
   in the data (\"), but RFC 4180 <https://tools.ietf.org/rfc/rfc4180.txt>
   indicates that each double-quote character should be escaped by preceding
   it with another double quote character (""). The LDAP SDK now uses the
   RFC-specified behavior as the default, but it is possible to fall back to
   the former backslash-based encoding if desired or needed for backward
   compatibility.



   -

   We updated ldapsearch to add multi-valued-csv and
   multi-valued-tab-delimited output formats. The existing csv and
   tab-delimited output formats only include the first value for
   multi-valued attributes, while the multi-valued variants use the vertical
   bar character (|) as a delimiter between values.



   -

   We updated the ldappasswordmodify command-line tool to default to using
   the password modify extended operation if it is unable to retrieve the
   server’s root DSE while attempting to determine which method to use to
   change the password. The tool would previously exit with an error if the
   --passwordChangeMethod argument was not provided and it couldn’t
   retrieve the root DSE to determine an appropriate method.



   -

   We updated the authrate command-line tool so that the --filter argument
   is not required if the --bindOnly argument is provided.



   -

   Updated the ldapcompare tool so that it always uses an exit code of zero
   (corresponding to the LDAP success result code) by default if all compare
   operations are processed successfully, regardless of whether the assertions
   matched or did not match the target entries. Previously, the tool would use
   an exit code of 5 or 6 (corresponding to the LDAP compareFalse and
   compareTrue result codes, respectively) if only a single compare assertion
   was processed and completed with the corresponding result code. However,
   returning a nonzero exit code by default can cause problems with scripts
   that invoke the tool and expect that a nonzero result code indicates that
   an error occurred. The new --useCompareResultCodeAsExitCode argument can
   be used to request the previous behavior.



   -

   We updated the ldapcompare tool to allow reading the raw assertion value
   from a file. If this option is used, then the attribute name or OID should
   be followed by a colon, a less-than sign, and the path to the file from
   which the value should be read (for example, “
   cn:</path/to/asserted-cn-value.txt”). If this option is used, then the
   exact bytes of the file (including line breaks) will be used as the
   assertion value for the compare operation.



   -

   We updated the ldifsearch tool so that all non-LDIF output is written as
   LDIF comments (preceded by the octothorpe character, #) so that it will
   not interfere with the ability to parse the remaining output as LDIF.



   -

   We added support for the OAUTHBEARER SASL mechanism, as described in RFC
   7628 <https://docs.ldap.com/specs/rfc7628.txt>.



   -

   We updated the LDAP command-line tool framework to add support for
   authenticating with additional SASL mechanisms, including OAUTHBEARER,
   SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512.



   -

   We fixed issues with the ldifsearch, ldifmodify, and ldif-diff tools
   that could arise if they were run in a manner that would cause the output
   to be both compressed and encrypted. The tool incorrectly attempted to
   compress the output after it was encrypted rather than before, making the
   compression ineffective and the output incompatible with tools that expect
   compression to be applied before encryption.



   -

   We fixed an issue with the ldifsearch tool that could prevent it from
   properly finalizing the output when using compression or encryption,
   potentially leaving buffered data unwritten.



   -

   We fixed an issue with the ldifmodify tool that caused it to use a
   nonzero exit code if it was only used to add new entries to a previously
   empty source LDIF file.



   -

   We updated the ldifmodify tool to use lenient mode by default when
   applying modifications. It would previously reject attempts to add
   attribute values that already existed or remove attribute values that do
   not exist, but this could cause problems with applications that did not
   expect this behavior, as a legacy version of the tool used lenient mode by
   default. A new --strictModifications argument has been added that can
   request the strict validation mode if desired.



   -

   We updated the LDAP SDK’s command-line tool framework so that when
   displaying an example command that is split across multiple lines, it will
   use an appropriate continuation character for the underlying platform. It
   previously always used the backslash character (\), which is correct for
   UNIX-based systems, but it will now use the caret character (^) when
   running on Windows systems.



   -

   We fixed an issue with the ldifsearch tool that caused its usage output
   to include example arguments and descriptions intended for use with the
   ldif-diff tool.



   -

   We fixed an issue in the manage-certificates tool usage output that
   caused the generate-certificate-signing-request subcommand’s
   --key-size-bits argument to use the wrong description.



   -

   We updated the documentation to include the latest versions  of the
   draft-kitten-gss-sanon
   <https://docs.ldap.com/specs/draft-ietf-kitten-gss-sanon-01.txt>,
   draft-melnikov-scram-2fa
   <https://docs.ldap.com/specs/draft-melnikov-scram-2fa-01.txt>, and
   draft-melnikov-scram-sha3-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-00.txt> drafts
   in the set of LDAP-related specifications.


Updates Specific to the Ping Identity Directory Server

   -

   We added support for a new “get recent login history” control that can
   be included in a bind request to indicate that the bind response (if
   authentication was successful) should include information about other
   recent successful and failed authentication attempts for that user. The
   ldapsearch and ldapmodify commands have been updated to provide support
   for this control. We also updated support for the password modify extended
   operation, the manage-account command-line tool, and the
   ds-pwp-state-json virtual attribute to provide support for retrieving a
   user’s recent login history.



   -

   We updated support for the password modify extended operation, the
   manage-account tool, and the ds-pwp-state-json virtual attribute to
   provide support for retrieving state information about password validation
   performed during bind operations, including the time that validation was
   last performed and whether the account is locked because the bind password
   failed validation.



   -

   We updated support for the ds-pwp-state-json virtual attribute to
   provide support for retrieving information about the quality requirements
   that the user’s password must satisfy.



   -

   We updated the set of potential authentication failure reasons to
   include an additional failure type for cases in which a password used in a
   bind request failed to satisfy one or more of the configured password
   validators.



   -

   We added a new password policy state account usability error that may be
   used if an account is locked because the user attempted to authenticate
   with a password that failed to satisfy one or more of the configured
   password validators.



   -

   We added a new password policy state account usability warning that may
   be used if an account contains a password that is encoded with a deprecated
   password storage scheme.



   -

   We updated the collect-support-data tool to add the ability to specify
   the amount of data to capture from each log file to be included in the
   support data archive. We have also updated client-side support for the
   administrative task and extended operation that may be used to invoke
   collect-support-data processing against a remote server to include
   support for the new arguments.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.1.0

[Neil W. <nei...@pi...>]

UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>
version 5.1.0 has been released and is available for download from GitHub
<https://github.com/pingidentity/ldapsdk/releases> and SourceForge
<https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in
the Maven Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html>
provide a pretty comprehensive overview of the changes since the previous
5.0.1 release, but here’s a summary:


   -

   We fixed an issue in which the JVM-default trust manager did not always
   correctly handle cross-signed issuer certificates when the presented chain
   included an expired issuer certificate. It will now check to see if it can
   build a valid path with an alternate trust anchor.



   -

   We added a new SchemaValidator class that can identify all kinds of
   problems with LDAP schema definitions. We also provide a new
   validate-ldap-schema command-line tool that will examine definitions
   contained in one or more LDIF files and report any problems that it finds.



   -

   We updated the in-memory-directory-server command-line tool to validate
   any schema definitions provided through the --useSchemaFile argument.
   Even if there are problems, the server will still try to use that schema to
   the best of its ability (as was previously the case). The
   --doNotValidateSchemaDefnitions argument can be used to disable the new
   validation if it is not desired.



   -

   We added a new ldappasswordmodify command-line tool that can be used to
   perform a self password change or an administrative password reset. It
   supports the password modify extended operation (as described in RFC 3062
   <https://docs.ldap.com/specs/rfc3062.txt>), and it can also change
   passwords using a regular LDAP modify operation or using an Active
   Directory-specific modification.



   -

   We added three new command-line tools for performing operations on data
   contained in LDIF files:
   -

      The ldifsearch tool can be used to identify entries that match a
      given set of search criteria.
      -

      The ldifmodify tool can be used to apply a set of add, delete,
      modify, and modify DN changes to LDIF data.
      -

      The ldif-diff tool can be used to identify differences between data
      in two provided LDIF files and report the differences in the form of LDIF
      change records.



   -

   We added a new version of the ldapcompare tool that can be used to
   perform LDAP compare operations in a directory server. The new version
   offers a lot of additional functionality like support for performing
   multiple compare assertions and using a variety of request controls, and it
   can generate parseable output in tab-delimited text, CSV, or JSON formats.



   -

   We updated the in-memory directory server to make it possible to add
   custom attributes to the root DSE. While it was already possible to replace
   the entire root DSE entry with a static entry, this new approach makes it
   possible to retain some dynamic content (for example, changelog-related
   attributes) while still customizing other attributes.



   -

   We made several changes in our support for entries with the ldapSubEntry
   object class:
   -

      We added a new RFC3672SubentriesRequestControl class with support for
      the LDAP subentries request control as described in RFC 3672
      <https://docs.ldap.com/specs/rfc3672.txt>.
      -

      The LDAP SDK already had support for an alternate version of the
      control described in draft-ietf-ldup-subentry
      <https://docs.ldap.com/specs/draft-ietf-ldup-subentry-08.txt> through
      the SubentriesRequestControl class, but that class has been
      deprecated in favor of a new DraftLDUPSubentriesRequestControl class,
      which helps avoid confusion with the class that implements the RFC 3672
      version of the control. The deprecated class is still fully
functional and
      will be kept to preserve backward compatibility, but we
recommend updating
      code that uses the old class for the sake of clarity.
      -

      The in-memory directory server has been updated with support for the
      RFC 3672 version of the control. It already had support for the
      draft-ietf-ldup-subentry version.
      -

      The in-memory directory server has been updated so that it will
      return entries with the ldapSubEntry object class if the filter
      includes an “(objectClass=ldapSubEntry)” component.
      -

      The ldapsearch command-line tool has been updated with support for
      the RFC 3672 version of the LDAP subentries control, using the new
      --rfc3672Subentries argument. It already had support for the
      draft-ietf-ldup-subentry version of the control through the
      --includeSubentries argument, and that argument is still available,
      but we now recommend using --draftLDUPSubentries instead for the sake
      of clarity.



   -

   We updated the ldapsearch tool to add a new “values-only” output format
   (as an alternative to the existing LDIF, tab-delimited text, CSV, and JSON
   output formats). If this output format is selected, then it will only
   output the values of the requested attributes without any entry DNs or
   attribute names. This can help extract raw attribute values from a
   directory server from a script without the need for any additional text
   processing.



   -

   We updated the ldapsearch tool to add a new --requireMatch argument. If
   this argument is provided and the search completes successfully but does
   not return any entries, then the tool will have an exit code of 94
   (corresponding to the noResultsReturned result code) rather than zero. This
   argument does not have any visible effect on the output.



   -

   We updated the round-robin and fewest connections servers sets to expose
   the blacklist manager that they use to avoid trying to establish
   connections to servers that are believed to be unavailable.



   -

   We updated the manage-certificates tool to make it easier to list and
   export certificates from the JVM’s default trust store without needing to
   know the path to the appropriate file.



   -

   We improved the logic that the LDAP SDK uses when selecting ordering and
   substring matching rules for ordering operations involving attributes that
   are defined in the schema but whose definition does not specify an ordering
   matching rule. It will now try to infer an appropriate ordering matching
   rule from the equality matching rule before trying other alternatives like
   inferring a rule from the associated syntax or using a default rule.



   -

   We updated the LDAP command-line tool framework to make it easier and
   more convenient to communicate securely with the Ping Identity Directory
   Server (and other related server products). This includes:
   -

      We added a new TopologyRegistryTrustManager class that can use
      information in the server’s topology registry to determine
whether to trust
      the certificates for instances in the topology.
      -

      If no trust-related arguments are specified when running the tool, it
      will now check the server’s default trust store and the topology registry
      to determine whether the presented certificate should be trusted. It will
      still also check the JVM’s default trust store, and it will
still fall back
      to interactively prompting the user if the certificate cannot be trusted
      through other means.



   -

   We streamlined the process that LDAP command-line tools use to establish
   and authenticate connections when run in interactive mode. It will now
   recommend TLS encryption over unencrypted communication with a simplified
   set of arguments, and it will recommend simple authentication over
   unauthenticated connections. Further, when the tool is part of a Ping
   Identity Directory Server (or related server product) installation, it will
   read the configuration to determine the appropriate port to suggest when
   connecting to the server.



   -

   We made several improvements to the summarize-access-log tool that can
   be used to examine Ping Identity Directory Server access logs. These
   include:
   -

      You can now customize the maximum number of values to display for
      each item. It was previously hard-coded to use a limit of 20
values. If any
      values were omitted, then it will now tell you how many were left out.
      -

      You can now choose to de-anonymize the output to obtain the specific
      attribute values used in search filters and entry DNs (instead of
      displaying question marks as placeholders).
      -

      The output will now include information about the most common TLS
      protocols and cipher suites used for secure communication.
      -

      The output will now include the most common successful and failed
      bind DNs and the most common authentication mechanisms.
      -

      The output will now include the most common DNs used as alternate
      authorization identities (e.g., via the proxied authorization request
      control).
      -

      The output will now include the most common filters used for
      unindexed searches, the most common base DNs for searches with
      non-baseObject scopes, the filters for searches taking the longest to
      complete, and the most common filters for searches returning
zero, one, or
      multiple entries.
      -

      When summarizing the most commonly invoked types of extended
      operations, the tool will now try to provide a human-readable
name for the
      extended operation in addition to its OID.



   -

   We added client-side support for obtaining password policy state
   information from the Ping Identity Directory Server’s ds-pwp-state-json
   virtual attribute.



   -

   We added client-side support for the new populate composed attribute
   values and generate server profile administrative tasks in the Ping
   Identity Directory Server.



   -

   We added a new OID.parseNumericOID method that can be used to parse a
   provided string as a valid numeric object identifier, optionally performing
   strict validation. If the provided string does not represent a valid
   numeric OID, then the method will throw an exception with a message that
   explains the problem.



   -

   We improved the error messages generated for problems that may arise
   when parsing schema definitions.



   -

   We updated the schema parsing code so that it can now handle schema
   elements with a description value that is an empty string. Although empty
   descriptions (or other types of quoted strings) are not permitted in schema
   element definitions, some servers allow them. Empty descriptions are still
   not allowed by default, but that behavior can be overridden with a code
   change or a system property.



   -

   We added a new IA5 string argument value validator that can be used to
   require that the values of associated arguments are only permitted to
   contain ASCII characters. The manage-certificates tool has also been
   updated to provide better validation for certificate components that are
   required to be IA5 strings, including DNS names and email addresses in the
   subject alternative name extension.



   -

   We added support for encoding and decoding timestamps in the ISO 8601
   format described in RFC 3339 <https://www.ietf.org/rfc/rfc3339.txt>.



   -

   We updated the LDAP command-line tool framework so that if the
   --help-sasl argument is used in conjunction with a --saslOption argument
   that specifies the name of the SASL mechanism, the output will only include
   help information for that mechanism.



   -

   We fixed a bug in the StaticUtils.isASCIIString method that caused it to
   only look at the lowest byte for each character in the provided string.



   -

   We added new ByteStringBuffer utility methods, including getting
   individual bytes or sets of bytes at a specified position, for determining
   whether the buffer starts with or ends with a given set of bytes, and for
   reading the contents of a file or input stream into the buffer.



   -

   We added new StaticUtils convenience methods for reading and writing
   files as bytes, strings, or lists of lines.



   -

   We added support for new password policy state account usability warning
   and notice types for the Ping Identity Directory Server. The new types can
   be used to indicate that the account has too many outstanding
   authentication failures, but that the server will take some other action
   (for example, delaying the bind response) instead of completely preventing
   authentication.



   -

   We fixed an issue in the LDAP SDK’s JSON-formatted debug logging support
   for debug messages containing exceptions with another exception as the
   underlying cause.



   -

   We fixed an issue with the command-line tool framework that could
   prevent it from setting an argument value from a properties file even
   though that same value would have been permitted if it had been provided
   directly on the command line.



   -

   We updated the default standard schema provided with the LDAP SDK to
   include additional attribute syntaxes, matching rule, attribute type, and
   object class definitions.



   -

   We updated the documentation to include draft-ietf-kitten-gss-sanon
   <https://docs.ldap.com/specs/draft-ietf-kitten-gss-sanon-00.txt>,
   draft-ietf-kitten-password-storage
   <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-00.txt>,
   and draft-melnikov-scram-sha-512
   <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-00.txt> in the
   set of LDAP-related specifications.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.0.1

[Neil W. <nei...@pi...>]

The UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>
is a fast, powerful, user-friendly, and completely free Java library for
communicating with LDAP directory servers and performing other LDAP-related
processing. We have just released version 5.0.1 of the LDAP SDK, and it is
available for download from GitHub
<https://github.com/pingidentity/ldapsdk/releases> and SourceForge
<https://sourceforge.net/projects/ldap-sdk/files/>, as well as from the Maven
Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
The release notes are available online at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html.

This is a minor release that was primarily created in service of an
upcoming release of the Ping Identity Directory Server
<https://www.pingidentity.com/en/platform/directory/directory-overview.html>,
as it fixes an issue in a tool that only impacts that new release.
Nevertheless, there are a couple of additional updates, so we’re making it
publicly available.

The changes over the previous 5.0.0 release include:


   -

   We added a new LDAP connection logger API that can be used to keep a
   record of processing performed by the LDAP SDK, including successful and
   failed connection attempts, operation requests and responses (including
   non-final responses like search result entries, search result references,
   and intermediate responses), and disconnects. The LDAP SDK includes a
   connection logger instance that formats messages as JSON objects, but it’s
   an extensible API, so you’re free to create your own implementation using
   whatever format you want.



   -

   We have updated the LDAP command-line tool framework to make it possible
   to specify the address of the target directory server(s) using either
   --host or --address as an alternative to the existing --hostname argument.



   -

   We fixed an issue that prevented the collect-support-data tool from
   running properly in local mode when using a secure connection (either SSL
   or StartTLS). This functionality only applies to an upcoming release of the
   Ping Identity Directory Server, so existing installations should not have
   been affected, and new installations will have the fix.



   -

   We made minor updates to the usage output for several command-line tools
   to improve wording and fix typos. We also fixed typos in other messages
   used throughout the LDAP SDK.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 5.0.0, now available under the Apache License

[Neil W. <nei...@pi...>]

The UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>
is a fast, powerful, user-friendly, and completely free Java library for
communicating with LDAP directory servers and performing other LDAP-related
processing. We have just released version 5.0.0 of the LDAP SDK, and it is
available for download from GitHub
<https://github.com/pingidentity/ldapsdk/releases> and SourceForge
<https://sourceforge.net/projects/ldap-sdk/files/>, as well as from the Maven
Central Repository
<https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>.
The release notes are available online at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html.

The most significant change in this new release is that the LDAP SDK is now
available under the terms of the Apache License, Version 2.0
<https://github.com/pingidentity/ldapsdk/blob/master/LICENSE.md>, which is
a very permissive OSI-approved open source license. Although it was already
open source under the terms of the GNU GPLv2
<https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-GPLv2.txt>
and LGPLv2.1
<https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-LGPLv2.1.txt>,
the Apache License imposes fewer restrictions on how you can use the LDAP
SDK. You are no longer required to offer to redistribute the source code
(even if you want to use a modified version), and there’s no longer any
concern about whether you need to keep the LDAP SDK jar file as a separate
component. The Apache License is well respected and is often seen as more
compatible and easier to use in non-open-source software than the GNU
license, so we hope that this will make it easier to use in your
applications, whether open source or proprietary. The LDAP SDK is still
available for use under the terms of the GPLv2 and LGPLv2.1 (as well as the
non-open-source UnboundID LDAP SDK Free Use License
<https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-UnboundID-LDAPSDK.txt>),
but we recommend that new users consider using it under the Apache License.

Aside from adding the new license, we made several code changes in this
release as well. They include:


   -

   The LDAP SDK offers an LDAPConnectionDetailsJSONSpecification
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/json/LDAPConnectionDetailsJSONSpecification.html>
   class that allows you to define a JSON file with all of the settings needed
   to create and authenticate individual LDAP connections or connection pools.
   We’ve updated this class so that it’s now possible to indicate that when
   establishing a connection that is secured with SSL or StartTLS, the LDAP
   SDK should automatically trust any certificates signed by an authority in
   the JVM’s default set of trusted issuers. This was already the default
   behavior if you didn’t provide your own trust store (or choose to blindly
   trust all certificates, which isn’t recommended for production use), but
   it’s now possible to use this option in conjunction with a provided trust
   store so that it’s possible to trust a certificate either through that
   trust store or through the JVM’s default set of trusted issuers.



   -

   The KeyStoreKeyManager
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/ssl/KeyStoreKeyManager.html>
   can be used to obtain a certificate from a key store file if one is needed
   during TLS negotiation. We have updated this class to provide an option to
   better validate that the key store can actually be used by this purpose
   with the settings that you provide. If you use this option and supply the
   alias of the certificate you wish to use, then the key manager will now
   verify that the alias exists in the key store, that it’s associated with a
   private key entry (as opposed to a trusted certificate entry, which only
   contains the public portion of a certificate and isn’t suitable for use if
   you need to present that certificate to the peer), and that all of the
   certificates in the chain are currently within their validity window. If
   you don’t specify a certificate alias, then the validation will make sure
   that the key store contains at least one private key entry in which all of
   the certificates in the chain are within their validity window.



   -

   The TrustStoreTrustManager
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/ssl/TrustStoreTrustManager.html>
   can be used in the course of determining whether to trust a certificate
   presented by a peer during TLS negotiation. We have improved performance
   and concurrency for this trust manager by eliminating unnecessary
   synchronization that forced interaction with the trust store to be
   single-threaded.



   -

   We fixed an issue that could interfere with GSSAPI authentication
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/GSSAPIBindRequest.html>
   if a JAAS login module configuration was loaded and cached by the JVM
   before the login attempt. In such cases, the cached configuration could be
   used instead of the one that was intended.



   -

   The LDAPDebuggerRequestHandler
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/LDAPDebuggerRequestHandler.html>
   can be used to log detailed information about LDAP requests and responses
   that pass through an application using the LDAP SDK’s LDAPListener
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/LDAPListener.html>
   framework (including the in-memory directory server
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/InMemoryDirectoryServer.html>
   and the ldap-debugger
   <https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldap-debugger.html>
   command-line tool). We fixed an issue that could cause messages to be held
   up in an internal buffer rather than immediately written out as soon as
   they’re logged. In some cases, this could significantly delay the
   appearance of these messages or could prevent them from being written out
   at all if the amount of data to be logged was never enough to fill that
   internal buffer.



   -

   We added a new JSONAccessLogRequestHandler
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/JSONAccessLogRequestHandler.html>
   to the LDAPListener framework. This can log information about requests and
   responses as JSON objects, which are both human-readable and
   machine-parseable. While the existing AccessLogRequestHandler
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/AccessLogRequestHandler.html>
   produces output that can be parsed programmatically to some extent, it is
   more optimized for human readability.



   -

   The LDAP SDK offers debugging logging support
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/Debug.html>
   that can be helpful in diagnosing problems whose cause may not otherwise be
   readily apparent. Previously, the debug messages were logged in a form that
   was primarily intended to be human-readable rather than machine-parseable.
   They are now written in a JSON format that is both human-readable and
   machine-parseable.



   -

   The manage-certificates
   <https://docs.ldap.com/ldap-sdk/docs/tool-usages/manage-certificates.html>
   command-line tool provides a utility for interacting with certificate key
   and trust stores in the Java JKS format or the standard PKCS #12 format.
   When displaying detailed information about certificates in a key or trust
   store, the tool may not have been able to properly decode public key
   information for certificates with 384-bit elliptic curve public keys, and
   it also may not have been able to properly decode a subject alternative
   names extension that included one or more directoryName values. While it
   was still possible to display most of the information about the affected
   certificates, the updated version can now provide the full details about
   those elements.



   -

   The Ping Identity Directory Server
   <https://www.pingidentity.com/en/platform/directory/directory-overview.html>
   includes a collect-support-data utility that can be used to gather a
   variety of information from a server installation that can be very useful
   for troubleshooting problems, tuning performance and scalability, and
   better understanding the environment in which the server is running.
   Previously, this utility could only be invoked by logging into the system
   on which the server instance is running and running the command-line tool.
   We have now added a couple of additional mechanisms for running the
   utility. It can now be invoked via an administrative task
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/tasks/CollectSupportDataTask.html>
   (either as an individual event that is requested by a remote client or as a
   recurring task that runs on a regular basis) that will create the resulting
   support data archive in a specified location on the system (which may be a
   shared filesystem for easier exfiltration). It can also be invoked
via an extended
   operation
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/extensions/CollectSupportDataExtendedRequest.html>
   that will run the tool and stream its output and the resulting support data
   archive back to the client in the form of intermediate response messages.
   Further, although the logic for actually collecting all of this support
   information remains in the server, we have added the collect-support-data
   <https://docs.ldap.com/ldap-sdk/docs/tool-usages/collect-support-data.html>
   command-line tool to the LDAP SDK so that it is easier to invoke the tool
   against a remote server without needing to install the server software on
   the client system.



   -

   The Ping Identity Directory Server provides a monitor backend that
   authorized clients can use to obtain a wealth of useful information about
   the state of the server, and the LDAP SDK includes support for retrieving
   and parsing the information in these monitor entries. We have updated the
   LDAP SDK’s support for the general monitor
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/monitors/GeneralMonitorEntry.html>
   (that is, the top-level “cn=monitor” entry) to make it easier to obtain
   information about the cluster with which the server is associated, the
   location of the server instance, and a unique identifier that was generated
   for the server when the instance was initially configured.



   -

   The LDAP SDK offers a Version
   <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/Version.html>
   class that provides version information for the LDAP SDK, including the
   version number and information about the repository (e.g., the repository
   URL and revision ID) from which the LDAP SDK source code was obtained. This
   information was previously only offered as public static final constants,
   but referencing these constants from third-party applications could lead to
   unexpected behavior thanks to a “feature” of the Java compiler that will
   directly imbed the values of those constants (even if they come from a
   separate library) in the Java bytecode that it generates. This means that
   if your application references these LDAP SDK version constants and you
   compile it against one version of the LDAP SDK, then those version
   constants will be placed directly into the compiled bytecode. If you
   upgrade the LDAP SDK version that you use without recompiling your
   application (e.g., by just replacing the LDAP SDK jar file with a newer
   version), the code referencing the LDAP SDK version would still have the
   old values. To address this, we have updated the Version class to provide
   methods for obtaining the values of all the version constants. If you use
   these methods to obtain the values rather than referencing the constants
   directly, then you will always get the correct LDAP SDK version information
   even if you update the LDAP SDK without recompiling your application.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 4.0.14

[Neil W. <nei...@pi...>]

We have just released version 4.0.14 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from the releases page of our GitHub repository (
https://github.com/pingidentity/ldapsdk/releases), from the Files page of
our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/),
and from the Maven Central Repository (
https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav
).

The LDAP SDK release notes are available online at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes
included in this release are as follows:


   -

   Fixed an issue in which LDAP URLs with consecutive percent-encoded bytes
   were not decoded correctly.



   -

   Fixed an issue that could cause the LDAP SDK to incorrectly handle data
   read from a server when the communication was protected with SASL integrity
   or confidentiality. Thanks to Boris Danilovich for reporting the problem
   and identifying the cause.



   -

   Fixed an issue that prevented the searchrate tool from running if
   neither a base DN pattern nor an LDAP URL pattern was provided.



   -

   Improved the logic that the LDAP SDK used when selecting the cipher
   suites to use when establishing a TLS-secured connection. Weaker suites are
   disabled, and the enabled suites are prioritized so that those offering
   forward secrecy and stronger encryption are preferred.



   -

   Added a new FullLDAPInterface that extends LDAPInterface and adds
   support for close, bind, and processExtendedOperation methods. The
   existing LDAPConnection, AbstractConnectionPool, and
   InMemoryDirectoryServer classes have been updated to implement this
   interface.



   -

   Added a new non-final MockableLDAPConnection class that makes it easier
   to mock an LDAPConnection instance. It implements FullLDAPInterface and
   wraps a provided LDAPConnection. If you create a MockableLDAPConnection
   subclass, then you may override any of the FullLDAPInterface methods to
   provide whatever logic you desire for them. Any non-overridden methods will
   invoke the corresponding method on the provided LDAPConnection instance.



   -

   Fixed a minor typo in the ldapsearch usage information

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 4.0.13

[Neil W. <nei...@pi...>]

We have just released version 4.0.13 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from the releases page of our GitHub repository (
https://github.com/pingidentity/ldapsdk/releases), from the Files page of
our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/),
and from the Maven Central Repository (
https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav
).

This is a minor update that is primarily intended to serve the upcoming
Ping Identity Directory Server 8.0.0.0 release. The LDAP SDK release notes
are available online at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes
included in this release are as follows:


   -

   Added support for debugging connection pool interactions, including
   checking out and releasing connections, as well as establishing and closing
   connections for use in the pool.



   -

   Fixed an issue in the prompt trust manager that could cause it to
   incorrectly display a warning for some certificates with a basic
   constraints extension that included the optional path length constraint.



   -

   Updated the manage-certificates check-certificate-usability command to
   add an additional check to see whether the certificate at the root of the
   chain is found in the JVM’s default set of trusted issuer certificates. If
   it is not found, the tool will display a notice, but it will still complete
   with a success result.



   -

   Fixed an issue in manage-certificates that could prevent it from
   correctly showing the key agreement usage when displaying verbose
   information about a certificate with the key usage extension.



   -

   Fixed an issue that could prevent properly decoding an authority key
   identifier extension that included the optional authorityCertIssuer element
   in an X.509 certificate.



   -

   Made the ManageCertificates.readCertificatesFromFile method public so
   that it can be used outside of the LDAP SDK. This method can be used to
   read a set of PEM-encoded or DER-encoded X.509 certificates from a
   specified file.



   -

   Made the ManageCertificates.readCertificateSigningRequestFromFile method
   so that it can be used outside of the LDAP SDK. This method can be used to
   read a PEM-encoded or DER-encoded PKCS #10 certificate signing request from
   a file.



   -

   Updated the passphrase-encrypted output stream to provide an option to
   override the default key factory iteration count.



   -

   Updated support for the exec task to add an option to specify the path
   to use as the current working directory when invoking the specified
   command. Previously, the server would always use the server instance root
   directory, and that will still be the default if no alternate working
   directory is specified.



   -

   Added an additional StaticUtils.getEnvironmentVariable method variant
   that can be used to provide a default value that should be used if the
   specified environment variable is not set.



   -

   Added an additional StaticUtils.getStackTrace method variant that allows
   you to limit the number of stack frames to include from code before the
   call into the LDAP SDK. Also, updated StaticUtils.getExceptionMessage
   when invoked for a NullPointerException so that it now shows all frames
   from the LDAP SDK (and anything that the LDAP SDK calls), and up to three
   frames from the code before the call into the LDAP SDK.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[ldap-sdk-announce] UnboundID LDAP SDK for Java 4.0.12

[Neil W. <nei...@pi...>]

We have just released version 4.0.12 of the UnboundID LDAP SDK for Java
<https://github.com/pingidentity/ldapsdk>. It is available for download
from the releases page of our GitHub repository (
https://github.com/pingidentity/ldapsdk/releases), from the Files page of
our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/),
and from the Maven Central Repository (
https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav
).

The LDAP SDK release notes are available at
https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes
included in this release are as follows:


   -

   Fixed an issue in the write timeout handler that could prevent it from
   properly cleaning up a timer task object for a connection if an attempt to
   establish that connection failed. This regression, which was introduced in
   the 4.0.11 release, could lead to a gradual increase in memory consumption
   over time.



   -

   Updated the write timeout handler so that it will now shut down its
   background thread after all LDAP connections have been closed.



   -

   Fixed an issue with the JVM-default trust manager that could cause it to
   incorrectly abort TLS negotiation if the server presented only a partial
   certificate chain, and if the last certificate in that partial chain was
   not included in the JVM’s default set of trusted issuers but was signed by
   one of those issuers.



   -

   Corrected the result code used in the LDAPException that is thrown when
   attempting to parse a malformed schema element. We now use the correct
   INVALID_ATTRIBUTE_SYNTAX result code instead of the INVALID_DN_SYNTAX
   result code that had been used by mistake.



   -

   Fixed an issue in the way that the persistence framework constructed
   LDAP attributes for its internal processing. While it would have properly
   selected an appropriate matching rule based on the data type of the
   corresponding Java field when constructing attribute type definitions for
   inclusion in the server schema, it neglected to use that matching rule for
   client-side matching involving those attributes, but instead always used a
   default “case-ignore string” matching behavior.



   -

   Updated the manage-certificates tool to use the SHA-1 digest algorithm
   instead of 256-bit SHA-2 when generating the subject key identifier
   extension for certificates and certificate signing requests. This makes it
   possible to work around a limitation in Microsoft certificate authorities,
   which are apparently unable to handle CSRs with 256-bit subject key
   identifiers.



   -

   Fixed an issue in the search-and-mod-rate tool in which the search
   durations reported by the tool included not only the time required to
   process the search, but also the time required for the associated modify
   operations. Further, if the tool was configured to limit the rate at which
   modify operations would be attempted, the reported search durations could
   also include any wait imposed by the rate limiter.



   -

   Added client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and
   SCRAM-SHA-512 SASL mechanisms.



   -

   Added client-side support for a “generate password” request and response
   controls. When included in an add request sent to the Ping Identity
   Directory Server, the request control indicates that the server should
   generate a password for the entry and return it to the client in the
   corresponding response control. The ldapmodify tool has been updated to
   provide support for this control.



   -

   Added client-side support for a “generate password” extended operation.
   When sent to the Ping Identity Directory Server, this operation will cause
   the server to generate one or more passwords that may be suggested to the
   end user when creating or updating a user entry.



   -

   Updated the transform-ldif tool to provide options to exclude LDIF
   records by change type, and to exclude LDIF records that do not have a
   changetype.



   -

   Updated the command-line argument parser to provide a better error
   message if the value the user provides to a string or Boolean value
   argument is not in the set of allowed values for that argument. The error
   message will now include a list of the allowed values.



   -

   Updated the command-line tool interactive mode processor so that when it
   prompts for a password, PIN, or other sensitive value that does not get
   echoed to the screen, it will now ask the user to confirm the value to help
   ensure that they entered it correctly.



   -

   Updated the command-line tool interactive mode processor so that when
   the user asks to see the set of arguments that will be used when running
   the tool, it will now display the full command rather than just listing the
   arguments. Further, if the command spans multiple lines, then all but the
   last line will now include a trailing backslash. This makes it more
   convenient to run the command non-interactively because it can simply be
   copied and pasted.



   -

   Updated the argument parser to provide a more convenient way to define
   mutually dependent argument sets, such that if any argument in the set is
   provided, then all of the other arguments will also be required.



   -

   Updated the argument parser to allow applications to define their own
   custom interactive mode rather than using the default one that the LDAP SDK
   provides.



   -

   Added a set of StaticUtils.linesToString convenience methods that can
   convert a list or array of strings to a single string that includes line
   breaks after each line.



   -

   Added a set of StaticUtils methods for obtaining all of the addresses
   associated with the network interfaces available on the system, and to get
   the canonical host names associated with those addresses.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._