
Bump unboundid-ldapsdk from 2.3.1 to 5.1.4 #22

Open. Wants to merge 1 commit into base: master.

Conversation

dependabot-preview[bot]

Bumps unboundid-ldapsdk from 2.3.1 to 5.1.4.

Release notes

Sourced from unboundid-ldapsdk's releases.

UnboundID LDAP SDK for Java 5.1.4

We have just released version 5.1.4 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository.

The release notes contain a more complete overview of the changes included since the 5.1.3 release, but here’s a quick overview:

  • We fixed an issue with the fewest connections and round-robin server sets that could cause them to leave a background thread running if one of the servers it had been using goes away permanently.

  • We updated the TLS cipher suite selector to improve compatibility with JVMs (like the one provided by IBM) that use an “SSL_” prefix for all cipher suite names, rather than using “TLS_” for suites associated with the TLS protocol and only using “SSL_” for suites associated with legacy SSL protocols.

  • We have updated the TLS cipher suite selector to improve the order in which it returns the names of the recommended suites.

  • We have added new key and trust manager implementations that can use X.509 certificates and PKCS #8 private keys read from PEM files. We have also added new utility classes for reading certificates and private keys from PEM files.

  • We updated the LDAP SDK to support running in a FIPS 140-2-compliant mode using the Bouncy Castle FIPS provider (and the associated JSSE provider). The Bouncy Castle libraries are not provided as part of the LDAP SDK, but if they are separately obtained and included in the classpath, then the LDAP SDK can be configured to operate in a FIPS-compliant manner.

  • We have updated the manage-certificates tool to support managing certificates in BCFKS (the Bouncy Castle FIPS-compliant key store format) files.

  • We have updated the TLS cipher suite selector to exclude suites that rely on the SHA-1 digest algorithm from the recommended set of suites when running in FIPS-compliant mode.

  • We improved an error message that could be used in an exception if a connection becomes invalid in the course of trying to send a request to the server.

  • We updated the ldifmodify command-line tool to allow ignoring duplicate attempts to delete the same entry, and attempts to delete or modify entries that do not exist in the LDIF file.

  • We have updated support for the proprietary get user resource limits request control to allow clients to request that the server not return information about the user’s group membership in the response control. This can help improve performance when using the control, especially in servers with large numbers of dynamic groups.

  • We have updated the LDAP SDK documentation to include the latest versions of draft-coretta-x660-ldap and draft-ietf-kitten-password-storage in the set of LDAP-related specifications.

UnboundID LDAP SDK for Java 5.1.3

We have just released version 5.1.3 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository.

The biggest change in this release addresses an issue in the LDAP listener framework (including the in-memory directory server). The listener did not adequately protect against the case in which a malicious or errant client could send an LDAP request encoded as an ASN.1 BER sequence with a very large value length, which could result in the listener attempting to allocate up to two gigabytes of memory. The LDAP listener framework will now impose a maximum request size of 20 megabytes by default, which is the same as the default maximum size that the LDAP SDK will impose for responses read from a directory server. The maximum request size can be configured using the InMemoryDirectoryServerConfig.setMaxMessageSizeBytes method when using the in-memory directory server, or using the LDAPListenerConfig.setMaxMessageSizeBytes method when using the more general LDAP listener framework. If you’re using the LDAP listener framework (or the in-memory directory server) to accept requests from potentially untrusted clients, then we recommend upgrading to the 5.1.3 release.

Other changes since the 5.1.2 release include:

  • We have updated OID support to add methods for interacting with object identifiers in a hierarchical manner. It is now possible to create a new OID that is a child of a provided OID with a given subordinate component value. You can also get the parent for a provided OID and determine whether one OID is an ancestor or descendant of another.

  • We have updated the oid-lookup tool to add a new --exact-match argument that will cause it to only return items in which the OID, name, type, origin, or URL exactly matches the provided search string. The tool continues to use substring matching by default.

  • We have updated the ldap-result-code tool to add a new --output-format argument that allows you to customize whether the output should be formatted as a human-readable table, comma-separated values, tab-delimited text, or JSON objects. It will continue to format result codes in a table by default.

UnboundID LDAP SDK for Java 5.1.2

We have just released version 5.1.2 of the UnboundID LDAP SDK for Java. It is available for download from GitHub and SourceForge, and it is available in the Maven Central Repository. The release notes provide a pretty comprehensive overview of what’s changed since the 5.1.1 release, but here’s a summary:

Server-Agnostic Updates

  • We added a new parallel-update command-line tool that can be used to apply changes read from an LDIF file against an LDAP server using multiple concurrent threads.

  • We updated the ldapmodify and ldapdelete tools so that they will now default to retrying failed operations on a newly established connection if the failure suggests that the connection made for the initial attempt is no longer valid. This was previously available through the --retryFailedOperations argument, but it is now the default behavior, and a --neverRetry argument can be used if retry support is not wanted.

  • We added a new OIDRegistry class that provides a registry of object identifiers used in LDAP, including things like schema elements, controls, extended operations, and other sources. Each item in the registry has a name, an OID, and a type, and it may also have an origin string and a URL that may be used to retrieve additional information about the item.

... (truncated)

Changelog

Sourced from unboundid-ldapsdk's changelog.

Release Notes

Version 5.1.4

The following changes were made between the 5.1.3 and 5.1.4 releases:

  • Fixed a potential issue that could affect the fewest connections and round-robin server sets. Under certain circumstances (when a server associated with the server set is no longer available), the LDAP SDK could have left a background thread running until that server became available again. If the server was permanently unavailable, then that background thread would have remained alive until the JVM was shut down.

  • Improved support for running in a JVM that has been configured to operate in a FIPS 140-2-compliant mode using the Bouncy Castle BCFIPS provider. The LDAP SDK does not include the Bouncy Castle libraries, but if they are available in the classpath, and if the com.unboundid.crypto.FIPS_MODE system property is set to "true" (ideally at the time the JVM is launched, but at the very least before any LDAP SDK classes are loaded), then the Bouncy Castle FIPS provider will be used for cryptographic operations. In addition, the manage-certificates tool has been updated to add support for interacting with BCFKS key stores, and the LDAP listener and command-line tool frameworks have been updated to support using key and trust store files in the BCFKS format when explicitly requested.

  • Updated the TLS cipher suite selector to improve compatibility with JVMs that report all cipher suite names starting with "SSL_". Previously, the LDAP SDK assumed that modern TLS cipher suite names would always start with "TLS_" and only legacy SSL suite names would start with "SSL_". However, some JVMs (like the one maintained by IBM) use the "SSL_" prefix for all TLS cipher suite names, regardless of the protocol with which they are intended to be used. In such cases, the LDAP SDK would previously not identify any recommended suites, which would prevent the SSLUtil helper class from establishing secure connections, but it will now fall back to allowing suite names that start with "SSL_" as long as they do not meet any other criteria for exclusion. Further, if the cipher suite
... (truncated)

Commits
  • 9512113 Really fix removing non-FIPS provider
  • a6880e6 Fix an issue in removing non-essential providers
  • 1bb0f3b Add an option to remove non-FIPS providers
  • 65fbc94 Update BC FIPS properties
  • 551ae4d Update to draft-ietf-kitten-password-storage-04
  • e09a7ee Allow customizing the default key store type
  • 7f5ddd5 Exclude SHA-1 cipher suites in FIPS mode
  • e163e97 Add a BC log level property
  • 8b50908 Add a way to recompute recommended cipher suites
  • cc4bf11 Define an APPROVED_ONLY constant for FIPS mode
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] added the "dependencies" label (Pull requests that update a dependency file) on Mar 24, 2021