LDAP Tool Box Self Service Password 1.4.4

The LDAP Tool Box project provides a set of LDAP-related applications, administrative tools, and other utilities. They have just released version 1.4.4 of their Self Service Password tool, a PHP application that allows users to change their password in an LDAP directory. Some of the changes in this release include:

  • Fixed an issue that could prevent sending notification email messages
  • Fixed an issue that could cause a notification email message to be sent even if a password update attempt failed
  • Fixed an internal error that could arise when trying to reset the password for a nonexistent user

Ping Identity Directory Server

A new version of the Ping Identity Directory Server has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Known issue: when reverting an update to the 9.1 release, updated Bouncy Castle cryptographic library files may remain in place.
  • Added support for controls to the Directory REST API.
  • Updated replace-certificate and the topology registry to streamline the process for replacing a listener certificate when the current and new certificates are signed by the same issuer.
  • Made it easier to replace a listener certificate after it has expired.
  • Added support for sanitizing access log messages as they are logged.
  • Added support for generifying message strings in access and error log messages.
  • Updated Synchronization Server support for PingOne to include multi-valued attributes and JSON-formatted attributes.
  • Improved the assured replication result used in the event that a replication conflict is detected.
  • Improved the sanitize-log tool and updated it to better align with sanitized logging support.
  • Updated sanitize-access-log to support JSON-formatted log files.
  • Added support for JSON-formatted controls in LDAP requests and responses.
  • Added a docker-pre-start-config tool that can help reduce startup time when running in a Docker container.
  • Added a --skipValidation argument to manage-profile replace-profile.
  • Added an --excludeSetupArguments argument to manage-profile generate-profile.
  • Increased the maximum value of the on-replay-failure-wait-for-dependent-ops-timeout replication property from one minute to five minutes.
  • Improved the Directory REST API support for PUT operations that alter a DN in conjunction with changes to other attributes in the entry.
  • Updated the active operations monitor to use millisecond precision for timestamps and to make operation strings more parseable.
  • Added the collect-support-data version to the output of status --fullVersion.
  • Updated several dependencies to improve functionality, address defects, and improve security.
  • Fixed an issue that could cause some replication protocol messages to be dropped.
  • Fixed an issue that could cause the server to report missing changes and go into lockdown mode if it is restarted immediately after running dsreplication initialize.
  • Fixed an issue that could prevent certain password policy functionality from being invoked for add operations in which the password policy is assigned by virtual attribute.
  • Fixed an issue that could cause privileges assigned by virtual attribute to be overlooked in some cases.
  • Updated the server to create the esTokenizer.ping file if it does not exist but is needed.
  • Fixed an issue that could have incorrectly applied minimum and maximum password age constraints to users without a password.
  • Updated the JSON-formatted access logger to include the requester IP address field in disconnect, security negotiation, and client certificate log messages when appropriate.
  • Fixed an issue that prevented the certificate monitor from recognizing replaced certificates.
  • Fixed issues that could prevent using the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers to obtain key and trust store PINs.
  • Fixed an issue that could cause the server to log negative operation processing times for certain operations.
  • Updated the server to prevent add and modify operations targeting ds-pwp-modifiable-state-json when the associated plugin is not enabled.
  • Updated the server to prevent a user from updating the ds-pwp-modifiable-state-json attribute for their own entry.
  • Updated the server to prevent a user from updating the ds-pwp-modifiable-state-json attribute in the same modification that also reset a user’s password.
  • Fixed an issue in which dsreplication failed to properly normalize base DN values.
  • Fixed an issue that could prevent the Directory REST API from retrieving entries with generalized time values in an unexpected format.
  • Fixed an issue that could cause manage-profile replace-profile to fail with an error about merging configuration.
  • Updated manage-profile setup and manage-profile replace-profile to prevent including a pre-populated encryption settings database in the pre-setup files.
  • Updated manage-topology add-server to be more consistent when adding additional Synchronization Servers to a failover topology.
  • Fixed an issue in which the server could ignore certain indexes that it believed to be redundant when evaluating search criteria.
  • Improved the SCIM error code for cases in which an update violated a unique attribute constraint.
  • Fixed an issue that could cause the server to incorrectly reject requests with non-critical controls that the requester did not have permission to use rather than ignoring those controls.
  • Fixed an issue that could allow the password policy state extended operation to create duplicate authentication failure time or grace login use time values.
  • Fixed an issue that could affect backward compatibility when using migrate-ldap-schema with the legacy --useSSL or --useStartTLS arguments.
  • Fixed an issue that could prevent the server from generating alerts to indicate that an outstanding alarm condition had been resolved.
  • Fixed an issue that could cause the server to report an internal error when attempting to obtain database statistics for a read-only backend.
  • Fixed an export-reversible-passwords issue that could cause it to time out while waiting for a response from the server.
  • Updated export-reversible-passwords to abort processing if the tool invoking it was terminated.
  • Fixed an issue that prevented encode-password from working if the AES256 scheme was enabled.
  • Disabled the index cursor entry limit by default.

ruby-net-ldap 0.17.1

The ruby-net-ldap project provides LDAP support for the Ruby programming language. They have just released version 0.17.1 of the library. Some of the changes in this release appear to include:

  • Added support for Ruby 3.0
  • Fixed a potential issue in TLS communication
  • Fixed circular references in require statements
  • Fixed a typo in an error message

OpenDJ 4.5.0 and 4.4.15

The Open Identity Platform project has released versions 4.5.0 and 4.4.15 of the OpenDJ Directory Server. Changes in these releases appear to include:

  • Updated the Docker image to use Java 17 (version 4.5.0)
  • Added support for Java versions 16, 17, and 18 (version 4.4.15)
  • Added support for encoding passwords with PBKDF2-HMAC-SHA256 and PBKDF2-HMAC-SHA512 (version 4.4.15)
  • Added support for the userAccountControl, mmsDS-UserAccountDisabled, and pwdLastSet attributes in Active Directory (version 4.4.15)
  • Added support for Alpine Linux on several platforms (version 4.4.15)
  • Fixed an issue that could prevent error messages from being logged (version 4.4.15)
  • Fixed an issue that could prevent installing on Windows in a path with spaces (version 4.4.15)
  • Fixed an issue that could prevent removing entries under multiple backends (version 4.4.15)
  • Fixed a typo in the definition for the Tamil matching rule (version 4.4.15)

FreeDSx LDAP 0.8.0

FreeDSx LDAP is a pure PHP library that implements most LDAP client functionality and limited LDAP server functionality. The project has just released version 0.8.0, which appears to include the following changes:

  • Added support for PSR-3-compatible logging of server info and error events
  • Properly handled POSIX signals sent to the server
  • Fixed an issue with the handling of child processes