Releases: pingidentity/ldapsdk
UnboundID LDAP SDK for Java 7.0.1
We have just released version 7.0.1 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for this release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- We added a new MaximumIdleDurationLDAPConnectionPoolHealthCheck class that can be used to replace connections that have remained idle for longer than a specified length of time. We generally recommend setting a maximum connection age for the pool so that connections are automatically replaced after a given amount of time regardless of their activity, but the new health check can be used as an alternative if you want to keep active connections around as long as possible while also ensuring that idle connections are closed by the LDAP SDK before they might be closed by the LDAP server or by intermediate network equipment.
- We updated the in-memory directory server to improve its concurrency when processing operations that don’t need to make changes to the data, including binds, searches, and compares.
- We added new Filter.createSubstringAssertion methods that can be used to create properly encoded string representations of substring assertions. This can be particularly helpful when you want to create an extensible matching filter using a substring matching rule.
- We updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it possible to use an alternative security provider when accessing the associated key or trust store. We’ve also made it possible to indicate whether the LDAP SDK should be allowed to access non-FIPS-compliant key stores when operating in FIPS 140-2-compliant mode.
- We fixed an issue in which the parallel-update tool would use an in-memory buffer to hold information to write to the reject file, but it would not automatically flush that buffer when changes were rejected. In some cases, this could introduce a significant delay between the time that a change was rejected and the time that a record of it was written to the specified log file.
- We fixed an issue with the manage-certificates tool that could prevent it from accessing the JVM’s default trust store in cases where the LDAP SDK is operating in FIPS 140-2-compliant mode and the tool is invoked programmatically (as opposed to running it from the command line).
- We updated the command-line tool framework to make it possible for tools to expose arguments for generating a debug log file. All of the tools included with the LDAP SDK have been updated to provide this option, and you can use the --help-debug argument to see the applicable arguments.
- We updated the debug logging framework to make it possible to write debug messages, which are formatted as JSON objects, using a multi-line representation rather than the default single-line representation. People looking at the log messages may find the multi-line format easier to read.
- We added a new StaticUtils.setSystemPropertyIfNotAlreadyDefined method that can be used to set the value of a specified system property in the JVM, but only if it’s not already set (in which case its current value will be preserved).
- We added client-side support for a new “verify password” extended request in the Ping Identity Directory Server that properly authorized clients (under a restricted set of circumstances) can use to determine whether a given password is valid for a specified user without performing any other password policy processing.
- We updated the OID registry to include records for a number of collation matching rules supported in the Ping Identity Directory Server, ForgeRock OpenDJ, Oracle OUD, and other servers.
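The following is an added example, not code from the release notes or from the LDAP SDK itself, showing how the idle-duration health check described above fits together with the recommended maximum connection age. It uses the SDK’s in-memory directory server as a constructed, offline fixture; the base DN and credentials are made up, and the two-argument (value, TimeUnit) constructor of MaximumIdleDurationLDAPConnectionPoolHealthCheck is an assumption about the 7.0.1 API.

```java
import java.util.concurrent.TimeUnit;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.MaximumIdleDurationLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;

public final class IdleConnectionPoolExample
{
  // Builds a pool whose idle connections are replaced by the SDK instead of
  // being silently dropped by a server or firewall idle timeout.
  public static LDAPConnectionPool createPool(
                     final LDAPConnection initialConnection,
                     final long maxIdleMinutes)
         throws Exception
  {
    // One connection now, up to four as demand grows.
    final LDAPConnectionPool pool =
         new LDAPConnectionPool(initialConnection, 1, 4);

    // Keep the recommended upper bound on connection lifetime regardless of
    // activity, so connections still get rebalanced after a server restart.
    pool.setMaxConnectionAgeMillis(TimeUnit.HOURS.toMillis(1L));

    // Assumed constructor signature: (duration value, time unit). A connection
    // that has been idle longer than this is treated as invalid and replaced.
    pool.setHealthCheck(new MaximumIdleDurationLDAPConnectionPoolHealthCheck(
         maxIdleMinutes, TimeUnit.MINUTES));

    // Background health checks run at this interval. Keep it well below the
    // server's own idle timeout so the SDK closes the connection first.
    pool.setHealthCheckIntervalMillis(TimeUnit.SECONDS.toMillis(30L));
    return pool;
  }

  public static void main(final String... args) throws Exception
  {
    // Constructed fixture: an in-memory directory server with a made-up
    // base DN and bind credentials, so the example runs offline.
    final InMemoryDirectoryServerConfig config =
         new InMemoryDirectoryServerConfig("dc=example,dc=com");
    config.addAdditionalBindCredentials("cn=Directory Manager", "password");
    final InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
    ds.startListening();
    ds.add("dn: dc=example,dc=com",
           "objectClass: top",
           "objectClass: domain",
           "dc: example");

    final LDAPConnectionPool pool = createPool(ds.getConnection(), 5L);
    try
    {
      // Each operation checks a connection out, uses it, and returns it.
      final SearchResult result = pool.search("dc=example,dc=com",
           SearchScope.BASE, "(objectClass=*)", "1.1");
      System.out.println("Entries returned: " + result.getEntryCount());
      System.out.println("Pool statistics: " +
           pool.getConnectionPoolStatistics());
    }
    finally
    {
      pool.close();
      ds.shutDown(true);
    }
  }
}
```

The health-check interval is the important tuning knob: the check can only close an idle connection before the server or a middlebox does if it runs more often than their idle timeouts fire.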
UnboundID LDAP SDK for Java 7.0.0
We have just released version 7.0.0 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for this release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- The LDAP SDK now requires Java 8 or later. Java 7 is no longer supported.
- We improved the behavior of LDAP connection pools when they are configured to invoke a health check when checking out a connection from the pool. Previously, if a connection was found to be invalid during checkout, the LDAP SDK would create a new connection to replace it, but would continue iterating through other connections in the pool trying to find an existing valid connection. It will now return the newly created connection immediately without checking other existing connections, which can substantially reduce the time to check out a connection in a scenario where many connections have been invalidated (e.g., by a server shutdown).
- We added a new compare-ldap-schemas command-line tool that can be used to identify differences between the schemas of two LDAP servers.
- We improved the behavior that the LDAP SDK uses when authenticating with the GSSAPI SASL mechanism. Previously, if you didn’t explicitly provide a JAAS configuration file to use for the attempt, the LDAP SDK would create a new one for each bind attempt. This would create a lot of temporary files that would need to be cleaned up when the JVM exited, and they might not get cleaned up properly if the JVM exits abnormally (e.g., if it’s killed or if it crashes). It would also require a small amount of additional memory for each bind attempt, since it has to remember another file to be deleted. Now, the LDAP SDK will be able to reuse the same generated configuration file for all GSSAPI bind requests that use the same JAAS settings, which will slightly improve performance, reduce memory usage, and reduce disk space consumption.
- We added experimental client-side support for the relax rules control as defined in draft-zeilenga-ldap-relax-03. This draft doesn’t specify an OID for the control, but at least a couple of servers (OpenLDAP and ForgeRock OpenDJ) have implemented support for the control with an OID of 1.3.6.1.4.1.4203.666.5.12, so the LDAP SDK uses that OID for the control.
- We added client-side support for a number of proprietary controls used by the ForgeRock OpenDJ directory server. These include:
  - A transaction ID request control, which can be included in an operation request to provide a transaction ID that will appear in the access log message for that operation.
  - A replication repair request control, which can be included in a write request to indicate that the associated change should not be replicated.
  - Change sequence number request and response controls, which can be used with a write operation to obtain the replication CSN that the server assigned to that operation.
  - An affinity request control, which can be included in related requests sent through an LDAP proxy server to consistently route them to the same LDAP server instance.
- We added connection pool health checks for use in conjunction with the Ping Identity Directory Server, including:
  - One that will attempt to determine whether there are any active alerts in the server that cause it to consider itself to be either degraded or unavailable.
  - One that will assess the replication backlog and can consider a server unavailable if it has too many outstanding changes, or if the oldest outstanding change was originally processed too long ago.
  - One that will attempt to determine whether the server is in lockdown mode.
- We updated the CryptoHelper class to add convenience methods for generating SHA-256, SHA-384, and SHA-512 digests from byte arrays, strings, and files. There are also generic versions of these methods that can be used with user-specified digest algorithms.
- We added methods for normalizing JSON values and JSON object filters. This makes it possible to compare two JSON object filters to determine whether they are equivalent.
- We updated the BouncyCastleFIPSHelper class to add a constant with the name of a system property that can be used to enable support for the MD5 digest algorithm, which may be needed if you’re using the 1.0.2.4 or later version of the bc-fips jar file and need to use the MD5 message digest for some reason.
- We updated the documentation to include new and updated versions of a number of LDAP-related Internet Drafts, including:
UnboundID LDAP SDK for Java 6.0.11
We have just released version 6.0.11 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository.
Note that this is the last release of the LDAP SDK that will offer support for Java 7. As of the next release (which is expected to have a version of 7.0.0), the LDAP SDK will only support Java 8 and later.
You can find the release notes for the 6.0.11 release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- We updated the ldapsearch and ldapmodify command-line tools to provide better validation for the --proxyAs argument, which includes the proxied authorization v2 request control in the requests that they issue. Previously, they would accept any string as the authorization ID value, but they will now verify that it is a valid authorization ID using the form “dn:” followed by a valid DN or “u:” followed by a username.
- We updated the Filter class so that the methods used to create substring filters are more user-friendly when the filter doesn’t contain all types of components. Previously, a substring component had to be null if that component wasn’t to be included in the filter, and an invalid filter would be created if the component was provided as an empty string. Components provided as empty strings will now be treated as if they had been null.
- We updated the logic that the LDAP SDK uses to pare entries down to a specified set of attributes (including in the in-memory directory server and the ldifsearch command-line tool) to improve its behavior if it encounters an entry with a malformed attribute description (for example, one that contains characters that aren’t allowed). Previously, this would result in an internal error, but it will now make a best-effort attempt to handle the invalid name.
- We updated the TimestampArgument class to allow it to accept timestamps in the ISO 8601 format described in RFC 3339 (e.g., 2023-11-30T01:02:03.456Z). Previously, it only accepted timestamps in the generalized time format (or a generalized time representation that didn’t include any time zone information, which was treated as the system’s local time zone).
- We updated the JSONBuffer class to add an appendField method that can be used to append a generic field without knowing the value type. Previously, it only allowed you to append fields if you knew the type of the value.
- We added new BinarySizeUnit and DecimalSizeUnit enums that can be used when dealing with a quantity of data, like the size of a file or the amount of information transferred over a network. Each of the enums supports a variety of units (bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes, zettabytes, and yottabytes), but the BinarySizeUnit variant assumes that each subsequent unit is 1024 times greater than the previous (e.g., one kilobyte is treated as 1024 bytes), while DecimalSizeUnit assumes that each subsequent unit is 1000 times greater than the previous (e.g., one kilobyte is treated as 1000 bytes).
- We updated the client-side support for invoking the LDIF export administrative task in the Ping Identity Directory Server to include support for activating one or more post-LDIF-export task processors, which can be used to perform additional processing after the data is successfully exported.
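The following is an added example, not code from the release notes or from the LDAP SDK, of the same kind of authorization ID validation that the --proxyAs change above describes, applied in application code before a proxied authorization v2 control is attached to a request. DN.isValidDN, ProxiedAuthorizationV2RequestControl and SearchRequest are real SDK APIs; the sample authorization IDs and base DN are constructed, and rejecting an empty DN after “dn:” (which RFC 4513 would read as the anonymous identity) is a choice made here, not something the tools are documented to do.

```java
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;

public final class AuthorizationIDCheck
{
  // Accepts only the two RFC 4513 authorization ID forms: "dn:" followed by
  // a DN, or "u:" followed by a user name. Anything else is rejected before
  // it is ever sent to the server.
  public static String requireValidAuthorizationID(final String authzID)
  {
    if (authzID == null)
    {
      throw new IllegalArgumentException("Authorization ID must not be null.");
    }

    if (authzID.startsWith("dn:"))
    {
      final String dn = authzID.substring(3);
      // DN.isValidDN accepts the empty DN, which denotes the anonymous
      // identity. That is rejected here as well, since proxying a request as
      // anonymous is almost never what the caller intends.
      if (dn.isEmpty() || !DN.isValidDN(dn))
      {
        throw new IllegalArgumentException("Authorization ID '" + authzID +
             "' does not contain a valid DN.");
      }
      return authzID;
    }

    if (authzID.startsWith("u:"))
    {
      if (authzID.length() == 2)
      {
        throw new IllegalArgumentException("Authorization ID '" + authzID +
             "' has an empty user name.");
      }
      return authzID;
    }

    throw new IllegalArgumentException("Authorization ID '" + authzID +
         "' must start with 'dn:' or 'u:'.");
  }

  // Builds a search that the server will process as the proxied identity.
  public static SearchRequest proxiedSearch(final String authzID,
                                            final String baseDN,
                                            final String filter)
         throws LDAPException
  {
    final SearchRequest request =
         new SearchRequest(baseDN, SearchScope.SUB, filter, "cn", "mail");
    request.addControl(new ProxiedAuthorizationV2RequestControl(
         requireValidAuthorizationID(authzID)));
    return request;
  }

  public static void main(final String... args) throws LDAPException
  {
    // Constructed sample inputs: two well-formed, four malformed.
    final String[] candidates =
    {
      "dn:uid=test.user,ou=People,dc=example,dc=com",
      "u:test.user",
      "dn:",
      "dn:not a dn",
      "u:",
      "uid=test.user"
    };

    for (final String candidate : candidates)
    {
      try
      {
        final SearchRequest request = proxiedSearch(candidate,
             "dc=example,dc=com", "(objectClass=inetOrgPerson)");
        System.out.println("accepted: " + candidate + " (" +
             request.getControls().length + " control attached)");
      }
      catch (final IllegalArgumentException e)
      {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

Validating the authorization ID client-side does not replace the server’s own proxied-authorization access control checks; it only ensures that malformed values fail fast with a clear message instead of an opaque server error.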
UnboundID LDAP SDK for Java 6.0.10
We have just released version 6.0.10 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for the 6.0.10 release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- We added a new ReusableReferralConnector interface that makes it possible to create referral connectors that can be reused for following multiple referrals. We’ve added a new PooledReferralConnector implementation that uses connection pools for improved performance when following multiple referrals.
- We fixed an issue in which the parallel-update tool could write malformed data to the reject log file when multiple write operations were rejected concurrently.
- We added a PLAINBindRequest.encodeCredentials method that can be used to retrieve the encoded credentials for a SASL PLAIN bind request.
- We added JSONNumber.getValueAsInteger and getValueAsLong methods that will return the value of a JSON number as an Integer or Long, but only if the conversion can be made losslessly. The methods will return null if the value is a floating-point number, or if the value is outside the supported range for the data type.
- We added a StaticUtils.getBacktrace method that can be used to retrieve a compact, single-line string representation of a stack trace representing the code location from which the method was called.
- We added support for a new Ping-proprietary “access log field” request control, which can be used to indicate that the server should include a specified set of name-value pairs in the access log message for the associated operation. We also updated the ldapsearch and ldapmodify tools to add a new --accessLogField argument to include this control in requests.
- We added support for a new Ping-proprietary “generate access token” request control that can be included in a bind request to indicate that the server should include an access token in a corresponding response control included in the response to a successful bind operation. That access token can be used to authenticate to the Ping Identity Directory Server with the OAUTHBEARER SASL mechanism. This may be especially useful when initially authenticating to the Directory Server with a mechanism that relies on single-use credentials (e.g., UNBOUNDID-TOTP, UNBOUNDID-DELIVERED-OTP, or UNBOUNDID-YUBIKEY-OTP) because it allows you to establish multiple connections (e.g., using a connection pool or to replace connections that are no longer valid). We also updated the ldapsearch and ldapmodify tools to add a new --generateAccessToken argument to request that the server return an access token in the bind response.
- We updated support for the ds-pwp-state-json virtual attribute to include the has-password-encoded-with-non-current-settings field, which may indicate whether the user has a password that is encoded with settings that are different from the current configuration for the associated password storage scheme, and the non-current-password-storage-scheme-settings-explanations field, which may explain the ways in which the password encoding differs from the current configuration.
- We updated the documentation to include the latest versions of draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis, and draft-melnikov-scram-sha3-512 in the set of LDAP-related specifications.
UnboundID LDAP SDK for Java 6.0.9
We have just released version 6.0.9 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository.
As announced in the previous release, the LDAP SDK source code is now maintained only at GitHub. The SourceForge repository is still available for its discussion forum, mailing lists, and release downloads, but the source code is no longer available there.
You can find the release notes for the 6.0.9 release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- We made it possible to customize the set of result codes that the LDAP SDK uses to determine whether a connection may no longer be usable. Previously, we used a hard-coded set of result codes, and that is still the default, but you can now override that using the ResultCode.setConnectionNotUsableResultCodes method.
- We added a new HTTPProxySocketFactory class that can be used to establish LDAP and LDAPS connections through an HTTP proxy server.
- We added a new SOCKSProxySocketFactory class that can be used to establish LDAP and LDAPS connections through a SOCKSv4 or SOCKSv5 proxy server.
- We updated the ldap-diff tool to add a --byteForByte argument that can be used to indicate that it should use a byte-for-byte comparison when determining whether two attribute values are equivalent rather than using a schema-aware comparison (which may ignore insignificant differences in some cases, like differences in capitalization or extra spaces). Previously, the tool always used byte-for-byte matching, but we decided to make it a configurable option, and we determined that it is better to use schema-aware comparison by default.
- We fixed an issue in which a non-default channel binding type was not preserved when duplicating a GSSAPI bind request. We also added a GSSAPIBindRequest.getChannelBindingType method to retrieve the selected channel binding type for a GSSAPI bind request.
- We added a ResultCode.getStandardName method that can be used to retrieve the name for the result code in a form that is used to reference it in standards documents. Note that this may not be available for result codes that are not defined in known specifications.
- We added a mechanism for caching the derived secret keys used for passphrase-encrypted input and output streams so that it is no longer necessary to re-derive the same key each time it is used. This can dramatically improve performance when the same key is used multiple times.
- We updated the StaticUtils.isLikelyDisplayableCharacter method to consider additional character types to be displayable, including modifier symbols, non-spacing marks, enclosing marks, and combining spacing marks.
- We added a new StaticUtils.getCodePoints method that can be used to retrieve an array of the code points that comprise a given string.
- We added a new StaticUtils.unicodeStringsAreEquivalent method that can be used to determine whether two strings represent an equivalent string of Unicode characters, even if they use different forms of Unicode normalization.
- We added a new StaticUtils.utf8StringsAreEquivalent method that can be used to determine whether two byte arrays represent an equivalent UTF-8 string of Unicode characters, even if they use different forms of Unicode normalization.
- We added a new StaticUtils.isValidUTF8WithNonASCIICharacters method that can be used to determine whether a given byte array represents a valid UTF-8 string that contains at least one non-ASCII character.
- We updated the client-side support for the collect-support-data administrative task to make it possible to specify the start and end times for the set of log messages to include in the support data archive.
- We updated the documentation so that the latest versions of draft-melnikov-sasl2 and draft-melnikov-scram-sha-512 are included in the set of LDAP-related specifications.
UnboundID LDAP SDK for Java 6.0.8
We have just released version 6.0.8 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository.
Note that this is the last release for which the LDAP SDK source code will be maintained in both the GitHub and SourceForge repositories. The LDAP SDK was originally hosted in a subversion repository at SourceForge, but we switched to GitHub as the primary repository a few years ago. We have been relying on GitHub’s support for accessing git repositories via subversion to synchronize changes to the legacy SourceForge repository, but that support is being discontinued. The SourceForge project will continue to remain available for the discussion forum, mailing lists, and release downloads, but up-to-date source code will only be available on GitHub.
You can find the release notes for the 6.0.8 release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:
- We added a DN.getDNRelativeToBaseDN method that can be used to retrieve the portion of a DN that is relative to a given base DN (that is, the portion of a DN with the base DN stripped off). For example, if you provide it with a DN of “uid=test.user,ou=People,dc=example,dc=com” and a base DN of “dc=example,dc=com”, then the method will return “uid=test.user,ou=People”.
- We added LDAPConnectionPool.getServerSet and LDAPThreadLocalConnectionPool.getServerSet methods that can be used to retrieve the server set that the connection pool uses to establish new connections for the pool.
- We updated the Filter class to add alternative methods with shorter names for constructing search filters from their individual components. For example, as an alternative to calling the Filter.createANDFilter method for constructing an AND search filter, you can now use Filter.and, and as an alternative to calling Filter.createEqualityFilter, you can now use Filter.equals. The older versions with longer method names will remain available for backward compatibility.
- We added support for encrypted PKCS #8 private keys, which require a password to access the private key. The PKCS8PrivateKey class now provides methods for creating the encrypted PEM representation of the key, and the PKCS8PEMFileReader class now has the ability to read encrypted PEM files. We also updated the manage-certificates tool so that the export-private-key and import-certificate subcommands now support encrypted private keys.
- We updated PassphraseEncryptedOutputStream to use a higher key factory iteration count by default. When using the strongest available 256-bit AES encryption, it now follows the latest OWASP recommendation of 600,000 PBKDF2 iterations. You can still explicitly specify the iteration count programmatically when creating a new output stream if desired, and we have also added system properties that can override the default iteration count without any code change.
- We added a PassphraseEncryptedOutputStream constructor that allows you to provide a PassphraseEncryptedStreamHeader when creating a new instance of the output stream. This will reuse the secret key that was already derived for the provided stream header (although with a newly generated initialization vector), which can be significantly faster than deriving a new secret key from the same passphrase.
- We added a new ObjectTrio utility class that can be useful in cases where you need to reference three typed objects as a single object (for example, if you want a method to be able to return three objects without needing to define a new class that encapsulates those objects). This complements the existing ObjectPair class that supports two typed objects.
- We updated the documentation to include RFC 9371 in the set of LDAP-related specifications. This RFC formalizes the process for requesting a private enterprise number (PEN) to use as the base object identifier (OID) for your own definitions (e.g., for use in defining custom attribute types or object classes). The OID-related documentation has also been updated to provide a link to the IANA site that you can use to request an official base OID for yourself or your organization.
- We updated the documentation to include the latest revisions of draft-howard-gssapi-aead, draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis, and draft-reitzenstein-kitten-opaque in the set of LDAP-related specifications.
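The following is an added example, not code from the release notes or from the LDAP SDK, bringing together the filter-construction changes mentioned across these releases: the short Filter.and / Filter.equals names from 6.0.8, the empty-string substring components from 6.0.11, and Filter.createSubstringAssertion from 7.0.1. The security point is that building filters from components lets the SDK escape caller-supplied values, whereas string concatenation lets filter metacharacters change the query. Filter.createSubstringFilter, Filter.createExtensibleMatchFilter, Filter.create, getComponents and getAssertionValue are real SDK APIs; the (subInitial, subAny, subFinal) signature of Filter.createSubstringAssertion is assumed, and the sample input is constructed.

```java
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPException;

public final class FilterConstruction
{
  // Unsafe: caller-supplied text is pasted into the filter string, so
  // metacharacters such as '*', '(' and ')' alter the query's structure.
  public static String lookupByConcatenation(final String uid)
  {
    return "(uid=" + uid + ")";
  }

  // Safe: the SDK escapes the assertion value as RFC 4515 requires, so the
  // input can only ever be matched as a literal value.
  public static Filter lookupByUID(final String uid)
  {
    // Filter.equals and Filter.and are the short names added in 6.0.8;
    // Filter.createEqualityFilter / createANDFilter behave identically.
    return Filter.and(Filter.equals("objectClass", "inetOrgPerson"),
                      Filter.equals("uid", uid));
  }

  // Substring filter with only an initial component. Since 6.0.11 an empty
  // string for subAny or subFinal is treated like null, so "" is safe here.
  public static Filter mailStartsWith(final String prefix)
  {
    return Filter.createSubstringFilter("mail", prefix, null, "");
  }

  // Extensible match with a substring matching rule. The assertion value must
  // itself be an encoded substring assertion; createSubstringAssertion (7.0.1,
  // signature assumed here) produces one with every component escaped.
  public static Filter caseExactCNStartsWith(final String prefix)
  {
    final String assertion = Filter.createSubstringAssertion(prefix, null, null);
    return Filter.createExtensibleMatchFilter("cn", "caseExactSubstringsMatch",
         false, assertion);
  }

  // Parses the SDK-built filter back and returns the uid assertion value, so
  // a caller can confirm the round trip preserved the literal input.
  public static String recoveredUID(final String uid) throws LDAPException
  {
    final Filter parsed = Filter.create(lookupByUID(uid).toString());
    return parsed.getComponents()[1].getAssertionValue();
  }

  public static void main(final String... args) throws LDAPException
  {
    // Constructed input shaped like a filter-injection attempt.
    final String hostile = "*)(objectClass=*";

    System.out.println("concatenated : " + lookupByConcatenation(hostile));
    System.out.println("SDK-built    : " + lookupByUID(hostile));
    System.out.println("substring    : " + mailStartsWith("admin"));
    System.out.println("extensible   : " + caseExactCNStartsWith("Ad*min"));
    System.out.println("round-trips  : " +
         hostile.equals(recoveredUID(hostile)));
  }
}
```

Printing the two uid filters side by side shows the difference: the concatenated form contains the raw parentheses and asterisks, while the SDK-built form carries them as \2a, \28 and \29 escapes, and parsing it back yields the original string as a single assertion value.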
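The following is an added example, not code from the release notes or from the LDAP SDK, of a round trip through the passphrase-encrypted streams that the key-caching change in 6.0.9 and the iteration-count and header-reuse changes in 6.0.8 refer to. It uses only the two-argument (passphrase, stream) constructors of PassphraseEncryptedOutputStream and PassphraseEncryptedInputStream, which take the SDK’s default iteration count; the header-reuse constructor and the properties object for a custom iteration count are not shown. The plaintext and passphrases are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import com.unboundid.util.PassphraseEncryptedInputStream;
import com.unboundid.util.PassphraseEncryptedOutputStream;

public final class PassphraseStreamRoundTrip
{
  // Encrypts plaintext under a passphrase. The constructor derives the key
  // with PBKDF2 (the default iteration count described in the release notes)
  // and writes a header holding the parameters needed to decrypt.
  public static byte[] encrypt(final String passphrase, final byte[] plaintext)
         throws Exception
  {
    final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    try (PassphraseEncryptedOutputStream out =
              new PassphraseEncryptedOutputStream(passphrase, buffer))
    {
      out.write(plaintext);
    }
    return buffer.toByteArray();
  }

  // Decrypts data produced by encrypt(). A wrong passphrase is detected from
  // the header's integrity check, so construction fails rather than
  // returning garbage.
  public static byte[] decrypt(final String passphrase, final byte[] ciphertext)
         throws Exception
  {
    try (InputStream in = new PassphraseEncryptedInputStream(passphrase,
              new ByteArrayInputStream(ciphertext)))
    {
      final ByteArrayOutputStream out = new ByteArrayOutputStream();
      final byte[] chunk = new byte[4096];
      int n;
      while ((n = in.read(chunk)) != -1)
      {
        out.write(chunk, 0, n);
      }
      return out.toByteArray();
    }
  }

  public static void main(final String... args) throws Exception
  {
    // Constructed sample data.
    final byte[] secret =
         "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
    final String passphrase = "correct horse battery staple";

    final byte[] encrypted = encrypt(passphrase, secret);
    System.out.println("ciphertext bytes: " + encrypted.length);

    final byte[] recovered = decrypt(passphrase, encrypted);
    System.out.println("round trip ok: " + Arrays.equals(secret, recovered));

    try
    {
      decrypt("wrong passphrase", encrypted);
      System.out.println("unexpected: decrypted with the wrong passphrase");
    }
    catch (final Exception e)
    {
      System.out.println("wrong passphrase rejected: " +
           e.getClass().getSimpleName());
    }
  }
}
```

Because key derivation at 600,000 iterations is deliberately slow, code that encrypts many files under the same passphrase should reuse the derived key (the header-based constructor added in 6.0.8) instead of calling the two-argument constructor in a loop.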
UnboundID LDAP SDK for Java 6.0.7
We have just released version 6.0.7 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version:
- We fixed a bug in the SearchResultEntry.equals method that could prevent a SearchResultEntry from matching other types of Entry objects.
- We fixed a bug in the Entry.applyModifications method that could cause it to fail with a NOT_ALLOWED_ON_RDN result if the provided entry was missing one or more of the attribute values used in its RDN.
- We fixed a bug in the argument parser’s support for mutually dependent arguments with a set containing more than two arguments. Previously, the constraint would have been satisfied if at least two of the arguments were provided, rather than requiring all of them to be provided.
- We added JSONObject methods for retrieving fields by name using case-insensitive matching (by default, JSON field names are treated in a case-sensitive manner). Because it is possible that a JSON object will have multiple fields with the same name when using case-insensitive matching, there are a few options for indicating how such conflicts should be handled, including only returning the first match, returning a map with all matching fields, or throwing an exception if there are multiple matches.
- We updated the set of LDAP-related specifications to include the latest version of the draft-schmaus-kitten-sasl-ht proposal.
UnboundID LDAP SDK for Java 6.0.6
We have just released version 6.0.6 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version:
General Updates
- We fixed an issue that could cause request failures when closing a connection operating in asynchronous mode with outstanding operations.
- We fixed an issue that could interfere with the ability to get a default SSLContext on Java 17 when running in FIPS 140-2-compliant mode.
- We updated LDAPConnectionOptions to add support for a new system property that can enable certificate hostname verification by default without any code changes.
- We updated the LDAP command-line tool framework to add a new --verifyCertificateHostnames argument to enable hostname verification when performing TLS negotiation.
- We improved the class-level Javadoc documentation for the SSLUtil class to provide a better overview of TLS protocol versions, TLS cipher suites, key managers, trust managers, and certificate hostname verification, and to provide better examples that illustrate best practices for establishing secure connections.
- We fixed an issue in the JNDI compatibility support for controls, as well as extended requests and responses. Even though the implementation was based on the JNDI documentation, it appears that at least OpenJDK implementations do not abide by that documentation. The LDAP SDK is now compatible with the observed behavior rather than the documentation, although a system property can be used to revert to the former behavior.
- We updated the SearchRequest class to add constructors that allow you to provide the search base DN with a DN object (as an alternative to existing constructors that allow you to specify it as a String).
- We fixed an issue in the command-line tool framework in which an Error (for example, OutOfMemoryError) could cause the tool to report a NullPointerException rather than information about the underlying error.
- We fixed an issue in the IA5 argument value validator that could allow it to accept argument values with non-ASCII characters.
- We fixed an issue in the DNS hostname argument value validator that could prevent it from properly validating the last component of a fully qualified domain name, or the only component of an unqualified name.
- We updated the identify-references-to-missing-entries tool to provide an option to generate an LDIF file with changes that can be used to remove identified references.
- We updated the SelfSignedCertificateGenerator class to perform better validation for the subject alternative DNS names that it includes in a certificate.
- We updated the manage-certificates generate-self-signed-certificate command to rename the --replace-existing-certificate argument to be --use-existing-key-pair. The former argument name still works, but it is hidden from the usage.
- We included a native-image/resource-config.json file in the LDAP SDK jar file manifest, which can be used by the GraalVM native-image tool to ensure that appropriate resource files are included in the resulting image.
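The following is an added example, not code from the release notes or from the LDAP SDK, showing the certificate hostname verification and trust manager choices that the LDAPConnectionOptions, --verifyCertificateHostnames and SSLUtil items above concern. The weak configuration (TrustAllTrustManager, no hostname check) is shown next to the hardened one (an explicit trust store plus HostNameSSLSocketVerifier). SSLUtil, TrustAllTrustManager, TrustStoreTrustManager, HostNameSSLSocketVerifier and the LDAPConnection constructor taking a socket factory and options are real SDK APIs; the system property mentioned in the release notes is not used here because its name is not given on this page. The host, port and trust store path are supplied on the command line, so the main method needs a reachable LDAPS server.

```java
import java.security.GeneralSecurityException;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public final class LDAPSConnectionHardening
{
  // Weak: every certificate is accepted and the host name is never compared
  // against it, so anyone on the path with any certificate can impersonate
  // the server. Shown only as the setting to avoid outside of throwaway tests.
  public static LDAPConnection connectTrustingEverything(final String host,
                                                         final int port)
         throws LDAPException, GeneralSecurityException
  {
    final SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
    return new LDAPConnection(sslUtil.createSSLSocketFactory(), host, port);
  }

  // Hardened: trust is anchored in an explicit trust store, and the
  // certificate must match the host we asked for.
  public static LDAPConnection connectVerified(final String host,
                                               final int port,
                                               final String trustStorePath)
         throws LDAPException, GeneralSecurityException
  {
    final SSLUtil sslUtil =
         new SSLUtil(new TrustStoreTrustManager(trustStorePath));

    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    // Fail the handshake unless a subject alternative name (or the CN) of the
    // server certificate matches the requested host; wildcards are allowed.
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));
    // Bounded timeouts so a stalled handshake or server cannot hang the caller.
    options.setConnectTimeoutMillis(5000);
    options.setResponseTimeoutMillis(30000L);

    return new LDAPConnection(sslUtil.createSSLSocketFactory(), options,
         host, port);
  }

  public static void main(final String... args) throws Exception
  {
    if (args.length != 3)
    {
      System.err.println(
           "Usage: LDAPSConnectionHardening <host> <port> <truststore-path>");
      return;
    }

    try (LDAPConnection conn =
              connectVerified(args[0], Integer.parseInt(args[1]), args[2]))
    {
      final RootDSE rootDSE = conn.getRootDSE();
      System.out.println("Connected to " + conn.getConnectedAddress() + ':' +
           conn.getConnectedPort() + " with a verified certificate; vendor: " +
           ((rootDSE == null) ? "(root DSE not readable)" :
                                rootDSE.getVendorName()));
    }
  }
}
```

Hostname verification is what ties the certificate chain to the server you intended to reach: a trust store alone still accepts any certificate that chains to a trusted issuer, whichever host presents it.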
Updates Specific to Use With the Ping Identity Directory Server
- We updated the summarize-access-log tool to report on many more things, including the most common IP addresses for failed bind attempts, the most consecutive failed binds, information about work queue wait times, information about request and response controls, the number of components in search filters, and search filters that may indicate injection attempts.
- We updated support for the audit data security administrative task to make it possible to specify the number and/or age of previous reports to retain.
- We fixed issues that prevented specifying the criticality of the administrative operation and join request controls.
UnboundID LDAP SDK for Java 6.0.5
We have just released version 6.0.5 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version:
General Updates:
- We fixed an issue that could occasionally cause the LDAP SDK to hide the actual cause of a StartTLS failure by using information from a second, less useful exception.
- We fixed an issue that could cause the ldifsearch tool to display a malformed message when the first unnamed trailing argument was expected to be a search filter but could not be parsed as a valid filter.
- We improved support for validating and comparing values using the telephone number syntax. Previously, we used a loose interpretation of the specification, which would consider any printable string (including strings without any digits) to be valid, and would only ignore spaces and hyphens when comparing values. You can now configure varying levels of strictness (either programmatically or using system properties), including requiring at least one digit or strict conformance to the X.520 specification. You can also configure it to ignore all non-digit characters when comparing values, and this is now the default behavior.
- We fixed a bug in which the ldapcompare tool did not properly close its output file if one was configured. The output file does get automatically closed when the tool exits, so it’s not an issue when running ldapcompare from the command line, but this can cause problems if the tool is invoked programmatically from another application.
- We fixed an issue with the tool properties file created using the --generatePropertiesFile argument in command-line tools that support it. The generated properties file did not properly escape backslash, carriage return, line feed, or form feed characters.
Updates Specific to Use With the Ping Identity Directory Server:
-
We added support for encoding controls to JSON objects, and for decoding JSON objects as controls. There is a generic JSON representation that will work for any type of control (in which the value is provided as the base64-encoded representation of the raw value used in the LDAP representation of the control), but most controls provided as part of the LDAP SDK also support a more user-friendly representation in which the components of the value are represented in a nested JSON object.
- We added client-side support for a new JSON-formatted request control that can be used to send request controls to a Ping Identity Directory Server with the controls encoded as JSON objects rather than a raw LDAP representation. We also added support for a JSON-formatted response control that can be used to receive JSON-encoded response controls from the server.
- We updated the ldapsearch and ldapmodify command-line tools to add a `--useJSONFormattedRequestControls` argument that will cause any request controls to be sent using a JSON-formatted request control, and it will cause any response controls returned by the server to be embedded in a JSON-formatted response control.
- We fixed an issue with the way that the `parallel-update` tool created assured replication request controls when an explicit local or remote assurance level was specified. Previously, it would only specify a minimum assurance level without specifying a maximum level, which could cause the server to use a higher assurance level than requested by the client.
- We updated the topology registry trust manager to allow trusting a certificate chain if either the peer certificate or any of its issuers is found in the server’s topology registry. Previously, it would only trust a certificate chain if the peer certificate itself was found in the topology registry, and having an issuer certificate was not sufficient. The former behavior is still available with a configuration option.
- We updated the topology registry trust manager to make it possible to ignore the certificate validity window for peer and issuer certificates. The validity window is still respected by default, but if the trust manager is configured to ignore it, then a certificate chain may be trusted even if the peer or an issuer certificate is expired or not yet valid.
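The two trust-manager changes above amount to one acceptance rule with two switches. The added example below (not the SDK's topology registry trust manager) implements that rule with the JDK's certificate classes: a chain is trusted if the peer certificate, or by default any issuer in the chain, is in the registry, and every chain certificate must be inside its validity window unless that check is switched off. The registry is modelled as a set of certificates loaded from a PEM file given on the command line; the class, method and flag names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

/** Added example of the registry-style chain acceptance rule; not the SDK's code. */
public final class RegistryStyleChainCheck {
  /** Trusted if the peer certificate (chain[0]) or, unless peerOnly is set, any issuer in
   *  the chain is in the registry. Validity windows of every chain certificate are enforced
   *  unless ignoreValidityWindow is set, which is the relaxed mode described above. */
  static void checkChain(X509Certificate[] chain, Set<X509Certificate> registry,
                         boolean peerOnly, boolean ignoreValidityWindow)
      throws CertificateException {
    if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
    if (!ignoreValidityWindow) {
      // Throws CertificateExpiredException or CertificateNotYetValidException.
      for (X509Certificate c : chain) c.checkValidity();
    }
    int candidates = peerOnly ? 1 : chain.length;
    for (int i = 0; i < candidates; i++) {
      if (registry.contains(chain[i])) return;   // equals() compares the DER encodings
    }
    throw new CertificateException("no certificate in the chain is in the registry");
  }

  static List<X509Certificate> readPEM(String path) throws Exception {
    try (InputStream in = new FileInputStream(path)) {
      List<X509Certificate> certs = new ArrayList<>();
      for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
        certs.add((X509Certificate) c);
      }
      return certs;
    }
  }

  // usage: java RegistryStyleChainCheck chain.pem registry.pem [--peer-only] [--ignore-validity]
  public static void main(String[] args) throws Exception {
    X509Certificate[] chain = readPEM(args[0]).toArray(new X509Certificate[0]);
    Set<X509Certificate> registry = new HashSet<>(readPEM(args[1]));
    List<String> flags = Arrays.asList(args).subList(2, args.length);
    try {
      checkChain(chain, registry, flags.contains("--peer-only"), flags.contains("--ignore-validity"));
      System.out.println("trusted: " + chain[0].getSubjectX500Principal());
    } catch (CertificateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Running it once with and once without `--ignore-validity` against a chain whose issuer has expired shows the trade-off the configuration option makes.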
UnboundID LDAP SDK for Java 6.0.4
We have just released version 6.0.4 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes included in this version:
General Updates:
- We fixed an issue with the `Filter.matchesEntry` method that could cause it to throw an exception rather than returning an appropriate Boolean result when evaluating an AND or an OR filter in which one of the nested elements used inappropriate matching (for example, if the assertion value did not conform to the syntax for the associated attribute type).
- We fixed an issue with the way that decodable controls are registered with the LDAP SDK. Under some circumstances, a thread could become blocked while attempting to create a new control.
- We updated the JVM-default trust manager to properly check for the existence of a “jssecacerts” trust store file in accordance with the JSSE specification. It had previously only looked for a file named “cacerts”.
- We updated the logic used to select the default set of supported cipher suites so that it will no longer exclude suites with names starting with “SSL_” by default on JVMs with a vendor string that includes “IBM”. IBM JVMs appear to use the “SSL_” prefix for some or all cipher suites, including those that are associated with TLS protocols rather than a legacy SSL protocol. We also added a `TLSCipherSuiteSelector.setAllowSSLPrefixedSuites` method that can be used to override the default behavior.
- We updated the LDIF reader to support reading modifications with attribute values read from a file referenced by URL. This was previously supported when reading LDIF entries or add change records, but it had been overlooked for LDIF modify change records.
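The added example below (not taken from the release) exercises that case: a modify change record whose replacement value uses the `attr:< URL` form from RFC 2849 to reference a file, read through the SDK's `LDIFReader`. The LDIF text and the referenced file are constructed by the example itself.

```java
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldif.LDIFModifyChangeRecord;
import com.unboundid.ldif.LDIFReader;
import java.io.BufferedReader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example: an LDIF modify change record with a value loaded from a file URL. */
public final class ModifyFromFileURL {
  public static void main(String[] args) throws Exception {
    // Constructed value file; in practice this might be a certificate or a photo.
    Path valueFile = Files.createTempFile("description", ".txt");
    Files.write(valueFile, "Loaded from a file referenced by URL".getBytes(StandardCharsets.UTF_8));

    // "description:< URL" tells the reader to fetch the value from the URL instead of
    // taking it from the line itself.
    String ldif = "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
        + "changetype: modify\n"
        + "replace: description\n"
        + "description:< " + valueFile.toUri() + "\n"
        + "-\n";

    try (LDIFReader reader = new LDIFReader(new BufferedReader(new StringReader(ldif)))) {
      LDIFModifyChangeRecord record = (LDIFModifyChangeRecord) reader.readChangeRecord();
      for (Modification mod : record.getModifications()) {
        System.out.println(mod.getModificationType() + " " + mod.getAttributeName());
        for (String value : mod.getValues()) {
          System.out.println("  value: " + value);   // the file's contents, not the URL
        }
      }
    } finally {
      Files.deleteIfExists(valueFile);
    }
  }
}
```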
- We updated the LDIF reader so that it no longer generates comments attempting to clarify the contents of base64-encoded values if the value is longer than 1,000 bytes.
- We updated the documentation to include the latest versions of the draft-behera-ldap-password-policy, draft-coretta-x660-ldap, and draft-ietf-kitten-scram-2fa specifications.
Updates Specific to Use With the Ping Identity Directory Server:
- We added a new API for parsing access log messages generated by the server. The new API supports both text-formatted and JSON-formatted log messages, whereas the previous version only supported messages in the default text (“name=value”) format.
- We updated the `summarize-access-log` tool (which can be used to perform basic analysis of server access log files) to add support for JSON-formatted log files.
- We added support for retrieving and parsing X.509 certificate monitor entries.
- We added client-side support for an administrative task that can cause the server to immediately refresh any cached certificate monitor data. The server will automatically refresh the cache every minute, but the task can be used to cause an immediate refresh.