Symas OpenLDAP Knowledge Base

OpenLDAP 2.5 Announcement

OpenLDAP Version 2.5 Release Announcement

4/29/2021

The OpenLDAP Project is pleased to announce the general availability of OpenLDAP Software version 2.5, a suite of the Lightweight Directory Access Protocol (v3) servers, clients, utilities, documentation, and development tools.

This release contains significant new function that has been contributed by Symas, its customers, and by other organizations and individuals that use OpenLDAP. The bulk of this function has already been heavily tested in the field using OpenLDAP 2.4, so the Project expects the 2.5 release to be extremely stable in its early releases. As with all new software, though, the Project recommends that users carefully test the software to ensure it meets their needs.

The following new components and capabilities are highlighted for this release:

LDAP Load Balancer Daemon

A load balancer daemon, designed from the ground up to handle LDAP loads, has been developed. It is protocol-aware and can balance LDAP loads on a per-operation basis rather than on a per-connection basis. Gone are the days of long-lived connections collecting on a small number of LDAP servers and having to manually restart servers to rebalance loads.

Large Multi-valued Attribute Support

When configured to use LMDB, OpenLDAP can handle multi-valued attributes with large numbers of values without any appreciable performance degradation. Searches, adds, deletes, and modifications of individual values happen faster than quicksilver through a goose.

LDAP Transaction Support

When configured to use LMDB, multiple LDAP operations can be committed together in a single client-controlled transaction. If any of the operations fail, all of the other operations that are part of that transaction are rolled back.

New Replication Protocols

OpenLDAP can now replicate entries from legacy LDAP directory servers including Microsoft Active Directory and Sun DSEE/Oracle DSEE. This makes retiring those systems simpler and easier.

Multi-Factor Authentication

OpenLDAP now directly supports TOTP, HOTP and other modern multi-factor authentication methods. Many existing LDAP applications can use multi-factor authentication without modification.

New Database Backends

Asynchronous Meta-directory

OpenLDAP’s standard meta-directory backend ties together search results from multiple remote LDAP servers, translates attribute names, and rewrites distinguished names but is limited to working with a relatively small number of remote servers. A new version of the meta-directory backend, async-meta, is able to efficiently handle connections to thousands of remote LDAP servers without suffering performance degradation.

Wiredtiger (Experimental)

OpenLDAP can now use the Wiredtiger database to store its data. The Wiredtiger database software is available separately and its SDK must be available when OpenLDAP is compiled.

New OpenLDAP Server Capabilities

General

  • Additional LDAP Replication Protocols
    The replication consumer software has been enhanced to support multiple replication protocols. In addition to supporting the native Syncrepl/Delta Syncrepl protocols, it can also replicate entries from Microsoft Active Directory and DSEE/ODSEE.

  • Support for New LDAP Controls
    To improve compatibility with applications designed for use with legacy LDAP servers, OpenLDAP 2.5 now supports many additional LDAP controls. See below for a complete list of new controls.

  • Dynamic Configuration Delete
    OpenLDAP 2.5 now allows dynamic configuration objects to be deleted. That makes it possible to delete overlays, databases, and other configuration-related items without restarting the LDAP server daemon.

  • Significant performance enhancements throughout the client and server code base

Details

New Overlays and Modules

  • autoca: An overlay that performs X.509 certificate authority functions via LDAP. It can create a new CA, create or fetch a certificate/key pair, and perform other CA functions, each with just an LDAP search operation.
  • homedir: Performs complete home directory life cycle management (creation, archival, deletion) automatically. Designed specifically for environments that use LDAP authentication and networked home directories, this overlay monitors a replication feed and performs actions based on changes to user and group entries.
  • otp: Have the LDAP directory server handle all the processing for time- and counter-based one-time passwords. Compatible with Google and other standards-based authenticator apps.
  • totp: A simpler password hashing module for time-based one-time passwords.
  • argon2: a new password hashing module using the Argon2 hash mechanism
  • adremap: remap attributes for PAM/NSS MS AD support
  • authzid: implements RFC 3829 support
  • datamorph: store enumerated values and fixed size integers
  • ppm: adds additional password checking criteria to the slapo-ppolicy overlay
  • pw-radius: pass bind operations to the specified RADIUS server(s)
  • rbac: accelerates the responses to ANSI INCITS 359 RBAC policy queries originating from Apache Fortress clients
  • usn: adds MS AD usnCreated and usnChanged operational attributes to entries
  • variant: allows attributes/values to be shared between several entries
  • vc: implements the verify credentials extended operation

Updates to Existing Overlays

The following updates have been made to existing overlays:

  • pcache: New control allows access to the cache DB, exop can remove data from the cache DB
  • back-monitor: support has been added for pcache
  • ppolicy: updated to comply with password policy draft 10 (draft-behera-ldap-password-policy-10) and to optionally return Netscape Password Expiring and Password Expired controls
  • dynlist: can now generate the (is)memberOf attribute dynamically and perform reverse lookups to find all groups a user belongs to
  • unique: the unique overlay can now do db-wide locking to avoid potential race conditions
  • remoteauth: The remoteauth overlay now has a password migration feature. If enabled, the password used for a successful remote authentication is stored in the user’s entry in the local directory. This is extremely useful when migrating from a legacy directory system that makes it difficult to access existing passwords.

New Libraries

  • libldif provides an LDIF parsing API

Updates to Existing Libraries

  • libldap_r has been merged with libldap
  • libldap has TLS channel binding support
  • libldap has TLS public key pinning support
  • libldap has TLS SNI support
  • libldap has GSSAPI channel binding support

New and Updated Clients and Tools

  • slapmodify: a tool for offline updates to cn=config

New Supported LDAP Controls

The following controls are supported in OpenLDAP 2.5:

Control Name        OID                          Comments
AUTHZID_REQUEST     2.16.840.1.113730.4.16       Authorization Identity Request Control (RFC 3829)
AUTHZID_RESPONSE    2.16.840.1.113730.4.15       Authorization Identity Response Control (RFC 3829)
LAZY_COMMIT         1.2.840.113556.1.4.619       MS AD Lazy Commit Control
ACCOUNT_USABILITY   1.3.6.1.4.1.42.2.27.9.5.8    Netscape account usability control
PASSWORD_EXPIRED    2.16.840.1.113730.3.4.4      Netscape Password expiring warning
PASSWORD_EXPIRING   2.16.840.1.113730.3.4.5      Netscape Password expired warning
TXN_SPEC            1.3.6.1.1.21.2               LDAP transaction specification control

New Supported Extended Operations

The following extended operations are supported in OpenLDAP 2.5:

Exop Name            OID                          Comments
TXN_START            1.3.6.1.1.21.1               Start LDAP transaction
TXN_END              1.3.6.1.1.21.3               End LDAP transaction
TXN_ABORTED_NOTICE   1.3.6.1.1.21.4               Abort LDAP transaction (notification)
VERIFY_CREDENTIALS   1.3.6.1.4.1.4203.666.6.5     Verify user credentials

ACKNOWLEDGEMENTS

OpenLDAP Software is developed by the OpenLDAP Project. The Project consists of a team of volunteers who use the Internet to coordinate their activities. The Project is an organized activity of the OpenLDAP Foundation.

OpenLDAP Software is derived from University of Michigan LDAP, release 3.3.

AVAILABILITY

This software is available under the OpenLDAP Public License, a non-restrictive, “free”, open-source license. Download information is available at:

http://www.OpenLDAP.org/software/download/

Binary distributions are available from a number of sources, including Symas and the Linux Toolbox (LTB) Project.

SUPPORT

OpenLDAP Software is user supported:

http://www.openldap.org/support/

In addition, commercial support is available from the vendors listed here:

https://www.openldap.org/support/

The OpenLDAP Administrator’s Guide, which includes quick-start instructions, is available at:

http://www.openldap.org/doc/admin/

The project maintains a FAQ which you may find useful:

http://www.openldap.org/faq/

In addition, there are also a number of discussion lists related to OpenLDAP Software. A list of mailing lists is available at:

http://www.OpenLDAP.org/lists/

To report bugs, please use the project's Issue Tracking System:

http://www.openldap.org/its/

The OpenLDAP home page containing lots of interesting information and online documentation is available at this URL:

http://www.OpenLDAP.org/

SUPPORTED PLATFORMS

This release has been ported to many UNIX (and UNIX-like) platforms including Darwin, FreeBSD, Linux, NetBSD, OpenBSD and most commercial UNIX systems. The release has also been ported (in part or in whole) to other platforms including Apple MacOS X, IBM zOS, and Microsoft Windows NT/2000/etc.


OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2021 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.