UnboundID LDAP SDK for Java 5.1.0
dirmgr released this 17 hours ago · 2 commits to master since this release
UnboundID LDAP SDK for Java version 5.1.0 has been released and is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. The release notes provide a pretty comprehensive overview of the changes since the previous 5.0.1 release, but here’s a summary:
- We fixed an issue in which the JVM-default trust manager did not always correctly handle cross-signed issuer certificates when the presented chain included an expired issuer certificate. It will now check to see if it can build a valid path with an alternate trust anchor.
- We added a new SchemaValidator class that can identify all kinds of problems with LDAP schema definitions. We also provide a new validate-ldap-schema command-line tool that will examine definitions contained in one or more LDIF files and report any problems that it finds.
- We updated the in-memory-directory-server command-line tool to validate any schema definitions provided through the -
useSchemaFileargument. Even if there are problems, the server will still try to use that schema to the best of its ability (as was previously the case). The -doNotValidateSchemaDefnitions argument can be used to disable the new validation if it is not desired.
- We added a new ldappasswordmodify command-line tool that can be used to perform a self password change or an administrative password reset. It supports the password modify extended operation (as described in RFC 3062), and it can also change passwords using a regular LDAP modify operation or using an Active Directory-specific modification.
- We added three new command-line tools for performing operations on data contained in LDIF files:
- The ldifsearch tool can be used to identify entries that match a given set of search criteria.
- The ldifmodify tool can be used to apply a set of add, delete, modify, and modify DN changes to LDIF data.
- The ldif-diff tool can be used to identify differences between data in two provided LDIF files and report the differences in the form of LDIF change records.
- We added a new version of the ldapcompare tool that can be used to perform LDAP compare operations in a directory server. The new version offers a lot of additional functionality like support for performing multiple compare assertions and using a variety of request controls, and it can generate parseable output in tab-delimited text, CSV, or JSON formats.
- We updated the in-memory directory server to make it possible to add custom attributes to the root DSE. While it was already possible to replace the entire root DSE entry with a static entry, this new approach makes it possible to retain some dynamic content (for example, changelog-related attributes) while still customizing other attributes.
- We made several changes in our support for entries with the ldapSubEntry object class:
- We added a new RFC3672SubentriesRequestControl class with support for the LDAP subentries request control as described in RFC 3672.
- The LDAP SDK already had support for an alternate version of the control described in draft-ietf-ldup-subentry through the SubentriesRequestControl class, but that class has been deprecated in favor of a new DraftLDUPSubentriesRequestControl class, which helps avoid confusion with the class that implements the RFC 3672 version of the control. The deprecated class is still fully functional and will be kept to preserve backward compatibility, but we recommend updating code that uses the old class for the sake of clarity.
- The in-memory directory server has been updated with support for the RFC 3672 version of the control. It already had support for the draft-ietf-ldup-subentry version.
- The in-memory directory server has been updated so that it will return entries with the ldapSubEntry object class if the filter includes an “(objectClass=ldapSubEntry)” component.
- The ldapsearch command-line tool has been updated with support for the RFC 3672 version of the LDAP subentries control, using the new -
rfc3672Subentriesargument. It already had support for the draft-ietf-ldup-subentry version of the control through the includeSubentriesargument, and that argument is still available, but we now recommend using -draftLDUPSubentries instead for the sake of clarity.
- We updated the ldapsearch tool to add a new “values-only” output format (as an alternative to the existing LDIF, tab-delimited text, CSV, and JSON output formats). If this output format is selected, then it will only output the values of the requested attributes without any entry DNs or attribute names. This can help extract raw attribute values from a directory server from a script without the need for any additional text processing.
- We updated the ldapsearch tool to add a new --requireMatch argument. If this argument is provided and the search completes successfully but does not return any entries, then the tool will have an exit code of 94 (corresponding to the noResultsReturned result code) rather than zero. This argument does not have any visible effect on the output.
- We updated the round-robin and fewest connections servers sets to expose the blacklist manager that they use to avoid trying to establish connections to servers that are believed to be unavailable.
- We updated the manage-certificates tool to make it easier to list and export certificates from the JVM’s default trust store without needing to know the path to the appropriate file.
- We improved the logic that the LDAP SDK uses when selecting ordering and substring matching rules for ordering operations involving attributes that are defined in the schema but whose definition does not specify an ordering matching rule. It will now try to infer an appropriate ordering matching rule from the equality matching rule before trying other alternatives like inferring a rule from the associated syntax or using a default rule.
- We updated the LDAP command-line tool framework to make it easier and more convenient to communicate securely with the Ping Identity Directory Server (and other related server products). This includes:
- We added a new TopologyRegistryTrustManager class that can use information in the server’s topology registry to determine whether to trust the certificates for instances in the topology.
- If no trust-related arguments are specified when running the tool, it will now check the server’s default trust store and the topology registry to determine whether the presented certificate should be trusted. It will still also check the JVM’s default trust store, and it will still fall back to interactively prompting the user if the certificate cannot be trusted through other means.
- We streamlined the process that LDAP command-line tools use to establish and authenticate connections when run in interactive mode. It will now recommend TLS encryption over unencrypted communication with a simplified set of arguments, and it will recommend simple authentication over unauthenticated connections. Further, when the tool is part of a Ping Identity Directory Server (or related server product) installation, it will read the configuration to determine the appropriate port to suggest when connecting to the server.
- We made several improvements to the summarize-access-log tool that can be used to examine Ping Identity Directory Server access logs. These include:
- You can now customize the maximum number of values to display for each item. It was previously hard-coded to use a limit of 20 values. If any values were omitted, then it will now tell you how many were left out.
- You can now choose to de-anonymize the output to obtain the specific attribute values used in search filters and entry DNs (instead of displaying question marks as placeholders).
- The output will now include information about the most common TLS protocols and cipher suites used for secure communication.
- The output will now include the most common successful and failed bind DNs and the most common authentication mechanisms.
- The output will now include the most common DNs used as alternate authorization identities (e.g., via the proxied authorization request control).
- The output will now include the most common filters used for unindexed searches, the most common base DNs for searches with non-baseObject scopes, the filters for searches taking the longest to complete, and the most common filters for searches returning zero, one, or multiple entries.
- When summarizing the most commonly invoked types of extended operations, the tool will now try to provide a human-readable name for the extended operation in addition to its OID.
- We added client-side support for obtaining password policy state information from the Ping Identity Directory Server’s ds-pwp-state-json virtual attribute.
- We added client-side support for the new populate composed attribute values and generate server profile administrative tasks in the Ping Identity Directory Server.
- We added a new OID.parseNumericOID method that can be used to parse a provided string as a valid numeric object identifier, optionally performing strict validation. If the provided string does not represent a valid numeric OID, then the method will throw an exception with a message that explains the problem.
- We improved the error messages generated for problems that may arise when parsing schema definitions.
- We updated the schema parsing code so that it can now handle schema elements with a description value that is an empty string. Although empty descriptions (or other types of quoted strings) are not permitted in schema element definitions, some servers allow them. Empty descriptions are still not allowed by default, but that behavior can be overridden with a code change or a system property.
- We added a new IA5 string argument value validator that can be used to require that the values of associated arguments are only permitted to contain ASCII characters. The manage-certificates tool has also been updated to provide better validation for certificate components that are required to be IA5 strings, including DNS names and email addresses in the subject alternative name extension.
- We added support for encoding and decoding timestamps in the ISO 8601 format described in RFC 3339.
- We updated the LDAP command-line tool framework so that if the -
help-saslargument is used in conjunction with a -saslOption argument that specifies the name of the SASL mechanism, the output will only include help information for that mechanism.
- We fixed a bug in the StaticUtils.isASCIIString method that caused it to only look at the lowest byte for each character in the provided string.
- We added new ByteStringBuffer utility methods, including getting individual bytes or sets of bytes at a specified position, for determining whether the buffer starts with or ends with a given set of bytes, and for reading the contents of a file or input stream into the buffer.
- We added new StaticUtils convenience methods for reading and writing files as bytes, strings, or lists of lines.
- We added support for new password policy state account usability warning and notice types for the Ping Identity Directory Server. The new types can be used to indicate that the account has too many outstanding authentication failures, but that the server will take some other action (for example, delaying the bind response) instead of completely preventing authentication.
- We fixed an issue in the LDAP SDK’s JSON-formatted debug logging support for debug messages containing exceptions with another exception as the underlying cause.
- We fixed an issue with the command-line tool framework that could prevent it from setting an argument value from a properties file even though that same value would have been permitted if it had been provided directly on the command line.
- We updated the default standard schema provided with the LDAP SDK to include additional attribute syntaxes, matching rule, attribute type, and object class definitions.