OpenLDAP 2.6 Long-Term Support Announcement

The OpenLDAP project has announced that the 2.6 series of the server has entered the long-term support (LTS) phase. It is expected to remain supported for the next five years, but new releases in the series will contain only fixes, not new features. New features will now be introduced in 2.7 releases, and the first release in that series is expected this fall.

The 2.5 release series is in its end-of-life phase. It will continue to receive fixes for critical issues for the next two years, but users should upgrade to the 2.6 or 2.7 series before it becomes unsupported.

LDAP Tool Box Self Service Password 1.6.1

The LDAP Tool Box project provides a set of LDAP-related applications, administrative tools, and other utilities. They have just released version 1.6.1 of their Self Service Password tool, which is a PHP application that allows users to change their password in an LDAP directory. Changes in this release appear to include:

  • Fixed an issue that prevented installing the application on Rocky Linux
  • Fixed a warning message about an uninitialized variable when using sendsms
  • Suppressed warning log messages that may appear by default
  • Added documentation about displaying computed entropy for a proposed password

Ping Identity Directory Server 10.1.0.0

Ping Identity Directory Server version 10.1.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Added the ability to include presence components in composite index filter patterns
  • Added the ability to include approximate-match components in composite index filter patterns
  • Added the ability to include static equality components in composite index filter patterns
  • Added the ability to stream search results directly from a composite index
  • Added support for caching the candidate set for searches using the simple paged results control
  • Improved Directory Proxy Server’s handling of requests with the simple paged results control
  • Updated the access control handler to provide enhanced support for controlling which attributes may be included in add requests
  • Added support for a verify password extended operation
  • Added support for collation matching rules for improved extensible matching support for non-English values
  • Added a new compare-ldap-schemas tool
  • Reduced the performance impact of exploded index cleanup
  • Improved warnings about high index entry limits for attribute indexes
  • Improved overall write performance and reduced the number of outliers for write operations with higher response times
  • Improved performance when applying changes via replication
  • Improved performance when retrieving the database environment monitor entry
  • Improved the efficiency of replicating server schema information between servers
  • Reduced the default size of messages used in the course of monitoring replication
  • Reduced the amount of memory that the server needs to cache information about dynamic groups
  • Enabled the expensive operations logger by default so that information about any operations taking longer than 1 second to complete will be written to logs/expensive-ops
  • Added the ability to include extended information about the associated connection in access log messages about requested operations
  • Added the ability to exclude certain kinds of messages from the server error log, based on message category, severity, message ID, and message content
  • Added the ability to define Prometheus metrics for Boolean monitor attributes by using a value of 1 for true and 0 for false
  • Improved the logic used to determine whether a given replica should be considered obsolete
  • Added an --ignoreDuplicateAttributeValues argument to the import-ldif command, which will allow it to successfully import entries that have duplicate values for the same attribute (with only one copy of each attribute value)
  • Updated the interactive setup process so that when asking about whether to prime the contents of the backend into the cache during server startup, the default response has been changed from enabling priming to disabling priming
  • Updated the server so that it will now only retain the last 100 copies of former configurations by default
  • Added a new repair-topology-listener-certificates tool that can be used to recover from issues related to improperly updating certificates that the server uses for TLS communication
  • Improved the efficiency of the Directory Proxy Server’s replication backlog health check
  • Updated the export-reversible-passwords tool to make it possible to include only entries below a specified set of base DNs, or to exclude entries from a specified set of base DNs
  • Added a subtree-modify-dn-size-limit property to the backend configuration that can be used to limit the size of subtree move and rename operations, and these operations are now limited by default to subtrees with no more than 100 entries
  • Added the ability to specify the key wrapping transformation that the PKCS #11 cipher stream provider should use to protect the contents of the encryption settings database
  • Updated the Synchronization Server to support synchronizing USER.LOCKED and USER.UNLOCKED events from the PingOne service
  • Added the ability to obscure sensitive producer property values when using the Kafka sync destination
  • Fixed an issue that could cause inconsistency in entryUUID values across replicas in servers configured with a custom password validator created with the Server SDK
  • Fixed an issue that could allow insufficiently authorized clients to use the get password policy state issues request control through the Directory Proxy Server
  • Fixed an issue in which manage-profile replace-profile could apply configuration changes in an incorrect order
  • Fixed an issue that could cause dsreplication status to fail after disabling replication
  • Fixed an issue that could cause dsreplication enable to report an error when run in interactive mode
  • Fixed an issue that could cause the server to store multiple duplicate copies of the values of some attributes in which the associated attribute type has one or more subordinate types
  • Fixed an issue that could prevent the server from adding real attribute values to a replicated entry that already had virtual values for the same attribute
  • Fixed an issue that could prevent the server from adding or modifying entries that matched the criteria for an untrusted composite index if debug logging was enabled
  • Fixed an issue that prevented the server from properly using a virtual list view index to process an applicable search using an extensible matching filter
  • Fixed an issue in which the server could have incorrectly reported that the underlying JVM did not provide support for strong encryption (e.g., 256-bit AES)
  • Fixed an issue that could result in increased memory pressure, and potential out-of-memory errors, when running in FIPS-compliant mode as a result of a quirk in the Bouncy Castle implementation for the AES cipher
  • Fixed an issue that could cause the server to add duplicate entries to the configuration when setting up the server in FIPS 140-2-compliant mode
  • Fixed a rare issue in which the server could report an error on startup when one or more replicas were not online
  • Fixed an issue in which the Synchronization Server would not properly encode certain UTF-8 characters when constructing a URI for interacting with a source or destination server
  • Fixed an issue in which the Synchronization Server could incorrectly omit certain attributes when synchronizing from the PingOne service while using the modified-attributes-only mode
  • Fixed an issue in which the Synchronization Server could incorrectly omit certain escape characters in search filters sent to the PingOne service
  • Fixed an issue in which the Active Directory Password Synchronization Agent did not properly handle the case in which multiple users in a forest had the same sAMAccountName
  • Cleaned up an error message that may be used when attempting to generate a Delegated Admin report with an invalid SCIM filter

UnboundID LDAP SDK for Java 7.0.1

UnboundID LDAP SDK for Java is a Java-based API for interacting with LDAP directory servers and performing other LDAP-related processing. The project has just released version 7.0.1, which includes the following changes:

  • Added a new LDAP connection pool health check that can be used to replace idle connections
  • Improved the concurrency of the in-memory directory server
  • Added new methods for creating string representations of substring assertions
  • Added the ability to use an alternative provider with file-based key and trust managers, and added the ability to access non-FIPS-compliant key stores when running in FIPS-compliant mode
  • Fixed an issue in which buffering could delay writes to the parallel-update reject file
  • Fixed an issue in which programmatically invoking manage-certificates could prevent it from accessing the JVM-default trust store in FIPS-compliant mode
  • Added debug logging support to the command-line tool framework
  • Added an option to log JSON-formatted debug messages using a multi-line representation
  • Added client-side support for a verify password extended request offered by the Ping Identity Directory Server
  • Updated the OID registry to include the OIDs for a number of collation matching rules

LDAP Tool Box slapd-cli 3.4

The LDAP Tool Box project provides a set of LDAP-related applications, administrative tools, and other utilities. They have just released version 3.4 of their slapd-cli tools (formerly called openldap-initscript), which provide a set of command-line tools for OpenLDAP. Changes in this release appear to include:

  • Added support for restoring data and configuration without restarting the service
  • Improved systemd support to allow running multiple OpenLDAP instances
  • Fixed an issue that could affect proper evaluation of contextcsn values
  • Added a means of getting the OpenLDAP server version

OpenLDAP 2.6.8 and 2.5.18

The OpenLDAP project has announced the release of versions 2.6.8 and 2.5.18 of their LDAP directory server. Changes included in these releases appear to include:

  • Fixed an issue with clients crashing or exiting after using a TLS-based connection (both versions)
  • Fixed a client issue with channel binding on connections secured with certain EC certificates (both versions)
  • Fixed an issue with peercred authentication for accounts with very large uid or gid values (both versions)
  • Fixed an issue that could cause back-meta to hang when using the dynlist overlay (both versions)
  • Fixed an issue that could prevent back-meta from proxying internal operations (both versions)
  • Fixed a potential crash that could occur when abandoning a search operation with dynlist enabled (both versions)
  • Fixed a potential crash that could occur if internal operations are attempted during early startup (both versions)
  • Fixed a potential crash when trying to use the constraint overlay with a DN-based filter (version 2.6.8)
  • Fixed an asyncmeta issue when adding a new target via cn=config (version 2.6.8)
  • Moved nested group support to its own overlay (version 2.6.8)
  • Fixed an issue in which memberof values might not be created when member entries were added to the directory after they had already been listed as members of the group (version 2.6.8)
  • Added an alias overlay (version 2.6.8)

389 Directory Server 3.1.0

The 389 Directory Server project has released version 3.1.0. Some of the changes in this release appear to include:

  • Fixed an issue that could prevent creating entries with long RDNs
  • Fixed an issue in which Cockpit could crash when getting replication status
  • Fixed an issue in which the server could ignore file descriptor configuration during startup
  • Fixed a warning about using dscreate with a non-root user in SELinux
  • Added a dscontainer stop function
  • Added support for using dscreate in kickstart installations
  • Improved error logging when running out of memory
  • Improved performance for creating and removing instances