UnboundID LDAP SDK for Java 5.1.2

We have just released version 5.1.2 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. The release notes provide a pretty comprehensive overview of what’s changed since the 5.1.1 release, but here’s a summary:

Server-Agnostic Updates

  • We added a new parallel-update command-line tool that can be used to apply changes read from an LDIF file against an LDAP server using multiple concurrent threads.
  • We updated the ldapmodify and ldapdelete tools so that they will now default to retrying failed operations on a newly established connection if the failure suggests that the connection made for the initial attempt is no longer valid. This was previously available through the --retryFailedOperations argument, but it is now the default behavior, and a --neverRetry argument can be used if retry support is not wanted.
  • We added a new OIDRegistry class that provides a registry of object identifiers used in LDAP, including things like schema elements, controls, extended operations, and other sources. Each item in the registry has a name, an OID, and a type, and it may also have an origin string and a URL that may be used to retrieve additional information about the item.
  • We added a new oid-lookup command-line tool that can be used to search the OID registry to find items with a given OID, name, type, or other content.
  • We added a new ldap-result-code command-line tool that can be used to list all defined result codes and search for result codes with a given name or integer value.
  • We updated the LDAP listener framework and the in-memory directory server to support mutual TLS authentication, in which the server requests a certificate chain from the client and validates any chain that the client provides.
  • We updated the logic used to generate temporary self-signed certificates for use by the in-memory-directory-server and ldap-debugger command-line tools so that the certificates will be more acceptable to a wider range of clients. The certificate will now only be valid for one year, as some TLS clients balk at peer certificates with very long lifetimes. The subject alternative name extension will also default to only using canonical host names and IP addresses that are associated with non-loopback interfaces.
  • We added a new argument value validator that can be used to restrict command-line argument values to those that represent valid DNS host names. It can optionally accept or reject values that are numeric IP addresses, can accept or reject unqualified host names, and can accept or reject unresolvable host names.
  • We added a new SASLClientBindHandler class that can be used to invoke SASL bind operations that use a javax.security.sasl.SaslClient object to perform the actual SASL processing. We also added an LDAPConnection.applySASLSecurityLayer method that can be used to add a security layer that has been negotiated with a SaslClient to an established, clear-text connection.
  • We updated the HostNameSSLSocketVerifier to automatically trust any certificate when the client used a loopback IP address (not a host name, even if that name is associated with a loopback interface) as the address for the server. This is in accordance with the W3C Secure Contexts Candidate Recommendation, section 3.2.
  • We updated the HostNameSSLSocketVerifier and TrustAllSSLSocketVerifier classes to implement the javax.net.ssl.HostnameVerifier interface.
  • We updated the LDIF writer to improve human readability for the comments that it can automatically add for base64-encoded values.
  • We updated the manage-certificates command-line tool to add support for a new retrieve-server-certificate subcommand, which will retrieve the certificate chain from a specified server and optionally write a PEM-encoded or DER-encoded representation of the certificate(s) to a specified file.
  • We fixed an issue with the manage-certificates trust-server-certificate command that only caused it to wait for 60 milliseconds rather than the intended 60 seconds when trying to establish a connection to the target server.
  • We updated ldapsearch to add a new “dns-only” output format. If this format is selected, then the output will contain only the DNs of matching entries.
  • We updated support for the OAUTHBEARER SASL mechanism to make it possible to include arbitrary key-value pairs in the SASL credentials.
  • We fixed an issue in the command-line tool framework that affected tools that provide support for automatically writing the output to a file. The output file was never explicitly closed, which could cause problems in cases where the tool was invoked programmatically, and then an attempt was made to subsequently use the output from code in the same JVM.
  • We added a new StaticUtils.isIANAReservedIPAddress method that can be used to determine whether a provided IPv4 or IPv6 address is contained in an IANA-reserved range.
  • We updated the ChangeLogEntry class so that it will fall back to using the includedAttributes attribute if the deletedEntryAttrs attribute does not exist in changelog entries that represent a delete operation.
  • We updated the LDAP SDK’s support for passphrase-based encryption to make it possible to explicitly specify the type of cipher that should be used. Previously, you could only request either a baseline level of protection (which should be available in all supported Java versions) or the strongest supported level of protection (which might not be available in some JVMs).
  • We added a new X.509 trust manager that will never trust any certificate chain. This is primarily intended for testing purposes.
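Several of the items above concern how a client decides whether a TLS endpoint is trustworthy (the HostNameSSLSocketVerifier loopback behavior and the new StaticUtils.isIANAReservedIPAddress method in particular). The following is an added illustration, not code from the release or from the SDK’s own documentation, of how a client might combine them: it refuses to open an LDAPS connection to an IANA-reserved address unless explicitly allowed, trusts only a caller-supplied trust store, and keeps host name verification active by connecting with a host name rather than a loopback IP literal. The method and class names used here exist in the LDAP SDK, but the two-argument form of isIANAReservedIPAddress (address plus a flag for private-use ranges) is assumed from the release notes rather than quoted from them, and all host, port and trust store values are constructed placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.GeneralSecurityException;

import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * Opens an LDAPS connection with host name verification enabled and refuses
 * to connect to IANA-reserved addresses unless the caller explicitly allows it.
 */
public final class StrictLDAPSConnector {

  private StrictLDAPSConnector() {}

  /**
   * Returns true if the address falls in an IANA-reserved range (loopback,
   * link-local, private-use, etc.), which is usually a sign of a
   * misconfigured or spoofed directory endpoint in an external deployment.
   */
  public static boolean isReserved(final InetAddress address) {
    // Assumed signature: (InetAddress, boolean includePrivateUseNetworkAddresses).
    return StaticUtils.isIANAReservedIPAddress(address, true);
  }

  public static LDAPConnection connect(final String host, final int port,
                                       final String trustStorePath,
                                       final boolean allowReservedAddresses)
      throws IOException, GeneralSecurityException, LDAPException {
    // Resolve first so the target can be checked against reserved ranges.
    final InetAddress address = InetAddress.getByName(host);
    if (!allowReservedAddresses && isReserved(address)) {
      throw new LDAPException(ResultCode.CONNECT_ERROR,
          "Refusing to connect to IANA-reserved address " + address.getHostAddress());
    }

    // Trust only the CAs in our own trust store (never TrustAllTrustManager
    // outside of tests).
    final SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
    final SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    // Require the server certificate to match the requested host name, with
    // wildcard certificates disallowed. Connect by host name: per the 5.1.2
    // notes, the verifier automatically trusts any certificate when the
    // client addresses the server by a loopback IP literal.
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false));

    return new LDAPConnection(socketFactory, options, host, port);
  }

  public static void main(final String[] args) throws Exception {
    // Constructed placeholder values; substitute a real endpoint and trust store.
    try (LDAPConnection conn =
             connect("ldap.example.com", 636, "/path/to/truststore.jks", false)) {
      System.out.println("Connected to " + conn.getConnectedAddress());
    }
  }
}
```

The reserved-address check runs before any socket is opened, so a DNS answer that points an external directory name at a loopback or private address fails closed instead of silently landing on the verifier’s loopback auto-trust path; pass `true` for the last argument only for deliberately local setups such as the in-memory directory server used in tests.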

Updates Specific to the Ping Identity Directory Server

  • We added client-side support for a new ds-pwp-modifiable-state-json operational attribute that can be used to retrieve and manipulate a select set of password policy state information in a user’s entry.
  • We added support for a new “remove attribute type” administrative task that can be used to safely remove an attribute type definition from the server schema.
  • We added client-side support for interacting with passwords encoded with the new AES256 password storage scheme.
  • We updated the Filter.matchesEntry method to add limited support for extensible matching filters that contain both an attribute type and a matching rule ID, when the dnAttributes flag is not set, and when the matching rule ID targets the jsonObjectFilterExtensibleMatch matching rule.
  • We updated the uniqueness request control to make it possible to indicate whether the server should raise an administrative alert if it detects a conflict during the post-commit validation phase.
  • We updated the uniqueness request control to make it possible to indicate that the server should create a temporary conflict prevention details entry before beginning pre-commit processing as a means of better preventing conflicts that arise from concurrent changes in different servers.
  • We deprecated support for interactive transactions, whose use has been discouraged for many releases, and for which server-side support is being removed.