Ping Identity Directory Server 10.2.0.0

Ping Identity Directory Server version 10.1.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Java 11 support has been deprecated and will be removed in a future release.
  • In an upcoming release, Java EE package names will transition from using javax to using jakarta, which may affect some third-party extensions.
  • Support for SCIM version 1.1 has been deprecated.
  • Support for SNMP has been deprecated, both for accessing limited monitor data and for generating traps from administrative alerts.
  • Added the ability to run the server on a Java 21 JVM.
  • Added support for running in a FIPS 140-3-compliant manner.
  • Added a cache for improving authentication performance when using expensive password storage schemes.
  • Added a new entry counter plugin.
  • Updated the Directory REST API to support making access control decisions based on OAuth scopes.
  • Dramatically improved bind performance in environments with a very large number of dynamic groups.
  • Updated the Synchronization Server to support synchronizing changes to a Ping Identity Directory Server for updating both a user’s password and their password policy state at the same time.
  • Added the ability to specify a proxy server when defining HTTP external servers in the configuration.
  • Added support for pausing database cleaning activity when creating a backup, which may increase the speed and reduce the size of the backup.
  • Added a new db-on-disk-to-db-cache-size-ratio attribute to database environment monitor entries. Also, added a gauge to raise an alarm if the on-disk database size becomes many times larger than the in-memory cache size, which could lead to performance degradation.
  • Added support for caching the contents of key and trust stores for improved performance during TLS negotiation.
  • Updated the check-replication-domains tool to better distinguish between deleted and obsolete replicas.
  • Updated the dsjavaproperties tool to allow using the new --gcType argument to change the type of garbage collector used for the server.
  • Added the ability to use generational ZGC garbage collection when running on Java 21.
  • Updated collect-support-data to use the most recent monitor history file if monitor information is not obtained from LDAP.
  • Updated the Synchronization Server to use the get changelog batch extended operation as the default mechanism for discovering changes in the Ping Identity Directory Server.
  • Fixed an issue in which a Directory REST API error response could potentially allow an unauthorized user to determine whether a specified entry existed in the server.
  • Fixed an issue that could cause replication changes to be lost between locations when a remote gateway was in the process of starting or shutting down.
  • Fixed an issue that could cause the default topology admin user to be subject to the default password policy when upgrading the server via manage-profile replace-profile.
  • Fixed a potential memory leak that could occur in the Synchronization Server in certain failover states when using a Kafka destination.
  • Fixed an issue that could result in inconsistency in the metadata for a composite index record. This could cause the server to send errors in response to certain requests, and has the potential to prevent bringing the affected backend online.
  • Fixed an issue that could cause upgrade attempts to fail in servers in which the default userRoot backend had been removed.
  • Fixed an issue that prevented the server from starting when configured to use a third-party key manager provider created using the Server SDK.
  • Fixed an issue in which the Synchronization Server did not always properly encode spaces in HTTP URLs used when communicating with PingOne.
  • Fixed an issue in which an untrusted VLV index could interfere with the server’s ability to process certain kinds of searches.
  • Fixed an issue in which the server did not always properly use the configured substring-index-entry-limit value when maintaining substring attribute indexes.
  • Fixed an issue in which dsjavaproperties did not always properly handle changes to the path to the desired Java runtime.
  • Fixed an issue in which the Directory REST API may not use a configured alternative authorization identity when attempting to access data outside the requester’s backend set in an entry-balanced topology.
  • Updated the server’s default configuration to prevent going into lockdown mode as a result of missed replication changes from obsolete replicas or as a result of null CSNs.
  • Fixed an issue in which the HTTP connection handler’s response-header property was not properly used for certain kinds of error responses.
  • Fixed an issue in which the Directory REST API could incorrectly use less-than-or-equal-to matching when comparing JSON fields in cases where strict less-than matching had been requested.
  • Fixed an issue in which config-diff could report an error when attempting to compare configuration objects with the same name but different types.
  • Fixed an issue in which the Synchronization Server may not properly exclude entries in cases where a configured include-filter targeted a virtual attribute in a NOT component.
  • Fixed a potential null pointer exception that could be raised in the Synchronization Server in certain cases in which an operation failed with no additional information about the cause of that failure.
  • Fixed an issue that could prevent dsreplication enable from reporting a useful error message when it was unable to establish a connection to one of the server instances.
  • Fixed an issue in which isMemberOf values were not automatically updated for groups contained in a subtree that was moved or renamed by a modify DN operation.
  • Fixed an issue that allowed the Directory Proxy Server to be configured with attribute mapping proxy transformations for attribute types that were not defined in the schema.
  • Fixed an issue in which the server could report an incorrect value for the ds-backend-entry-count attribute in the replicationChanges backend monitor entry if a sequence number counter rolled over after reaching its maximum value.
  • Fixed an issue that caused the server to incorrectly indicate that a restart was needed for a change to the LDAP connection handler’s ssl-certificate-nickname property to take effect.
  • Fixed an issue that would cause dsconfig or the admin console to suggest a malformed default value when creating a new dictionary-based password validator.
  • Reduced the number of error messages generated if the server lost connection to a Prometheus server.
  • Updated the server to begin suppressing repeated error log messages of the same type after 200 such messages had been logged, rather than the previous default of 2000.
  • Fixed an issue in which the server could log information about suppressing duplicate alert messages for alert types that had been disabled.
  • Fixed an issue in which the Synchronization Server could incorrectly report errors for all sync pipes when they were only relevant to a single pipe.
  • Fixed an issue in which the server could log an irrelevant error message if it was in the process of receiving mirrored topology data when the server began shutting down.
  • Fixed an issue with an error message that was generated if an HTTP connection handler could not use a configured key manager provider.

UnboundID LDAP SDK for Java 7.0.2

UnboundID LDAP SDK for Java is a Java-based API for interacting with LDAP directory servers and performing other LDAP-related processing. The project has just released version 7.0.2, which includes the following changes:

  • Added support for FIPS 140-3 compliance via the 2.x version of the Bouncy Castle FIPS provider.
  • Added a new PropertyManager mechanism for obtaining property values via system properties or environment variables
  • Fixed a bug in which SSLUtil.certificateToString omitted notBefore and notAfter timestamps
  • Added client-side support for the new to-be-deleted subtree accessibility state in the Ping Identity Directory Server
  • Updated MoveSubtree to support the to-be-deleted subtree accessibility state
  • Added a SubtreeAccessibilityState.isMoreRestrictiveThan method
  • Updated the documentation to include the latest versions of a number of LDAP-related specifications

LDAP Tool Box Service Desk 0.6

The LDAP Tool Box project provides a set of LDAP-related applications, administrative tools, and other utilities. They have just released the 0.6 release of their Service Desk tool, which is a web application for administrators that supports viewing and managing accounts in an LDAP directory server. This release includes the following changes:

  • Added support for Active Directory
  • Fixed an issue that could arise when searching for multiple entries
  • Added the ability to configure a last authentication attribute
  • Added an option for defining a time zone
  • Added the ability to restrict allowed languages
  • Added an option to hide account lock and password expiration panels
  • Added the ability to display the name of an associated password policy subentry
  • Added support for additional password policy attributes from draft-behera-ldap-password-policy
  • Added support for configuring account validity dates
  • Added support for blocking (disabling) accounts
  • Added the ability to display audit log messages
  • Improved autocomplete behavior for password fields
  • Added an option to specify the scope for searches
  • Added an option to control the sort order for multivalued attributes
  • Improved the documentation

Note that features for managing password policy state may only be available for certain types of directory servers.

LDAP Tool Box slapd-cli 3.5

The LDAP Tool Box project provides a set of LDAP-related applications, administrative tools, and other utilities. They have just released version 3.5 of their slapd-cli tools (formerly called openldap-initscript), which provide a set of command-line tools for OpenLDAP. Changes in this release appear to include:

  • Added the ability to change access rights and ownership for LDAPI sockets
  • Improved configuration for multivalued attributes

OpenLDAP 2.6.9 and 2.5.19

The OpenLDAP project has announced the release of versions 2.6.9 and 2.5.19 of their LDAP directory server. Changes included in these releases appear to include:

  • Fixed an issue that prevented modifying cn=schema (version 2.6.9)
  • Fixed a potential memory leak when using the nested groups overlay (version 2.6.9)
  • Fixed an issue with incorrect candidate set merging when using LMDB or WiredTiger databases (both versions)
  • Fixed issues with syncrepl refresh handling (both versions)
  • Fixed regressions in the translucent overlay (both versions)
  • Fixed an issue with incorrect inclusion of nested membership in the memberof attribute (version 2.6.9)
  • Fixed an issue with TLS connection timeout handling in libldap (version 2.6.9)
  • Fixed a libldap issue with an incompatible pointer type when using GnuTLS (both versions)
  • Improved default settings when encoding passwords using Argon2 (both versions)

LdapRecord 3.7.5

LdapRecord aims to provide a simple way to interact with LDAP entries using PHP. The project has released version 3.7.5, which appears to include the following changes:

  • Fixed a potential infinite loop in the LdapRecord\Models\Collection::contains method
  • Added the ability to provide additional control options in the LdapRecord\Query\Builder::orderBy method