pingidentity/ldapsdk
### [`v4.0.5`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.5): UnboundID LDAP SDK for Java 4.0.5
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.4...4.0.5)
We have just released the UnboundID LDAP SDK for Java version 4.0.5, available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from the [releases page](https://togithub.com/pingidentity/ldapsdk/releases) of our GitHub repository, from the [Files page](https://sourceforge.net/projects/ldap-sdk/files/) of our SourceForge project, and from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22).
The most significant change in this release is the fix for a vulnerability described in [CVE-2018-1000134](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134). In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See [CVE-2018-1000134 and the UnboundID LDAP SDK for Java](https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/) for more information about this issue.
Other changes in the 4.0.5 release of the LDAP SDK include:
- Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line.
- Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year.
- Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality.
- Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments.
- Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring.
- Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase.
- Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream.
- Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility.
- Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written.
- Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file.
- Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates.
- Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates.
- Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file.
### [`v4.0.4`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.4): UnboundID LDAP SDK for Java 4.0.4
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.3...4.0.4)
We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from the [releases page](https://togithub.com/pingidentity/ldapsdk/releases) of our GitHub repository, from the [Files page](https://sourceforge.net/projects/ldap-sdk/files/) of our SourceForge project, and from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22).
There are a few noteworthy changes included in this release. The [release notes](https://docs.ldap.com/ldap-sdk/docs/release-notes.html) go into more detail, but the highlights of these changes include:
- We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause).
- We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool.
- We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process.
- We updated the LDAP SDK’s `ServerSet` implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable.
- We updated the `GetEntryLDAPConnectionPoolHealthCheck` class to provide support for invoking the health check after a pooled connection has been authenticated.
- We fixed a bug in the `GetEntryLDAPConnectionPoolHealthCheck` class that could cause it to behave incorrectly when checking the validity of a connection after an `LDAPException` was caught.
- We updated the `Attribute.hasValue` method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the `Filter.matchesEntry` method for equality filters that target similar types of attributes.
- We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy.
- We updated the `LDAPConnectionOptions` class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the `LDAPConnectionOptions` class can now be set via system properties.
### [`v4.0.3`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.3): UnboundID LDAP SDK for Java 4.0.3
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.2...4.0.3)
The 4.0.3 release of the LDAP SDK contains a single bugfix over the 4.0.2 version. Just after releasing the 4.0.2 version, we found a bug in the way that the LDAP SDK generated and verified signatures for X.509 certificates and PKCS10 certificate signing requests. That has been corrected, and the 4.0.3 release is available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from our [GitHub repository](https://togithub.com/pingidentity/ldapsdk), from the [SourceForge project](https://sourceforge.net/projects/ldap-sdk/), or from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22).
### [`v4.0.2`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.2): UnboundID LDAP SDK for Java 4.0.2
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.1...4.0.2)
Happy 20th birthday, LDAPv3! The core LDAPv3 specifications, RFCs 2251 through 2256, were released on December 4, 1997. To celebrate, we’re releasing the UnboundID LDAP SDK for Java version 4.0.2. It is available now for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from our [GitHub repository](https://togithub.com/pingidentity/ldapsdk), from the [SourceForge project](https://sourceforge.net/projects/ldap-sdk/), or from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22).
The most significant changes included in this release are:
- Added a new `manage-certificates` tool that can be used to interact with JKS and PKCS [#12](https://togithub.com/pingidentity/ldapsdk/issues/12) keystores, generate certificates and certificate signing requests, sign certificates, and perform a number of other certificate-related features. It’s like keytool, but it offers additional functionality, and it’s a lot more user-friendly. The LDAP SDK also provides classes for generating and parsing certificates and certificate signing requests programmatically.
- Added a new variant of the `Entry.diff` method that can be used to perform a byte-for-byte comparison of attribute values instead of using the associated attribute syntax. This can help identify changes that result in logically equivalent values, like changing the value of a case-insensitive attribute in a way that only affects capitalization.
- Added a new `PasswordReader.readPasswordChars` method that can be used to read a password into a character array. Previously, it was only possible to read a password as a byte array.
- Added a new `LDAPConnection.closeWithoutUnbind` method that can be used to close a connection without first sending an LDAP unbind request. While this isn’t usually recommended, it can be useful in cases where the connection is known to be invalid, and especially if there is the potential for sending the unbind request to cause the connection to block.
- Improved support for validating object identifiers (OIDs). The LDAP SDK now offers a strict validation mode that requires the OID to be comprised of at least two components, that requires the first component to be between zero and two, and that requires the second component to be between zero and thirty-nine if the first component is zero or one. There is also a new `OIDArgumentValueValidator` class that can be used when requesting command-line arguments whose values are expected to be numeric OIDs.
- Fixed a bug that could cause the LDAP SDK to leak a connection if it was configured with an `SSLSocketVerifier` and that verifier rejected the connection for some reason.
- Fixed a bug that could cause the LDAP SDK to block for twice as long as it should in the event that a failure occurred while trying to send a simple bind request on a connection operating in synchronous mode and the attempt to send the request blocks.
- Added support for new ASN.1 element types, including bit string, object identifier, generalized time, UTC time, UTF-8 string, IA5 string, printable string, and numeric string. Also added support for a new integer type that is backed by a BigInteger and can support values of any magnitude.
- Added convenience methods that make it easier to determine the type class and primitive/constructed state of an ASN.1 element.
- Added support for a new uniqueness request control that can be included in add, modify, and modify DN requests sent to the Ping Identity Directory Server. This control requests that the server identify attribute value conflicts that might arise as a result of the changes performed by the associated operation. The ldapmodify tool has also been updated to support this control.
- Updated the searchrate tool to make it possible to set the search size limit, time limit, dereference policy, and typesOnly flag.
- Updated the in-memory directory server to support the UnboundID/Ping-proprietary ignore NO-USER-MODIFICATION request control.
- Updated the UnboundID/Ping-proprietary password policy state extended operation to make it possible to determine whether the target user has a static password.
- Updated the argument parser to make it possible to hide subcommand names and argument identifiers so that they can be used but will not appear in generated usage information.
- Improved the quality of LDAP request debug messages.
- Updated the set of LDAP-related specifications to include updated versions of existing specifications, and to add a number of certificate-related specifications.
### [`v4.0.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.1): UnboundID LDAP SDK for Java 4.0.1
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.0...4.0.1)
The UnboundID LDAP SDK for Java version 4.0.1 has been released. It is available for immediate download from the LDAP.com website, from our GitHub repository, from the SourceForge project, or from the Maven Central Repository.
This release fixes a number of issues and adds a few small features. Some of the most significant changes are:
- Added a new JVMDefaultTrustManager class that can be used to automatically trust any certificate signed by an authority that the JVM considers trusted by default. The command-line tool framework has been updated so that if you don’t explicitly specify a trust behavior, it will now check the JVM-default trust manager before prompting about whether to trust the server certificate.
- Updated the in-memory directory server to add support for encoding clear-text passwords using a pluggable mechanism. For example, you can automatically have clear-text passwords transformed so that they are stored as the base64-encoded representation of a salted message digest.
- Updated the in-memory directory server to indicate which attributes will be treated as password attributes. Any password attribute can be used to provide credentials for a bind operation, and the values of password attributes will be encoded with the configured password encoder (if any). The server was formerly hard-coded to use userPassword as the password attribute, and this is still the default configuration, but it is now possible to configure the server to use one or more other attributes instead of or in addition to userPassword.
- Added support for a new password update behavior request control. This control can be used in an upcoming release of the Ping Identity Directory Server to override the behavior the server would otherwise have used for a number of password-related properties (e.g., whether the password update is a self change or an administrative reset, whether to allow a pre-encoded password, which password storage scheme to use, etc.). The ldapmodify tool has been updated to make it easy to include this control in add and modify requests.
- Updated the identify-unique-attribute-conflicts example tool to provide support for identifying conflicts between combinations of attributes. For example, you can use this feature to identify cases in which there may be duplicate uid values within the same organization, but ignore duplicate uid values for users in different organizations.
- Fixed an OSGi problem in the jar file manifest. When the LDAP SDK supported Java 1.5 or later, the correct value for the Bundle-RequiredExecutionEnvironment property was “J2SE-1.5”. When we updated the LDAP SDK to require Java 7 or later, the value of this property was updated to be “J2SE-1.7” instead of the correct new value of “JavaSE-1.7”.
- Fixed a problem that prevented the complete set of argument validation from being performed when running a tool in interactive mode. In particular, the interactive mode framework did not perform validation related to required, exclusive, and dependent argument sets.
- Fixed an issue with the way that command-line tools handled trailing arguments in interactive mode. If the tool didn’t require any trailing arguments but allowed any number of them to be provided, then interactive mode did not allow trailing argument values to be provided.
- Fixed an issue with the way that relative paths were handled in command-line tools run in interactive mode. When a Java File object is created from a relative path rather than an absolute path, the getParentFile() method may return null, and this could cause the LDAP SDK to incorrectly believe that the file’s parent didn’t exist. To avoid this, the LDAP SDK now uses getAbsoluteFile().getParentFile() in order to get the parent for any File that may have been created from a relative path.
- Fixed an issue with command-line tools that default to interactive mode that could arise if the tool is invoked without any arguments, but if it tries to use a properties file referenced by an environment variable or JVM property. If the properties file contained some but not all of the arguments needed to invoke the tool, the command-line tool framework would still try to invoke the tool with just the arguments from the properties file, which could result in erratic behavior, unexpected errors, or uncaught exceptions. The tool will now launch in interactive mode to allow the missing arguments to be specified.
- The ldapsearch tool has been updated so that the base DN argument is now optional in all circumstances. Previously, you had to explicitly provide either a base DN or an LDAP URL file, but this created a usability problem if you ran ldapsearch in interactive mode and wanted to search with a null base DN (that is, the DN with the empty string representation). Now, if you don’t provide either a base DN or an LDAP URL file, then ldapsearch will assume a null base DN.
- Updated the class-level Javadoc documentation for a number of classes that implement controls and extended requests and responses. If it takes an encoded value, the Javadoc documentation now describes the encoding for that value.
- Fixed a couple of problems with message format strings that had incorrect property references (for example, they referenced “{1}” when they should have referenced “{0}” as the first argument). The LDAP SDK build process has been updated to better catch these kinds of problems.
- Improved the ByteStringBuffer.append(CharSequence) method so that it will be much more efficient for CharSequence implementations in which iterating through the characters using the charAt(int) method is expensive.
### [`v4.0.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.0): UnboundID LDAP SDK for Java 4.0.0
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.2.1...4.0.0)
The UnboundID LDAP SDK for Java version 4.0.0 has been released. Some of the most significant changes in this release are:
- The LDAP SDK now requires Java SE 7 or later. Java SE 7 and 8 are officially supported. There are known issues when trying to build the LDAP SDK on Java SE 9 early access builds, but builds of the LDAP SDK should run without issues on Java SE 9. Java SE versions 1.5 and 1.6 are no longer supported.
- We now provide only a single edition of the LDAP SDK. We used to provide Standard Edition, Commercial Edition, and Minimal Edition versions of the LDAP SDK, but they have been consolidated into a single edition that contains everything that was previously in the Commercial Edition (which was a superset of the Standard Edition, which was itself a superset of the Minimal Edition). That single edition is now called just “UnboundID LDAP SDK for Java” and is still available under the terms of the GNU General Public License version 2 (GPLv2), the GNU Lesser General Public License version 2.1 (LGPLv2.1), and the UnboundID LDAP SDK Free Use License.
- The GitHub repository for the LDAP SDK has been moved into the Ping Identity organization. The URL to the repository has changed from https://github.com/unboundid/ldapsdk to https://github.com/pingidentity/ldapsdk, but a redirect is in place to ensure that links to the old URL will be automatically transferred to the new location.
- All copyright notices have been updated to reference Ping Identity, and the LDAP SDK documentation now uses Ping Identity branding.
- The open source repositories for the LDAP SDK have been updated to become a complete mirror of the internal repository used to create official builds. The biggest change to come from this is that the full set of LDAP SDK unit tests are now publicly available under the same licenses as the rest of the LDAP SDK.
- This release fixes a bug in the logic for parsing DNs from a string in which one or more RDN values used a BER encoding by starting the value with the octothorpe (#) character. The LDAP SDK would incorrectly use the entire set of bytes (representing the BER type, length, and value) as the attribute value instead of just the BER element value.
- This release fixes a bug in the LDAP connection pool’s connection handling. If the connection pool is configured with createIfNecessary set to false and the replaceDefunctConnection method is called but unable to create a new connection, then the defunct connection could be destroyed without allowing for a replacement. If this happened enough times, the pool could run out of connections and would refuse to create new connections.
- This release fixes a bug in processing multi-stage SASL binds. Each bind request in a multi-stage bind should use a different LDAP message ID, but earlier versions of the LDAP SDK would use the same message ID for the later stages that it used for the first stage.
- This release fixes a bug in the in-memory directory server’s LDIF import code that prevented it from applying the configured schema to the entries being imported.
- This release fixes a bug in the in-memory directory server’s handling of LDAP subentries. The server could incorrectly return entries that are not LDAP subentries in response to a search request that included the subentries request control.
- This release fixes bugs various bugs in the ldapsearch and ldapmodify command-line tools, and in the command-line argument parser.
- The LDAP SDK documentation now includes a number of LDAP reference documents, including a result code reference guide, an OID reference guide, and an LDAPv3 wire protocol reference guide.
- The set of LDAP-related specifications has been updated to include a number of additional RFCs (including 2926, 2985, 4226, and 6238), and updated versions of IETF drafts (including draft-kille-ldap-xmpp-schema, draft-seantek-ldap-pkcs9, and draft-wibrown-ldapssotoken).
- When the LDAP SDK is checked out from a git repository, the build process can now capture information about the state of that repository, including the repository URL and the revision ID. This makes it easier to identify the precise source code revision used to create an LDAP SDK build for troubleshooting purposes. Previously, this information was only available if the LDAP SDK was checked out of a subversion repository.
### [`v3.2.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.2.1): UnboundID LDAP SDK for Java 3.2.1
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.2.0...3.2.1)
### Notable Changes in the Standard and Commercial Editions
- Updated the documentation to indicate that, as a result of Ping Identity's acquisition of UnboundID, all non-public feedback, feature enhancements, support requests, and other kinds of communication should now be sent to ldapsdk-support@pingidentity.com instead of ldapsdk-support@unboundid.com. We also now recommend using the GitHub issue tracker over the SourceForge mailing lists and discussion forums for bug reports and feature requests.
- Fixed a bug in the RDN parsing code that could cause multiple consecutive spaces in the middle of an attribute value to be condensed down to a single space. The string representation of the RDN was preserved correctly, but the methods used to retrieve attribute values as a string or byte array could return values that were missing spaces.
- Provided better handling for InterruptedException. A thread's interrupted state will now be preserved for cases in which the LDAP SDK consumes an InterruptedException without doing something to handle it.
- Fixed a bug in the support for the SASL ANONYMOUS mechanism that could cause the trace string to be omitted from the encoded bind request.
- Updated the searchrate tool to provide support for generic controls, as well as specific support for the assertion, simple paged results, and server-side sort request controls.
- Updated the authrate tool to add a new --bindOnly argument that allows you to indicate that the tool should only perform bind operations, rather than a search to find the entry and then a bind as that user. The base DN pattern will be used to construct the bind DN.
- Updated the authrate tool to provided support for generic search and bind controls, as well as specific support for the authorization identity and password policy request controls.
- Updated the search-and-modrate tool to provide support for generic search and modify controls, as well as specific support for the assertion, simple paged results, permissive modify, pre-read, and post-read request controls.
- Added a Schema.getSchema method that can read schema information in LDIF form from an input stream.
- Updated support for the GSSAPI SASL mechanism to make it possible to indicate in the generated configuration file whether the client should act as an initiator or an acceptor.
- Updated the identify-unique-attribute-conflicts tool to include a time limit in search requests intended to determine whether a unique attribute value may also be in use in any other entries. This can help limit the effect of running the tool against a server that is not configured with the appropriate indexes needed to ensure that equality searches targeting the unique attributes can be processed efficiently.
### Notable Changes Only in the Commercial Edition
- Added a new version of the ldapsearch tool that provides a lot of additional functionality over the version provided in the Standard Edition. It includes much better output formatting (including support for alternate output formats like JSON, CSV, and tab-delimited text), support for a number of data transformations, more robust connection handling, support for referrals, support for a large number of search and bind controls, support for administrative sessions, support for unsolicited notifications, the ability to process multiple searches with search criteria provided in filter or LDAP URL files, rate limiting, and the ability to send results to a specified output file (or a separate output file per search).
- Implemented caching for the matching rule instance used when requesting the jsonObjectExactMatch matching rule. This matching rule only exists in the Commercial Edition and needs to be loaded via reflection.
- Updated the access and error log parsing APIs to include support for the triggeredByConn and triggeredByOp log fields used to indicate that the message is associated with the indicated operation.
### [`v3.2.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.2.0): UnboundID LDAP SDK for Java 3.2.0
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.1.1...3.2.0)
Some of the most significant changes include:
- Added a new `transform-ldif` tool that can be used to apply a number of transformations to data in an LDIF file. This includes the ability to scramble, replace, redact, or exclude a specified set of attributes; to replace existing values for a specified attribute; the ability to use a sequential counter for values of a specified attribute; the ability to add a given set of values to entries matching specified criteria; the ability to exclude entries matching specified criteria; the ability to rename attributes; the ability to replace the base DN for entries in a specified subtree; and the ability to flatten a DIT.
- Updated all classes that offer a `public void close()` method that doesn't throw any exceptions other than a possible `IOException` so that they implement the `java.io.Closeable` interface. This includes classes like `LDAPConnection`, `LDAPConnectionPool`, `LDIFReader`, `LDIFWriter`, and all `EntrySource` implementations. This allows code using these classes to take advantage of the try-with-resources facility introduced in Java SE 7.
- Added support for parsing entries that contain information about the operations processed in the server for servers that support the syntax described in draft-chu-ldap-logschema-00.
- Updated the `modrate` tool to make a number of improvements, including support for a number of controls, the ability to replace multiple values rather than just a single value, or the ability to perform an increment modification rather than a replace modification.
- Added a new `JSONBuffer` class that can be used to efficiently construct the string representation of a JSON object, and a `JSONObjectReader` class that can be used to read JSON objects from an input stream. Added the ability to generate formatted, multi-line string representations of JSON objects with improved human readability.
- Updated the LDIF reader to make it possible to specify the character set to use when reading data. Updated the LDIF writer to make it possible to automatically include a comment below any base64-encoded values that provides a non-base64-encoded representation (with special characters escaped) of the preceding value.
- Updated the in-memory directory server to support the LDAP no-operation control as described in draft-zeilenga-ldap-noop-12.
- Added a new base64 command-line tool that can be used to encode and decode data using the base64 format.
- Dramatically improved the robustness of the `identify-references-to-missing-entries` and `identify-unique-attribute-conflicts` tools.
- Updated the argument parser to add support for subcommands with their own distinct set of arguments.
- Added support for timestamp arguments, which can be used to specify timestamps in either the generalized time syntax (including the time zone), or in a number of formats that indicate a time in the local time zone.
- Updated the command-line tool API to provide the ability to default to interactively prompt for passwords that may be needed but not provided, and to send output to a specified file.
- Updated the rate adjustor so that generated sample rate files include a number of additional examples for common patterns like square, stairstep, sine, sawtooth, triangle, and hockey stick.
### [`v3.1.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.1.1): UnboundID LDAP SDK for Java 3.1.1
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.1.0...3.1.1)
The most significant changes in this release include:
- Updated the AddRequest constructor that allows you to create a request from an LDIF entry. It will now accept an LDIF add change record (including the "changeytpe: add" line, and optionally including controls) in addition to an LDIF entry.
- Added two new LDAP listener request handler implementations that can be used to limit the load that clients can leverage against a listener. One implementation allows you to limit the number of requests that may be processed concurrently, while the other allows you to limit the overall rate (in operations per second) at which requests may be processed.
- Fixed a bug in which the LDAP connection pool statistics were not always properly updated for a failed attempt to create a new connection for the pool.
- Added a new --helpSASL argument for LDAP command-line tools that support authentication. This argument obtains a list of the supported SASL mechanisms and the options that are available for each.
- Updated the command-line argument parser to provide support for using a properties file to supply the default values for arguments not explicitly provided on the command line. Tools that support this feature now include a --generatePropertiesFile argument that can be used to generate a template with the supported properties for that tool.
- Updated the command-line argument parser to support grouping related sets of arguments together in the usage information.
### [`v3.1.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.1.0): UnboundID LDAP SDK for Java 3.1.0
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.8...3.1.0)
The most significant changes in this release include:
- Added the ability to launch command-line tools in an interactive mode, in which the user will be prompted for details needed to connect and authenticate to the target directory server (if applicable for that tool), as well as for any required arguments. The tool will then display a table allowing the user to customize values for all of the arguments, and the user can run the tool with the desired settings or merely display the non-interactive command line that would be used to run with those options.
- Updated the LDAP debugger and in-memory directory server tools to provide the ability to automatically generate source code for any client requests that they receive. This can be helpful when porting existing LDAP-enabled applications to use the UnboundID LDAP SDK for Java.
- Updated the LDAP connection pool to make it possible to configure a minimum available connection goal. If a goal is set, then the connection pool will try to maintain at least that many connections available for immediate use. This can help reduce the need to create new connections on demand under periods of heavy load.
- Added support for LDIF translators that can be used to transform LDIF change records when reading from or writing to LDIF. These translators are particularly helpful when using multiple threads to read or write change records in parallel.
- Improved compatibility with servers that don't support the most recent TLS implementation and don't correctly handle TLS client hello messages that reference the newer protocol.
- Updated the LDAP connection pool health check mechanism to provide support for validating a connection after authentication has completed. It was previously only possible to verify a connection after it was established but before it was authenticated. Added a new health check implementation that can check for various password policy-related conditions (e.g., a password that has expired or is about to expire), and another new aggregate health check that can invoke several health checks as a single unit.
- Improved the LDAP SDK's handling of connection timeouts so that an unsuccessful connection attempt is less likely to block for longer than the configured timeout.
- Deprecated the LDAPConnectionOptions auto-reconnect option. This option has always been very fragile and useful only in very limited circumstances. The functionality is still present (and will continue to be available in) the LDAP SDK, but applications are strongly recommended to use a connection pool, even when only a single connection is needed, because it provides much better and more reliable support for dealing with connectivity problems.
- Added support for specifying a number of additional options when authenticating with the GSSAPI SASL mechanism, including the ability to obtain credentials from a keytab.
- Added a new Entry.applyModifyDN method that can update the client-side representation of entry to reflect the changes that would be applied by a given modify DN operation. This updates both the entry DN and the corresponding attribute values in the entry.
- Updated the in-memory directory server and the LDAP listener framework to make it possible to configure a maximum number of concurrent connections. You can also specify an entry to use as the in-memory directory server's root DSE.
### [`v2.3.8`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.7...2.3.8)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.7...2.3.8)
### [`v2.3.7`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.6...2.3.7)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.6...2.3.7)
### [`v2.3.6`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.5...2.3.6)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.5...2.3.6)
### [`v2.3.5`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.4...2.3.5)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.4...2.3.5)
### [`v2.3.4`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.3...2.3.4)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.3...2.3.4)
### [`v2.3.3`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.2...2.3.3)
[Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.2...2.3.3)
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
2.3.1->4.0.5By merging this PR, the issue #35 will be automatically resolved and closed:
Release Notes
pingidentity/ldapsdk
### [`v4.0.5`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.5): UnboundID LDAP SDK for Java 4.0.5 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.4...4.0.5) We have just released the UnboundID LDAP SDK for Java version 4.0.5, available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from the [releases page](https://togithub.com/pingidentity/ldapsdk/releases) of our GitHub repository, from the [Files page](https://sourceforge.net/projects/ldap-sdk/files/) of our SourceForge project, and from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22). The most significant change in this release is the fix for a vulnerability described in [CVE-2018-1000134](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134). In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See [CVE-2018-1000134 and the UnboundID LDAP SDK for Java](https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/) for more information about this issue. Other changes in the 4.0.5 release of the LDAP SDK include: - Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line. - Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year. - Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality. - Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments. - Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring. - Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase. - Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream. - Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility. - Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written. - Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file. - Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates. - Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates. - Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file. ### [`v4.0.4`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.4): UnboundID LDAP SDK for Java 4.0.4 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.3...4.0.4) We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from the [releases page](https://togithub.com/pingidentity/ldapsdk/releases) of our GitHub repository, from the [Files page](https://sourceforge.net/projects/ldap-sdk/files/) of our SourceForge project, and from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22). There are a few noteworthy changes included in this release. The [release notes](https://docs.ldap.com/ldap-sdk/docs/release-notes.html) go into more detail, but the highlights of these changes include: - We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause). - We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool. - We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process. - We updated the LDAP SDK’s `ServerSet` implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable. - We updated the `GetEntryLDAPConnectionPoolHealthCheck` class to provide support for invoking the health check after a pooled connection has been authenticated. - We fixed a bug in the `GetEntryLDAPConnectionPoolHealthCheck` class that could cause it to behave incorrectly when checking the validity of a connection after an `LDAPException` was caught. - We updated the `Attribute.hasValue` method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the `Filter.matchesEntry` method for equality filters that target similar types of attributes. - We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy. - We updated the `LDAPConnectionOptions` class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the `LDAPConnectionOptions` class can now be set via system properties. ### [`v4.0.3`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.3): UnboundID LDAP SDK for Java 4.0.3 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.2...4.0.3) The 4.0.3 release of the LDAP SDK contains a single bugfix over the 4.0.2 version. Just after releasing the 4.0.2 version, we found a bug in the way that the LDAP SDK generated and verified signatures for X.509 certificates and PKCS10 certificate signing requests. That has been corrected, and the 4.0.3 release is available for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from our [GitHub repository](https://togithub.com/pingidentity/ldapsdk), from the [SourceForge project](https://sourceforge.net/projects/ldap-sdk/), or from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22). ### [`v4.0.2`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.2): UnboundID LDAP SDK for Java 4.0.2 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.1...4.0.2) Happy 20th birthday, LDAPv3! The core LDAPv3 specifications, RFCs 2251 through 2256, were released on December 4, 1997. To celebrate, we’re releasing the UnboundID LDAP SDK for Java version 4.0.2. It is available now for download from the [LDAP.com website](https://www.ldap.com/unboundid-ldap-sdk-for-java), from our [GitHub repository](https://togithub.com/pingidentity/ldapsdk), from the [SourceForge project](https://sourceforge.net/projects/ldap-sdk/), or from the [Maven Central Repository](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.unboundid%22%20AND%20a%3A%22unboundid-ldapsdk%22). The most significant changes included in this release are: - Added a new `manage-certificates` tool that can be used to interact with JKS and PKCS [#12](https://togithub.com/pingidentity/ldapsdk/issues/12) keystores, generate certificates and certificate signing requests, sign certificates, and perform a number of other certificate-related features. It’s like keytool, but it offers additional functionality, and it’s a lot more user-friendly. The LDAP SDK also provides classes for generating and parsing certificates and certificate signing requests programmatically. - Added a new variant of the `Entry.diff` method that can be used to perform a byte-for-byte comparison of attribute values instead of using the associated attribute syntax. This can help identify changes that result in logically equivalent values, like changing the value of a case-insensitive attribute in a way that only affects capitalization. - Added a new `PasswordReader.readPasswordChars` method that can be used to read a password into a character array. Previously, it was only possible to read a password as a byte array. - Added a new `LDAPConnection.closeWithoutUnbind` method that can be used to close a connection without first sending an LDAP unbind request. While this isn’t usually recommended, it can be useful in cases where the connection is known to be invalid, and especially if there is the potential for sending the unbind request to cause the connection to block. - Improved support for validating object identifiers (OIDs). The LDAP SDK now offers a strict validation mode that requires the OID to be comprised of at least two components, that requires the first component to be between zero and two, and that requires the second component to be between zero and thirty-nine if the first component is zero or one. There is also a new `OIDArgumentValueValidator` class that can be used when requesting command-line arguments whose values are expected to be numeric OIDs. - Fixed a bug that could cause the LDAP SDK to leak a connection if it was configured with an `SSLSocketVerifier` and that verifier rejected the connection for some reason. - Fixed a bug that could cause the LDAP SDK to block for twice as long as it should in the event that a failure occurred while trying to send a simple bind request on a connection operating in synchronous mode and the attempt to send the request blocks. - Added support for new ASN.1 element types, including bit string, object identifier, generalized time, UTC time, UTF-8 string, IA5 string, printable string, and numeric string. Also added support for a new integer type that is backed by a BigInteger and can support values of any magnitude. - Added convenience methods that make it easier to determine the type class and primitive/constructed state of an ASN.1 element. - Added support for a new uniqueness request control that can be included in add, modify, and modify DN requests sent to the Ping Identity Directory Server. This control requests that the server identify attribute value conflicts that might arise as a result of the changes performed by the associated operation. The ldapmodify tool has also been updated to support this control. - Updated the searchrate tool to make it possible to set the search size limit, time limit, dereference policy, and typesOnly flag. - Updated the in-memory directory server to support the UnboundID/Ping-proprietary ignore NO-USER-MODIFICATION request control. - Updated the UnboundID/Ping-proprietary password policy state extended operation to make it possible to determine whether the target user has a static password. - Updated the argument parser to make it possible to hide subcommand names and argument identifiers so that they can be used but will not appear in generated usage information. - Improved the quality of LDAP request debug messages. - Updated the set of LDAP-related specifications to include updated versions of existing specifications, and to add a number of certificate-related specifications. ### [`v4.0.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.1): UnboundID LDAP SDK for Java 4.0.1 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/4.0.0...4.0.1) The UnboundID LDAP SDK for Java version 4.0.1 has been released. It is available for immediate download from the LDAP.com website, from our GitHub repository, from the SourceForge project, or from the Maven Central Repository. This release fixes a number of issues and adds a few small features. Some of the most significant changes are: - Added a new JVMDefaultTrustManager class that can be used to automatically trust any certificate signed by an authority that the JVM considers trusted by default. The command-line tool framework has been updated so that if you don’t explicitly specify a trust behavior, it will now check the JVM-default trust manager before prompting about whether to trust the server certificate. - Updated the in-memory directory server to add support for encoding clear-text passwords using a pluggable mechanism. For example, you can automatically have clear-text passwords transformed so that they are stored as the base64-encoded representation of a salted message digest. - Updated the in-memory directory server to indicate which attributes will be treated as password attributes. Any password attribute can be used to provide credentials for a bind operation, and the values of password attributes will be encoded with the configured password encoder (if any). The server was formerly hard-coded to use userPassword as the password attribute, and this is still the default configuration, but it is now possible to configure the server to use one or more other attributes instead of or in addition to userPassword. - Added support for a new password update behavior request control. This control can be used in an upcoming release of the Ping Identity Directory Server to override the behavior the server would otherwise have used for a number of password-related properties (e.g., whether the password update is a self change or an administrative reset, whether to allow a pre-encoded password, which password storage scheme to use, etc.). The ldapmodify tool has been updated to make it easy to include this control in add and modify requests. - Updated the identify-unique-attribute-conflicts example tool to provide support for identifying conflicts between combinations of attributes. For example, you can use this feature to identify cases in which there may be duplicate uid values within the same organization, but ignore duplicate uid values for users in different organizations. - Fixed an OSGi problem in the jar file manifest. When the LDAP SDK supported Java 1.5 or later, the correct value for the Bundle-RequiredExecutionEnvironment property was “J2SE-1.5”. When we updated the LDAP SDK to require Java 7 or later, the value of this property was updated to be “J2SE-1.7” instead of the correct new value of “JavaSE-1.7”. - Fixed a problem that prevented the complete set of argument validation from being performed when running a tool in interactive mode. In particular, the interactive mode framework did not perform validation related to required, exclusive, and dependent argument sets. - Fixed an issue with the way that command-line tools handled trailing arguments in interactive mode. If the tool didn’t require any trailing arguments but allowed any number of them to be provided, then interactive mode did not allow trailing argument values to be provided. - Fixed an issue with the way that relative paths were handled in command-line tools run in interactive mode. When a Java File object is created from a relative path rather than an absolute path, the getParentFile() method may return null, and this could cause the LDAP SDK to incorrectly believe that the file’s parent didn’t exist. To avoid this, the LDAP SDK now uses getAbsoluteFile().getParentFile() in order to get the parent for any File that may have been created from a relative path. - Fixed an issue with command-line tools that default to interactive mode that could arise if the tool is invoked without any arguments, but if it tries to use a properties file referenced by an environment variable or JVM property. If the properties file contained some but not all of the arguments needed to invoke the tool, the command-line tool framework would still try to invoke the tool with just the arguments from the properties file, which could result in erratic behavior, unexpected errors, or uncaught exceptions. The tool will now launch in interactive mode to allow the missing arguments to be specified. - The ldapsearch tool has been updated so that the base DN argument is now optional in all circumstances. Previously, you had to explicitly provide either a base DN or an LDAP URL file, but this created a usability problem if you ran ldapsearch in interactive mode and wanted to search with a null base DN (that is, the DN with the empty string representation). Now, if you don’t provide either a base DN or an LDAP URL file, then ldapsearch will assume a null base DN. - Updated the class-level Javadoc documentation for a number of classes that implement controls and extended requests and responses. If it takes an encoded value, the Javadoc documentation now describes the encoding for that value. - Fixed a couple of problems with message format strings that had incorrect property references (for example, they referenced “{1}” when they should have referenced “{0}” as the first argument). The LDAP SDK build process has been updated to better catch these kinds of problems. - Improved the ByteStringBuffer.append(CharSequence) method so that it will be much more efficient for CharSequence implementations in which iterating through the characters using the charAt(int) method is expensive. ### [`v4.0.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/4.0.0): UnboundID LDAP SDK for Java 4.0.0 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.2.1...4.0.0) The UnboundID LDAP SDK for Java version 4.0.0 has been released. Some of the most significant changes in this release are: - The LDAP SDK now requires Java SE 7 or later. Java SE 7 and 8 are officially supported. There are known issues when trying to build the LDAP SDK on Java SE 9 early access builds, but builds of the LDAP SDK should run without issues on Java SE 9. Java SE versions 1.5 and 1.6 are no longer supported. - We now provide only a single edition of the LDAP SDK. We used to provide Standard Edition, Commercial Edition, and Minimal Edition versions of the LDAP SDK, but they have been consolidated into a single edition that contains everything that was previously in the Commercial Edition (which was a superset of the Standard Edition, which was itself a superset of the Minimal Edition). That single edition is now called just “UnboundID LDAP SDK for Java” and is still available under the terms of the GNU General Public License version 2 (GPLv2), the GNU Lesser General Public License version 2.1 (LGPLv2.1), and the UnboundID LDAP SDK Free Use License. - The GitHub repository for the LDAP SDK has been moved into the Ping Identity organization. The URL to the repository has changed from https://github.com/unboundid/ldapsdk to https://github.com/pingidentity/ldapsdk, but a redirect is in place to ensure that links to the old URL will be automatically transferred to the new location. - All copyright notices have been updated to reference Ping Identity, and the LDAP SDK documentation now uses Ping Identity branding. - The open source repositories for the LDAP SDK have been updated to become a complete mirror of the internal repository used to create official builds. The biggest change to come from this is that the full set of LDAP SDK unit tests are now publicly available under the same licenses as the rest of the LDAP SDK. - This release fixes a bug in the logic for parsing DNs from a string in which one or more RDN values used a BER encoding by starting the value with the octothorpe (#) character. The LDAP SDK would incorrectly use the entire set of bytes (representing the BER type, length, and value) as the attribute value instead of just the BER element value. - This release fixes a bug in the LDAP connection pool’s connection handling. If the connection pool is configured with createIfNecessary set to false and the replaceDefunctConnection method is called but unable to create a new connection, then the defunct connection could be destroyed without allowing for a replacement. If this happened enough times, the pool could run out of connections and would refuse to create new connections. - This release fixes a bug in processing multi-stage SASL binds. Each bind request in a multi-stage bind should use a different LDAP message ID, but earlier versions of the LDAP SDK would use the same message ID for the later stages that it used for the first stage. - This release fixes a bug in the in-memory directory server’s LDIF import code that prevented it from applying the configured schema to the entries being imported. - This release fixes a bug in the in-memory directory server’s handling of LDAP subentries. The server could incorrectly return entries that are not LDAP subentries in response to a search request that included the subentries request control. - This release fixes bugs various bugs in the ldapsearch and ldapmodify command-line tools, and in the command-line argument parser. - The LDAP SDK documentation now includes a number of LDAP reference documents, including a result code reference guide, an OID reference guide, and an LDAPv3 wire protocol reference guide. - The set of LDAP-related specifications has been updated to include a number of additional RFCs (including 2926, 2985, 4226, and 6238), and updated versions of IETF drafts (including draft-kille-ldap-xmpp-schema, draft-seantek-ldap-pkcs9, and draft-wibrown-ldapssotoken). - When the LDAP SDK is checked out from a git repository, the build process can now capture information about the state of that repository, including the repository URL and the revision ID. This makes it easier to identify the precise source code revision used to create an LDAP SDK build for troubleshooting purposes. Previously, this information was only available if the LDAP SDK was checked out of a subversion repository. ### [`v3.2.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.2.1): UnboundID LDAP SDK for Java 3.2.1 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.2.0...3.2.1) ### Notable Changes in the Standard and Commercial Editions - Updated the documentation to indicate that, as a result of Ping Identity's acquisition of UnboundID, all non-public feedback, feature enhancements, support requests, and other kinds of communication should now be sent to ldapsdk-support@pingidentity.com instead of ldapsdk-support@unboundid.com. We also now recommend using the GitHub issue tracker over the SourceForge mailing lists and discussion forums for bug reports and feature requests. - Fixed a bug in the RDN parsing code that could cause multiple consecutive spaces in the middle of an attribute value to be condensed down to a single space. The string representation of the RDN was preserved correctly, but the methods used to retrieve attribute values as a string or byte array could return values that were missing spaces. - Provided better handling for InterruptedException. A thread's interrupted state will now be preserved for cases in which the LDAP SDK consumes an InterruptedException without doing something to handle it. - Fixed a bug in the support for the SASL ANONYMOUS mechanism that could cause the trace string to be omitted from the encoded bind request. - Updated the searchrate tool to provide support for generic controls, as well as specific support for the assertion, simple paged results, and server-side sort request controls. - Updated the authrate tool to add a new --bindOnly argument that allows you to indicate that the tool should only perform bind operations, rather than a search to find the entry and then a bind as that user. The base DN pattern will be used to construct the bind DN. - Updated the authrate tool to provided support for generic search and bind controls, as well as specific support for the authorization identity and password policy request controls. - Updated the search-and-modrate tool to provide support for generic search and modify controls, as well as specific support for the assertion, simple paged results, permissive modify, pre-read, and post-read request controls. - Added a Schema.getSchema method that can read schema information in LDIF form from an input stream. - Updated support for the GSSAPI SASL mechanism to make it possible to indicate in the generated configuration file whether the client should act as an initiator or an acceptor. - Updated the identify-unique-attribute-conflicts tool to include a time limit in search requests intended to determine whether a unique attribute value may also be in use in any other entries. This can help limit the effect of running the tool against a server that is not configured with the appropriate indexes needed to ensure that equality searches targeting the unique attributes can be processed efficiently. ### Notable Changes Only in the Commercial Edition - Added a new version of the ldapsearch tool that provides a lot of additional functionality over the version provided in the Standard Edition. It includes much better output formatting (including support for alternate output formats like JSON, CSV, and tab-delimited text), support for a number of data transformations, more robust connection handling, support for referrals, support for a large number of search and bind controls, support for administrative sessions, support for unsolicited notifications, the ability to process multiple searches with search criteria provided in filter or LDAP URL files, rate limiting, and the ability to send results to a specified output file (or a separate output file per search). - Implemented caching for the matching rule instance used when requesting the jsonObjectExactMatch matching rule. This matching rule only exists in the Commercial Edition and needs to be loaded via reflection. - Updated the access and error log parsing APIs to include support for the triggeredByConn and triggeredByOp log fields used to indicate that the message is associated with the indicated operation. ### [`v3.2.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.2.0): UnboundID LDAP SDK for Java 3.2.0 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.1.1...3.2.0) Some of the most significant changes include: - Added a new `transform-ldif` tool that can be used to apply a number of transformations to data in an LDIF file. This includes the ability to scramble, replace, redact, or exclude a specified set of attributes; to replace existing values for a specified attribute; the ability to use a sequential counter for values of a specified attribute; the ability to add a given set of values to entries matching specified criteria; the ability to exclude entries matching specified criteria; the ability to rename attributes; the ability to replace the base DN for entries in a specified subtree; and the ability to flatten a DIT. - Updated all classes that offer a `public void close()` method that doesn't throw any exceptions other than a possible `IOException` so that they implement the `java.io.Closeable` interface. This includes classes like `LDAPConnection`, `LDAPConnectionPool`, `LDIFReader`, `LDIFWriter`, and all `EntrySource` implementations. This allows code using these classes to take advantage of the try-with-resources facility introduced in Java SE 7. - Added support for parsing entries that contain information about the operations processed in the server for servers that support the syntax described in draft-chu-ldap-logschema-00. - Updated the `modrate` tool to make a number of improvements, including support for a number of controls, the ability to replace multiple values rather than just a single value, or the ability to perform an increment modification rather than a replace modification. - Added a new `JSONBuffer` class that can be used to efficiently construct the string representation of a JSON object, and a `JSONObjectReader` class that can be used to read JSON objects from an input stream. Added the ability to generate formatted, multi-line string representations of JSON objects with improved human readability. - Updated the LDIF reader to make it possible to specify the character set to use when reading data. Updated the LDIF writer to make it possible to automatically include a comment below any base64-encoded values that provides a non-base64-encoded representation (with special characters escaped) of the preceding value. - Updated the in-memory directory server to support the LDAP no-operation control as described in draft-zeilenga-ldap-noop-12. - Added a new base64 command-line tool that can be used to encode and decode data using the base64 format. - Dramatically improved the robustness of the `identify-references-to-missing-entries` and `identify-unique-attribute-conflicts` tools. - Updated the argument parser to add support for subcommands with their own distinct set of arguments. - Added support for timestamp arguments, which can be used to specify timestamps in either the generalized time syntax (including the time zone), or in a number of formats that indicate a time in the local time zone. - Updated the command-line tool API to provide the ability to default to interactively prompt for passwords that may be needed but not provided, and to send output to a specified file. - Updated the rate adjustor so that generated sample rate files include a number of additional examples for common patterns like square, stairstep, sine, sawtooth, triangle, and hockey stick. ### [`v3.1.1`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.1.1): UnboundID LDAP SDK for Java 3.1.1 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/3.1.0...3.1.1) The most significant changes in this release include: - Updated the AddRequest constructor that allows you to create a request from an LDIF entry. It will now accept an LDIF add change record (including the "changeytpe: add" line, and optionally including controls) in addition to an LDIF entry. - Added two new LDAP listener request handler implementations that can be used to limit the load that clients can leverage against a listener. One implementation allows you to limit the number of requests that may be processed concurrently, while the other allows you to limit the overall rate (in operations per second) at which requests may be processed. - Fixed a bug in which the LDAP connection pool statistics were not always properly updated for a failed attempt to create a new connection for the pool. - Added a new --helpSASL argument for LDAP command-line tools that support authentication. This argument obtains a list of the supported SASL mechanisms and the options that are available for each. - Updated the command-line argument parser to provide support for using a properties file to supply the default values for arguments not explicitly provided on the command line. Tools that support this feature now include a --generatePropertiesFile argument that can be used to generate a template with the supported properties for that tool. - Updated the command-line argument parser to support grouping related sets of arguments together in the usage information. ### [`v3.1.0`](https://togithub.com/pingidentity/ldapsdk/releases/tag/3.1.0): UnboundID LDAP SDK for Java 3.1.0 [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.8...3.1.0) The most significant changes in this release include: - Added the ability to launch command-line tools in an interactive mode, in which the user will be prompted for details needed to connect and authenticate to the target directory server (if applicable for that tool), as well as for any required arguments. The tool will then display a table allowing the user to customize values for all of the arguments, and the user can run the tool with the desired settings or merely display the non-interactive command line that would be used to run with those options. - Updated the LDAP debugger and in-memory directory server tools to provide the ability to automatically generate source code for any client requests that they receive. This can be helpful when porting existing LDAP-enabled applications to use the UnboundID LDAP SDK for Java. - Updated the LDAP connection pool to make it possible to configure a minimum available connection goal. If a goal is set, then the connection pool will try to maintain at least that many connections available for immediate use. This can help reduce the need to create new connections on demand under periods of heavy load. - Added support for LDIF translators that can be used to transform LDIF change records when reading from or writing to LDIF. These translators are particularly helpful when using multiple threads to read or write change records in parallel. - Improved compatibility with servers that don't support the most recent TLS implementation and don't correctly handle TLS client hello messages that reference the newer protocol. - Updated the LDAP connection pool health check mechanism to provide support for validating a connection after authentication has completed. It was previously only possible to verify a connection after it was established but before it was authenticated. Added a new health check implementation that can check for various password policy-related conditions (e.g., a password that has expired or is about to expire), and another new aggregate health check that can invoke several health checks as a single unit. - Improved the LDAP SDK's handling of connection timeouts so that an unsuccessful connection attempt is less likely to block for longer than the configured timeout. - Deprecated the LDAPConnectionOptions auto-reconnect option. This option has always been very fragile and useful only in very limited circumstances. The functionality is still present (and will continue to be available in) the LDAP SDK, but applications are strongly recommended to use a connection pool, even when only a single connection is needed, because it provides much better and more reliable support for dealing with connectivity problems. - Added support for specifying a number of additional options when authenticating with the GSSAPI SASL mechanism, including the ability to obtain credentials from a keytab. - Added a new Entry.applyModifyDN method that can update the client-side representation of entry to reflect the changes that would be applied by a given modify DN operation. This updates both the entry DN and the corresponding attribute values in the entry. - Updated the in-memory directory server and the LDAP listener framework to make it possible to configure a maximum number of concurrent connections. You can also specify an entry to use as the in-memory directory server's root DSE. ### [`v2.3.8`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.7...2.3.8) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.7...2.3.8) ### [`v2.3.7`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.6...2.3.7) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.6...2.3.7) ### [`v2.3.6`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.5...2.3.6) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.5...2.3.6) ### [`v2.3.5`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.4...2.3.5) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.4...2.3.5) ### [`v2.3.4`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.3...2.3.4) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.3...2.3.4) ### [`v2.3.3`](https://togithub.com/pingidentity/ldapsdk/compare/2.3.2...2.3.3) [Compare Source](https://togithub.com/pingidentity/ldapsdk/compare/2.3.2...2.3.3)