Update dependency com.unboundid:unboundid-ldapsdk to v7

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.unboundid:unboundid-ldapsdk	6.0.11 -> 7.0.2

---

Release Notes

pingidentity/ldapsdk (com.unboundid:unboundid-ldapsdk)

v7.0.2: UnboundID LDAP SDK for Java 7.0.2

Compare Source

We have just released version 7.0.2 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for this release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:

• We added support for using the 2.x version of the Bouncy Castle FIPS-compliant security provider, which provides support for FIPS 140-3 compliance. The 1.x version of the library, offering FIPS 140-2 compliance, is still supported. To use the LDAP SDK in this mode, you should ensure that the necessary jar files are in the classpath, and then you should call CryptoHelper.setUseFIPSMode("BCFIPS2") as early as possible in the life of the application.

• We added a new PropertyManager class that can be used to retrieve the value of specified properties using either system properties or environment variables. Values can be optionally parsed as Booleans, numbers, or comma-delimited lists. Most uses of system properties within the LDAP SDK have been updated to support the new PropertyManager mechanism so that it’s possible to set values as environment variables as an alternative to system properties.

• We fixed a bug in the SSLUtil.certificateToString method that prevented it from including the notBefore and notAfter timestamps in the string representation.

• We added client-side support for the Ping Identity Directory Server’s new to-be-deleted accessibility state for use with the get subtree accessibility and set subtree accessibility extended operations.

• We updated the MoveSubtree utility class to provide the ability to use the new to-be-deleted accessibility state (as an alternative to the hidden state) for the target subtree before starting to remove entries from the source server.

• We added a new SubtreeAccessibilityState.isMoreRestrictiveThan method that can be used to determine whether one accessibility state is considered more restrictive than another.

• Updated the documentation to include the latest versions of the following LDAP-related specifications:

  • draft-coretta-ldap-subnf-01
  • draft-coretta-oiddir-radit
  • draft-coretta-oiddir-radsa
  • draft-coretta-oiddir-radua
  • draft-coretta-oiddir-roadmap
  • draft-coretta-oiddir-schema
  • draft-ietf-kitten-scram-2fa
  • draft-melnikov-sasl2
  • draft-melnikov-scram-bis
  • draft-melnikov-scram-sha-512
  • draft-melnikov-scram-sha3-512

v7.0.1: UnboundID LDAP SDK for Java 7.0.1

Compare Source

We have just released version 7.0.1 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for this release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:

• We added a new MaximumIdleDurationLDAPConnectionPoolHealthCheck class that can be used to replace connections that have remained idle for longer than a specified length of time. We generally recommend setting a maximum connection age for the pool so that connections are automatically replaced after a given amount of time regardless of their activity, but the new health check can be used as an alternative if you want to keep active connections around as long as possible while also ensuring that idle connections are closed by the LDAP SDK before they might be closed by the LDAP server or by intermediate network equipment.

• We updated the in-memory directory server to improve its concurrency when processing operations that don’t need to make changes to the data, including binds, searches, and compares.

• We added new Filter.createSubstringAssertion methods that can be used to create properly encoded string representations of substring assertions. This can be particularly helpful when you want to create an extensible matching filter using a substring matching rule.

• We updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it possible to use an alternative security provider when accessing the associated key or trust store. We’ve also made it possible to indicate whether the LDAP SDK should be allowed to access non-FIPS-compliant key stores when operating in FIPS 140-2-compliant mode.

• We fixed an issue in which the parallel-update tool would use an in-memory buffer to hold information about information to write to the reject file, but it would not automatically flush that buffer when changes are rejected. In some cases, this could introduce a significant delay between the time that a change is rejected and the time that a record of it was written to the specified log file.

• We fixed an issue with the manage-certificates tool that could prevent it from accessing the JVM’s default trust store in cases where the LDAP SDK is operating in FIPS 140-2-compliant mode and the tool is invoked programmatically (as opposed to running it from the command line).

• We updated the command-line tool framework to make it possible for tools to expose arguments for generating a debug log file. All of the tools included with the LDAP SDK have been updated to provide this option, and you can use the --help-debug argument to see the applicable arguments.

• We updated the debug logging framework to make it possible to write debug messages, which are formatted as JSON objects, using a multi-line representation rather than the default single-line representation. People looking at the log messages may find the multi-line format easier to read.

• We added a new StaticUtils.setSystemPropertyIfNotAlreadyDefined method that can be used to set the value of a specified system property in the JVM, but only if it’s not already set (in which case its current value will be preserved).

• We added client-side support for a new “verify password” extended request in the Ping Identity Directory Server that properly authorized clients (under a restricted set of circumstances) can use to determine whether a given password is valid for a specified user without performing any other password policy processing.

• We updated the OID registry to include records for a number of collation matching rules supported in the Ping Identity Directory Server, ForgeRock OpenDJ, Oracle OUD, and other servers.

v7.0.0: UnboundID LDAP SDK for Java 7.0.0

Compare Source

We have just released version 7.0.0 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. You can find the release notes for this release (and all previous versions) at https://docs.ldap.com/ldap-sdk/docs/release-notes.html, but here’s a summary of the changes:

• The LDAP SDK now requires Java 8 or later. Java 7 is no longer supported.

• We improved the behavior of LDAP connection pools when they are configured to invoke a health check when checking out a connection from the pool. Previously, if a connection was found to be invalid during checkout, the LDAP SDK would create a new connection to replace it, but would continue iterating through other connections in the pool trying to find an existing valid connection. It will now return the newly created connection immediately without checking other existing connections, which can substantially reduce the time to check out a connection in a scenario where many connections have been invalidated (e.g., by a server shutdown).

• We added a new compare-ldap-schemas command-line tool that can be used to identify differences between the schemas of two LDAP servers.

• We improved the behavior that the LDAP SDK uses when authenticating with the GSSAPI SASL mechanism. Previously, if you didn’t explicitly provide a JAAS configuration file to use for the attempt, the LDAP SDK would create a new one for each bind attempt. This would create a lot of temporary files that would need to be cleaned up when the JVM exited, and they might not get cleaned up properly if they JVM exits abnormally (e.g., it’s killed or if the JVM crashes). It would also require a small amount of additional memory for each bind attempt, since it has to remember another file to be deleted. Now, the LDAP SDK will be able to reuse the same generated configuration file for all GSSAPI bind requests that use the same JAAS settings, which will slightly improve performance, reduce memory usage, and reduce disk space consumption.

• We added experimental client-side support for the relax rules support as defined in draft-zeilenga-ldap-relax-03. This draft doesn’t specify an OID for the control, but at least a couple of servers (OpenLDAP and ForgeRock OpenDJ) have implemented support for the control with an OID of 1.3.6.1.4.1.4203.666.5.12, so the LDAP SDK uses that OID for the control.

• We added client-side support for a number of proprietary controls used by the ForgeRock OpenDJ directory server. These include:

  • A transaction ID request control, which can be included in an operation request to provide a transaction ID that will appear in the access log message for that operation.
  • A replication repair request control, which can be included in a write request to indicate that the associated change should not be replicated.
  • Change sequence number request and response controls, which can be used with a write operation to obtain the replication CSN that the server assigned to that operation.
  • Affinity request control, which can be included in related requests sent through an LDAP proxy server to consistently route them to the same LDAP server instance.

• We added connection pool health checks for use in conjunction with the Ping Identity Directory Server, including:

  • One that will attempt to determine whether there are any active alerts in the server that cause it to consider itself to be either degraded or unavailable.
  • One that will assess the replication backlog and can consider a server unavailable if it has too many outstanding changes, or if the oldest outstanding change was originally processed too long ago.
  • One that will attempt to determine whether the server is in lockdown mode.

• We updated the CryptoHelper class to add convenience methods for generating SHA-256, SHA-384, and SHA-512 digests from byte arrays, strings, and files. There are also generic versions of these methods that can be used with user-specified digest algorithms.

• We added methods for normalizing JSON values and JSON object filters. This can help make it possible to compare two JSON object filters to determine whether two JSON object filters are equivalent.

• We updated the BouncyCastleFIPSHelper class to add a constant with the name of a system property that can be used to enable support for the MD5 digest algorithm, which may be needed if you’re using the 1.0.2.4 or later version of the bc-fips jar file and need to use the MD5 message digest for some reason.

• We updated the documentation to include new and updated versions of a number of LDAP-related Internet Drafts, including:

  • draft-ietf-kitten-scram-2fa-04
  • draft-melnikov-scram-bis-04
  • draft-melnikov-scram-sha-512-04
  • draft-melnikov-scram-sha3-512-04
  • draft-coretta-oiddir-radit-00
  • draft-coretta-oiddir-radsa-00
  • draft-coretta-oiddir-radua-00
  • draft-coretta-oiddir-roadmap-00
  • draft-coretta-oiddir-schema-01

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or `` to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or `` anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[MrSebastian]

we use Version 6 as recommended by Spring-Security doc: https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html#servlet-authentication-ldap-unboundid

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 7.x releases. But if you manually upgrade to 7.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.