389 Directory Server 2.0.13

The 389 Directory Server project has released version 2.0.13. Changes in this release appear to include:

  • Fixed an issue that could cause bind processing to complete without sending a result
  • Fixed an issue that could interfere with syncrepl replication
  • Fixed an issue that could interfere with creating an instance with dscontainer
  • Added edit and rename functionality to the LDAP editor
  • Reduced contention that could affect search performance
  • Updated the UI to add the ability to exclude attributes from the retro changelog
  • Added ACI editing to the UI

FreeDSx LDAP 0.7.0

FreeDSx LDAP is a pure PHP library that implements most LDAP client functionality and limited LDAP server functionality. The project has just released version 0.7.0, which appears to include the following changes:

  • Added the ability to run the LDAP client and server over a UNIX socket
  • Added the ability to run the server with only TLS enabled
  • Added the ability to provide a client handler for paged results
  • Added the ability to declare the simple paged results control critical
  • Added a helper method for creating an LDAP proxy server
  • Provided an alternative method for configuring server handlers
  • Added the ability to force a disconnect when changing LDAP client options

A New OpenLDAP Release Maintenance Policy

The OpenLDAP project has announced a new release maintenance policy to describe how they will support releases going forward. Highlights include:

  • There will be two release streams: LTS and feature.
  • LTS releases will only get bug fixes and not new features, with about four patch releases per year.
  • LTS releases will be supported for around five years.
  • A new LTS stream will be created about three years after the previous LTS stream, giving about two years to migrate from the previous LTS release stream to the new one before the previous one becomes unsupported.
  • Feature releases will get features, bug fixes, and performance improvements.
  • A new feature release stream will be created every 12–18 months.
  • Periodically, feature releases will be promoted to LTS releases.

OpenLDAP 2.6.1 and 2.5.10

The OpenLDAP project has announced the release of versions 2.6.1 and 2.5.10 of their LDAP directory server. Changes in these releases include:

  • Fixed logging-related issues that could cause the server to crash (both versions)
  • Fixed a memory leak in replication processing (both versions)
  • Fixed an issue in which the mdb backend did not make proper index changes for a replace modification (both versions)
  • Fixed an issue that could interfere with log file rotation (version 2.6.1)
  • Fixed several replication issues (both versions)
  • Fixed issues in the way the server made group membership determinations (both versions)
  • Fixed issues with maintaining the order of attribute values (both versions)
  • Fixed issues in the slapd-sock module's cn=config processing (version 2.6.1)
  • Fixed an issue with a modification that replaces the set of object classes with a logically equivalent set of values (both versions)
  • Added support for the post-read request control for modify DN operations (version 2.6.1)
  • Fixed a client library issue with following referrals (both versions)
  • Added an option to specify the timestamp format in log files (version 2.6.1)
  • Addressed a misleading message about password encoding (version 2.6.1)
  • Added improved validation for detecting invalid configuration (both versions)

Ping Identity Directory Server 9.0.0.0

Ping Identity Directory Server version 9.0.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

All server products:

  • Confirmed that none of the Directory Server, Directory Proxy Server, Synchronization Server, Metrics Engine, Admin Console, or LDAP SDK for Java use log4j or are affected by its vulnerability.
  • Added cipher stream providers for PKCS #11 tokens, Azure Key Vault, and CyberArk Conjur.
  • Added passphrase providers for Azure Key Vault and CyberArk Conjur.
  • Added password storage schemes for authenticating with passwords stored in external services, including AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault.
  • Added extended operations for managing server certificates.
  • Added the ability to redact the values of sensitive configuration properties when constructing the dsconfig representation for a configuration change.
  • Included the original requester DN and client IP address in log messages for mirrored configuration changes.
  • Added TLS configuration properties for outbound connections.
  • Updated the Admin Console to support using PKCS #12 and BCFKS trust stores.
  • Updated the file servlet to support authenticating with OAuth 2.0 access tokens and OpenID Connect ID tokens.
  • Fixed an issue that could cause degraded performance and higher CPU utilization for some clients using TLSv1.3.
  • Fixed an issue that prevented the manage-profile replace-profile tool from working properly for servers running in FIPS 140-2-compliant mode.
  • Updated export-ldif to always base64-encode attribute values containing any ASCII control characters.
  • Fixed an issue in which some tools that operate on the server’s configuration did not use the correct matching rule for attribute types configured to use case-sensitive matching.
  • Updated the Directory REST API to add support for attribute options.
  • Added the ability to recognize JVM builds from Eclipse Foundation, Eclipse Adoptium, and BellSoft.
  • Removed “-XX:RefDiscoveryPolicy=1” from the default set of options used to launch the JVM.

Directory Server changes:

  • Added support for pluggable pass-through authentication.
  • Fixed an issue that could interfere with the use of legacy reversibly encrypted passwords if an instance was removed from the topology.
  • Fixed an issue that prevented decoding proxied authorization v2 request controls with an authorization identity of a specific length.
  • Fixed an issue that could cause sporadic failures when attempting to back up a backend with data encryption enabled.
  • Added a replica-partial-backlog attribute to the replication summary monitor entry.
  • Fixed an issue in which the server could use incorrect resource limit values for users with custom limits who authenticated via pass-through authentication.
  • Fixed an issue in which the server did not properly update certain password policy state information for simple bind attempts targeting users without a password.
  • Fixed an issue in which the server may not handle other controls properly when processing an operation that includes the join request control.
  • Fixed an issue in which a newly initialized server could go into lockdown mode with a warning about missing changes if it was restarted immediately after initialization completed.
  • Fixed an issue that could prevent changes applied to non-RDN attributes in the course of processing a modify DN operation from being replicated.
  • Fixed an issue that could prevent composed attribute values from being properly updated for operations that are part of a multi-update extended operation.
  • Improved performance for modify operations that need to update a composite index to add an entry ID to the middle of a very large ID set.
  • Added limits for the maximum number of attributes in an add request and the maximum number of modifications in a modify request.
  • Updated the dsreplication initialize-all command to support initializing multiple replicas in parallel.
  • Fixed an issue in which an entry added with a createTimestamp attribute could lose the original formatting for that attribute when replicated to other servers.
  • Fixed an issue that could lead to long startup times in large topologies with data encryption enabled.
  • Updated the ldap-diff tool to add several new features.
  • Updated the migrate-ldap-schema tool to add several new features.

Directory Proxy Server changes:

  • Fixed an issue that could cause certain internal operations initiated in the Directory Proxy Server to fail when forwarded to a backend Directory Server.
  • Improved the logic used to select the best error result to return to the client for operations broadcast to all backend sets.
  • Updated the entry counter, hash DN, and round-robin placement algorithms to support excluding specific backend sets.

Synchronization Server changes:

  • Added the ability to synchronize certain password policy state information from Active Directory to the Ping Identity Directory Server.
  • Fixed an issue that could prevent synchronizing changes to entries that have multiple attributes with the same base attribute type but different sets of attribute options.
  • Added the ability to apply rate limiting when synchronizing changes to PingOne.
  • Fixed an issue in which the max-rate-per-second property was not properly applied when running the resync tool.

Metrics Engine changes:

  • Fixed an issue that could prevent dashboard icons from being properly displayed.

389 Directory Server 2.0.12

The 389 Directory Server project has released version 2.0.12. Changes in this release appear to include:

  • Fixed an issue that could cause the server to crash from an incomplete replication setup
  • Fixed an issue that could prevent root user access over UNIX socket connections
  • Updated the server to allow startup to continue if a non-critical plugin cannot be initialized
  • Improved cache management
  • Improved an error message that could be logged when synchronizing with Active Directory
  • Updated dsidm to add the ability to create service accounts
  • Added edit and rename functionality to the LDAP editor
  • Fixed various UI issues