OpenLDAP 2.5.6

The OpenLDAP project has announced the release of version 2.5.6 of their LDAP directory server. Changes in this release include:

  • Fixed a potential buffer overflow in the LDAP client library
  • Fixed a potential crash when updating the configuration
  • Fixed a case in which an acquired lock may not have been released
  • Fixed an issue with the configuration of the LDAP load-balancer component
  • Fixed an issue in which removing a configuration attribute did not reset the property to its default value
  • Fixed an issue that could arise when using TCP wrappers with IPv6 connections

LdapRecord 2.6.0 and 2.6.1

LdapRecord aims to provide a simple way to interact with LDAP entries using PHP. The project has released versions 2.6.0 and 2.6.1. Changes included in these releases are:

  • Added a getObjectGuidKey method (version 2.6.0)
  • Added multi, rdns, and head methods for working with DNs (version 2.6.0)
  • Fixed an issue with the way that LDAP options are applied (version 2.6.0)
  • Fixed an infinite loop when accessing entries with circular relationships (version 2.6.1)

Apache Directory Studio 2.0.0-M17

The Apache Directory Project has announced the release of the Apache Directory Studio version 2.0.0-M17. According to the release notes and a CVE announcement, this release appears to include the following changes:

  • Fixed an issue in which StartTLS encryption was not applied when using SASL authentication
  • Fixed an issue in which SASL confidentiality was not applied
  • Fixed an issue in which GSSAPI authentication may fail
  • Fixed an issue in which a deleted entry may be kept in the cache
  • Fixed an issue that could prevent creating an entry with a mandatory binary attribute
  • Fixed an issue with an attempt to communicate through a SOCKS proxy
  • Fixed an issue with displaying naming contexts
  • Fixed an issue with missing information in search logs and modification logs views
  • Fixed an “illegal reflective access” warning message on startup

LdapRecord 2.5.4

LdapRecord aims to provide a simple way to interact with LDAP entries using PHP. The project has released version 2.5.4, which includes the following updates:

  • Fixed an issue with pagination requests
  • Fixed an issue with the DistinguishedNameBuilder
  • Added a ConnectionManager class and moved some Container methods into it

Apache Directory LDAP API 2.1.0

The Apache Directory Project has announced the release of the Apache Directory LDAP API version 2.1.0. This release appears to include the following changes:

  • Fixed an issue in which StartTLS may not be properly used to secure communication in all cases in which it is requested
  • Enabled support for TLSv1.3 by default
  • Added support for SASL integrity and confidentiality
  • Added support for the LDAP relax rules control as described in draft-zeilenga-ldap-relax-03
  • Updated the method used to retrieve a server’s root DSE so that it requests all user and operational attributes

LdapRecord 2.5.1 and 2.5.2

LdapRecord aims to provide a simple way to interact with LDAP entries using PHP. The project has released versions 2.5.1 and 2.5.2. Changes included in these releases are:

  • Fixed an issue with caching search results (version 2.5.1)
  • Added the ability to chunk relationship queries (version 2.5.1)
  • Fixed an issue with validating integer options (version 2.5.2)

389 Directory Server 2.0.6

The 389 Directory Server project has released version 2.0.6. Some of the changes in this release appear to include:

  • Fixed a potential crash in disk monitoring code
  • Fixed a potential crash and other issues resulting from a replication plugin name change
  • Fixed a potential crash resulting from a manual edit to the referential integrity log file
  • Fixed a memory management issue in dbscan
  • Fixed an issue in which the use of ACIs based on the client IP address could cause the server to classify a connection as used for replication
  • Fixed an issue in which temporary password rules are not used in conjunction with a local password policy
  • Fixed an issue in the retro changelog plugin when configured to exclude attributes
  • Fixed an issue that could cause tasks to hang
  • Fixed an issue that could cause ldapsearch to fail when multiple empty attribute descriptions were requested
  • Improved SASL logging
  • Added CLI support for temporary password rules

Ping Identity Directory Server 8.3.0.0

Ping Identity Directory Server version 8.2.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

Summary of Deprecated Functionality

  • Deprecate support for TLSv1 and TLSv1.1
  • Deprecate support for TLS cipher suites using SHA-1
  • Deprecate support for TLS cipher suites using RSA key exchange
  • Deprecate support for incremental backups

Summary of New Features and Enhancements

  • Add support for a FIPS 140-2-compliant mode
  • Add support for passphrase providers
  • Improve auditability for SCIM2 requests
  • Add support for join virtual attribute types
  • Add support for Admin Console SSO with alternative OpenID Connect providers
  • Add Admin Console support for collect-support-data and manage-profile generate-profile
  • Add a “must change password” account status notification type
  • Include an appropriate diagnostic message when successfully authenticating with an account in a “must change password” state
  • Allow updating ds-pwp-modifiable-state-json with other attributes and in transactions
  • Fix an issue preventing ds-pwp-modifiable-state-json from being updated in a multi-update extended operation
  • Add support for an AWS Secrets Manager cipher stream provider
  • Add support for dynamically loading a PKCS #11 provider
  • Add manage-certificates support for PKCS #11 key stores
  • Add support for setting up the server with certificates provided in PEM files
  • Add support for including custom tags in StatsD metric messages
  • Allow providing a JVM options cache for improved setup performance
  • Make manage-profile replace-profile more efficient when applying changes that require administrative actions
  • Reduce unnecessary escaping for non-ASCII characters in DNs
  • Reduce memory requirements for many command-line tools
  • Improve logging for multi-update extended operations
  • Include the Bouncy Castle library by default
  • Improve Admin Console logging when running in an external container
  • Add a remove-object-class-from-schema tool
  • Improve LDIF import performance and reduce the number of intermediate index files
  • Improve delete and modify performance with very large composite indexes
  • Improve performance for searches targeting dynamic groups via isMemberOf
  • Improve bind performance through the Directory Proxy Server in environments with many dynamic groups
  • Improve performance for very large exploded indexes when the index entry limit has been exceeded
  • Allow the purge expired data plugin to use multiple threads
  • Improve dbtest output for several subcommands
  • Minimize the conflict prevention details entry created for the uniqueness request control
  • Add an oid-lookup command-line tool
  • Add global ACIs for the LDAP assertion and permissive modify request controls
  • Allow forwarding the assured replication request control through the Directory Proxy Server by default
  • Allow the operation purpose request control to be used for operations in a transaction
  • Add support for alternative output formats in the ldap-result-code tool

Summary of Bug Fixes

  • Fix an issue that could allow users in a “must change password” state to issue requests
  • Prevent warning messages for unrecognized JVM vendors
  • Fix an issue that could prevent ds-pwp-modifiable-state-json changes from being replicated right away
  • Improve the logic for maintaining the entry-balancing global index
  • Fix an issue that could prevent setting up the server on old JVMs without support for 256-bit AES
  • Fix an issue that could interfere with manage-profile replace-profile when using a StatsD monitoring endpoint
  • Avoid entering lockdown mode when incorrectly believing that there were missed replication changes
  • Improve replication for dependent changes that may be received out of order
  • Fix an issue with incorrectly reporting that certain filters were not indexed
  • Prevent dsreplication status from listing offline servers under incorrect domains
  • Allow configuring cipher stream providers in Directory Proxy Server, Synchronization Server, and Metrics Engine
  • Fix an issue preventing manage-profile replace-profile from updating mirrored configuration
  • Prevent offline config change warnings when using manage-profile replace-profile
  • Update manage-profile replace-profile to preserve setup logs
  • Improve validation and behavior when configuring an explicit set of TLS cipher suites
  • Improve manage-profile replace-profile detection of changes to files not included in the server profile
  • Fix an issue when trying to update a topology server group with a server that already exists in that group
  • Fix issues with import-ldif with --addMissingRDNAttributes
  • Fix an issue with dsjavaproperties with --initialize and --jvmTuningParameter
  • Fix an issue that could prevent Sync failed ops log publishers from being removed
  • Improve the result code when trying to add an entry through the Directory Proxy Server when no backend servers are available or when adding entries with missing parents
  • Fix a potentially incorrect warning about duplicate jar files detected during startup
  • Fix an issue that could prevent Server SDK plugins from seeing all content in an add operation
  • Avoid a potential reverse DNS warning message during setup
  • Fix an issue that could cause the server to provide an incorrect estimate for the number of entries matching a filter using a composite index
  • Improve prompts when using dsreplication in interactive mode