You can subscribe to this list here.
| 2009 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
(4) |
Nov
(4) |
Dec
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2010 |
Jan
(10) |
Feb
|
Mar
(2) |
Apr
(4) |
May
(1) |
Jun
|
Jul
(13) |
Aug
(4) |
Sep
(1) |
Oct
(3) |
Nov
|
Dec
(13) |
| 2011 |
Jan
(1) |
Feb
(4) |
Mar
(25) |
Apr
(8) |
May
(14) |
Jun
|
Jul
(6) |
Aug
(6) |
Sep
(6) |
Oct
(12) |
Nov
(4) |
Dec
(4) |
| 2012 |
Jan
(5) |
Feb
|
Mar
(6) |
Apr
(6) |
May
(32) |
Jun
(16) |
Jul
(8) |
Aug
(6) |
Sep
(1) |
Oct
(3) |
Nov
(5) |
Dec
|
| 2013 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(12) |
Jul
(7) |
Aug
|
Sep
|
Oct
(9) |
Nov
(1) |
Dec
(4) |
| 2014 |
Jan
|
Feb
(2) |
Mar
|
Apr
(4) |
May
(57) |
Jun
(12) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(3) |
| 2015 |
Jan
|
Feb
(15) |
Mar
(7) |
Apr
(6) |
May
(5) |
Jun
(5) |
Jul
|
Aug
(3) |
Sep
(4) |
Oct
(3) |
Nov
|
Dec
(4) |
| 2016 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
(3) |
Jun
(1) |
Jul
|
Aug
(3) |
Sep
(14) |
Oct
|
Nov
|
Dec
|
| 2017 |
Jan
(2) |
Feb
(2) |
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
(7) |
Sep
(1) |
Oct
(4) |
Nov
|
Dec
(1) |
| 2018 |
Jan
(1) |
Feb
|
Mar
(1) |
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
|
Nov
(1) |
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
(1) |
Nov
(1) |
Dec
(1) |
| 2020 |
Jan
|
Feb
(1) |
Mar
(1) |
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
(3) |
Sep
|
Oct
|
Nov
|
Dec
(2) |
| 2021 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
(1) |
Nov
|
Dec
(1) |
| 2022 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
| 2023 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
(6) |
Jun
(1) |
Jul
(6) |
Aug
|
Sep
(1) |
Oct
(1) |
Nov
(1) |
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(3) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Neil W. <nei...@pi...> - 2022-05-09 15:46:13
|
We have just released version 6.0.5 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version: General Updates: - We fixed an issue that could occasionally cause the LDAP SDK to hide the actual cause of a StartTLS failure by using information from a second, less useful exception. - We fixed an issue that could cause the ldifsearch tool to display a malformed message when the first unnamed trailing argument was expected to be a search filter but could not be parsed as a valid filter. - We improved support for validating and comparing values using the telephone number syntax. Previously, we used a loose interpretation of the specification, which would consider any printable string (including strings without any digits) to be valid, and would only ignore spaces and hyphens when comparing values. You can now configure varying levels of strictness (either programmatically or using system properties), including requiring at least one digit or strict conformance to the X.520 specification. You can also configure it to ignore all non-digit characters when comparing values, and this is now the default behavior. - We fixed a bug in which the ldapcompare tool did not properly close its output file if one was configured. The output file does get automatically closed when the tool exits so it’s not an issue when running ldapcompare from the command line, but this can cause problems if the tool is invoked programmatically from another application. - We fixed an issue with the tool properties file created using the --generatePropertiesFile argument in command-line tools that support it. The generated properties file did not properly escape backslash, carriage return, line feed, or form feed characters. Updates Specific to Use With the Ping Identity Directory Server: - We added support for encoding controls to JSON objects, and for decoding JSON objects as controls. There is a generic JSON representation that will work for any type of control (in which the value is provided as the base64-encoded representation of the raw value used in the LDAP representation of the control), but most controls provided as part of the LDAP SDK also support a more user-friendly representation in which the components of the value are represented in a nested JSON object. - We added client-side support for a new JSON-formatted request control that can be used to send request controls to a Ping Identity Directory Server with the controls encoded as JSON objects rather than a raw LDAP representation. We also added support for a JSON-formatted response control that can be used to receive JSON-encoded response controls from the server. - We updated the ldapsearch and ldapmodify command-line tools to add a --useJSONFormattedRequestControls argument that will cause any request controls to be sent using a JSON-formatted request control, and it will cause any response controls returned by the server to be embedded in a JSON-formatted response control. - We fixed an issue with the way that the parallel-update tool created assured replication request controls when an explicit local or remote assurance level was specified. Previously, it would only specify a minimum assurance level without specifying a maximum level, which could cause the server to use a higher assurance level than requested by the client. - We updated the topology registry trust manager to allow trusting a certificate chain if either the peer certificate or any of its issuers is found in the server’s topology registry. Previously, it would only trust a certificate chain if the peer certificate itself was found in the topology registry, and having an issuer certificate was not sufficient. The former behavior is still available with a configuration option. - We updated the topology registry trust manager to make it possible to ignore the certificate validity window for peer and issuer certificates. The validity window is still respected by default, but if the trust manager is configured to ignore it, then a certificate chain may be trusted even if the peer or an issuer certificate is expired or not yet valid. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2022-03-16 16:53:08
|
We have just released version 6.0.4 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version: General Updates: - We fixed an issue with the Filter.matchesEntry method that could cause it to throw an exception rather than returning an appropriate Boolean result when evaluating an AND or an OR filter in which one of the nested elements used inappropriate matching (for example, if the assertion value did not conform to the syntax for the associated attribute type). - We fixed an issue with the way that decodeable controls are registered with the LDAP SDK. Under some circumstances, a thread could become blocked while attempting to create a new control. - We updated the JVM-default trust manager to properly check for the existence of a “jssecacerts” trust store file in accordance with the JSSE specification. It had previously only looked for a file named “ cacerts”. - We updated the logic used to select the default set of supported cipher suites so that it will no longer exclude suites with names starting with “SSL_” by default on JVMs with a vendor string that includes “IBM”. IBM JVMs appear to use the “SSL_” prefix for some or all cipher suites, including those that are not associated with TLS protocols rather than a legacy SSL protocol. We also added a TLSCipherSuiteSelector.setAllowSSLPrefixedSuites method that can be used to override the default behavior. - We updated the LDIF reader to support reading modifications with attribute values read from a file referenced by URL. This was previously supported when reading LDIF entries or add change records, but it had been overlooked for LDIF modify change records. - We updated the LDIF reader so that it no longer generates comments attempting to clarify the contents of base64-encoded values if the value is longer than 1,000 bytes. - We updated the documentation to include the latest versions of the draft-behera-ldap-password-policy, draft-coretta-x660-ldap, and draft-ietf-kitten-scram-2fa specifications. Updates Specific to Use With the Ping Identity Directory Server: - We added a new API for parsing access log messages generated by the server. The new API supports both text-formatted and JSON-formatted log messages, whereas the previous version only supported messages in the default text (“name=value”) format. - We updated the summarize-access-log tool (which can be used to perform basic analysis of server access log files) to add support for JSON-formatted log files. - We added support for retrieving and parsing X.509 certificate monitor entries. - We added client-side support for an administrative task that can cause the server to immediately refresh any cached certificate monitor data. The server will automatically refresh the cache every minute, but the task can be used to cause an immediate refresh. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2021-12-07 16:53:06
|
We have just released version 6.0.3 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version: General Updates: - We fixed an issue with the round-robin server set that could cause it to select some servers with a higher frequency than others in the event that one or more of the servers become unavailable. - We fixed a potential race condition that could leave a background Timer thread running if a connection was closed while waiting for a response to a request issued via the asynchronous API. - We fixed an issue in which the in-memory directory server could incorrectly include a matched DN in certain bind response messages. - We improved support for SSL/TLS debugging for SSLUtil operations when used in conjunction with the javax.net.debug system property. - We added methods to the JSONLDAPResultWriter class that can be used to encode entries, search result references, and LDAP results to JSON objects. - We added a CryptoHelper.inferKeyStoreType method that attempts to determine the key store type for a specified file that is expected to represent a JKS, PKCS #12, or BCFKS key store. - We added StaticUtils convenience methods for generating random bytes, integers, and strings, optionally using cryptographically secure random number generators. - We updated the documentation to add draft-melnikov-scram-bis <https://docs.ldap.com/specs/draft-melnikov-scram-bis-00.txt> and to update draft-melnikov-scram-sha-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-02.txt> and draft-melnikov-scram-sha3-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha3-512-02.txt> in the set of LDAP-related specifications. Updates Specific to Use With the Ping Identity Directory Server: - We fixed an issue that could cause the manage-account tool to fail if it receives a response with an unrecognized password policy state operation type. This is most likely to occur when the tool is communicating with a version of the Ping Identity Directory Server that does not correspond to the version of the manage-account tool. - We added client-side support for new extended operations that can allow for remote management of certificates in Ping Identity Directory Server instances. - We updated the AuthenticationFailureReason class to add additional failure reason values related to pass-through authentication. - We updated the TaskManager class to add methods for using LDAPInterface objects (including connection pools or Server SDK internal connections) as an alternative to LDAPConnection objects when interacting with administrative tasks. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2021-10-05 19:15:10
|
We have just released version 6.0.2 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version: - We fixed an issue in the JVM-default trust manager that could prevent it from properly trusting a certificate chain that should be considered valid through a cross-signed relationship, which may include certificates signed by the Let’s Encrypt service in some cases. Although the trust manager provided support for cross-signed certificates, that support would previously only be used if one or more of the certificates in the presented chain were outside of their current validity window. - We added the ability to use the tls-server-end-point channel binding type when authenticating with the GSSAPI SASL mechanism. This feature depends on the underlying JVM providing support for this channel binding type and will likely require Java 13 or later. - We fixed an issue in the in-memory directory server that could prevent it from returning search result references for smart referral entries within the scope of the search. It would previously only return references for smart referral entries that matched the search filter, but will now return references for any smart referral entry within the scope. - We updated the LDAP command-line tool framework to add a --defaultTrust argument that can be used to indicate that the tool should use a default set of non-interactive logic for determining whether to trust a presented certificate chain. This includes at least the JVM’s default trust store, but in tools that are part of a Ping Identity server installation, it may also include the server’s default trust store and the topology registry. This is the same logic that tools would previously use when invoked without any trust-related arguments, with the exception that it will not interactively prompt about whether to trust the presented chain if it cannot be trusted through any of the default mechanisms. As such, it is more suitable for use in scripts that are intended to run in non-interactive settings. - We updated the documentation to include the latest revision of draft-ietf-kitten-password-storage <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-07.txt> in the set of LDAP-related specifications. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2021-09-02 17:42:06
|
We have just released version 6.0.1 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version: - We added a new ldap-diff command-line tool that can be used to compare the contents of two LDAPv3 servers. Any differences identified will be written to a specified file as LDIF change records that may be used to update the source server to match the target server. The tool attempts to minimize the memory required to perform the comparison, and it can use multiple passes to avoid potential false positives that result from delays in replication or changes made while the tool is running. - We updated the ldifsearch tool to provide support for presenting the results in alternative output formats. It now supports the same formats as ldapsearch, including LDIF, JSON, CSV (single-valued and multi-valued), tab-delimited text (single-valued and multi-valued), DNs only, and values only. - We updated the LDIF reader to make it possible to customize the size limit that it imposes for values read from a file referenced by URL. This limit is a safety feature that prevents consuming too much memory when encountering a reference to a very large file, but the size limit was previously hard-coded to be 10 megabytes. That is still the default, but it’s now possible to use the com.unboundid.ldif.LDIFReader.maxURLFileSizeBytes system property to set an alternative limit. - We augmented the LDAP SDK’s debugging support to make it possible to automatically have debug messages written to a file specified by the com.unboundid.ldap.sdk.debug.file system property. This is intended to be used in conjunction with other debugging-related system properties to enable support for debugging in existing applications without the need for a code change. - We lowered the debug level for exception messages that may be logged as a result of a SocketTimeoutException that is caught internally in the course of trying to determine whether a connection in a connection pool is still valid. This is a completely normal condition that was previously inadvertently logged at a WARNING level. This could potentially mislead people into thinking that it’s a problem, or at the very least make it harder to find debug messages that are actually important. It is now logged at the FINEST level, so it will only be visible at the highest level of verbosity. - We updated support for the Ping Identity Directory Server’s matching entry count control to make it possible to request extended response data, including whether the search is fully indexed, whether identified candidate entries are known to be included in the scope of the search, and any remaining portion of the filter that was not used in the course of building the set of candidate entries. - We updated support for the Ping Identity Directory Server’s generate profile administrative task to clarify that all included paths must be relative rather than absolute. Those paths will be treated as relative to the server root, and relative paths that reference portions of the filesystem outside the server root will not be allowed. - We updated the documentation to include the latest revision of draft-coretta-x660-ldap <https://docs.ldap.com/specs/draft-coretta-x660-ldap-07.txt> in the set of LDAP-related specifications. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2021-05-28 20:15:27
|
We have just released version 6.0.0 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav> . One of the biggest changes that we’ve made in this release is that we’ve deprecated support for the TLSv1 and TLSv1.1 protocol versions in accordance with RFC 8996 <https://www.ietf.org/rfc/rfc8996.txt>. By default, the LDAP SDK will prefer using TLSv1.3, but it can fall back to using TLSv1.2 if the newer protocol is not supported by the client JVM or by the directory server. The older TLSv1 and TLSv1.1 protocol versions can still be enabled if necessary (either programmatically or by setting system properties), but given that they are no longer considered secure, and given that TLSv1.2 became an official standard over twelve years ago, the far better option would be to use a directory server release from sometime in the last decade. We have also updated the set of TLS cipher suites that the LDAP SDK will use by default. The default set of enabled cipher suites no longer includes those that rely on the SHA-1 message digest algorithm (which is no longer considered secure) or those that rely on RSA key exchange (which doesn’t support forward secrecy and could allow an observer to decrypt the communication if the server certificate’s private key becomes compromised; note that deprecating RSA key exchange doesn’t affect the ability to interact with servers that use certificates with RSA key pairs). If necessary, you can override the set of cipher suites that the LDAP SDK uses by default, either programmatically or with system properties. You can find complete release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html. Other notable changes in this release include: - We fixed an issue that could cause the LDAP SDK to use the set of TLS cipher suites enabled in the JVM by default rather than a recommended set identified by the LDAP SDK itself. This could potentially result in using weaker encryption for secure connections. - We updated the logic that the LDAP SDK uses when deciding which characters to escape when generating the string representation of a DN or RDN. Previously, it would always escape all non-ASCII characters. Now, the LDAP SDK will no longer escape non-ASCII characters that it believes are displayable (including the Unicode letter, number, punctuation, and symbol character types). If desired, you can override this behavior either programmatically or with a system property. - We updated the logic that the LDAP SDK uses when deciding which data should be base64-encoded when generating the LDIF representation of an entry. Previously, it would not always base64-encode data with ASCII control characters (other than NUL, LF, and CR, which must always be base64-encoded). Now, it will always base64-encode values with ASCII control characters by default. It can also be configured to optionally not base64-encode values with non-ASCII characters (which technically violates the LDIF specification but may be useful when displaying to an end user). You can override the LDAP SDK’s base64-encoding strategy either programmatically or with a system property. - We updated the LDIF reader to make it possible to disable support for parsing LDAP controls. By default, the LDAP SDK supports LDIF change records that include LDAP controls as described in RFC 2849 <https://docs.ldap.com/specs/rfc2849.txt>. However, this can cause a problem in a rare corner case if a record represents an entry rather than a change record and the first attribute in the LDIF representation of that entry is named “control”. If you attempt to read that record as a generic LDIF record or as a change record with defaultAdd set to true (rather than reading it specifically as an entry), then the LDIF reader will attempt to parse that attribute as an LDIF control. If you have LDIF records that represent entries in which the first attribute may be named “ control”, if you are reading them as generic LDIF records or as LDIF change records with defaultAdd set to true, and if you don’t have any LDIF change records that legitimately do include LDAP controls, then you can update the LDIF reader to disable support for controls so that it will interpret a leading “control” element as an attribute rather than a change record with a control. - We updated PKCS11KeyManager to make it easier to use certificate chains stored in PKCS #11 tokens without needing to alter the JVM configuration. Previously, if you wanted to use PKCS #11, you either had to modify a configuration file within the JVM installation (which may not always be feasible), or you had to write your own code to load the provider before trying to use the key manager. You can now supply a provider configuration file when creating a PKCS #11 key manager, and it will ensure that the necessary provider is loaded and registered with the JVM. - We updated the manage-certificates tool to support interacting with PKCS #11 tokens. Previously, the tool only supported certificates in JKS, PKCS #12, and BCFKS key stores. When using a PKCS #11 token, you must use the --keyStore argument with a value that is the path to the provider configuration file and the --keyStoreFormat argument with a value of PKCS11. - We updated the manage-certificates tool to add a new copy-keystore subcommand with support for copying some or all of the information in one key store to another key store of the same or a different type. This can allow you to merge key stores or convert a key store from one type to another (for example, JKS to PKCS #12). - We updated the manage-certificates tool to add optional --output-file and --output-format arguments to the generate-self-signed-certificate subcommand. This allows you to generate and export a self-signed certificate in one step rather than requiring a separate command to export a certificate after generating it. - We updated the manage-certificates tool to allow interacting with BCFKS key stores even when the LDAP SDK is not operating in FIPS 140-2-compliant mode. Note that the necessary FIPS-compliant Bouncy Castle libraries must already be in the classpath. - We updated the manage-certificates tool to display the key store type when using the list-certificates subcommand. - We updated the in-memory-directory-server command-line tool to add a new --doNotGenerateOperationalAttributes argument that will prevent the server from maintaining operational attributes like entryDN, entryUUID, subschemaSubentry, creatorsName, createTimestamp, modifiersName, and modifyTimestamp. - We updated the FileArgument class to provide better support for interacting with files that are potentially encrypted or compressed. The getFileLines, getNonBlankFileLines, and getFileBytesMethods have been updated so that they can transparently handle reading from gzip-compressed files. Further, for tools that are running as part of a Ping Identity Directory Server installation, they can transparently handle reading from files that are encrypted with a key from the server’s encryption settings database. Also, a new getFileInputStream method has been provided that can retrieve an input stream to use when reading from the target file, including cases in which the file is compressed or encrypted. - We added a new ThreadLocalSecureRandom class that can be used to maintain a set of per-thread SecureRandom instances that can be used without concerns around synchronization or contention. - We updated the documentation to include the latest revisions of the draft-coretta-x660-ldap, draft-ietf-kitten-password-storage, and draft-melnikov-scram-2fa drafts in the set of LDAP-related specifications. Changes specific to running in FIPS 140-2-compliant mode include: - We have updated the LDAP SDK so that it will use the Bouncy Castle FIPS-compliant SecureRandom instance in hybrid mode, which helps reduce the chance that it will encounter severe performance issues as a result of depleted entropy on the underlying system. However, in some cases, it may still be necessary to either use a hardware random number generator or a software entropy supplementing daemon (like rngd) to prevent blocking due to a lack of entropy. - We have updated the LDAP SDK to make it possible to customize the set of providers that will be allowed when running in FIPS 140-2-compliant mode. You can perform this customization programmatically or with a system property. - We have updated the command-line tool framework to check whether the LDAP SDK is running in FIPS 140-2-compliant mode upon invoking the tool constructor. This can help prevent cases in which the tool may inadvertently perform operations with a non-FIPS-compliant provider. Changes specific to using the LDAP SDK in conjunction with the Ping Identity Directory Server include: - We updated the collect-support-data tool to allow using the --keyStoreFormat and --trustStoreFormat arguments when invoking the server-side version of the tool. Previously, you could only use these arguments in conjunction with the --useRemoteServer argument. This change only applies when using the 8.3.0.0 or later release of the Ping Identity Directory Server. - We added client-side support for a new administrative task that can be used to safely remove an object class definition from the server schema. The task will ensure that the object class is not in use before attempting to remove it, and it will clean up any references to the object class that may no longer be necessary (for example, in a backend’s entry compaction dictionary). -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2021-03-23 19:14:21
|
We have just released version 5.1.4 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav> . The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html> contain a more complete overview of the changes included since the 5.1.3 release, but here’s a quick overview: - We fixed an issue with the fewest connections and round-robin server sets that could cause them to leave a background thread running if one of the servers it had been using goes away permanently. - We updated the TLS cipher suite selector to improve compatibility with JVMs (like the one provided by IBM) that use an “SSL_” prefix for all cipher suite names, rather than using “TLS_” for suites associated with the TLS protocol and only using “SSL_” for suites associated with legacy SSL protocols. - We have updated the TLS cipher suite selector to improve the order in which it returns the names of the recommended suites. - We have added new key and trust manager implementations that can use X.509 certificates and PKCS #8 private keys read from PEM files. We have also added new utility classes for reading certificates and private keys from PEM files. - We updated the LDAP SDK to support running in a FIPS 140-2-compliant mode using the Bouncy Castle FIPS provider (and the associated JSSE provider). The Bouncy Castle libraries are not provided as part of the LDAP SDK, but if they are separately obtained and included in the classpath, then the LDAP SDK can be configured to operate in a FIPS-compliant manner. - We have updated the manage-certificates tool to support managing certificates in BCFKS (the Bouncy Castle FIPS-compliant key store format) files. - We have updated the TLS cipher suite selector to exclude suites that rely on the SHA-1 digest algorithm from the recommended set of suites when running in FIPS-compliant mode. - We improved an error message that could be used in an exception if a connection becomes invalid in the course of trying to send a request to the server. - We updated the ldifmodify command-line tool to allow ignoring duplicate attempts to delete the same entry, and attempts to delete or modify entries that do not exist in the LDIF file. - We have updated support for the proprietary get user resource limits request control to allow clients to request that the server not return information about the user’s group membership in the response control. This can help improve performance when using the control, especially in servers with large numbers of dynamic groups. - We have updated the LDAP SDK documentation to include the latest versions of draft-coretta-x660-ldap and draft-ietf-kitten-password-storage in the set of LDAP-related specifications. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-12-10 21:27:16
|
We have just released version 5.1.3 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav> . The biggest change in this release addresses an issue in the LDAP listener framework (including the in-memory directory server). The listener did not adequately protect against the case in which a malicious or errant client could send an LDAP request encoded as an ASN.1 BER sequence with a very large value length, which could result in the listener attempting to allocate up to two gigabytes of memory. The LDAP listener framework will now impose a maximum request size of 20 megabytes by default, which is the same as the default maximum size that the LDAP SDK will impose for responses read from a directory server. The maximum request size can be configured using the InMemoryDirectoryServerConfig.setMaxMessageSizeBytes method when using the in-memory directory server, or using the LDAPListenerConfig.setMaxMessageSizeBytes method when using the more general LDAP listener framework. Other changes since the 5.1.2 release include: - We have updated OID support to add methods for interacting with object identifiers in a hierarchical manner. It is now possible to create a new OID that is a child of a provided OID with a given subordinate component value. You can also get the parent for a provided OID and determine whether one OID is an ancestor or descendant of another. - We have updated the oid-lookup tool to add a new --exact-match argument that will cause it to only return items in which the OID, name, type, origin, or URL exactly matches the provided search string. The tool continues to use substring matching by default. - We have updated the ldap-result-code tool to add a new --output-format argument that allows you to customize whether the output should be formatted as a human-readable table, comma-separated values, tab-delimited text, or JSON objects. It will continue to format result codes in a table by default. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-12-02 18:54:15
|
We have just released version 5.1.2 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html> provide a pretty comprehensive overview of what’s changed since the 5.1.1 release, but here’s a summary: Server-Agnostic Updates - We added a new parallel-update command-line tool that can be used to apply changes read from an LDIF file against an LDAP server using multiple concurrent threads. - We updated the ldapmodify and ldapdelete tools so that they will now default to retrying failed operations on a newly established connection if the failure suggests that the connection made for the initial attempt is no longer valid. This was previously available through the --retryFailedOperations argument, but it is now the default behavior, and a --neverRetry argument can be used if retry support is not wanted. - We added a new OIDRegistry class that provides a registry of object identifiers used in LDAP, including things like schema elements, controls, extended operations, and other sources. Each item in the registry has a name, an OID, and a type, and it may also have an origin string and a URL that may be used to retrieve additional information about the item. - We added a new oid-lookup command-line tool that can be used to search the OID registry to find items with a given OID, name, type, or other content. - We added a new ldap-result-code command-line tool that can be used to list all defined result codes and search for result codes with a given name or integer value. - We updated the LDAP listener framework and the in-memory directory server to support mutual TLS authentication, in which the server requests a certificate chain from the client and validates any chain that the client provides. - We updated the logic used to generate temporary self-signed certificates for use by the in-memory-directory-server and ldap-debugger command-line tools so that the certificates will be more acceptable to a wider range of clients. The certificate will now only be valid for one year, as some TLS clients balk at peer certificates with very long lifetimes. The subject alternative name extension will also default to only using canonical host names and IP addresses that are associated with non-loopback interfaces. - We added a new argument value validator that can be used to restrict command-line argument values to those that represent valid DNS host names. It can optionally accept or reject values that are numeric IP addresses, can accept or reject unqualified host names, and can accept or reject unresolvable host names. - We added a new SASLClientBindHandler class that can be used to invoke SASL bind operations that use a javax.security.sasl.SaslClient object to perform the actual SASL processing. We also added an LDAPConnection.applySASLSecurityLayer method that can be used to add a security layer that has been negotiated with a SaslClient to an established, clear-text connection. - We updated the HostNameSSLSocketVerifier to automatically trust any certificate when the client used a loopback IP address (not a host name, even if that name is associated with a loopback interface) as the address for the server. This is in accordance with the W3C Secure Contexts Candidate Recommendation <https://www.w3.org/TR/secure-contexts/>, section 3.2. - We updated the HostNameSSLSocketVerifier and TrustAllSSLSocketVerifier classes to implement the javax.net.ssl.HostnameVerifier interface. - We updated the LDIF writer to improve human readability for the comments that it can automatically add for base64-encoded values. - We updated the manage-certificates command-line tool to add support for a new retrieve-server-certificate subcommand, which will retrieve the certificate chain from a specified server and optionally write a PEM-encoded or DER-encoded representation of the certificate(s) to a specified file. - We fixed an issue with the manage-certificates trust-server-certificate command that only caused it to wait for 60 milliseconds rather than the intended 60 seconds when trying to establish a connection to the target server. - We updated ldapsearch to add a new “dns-only” output format. If this format is selected, then the output will contain only the DNs of matching entries. - We updated support for the OAUTHBEARER SASL mechanism to make it possible to include arbitrary key-value pairs in the SASL credentials. - We fixed an issue in the command-line tool framework that affected tools that provide support for automatically writing the output to a file. The output file was never explicitly closed, which could cause problems in cases where the tool was invoked programmatically, and then an attempt was made to subsequently use the output from code in the same JVM. - We added a new StaticUtils.isIANAReservedIPAddress method that can be used to determine whether a provided IPv4 or IPv6 address is contained in an IANA-reserved range. - We updated the ChangeLogEntry class so that it will fall back to using the includedAttributes attribute if the deletedEntryAttrs attribute does not exist in changelog entries that represent a delete operation. - We updated the LDAP SDK’s support for passphrase-based encryption to make it possible to explicitly specify the type of cipher that should be used. Previously, you could only request either a baseline level of protection (which should be available in all supported Java versions) or the strongest supported level of protection (which might not be available in some JVMs) - We added a new X.509 trust manager that will never trust any certificate chain. This is primarily intended for testing purposes. - We updated the documentation to include the latest versions of the draft-melnikov-scram-sha-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-01.txt>, draft-melnikov-scram-sha3-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha3-512-01.txt>, and draft-ietf-kitten-password-storage <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-02.txt> drafts in the set of LDAP-related specifications. Updates Specific to the Ping Identity Directory Server - We added client-side support for a new ds-pwp-modifiable-state operational attribute that can be used to retrieve and manipulate a select set of password policy state information in a user’s entry. - We added support for a new “remove attribute type” administrative task that can be used to safely remove an attribute type definition from the server schema. - We added client-side support for interacting with passwords encoded with the new AES256 password storage scheme. - We updated the Filter.matchesEntry method to add limited support for extensible matching filters that contain both an attribute type and a matching rule ID, when the dnAttributes flag is not set, and when the matching rule ID targets the jsonObjectFilterExtensibleMatch matching rule. - We updated the uniqueness request control to make it possible to indicate whether the server should raise an administrative alert if it detects a conflict during the post-commit validation phase. - We updated the uniqueness request control to make it possible to indicate that the server should create a temporary conflict prevention details entry before beginning pre-commit processing as a means of better preventing conflicts that arise from concurrent changes in different servers. - We deprecated support for interactive transactions, whose use has been discouraged for many releases, and for which server-side support is being removed. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-08-28 15:07:39
|
I answered this question on GitHub ( https://github.com/pingidentity/ldapsdk/issues/92), but here’s my response: It is very unlikely that you actually want to do this. The LDAP simple bind operation (which I assume is what you’re using) expects the password to be provided in the clear and without any kind of transformation. This is also true of the PLAIN SASL mechanism. Some other SASL mechanisms, like CRAM-MD5, DIGEST-MD5, and the SCRAM mechanisms, send a digest generated from the password and other information, but even in those cases, you should provide the password to the bind request in the clear-text, unencoded form and let the LDAP SDK generate the proper encoded representation. When an LDAP client sends the bind request to the server, the password (like other LDAP values) is transmitted as an ASN.1 BER octet string. This holds the raw bytes that comprise the password. LDAP generally expects strings to be converted to bytes using the UTF-8 character encoding, and if you provide the password to the LDAP SDK as a string, then the bind request that it sends to the server will contain the bytes for the UTF-8 representation of that password. In the event that you actually need to use some other character encoding, or if the password includes bytes that can’t be represented in a UTF-8 string, then you should provide the password as a byte array rather than as a string when creating the bind request. Even though the LDAPConnection.bind method that takes a bind DN and password only allows you to provide the password as a string, there is a second version of the LDAPConnection.bind method that takes a BindRequest object. You’re almost certainly using an LDAP simple bind, so you should create a SimpleBindRequest object to pass to the LDAPConnection.bind method, and SimpleBindRequest does allow you to provide the raw bytes that comprise the password. Another possibility is that you’re getting confused by seeing the password in an encoded form when you retrieve the entry from the server. There are two potential reasons for this: - Most directory servers don’t actually store the password in the clear. Instead, they encode the password using some scheme in an attempt to prevent attackers from discovering the clear-text value if they happen to gain access to the server data. This encoding generally uses either a one-way algorithm or reversible encryption, and the output of that algorithm is very likely a sequence of bytes that don’t represent a string, so it’s very common for the encoding algorithm to base64-encode the result so that it is easier to represent if the encoded password needs to be displayed as text. However, if the server does automatically encode passwords when it’s storing them, you still need to provide the password in the clear-text, unencoded form when binding. The server will take the appropriate steps to determine whether that clear-text password can be used to generate the encoded form that it stores. - Even if the directory server actually does store the password in the clear without any encoding, if you retrieve the entry in LDIF form (for example, using a tool like ldapsearch), then you might see it represented in base64. That’s because LDIF itself has rules that may require values with special characters to be represented in base64-encoded form. If that’s the case, then you’ll see two colons between the attribute name and value rather than just one. Note, however, that while LDIF is a text-based representation of LDAP data, LDAP doesn’t actually use LDIF when transferring requests and responses between the client and the server. So just because you see a base64-encoded value when you’re looking at the LDIF representation of an entry, that doesn’t mean that you need to use the base64-encoded representation of that value when including it in an LDAP request. In the unlikely event that you do actually need to base64-encode the password before including it in the bind request (either because the server you’re using uses a nonstandard behavior, or perhaps more likely because the password was inadvertently base64-encoded before it was originally written to the server), then you can do that using the com.unboundid.util.Base64 class. The Base64.encode method will allow you to base64-encode the contents of a string or a byte array, and then you can try providing that resulting string as the password for the bind request. On Fri, Aug 28, 2020 at 8:58 AM John Dev <jo...@gm...> wrote: > Hey, > > we are facing the issue that we have all kinds of special characters in > passwords and the need to encode those in base64. > Any idea how we can use the UnboundID LDAP SDK with base64 encoded > passwords? > The LDAPConnection.bind class doesn’t support it. > > Thanks, > John > > _______________________________________________ > ldap-sdk-discuss mailing list > lda...@li... > https://lists.sourceforge.net/lists/listinfo/ldap-sdk-discuss > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: John D. <jo...@gm...> - 2020-08-28 07:15:43
|
Hey, we are facing the issue that we have all kinds of special characters in passwords and the need to encode those in base64. Any idea how we can use the UnboundID LDAP SDK with base64 encoded passwords? The LDAPConnection.bind class doesn’t support it. Thanks, John |
|
From: Neil W. <nei...@pi...> - 2020-08-25 20:13:24
|
We have just released version 5.1.1 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html> provide a pretty comprehensive overview of what’s changed since the 5.1.0 release, but here’s a summary: Server-Agnostic Updates - We have added new @NotNull and @Nullable annotation types and updated the entire LDAP SDK codebase to mark all non-primitive fields, parameters, and method return values to indicate whether they may be null. These annotations will appear in the generated Javadoc documentation <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html>, and they will also be available at runtime for introspection by IDEs and other tools. - We have improved the logic used to validate certificate hostnames. The LDAP SDK now does a better job of handling hostnames with wildcards, and it does a better job of handling cases in which the connection was established with an IP address rather than a hostname. There is also an option to indicate whether to treat a certificate’s subject alternative name extension (if present) as the only authoritative source of allowed hostnames or to also allow looking at the CN attribute in the certificate subject DN even if the certificate contains a subject alternative name extension. - We fixed an issue that could prevent command-line tools that support subcommands from performing all appropriate validation when running in interactive mode. The command-line tool’s interactive mode framework neglected to perform required, dependent, and exclusive argument set validation for the selected subcommand, which could cause the tool to run with an inappropriate set of arguments. - We fixed issues in the code used to format strings in the comma-separated values (CSV) format. Previously, all ASCII control characters and all non-ASCII characters were silently dropped from the output. They are now included, but the value will be in quotes (and may span multiple lines if the value to format includes line breaks). Further, it had previously used the backslash character to escape any double quotes in the data (\"), but RFC 4180 <https://tools.ietf.org/rfc/rfc4180.txt> indicates that each double-quote character should be escaped by preceding it with another double quote character (""). The LDAP SDK now uses the RFC-specified behavior as the default, but it is possible to fall back to the former backslash-based encoding if desired or needed for backward compatibility. - We updated ldapsearch to add multi-valued-csv and multi-valued-tab-delimited output formats. The existing csv and tab-delimited output formats only include the first value for multi-valued attributes, while the multi-valued variants use the vertical bar character (|) as a delimiter between values. - We updated the ldappasswordmodify command-line tool to default to using the password modify extended operation if it is unable to retrieve the server’s root DSE while attempting to determine which method to use to change the password. The tool would previously exit with an error if the --passwordChangeMethod argument was not provided and it couldn’t retrieve the root DSE to determine an appropriate method. - We updated the authrate command-line tool so that the --filter argument is not required if the --bindOnly argument is provided. - Updated the ldapcompare tool so that it always uses an exit code of zero (corresponding to the LDAP success result code) by default if all compare operations are processed successfully, regardless of whether the assertions matched or did not match the target entries. Previously, the tool would use an exit code of 5 or 6 (corresponding to the LDAP compareFalse and compareTrue result codes, respectively) if only a single compare assertion was processed and completed with the corresponding result code. However, returning a nonzero exit code by default can cause problems with scripts that invoke the tool and expect that a nonzero result code indicates that an error occurred. The new --useCompareResultCodeAsExitCode argument can be used to request the previous behavior. - We updated the ldapcompare tool to allow reading the raw assertion value from a file. If this option is used, then the attribute name or OID should be followed by a colon, a less-than sign, and the path to the file from which the value should be read (for example, “ cn:</path/to/asserted-cn-value.txt”). If this option is used, then the exact bytes of the file (including line breaks) will be used as the assertion value for the compare operation. - We updated the ldifsearch tool so that all non-LDIF output is written as LDIF comments (preceded by the octothorpe character, #) so that it will not interfere with the ability to parse the remaining output as LDIF. - We added support for the OAUTHBEARER SASL mechanism, as described in RFC 7628 <https://docs.ldap.com/specs/rfc7628.txt>. - We updated the LDAP command-line tool framework to add support for authenticating with additional SASL mechanisms, including OAUTHBEARER, SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512. - We fixed issues with the ldifsearch, ldifmodify, and ldif-diff tools that could arise if they were run in a manner that would cause the output to be both compressed and encrypted. The tool incorrectly attempted to compress the output after it was encrypted rather than before, making the compression ineffective and the output incompatible with tools that expect compression to be applied before encryption. - We fixed an issue with the ldifsearch tool that could prevent it from properly finalizing the output when using compression or encryption, potentially leaving buffered data unwritten. - We fixed an issue with the ldifmodify tool that caused it to use a nonzero exit code if it was only used to add new entries to a previously empty source LDIF file. - We updated the ldifmodify tool to use lenient mode by default when applying modifications. It would previously reject attempts to add attribute values that already existed or remove attribute values that do not exist, but this could cause problems with applications that did not expect this behavior, as a legacy version of the tool used lenient mode by default. A new --strictModifications argument has been added that can request the strict validation mode if desired. - We updated the LDAP SDK’s command-line tool framework so that when displaying an example command that is split across multiple lines, it will use an appropriate continuation character for the underlying platform. It previously always used the backslash character (\), which is correct for UNIX-based systems, but it will now use the caret character (^) when running on Windows systems. - We fixed an issue with the ldifsearch tool that caused its usage output to include example arguments and descriptions intended for use with the ldif-diff tool. - We fixed an issue in the manage-certificates tool usage output that caused the generate-certificate-signing-request subcommand’s --key-size-bits argument to use the wrong description. - We updated the documentation to include the latest versions of the draft-kitten-gss-sanon <https://docs.ldap.com/specs/draft-ietf-kitten-gss-sanon-01.txt>, draft-melnikov-scram-2fa <https://docs.ldap.com/specs/draft-melnikov-scram-2fa-01.txt>, and draft-melnikov-scram-sha3-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-00.txt> drafts in the set of LDAP-related specifications. Updates Specific to the Ping Identity Directory Server - We added support for a new “get recent login history” control that can be included in a bind request to indicate that the bind response (if authentication was successful) should include information about other recent successful and failed authentication attempts for that user. The ldapsearch and ldapmodify commands have been updated to provide support for this control. We also updated support for the password modify extended operation, the manage-account command-line tool, and the ds-pwp-state-json virtual attribute to provide support for retrieving a user’s recent login history. - We updated support for the password modify extended operation, the manage-account tool, and the ds-pwp-state-json virtual attribute to provide support for retrieving state information about password validation performed during bind operations, including the time that validation was last performed and whether the account is locked because the bind password failed validation. - We updated support for the ds-pwp-state-json virtual attribute to provide support for retrieving information about the quality requirements that the user’s password must satisfy. - We updated the set of potential authentication failure reasons to include an additional failure type for cases in which a password used in a bind request failed to satisfy one or more of the configured password validators. - We added a new password policy state account usability error that may be used if an account is locked because the user attempted to authenticate with a password that failed to satisfy one or more of the configured password validators. - We added a new password policy state account usability warning that may be used if an account contains a password that is encoded with a deprecated password storage scheme. - We updated the collect-support-data tool to add the ability to specify the amount of data to capture from each log file to be included in the support data archive. We have also updated client-side support for the administrative task and extended operation that may be used to invoke collect-support-data processing against a remote server to include support for the new arguments. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-06-03 15:54:19
|
UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk> version 5.1.0 has been released and is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, and it is available in the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. The release notes <https://docs.ldap.com/ldap-sdk/docs/release-notes.html> provide a pretty comprehensive overview of the changes since the previous 5.0.1 release, but here’s a summary: - We fixed an issue in which the JVM-default trust manager did not always correctly handle cross-signed issuer certificates when the presented chain included an expired issuer certificate. It will now check to see if it can build a valid path with an alternate trust anchor. - We added a new SchemaValidator class that can identify all kinds of problems with LDAP schema definitions. We also provide a new validate-ldap-schema command-line tool that will examine definitions contained in one or more LDIF files and report any problems that it finds. - We updated the in-memory-directory-server command-line tool to validate any schema definitions provided through the --useSchemaFile argument. Even if there are problems, the server will still try to use that schema to the best of its ability (as was previously the case). The --doNotValidateSchemaDefnitions argument can be used to disable the new validation if it is not desired. - We added a new ldappasswordmodify command-line tool that can be used to perform a self password change or an administrative password reset. It supports the password modify extended operation (as described in RFC 3062 <https://docs.ldap.com/specs/rfc3062.txt>), and it can also change passwords using a regular LDAP modify operation or using an Active Directory-specific modification. - We added three new command-line tools for performing operations on data contained in LDIF files: - The ldifsearch tool can be used to identify entries that match a given set of search criteria. - The ldifmodify tool can be used to apply a set of add, delete, modify, and modify DN changes to LDIF data. - The ldif-diff tool can be used to identify differences between data in two provided LDIF files and report the differences in the form of LDIF change records. - We added a new version of the ldapcompare tool that can be used to perform LDAP compare operations in a directory server. The new version offers a lot of additional functionality like support for performing multiple compare assertions and using a variety of request controls, and it can generate parseable output in tab-delimited text, CSV, or JSON formats. - We updated the in-memory directory server to make it possible to add custom attributes to the root DSE. While it was already possible to replace the entire root DSE entry with a static entry, this new approach makes it possible to retain some dynamic content (for example, changelog-related attributes) while still customizing other attributes. - We made several changes in our support for entries with the ldapSubEntry object class: - We added a new RFC3672SubentriesRequestControl class with support for the LDAP subentries request control as described in RFC 3672 <https://docs.ldap.com/specs/rfc3672.txt>. - The LDAP SDK already had support for an alternate version of the control described in draft-ietf-ldup-subentry <https://docs.ldap.com/specs/draft-ietf-ldup-subentry-08.txt> through the SubentriesRequestControl class, but that class has been deprecated in favor of a new DraftLDUPSubentriesRequestControl class, which helps avoid confusion with the class that implements the RFC 3672 version of the control. The deprecated class is still fully functional and will be kept to preserve backward compatibility, but we recommend updating code that uses the old class for the sake of clarity. - The in-memory directory server has been updated with support for the RFC 3672 version of the control. It already had support for the draft-ietf-ldup-subentry version. - The in-memory directory server has been updated so that it will return entries with the ldapSubEntry object class if the filter includes an “(objectClass=ldapSubEntry)” component. - The ldapsearch command-line tool has been updated with support for the RFC 3672 version of the LDAP subentries control, using the new --rfc3672Subentries argument. It already had support for the draft-ietf-ldup-subentry version of the control through the --includeSubentries argument, and that argument is still available, but we now recommend using --draftLDUPSubentries instead for the sake of clarity. - We updated the ldapsearch tool to add a new “values-only” output format (as an alternative to the existing LDIF, tab-delimited text, CSV, and JSON output formats). If this output format is selected, then it will only output the values of the requested attributes without any entry DNs or attribute names. This can help extract raw attribute values from a directory server from a script without the need for any additional text processing. - We updated the ldapsearch tool to add a new --requireMatch argument. If this argument is provided and the search completes successfully but does not return any entries, then the tool will have an exit code of 94 (corresponding to the noResultsReturned result code) rather than zero. This argument does not have any visible effect on the output. - We updated the round-robin and fewest connections servers sets to expose the blacklist manager that they use to avoid trying to establish connections to servers that are believed to be unavailable. - We updated the manage-certificates tool to make it easier to list and export certificates from the JVM’s default trust store without needing to know the path to the appropriate file. - We improved the logic that the LDAP SDK uses when selecting ordering and substring matching rules for ordering operations involving attributes that are defined in the schema but whose definition does not specify an ordering matching rule. It will now try to infer an appropriate ordering matching rule from the equality matching rule before trying other alternatives like inferring a rule from the associated syntax or using a default rule. - We updated the LDAP command-line tool framework to make it easier and more convenient to communicate securely with the Ping Identity Directory Server (and other related server products). This includes: - We added a new TopologyRegistryTrustManager class that can use information in the server’s topology registry to determine whether to trust the certificates for instances in the topology. - If no trust-related arguments are specified when running the tool, it will now check the server’s default trust store and the topology registry to determine whether the presented certificate should be trusted. It will still also check the JVM’s default trust store, and it will still fall back to interactively prompting the user if the certificate cannot be trusted through other means. - We streamlined the process that LDAP command-line tools use to establish and authenticate connections when run in interactive mode. It will now recommend TLS encryption over unencrypted communication with a simplified set of arguments, and it will recommend simple authentication over unauthenticated connections. Further, when the tool is part of a Ping Identity Directory Server (or related server product) installation, it will read the configuration to determine the appropriate port to suggest when connecting to the server. - We made several improvements to the summarize-access-log tool that can be used to examine Ping Identity Directory Server access logs. These include: - You can now customize the maximum number of values to display for each item. It was previously hard-coded to use a limit of 20 values. If any values were omitted, then it will now tell you how many were left out. - You can now choose to de-anonymize the output to obtain the specific attribute values used in search filters and entry DNs (instead of displaying question marks as placeholders). - The output will now include information about the most common TLS protocols and cipher suites used for secure communication. - The output will now include the most common successful and failed bind DNs and the most common authentication mechanisms. - The output will now include the most common DNs used as alternate authorization identities (e.g., via the proxied authorization request control). - The output will now include the most common filters used for unindexed searches, the most common base DNs for searches with non-baseObject scopes, the filters for searches taking the longest to complete, and the most common filters for searches returning zero, one, or multiple entries. - When summarizing the most commonly invoked types of extended operations, the tool will now try to provide a human-readable name for the extended operation in addition to its OID. - We added client-side support for obtaining password policy state information from the Ping Identity Directory Server’s ds-pwp-state-json virtual attribute. - We added client-side support for the new populate composed attribute values and generate server profile administrative tasks in the Ping Identity Directory Server. - We added a new OID.parseNumericOID method that can be used to parse a provided string as a valid numeric object identifier, optionally performing strict validation. If the provided string does not represent a valid numeric OID, then the method will throw an exception with a message that explains the problem. - We improved the error messages generated for problems that may arise when parsing schema definitions. - We updated the schema parsing code so that it can now handle schema elements with a description value that is an empty string. Although empty descriptions (or other types of quoted strings) are not permitted in schema element definitions, some servers allow them. Empty descriptions are still not allowed by default, but that behavior can be overridden with a code change or a system property. - We added a new IA5 string argument value validator that can be used to require that the values of associated arguments are only permitted to contain ASCII characters. The manage-certificates tool has also been updated to provide better validation for certificate components that are required to be IA5 strings, including DNS names and email addresses in the subject alternative name extension. - We added support for encoding and decoding timestamps in the ISO 8601 format described in RFC 3339 <https://www.ietf.org/rfc/rfc3339.txt>. - We updated the LDAP command-line tool framework so that if the --help-sasl argument is used in conjunction with a --saslOption argument that specifies the name of the SASL mechanism, the output will only include help information for that mechanism. - We fixed a bug in the StaticUtils.isASCIIString method that caused it to only look at the lowest byte for each character in the provided string. - We added new ByteStringBuffer utility methods, including getting individual bytes or sets of bytes at a specified position, for determining whether the buffer starts with or ends with a given set of bytes, and for reading the contents of a file or input stream into the buffer. - We added new StaticUtils convenience methods for reading and writing files as bytes, strings, or lists of lines. - We added support for new password policy state account usability warning and notice types for the Ping Identity Directory Server. The new types can be used to indicate that the account has too many outstanding authentication failures, but that the server will take some other action (for example, delaying the bind response) instead of completely preventing authentication. - We fixed an issue in the LDAP SDK’s JSON-formatted debug logging support for debug messages containing exceptions with another exception as the underlying cause. - We fixed an issue with the command-line tool framework that could prevent it from setting an argument value from a properties file even though that same value would have been permitted if it had been provided directly on the command line. - We updated the default standard schema provided with the LDAP SDK to include additional attribute syntaxes, matching rule, attribute type, and object class definitions. - We updated the documentation to include draft-ietf-kitten-gss-sanon <https://docs.ldap.com/specs/draft-ietf-kitten-gss-sanon-00.txt>, draft-ietf-kitten-password-storage <https://docs.ldap.com/specs/draft-ietf-kitten-password-storage-00.txt>, and draft-melnikov-scram-sha-512 <https://docs.ldap.com/specs/draft-melnikov-scram-sha-512-00.txt> in the set of LDAP-related specifications. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-03-16 19:00:03
|
The UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk> is a fast, powerful, user-friendly, and completely free Java library for communicating with LDAP directory servers and performing other LDAP-related processing. We have just released version 5.0.1 of the LDAP SDK, and it is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, as well as from the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. The release notes are available online at https://docs.ldap.com/ldap-sdk/docs/release-notes.html. This is a minor release that was primarily created in service of an upcoming release of the Ping Identity Directory Server <https://www.pingidentity.com/en/platform/directory/directory-overview.html>, as it fixes an issue in a tool that only impacts that new release. Nevertheless, there are a couple of additional updates, so we’re making it publicly available. The changes over the previous 5.0.0 release include: - We added a new LDAP connection logger API that can be used to keep a record of processing performed by the LDAP SDK, including successful and failed connection attempts, operation requests and responses (including non-final responses like search result entries, search result references, and intermediate responses), and disconnects. The LDAP SDK includes a connection logger instance that formats messages as JSON objects, but it’s an extensible API, so you’re free to create your own implementation using whatever format you want. - We have updated the LDAP command-line tool framework to make it possible to specify the address of the target directory server(s) using either --host or --address as an alternative to the existing --hostname argument. - We fixed an issue that prevented the collect-support-data tool from running properly in local mode when using a secure connection (either SSL or StartTLS). This functionality only applies to an upcoming release of the Ping Identity Directory Server, so existing installations should not have been affected, and new installations will have the fix. - We made minor updates to the usage output for several command-line tools to improve wording and fix typos. We also fixed typos in other messages used throughout the LDAP SDK. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2020-02-27 19:04:19
|
The UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk> is a fast, powerful, user-friendly, and completely free Java library for communicating with LDAP directory servers and performing other LDAP-related processing. We have just released version 5.0.0 of the LDAP SDK, and it is available for download from GitHub <https://github.com/pingidentity/ldapsdk/releases> and SourceForge <https://sourceforge.net/projects/ldap-sdk/files/>, as well as from the Maven Central Repository <https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav>. The release notes are available online at https://docs.ldap.com/ldap-sdk/docs/release-notes.html. The most significant change in this new release is that the LDAP SDK is now available under the terms of the Apache License, Version 2.0 <https://github.com/pingidentity/ldapsdk/blob/master/LICENSE.md>, which is a very permissive OSI-approved open source license. Although it was already open source under the terms of the GNU GPLv2 <https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-GPLv2.txt> and LGPLv2.1 <https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-LGPLv2.1.txt>, the Apache License imposes fewer restrictions on how you can use the LDAP SDK. You are no longer required to offer to redistribute the source code (even if you want to use a modified version), and there’s no longer any concern about whether you need to keep the LDAP SDK jar file as a separate component. The Apache License is well respected and is often seen as more compatible and easier to use in non-open-source software than the GNU license, so we hope that this will make it easier to use in your applications, whether open source or proprietary. The LDAP SDK is still available for use under the terms of the GPLv2 and LGPLv2.1 (as well as the non-open-source UnboundID LDAP SDK Free Use License <https://raw.githubusercontent.com/pingidentity/ldapsdk/master/LICENSE-UnboundID-LDAPSDK.txt>), but we recommend that new users consider using it under the Apache License. Aside from adding the new license, we made several code changes in this release as well. They include: - The LDAP SDK offers an LDAPConnectionDetailsJSONSpecification <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/json/LDAPConnectionDetailsJSONSpecification.html> class that allows you to define a JSON file with all of the settings needed to create and authenticate individual LDAP connections or connection pools. We’ve updated this class so that it’s now possible to indicate that when establishing a connection that is secured with SSL or StartTLS, the LDAP SDK should automatically trust any certificates signed by an authority in the JVM’s default set of trusted issuers. This was already the default behavior if you didn’t provide your own trust store (or choose to blindly trust all certificates, which isn’t recommended for production use), but it’s now possible to use this option in conjunction with a provided trust store so that it’s possible to trust a certificate either through that trust store or through the JVM’s default set of trusted issuers. - The KeyStoreKeyManager <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/ssl/KeyStoreKeyManager.html> can be used to obtain a certificate from a key store file if one is needed during TLS negotiation. We have updated this class to provide an option to better validate that the key store can actually be used by this purpose with the settings that you provide. If you use this option and supply the alias of the certificate you wish to use, then the key manager will now verify that the alias exists in the key store, that it’s associated with a private key entry (as opposed to a trusted certificate entry, which only contains the public portion of a certificate and isn’t suitable for use if you need to present that certificate to the peer), and that all of the certificates in the chain are currently within their validity window. If you don’t specify a certificate alias, then the validation will make sure that the key store contains at least one private key entry in which all of the certificates in the chain are within their validity window. - The TrustStoreTrustManager <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/ssl/TrustStoreTrustManager.html> can be used in the course of determining whether to trust a certificate presented by a peer during TLS negotiation. We have improved performance and concurrency for this trust manager by eliminating unnecessary synchronization that forced interaction with the trust store to be single-threaded. - We fixed an issue that could interfere with GSSAPI authentication <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/GSSAPIBindRequest.html> if a JAAS login module configuration was loaded and cached by the JVM before the login attempt. In such cases, the cached configuration could be used instead of the one that was intended. - The LDAPDebuggerRequestHandler <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/LDAPDebuggerRequestHandler.html> can be used to log detailed information about LDAP requests and responses that pass through an application using the LDAP SDK’s LDAPListener <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/LDAPListener.html> framework (including the in-memory directory server <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/InMemoryDirectoryServer.html> and the ldap-debugger <https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldap-debugger.html> command-line tool). We fixed an issue that could cause messages to be held up in an internal buffer rather than immediately written out as soon as they’re logged. In some cases, this could significantly delay the appearance of these messages or could prevent them from being written out at all if the amount of data to be logged was never enough to fill that internal buffer. - We added a new JSONAccessLogRequestHandler <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/JSONAccessLogRequestHandler.html> to the LDAPListener framework. This can log information about requests and responses as JSON objects, which are both human-readable and machine-parseable. While the existing AccessLogRequestHandler <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/listener/AccessLogRequestHandler.html> produces output that can be parsed programmatically to some extent, it is more optimized for human readability. - The LDAP SDK offers debugging logging support <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/util/Debug.html> that can be helpful in diagnosing problems whose cause may not otherwise be readily apparent. Previously, the debug messages were logged in a form that was primarily intended to be human-readable rather than machine-parseable. They are now written in a JSON format that is both human-readable and machine-parseable. - The manage-certificates <https://docs.ldap.com/ldap-sdk/docs/tool-usages/manage-certificates.html> command-line tool provides a utility for interacting with certificate key and trust stores in the Java JKS format or the standard PKCS #12 format. When displaying detailed information about certificates in a key or trust store, the tool may not have been able to properly decode public key information for certificates with 384-bit elliptic curve public keys, and it also may not have been able to properly decode a subject alternative names extension that included one or more directoryName values. While it was still possible to display most of the information about the affected certificates, the updated version can now provide the full details about those elements. - The Ping Identity Directory Server <https://www.pingidentity.com/en/platform/directory/directory-overview.html> includes a collect-support-data utility that can be used to gather a variety of information from a server installation that can be very useful for troubleshooting problems, tuning performance and scalability, and better understanding the environment in which the server is running. Previously, this utility could only be invoked by logging into the system on which the server instance is running and running the command-line tool. We have now added a couple of additional mechanisms for running the utility. It can now be invoked via an administrative task <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/tasks/CollectSupportDataTask.html> (either as an individual event that is requested by a remote client or as a recurring task that runs on a regular basis) that will create the resulting support data archive in a specified location on the system (which may be a shared filesystem for easier exfiltration). It can also be invoked via an extended operation <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/extensions/CollectSupportDataExtendedRequest.html> that will run the tool and stream its output and the resulting support data archive back to the client in the form of intermediate response messages. Further, although the logic for actually collecting all of this support information remains in the server, we have added the collect-support-data <https://docs.ldap.com/ldap-sdk/docs/tool-usages/collect-support-data.html> command-line tool to the LDAP SDK so that it is easier to invoke the tool against a remote server without needing to install the server software on the client system. - The Ping Identity Directory Server provides a monitor backend that authorized clients can use to obtain a wealth of useful information about the state of the server, and the LDAP SDK includes support for retrieving and parsing the information in these monitor entries. We have updated the LDAP SDK’s support for the general monitor <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/monitors/GeneralMonitorEntry.html> (that is, the top-level “cn=monitor” entry) to make it easier to obtain information about the cluster with which the server is associated, the location of the server instance, and a unique identifier that was generated for the server when the instance was initially configured. - The LDAP SDK offers a Version <https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/Version.html> class that provides version information for the LDAP SDK, including the version number and information about the repository (e.g., the repository URL and revision ID) from which the LDAP SDK source code was obtained. This information was previously only offered as public static final constants, but referencing these constants from third-party applications could lead to unexpected behavior thanks to a “feature” of the Java compiler that will directly imbed the values of those constants (even if they come from a separate library) in the Java bytecode that it generates. This means that if your application references these LDAP SDK version constants and you compile it against one version of the LDAP SDK, then those version constants will be placed directly into the compiled bytecode. If you upgrade the LDAP SDK version that you use without recompiling your application (e.g., by just replacing the LDAP SDK jar file with a newer version), the code referencing the LDAP SDK version would still have the old values. To address this, we have updated the Version class to provide methods for obtaining the values of all the version constants. If you use these methods to obtain the values rather than referencing the constants directly, then you will always get the correct LDAP SDK version information even if you update the LDAP SDK without recompiling your application. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2019-12-13 16:10:29
|
We have just released version 4.0.14 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). The LDAP SDK release notes are available online at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes included in this release are as follows: - Fixed an issue in which LDAP URLs with consecutive percent-encoded bytes were not decoded correctly. - Fixed an issue that could cause the LDAP SDK to incorrectly handle data read from a server when the communication was protected with SASL integrity or confidentiality. Thanks to Boris Danilovich for reporting the problem and identifying the cause. - Fixed an issue that prevented the searchrate tool from running if neither a base DN pattern nor an LDAP URL pattern was provided. - Improved the logic that the LDAP SDK used when selecting the cipher suites to use when establishing a TLS-secured connection. Weaker suites are disabled, and the enabled suites are prioritized so that those offering forward secrecy and stronger encryption are preferred. - Added a new FullLDAPInterface that extends LDAPInterface and adds support for close, bind, and processExtendedOperation methods. The existing LDAPConnection, AbstractConnectionPool, and InMemoryDirectoryServer classes have been updated to implement this interface. - Added a new non-final MockableLDAPConnection class that makes it easier to mock an LDAPConnection instance. It implements FullLDAPInterface and wraps a provided LDAPConnection. If you create a MockableLDAPConnection subclass, then you may override any of the FullLDAPInterface methods to provide whatever logic you desire for them. Any non-overridden methods will invoke the corresponding method on the provided LDAPConnection instance. - Fixed a minor typo in the ldapsearch usage information -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2019-11-26 16:39:34
|
We have just released version 4.0.13 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). This is a minor update that is primarily intended to serve the upcoming Ping Identity Directory Server 8.0.0.0 release. The LDAP SDK release notes are available online at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes included in this release are as follows: - Added support for debugging connection pool interactions, including checking out and releasing connections, as well as establishing and closing connections for use in the pool. - Fixed an issue in the prompt trust manager that could cause it to incorrectly display a warning for some certificates with a basic constraints extension that included the optional path length constraint. - Updated the manage-certificates check-certificate-usability command to add an additional check to see whether the certificate at the root of the chain is found in the JVM’s default set of trusted issuer certificates. If it is not found, the tool will display a notice, but it will still complete with a success result. - Fixed an issue in manage-certificates that could prevent it from correctly showing the key agreement usage when displaying verbose information about a certificate with the key usage extension. - Fixed an issue that could prevent properly decoding an authority key identifier extension that included the optional authorityCertIssuer element in an X.509 certificate. - Made the ManageCertificates.readCertificatesFromFile method public so that it can be used outside of the LDAP SDK. This method can be used to read a set of PEM-encoded or DER-encoded X.509 certificates from a specified file. - Made the ManageCertificates.readCertificateSigningRequestFromFile method so that it can be used outside of the LDAP SDK. This method can be used to read a PEM-encoded or DER-encoded PKCS #10 certificate signing request from a file. - Updated the passphrase-encrypted output stream to provide an option to override the default key factory iteration count. - Updated support for the exec task to add an option to specify the path to use as the current working directory when invoking the specified command. Previously, the server would always use the server instance root directory, and that will still be the default if no alternate working directory is specified. - Added an additional StaticUtils.getEnvironmentVariable method variant that can be used to provide a default value that should be used if the specified environment variable is not set. - Added an additional StaticUtils.getStackTrace method variant that allows you to limit the number of stack frames to include from code before the call into the LDAP SDK. Also, updated StaticUtils.getExceptionMessage when invoked for a NullPointerException so that it now shows all frames from the LDAP SDK (and anything that the LDAP SDK calls), and up to three frames from the code before the call into the LDAP SDK. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2019-10-09 19:53:12
|
We have just released version 4.0.12 of the UnboundID LDAP SDK for Java <https://github.com/pingidentity/ldapsdk>. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). The LDAP SDK release notes are available at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes included in this release are as follows: - Fixed an issue in the write timeout handler that could prevent it from properly cleaning up a timer task object for a connection if an attempt to establish that connection failed. This regression, which was introduced in the 4.0.11 release, could lead to a gradual increase in memory consumption over time. - Updated the write timeout handler so that it will now shut down its background thread after all LDAP connections have been closed. - Fixed an issue with the JVM-default trust manager that could cause it to incorrectly abort TLS negotiation if the server presented only a partial certificate chain, and if the last certificate in that partial chain was not included in the JVM’s default set of trusted issuers but was signed by one of those issuers. - Corrected the result code used in the LDAPException that is thrown when attempting to parse a malformed schema element. We now use the correct INVALID_ATTRIBUTE_SYNTAX result code instead of the INVALID_DN_SYNTAX result code that had been used by mistake. - Fixed an issue in the way that the persistence framework constructed LDAP attributes for its internal processing. While it would have properly selected an appropriate matching rule based on the data type of the corresponding Java field when constructing attribute type definitions for inclusion in the server schema, it neglected to use that matching rule for client-side matching involving those attributes, but instead always used a default “case-ignore string” matching behavior. - Updated the manage-certificates tool to use the SHA-1 digest algorithm instead of 256-bit SHA-2 when generating the subject key identifier extension for certificates and certificate signing requests. This makes it possible to work around a limitation in Microsoft certificate authorities, which are apparently unable to handle CSRs with 256-bit subject key identifiers. - Fixed an issue in the search-and-mod-rate tool in which the search durations reported by the tool included not only the time required to process the search, but also the time required for the associated modify operations. Further, if the tool was configured to limit the rate at which modify operations would be attempted, the reported search durations could also include any wait imposed by the rate limiter. - Added client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512 SASL mechanisms. - Added client-side support for a “generate password” request and response controls. When included in an add request sent to the Ping Identity Directory Server, the request control indicates that the server should generate a password for the entry and return it to the client in the corresponding response control. The ldapmodify tool has been updated to provide support for this control. - Added client-side support for a “generate password” extended operation. When sent to the Ping Identity Directory Server, this operation will cause the server to generate one or more passwords that may be suggested to the end user when creating or updating a user entry. - Updated the transform-ldif tool to provide options to exclude LDIF records by change type, and to exclude LDIF records that do not have a changetype. - Updated the command-line argument parser to provide a better error message if the value the user provides to a string or Boolean value argument is not in the set of allowed values for that argument. The error message will now include a list of the allowed values. - Updated the command-line tool interactive mode processor so that when it prompts for a password, PIN, or other sensitive value that does not get echoed to the screen, it will now ask the user to confirm the value to help ensure that they entered it correctly. - Updated the command-line tool interactive mode processor so that when the user asks to see the set of arguments that will be used when running the tool, it will now display the full command rather than just listing the arguments. Further, if the command spans multiple lines, then all but the last line will now include a trailing backslash. This makes it more convenient to run the command non-interactively because it can simply be copied and pasted. - Updated the argument parser to provide a more convenient way to define mutually dependent argument sets, such that if any argument in the set is provided, then all of the other arguments will also be required. - Updated the argument parser to allow applications to define their own custom interactive mode rather than using the default one that the LDAP SDK provides. - Added a set of StaticUtils.linesToString convenience methods that can convert a list or array of strings to a single string that includes line breaks after each line. - Added a set of StaticUtils methods for obtaining all of the addresses associated with the network interfaces available on the system, and to get the canonical host names associated with those addresses. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2019-06-04 19:04:56
|
We have just released version 4.0.11 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). The LDAP SDK release notes are available at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but the changes included in this release are as follows: - Updated the round-robin and fewest connections server sets so that they can temporarily blacklist a server that was found to be offline or unavailable. If an attempt to create a connection to a server fails, or if that connection is found to be unacceptable for some reason (e.g., it does not pass the associated health check), subsequent connection attempts will avoid that server until a background thread determines that it is available again. Blacklisted servers will still be tried as a last resort if it is not possible to get an acceptable connection to a non-blacklisted server. These server sets will now use the blacklist by default, but that can be disabled programmatically through the constructor or by setting a system property before creating the server set. - Updated the round-robin and fewest connections server sets to improve concurrency. In previous implementations, these sets could only create one connection at a time, which could limit the rate at which connection pools using them could establish new connections. This is no longer the case, and any number of threads will be able to create connections in parallel using the server sets. This change also updated the ServerSet API to make it possible for a server set to be notified whenever a connection created with that set has been closed. - Added a new SubtreeDeleter utility class that can make it easier to delete a specified subtree, optionally including or excluding the base entry for that subtree. It provides a good client-side alternative to the subtree delete request control, which isn’t supported by all servers and can sometimes be problematic in servers that do support it. - Added a new ldapdelete command-line tool that can be used to delete entries from an LDAP directory server. The DNs of the entries to delete can be provided on the command line, read from a file, or read from standard input. Alternately, the server can search for and delete all entries matching one or more filters. It offers a number of options, including support for client-side and server-side subtree deletes, rate limiting, and a variety of standard and proprietary controls. - Improved the LDAP SDK’s protection against socket write attempts that block for an indefinite length of time. This is only likely to occur when sending a large number of asynchronous requests over a connection, and only in the case that the server stops reading requests from the client or if a networking problem prevents the request from reaching the server and prevents the client from receiving any information about that failure. - Added InMemoryDirectoryServer.applyChangesFromLDIF methods that can be used to read LDIF change records and apply them to data in the server. The changes will be applied atomically, and if any of them cannot be applied successfully, then the server data will remain unchanged. - Updated the searchrate utility to allow specifying the base DN, scope, filter, and requested attributes using LDAP URLs rather than using separate arguments to provide appropriate values. The LDAP URL can be a fixed URL, or it can be a value pattern (including the ability to include variable content in the URLs or to load the URLs from a file). Using LDAP URLs allows for more precise control over the combination of base, scope, filter, and requested attributes on a per-request basis. Note that any addresses and ports used in the URLs will be ignored; the --hostname and --port arguments will still be used to identify which servers to use. - Updated the ldapsearch and ldapmodify command-line tools to use an unlimited response timeout, which will prevent the tool from giving up on an operation if it takes the server a long time to return any kind of response. Previously, the tools used the LDAP SDK’s default timeout of five minutes for searches and 30 seconds for add, delete, modify, and modify DN operations. - Updated the ldapmodify command-line tool to add a --clientSideSubtreeDleete argument that can be used to cause each delete operation to be converted to a client-side subtree delete operation, in which the tool will search for entries to delete and then delete them individually. This makes it easier to delete entries with subordinates on servers that either do not support the subtree delete request control or in which the client may not have permission to use that control. - Added a new indent-ldap-filter command-line tool that can help make it easier to visualize complex filters with a lot of components, and especially a lot of nesting. If possible, it can also try to simplify the filter (for example, to remove unnecessary levels of nesting, like an AND inside an AND). - Enabled concurrent socket factory use by default for all versions of Java. In the past, we have observed that at least some IBM JVMs had a thread safety issue with SSL socket factory implementations, so we only allowed a socket factory to be used concurrently by multiple threads on a whitelisted set of JVMs. We no longer believe that the IBM JDK socket factory thread safety is an issue, and there are now many more JVM vendors (e.g., Apple, Azul, Amazon Coretto, AdoptOpenJDK, and potentially Red Hat), so concurrent socket factory use will be enabled by default. If an issue is found on a particular JVM, then concurrent access can be disabled programmatically or with a system property. - Updated the LDAPCommandLineTool API to add an option to expose an --enableSSLDebugging argument. If this argument is available, and if it is provided in the set of command-line arguments when the tool is run, then the JVM’s SSL/TLS debugging support will be enabled, and the JVM will write a large amount of TLS-related debugging information to standard error. This can help troubleshoot problems with or provide detailed information about any TLS communication that the tool attempts. - Updated the LDAP SDK to add protection against JVM security managers that may prevent calls to certain methods, like attempts to interact with system properties, environment variables, or logger levels. - Updated the password reader so that it will generate a more user-friendly error message if it is run in a context in which no console is available. A tool could encounter this error if its output has been redirected, or if it’s not running in an interactive shell (for example, in a cron job or system startup script). - Dramatically improved the performance of the streamfile value pattern, which operates like the sequentialfile value pattern in that it can iterate through values in sequential order, except that streamfile doesn’t need to hold the whole file in memory at once whereas sequentialfile does. - Updated the Filter.simplifyFilter method to simplify an AND filter containing an LDAP false filter (an OR filter with zero components, which will never match anything) to just that LDAP false filter, and to simplify an OR filter containing an LDAP true filter (an AND filter with zero components, which will match any entry) to just that LDAP true filter. - Added a PasswordValidationDetailsResponseControl.get(LDAPException) method that makes it more convenient to get the response control from an unsuccessful operation. - Improved the exception message that is generated if a failure occurs while trying to create a TLS-based connection. If the JVM supports creating an unconnected SSLSocket and then connecting it after the fact (which makes it possible to specify a connect timeout), and that connection attempt failed (for example, because the client did not trust the certificate presented by the server), the LDAP SDK could think that the connection was still established. Subsequent attempts to use the connection would fail, but the failure message would not accurately reflect the true cause of the problem. - Updated the in-memory directory server to improve the diagnostic message that is returned when it rejects an add attempt because the provided entry is not within any of the configured base DNs. - Fixed an issue in generating the normalized representation of a multivalued RDN when one or more of those components referenced an attribute type by its OID or by a name other than the first one listed in the attribute type definition. Previously, the normalized string representation would have simply used an all-lowercase representation of the provided attribute name, but it will now use an all-lowercase representation of the primary name for that attribute (if schema information is available to the client). Also, updated the logic used to determine whether an RDN has a specified name or name-value pair to handle the use of alternate names, and exposed the RDN.getNameValuePairs method to make it easier to work with an RDN’s name-value pairs. - Fixed a bug in the ByteStringBuffer.append(CharSequence,int,int) method in which the final integer argument could be interpreted as the number of characters to append rather than the end position at which to stop appending, which could yield incorrect results when the method was called with a nonzero start position. Also, updated the ByteStringBuffer.append methods that take CharSequence arguments to eliminate the creation of an intermediate character array, thereby improving performance and reducing garbage creation. - Updated the LDAP SDK’s command-line tool framework to fix an issue with the tool’s validation for required, exclusive, and dependent argument sets. If an argument was configured with a default value, then that default value could have been mistakenly treated as if it had been explicitly provided by the user. This could cause problems for arguments that are part of an exclusive argument set (in which only one of the arguments in that set may be provided) or a dependent argument set (in which an argument can only be used if at least one of a specified set of additional arguments is present). In such cases, the tool could not have been used in interactive mode. The modrate tool was affected by this issue. - Updated the argument parser to fix a problem with the way that it handles backslash characters in argument property files. Previously, it only correctly handled backslashes if they were at the end of a line to indicate that the content continued to the next line, or if they were followed by the letter ‘u’ and the hexadecimal representation of the desired Unicode character. It did not handle the backslash in front of another character used to force that character to be treated as a literal (for example, a backslash followed by an equal sign should be treated as just an equal sign, but was instead being treated as a backslash followed by an equal sign). - Updated the LDAP SDK build process to automatically generate documentation for all of the command-line tools included with the LDAP SDK. Usages are provided in both plain text and HTML, and the HTML-formatted documentation <https://docs.ldap.com/ldap-sdk/docs/tool-usages/index.html> is linked from the main documentation index page <https://docs.ldap.com/ldap-sdk/docs/index.html>. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2019-03-11 15:08:31
|
We have just released version 4.0.10 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). By the way, this is the first release that has been built from the public GitHub repository. All previous releases were built from an internal subversion repository that had been kept in sync with the GitHub repository. The only visible evidence of this change should be in the com.unboundid.ldap.sdk.Version class, where the REVISION_NUMBER constant (which has been deprecated for a couple of years) now has an integer value of -1 instead of the subversion revision number, and the REVISION_ID constant (which is the preferred replacement for REVISION_NUMBER) now reflects the GitHub commit digest (“b2272901fd62ad978017ff1aeb049cafc1999b12” for the 4.0.10 release) instead of the internal subversion revision number. The most significant changes included in this release are: - Fixed a bug in generating the normalized string representation of an RDN with multiple values that have the same attribute type (for example, “cn=foo+cn=bar”). In such cases, the normalized representation would only have contained one value with that attribute type, and any other values with the same attribute type would have been incorrectly omitted. Further, because the normalized string representation of an RDN is used for other purposes (for example, determining equality and comparator ordering), this may fix other related issues as well. - Added methods for improved DN and RDN validation that make it possible to require attribute names to strictly comply with the requirements of the LDAP specification. Previously, the methods for creating and validating DNs and RDNs were always lenient with what they would allow (for example, allowing attribute names with underscores) since some servers are lenient in this regard. The existing methods are still lenient by default for the sake of backward compatibility, but there is now an option to require strict compliance with the specification. - Improved support for TLS version 1.3 in JVMs that support it (which should be Java 11 and higher). The LDAP SDK will now automatically enable support for TLSv1.3 if it is available, and will prefer that protocol if the server also supports it, but it can still fall back to an earlier protocol version (TLSv1.2, TLSv1.1, or TLSv1, whichever is the highest version that the server supports) if necessary. As before, the default set of TLS protocols can be overridden programmatically by calling methods in the com.unboundid.util.SSLUtil class or by setting system properties. - Updated the process for establishing a secure connection so that it immediately starts the TLS handshake on the socket, rather than waiting for it to happen on the first attempt to communicate over the connection. This can help ensure that the connection is ready to use more quickly, and can help avoid timing issues in certain cases where the prompt trust manager is used in interactive applications that may prompt for other user input. - Updated the in-memory-directory-server command-line tool to add support for a number of new arguments, including --generateSelfSignedCertificate, --maxConcurrentConnections, --sizeLimit, --passwordAttribute, --defaultPasswordEncoding, --allowedOperationType, and --authenticationRequiredOperationType. - Updated the ldap-debugger tool to add a --generateSelfSignedCertificate argument. If the tool is configured to listen using SSL, then this argument can be given as an alternative to the --keyStorePath argument to indicate that the tool should generate its own self-signed certificate instead of requiring the user to supply a certificate. - Updated the ResultCode.isConnectionUsable method so that UNWILLING_TO_PERFORM is no longer included in the set of result codes that will cause the LDAP SDK to suspect that the connection may no longer be usable. Although it is possible that the connection may have become invalid, there are plenty of reasons that an LDAP server may return an UNWILLING_TO_RETURN response for a connection that remains completely usable. Since isConnectionUsable is often used to decide whether to keep the existing connection or throw it away and replace it with a new one, being too prone to indicate that a connection is no longer usable can adversely impact application performance and increase load on the directory server. - Added a new API that can be used to change the way that the LDAP SDK resolves names to IP addresses, and IP addresses to names. The default implementation simply uses the JVM's standard name resolution methods, but a caching name resolver implementation is also provided that can offer better performance and better resilience against name service outages. - Added a new PasswordFileReader class that makes it easier to read a password from a file. The password files may optionally be gzip-compressed and/or passphrase-encrypted, and the reader validates that the file contains exactly one line and that the line is non-empty. All command-line tools now have access to a password file reader, and LDAP SDK tools that can read passwords from files have been updated to take advantage of it. - Updated the command-line tool framework so that tools that support reading argument values from properties files can now handle the case in which the properties file is gzip-compressed and/or passphrase-encrypted. - Fixed a potential null pointer exception in ArgumentParser.toString that could arise if the parser was created through serialization and there were not any additional description paragraphs. Also, eliminated an unnecessary quotation mark in the generated string representation. - Updated the ldapsearch and ldapmodify command-line tools to add support for the get backend set ID and get server ID request controls (which can be used to obtain information from a Ping Identity Directory Server or Ping Identity Directory Proxy Server about which entry-balancing sets or which server instances were used to process a request), and for the route to backend set and route to server request controls (which can be used to request that the Ping Identity Directory Proxy Server route the request to a specific group of entry-balancing backend sets or to a specific backend server). - Updated LDAP command-line tools to support authentication with the UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism. - Added StaticUtils convenience methods for creating maps and sets with predefined sets of elements. - Updated the LDIF writer to make its user-friendly display of base64-encoded values more filter-friendly. The LDIF writer has a feature that allows it to automatically include a comment below a base64-encoded value that tries to display a more human-readable version of that value, but with special characters escaped. In most cases, that more human-readable value could have been directly copied into the string representation of a search filter, but there were previously some cases where that was not true (for example, cases where the raw value included parentheses, an asterisk, a horizontal tab, a carriage return, or a line feed). - Updated the UniquenessResponseControl class to add convenience methods to help make it easier to interpret the response. Updated the UniquenessRequestControl class to add an example to the class-level Javadoc documentation. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2018-11-20 18:00:15
|
We have just released version 4.0.9 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). The most significant changes included in this release are: * Updated the command-line tool framework to allow tools to have descriptions that are comprised of multiple paragraphs. * Updated the support for passphrase-based encryption to work around an apparent JVM bug in the support for some MAC algorithms that could cause them to create an incorrect MAC. * Updated all existing ArgumentValueValidator instances to implement the Serializable interface. This can help avoid errors when trying to serialize an argument configured with one of those validators. * Updated code used to create HashSet, LinkedHashSet, HashMap, LinkedHashMap, and ConcurrentHashMap instances with a known set of elements to use better algorithms for computing the initial capacity for the map to make it less likely to require the map to be dynamically resized. * Updated the LDIF change record API to make it possible to obtain a copy of a change record with a given set of controls. * Added additional methods for obtaining a normalized string representation of JSON objects and value components. The new methods provide more control over case sensitivity of field names and string values, and over array order. * Improved support for running in a JVM with a security manager that prevents setting system properties (which also prevents access to the System.getProperties method because the returned map is mutable). -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2018-09-14 04:14:18
|
We have just released version 4.0.8 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav ). The most significant changes included in this release are: * Fixed a bug in the modrate tool that could cause it to use a fixed string instead of a randomly generated one as the value to use in modifications. * Fixed an address caching bug in the RoundRobinDNSServerSet class. An inverted comparison could cause it to use cached addresses after they expired, and to cached addresses that weren’t expired. * Updated the ldapmodify tool to remove the restriction that prevented using arbitrary controls with an LDAP transaction or the Ping-proprietary multi-update extended operation. * Updated a number of locations in the code that caught Throwable so that they re-throw the original Throwable instance (after performing appropriate cleanup) if that instance was an Error or perhaps a RuntimeException. * Added a number of JSONObject convenience methods to make it easier to get the value of a specified field as a string, Boolean, number, object, array, or null value. * Added a StaticUtils.toArray convenience method that can be useful for converting a collection to an array when the type of element in the collection isn’t known at compile time. * Added support for parsing audit log messages generated by the Ping Identity Directory Server for versions 7.1 and later, including generating LDIF change records that can be used to revert change records (if the audit log is configured to record changes in a reversible form). -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2018-08-06 21:24:12
|
We have just released the UnboundID LDAP SDK for Java version 4.0.7, available for download from the releases page of our GitHub repository ( https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge project (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository ( https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22 ). The most significant changes in this release include: * Fixed an issue in the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes when created with a connection that is already established and authenticated (as opposed to being created from a server set and bind request). Internally, the LDAP SDK created its own server set and bind request from the provided connection's state information, but it incorrectly included bind credentials in the server set. Under most circumstances, this would merely cause the LDAP SDK to send two bind requests (the second a duplicate of the first) when establishing a new connection as part of the pool. However, it caused a bigger problem when using the new setBindRequest methods that were introduced in the 4.0.6 release. Because the server set was created with bind credentials, the pool would create a connection that tried to use those old credentials before sending a second bind request with the new credentials, and this would fail if the old credentials were no longer valid. * Fixed an issue with the behavior that the LDAP SDK exhibited when configured to automatically follow referrals. If the server returned a search result reference that the LDAP SDK could not follow (for example, because none of the URLs were valid, none of the servers could be reached, none of the searches succeeded, in those servers, etc.), the LDAP SDK would assign a result code of "referral" to the search operation, which would cause it to throw an exception when the search completed (as is the case for most non-success result codes). The LDAP SDK will no longer override the result code for the search operation, but will instead use whatever result code the server returned in its search result done message. Any search result references that the LDAP SDK could not automatically follow will be made available to the caller through the same mechanism that would have been used if the SDK had not been configured to automatically follow referrals (that is, either hand them off to a search result listener or collect them in a list to include in the search result object). The LDAP SDK was already making the unfollowable search result references available in this manner, but the client probably wouldn't have gotten to the point of looking for them because of the exception resulting from the overridden operation result code. * Added a new LDAPConnectionPoolHealthCheck.performPoolMaintenance method that can be used to perform processing on the pool itself (rather than on any individual connection) at regular intervals as specified by the connection pool's health check interval. This method will be invoked by the health check thread after all other periodic health checking is performed. * Added a new PruneUnneededConnectionsLDAPConnectionPoolHealthCheck class that can be used to monitor the size of a connection pool over time, and if the number of available (that is, not currently in use) connections is consistently greater than a specified minimum for a given length of time, then the number of connections in the pool can be reduced to that minimum. This can be used to automatically shrink the size of the pool during periods of reduced activity. * Updated the Schema class to provide additional constructors and methods that can be used to attempt to retrieve the schema without silently ignoring errors about unparsable elements. Previously, if a schema entry contained one or more unparsable elements, they would be silently ignored. It is now possible to more easily obtain information about unparsable elements or to have the LDAP SDK throw an exception if it encounters any unparsable elements. * Added createSubInitialFilter, createSubAnyFilter, and createSubFinalFilter methods to the Filter class that are more convenient to use than the existing createSubstringFilter methods for substring filters that only have one type of component. * Updated the Entry.diff method when operating in reversible mode so that when altering the values of an existing attribute, the delete modifications will be ordered before the add modifications. Previously, the adds came before the deletes, but this could cause problems in some directory servers, especially when the modifications are intended to change the case of a value in a case-insensitive attribute (for example, the add could be ignored or rejected because the value already exists in the entry, or the delete could end up removing the value entirely). Ordering the deletes before the adds should provide much more reliable results. * Updated the modrate tool to add a new "--valuePattern" argument that can be used to specify the pattern to use to generate new values. This argument is an alternative to the "--valueLength" and "--characterSet" arguments and allows for more flexibility in the types of values that can be generated. * Updated the manage-account tool so that the arguments related to TOTP secrets are marked sensitive. This will ensure that the value is not displayed in the clear in certain cases like interactive mode output or tool invocation logging. * Added a new "streamfile" value pattern component that operates like the existing "sequentialfile" component except that it limits the amount of the file that is read into memory at any given time, so it is more suitable for reading values from very large files. * Added a new "timestamp" value pattern component that can be used to include either the current time or a randomly selected time from a given range in a variety of formats. * Added a new "uuid" value pattern component that can be used to include a randomly generated universally unique identifier (UUID). * Added a new "random" value pattern component that can be used to include a specified number of randomly selected characters from a given character set. * Added a StaticUtils.toUpperCase method to complement the existing StaticUtils.toLowerCase method. * Added Validator.ensureNotNullOrEmpty methods that work for collections, maps, arrays, and character sequences. * Added LDAPTestUtils methods that can be used to make assertions about the diagnostic message of an LDAP result or an LDAP exception. * Added client-side support for a new exec task that can be used to invoke a specified command in the Ping Identity Directory Server (subject to security restrictions imposed by the server). * Added client-side support for a new file retention task that can be used to examine files in a specified directory, identify files matching a given pattern, and delete any of those files that do not match count-based, age-based, or size-based criteria. * Added client-side support for a new delay task that can be used sleep for a specified period of time, until the server work queue reports that all worker threads are idle and there are no pending operations, or until a given search or set of searches match at least one entry. The delay task is primarily intended to be used as a spacer between other tasks in a dependency chain. * Updated support for the ignore NO-USER-MODIFICATION request control to make it possible to set the criticality when creating an instance of the control. Previously, new instances were always critical. * Updated the ldapmodify tool to include the ignore NO-USER-MODIFICATION request control in both add and modify requests if the --ignoreNoUserModification argument was provided. Previously, that argument only caused the control to be included in add requests. Further, the control will now be marked non-critical instead of critical. * Updated the task API to add support for a number of new properties, including the email addresses of users to notify on task start and successful completion (in addition to the existing properties specifying users to email on error or on any type of completion), and flags indicating whether the server should alert on task start, successful completion, or failure. * Updated the argument parser's properties file support so that it expects the file to use the ISO 8859-1 encoding, and to support Unicode escape sequences that are comprised of a backslash followed by the letter u and four hexadecimal digits. * Updated the tool invocation logger to add a failsafe mechanism for preventing passwords from being included in the log. Although it will already redact the values of any arguments that are declared sensitive, it will now also redact the values of any arguments whose name suggests that their value is a password. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2018-05-23 15:54:42
|
We have just released the UnboundID LDAP SDK for Java version 4.0.6, available for download from the releases page <https://github.com/pingidentity/ldapsdk/releases> of our GitHub repository, from the Files page <https://sourceforge.net/projects/ldap-sdk/files/> of our SourceForge project, and from the Maven Central Repository <https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22>. The most significant changes in this release include: - We fixed a number of issues in the way that the LDAP SDK handled characters whose UTF-8 representation requires more than two bytes (and therefore requires two Java chars to represent a single character). Issues related to these characters were found in code for matching rules, DNs and RDNs, and search filters. - We fixed an issue in the ldapsearch tool that could cause it to use an incorrect scope when constructing search requests from LDAP URLs that were read from a file. - We fixed a bug in schema handling that could arise if an object class definition did not explicitly specify an object class type (STRUCTURAL, AUXILIARY, or ABSTRACT). In some cases, the type could be incorrectly inherited from the superclass rather than assuming the default type of STRUCTURAL. - We updated the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes to add new setServerSet and setBindRequest methods. These new methods make it possible to update an existing pool to change the logic that it uses for establishing and authenticating new connections. - We added a new LDAPRequest.setReferralConnector method that makes it possible to set a custom referral connector on a per-request basis. We also added a new RetainConnectExceptionReferralConnector class that makes it easier to obtain the exception (if any) that was caught on the last attempt to establish a connection for the purpose of following a referral. - Updated the in-memory directory server to better handle any java.lang.Errors that occur while interacting with a client connection. These kinds of errors should not happen under normal circumstances but may be generated by third-party code (for example, an InMemoryOperationInterceptor), and it is possible for the JVM to generate them in extraordinary circumstances like running out of memory. In such cases, the thread responsible for interacting with that client would exit without returning a response for the operation being processed and without closing the operation. The LDAP SDK will now attempt to return an error (if appropriate for the type of operation being processed) and close the connection. - Updated the manage-certificates tool to fix an incorrect interpretation of the path length element of a basic constraints extension. - Updated manage-certificates to add support for importing PEM-encoded RSA private keys that are not wrapped in a PKCS #8 envelope (that is, from a file whose header contains “BEGIN RSA PRIVATE KEY” instead of “BEGIN PRIVATE KEY”). Previously, it was only possible to import private keys using the PKCS #8 format. - Updated manage-certificates to add an --allow-sha-1-signature-for-issuer-certificates argument to the check-certificate-usability subcommand. If this argument is provided, then the tool will continue to call out issuer certificates whose signature is based on the now-considered-weak SHA-1 digest algorithm, but it will no longer cause the tool to exit with an error just because of that issue. This argument has no effect for certificates that use a signature based on the extremely weak MD5 digest, and it also does not have any effect if the certificate at the head of the chain (that is, the server certificate rather than the root certificate) has a SHA-1-based signature. - Added client-side support for a new “reload HTTP connection handler certificates” task that may be used in some Ping Identity server products to request that the server dynamically reload the certificate key and trust stores used by all HTTP connection handler instances that provide support for HTTPS. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._ |
|
From: Neil W. <nei...@pi...> - 2018-03-19 16:24:59
|
We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the LDAP.com website <https://www.ldap.com/unboundid-ldap-sdk-for-java>, from the releases page <https://github.com/pingidentity/ldapsdk/releases> of our GitHub repository, from the Files page <https://sourceforge.net/projects/ldap-sdk/files/> of our SourceForge project, and from the Maven Central Repository <https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22> . The most significant change in this release is the fix for a vulnerability described in CVE-2018-1000134 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134>. In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See CVE-2018-1000134 and the UnboundID LDAP SDK for Java <https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/> for more information about this issue. Other changes in the 4.0.5 release of the LDAP SDK include: - Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line. - Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year. - Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality. - Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments. - Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring. - Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase. - Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream. - Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility. - Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written. - Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file. - Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates. - Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates. - Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file. -- *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.* |
