OpenLDAP Version 2.5 Release Announcement

April 29, 2021

The OpenLDAP Project is pleased to announce the general availability of 
OpenLDAP Software version 2.5, a suite of the Lightweight Directory Access 
Protocol (v3) servers, clients, utilities, documentation, and development tools.


This release contains significant new function that has been contributed by 
Symas, its customers, and by other organizations and individuals that use 
OpenLDAP. The bulk of this function has already been heavily tested in the 
field using OpenLDAP 2.4, so the Project expects the 2.5 release to be 
extremely stable in its early releases. As with all new software, though, the 
Project recommends that users carefully test the software to ensure it meets 
their needs.


The following new components and capabilities are highlighted for this release:

Featured Enhancements

* LDAP Load Balancer Daemon

A load balancer daemon, designed from the ground up to handle LDAP loads, has 
been developed. It is protocol-aware and can balance LDAP loads on a 
per-operation basis rather than on a per-connection basis. Gone are the days of 
long-lived connections collecting on a small number of LDAP servers and having 
to manually restart servers to rebalance loads.


* Large Multi-valued Attribute Support

When configured to use LMDB, OpenLDAP can handle multi-valued attributes with 
large numbers of values without any appreciable performance degradation. 
Searches, adds, deletes, and modifications of individual values happen faster 
than quicksilver through a goose.


* LDAP Transaction Support

When configured to use LMDB, multiple LDAP operations can be committed together 
in a single client-controlled transaction. If any of the operations fail, all 
of the other operations that are part of that transaction are rolled back.


* New Replication Protocols

OpenLDAP can now replicate entries from legacy LDAP directory servers including 
Microsoft Active Directory and Sun DSEE/Oracle DSEE. This makes retiring those 
systems simpler.


* Multi-Factor Authentication

OpenLDAP now supports TOTP, HOTP and other modern multi-factor authentication 
methods. Many existing LDAP applications can use multi-factor authentication 
without modification.


New Database Backends

* Asynchronous Meta-directory

OpenLDAP's standard meta-directory backend ties together search results from 
multiple remote LDAP servers, translates attribute names, and rewrites 
distinguished names but is limited to working with a relatively small number of 
remote servers. A new version of the meta-directory backend, async-meta, is 
able to efficiently handle connections to thousands of remote LDAP servers 
without suffering performance degradation.


* WiredTiger (Experimental)

OpenLDAP can now use the WiredTiger database to store its data. The WiredTiger 
database software is available separately and its SDK must be available when 
OpenLDAP is compiled.


New OpenLDAP Server Capabilities

General


   * Additional LDAP Replication Protocols

     The replication consumer software has been enhanced to support multiple 
replication protocols. In addition to supporting the native Syncrepl/Delta 
Syncrepl protocols, it can also replicate entries from Microsoft Active 
Directory and DSEE/ODSEE.


   * Support for New LDAP Controls and Extended Operations

     To improve compatibility with applications designed for use with legacy 
LDAP servers, OpenLDAP 2.5 now supports many additional LDAP controls and 
extended operations. See below for a complete list.


   * Dynamic Configuration Delete

     OpenLDAP 2.5 now allows dynamic configuration objects to be deleted. That 
makes it possible to delete overlays, databases, and other 
configuration-related items without restarting the LDAP server daemon.


   * Significant performance enhancements throughout the client and server code 
base


Details

New Overlays and Modules


   * autoca: An overlay to perform X.509 certificate authority functions via 
LDAP. Create a new CA, create or fetch a certificate/key pair with an LDAP 
search operation, and perform other CA functions with just an LDAP search 
operation.

   * homedir: perform complete home directory life cycle management, from 
creation, to archival, to deletion, completely automatically. Designed 
specifically for environments that use LDAP authentication and networked home 
directories, this overlay monitors a replication feed and performs actions 
based on changes to user and group entries.

   * otp: Have the LDAP directory server handle all the processing for time- 
and counter-based one-time passwords.  Compatible with Google and other 
standards-based authenticator apps.

   * totp: A simpler password hashing module for time-based one-time passwords.

   * argon2: a new password hashing module using the Argon2 hash mechanism

   * adremap: remap attributes for PAM/NSS MS AD support

   * authzid: implements RFC 3829 support

   * datamorph: store enumerated values and fixed size integers

   * ppm: adds additional password checking criteria to the slapo-ppolicy overlay

   * pw-radius: pass bind operations to the specified radius server(s)

   * rbac: accelerates the responses to ANSI INCITS 359 RBAC policy queries 
originating from Apache Fortress clients

   * remoteauth: Forward bind operations to one or more remote LDAP servers. 
Can optionally store the successfully-submitted password in the local database.

   * usn: adds MS AD usnCreated and usnChanged operational attributes to entries

   * variant: allows attributes/values to be shared between several entries

   * vc: implements the verify credentials extended operation
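
The "Multi-Factor Authentication" item earlier on this page and the otp and 
totp modules in the list above both rest on RFC 4226 (HOTP) and RFC 6238 
(TOTP), which the server now evaluates itself. The following Python is an 
added example written for this page, not code from the OpenLDAP modules: it 
implements both algorithms against the RFCs' published test vectors and shows 
the two checks a verifier must get right, a bounded drift window for TOTP and 
a strictly forward-moving counter for HOTP. The split_bind_password helper, 
and the "static password followed by the OTP" credential layout it assumes, 
are illustrative; consult slapo-otp(5) for the format the overlay actually 
expects.

```python
"""Added example (not slapo-otp or slapd-totp code): RFC 4226 HOTP and
RFC 6238 TOTP, plus the verifier-side window and counter handling.
Standard library only."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# The RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# A real deployment stores a random per-user secret; this one is public.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since t0."""
    return hotp(secret, (at - t0) // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side to absorb clock
    drift. compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
        for k in range(-skew, skew + 1)
    )


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                window: int = 10) -> Optional[int]:
    """Event-based: search forward from the stored counter, because the user
    may have generated codes without binding. Returns the new counter to
    persist, or None. Counters at or below the stored value are never tried;
    that is what blocks replay of an already-used code."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def split_bind_password(cred: str, digits: int = 6) -> Optional[Tuple[str, str]]:
    """Illustration (assumed layout, not taken from slapo-otp) of the
    'static password followed by the OTP' bind credential: the trailing
    `digits` characters are the one-time code, the rest is the password."""
    if len(cred) <= digits or not cred[-digits:].isdigit():
        return None
    return cred[:-digits], cred[-digits:]


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))             # 755224   (RFC 4226 vector)
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 (RFC 6238 vector)
    print(split_bind_password("correct horse287082"))
```

A production verifier additionally records the last accepted TOTP step per 
user so that a code cannot be replayed inside its drift window, and persists 
the advanced HOTP counter atomically with the bind result; both are outside 
this snippet.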

Updates to Existing Backends
   * back-monitor is always statically built into slapd

Updates to Existing Overlays

The following updates have been made to existing overlays:

   * pcache: New control allows access to the cache DB, exop can remove data 
from the cache DB. Monitoring information for pcache is now available if 
back-monitor is enabled.

   * ppolicy: updated to comply with password policy draft 10 
(draft-behera-ldap-password-policy-10) and to optionally return Netscape 
Password Expiring and Password Expired controls

   * dynlist: can now generate the (is)memberOf attribute dynamically and 
perform reverse lookups to find all groups a user belongs to.

   * unique: the unique overlay can now do db-wide locking to avoid potential 
race conditions


New Libraries


   * libldif provides an LDIF parsing API

Updates to Existing Libraries


   * libldap_r has been merged with libldap

   * libldap has TLS channel binding support

   * libldap has TLS public key pinning support

   * libldap has TLS SNI support

   * libldap has GSSAPI channel binding support


New and Updated Clients and Tools


   * slapmodify: a tool for offline updates to cn=config


New Supported LDAP Controls

The following controls are now supported in OpenLDAP 2.5:

    Control Name           OID                         Comments

    AUTHZID_REQUEST        2.16.840.1.113730.4.16      Authorization Identity Request Control (RFC 3829)
    AUTHZID_RESPONSE       2.16.840.1.113730.4.15      Authorization Identity Response Control (RFC 3829)
    LAZY_COMMIT            1.2.840.113556.1.4.619      MS AD Lazy Commit Control
    ACCOUNT_USABILITY      1.3.6.1.4.1.42.2.27.9.5.8   Netscape Account Usability Control
    PASSWORD_EXPIRED       2.16.840.1.113730.3.4.4     Netscape Password Expired Control (returned on bind)
    PASSWORD_EXPIRING      2.16.840.1.113730.3.4.5     Netscape Password Expiring Control (returned on bind)
    TXN_SPEC               1.3.6.1.1.21.2              LDAP Transaction Specification Control (RFC 5805)



New Supported Extended Operations

The following extended operations are now supported in OpenLDAP 2.5:


    Exop Name              OID                         Comments

    TXN_START              1.3.6.1.1.21.1              Start Transaction (RFC 5805)
    TXN_END                1.3.6.1.1.21.3              End Transaction, commit or abort (RFC 5805)
    TXN_ABORTED_NOTICE     1.3.6.1.1.21.4              Aborted Transaction Notice (unsolicited notification from the server)
    VERIFY_CREDENTIALS     1.3.6.1.4.1.4203.666.6.5    Verify user credentials
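
The "LDAP Transaction Support" section above and the TXN_* entries in these 
two tables describe the RFC 5805 exchange: a start exop returns an 
identifier, each operation in the transaction carries that identifier in a 
critical control, and an end exop commits or aborts everything at once. The 
following Python is an added example written for this page, not OpenLDAP 
library code: a minimal BER encoder/decoder that builds and parses those 
three messages so the OIDs can be seen where they sit on the wire. The server 
response is constructed (a real one comes from slapd), the identifier 
b"txn-01" is arbitrary, and only the extended-operation and control payloads 
are shown, not the enclosing LDAPMessage envelopes.

```python
"""Added example (not OpenLDAP code): the RFC 5805 transaction messages
encoded and decoded with a minimal BER helper."""
from typing import Optional, Tuple

TXN_START = "1.3.6.1.1.21.1"  # StartTransactionRequest exop, no requestValue
TXN_SPEC = "1.3.6.1.1.21.2"   # Transaction Specification control, critical
TXN_END = "1.3.6.1.1.21.3"    # EndTransactionRequest exop

SEQUENCE, OCTET_STRING, BOOLEAN, ENUMERATED = 0x30, 0x04, 0x01, 0x0A
EXT_REQUEST, EXT_RESPONSE = 0x77, 0x78              # [APPLICATION 23] / [APPLICATION 24]
REQ_NAME, REQ_VALUE, RESP_VALUE = 0x80, 0x81, 0x8B  # [0], [1], [11]


def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80 | count, then the bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extended_request(oid: str, value: Optional[bytes] = None) -> bytes:
    body = tlv(REQ_NAME, oid.encode("ascii"))
    if value is not None:
        body += tlv(REQ_VALUE, value)
    return tlv(EXT_REQUEST, body)


def txn_start_request() -> bytes:
    """Client -> server: open a transaction. The exop carries no value."""
    return extended_request(TXN_START)


def sample_start_response(txn_id: bytes) -> bytes:
    """Constructed server -> client success response; the identifier the
    server chose travels in responseValue [11]."""
    return tlv(EXT_RESPONSE,
               tlv(ENUMERATED, b"\x00")        # resultCode: success
               + tlv(OCTET_STRING, b"")        # matchedDN
               + tlv(OCTET_STRING, b"")        # diagnosticMessage
               + tlv(RESP_VALUE, txn_id))


def txn_id_from_start_response(msg: bytes) -> bytes:
    tag, body, _ = read_tlv(msg)
    if tag != EXT_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    pos = 0
    while pos < len(body):
        t, content, pos = read_tlv(body, pos)
        if t == RESP_VALUE:
            return content
    raise ValueError("StartTransactionResponse carries no transaction identifier")


def txn_spec_control(txn_id: bytes) -> bytes:
    """Control attached to every add/modify/delete that belongs to the
    transaction: criticality TRUE, controlValue is the identifier (RFC 5805 2.2)."""
    return tlv(SEQUENCE,
               tlv(OCTET_STRING, TXN_SPEC.encode("ascii"))
               + tlv(BOOLEAN, b"\xff")
               + tlv(OCTET_STRING, txn_id))


def txn_end_request(txn_id: bytes, commit: bool = True) -> bytes:
    """txnEndReq ::= SEQUENCE { commit BOOLEAN DEFAULT TRUE, identifier OCTET STRING }.
    The commit flag is written only when it differs from its default, as DER requires."""
    body = b"" if commit else tlv(BOOLEAN, b"\x00")
    body += tlv(OCTET_STRING, txn_id)
    return extended_request(TXN_END, tlv(SEQUENCE, body))


def parse_txn_end_request(msg: bytes) -> Tuple[bool, bytes]:
    """Server side: recover (commit, identifier) from an EndTransactionRequest."""
    tag, body, _ = read_tlv(msg)
    t, name, pos = read_tlv(body)
    if tag != EXT_REQUEST or t != REQ_NAME or name != TXN_END.encode("ascii"):
        raise ValueError("not an EndTransactionRequest")
    _, value, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(value)
    t, content, pos = read_tlv(seq)
    commit = True
    if t == BOOLEAN:                       # explicit commit FALSE means abort
        commit = content != b"\x00"
        t, content, pos = read_tlv(seq, pos)
    if t != OCTET_STRING:
        raise ValueError("missing transaction identifier")
    return commit, content


if __name__ == "__main__":
    txn = txn_id_from_start_response(sample_start_response(b"txn-01"))
    print("start  ", txn_start_request().hex())
    print("control", txn_spec_control(txn).hex())
    print("commit ", txn_end_request(txn).hex())
    print("abort  ", txn_end_request(txn, commit=False).hex())
```

The detail that trips up hand-written clients is the asymmetry in how the 
identifier is carried: it is the bare controlValue of the Transaction 
Specification control, but inside txnEndReq it is an OCTET STRING within a 
SEQUENCE, and the commit flag is absent altogether when it is TRUE.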



ACKNOWLEDGEMENTS



OpenLDAP Software is developed by the OpenLDAP Project. The Project consists of 
a team of volunteers who use the Internet to coordinate their activities. The 
Project is an organized activity of the OpenLDAP Foundation.


OpenLDAP Software is derived from University of Michigan LDAP, release 3.3.


AVAILABILITY


This software is available under the OpenLDAP Public License, a 
non-restrictive, "free", open-source license. Download information is available 
at:

https://www.OpenLDAP.org/software/download/


Binary distributions are available from a number of sources, including Symas 
and the Linux Toolbox (LTB) Project


SUPPORT

OpenLDAP Software is user supported:

https://www.openldap.org/support/


In addition, commercial support is available from the vendors listed here:

https://www.openldap.org/support/


The OpenLDAP Administrator's Guide, which includes quick-start instructions, is 
available at:

https://www.openldap.org/doc/admin25/


There are also a number of discussion lists related to OpenLDAP Software. A 
list of mailing lists is available at:

https://www.OpenLDAP.org/lists/


To report bugs, please use the project's Issue Tracking System:

https://bugs.openldap.org/


The OpenLDAP home page containing lots of interesting information and online 
documentation is available at this URL:

https://www.OpenLDAP.org/


SUPPORTED PLATFORMS


This release has been ported to many UNIX (and UNIX-like) platforms including 
Darwin, FreeBSD, Linux, NetBSD, OpenBSD and most commercial UNIX systems. The 
release has also been ported (in part or in whole) to other platforms including 
Apple MacOS X, IBM zOS, and Microsoft Windows NT/2000/etc.


OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2021 The OpenLDAP Foundation, Redwood City, California, USA. All 
Rights Reserved. Permission to copy and distribute verbatim copies of this 
document is granted.
