OpenLDAP 2.5 Announcement
OpenLDAP Version 2.5 Release Announcement
The OpenLDAP Project is pleased to announce the general availability of OpenLDAP Software version 2.5, a suite of the Lightweight Directory Access Protocol (v3) servers, clients, utilities, documentation, and development tools.
This release contains significant new function that has been contributed by Symas, its customers, and by other organizations and individuals that use OpenLDAP. The bulk of this function has already been heavily tested in the field using OpenLDAP 2.4, so the Project expects the 2.5 release to be extremely stable in its early releases. As with all new software, though, the Project recommends that users carefully test the software to ensure it meets their needs.
The following new components and capabilities are highlighted for this release:
LDAP Load Balancer Daemon
A load balancer daemon, designed from the ground up to handle LDAP loads, has been developed. It is protocol-aware and can balance LDAP loads on a per-operation basis rather than on a per-connection basis. Gone are the days of long-lived connections collecting on a small number of LDAP servers and having to manually restart servers to rebalance loads.
Large Multi-valued Attribute Support
When configured to use LMDB, OpenLDAP can handle multi-valued attributes with large numbers of values without any appreciable performance degradation. Searches, adds, deletes, and modifications of individual values happen faster than quicksilver through a goose.
LDAP Transaction Support
When configured to use LMDB, multiple LDAP operations can be committed together in a single client-controlled transaction. If any of the operations fail, all of the other operations that are part of that transaction are rolled back.
New Replication Protocols
OpenLDAP can now replicate entries from legacy LDAP directory servers including Microsoft Active Directory and Sun DSEE/ Oracle DSEE. This makes retiring those systems simpler and easier.
OpenLDAP now directly supports TOTP, HOTP and other modern multi-factor authentication methods. Many existing LDAP applications can use multi-factor authentication without modification.
New Database Backends
OpenLDAP’s standard meta-directory backend ties together search results from multiple remote LDAP servers, translates attribute names, and rewrites distinguished names but is limited to working with a relatively small number of remote servers. A new version of the meta-directory backend, async-meta, is able to efficiently handle connections to thousands of remote LDAP servers without suffering performance degradation.
OpenLDAP can now use the Wiredtiger database to store its data. The Wiredtiger database software is available separately and its SDK must be available when OpenLDAP is compiled.
New OpenLDAP Server Capabilities
Additional LDAP Replication Protocols
The replication consumer software has been enhanced to support multiple replication protocols. In addition to supporting the native Syncrepl/Delta Syncrepl protocols, it can also replicate entries from Microsoft Active Directory and DSEE/ODSEE.
Support for New LDAP Controls
To improve compatibility with applications designed for use with legacy LDAP servers, OpenLDAP 2.5 now supports many additional LDAP controls. See below for a complete list of new controls.
Dynamic Configuration Delete
OpenLDAP 2.5 now allows dynamic configuration objects to be deleted. That makes it possible to delete overlays, databases, and other configuration-related items without restarting the LDAP server daemon.
Significant performance enhancements throughout the client and server code base
New Overlays and Modules
- autoca: An overlay to perform X.509 certificate authority functions via LDAP. Create a new CA, create or fetch a certificate/key pair with an LDAP search operation, and perform other CA functions with just an LDAP search operation.
- homedir: perform complete home directory life cycle management, from creation, to archival, to deletion, completely automatically. Designed specifically for environments that use LDAP authentication and networked home directories, this overlay monitors a replication feed and performs actions based on changes to user and group entries.
- otp: Have the LDAP directory server handle all the processing for time- and counter-based one-time passwords. Compatible with Google and other standards-based authenticator apps.
- totp: A simpler password hashing module for time-based one-time passwords.
- argon2: a new password hashing module using the Argon2 hash mechanism
- adremap: remap attributes for PAM/NSS MS AD support
- authzid: implements RFC 3829 support
- datamorph: store enumerated values and fixed size integers
- ppm: adds additional password checking critera to the slapo-ppolicy overlay
- pw-radius: pass bind operations to the specified radius server(s)
- rbac: accelerates the responses to ANSI INCITS 359 RBAC policy queries originating from Apache Fortress clients
- usn: adds MS AD usnCreated and usnChanged operational attributes to entries
- variant: allows attributes/values to be shared between several entries
- vc: implements the verify credentials extended operation
Updates to Existing Overlays
The following updates have been made to existing overlays:
- pcache: New control allows access to the cache DB, exop can remove
data from the cache DB
- back-monitor: support has been added for pcache
- ppolicy: updated to comply with password policy draft 10 (draft-behera-ldap-password-policy-10) and to optionally return Netscape Password Expiring and Password Expired controls
- dynlist: can now generate the (is)memberOf attribute dynamically and perform reverse lookups to find all groups a user belongs to
- unique: the unique overlay can now do db-wide locking to avoid potential race conditions
- remoteauth: The remoteauth overlay now has a password migration feature. If enabled, the password used for a successful remote authentication is stored in the user’s entry in the local directory. This is extremely useful when migrating from a legacy directory system that makes it difficult to access existing passwords.
- libldif provides an LDIF parsing API
Updates to Existing Libaries
- libldap_r has been merged with libldap
- libldap has TLS channel binding support
- libldap has TLS public key pinning support
- libldap has TLS SNI support
- libldap has GSSAPI channel binding support
New and Updated Clients and Tools
- slapmodify: a tool for offline updates to cn=config
New Supported LDAP Controls
The following controls are supported in OpenLDAP 2.5:
|AUTHZID_REQUEST||2.16.840.1.113730.4.16||Authorization Identity Request Control (RFC 3829)|
|AUTHZID_RESPONSE||2.16.840.1.113730.4.15||Authorization Identity Response Control (RFC 3829)|
|LAZY_COMMIT||1.2.840.1135184.108.40.2069||MS AD Lazy Commit Control|
|ACCOUNT_USABILITY||220.127.116.11.18.104.22.168.22.214.171.124||Netscape account usability control|
|PASSWORD_EXPIRED||2.16.840.1.1137126.96.36.199||Netscape Password expiring warning|
|PASSWORD_EXPIRING||2.16.840.1.1137188.8.131.52||Netscape Password expired warning|
|TXN_SPEC||184.108.40.206.1.21.2||LDAP transaction specification control|
New Supported Extended Operations
The following extended operations are supported in OpenLDAP 2.5:
|TXN_START||220.127.116.11.1.21.1||Start LDAP transaction|
|TXN_END||18.104.22.168.1.21.3||End LDAP Transaction|
|TXN_ABORTED_NOTICE||22.214.171.124.1.21.4||Abort LDAP Transaction (notification)|
|VERIFY_CREDENTIALS||126.96.36.199.4.1.4203.666.6.5||Verify user credentials|
OpenLDAP Software is developed by the OpenLDAP Project. The Project consists of a team of volunteers who use the Internet to coordinate their activities. The Project is an organized activity of the OpenLDAP Foundation.
OpenLDAP Software is derived from University of Michigan LDAP, release 3.3.
This software is available under the OpenLDAP Public License, a non-restrictive, “free”, open-source license. Download information is available at:
Binary distributions are available from a number of sources, including Symas and the Linux Toolbox (LTB) Project
OpenLDAP Software is user supported:
In addition, commercial support is available from the vendors listed here:
The OpenLDAP Administrator’s Guide, which includes quick-start instructions, is available at:
The project maintains a FAQ which you may find useful:
In addition, there are also a number of discussion lists related to OpenLDAP Software. A list of mailing lists is available at:
To report bugs, please use project’s Issue Tracking System:
The OpenLDAP home page containing lots of interesting information and online documentation is available at this URL:
This release has been ported to many UNIX (and UNIX-like) platforms including Darwin, FreeBSD, Linux, NetBSD, OpenBSD and most commercial UNIX systems. The release has also been ported (in part or in whole) to other platforms including Apple MacOS X, IBM zOS, and Microsoft Windows NT/2000/etc.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2021 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.