OpenLDAP 2.4.57

The OpenLDAP project has announced the release of OpenLDAP version 2.4.57. From the release announcement, the changes in this release appear to be:

  • Fixed a crash in packet decoding during SASL authentication
  • Fixed several memory management issues that can lead to crashes or other undesirable behavior
  • Fixed an issue with RDN sorting
  • Fixed an issue that could prevent the cancel operation from terminating
  • Fixed an X.509 issue that could arise when encountering a malformed certificate
  • Fixed the ldapextop tool to use the correct return code
  • Fixed a client-side issue involving binds when retrying an operation after re-establishing a connection
  • Updated synchronization processing to ignore duplicate session log entries

389 Directory Server 1.4.3.18

The 389 Directory Server project has announced the release of version 1.4.3.18. From the release announcement, it looks like some of the changes in this version are:

  • Fixed a security issue that could cause unexpected information to be returned in an LDAP request
  • Fixed memory management issues that could cause crashes or potential security issues
  • Fixed a potential crash when dereferencing an entry that exists but is not returned by an internal search
  • Fixed a potential crash resulting from a division-by-zero in disk monitoring code
  • Fixed an out-of-bounds issue affecting the file descriptor table
  • Fixed an issue that may cause the changelog cache to upload updates from the wrong starting point
  • Fixed an issue with singleLevel searches below “cn=monitor”
  • Fixed a performance issue around the use of the TCP_NODELAY socket option
  • Added a warning for skipped entries during an online LDIF import
  • Added cockpit enabling to dsctl
  • Added support for encoding passwords with gost-yescrypt
  • Added the machine name as a subject alternative name when generating certificates
  • Fixed an issue that could prevent dsidm from removing an organizationalUnit entry

389 Directory Server 2.0.2 and 1.4.4.10

The 389 Directory Server project has announced new releases of versions 2.0.2 and 1.4.4.10. From the release announcements, it looks like some of the changes in these versions are:

  • Fixed a security issue that could cause unexpected information to be returned in an LDAP request (both versions)
  • Fixed a number of memory management issues that could cause crashes or potential security issues (both versions)
  • Fixed a potential data corruption error in syncrepl processing (both versions)
  • Fixed a potential crash when dereferencing an entry that exists but is not returned by an internal search (both versions)
  • Fixed a potential crash resulting from a division-by-zero in disk monitoring code (both versions)
  • Fixed a potential crash when using the simple paged results control with chaining (version 2.0.2)
  • Fixed an out-of-bounds issue affecting the file descriptor table (both versions)
  • Fixed an issue that may prevent entryUUID from being replicated properly (both versions)
  • Fixed a replication issue that could cause an internal search to use an improperly escaped filter (version 2.0.2)
  • Fixed an issue that affects interaction with OpenLDAP involving the entryUUID attribute (both versions)
  • Fixed an issue that may cause the changelog cache to upload updates from the wrong starting point (both versions)
  • Updated the server to log internal searches that are unindexed (version 2.0.2)
  • Fixed an issue that could occur during migration from OpenLDAP (both versions)
  • Fixed an issue with singleLevel searches below “cn=monitor” (both versions)
  • Fixed a performance issue around the use of the TCP_NODELAY socket option (both versions)
  • Added support for OpenLDAP-compatible password encodings (both versions)
  • Added a warning for skipped entries during an online LDIF import (both versions)
  • Fixed an LDIF import performance issue after an earlier failed import (version 2.0.2)
  • Added cockpit enabling to dsctl (both versions)
  • Added DN rewriting support for LDAPI authentication (both versions)
  • Added support for encoding passwords with gost-yescrypt (both versions)
  • Added the machine name as a subject alternative name when generating certificates (both versions)
  • Fixed an issue that could cause the server to return referrals for servers with a different data generation (version 2.0.2)
  • Fixed a DN normalization issue for escaped spaces (version 2.0.2)
  • Fixed an ldifgen issue when using the --start-idx argument (version 2.0.2)
  • Fixed an issue that could prevent dsidm from removing an organizationalUnit entry (version 2.0.2)
  • Fixed systemd pin warnings (version 2.0.2)
  • Fixed a UI issue that prevented it from handling object class definitions without an X-ORIGIN extension (version 2.0.2)
  • Updated the client library to use the underlying system’s TLS policy (version 2.0.2)

Ping Identity Directory Server 8.2.0.0

Ping Identity Directory Server version 8.2.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Added single sign-on support to the Administration Console
  • Added a new ds-pwp-modifiable-state-json operational attribute
  • Added support for password validation during bind
  • Added support for a recent login history
  • Added sample dsconfig batch files
  • Added JSON-formatted variants for the audit, HTTP operation, and synchronization log files
  • Added support for logging to standard output or standard error
  • Added support for rotating the logs/server.out log file
  • Improved support for logging to syslog servers
  • Added support for the OAUTHBEARER SASL mechanism
  • Added support for the ($attr.attrName) macro ACI
  • Added a remove-attribute-type-from-schema tool
  • Added a validate-ldap-schema tool
  • Added a number of security-related improvements to setup
  • Added a number of improvements to the manage-profile tool
  • Added a number of improvements to the parallel-update tool
  • Added various improvements to several other command-line tools, including ldappasswordmodify, ldapcompare, ldifsearch, ldifmodify, ldif-diff, ldap-diff, and collect-support-data
  • Added various usability improvements to command-line tools
  • Added several improvements to the dictionary password validator
  • Added a new AES256 password storage scheme
  • Added an export-reversible-passwords tool
  • Added a 256-bit AES encryption settings definition in addition to the 128-bit AES definition
  • Added password information about password quality requirements to the ds-pwp-state-json virtual attribute
  • Added the ability to augment the default set of crypto manager cipher suites
  • Improved support for delaying bind responses
  • Now requires a minimum ephemeral Diffie-Hellman key size of 2048 bits
  • Switched to using /dev/urandom as a source of secure random data
  • Improved the way we generate self-signed certificates and certificate signing requests
  • Added support for using elliptic curve keys in JWTs
  • Added new administrative alert types for account status notification events, privilege assignment, and rejection of insecure requests
  • Added improvements to monitor data and the way it is requested by the status tool
  • Added identity mapper improvements, including filter support, an aggregate identity mapper, and an out-of-the-box mapper for administrative users
  • Improved uniqueness control conflict prevention and detection
  • Added support for re-sending an internal replication message if there is no response to a dsreplication initialize request
  • Added a --force argument to dsreplication initialize that can be used to force initialization even if the source server is in lockdown mode
  • Added options to customize the response code and body in availability servlets
  • Increased the number of RDN components that a DN may have from 50 to 100
  • Updated the SCIM servlet to leverage a VLV index (if available) to support paging through search result sets larger than the lookthrough limit
  • Added an --adminPasswordFile argument to the manage-topology add-server command
  • Added a password policy configuration property to indicate whether the server should return the password expiring or password expired based on whether the client also provided the password policy request control
  • Updated support for the CRAM-MD5 and DIGEST-MD5 SASL mechanisms so they are no longer considered secure
  • Improved Directory Proxy Server support for several SASL mechanisms
  • Improved Directory Proxy Server support for the LDAP join control
  • Updated manage-topology add-server to add support for configuring failover between Synchronization Server instances
  • Added a Synchronization Server configuration property for customizing the sync pipe queue size
  • Added a Synchronization Server configuration property for processing changes with REPLACE modifications rather than ADD and DELETE modifications
  • Fixed an issue that could prevent the installer from removing information about the instance from the topology registry
  • Fixed an issue that could cause replication to miss changes if a backend was reverted to an earlier state without reverting the replication database
  • Fixed an issue in which a replica could enter lockdown mode after initialization
  • Fixed an issue that could allow some non-LDAP clients to inappropriately issue requests without the server in lockdown mode
  • Fixed an issue in which restoring an incremental backup could cause dependencies to be restored out of order, leading to an incomplete intermediate database file
  • Fixed a backup retention issue in which the process of purging old backups could cause old backups to be removed out of order
  • Fixed an issue in which the server could leak a small amount of memory upon closing a JMX connection
  • Fixed an issue that could cause the server.status file to be corrupted on Windows systems after an unplanned reboot if the server is configured to run as a Windows service
  • Fixed an issue that could cause the server to return a password expired response control in a bind response when the user’s account is expired but the client provided incorrect credentials
  • Fixed an issue in which a search that relied on a virtual attribute provider for efficient processing could omit object classes from search result entries
  • Fixed an issue in which the server did not properly handle the matched values control that used an extensible match filter with both an attribute type and a matching rule (for example, in conjunction with the jsonObjectFilterExtensibleMatch matching rule)
  • Fixed an issue in which the server could incorrectly log an error message at startup if it was configured with one or more ACIs that grant or deny permissions based on the use of SASL mechanisms
  • Fixed an issue in which the remove-defunct-server tool could fail to remove certain replication attributes when the tool was run with a topology JSON file
  • Fixed an issue in which manage-profile replace-profile could fail to apply changes if the profile included dsconfig batch files without a “.dsconfig” extension
  • Fixed an issue in which the server could raise an internal error and terminate the connection if a client attempted to undelete a non-soft-deleted entry
  • Fixed an issue that could cause the REST API to fail to decode certain types of credentials when using basic authentication
  • Fixed an issue in which the encryption-settings tool could leave the server without a preferred definition after importing a set of definitions with the --set-preferred argument but none of the imported definitions is marked preferred
  • Fixed an issue in which the manage-profile generate-profile command could run out of memory when trying to generate a profile containing large files
  • Fixed an issue in which the manage-profile generate-profile command could display a spurious message when generating the profile in an existing directory
  • Fixed an issue that could interfere with cursoring through paged search results when using the REST API and the results included entries with long DNs
  • Fixed an issue that could cause an exception in SCIM 1.1 processing as a result of inappropriate DN escaping
  • Fixed an issue that could cause the isMemberOf and isDirectMemberOf virtual attributes to miss updates if the same group is updated concurrently by multiple clients
  • Fixed an issue that could cause the server to return an objectClassViolation result code instead of the more appropriate attributeOrValueExists result code when attempting to add an object class value to an entry that already has that object class
  • Fixed an issue that could cause loggers to consume more CPU processing time than necessary in an idle server
  • Fixed an issue in which the stats collector plugin could generate unnecessary I/O when it is used exclusively for sending metrics to a StatsD endpoint
  • Fixed an issue in which the periodic stats logger could include duplicate column headers
  • Fixed an issue that could cause the server to periodically log an error message if certain internal backends are disabled
  • Fixed a typo in the default template that the multi-part email account status notification handler uses to warn about an upcoming password expiration
  • Fixed an issue in which the dsconfig list command could omit certain requested properties
  • Fixed an issue in which the dsreplication tool could incorrectly suppress LDAP SDK debug messages even if debugging was requested
  • Fixed an issue that could cause the Directory Proxy Server to log information about an internal exception if an entry-balanced search encountered a timeout when processing one or more backend sets
  • Fixed an issue in which the Synchronization Server could get stuck when attempting to retry failed operations when it already has too many other operations queued up for processing
  • Fixed an issue in which Synchronization Server loggers were not properly closed during the server shutdown process
  • Fixed an issue in which the synchronization server could fail to synchronize certain delete operations from an Oracle Unified Directory because of variations in the format of the targetUniqueID attribute

UnboundID LDAP SDK for Java 5.1.3

UnboundID LDAP SDK for Java is a Java-based API for interacting with LDAP directory servers and performing other LDAP-related processing. The project has just released version 5.1.3, which includes the following changes:

  • Fixed an issue in the LDAP listener framework that could allow malicious clients to cause the listener to consume large amounts of memory
  • Improved support for working with OIDs in a hierarchy
  • Added an --exact-match argument to the oid-lookup tool
  • Added an --output-format argument to the ldap-result-code tool

UnboundID LDAP SDK for Java 5.1.2

UnboundID LDAP SDK for Java is a Java-based API for interacting with LDAP directory servers and performing other LDAP-related processing. The project has just released version 5.1.2, which includes the following changes:

  • Added a new parallel-update tool
  • Added automatic retry support to ldapmodify and ldapdelete
  • Added programmatic and command-line access to a registry of LDAP-related object identifiers
  • Added a new ldap-result-code tool
  • Updated the in-memory directory server to support mutual TLS authentication
  • Improved the way that self-signed certificates are generated for the in-memory-directory-server and ldap-debugger tools
  • Added better support for validating arguments that represent host names
  • Improved support for implementing client-side support for custom SASL mechanisms
  • Added automatic trust for TLS certificates requested via a loopback IP address
  • Improved the comments that the LDIF writer generates for human-readable representations of base64-encoded values
  • Added a new manage-certificates retrieve-server-certificate command
  • Fixed a timeout issue in the manage-certificates trust-server-certificate command
  • Added a new dns-only output format for ldapsearch
  • Added the ability to include arbitrary key-value pairs in OAUTHBEARER SASL bind requests
  • Fixed a command-line tool framework issue that prevented it from explicitly closing output files
  • Added a method for determining whether an IP address is in a private or reserved range
  • Improved support for changelog entries for delete operations to provide an alternative way to get deleted entry attributes
  • Updated support for passphrase encryption to make it possible to explicitly specify the type of cipher that should be used
  • Added an X.509 trust manager that will never trust any certificate chain (primarily for testing purposes)
  • Updated the documentation to include the latest versions of the draft-melnikov-scram-sha-512, draft-melnikov-scram-sha3-512, and draft-ietf-kitten-password-storage drafts in the set of LDAP-related specifications
  • Added client-side support for the new ds-pwp-modifiable-state-json operational attribute in the Ping Identity Directory Server
  • Added client-side support for the new “remove attribute type” administrative task in the Ping Identity Directory Server
  • Added client-side support for the new AES256 password storage scheme in the Ping Identity Directory Server
  • Added client-side filter support for the jsonObjectFilterExtensibleMatch matching rule
  • Updated the uniqueness request control to make it possible to indicate that the server should generate a temporary conflict prevention details entry before pre-commit processing, and that it should generate an administrative alert when post-commit conflicts are detected
  • Deprecated support for interactive transactions in the Ping Identity Directory Server

LdapRecord 2.0.1 and 1.12.2

LdapRecord aims to provide a simple way to interact with LDAP entries using PHP. The project has released versions 2.0.1 and 1.12.2, which appear to include the following changes:

  • Deleting non-leaf nodes will now properly delete leaf nodes of different types (both versions)
  • Deleting specific attributes now properly diffs non-array values (version 2.0.1 only)

389 Directory Server 1.4.4.9 and 1.4.3.17

The 389 Directory Server project has announced new releases of versions 1.4.4.9 and 1.4.3.17. From the release announcements, it looks like some of the changes in these versions are:

  • Fixed a potential crash that could occur when chaining a search operation that includes a critical simple paged results request control (both versions)
  • Fixed a potential crash that could occur when deleting an entry with an escaped leading space (version 1.4.4.9)
  • Updated the server to use a monotonic clock for all timing events to avoid issues related to changes in the system time (both versions)
  • Updated the server to prevent read-only replicas from sending referrals to writable servers with a different data generation (both versions)
  • Fixed an issue that could cause problems managing object class definitions without the X-ORIGIN extension (both versions)
  • Fixed a replication issue that could cause internal searches to use a malformed filter (both versions)
  • Fixed a normalization issue for DNs with escaped spaces (both versions)
  • Fixed an issue that could cause online imports to be very slow after a previous failed import attempt (version 1.4.4.9)