UnboundID LDAP SDK for Java 4.0.10

We have just released version 4.0.10 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository, from the Files page of our SourceForge repository, and from the Maven Central Repository.

By the way, this is the first release that has been built from the public GitHub repository. All previous releases were built from an internal subversion repository that had been kept in sync with the GitHub repository. The only visible evidence of this change should be in the com.unboundid.ldap.sdk.Version class, where the REVISION_NUMBER constant (which has been deprecated for a couple of years) now has an integer value of -1 instead of the subversion revision number, and the REVISION_ID constant (which is the preferred replacement for REVISION_NUMBER) now reflects the GitHub commit digest (“b2272901fd62ad978017ff1aeb049cafc1999b12” for the 4.0.10 release) instead of the internal subversion revision number.

The most significant changes included in this release are:

  • Fixed a bug in generating the normalized string representation of an RDN with multiple values that have the same attribute type (for example, “cn=foo+cn=bar”). In such cases, the normalized representation would only have contained one value with that attribute type, and any other values with the same attribute type would have been incorrectly omitted. Further, because the normalized string representation of an RDN is used for other purposes (for example, determining equality and comparator ordering), this may fix other related issues as well.
  • Added methods for improved DN and RDN validation that make it possible to require attribute names to strictly comply with the requirements of the LDAP specification. Previously, the methods for creating and validating DNs and RDNs were always lenient with what they would allow (for example, allowing attribute names with underscores) since some servers are lenient in this regard. The existing methods are still lenient by default for the sake of backward compatibility, but there is now an option to require strict compliance with the specification.
  • Improved support for TLS version 1.3 in JVMs that support it (which should be Java 11 and higher). The LDAP SDK will now automatically enable support for TLSv1.3 if it is available, and will prefer that protocol if the server also supports it, but it can still fall back to an earlier protocol version (TLSv1.2, TLSv1.1, or TLSv1, whichever is the highest version that the server supports) if necessary. As before, the default set of TLS protocols can be overridden programmatically by calling methods in the com.unboundid.util.SSLUtil class or by setting system properties.
  • Updated the process for establishing a secure connection so that it immediately starts the TLS handshake on the socket, rather than waiting for it to happen on the first attempt to communicate over the connection. This can help ensure that the connection is ready to use more quickly, and can help avoid timing issues in certain cases where the prompt trust manager is used in interactive applications that may prompt for other user input.
  • Updated the in-memory-directory-server command-line tool to add support for a number of new arguments, including --generateSelfSignedCertificate, --maxConcurrentConnections, --sizeLimit, --passwordAttribute, --defaultPasswordEncoding, --allowedOperationType, and --authenticationRequiredOperationType.
  • Updated the ldap-debugger tool to add a --generateSelfSignedCertificate argument. If the tool is configured to listen using SSL, then this argument can be given as an alternative to the --keyStorePath argument to indicate that the tool should generate its own self-signed certificate instead of requiring the user to supply a certificate.
  • Updated the ResultCode.isConnectionUsable method so that UNWILLING_TO_PERFORM is no longer included in the set of result codes that will cause the LDAP SDK to suspect that the connection may no longer be usable. Although it is possible that the connection may have become invalid, there are plenty of reasons that an LDAP server may return an UNWILLING_TO_RETURN response for a connection that remains completely usable. Since isConnectionUsable is often used to decide whether to keep the existing connection or throw it away and replace it with a new one, being too prone to indicate that a connection is no longer usable can adversely impact application performance and increase load on the directory server.
  • Added a new API that can be used to change the way that the LDAP SDK resolves names to IP addresses, and IP addresses to names. The default implementation simply uses the JVM’s standard name resolution methods, but a caching name resolver implementation is also provided that can offer better performance and better resilience against name service outages.
  • Added a new PasswordFileReader class that makes it easier to read a password from a file. The password files may optionally be gzip-compressed and/or passphrase-encrypted, and the reader validates that the file contains exactly one line and that the line is non-empty. All command-line tools now have access to a password file reader, and LDAP SDK tools that can read passwords from files have been updated to take advantage of it.
  • Updated the command-line tool framework so that tools that support reading argument values from properties files can now handle the case in which the properties file is gzip-compressed and/or passphrase-encrypted.
  • Fixed a potential null pointer exception in ArgumentParser.toString that could arise if the parser was created through serialization and there were not any additional description paragraphs. Also, eliminated an unnecessary quotation mark in the generated string representation.
  • Updated the ldapsearch and ldapmodify command-line tools to add support for the get backend set ID and get server ID request controls (which can be used to obtain information from a Ping Identity Directory Server or Ping Identity Directory Proxy Server about which entry-balancing sets or which server instances were used to process a request), and for the route to backend set and route to server request controls (which can be used to request that the Ping Identity Directory Proxy Server route the request to a specific group of entry-balancing backend sets or to a specific backend server).
  • Updated LDAP command-line tools to support authentication with the UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
  • Added StaticUtils convenience methods for creating maps and sets with predefined sets of elements.
  • Updated the LDIF writer to make its user-friendly display of base64-encoded values more filter-friendly. The LDIF writer has a feature that allows it to automatically include a comment below a base64-encoded value that tries to display a more human-readable version of that value, but with special characters escaped. In most cases, that more human-readable value could have been directly copied into the string representation of a search filter, but there were previously some cases where that was not true (for example, cases where the raw value included parentheses, an asterisk, a horizontal tab, a carriage return, or a line feed).
  • Updated the UniquenessResponseControl class to add convenience methods to help make it easier to interpret the response. Updated the UniquenessRequestControl class to add an example to the class-level Javadoc documentation.