release-notes.html
<div align="right">
${TARGET="offline"} <a href="${LDAP_SDK_HOME_URL}" style="font-size: 85%">LDAP SDK Home Page</a>
${TARGET="offline"} <br>
<a href="${BASE}index.${EXTENSION}" style="font-size: 85%">Product Information</a>
</div>
<h2>Release Notes</h2>
<h3>Version 7.0.2</h3>
<p>
The following changes were made between the 7.0.1 and 7.0.2 releases:
</p>
<ul>
<li>
Added support for using the 2.x version of the Bouncy Castle FIPS-compliant
security provider, which offers support for FIPS 140-3 compliance. Previously,
the LDAP SDK only supported the 1.x version of the library, which offers FIPS
140-2 compliance. The necessary jar files must already be in the CLASSPATH.
<br><br>
</li>
<li>
Added a new PropertyManager class that can be used to retrieve the values of
system properties or environment variables, optionally parsing the values as
Booleans, numbers, or comma-delimited lists. Most uses of system properties
within the LDAP SDK have been updated to use the PropertyManager, so those
properties can now be set as environment variables as an alternative to Java
system properties.
<br><br>
</li>
<li>
Fixed a bug in the SSLUtil.certificateToString method that prevented it from
including notBefore and notAfter timestamp values in the resulting string
representation of the provided certificate.
<br><br>
</li>
<li>
Updated client-side support for the Ping Identity Directory Server's get subtree
accessibility and set subtree accessibility extended operations to include a new
"to be deleted" accessibility state.
<br><br>
</li>
<li>
Added a SubtreeAccessibilityState.isMoreRestrictiveThan method that can be used
to determine whether one state is more restrictive than another.
<br><br>
</li>
<li>
Updated the documentation to include the latest revisions of
draft-coretta-ldap-subnf-01, draft-coretta-oiddir-radit,
draft-coretta-oiddir-radsa, draft-coretta-oiddir-radua,
draft-coretta-oiddir-roadmap, and draft-coretta-oiddir-schema in the set of
LDAP-related specifications.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 7.0.1</h3>
<p>
The following changes were made between the 7.0.0 and 7.0.1 releases:
</p>
<ul>
<li>
Added a new LDAP connection pool health check that can be used to replace
connections that have remained idle for longer than a specified length of time.
This is primarily useful in cases where the associated directory servers (or
intermediate networking equipment) may terminate connections that have remained
idle for too long. Note that in connection pools that may contain connections
across multiple servers, you should probably set a maximum connection age for the
pool rather than using this health check, as this will better allow the pool to
return to a balanced state more quickly after a failure has caused connections to
migrate away from one or more servers. Also note that health checks that attempt
to actually communicate with the associated server over LDAP may be preferred
over this health check because not only will they do a better job of ensuring
that connections are actually usable, but the communication that they perform
will also prevent the connections from being seen as idle.
<br><br>
</li>
<li>
Updated the in-memory directory server to improve its concurrency when performing
operations that don't need to make changes to the data.
<br><br>
</li>
<li>
Added createSubstringAssertion methods to the filter class, which make it easier
to construct the string representation of a substring assertion with a given
combination of subInitial, subAny, and/or subFinal elements. This can be helpful
for creating the assertion value for an extensible matching filter for use with a
substring matching rule.
<br><br>
</li>
<li>
Updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it
possible to use alternative security providers when accessing key store files. It
is also possible to indicate whether non-FIPS 140-2-compliant key stores may be
accessed in applications running in FIPS-compliant mode.
<br><br>
</li>
<li>
Fixed an issue in which the parallel-update tool would buffer data written to the
reject file. This could prevent information from appearing in that file until
enough reject records were written to cause the buffer to be flushed to disk, or
until the tool completed its processing.
<br><br>
</li>
<li>
Fixed a manage-certificates issue that could arise when it is invoked
programmatically by an application that is using the LDAP SDK in FIPS
140-2-compliant mode and the tool needs to try to locate an issuer certificate in
the JVM's default trust store.
<br><br>
</li>
<li>
Added client-side support for a new verify password extended request that may be
used in the Ping Identity Directory Server to determine whether a provided
password is correct for a given user without performing any other password policy
processing. This extended operation may only be used under a limited set of
circumstances.
<br><br>
</li>
<li>
Updated the command-line tool framework to make it possible to include arguments
that allow the tool to generate a log file containing any debug messages
generated while the tool was running. The new --helpDebug argument can be used to
obtain usage information for arguments related to debug logging in any tools that
support it. All of the tools included with the LDAP SDK have been updated to
provide support for debug logging.
<br><br>
</li>
<li>
Updated the debug logging framework to make it possible to format debug messages
as multi-line strings. Debug messages will be generated as JSON objects, but
they use a single-line string representation by default. It is now possible to
generate those messages as multi-line strings, which may be easier for humans to
read, but may be more difficult for some applications to parse.
<br><br>
</li>
<li>
Added a StaticUtils.setSystemPropertyIfNotAlreadyDefined method that can be used
to set the value of a system property, but only if that property is not already
set. If the property already has a value, then the existing value will be
retained regardless of whether it is the same as or different from the provided
value.
<br><br>
</li>
<li>
Updated the OID registry to include records for a number of collation matching
rules.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 7.0.0</h3>
<p>
The following changes were made between the 6.0.11 and 7.0.0 releases:
</p>
<ul>
<li>
Updated the LDAP SDK to require Java SE 8 or later. As of the 7.0.0 release,
Java 7 is no longer supported.
<br><br>
</li>
<li>
Updated the LDAPConnectionPool behavior in the case that an attempt to check out
a connection from the pool first encounters an existing connection that is deemed
not valid by the configured health check. Previously, it would close that
connection as defunct and try to create a new connection to replace it, but if
that attempt was successful, the newly created connection would be added to the
end of the pool's set of potentially available connections, and it would continue
iterating through the set of connections to try to find one that is valid. Now,
if the pool is able to successfully create a new connection to replace the
existing defunct connection, it will immediately return that new connection
without checking any of the other existing connections. This should
substantially improve performance in the case that the pool has several
connections that are already established but have become invalid for some reason
in a way that does not prevent successfully establishing new connections.
<br><br>
</li>
<li>
Added a compare-ldap-schemas command-line tool that can be used to identify
differences between the schemas of two LDAP servers.
<br><br>
</li>
<li>
Added the ability to reuse automatically generated JAAS configuration files if
possible when attempting a SASL GSSAPI bind. Previously, if the caller didn't
explicitly provide a JAAS config file, the LDAP SDK would generate one based on
the provided bind request properties. It would do this for every GSSAPI bind
attempt, even if they all used the same properties, which means that it could
generate many copies of the same JAAS config file, which could unnecessarily
waste disk space and memory. It will now detect when a bind request would use a
JAAS configuration that matches one that has already been generated, and will
reuse the previously generated file rather than creating a new one.
<br><br>
</li>
<li>
Added client-side support for the LDAP relax rules request control as defined in
draft-zeilenga-ldap-relax-03. Note that this support is currently classified as
experimental because this most recent version of the Internet Draft (which
expired in 2008 without being renewed or standardized as an RFC) does not specify
an official OID for the control. However, some servers (including OpenLDAP and
ForgeRock Directory Services) appear to have implemented support for the control
with an OID of 1.3.6.1.4.1.4203.666.5.12, and that is the OID used in this
implementation.
<br><br>
</li>
<li>
Added client-side support for the transaction ID request control as used in the
ForgeRock Directory Server. This control may be included in an operation request
to provide a transaction ID that will appear in the access log message for that
operation.
<br><br>
</li>
<li>
Added client-side support for the replication repair request control as used in
the ForgeRock Directory Server. This control may be included in an add, delete,
modify, or modify DN request to indicate that the associated change should only
be processed in the local server and not replicated to other servers in the
topology. It is primarily intended for use in manually resolving replication
conflicts and other replication-related issues.
<br><br>
</li>
<li>
Added client-side support for the change sequence number request and response
controls as used in the ForgeRock Directory Server. The request control may be
included in an add, delete, modify, or modify DN request to indicate that the
server should return a corresponding response control containing the replication
change sequence number (CSN) that the server has assigned to that operation.
<br><br>
</li>
<li>
Added client-side support for the affinity request control as used in the
ForgeRock Directory Proxy Server, which allows explicitly routing multiple
related requests to the same backend server.
<br><br>
</li>
<li>
Added a new "lockdown mode" LDAP connection pool health check that can be used to
determine whether a Ping Identity Directory Server instance is currently in
lockdown mode.
<br><br>
</li>
<li>
Added a new "active alerts" LDAP connection pool health check that can retrieve
the set of active alert types from a Ping Identity Directory Server instance to
determine whether the server considers itself to be in a degraded or unavailable
state. You can configure it to only care about unavailable alert types, or to
ignore a specific set of degraded or unavailable alert types.
<br><br>
</li>
<li>
Added a new "replication backlog" LDAP connection pool health check that can be
used to evaluate a Ping Identity Directory Server instance based on the number or
age of changes that have been made in other replicas but have not yet been applied
in the local server.
<br><br>
</li>
<li>
Updated support for the replica monitor entry in the Ping Identity Directory
Server to include support for a number of additional attributes.
<br><br>
</li>
<li>
Updated the CryptoHelper class to add convenience methods for generating
cryptographic message digests from byte arrays, strings, and files. Specific
methods are provided for the SHA-256, SHA-384, and SHA-512 digest algorithms, as
well as more general methods in which you must specify the desired algorithm.
<br><br>
</li>
<li>
Added methods for normalizing JSON values and JSON object filters.
<br><br>
</li>
<li>
Updated the BouncyCastleFIPSHelper class to add a constant with the name of a
system property that can be used to enable support for the MD5 digest algorithm
if necessary.
<br><br>
</li>
<li>
Updated the documentation to include the latest revisions of
draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis,
draft-melnikov-scram-sha-512, and draft-melnikov-scram-sha3-512 in the set of
LDAP-related specifications.
<br><br>
</li>
<li>
Updated the documentation to include draft-coretta-oiddir-radit,
draft-coretta-oiddir-radsa, draft-coretta-oiddir-radua,
draft-coretta-oiddir-roadmap, and draft-coretta-oiddir-schema in the set of
LDAP-related specifications.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 6.0.11</h3>
<p>
The following changes were made between the 6.0.10 and 6.0.11 releases:
</p>
<ul>
<li>
Note that this is the last release that will support Java 7. The next release
(expected to have a version number of 7.0.0) will only support Java 8 and later.
<br><br>
</li>
<li>
Updated the ldapsearch and ldapmodify command-line tools to provide better
validation for the value of the --proxyAs argument. The tools will now reject
attempts to use the argument with a value that doesn't start with either "dn:" or
"u:", and they will also reject attempts to use a value that starts with "dn:"
but is not followed by a valid LDAP DN.
<br><br>
</li>
<li>
Updated the Filter methods for creating substring filters to better support empty
components. LDAP filters are transmitted using a binary encoding in which
substring components may be absent but not empty. However, because developers
creating LDAP-enabled applications are more likely to be familiar with the string
representations of filters, it is understandable if someone were to try to
provide an empty string instead of null to indicate that the component is not
needed. The methods for creating substring filters will now interpret empty
components as equivalent to null, causing them to be omitted from the resulting
encoded LDAP filter.
<br><br>
</li>
<li>
Updated the logic that the LDAP SDK uses in the in-memory directory server and
the ldifsearch tool to pare down matching entries based on a set of requested
attributes. If an entry included an attribute with an invalid name, then the
logic used to parse an attribute description into the base attribute type name
and a set of attribute options would result in a null pointer exception. It now
uses more lenient logic for parsing attribute descriptions, and it can handle
malformed attribute descriptions in a more graceful manner.
<br><br>
</li>
<li>
Updated the TimestampArgument class to allow it to accept timestamps in the ISO
8601 format described in RFC 3339.
<br><br>
</li>
<li>
Updated the JSONBuffer class to add an appendField method that can be used for a
field object that already encapsulates a name and value.
<br><br>
</li>
<li>
Added new BinarySizeUnit and DecimalSizeUnit enums that can be used when working
with data sizes in a variety of units, including bytes, kilobytes, megabytes,
gigabytes, terabytes, petabytes, exabytes, zettabytes, and yottabytes. These
enums provide methods for determining the number of bytes in a specified number
of instances of the given unit, determining the number of instances of a unit
represented by a given number of bytes, and generating a human-readable string
representation of a given number of bytes using the unit deemed most appropriate.
The BinarySizeUnit enum assumes that each unit is 1024 times larger than the next
smaller unit (e.g., so one kilobyte is 1024 bytes, one megabyte is 1024
kilobytes, etc.), while the DecimalSizeUnit enum assumes that each unit is 1000
times larger than the next smaller unit (e.g., so one kilobyte is 1000 bytes, one
megabyte is 1000 kilobytes, etc.).
<br><br>
</li>
<li>
Updated client-side support for the LDIF export administrative task in the Ping
Identity Directory Server to allow requesting that the server invoke one or more
post-LDIF-export task processors after the data is successfully exported.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 6.0.10</h3>
<p>
The following changes were made between the 6.0.9 and 6.0.10 releases:
</p>
<ul>
<li>
Added a new ReusableReferralConnector interface that can be used to provide a
way of following referrals using a mechanism that doesn't automatically close
connections after they are used. This allows for the possibility that
connections created for the purpose of following referrals could be used for
multiple referrals, rather than always closing them after their first use as was
previously the case. Also, added a new PooledReferralConnector implementation
that uses connection pools to maintain connections for following referrals.
<br><br>
</li>
<li>
Fixed an issue in which parallel-update did not properly handle multiple
concurrent attempts to write to the reject file, which could cause its contents
to be unparseable or otherwise incorrect.
<br><br>
</li>
<li>
Updated the PLAINBindRequest class to add an encodeCredentials method that can be
used to retrieve a properly encoded representation of the SASL credentials for a
PLAIN bind request with the given authentication ID, authorization ID, and
password.
<br><br>
</li>
<li>
Updated the JSONNumber class to add getValueAsInteger and getValueAsLong methods
that will return the value of the number as an Integer or Long, respectively, but
only if it can do so losslessly. These methods will return null if the value has
a fractional component or if it is outside the range of the associated data type.
<br><br>
</li>
<li>
Updated the JSONNumber class to add a getValueAsDouble method that will return
the value of the number as a double. This method will never return null,
although the value that is returned may have less precision than the internal
BigDecimal value, or it may be converted to positive or negative infinity if the
BigDecimal value is outside the range that can be represented by a double.
<br><br>
</li>
<li>
Added a StaticUtils.getBacktrace method that can be used to retrieve a compact
single-line string representation of a stack trace of the code from which the
method was called.
<br><br>
</li>
<li>
Added client-side support for the access log field request control that can be
used in an upcoming version of the Ping Identity Directory Server to include a
specified set of additional fields in the access log message for the associated
operation. Also, updated the ldapsearch and ldapmodify tools to add support for
an --accessLogField argument that can be used to include the access log field
request control in requests.
<br><br>
</li>
<li>
Added client-side support for new generate access token request and response
controls that can be used in an upcoming version of the Ping Identity Directory
Server to request that the server provide an access token in a bind response (for
example, in response to a request using a one-time password that cannot be
replayed) that can be used to authenticate subsequent bind operations using the
OAUTHBEARER SASL mechanism. Also, updated the ldapsearch and ldapmodify tools to
add support for a --generateAccessToken argument that can be used to include the
control in bind requests and display information from the corresponding response
control.
<br><br>
</li>
<li>
Updated support for the Ping Identity Directory Server's ds-pwp-state-json
virtual attribute to include fields pertaining to support for passwords encoded
in a manner that doesn't reflect the current configuration for the associated
password storage scheme.
<br><br>
</li>
<li>
Updated the documentation to include the latest versions of
draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis, and
draft-melnikov-scram-sha3-512 in the set of LDAP-related specifications.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 6.0.9</h3>
<p>
The following changes were made between the 6.0.8 and 6.0.9 releases:
</p>
<ul>
<li>
The LDAP SDK source code will now only be updated on GitHub and will no longer
be maintained on SourceForge. The SourceForge repository will still be
available for historical releases, but the trunk has been replaced with a README
file indicating that updated code is now only on GitHub. It required effort to
keep both repositories in sync, and GitHub is removing its support for acting as
a Subversion repository, which that synchronization process relied upon. The
SourceForge project will still be updated with downloads for new releases, and
the discussion forums and mailing lists will remain available.
<br><br>
</li>
<li>
Added an option for customizing the set of result codes that the LDAP SDK may
use to determine whether a connection may no longer be usable. Previously, it
used a hard-coded set of result codes for this purpose, and that set is still
the default, but it is now possible to override that with a provided set of
result codes.
<br><br>
</li>
<li>
Added a new HTTPProxySocketFactory class that can be used to allow establishing
LDAP and LDAPS connections through an HTTP proxy server, and added a new
SOCKSProxySocketFactory class that can be used to allow establishing connections
through a SOCKSv4 or SOCKSv5 proxy server. Communication with the proxy server
itself must be unencrypted (although communication with the target LDAP server
may optionally be end-to-end encrypted with TLS), and the proxy server must not
require authentication.
<br><br>
</li>
<li>
Updated the ldif-diff tool to add a --byteForByte argument that can be used to
indicate that it should not ignore differences between source and target entries
that would otherwise be considered insignificant based on the associated
matching rules (for example, values that differ only in capitalization for
attributes that use case-ignore matching). Byte-for-byte matching was
previously always used when comparing source and target entries, but it should
be a configurable option, and it is better to use schema-aware matching by
default.
<br><br>
</li>
<li>
Fixed an issue in which a non-default channel binding type was not preserved when
duplicating a GSSAPI bind request. Also, added a method to retrieve the channel
binding type in use for a GSSAPI bind request.
<br><br>
</li>
<li>
Added a ResultCode.getStandardName method that can be used to retrieve the name
assigned to the associated result code in the relevant specification. This may
not be available for result codes that are not defined in known specifications.
<br><br>
</li>
<li>
Updated support for passphrase-encrypted input and output streams to provide a
mechanism for caching the derived secret keys so that it's not necessary to
re-derive the key each time it's used. This can dramatically improve
performance when the same key is used multiple times.
<br><br>
</li>
<li>
Updated the StaticUtils.isLikelyDisplayableCharacter method to add additional
character types that are believed to be displayable. While most types of
symbols were already considered displayable, modifier symbols had previously
been overlooked but are now included. In addition, non-spacing marks,
enclosing marks, and combining spacing marks are also considered displayable
because even though they aren't displayable on their own, they are likely to
be combined with other characters in a way that makes them displayable.
<br><br>
</li>
<li>
Added a new StaticUtils.getCodePoints method that can be used to retrieve an
array of the code points that comprise a given string.
<br><br>
</li>
<li>
Added a StaticUtils.unicodeStringsAreEquivalent method that can be used to
determine whether two strings represent an equivalent sequence of Unicode
characters. Also, added a StaticUtils.utf8StringsAreEquivalent method that can
be used to determine whether two byte arrays represent UTF-8 strings with an
equivalent set of Unicode characters. Unicode may offer multiple ways of
encoding the same character or sequence of characters, and these methods take
those alternative encodings into account.
<br><br>
</li>
<li>
Added a StaticUtils.isValidUTF8WithNonASCIICharacters method that can be used to
determine if a provided byte array represents a valid UTF-8 string that contains
at least one non-ASCII character. This new method can be more efficient than
calling both the existing isValidUTF8 and isASCIIString methods when that
combination is needed.
<br><br>
</li>
<li>
Updated the client-side support for the administrative task used to invoke the
collect support data tool in a Ping Identity Directory Server to make it possible
to specify the start and end times for the set of log messages to include in the
support data archive.
<br><br>
</li>
<li>
Updated the documentation to include the latest versions of draft-melnikov-sasl2
and draft-melnikov-scram-sha-512 in the set of LDAP-related specifications.
<br><br>
</li>
</ul>
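<p>
The unicodeStringsAreEquivalent / utf8StringsAreEquivalent and
isValidUTF8WithNonASCIICharacters additions above address a recurring source of
comparison bugs: byte sequences that differ yet denote the same text, and byte
sequences that look like UTF-8 but are malformed. The following is an added
example using only the JDK; it is not the LDAP SDK's StaticUtils implementation,
and the class and method names and the choice of NFC normalization are
assumptions made for illustration.
</p>

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;

/**
 * Added example (not the LDAP SDK's own StaticUtils code). Shows why plain
 * String or byte-array equality is the wrong test for "same Unicode text",
 * and how to validate UTF-8 strictly before reasoning about its contents.
 * Class and method names are chosen for illustration only.
 */
public final class UnicodeEquivalenceDemo {

    // Two strings are equivalent if they normalize to the same canonical form.
    // NFC is assumed here; the SDK may use a different normalization form.
    public static boolean unicodeStringsAreEquivalent(String s1, String s2) {
        if (s1 == null || s2 == null) {
            return s1 == s2;
        }
        return Normalizer.normalize(s1, Normalizer.Form.NFC)
                .equals(Normalizer.normalize(s2, Normalizer.Form.NFC));
    }

    // Strict decoding: REPORT makes the decoder throw on malformed input
    // (overlong forms, encoded surrogates, truncated sequences) instead of
    // silently replacing it with U+FFFD, which is what new String(byte[]) does.
    public static String decodeStrictUTF8(byte[] bytes) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(bytes))
                .toString();
    }

    // Byte arrays are equivalent only if both are valid UTF-8 and decode to
    // canonically equivalent text. Invalid UTF-8 is never equivalent to anything.
    public static boolean utf8StringsAreEquivalent(byte[] b1, byte[] b2) {
        try {
            return unicodeStringsAreEquivalent(decodeStrictUTF8(b1), decodeStrictUTF8(b2));
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    // True only if the bytes are valid UTF-8 AND at least one byte has the high
    // bit set. The cheap high-bit scan runs first so pure-ASCII input never pays
    // for a full decode.
    public static boolean isValidUTF8WithNonASCIICharacters(byte[] bytes) {
        boolean hasNonASCII = false;
        for (byte b : bytes) {
            if (b < 0) {           // a negative signed byte means bit 7 is set
                hasNonASCII = true;
                break;
            }
        }
        if (!hasNonASCII) {
            return false;
        }
        try {
            decodeStrictUTF8(bytes);
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: "café" with a precomposed U+00E9 and with e + U+0301.
        String precomposed = "caf\u00E9";
        String decomposed = "cafe\u0301";
        System.out.println("String.equals:        " + precomposed.equals(decomposed));
        System.out.println("canonical equivalent: "
                + unicodeStringsAreEquivalent(precomposed, decomposed));

        byte[] b1 = precomposed.getBytes(StandardCharsets.UTF_8);
        byte[] b2 = decomposed.getBytes(StandardCharsets.UTF_8);
        System.out.println("UTF-8 equivalent:     " + utf8StringsAreEquivalent(b1, b2));

        // Constructed: an overlong encoding of '/' (0xC0 0xAF). It contains
        // non-ASCII bytes but is not valid UTF-8, so a validator must reject it
        // rather than let a lenient decoder turn it into a slash that earlier
        // checks on the raw bytes never saw.
        byte[] overlongSlash = { 'a', (byte) 0xC0, (byte) 0xAF, 'b' };
        System.out.println("overlong accepted:    "
                + isValidUTF8WithNonASCIICharacters(overlongSlash));
        System.out.println("valid non-ASCII:      " + isValidUTF8WithNonASCIICharacters(b1));
        System.out.println("pure ASCII:           "
                + isValidUTF8WithNonASCIICharacters("ascii".getBytes(StandardCharsets.UTF_8)));
    }
}
```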
<p></p>
<h3>Version 6.0.8</h3>
<p>
The following changes were made between the 6.0.7 and 6.0.8 releases:
</p>
<ul>
<li>
Added a DN.getDNRelativeToBaseDN method that may be used to retrieve the portion
of a DN that is relative to a given base DN (that is, the portion of a DN with
the given base DN stripped off).
<br><br>
</li>
<li>
Updated the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes to add
getServerSet methods that can be used to retrieve the server set used to
establish new connections for the pool.
<br><br>
</li>
<li>
Added convenience methods with shorter names for constructing search filters
from their individual components. For example, instead of calling
Filter.createANDFilter(components), you can now use Filter.and(components), and
instead of Filter.createEqualityFilter(attributeName, assertionValue), you can
now use Filter.equals(attributeName, assertionValue). The existing methods with
longer names will remain available for backward compatibility.
<br><br>
</li>
<li>
Added support for encrypted PKCS #8 private keys. Private keys can now be
formatted in encrypted PEM when provided with an encryption password and a set
of encryption properties, and the PKCS #8 PEM file reader can read encrypted
private keys when provided with the encryption password. The
manage-certificates export-private-key command has been updated to support
writing an encrypted representation of the private key in either PEM or DER
form, and manage-certificates import-certificate has been updated to support
obtaining the private key when it is in encrypted form.
<br><br>
</li>
<li>
Updated the passphrase-encrypted output stream to use a higher key factory
iteration count by default. When using the strongest available 256-bit AES
encryption, it now follows the latest OWASP recommendation of 600,000 PBKDF2
iterations. The key factory iteration count can still be explicitly specified
when creating a new output stream if an alternative iteration count is desired,
and the default iteration count can now be overridden with a system property.
<br><br>
</li>
<li>
Updated the passphrase-encrypted output stream to make it possible to create a
new output stream with the encryption header from a previously created
encryption header. This will make it possible to reuse the previously derived
key (with a different initialization vector), which will be substantially faster
when using the same passphrase to encrypt multiple output streams than needing
to re-derive the key for each stream.
<br><br>
</li>
<li>
Added a new ObjectTrio utility class that can be useful in cases where only a
single object is allowed but three typed objects are needed (e.g., when you want
to return three typed items from a method).
<br><br>
</li>
<li>
Updated the set of LDAP-related specifications to include RFC 9371, which
describes the procedures for registering private enterprise numbers (PENs),
which may be used when defining your own object identifiers for custom schema
elements or other purposes. The OID registry document has also been updated to
provide a link to this RFC and to the IANA PEN registry.
<br><br>
</li>
<li>
Updated the documentation to include the latest versions of
draft-howard-gssapi-aead, draft-ietf-kitten-scram-2fa, draft-melnikov-scram-bis,
and draft-reitzenstein-kitten-opaque in the set of LDAP-related specifications.
<br><br>
</li>
</ul>
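<p>
The two passphrase-encrypted output stream changes above (a 600,000-iteration
PBKDF2 default for 256-bit AES, and reusing a previously derived key with a
different initialization vector), together with the derived-key caching added in
6.0.9, come down to three design points that the following added example
illustrates using only the JDK. It is not the LDAP SDK's
PassphraseEncryptedOutputStream code; the header layout, the class and method
names, and the upper bound placed on an iteration count read from a header are
assumptions made for this example.
</p>

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the LDAP SDK's PassphraseEncryptedOutputStream: passphrase
// encryption whose output carries its own derivation parameters. It shows the
// 600,000-iteration PBKDF2-HMAC-SHA256 default for a 256-bit AES key, why salt and
// iteration count must travel with the ciphertext, and how one derived (cacheable)
// key safely encrypts several outputs when each gets a fresh IV. The header layout,
// the names and the MAX_ITERATIONS bound are assumptions made for this example.
public final class PassphraseEncryptionDemo {

    public static final int DEFAULT_ITERATIONS = 600_000; // OWASP PBKDF2-HMAC-SHA256
    static final int MAX_ITERATIONS = 10_000_000; // assumed cap; the header is untrusted
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;               // standard GCM nonce length
    private static final int TAG_BITS = 128;
    private static final int HEADER_BYTES = 4 + SALT_BYTES + IV_BYTES;
    private static final SecureRandom RANDOM = new SecureRandom();

    // A derived key plus the parameters needed to derive it again later.
    public static final class DerivedKey {
        final byte[] salt;
        final int iterations;
        final SecretKey key;
        DerivedKey(byte[] salt, int iterations, SecretKey key) {
            this.salt = salt; this.iterations = iterations; this.key = key;
        }
    }

    // The expensive step: run once per (passphrase, salt, iterations), then cache
    // and reuse the result rather than re-deriving it for every output.
    public static DerivedKey deriveKey(char[] passphrase, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new DerivedKey(salt, iterations, new SecretKeySpec(raw, "AES"));
        } finally {
            spec.clearPassword();
        }
    }

    // Layout: [iterations:4][salt:16][iv:12][ciphertext||tag]. Reusing dk.key
    // across calls is safe only because every call draws a new random IV.
    public static byte[] encrypt(DerivedKey dk, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, dk.key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(HEADER_BYTES + ct.length)
                .putInt(dk.iterations).put(dk.salt).put(iv).put(ct).array();
    }

    // The reader takes salt and iteration count from the header, so data written
    // under an older or overridden default still decrypts. The count is bounded
    // because a hostile header could otherwise force an enormous PBKDF2 cost.
    public static byte[] decrypt(char[] passphrase, byte[] blob) throws GeneralSecurityException {
        if (blob.length < HEADER_BYTES) {
            throw new GeneralSecurityException("truncated header");
        }
        ByteBuffer in = ByteBuffer.wrap(blob);
        int iterations = in.getInt();
        if (iterations < 1 || iterations > MAX_ITERATIONS) {
            throw new GeneralSecurityException("unreasonable iteration count: " + iterations);
        }
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES], ct = new byte[blob.length - HEADER_BYTES];
        in.get(salt).get(iv).get(ct);
        DerivedKey dk = deriveKey(passphrase, salt, iterations);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, dk.key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ct); // throws AEADBadTagException on wrong passphrase or tampering
    }

    public static void main(String[] args) throws Exception {
        char[] passphrase = "correct horse battery staple".toCharArray(); // constructed
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        DerivedKey dk = deriveKey(passphrase, salt, DEFAULT_ITERATIONS); // derive once
        // One cached key, two outputs, two distinct IVs.
        byte[] p1 = "dn: uid=alice,ou=people,dc=example,dc=com".getBytes(StandardCharsets.UTF_8);
        byte[] p2 = "dn: uid=bob,ou=people,dc=example,dc=com".getBytes(StandardCharsets.UTF_8);
        byte[] c1 = encrypt(dk, p1), c2 = encrypt(dk, p2);
        byte[] iv1 = Arrays.copyOfRange(c1, 4 + SALT_BYTES, HEADER_BYTES);
        byte[] iv2 = Arrays.copyOfRange(c2, 4 + SALT_BYTES, HEADER_BYTES);
        System.out.println("IVs differ: " + !Arrays.equals(iv1, iv2));
        System.out.println("round trip ok: " + (Arrays.equals(p1, decrypt(passphrase, c1))
                && Arrays.equals(p2, decrypt(passphrase, c2))));
    }
}
```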
<p></p>
<h3>Version 6.0.7</h3>
<p>
The following changes were made between the 6.0.6 and 6.0.7 releases:
</p>
<ul>
<li>
Fixed a bug in the SearchResultEntry.equals method that could prevent a
SearchResultEntry object (which is a subclass of Entry) from being considered
equal to an Entry that is not a SearchResultEntry.
<br><br>
</li>
<li>
Fixed an issue with the Entry.applyModifications method in which it could fail
with a NOT_ALLOWED_ON_RDN result if the provided entry was missing one or more
attribute values used in its RDN.
<br><br>
</li>
<li>
Fixed a bug in the argument parser's support for mutually dependent arguments.
In a mutually dependent argument set, if any one of the arguments is provided,
then all of the other arguments in the set must also be provided, but there was
a problem with support for sets containing three or more elements. In such
cases, the argument parser would only enforce that at least two arguments from
the set were present.
<br><br>
</li>
<li>
Added JSONObject methods for retrieving fields by name using case-insensitive
matching. By default, JSON field names are treated in a case-sensitive manner,
but new methods allow them to be retrieved in a case-insensitive manner.
Because a JSON object may have multiple fields with names differing only by
case, there are a few options for handling the possibility of conflicts,
including returning only the first match found and ignoring subsequent matches,
throwing an exception if multiple matches are found, or returning a map
containing all matching name-value pairs.
<br><br>
</li>
<li>
Updated the set of LDAP-related specifications to include the latest version of
draft-schmaus-kitten-sasl-ht.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 6.0.6</h3>
<p>
The following changes were made between the 6.0.5 and 6.0.6 releases:
</p>
<ul>
<li>
Fixed an issue that could cause request failures when closing a connection that
has outstanding operations in the default asynchronous mode, immediately
re-establishing the connection (to the same or a different server), and sending
a request on the newly established connection. However, we generally recommend
creating a new connection object (or using a connection pool) in these cases,
rather than closing and re-establishing the same connection object.
<br><br>
</li>
<li>
Fixed an issue that could interfere with the ability to get a default SSLContext
on modern versions of Java (e.g., Java 17) when using the LDAP SDK in FIPS
140-2-compliant mode.
<br><br>
</li>
<li>
Updated the LDAPConnectionOptions class to add support for a new
com.unboundid.ldap.sdk.LDAPConnectionOptions.defaultVerifyCertificateHostnames
system property that can be used to enable certificate hostname verification by
default. This verification was previously available by calling the
LDAPConnectionOptions.setSSLSocketVerifier method with a
HostNameSSLSocketVerifier instance, but the new system property can be used to
enable this verification by default without any code changes. Even though
hostname verification is strongly recommended, it is disabled by default in the
LDAP SDK for backward compatibility purposes, and for compatibility with a wide
range of development, test, and even production environments that are not
properly set up with certificates that allow for hostname verification.
<br><br>
</li>
<li>
Updated the LDAP command-line tool framework to add a new
"--verifyCertificateHostnames" argument that can be used to enable hostname
verification when performing TLS negotiation.
<br><br>
</li>
<li>
Significantly improved the class-level Javadoc documentation for the SSLUtil
class to provide a better overview of TLS protocol versions, TLS cipher suites,
key managers, trust managers, and certificate host name verification, and to
provide examples that better illustrate best practices for establishing secure
connections. Also made Javadoc improvements in the LDAPConnection and
StartTLSPostConnectProcessor classes, and improved documentation for creating
secure connections in the FAQ and getting started guide.
<br><br>
</li>
<li>
Fixed an issue in the JNDI compatibility support for controls, extended
requests, and extended responses. Although the JNDI documentation states that
the byte array returned by the getEncodedValue method for these types of objects
will include the BER type and length, that does not actually appear to be the
case. Since the LDAP SDK used the documented behavior for those methods rather
than the apparent actual behavior, conversion of those elements between the LDAP
SDK and JNDI representations would not yield the expected results. To address
this, the LDAP SDK now uses the actual behavior that JNDI exhibits rather than
the documented behavior. The former behavior can be obtained using system
properties in the event that a JNDI implementation actually does exhibit the
documented behavior.
<br><br>
</li>
<li>
Updated the SearchRequest class to add constructors that allow you to specify
the base DN with a DN object rather than a string.
<br><br>
</li>
<li>
Updated the command-line tool framework to better handle the possibility of
encountering a Java Error (e.g., OutOfMemoryError) in the course of tool
processing. The framework previously handled any unexpected Exception that may
have been thrown during processing by displaying an error message and exiting
with an error, but if an Error was thrown instead of an Exception, then that
could trigger a NullPointerException that would mask the original Error. Errors
are now handled in the same way as exceptions.
<br><br>
</li>
<li>
Fixed an issue in the IA5 argument value validator that could allow an
associated argument to incorrectly accept values with non-ASCII characters.
<br><br>
</li>
<li>
Updated the DNS hostname argument value validator to fix an issue that could
prevent it from performing all necessary validation for the last component in a
fully qualified name, or for the only component in an unqualified name.
<br><br>
</li>
<li>
Updated the identify-references-to-missing-entries example tool to add an option
to write an LDIF file with modify change records that can be used to clean up
any identified references to missing entries.
<br><br>
</li>
<li>
Updated the SelfSignedCertificateGenerator class (which may be used to
dynamically create self-signed certificates for testing and is used by tools
like the in-memory directory server and ldap-debugger) to perform better
validation for the subject alternative DNS names that it includes in a
certificate. It will now exclude values that are identified as system hostnames
but aren't actually technically valid hostnames (e.g., values with non-ASCII
characters).
<br><br>
</li>
<li>
Updated the manage-certificates generate-self-signed-certificate command to
rename the --replace-existing-certificate argument to be
--use-existing-key-pair. The latter is more clear, and can help avoid confusion
in cases where someone may mistakenly think that the command performs more
processing than it actually does (for example, all the processing necessary to
fully replace a certificate that is actively being used by a Ping Identity
Directory Server). The former name is still available to use and will result in
exactly the same behavior so backward compatibility will not be affected, but
that name is hidden in favor of the new name.
<br><br>
</li>
<li>
Updated the summarize-access-log tool that can be used to report on the contents
of one or more Ping Identity Directory Server access logs. The tool will now
report the most common IP addresses for failed bind attempts. It will now
report work queue wait times, both as an average and a histogram. It will now
report the most common request and response controls, the most common privileges
used and missing, and the most common filter sizes in terms of number of
components. If the tool is invoked with the --doNotAnonymize option, then it
will also report on the target bind DNs with the most consecutive failed
authentication attempts, and on search filters that may potentially indicate
unsuccessful injection attempts based on suspicious content in an assertion
value (including parentheses, ampersands, pipes, quotes, or the words "select"
and "from").
<br><br>
</li>
<li>
Updated support for the Ping Identity Directory Server's "audit data security"
administrative task to add the ability to specify either or both of the number
and age of previous reports to retain after the new report has been generated.
<br><br>
</li>
<li>
Fixed issues with the join request control and administrative operation request
control in which it was not possible to specify the criticality to use for the
control.
<br><br>
</li>
<li>
Updated the LDAP SDK to include a native-image/resource-config.json file in the
jar file manifest. When using the GraalVM native-image tool to generate a
self-contained executable version of a Java program that uses the LDAP SDK, this
file helps ensure that all of the appropriate resource files (including message
property files, a default standard schema, and a registry file used by the
oid-lookup tool) are included as part of the generated image.
<br><br>
</li>
</ul>
<p></p>
<h3>Version 6.0.5</h3>
<p>
The following changes were made between the 6.0.4 and 6.0.5 releases:
</p>
<ul>
<li>
Fixed a bug in which the ldapcompare tool did not properly close its output file
if one was configured. This is primarily an issue if the tool is invoked
programmatically rather than running it from the command line (or a shell script
or batch file).
<br><br>
</li>
<li>
Improved support for validating and comparing values using the telephone number
syntax. Previously, telephone number matching always used a loose