LDAP Connector v2
(c) Copyright 2020 OneLogin, Inc.

2021-03-08 - Version 2.3.21
---------------------------------------------------------------------------------------
1. LDC-353 - When the LDAP connector synchronizes users but needs to be restarted before it completes, and an exception occurs, synchronization did not restart automatically. The connector now recovers automatically and continues the normal synchronization process.
2. LDC-352 - Provisioned users that belong to a POSIX group are now associated correctly in LDAP. Previously, an incorrect attribute was used to link a user to the group, which caused issues.
3. LDC-357 - You can now deselect a child OU under a selected parent OU. Users under the deselected OU won't synchronize; this includes the OUs under the deselected branch of the OU tree.
   Note: To enable this feature, update all configured connectors to the current LDC version, LDC 2.3.21, which supports this functionality.
   Warning: When at least one OU is deselected, don't downgrade connectors. If you downgrade to a version that doesn't support the feature and that connector is promoted to synchronize, the deselected OU is no longer ignored and its users are synchronized.

2020-11-09 - Version 2.3.20
---------------------------------------------------------------------------------------
1. LDC-308 - The LDC now gracefully recovers from unexpected connection errors that were causing user syncs to fail.
2. LDC-310 - The LDC now gracefully recovers from interrupted communication between the LDC and the LDAP server, even when the LDC configuration changes while the LDC is unable to connect to the LDAP server.
3. LDC-268 - When provisioning is enabled, the LDC now requests changed users every 15 minutes, in addition to the dynamic updates that are received when a user is created or updated in LDAP.
4. LDC-309 - The LDC now waits 30 seconds before trying to reconnect to the OneLogin SMUX service, to prevent overloading it.
5. LDC-263 - All log messages from OneLogin SMUX connections are now sent to the correct LDC log file.
6. LDC-303 - The unused DE shard was removed from the LDC configuration.

2020-09-14 - Version 2.3.19
---------------------------------------------------------------------------------------
Support for automatic failover for user synchronization. Enhancements to log messages.
1. LDC-44 - The LDC now sends a health report to OneLogin every 15 minutes; OneLogin uses it to determine connector health when the automatic failover mechanism is enabled. The LDC logs the health report in a new file named healthreport.log in the logs directory.
2. LDC-281 - If the LDC receives an invalid DN format, a message is logged only when debug is enabled.
3. LDC-288 - The LDC now checks whether the LDAP connection is valid when a ping is received from OneLogin.
4. LDC-276 - The ThirdParyLicenses file has been updated with the current versions of the libraries used by the LDC.
5. LDC-100 - The LDC token is now masked when it is logged directly or as part of a message.

2020-06-17 - Version 2.3.18
---------------------------------------------------------------------------------------
Support for TLS versions 1.1 and below removed. Enhancements to log messages, to updating users during sync, and to pagination detection.
1. LDC-219 - TLS versions 1.1 and below are no longer supported.
2. LDC-220 - The LDC now logs information about the cached users received from OneLogin when the LDC services are restarted. This helps troubleshoot cases where massive changes are detected when LDAP user attributes are compared with the existing user fields in OneLogin.
3. LDC-256 - To improve performance in advanced mappings scenarios, the onelogin_id field is no longer sent with requests to update users. User identification now uses external_id.
4. LDC-265 - The LDC now detects whether LDAP server pagination is supported and enabled.
   If it is not, the LDC writes a log message that LDAP server pagination must be enabled or LDC pagination must be disabled by adding the following to ldc.conf:
   ldc.ldap.search.paging.enabled=false
5. LDC-269 - The LDC now uses only the UUID attribute to identify the user; the OneLogin Id is no longer required for updates.

2020-01-14 - Version 2.3.17
---------------------------------------------------------------------------------------
Log an event at OneLogin and in the LDC log when a user can't be created. Ignore case on RDN attribute names to prevent provisioning errors.
1. LDC-182 - An event is logged at OneLogin when the LDC tries to add a user to an LDAP server but the user is rejected. The LDC also now logs the rejection locally consistently, and only when the user is actually rejected.
2. LDC-200 - Matches on RDN attribute names are now case insensitive, to prevent provisioning errors caused by case differences.

2019-11-15 - Version 2.3.16
---------------------------------------------------------------------------------------
Support for advanced mappings with provisioning, failover between LDAP servers, control of unrecoverable errors, LDAP messages when provisioning fails, and running multiple LDC instances on a single VM/machine.
1. LDC-36 - Provisioning users from OneLogin to LDAP with advanced mappings is now supported.
2. LDC-133 - When provisioning from OneLogin to LDAP required a user deletion, the LDC needed a valid user in its internal cache to delete. The LDC can now delete the user even if it does not exist in the LDC cache.
3. LDC-145 - When provisioning from OneLogin to LDAP fails, an event message is now sent to OneLogin with the specific LDAP error message, to improve failure diagnostics.
4. LDC-152 - If any internal LDC thread stops working for an external reason, such as an unavailable network connection, the LDC detects the unrecoverable state, stops gracefully, and sends an event message to OneLogin.
5. LDC-151 - LDC failover between LDAP servers is now enabled. To configure it, enter an ordered, comma-delimited list of hosts and ports in the OneLogin LDC configuration UI. For example, at OneLogin, enter:
   Host or IP: 10.10.10.10,10.10.10.11
   Port: 636,389
   The ports pair positionally with the hosts: in this example 636 (LDAPS) applies to 10.10.10.10 and 389 (plain LDAP unless StartTLS is negotiated) to 10.10.10.11, so check that a failover host does not silently downgrade transport security.
6. LDC-188 - The LDC_HOME environment variable used for the log file location is now only required when the LDC is installed as a Windows service. When starting the LDC from the command line, LDC_HOME is no longer required, which resolves LDC_HOME contention between multiple LDC instances on the same host: each instance can have its own log file in its installed location.
   NOTE: If you installed LDC 2.3.15 on Windows, you must remove LDC_HOME, which was set as a Windows system environment variable.

2019-08-02 - Version 2.3.15
---------------------------------------------------------------------------------------
Enhancements to provide detailed information for provisioning errors, detect server-specific LDAP codes for invalid authentication, validate LDAP fields received from the server, and install the LDC as a service on Windows.

2019-06-27 - Version 2.3.15-pre3
---------------------------------------------------------------------------------------
Provide detailed information when an LDAP server rejects a user modification.
1. LDC-128 - When the LDAP server rejects a user modification from OneLogin through the LDC, the provisioning error reported by the LDC now includes the specific reason provided by the LDAP server. The full list of changes is now logged, and the user update is not attempted again until the user data changes.

2019-05-10 - Version 2.3.15-pre2
---------------------------------------------------------------------------------------
Detect server-specific LDAP codes for invalid authentication, validate LDAP fields received from the server, and install the LDC as a service on Windows.
1. LDC-118 - When the LDAP server connection of an active LDC failed for any reason, the message sent to OneLogin to switch to a configured standby connector was incorrect. The LDC now sends the correct message to OneLogin, so that switching to a configured standby connector works.
2. LDC-127 - When provisioning from OneLogin to LDAP, if a user was marked to be updated but the LDC had not yet received the notification and the LDC was restarted or a synchronization was requested, users marked for update were discarded. Now all users marked for update are processed at LDC restart or when a synchronization is requested.
3. LDC-126 - On some versions of Windows Server, the path environment variables used in the service script that invokes the LDC were not populated correctly during installation. The installer now validates the paths before installing the LDC as a Windows service.

2019-03-12 - Version 2.3.15-pre1
---------------------------------------------------------------------------------------
Detect server-specific LDAP codes for invalid authentication, validate LDAP fields received from the server, and install the LDC as a service on Windows.
1. LDC-123 - Some LDAP servers return codes that provide additional context on failed authentications. These codes are LDAP-server specific. Support has been added to detect the data code returned by AD LDS after an invalid authentication and to send the associated reason to OneLogin. The codes for AD LDS are:
   52e  AD INVALID CREDENTIALS
   525  USER NOT FOUND
   530  NOT PERMITTED TO LOGON AT THIS TIME
   531  RESTRICTED TO SPECIFIC MACHINES
   532  PASSWORD EXPIRED
   533  ACCOUNT DISABLED
   568  ERROR TOO MANY CONTEXT IDS
   701  ACCOUNT EXPIRED
   773  USER MUST RESET PASSWORD
   Support for additional LDAP servers will be added in the future upon customer request.
2. LDC-116 - When provisioning from OneLogin to LDAP, if OneLogin sent an unmapped password field and the LDC detected the field as a custom field, an error occurred.
   The LDC now validates only fields that are mapped to attributes in the OneLogin UI for provisioning to LDAP.
3. LDC-29 - You can now install and uninstall the LDC as a Windows service.
   To install the LDC as a Windows service, run: LDC_HOME\bat\installService.bat
   To start the service: LDC_HOME\bat\startService.bat
   To stop the service: LDC_HOME\bat\stopService.bat
   To uninstall the service: LDC_HOME\bat\uninstallService.bat
   To run the LDC on Windows as a console process, use the start-ldc.bat and stop-ldc.bat scripts as before. Any change to how the LDC is executed, for example to enable debug or increase memory, must be made in the file LDC_HOME\bat\setenv-ldc.bat.

2019-01-14 - Version 2.3.14
---------------------------------------------------------------------------------------
Provision users from OneLogin to LDAP with DNs that don't use uid.
1. LDC-114 - Users whose DN uses a user identifier other than uid could not be provisioned from OneLogin to LDAP. Checks have been added to verify that the attribute used as the DN user identifier and the value of the corresponding user entry attribute are the same, so the user can be provisioned.

2018-12-20 - Version 2.3.13
---------------------------------------------------------------------------------------
Enhancements to send events to OneLogin, support dynamic groups, validate LDAP server pagination support, validate and complete missing user OU tree nodes, and a configurable search filter to build the OU tree.

2018-12-17 - Version 2.3.13-pre4
---------------------------------------------------------------------------------------
Enhancements to send the distinguished name with disassociated user events.
1. LDC-112 - Add the user's distinguished name as a separate field sent to OneLogin with user lifecycle events.
   In addition to the event description, the distinguished name is now included in the user-related lifecycle events: user can't be provisioned or updated in LDAP, user can't be authenticated by LDAP, user password can't be changed or reset, and LDC runtime exceptions during user-related processing.

2018-12-06 - Version 2.3.13-pre3
---------------------------------------------------------------------------------------
Enhancements to send events to OneLogin, support dynamic groups, and validate LDAP server pagination support.
1. LDC-13 - Add client-side lifecycle events to OneLogin
   In addition to the user-related synchronization and authentication events displayed at OneLogin, lifecycle events have been added for: LDC start-up/stop, LDC configuration reload, LDC failover, user can't be provisioned or updated in LDAP, user can't be authenticated by LDAP, user password can't be changed or reset, and LDC runtime exceptions.
2. LDC-110 - Optionally disable sending user status to OneLogin
   When users are created or updated by a sync to OneLogin, the LDC always sends the user status as active. This behaviour can now be disabled, to prevent overriding a status that mappings set to inactive. To disable it, set in ldc.conf:
   ldc.api.activate.user.enabled=false
3. LDC-10 - Validate LDAP server support for pagination
   The LDC now detects whether an LDAP server supports pagination. If it does not, the LDC logs an error with instructions to disable pagination by configuration.
4. LDC-58 - Indicate when the LDAP server page size is exceeded
   The LDC now detects when the LDAP server page size is exceeded and logs an error with instructions to modify the page size by configuration.
5. ENT-92 - Support for OpenLDAP dynamic groups
   The LDC now returns users with membership in OpenLDAP dynamic groups using a new dynamic group search service. Dynamic groups are aggregated with the existing group types.
   To enable, set the following value in ldc.conf:
   ldc.ldap.group.search.type=dynamic-groups
   To also include existing static groups, set the following value:
   ldc.ldap.group.service.dynamic-groups.config.add-group=static-groups

2018-11-06 - Version 2.3.13-pre2
---------------------------------------------------------------------------------------
Validate and complete the user OUs for display and selection at OneLogin.
1. LDC-105 - Validate and complete missing OU nodes
   The OU tree at OneLogin is built from the search results returned by the get-OU filter. If the OU tree is incomplete, it does not render correctly in the OneLogin user selection UI. The LDC now inspects the returned OUs, validates them, and fills any gaps detected. No new configuration is required. With very large numbers of OUs, searches may be slightly slower at LDC startup and when refreshing the OU tree.

2018-10-17 - Version 2.3.13-pre1
---------------------------------------------------------------------------------------
Configurable search filter to build the OU tree.
1. LDC-103 - Add a configuration property to define the OU search filter
   The OU tree at OneLogin was previously built only from entries with the 'organizationalUnit' objectclass. The LDC now externalizes the search filter that gets the user OU tree: add the property 'ldc.ldap.ous.scan.search.filter' to the ldc.conf file with a custom filter, for example:
   ldc.ldap.ous.scan.search.filter=(|(objectclass=organizationalunit)(objectclass=container))
   The default OU search filter remains (objectclass=organizationalunit); it is replaced by the filter defined in this property when the property is set.
2. LDC-102 - Use only mapped fields to calculate the digest
   The digest the LDC calculates to determine whether a user has changed used values that are not mapped at OneLogin. This produced false positives when compared with the digest sent from OneLogin, which does not contain those values, and resulted in a full sync of users on every sync cycle.
   Specifically, the LDC now ignores the UUID attribute when calculating digests if the UUID is not mapped at OneLogin.

2018-10-23 - Version 2.3.12
---------------------------------------------------------------------------------------
Enhancements to optimize memory handling, prevent unexpected stops, enable adding custom attributes via configuration, enhancements to the AD LDS nested group cache service, and support for multi-value attributes.

2018-09-27 - Version 2.3.12-rc4
---------------------------------------------------------------------------------------
Check whether the user exists in LDAP before searching for the user's groups.
1. LDC-98 - Check whether the user was deleted in LDAP before searching for the user's groups
   When the LDAP search type is static, the user DN is obtained before getting the user's groups. If the user was deleted before the group search, an error occurred. Now the LDC checks whether the user exists in LDAP before performing the group search.

2018-09-24 - Version 2.3.12-rc3
---------------------------------------------------------------------------------------
Prevent synchronization from stopping on error, logging enhancements, and socket.io library update.
1. LDC-97 - Prevent synchronization from stopping after an LDAP error
   When an LDAP error occurred while getting users or groups, the synchronization process stopped. The LDC now detects the error, continues the synchronization, and waits for the next synchronization cycle to try to get users and groups again.
2. LDC-41 - Generate a list of invalid users and detect changes before sending them again
   When OneLogin reports a user as invalid, the LDC adds the user to an invalid-user list and, during each synchronization, checks whether the user has changed before trying to send it to OneLogin again. This avoids unnecessary network traffic and repeated log errors. If the configuration changes, the invalid-user list is cleared.
3. LDC-83 - Compatibility updates for the socket.io client library
   Updated the socket.io client library used to establish OneLogin supermux connections.

2018-08-22 - Version 2.3.12-rc1
---------------------------------------------------------------------------------------
This is a pre-release version that includes logging enhancements and third-party library updates.
1. LDC-82 - Update dependencies
   Updated libraries used by the LDC, including JSON, the Jetty web server, and string utilities, to address memory issues.
2. LDC-85 - LDC shown as disconnected in the UI
   The messaging issues that caused the LDC to be shown as disconnected in the UI while it was connected have been resolved.
3. LDC-69 - Log the details of 422 errors
   When a user does not meet the validation requirements to be imported, OneLogin responds with a 422 error, which the LDC previously ignored. The LDC now logs the 422 details to facilitate troubleshooting.
4. LDC-88 - Validate that the error message is contained in the JSON response
   To prevent JSON parsing warnings when a non-JSON response is received, the LDC now checks that the response contains an error label before extracting the message.
5. LDC-87 - Add an HTTP request retry handler
   When the OneLogin server caused an IO exception because of an internal blip, the LDC waited until the next sync to retry the user update or creation. The LDC now retries up to 3 times before skipping the user until the next sync, to prevent delays when a user is created or updated.

2018-08-02 - Version 2.3.12-pre6
---------------------------------------------------------------------------------------
Detect sync workers that unexpectedly stop.
1. LDC-81 - Improve validation when sync workers unexpectedly stop
   If running workers unexpectedly stop, the sync queues are cleared to enable the sync process to restart after a wait period.
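The following is an added example, not the LDC's own code, of how a connector can apply the response handling described in LDC-69, LDC-88 and LDC-87 (2.3.12-rc1, above) together with the invalid-user list of LDC-41 (2.3.12-rc3) and the mapped-fields digest of LDC-102 (2.3.13-pre1). The class and function names, the mapped field list and the response bodies are assumptions constructed for the example; the real OneLogin API responses and the LDC's internals are not on this page.

```python
"""Added example (hypothetical names): retry, 422 and non-JSON handling for
sending one user to OneLogin, plus an invalid-user list keyed by a digest of
the mapped fields only."""
import hashlib
import json
import logging

log = logging.getLogger("ldc.example")

MAX_ATTEMPTS = 3                       # LDC-87: retry up to 3 times, then skip until next sync
MAPPED_FIELDS = ("uid", "mail", "cn")  # assumption: the fields mapped at OneLogin


def user_digest(user, mapped_fields=MAPPED_FIELDS):
    """LDC-102 style change digest over mapped fields only: an unmapped
    attribute (a UUID, say) changing must not look like a user change."""
    material = "\x1f".join(f"{k}={user.get(k, '')}" for k in mapped_fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def extract_error(body):
    """LDC-88: parse the body as JSON only when it carries an error label, so a
    plain-text proxy error page does not produce a JSON parsing warning.
    Returns the message string or None."""
    if '"error"' not in body and '"message"' not in body:
        return None
    try:
        doc = json.loads(body)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return None
    if not isinstance(doc, dict):
        return None
    for label in ("message", "error"):
        value = doc.get(label)
        if isinstance(value, str):
            return value
    return None


class UserSender:
    """transport(user) -> (http_status, body_text); raises OSError on IO failure."""

    def __init__(self, transport):
        self.transport = transport
        self.invalid = {}  # LDC-41: user key -> digest of the payload OneLogin rejected

    def clear_invalid(self):
        """LDC-41: a configuration change clears the invalid-user list."""
        self.invalid.clear()

    def send(self, user):
        key = user["uid"]
        digest = user_digest(user)
        if self.invalid.get(key) == digest:
            return "unchanged-invalid"  # LDC-41: do not resend until the user changes
        for attempt in range(1, MAX_ATTEMPTS + 1):
            try:
                status, body = self.transport(user)
            except OSError as exc:
                log.warning("attempt %d/%d for %s failed: %s", attempt, MAX_ATTEMPTS, key, exc)
                continue
            if status == 422:
                # LDC-69: the validation details are what makes the rejection debuggable
                log.error("OneLogin rejected %s (422): %s", key, extract_error(body) or body)
                self.invalid[key] = digest
                return "invalid"
            if 200 <= status < 300:
                self.invalid.pop(key, None)
                return "ok"
            log.error("unexpected status %d for %s: %s", status, key, extract_error(body) or body.strip())
            return "error"
        return "skipped"  # LDC-87: give up on this user until the next sync
```

Only IO failures are retried; a 422 is a deterministic validation failure, so retrying it would only repeat the traffic and log noise that LDC-41 set out to remove.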
2018-08-02 - Version 2.3.12-pre5
---------------------------------------------------------------------------------------
Enhancements to add memory instrumentation and support Smart Password.
1. LDC-80 - Add memory instrumentation
   Added more memory instrumentation to enable analysis of memory conditions in specific environments.
2. LDC-75 - Smart Password support
   The LDC now supports Smart Password and allows resetting a password using the email address instead of the DN.

2018-08-01 - Version 2.3.12-pre4
---------------------------------------------------------------------------------------
Enhancements to improve memory usage.
1. LDC-76 - Improve memory handling
   The LDC now has memory optimizations that improve memory utilization when handling Strings, ConcurrentMaps, and Queues. This enhancement was driven by the large Strings returned from the AD LDS nested group service for users that have massive numbers of nested groups.

2018-08-01 - Version 2.3.12-pre3
---------------------------------------------------------------------------------------
Enable forced update of all users.
1. LDC-78 - Enable forced full update
   The LDC now supports forcing a full user update from LDAP to the OneLogin server. When this flag is enabled, a full update of users is forced only when the LDC is restarted or a sync-users command is received. Enable it by adding to ldc.conf:
   ldc.sync.force.update.enabled=true

2018-07-11 - Version 2.3.12-pre2
---------------------------------------------------------------------------------------
Enhancement to detect and restart sync workers that unexpectedly stop.
1. ENT-228 - Validate whether sync workers unexpectedly stop
   The LDC now validates whether running workers have unexpectedly stopped, which enables the sync process to restart after a wait period.
2. ENT-226 - Log Java command-line parameters
   To aid in debugging, the Java invocation arguments are now logged. They may include information about heap size, GC parameters, and other items of interest.
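The following is an added example, not the LDC's own code, of decoding the server-specific "data" sub-code that AD LDS appends to the diagnostic message of a failed bind, using the table from LDC-123 (2.3.15-pre1, above), and of building an event that carries the user's DN as a separate field as LDC-112 describes. The diagnostic string format is Microsoft's; the sample messages in the test are constructed, and the function names and the event layout are assumptions for this example.

```python
"""Added example (hypothetical names): map an AD LDS bind failure to the
reason a connector would report, without treating every invalidCredentials
as a wrong password."""
import re

LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

# LDC-123: AD LDS data codes returned after an invalid authentication.
ADLDS_DATA_CODES = {
    "52e": "AD INVALID CREDENTIALS",
    "525": "USER NOT FOUND",
    "530": "NOT PERMITTED TO LOGON AT THIS TIME",
    "531": "RESTRICTED TO SPECIFIC MACHINES",
    "532": "PASSWORD EXPIRED",
    "533": "ACCOUNT DISABLED",
    "568": "ERROR TOO MANY CONTEXT IDS",
    "701": "ACCOUNT EXPIRED",
    "773": "USER MUST RESET PASSWORD",
}

# Codes for which the password itself may have been correct: account state,
# not the credential, blocked the logon. Reporting them as a plain bad
# password would send OneLogin the wrong reason.
ACCOUNT_STATE_CODES = {"530", "531", "532", "533", "701", "773"}

# Matches e.g. "... comment: AcceptSecurityContext error, data 52e, v1db1"
_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def decode_bind_failure(result_code, diagnostic):
    """Return (data_code, reason). The sub-code is only meaningful on
    invalidCredentials (49); servers that send no sub-code (OpenLDAP, for
    instance) yield (None, 'INVALID CREDENTIALS')."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return None, f"LDAP RESULT CODE {result_code}"
    match = _DATA_CODE.search(diagnostic or "")
    if match is None:
        return None, "INVALID CREDENTIALS"
    code = match.group(1).lower()
    return code, ADLDS_DATA_CODES.get(code, f"UNKNOWN AD LDS DATA CODE {code}")


def bind_failure_event(user_dn, result_code, diagnostic):
    """Build the event a connector would send to OneLogin: the user's DN as a
    separate field (as LDC-112 does) plus the decoded reason. The password and
    the raw bind request are deliberately not part of the event."""
    code, reason = decode_bind_failure(result_code, diagnostic)
    return {
        "dn": user_dn,
        "ldap_result_code": result_code,
        "data_code": code,
        "reason": reason,
        "credential_error": code not in ACCOUNT_STATE_CODES,
    }
```

These sub-codes reveal account state to anyone who can attempt a bind, which is a property of AD LDS itself; a connector should log and forward them to the identity provider for diagnostics, but never echo the diagnostic string back to the end user who attempted the login.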
2018-06-21 - Version 2.3.12-pre1
---------------------------------------------------------------------------------------
Enhancement to add memory instrumentation.
1. ENT-216 - Add memory instrumentation
   Added memory instrumentation to enable analysis of memory conditions in specific environments.

2018-06-11 - Version 2.3.11-beta
---------------------------------------------------------------------------------------
Enhancement to add custom attributes via configuration.
1. ENT-219 - Add custom attributes by file configuration
   If some directory attributes are not found by the LDC through discovery, they can be configured for use with synchronization by adding the attribute names to the ldc.conf file:
   ldc.ldap.extra.attributes=attribute_name1,attribute_name2,attribute_name3

2018-05-30 - Version 2.3.10-beta
---------------------------------------------------------------------------------------
Enhancements to the AD LDS nested group cache service, support for multi-value attributes, and logging enhancements.
1. ENT-218 - Log attribute metadata
   To provide more information about the attributes obtained from the LDAP server, the LDC now logs more messages with the related metadata.
2. ENT-213 - Support LDAP multi-valued attributes
   The LDC now checks for LDAP multi-valued attributes other than memberOf and imports all multi-valued attributes it finds to OneLogin as semicolon-delimited strings.
3. ENT-215 - Increase the log file size for debug
   To capture more information during debugging, the default log file size used for debugging has been increased to 300 MB, and up to 20 zipped rotated files are kept.

2018-05-14 - Version 2.3.9
---------------------------------------------------------------------------------------
This release includes enhancements to the AD LDS nested group cache service.
1. ENT-214 - Validate and ignore circular references in nested groups
   The LDC now checks for circular group references to prevent the sync process from hanging while building the nested group cache.
2. ENT-212 - Prevent proxy warning
   Some proxy servers use pre-authentication with BASIC authentication before NTLM authentication, which results in a warning if this is not allowed. The LDC now detects and suppresses this warning.

2018-05-02 - Version 2.3.8
---------------------------------------------------------------------------------------
This release includes enhancements to the AD LDS nested group cache service.
1. ENT-201 - Improve reliability of the nested group tree cache for AD LDS
   A filter within the service that uses the Microsoft OID 1.2.840.113556.1.4.1941 to search for nested groups was causing the cache searches to time out, and is no longer used when the cache service is enabled. A filter that uses this OID is still used when the cache is disabled with this service flag:
   ldc.ldap.group.service.adlds-nested.config.cache-enabled=false
   Sites with smaller numbers of nested groups should set this flag to false.

2018-04-30 - Version 2.3.7
---------------------------------------------------------------------------------------
This release includes support for the Advanced Directory Attributes feature, secure storage of configuration properties, and bug fixes.
1. ENT-202 - Fix undetected stop when an LDC sync is incomplete
   When the LDC tried to sync an incomplete user, the sync stopped and the stop was not handled correctly. The issue has been fixed and tested.
2. ENT-203 - Enable LDAP pagination by default
   The LDAP pagination default has been changed from disabled to enabled.
3. ENT-204 - Fix script comments
   Some scripts, such as stop-ldc.bat, had references that have been clarified. Script functionality is not affected.
4. ENT-205 - Avoid duplicated files in the distribution
   Removed duplicate logback-debug.xml files from the distribution.
Related tickets deployed in the OneLogin cloud:
1. DIRECTORY-2908 - Compare user matching attributes using their downcased versions
   When importing SAMAccountName from AD, OneLogin lowercases the values. However, matching users from additional AD/LDAP servers using the LDC (and possibly AD) was case-sensitive, resulting in case mismatches. Comparisons of SAMAccountName, UserPrincipalName, or Email attribute values are now downcased to prevent case mismatches. Deployed on Apr/19/18 7:40 PM PST.
2. DIRECTORY-2933 - Optimize the DirectoryOus updates endpoint
   Updates to large OU tree data took too long to process because a transaction was created for every directory OU record whose parent differed. The database update is now delegated as a bulk update processed directly with SQL commands. Deployed on Apr/26/18 10:32 AM PST.
3. DIRECTORY-2826 - Detect correlating mappings in the search for cached payloads
   Cached values from a decorator directory were not applied when syncing new users from a master directory, because of a missing step to identify correlating user-matching attributes from cached payloads. For example, mappings in AD like `mail -> email` were not matching mappings in LDAP like `objectMail -> email`. To fix this, OneLogin now identifies the correlating user mappings for every directory, which lets it find the latest cached payload that matches the incoming payload. Deployed on Apr/26/18 4:41 PM PST.

2018-04-19 - Version 2.3.6
---------------------------------------------------------------------------------------
This is a release candidate that includes support for storing secure properties.
1. ENT-178 - LDC v2 - Store and load on-prem passwords from a secure secret store
   The LDAP Directory Connector now supports secure property values in the configuration file ldc.conf, which provides an extra level of security for passwords and other sensitive information stored in the configuration file. To create encrypted values for the configuration, a secure-properties utility is provided as part of the distribution file.
   The secure-properties utility is available in the distribution at:
   bin\secure-properties.sh for Linux, Unix, and Mac OS X
   bin\secure-properties.bat for Windows
   The encrypted values should be placed in the configuration file conf/ldc.conf. When the LDAP Directory Connector starts, it checks whether the environment variable SECURE_PASSWORD (the one used with the secure-properties utility) is set; if so, the configuration settings are loaded and the encrypted values are decrypted using SECURE_PASSWORD. Only the encrypted values are decrypted. Treat SECURE_PASSWORD with the same care as the secrets it protects: anyone who can read the LDC process environment can decrypt the values in ldc.conf.

2018-04-12 - Version 2.3.5
---------------------------------------------------------------------------------------
This is a release candidate that includes support for the Multiple Directory Attributes feature and solves some problems with group caching.
1. Bug (ENT-200) - Fix LDAP pagination when it is used for group caching
   LDAP Directory Connector version 2.3.4 included support for group caching to improve group handling, including AD LDS nested groups and LDAP search groups. When a large number of groups is handled, LDAP pagination is required; a problem introduced in LDAP pagination caused an exception because the LDAP search size limit was exceeded. The issue has been fixed and tested.
2. ENT-198 - Better string representation for response objects
   While testing some server fixes and features, a better representation of HTTP responses in the logs was identified as an improvement that enables better diagnosis.

2018-03-21 - Version 2.3.4
---------------------------------------------------------------------------------------
This is a release candidate that includes support for the Multiple Directory Attributes feature. The primary enhancement in this release is improved group handling, including AD LDS nested groups, LDAP search groups, and OpenLDAP memberOf.
1. ENT-173 - Nested group membership search performance enhancements
   Active Directory Lightweight Directory Services (AD LDS) has a known problem with CPU utilization in environments that use the special LDAP "chain search" Microsoft implemented. To optimize the use of that search, the LDAP Directory Connector now has the option to use a cache. To enable the cache on AD LDS, set the following values in your ldc.conf file:
   ldc.ldap.group.search.type=adlds-nested
   ldc.ldap.group.service.adlds-nested.config.cache-enabled=true
2. ENT-190 - Refactor static group membership support
   Searching for LDAP user group memberships in static groups now supports caching of group membership information, which can significantly improve performance compared with performing a separate LDAP group search for each user. To enable the cache for static groups (groupOfUniqueNames, groupOfNames, groupOfUrls, posixGroups), set the following values in your ldc.conf file:
   ldc.ldap.group.search.type=static-groups
   ldc.ldap.group.service.static-groups.config.cache-enabled=true
3. ENT-191 - Refactor OpenLDAP memberOf group membership support
   As part of the refactoring of group membership handling, support for the OpenLDAP 'memberof' overlay is included. To enable it, set the following value in your ldc.conf file:
   ldc.ldap.group.search.type=openldap-memberof
4. Bug (ENT-194) - Fix loading of a proxy configuration with no authentication
   LDAP Directory Connector version 2.2.24-beta included configuration validation that introduced a problem when an outbound HTTP proxy was required but authentication was not. It is now possible to enable the outbound HTTP proxy while selecting proxy authentication type 'none'. The issue has been fixed and tested.

2018-01-30 - Version 2.3.3-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.
This is a follow-up release for LDAP Directory Connector support of the Multiple Directory Attributes feature. The primary enhancement in this release is support, in the 'Update and Create' LDAP directory configuration, for the 'Change Password' and 'Reset Password' operations in Active Directory Lightweight Directory Services (AD LDS) environments. A few additional fixes and enhancements are also included. This release is suitable for use in the multi-directory attribute modes 'update only' and 'update and create' users.
1. ENT-180 - Support the unicodePwd attribute in AD LDS environments
   Active Directory Lightweight Directory Services (AD LDS) environments store a user's password in a write-only attribute named 'unicodePwd'. The value of this attribute is encoded but NOT encrypted, so (by default) attempts to modify this attribute for 'Change Password' and 'Reset Password' operations are strictly limited to SSL/TLS-enabled network connections. To enable the 'Change Password' and 'Reset Password' encoding of the unicodePwd attribute in AD LDS environments, set the following value in your ldc.conf file:
   ldc.ldap.user.password.hash.algorithm=UNICODEPWD
   NOTE: the default value is CLEARTEXT, which is suitable for LDAP servers that salt and digest the password and store it in hashed form in the de facto standard 'userPassword' attribute.
2. ENT-187 - Improve user state download error handling and logging
   When the LDAP Directory Connector starts, downloads an updated configuration, or receives a 'Synchronize Users' command, it downloads the state of all users stored in the associated OneLogin directory. In at least one reported case, the LDC downloaded only a subset of all user state from OneLogin but, due to inadequate HTTP status handling, believed it had downloaded state for all users. The fix now specifically checks for HTTP status 200 and, if it is not received, retries downloading the associated page of user state (up to 3 times).
   Additional INFO-level logging now shows the HTTP status received and other information. In addition, if user state downloads do not complete, the cached user state is now cleared and the current 'sync loop' is cancelled. After waiting the configured sync interval, download of the user state will be attempted again.

3. ENT-166 - Validate Key Operational Values in the Downloaded Configuration
   With support for Multiple Directory Attributes, the LDAP Directory Connector now receives configuration settings for additional operational modes. Additional validation of these values was added to ensure they are consistent with the LDC design, which proactively avoids undefined operational states.

4. ENT-175 - Capture and Log Runtime Exceptions
   A high-level exception handler was added to the LDC main program to catch and log any unexpected runtime exceptions. This ensures the exceptions are logged to the ldc.log file (rather than the console), where they appear in the context of other logged messages. Any exceptions caught by this handler should be considered programming errors (bugs) and reported so they can be resolved.

2017-12-20 - Version 2.3.2-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.
This is the initial release for limited LDAP Directory Connector support of the Multiple Directory Attributes feature. This feature enables specified user attributes synchronized via the LDAP Directory Connector to be merged (at OneLogin) with user attributes from other directories. In this way, a complete OneLogin user can be populated from attributes synchronized via multiple on-premises directories. In this operating mode, one directory is designated the "master" directory, capable of creating and updating users.
Zero or more other "slave" directories may update the user data they contribute, but may not "create" new OneLogin users that are visible and available within your OneLogin directory. This release includes the following features and limitations in the context of Multiple Directory Attributes support:

1. The LDC "Mappings" configuration supports only: "This directory can only update users". It cannot assume the role of a "master" directory connector, which requires: "This directory can create and update users". The ability to serve as a "master" directory connector will be added in an upcoming release.

2. Synchronizing user attributes from the LDAP directory to OneLogin is supported, but the following synchronization actions are not supported:
   a) Deleting OneLogin user data because the associated LDAP user was deleted.
   b) Deleting OneLogin user data because the associated LDAP user was "unselected", either by unselecting an Organizational Unit or by changing any supported user selection filters in the local ldc.conf file.
   These user data delete actions will be supported in a near-future release.

3. Provisioning user attributes to LDAP and/or deleting an LDAP user are not supported.

4. LDAP Directory Connector Promote/Demote, by configuring a 'Standby' connector and 'Activating' a 'Standby' connector, is supported.

5. When the LDAP Directory Connector is configured for role 'This directory can only update users', it cannot handle (and should not receive) delegated authentication and change password requests. This is true regardless of whether the LDAP Directory Connector is the current/active/primary connector or the 'standby' connector.

2017-12-14 - Version 2.2.27-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1.
Bug (ENT-164) Fix AD LDS Nested Groups Sync
   LDAP Directory Connector version 2.2.26-beta incorrectly searched for 'memberOf' attributes in the nested group hierarchy (rather than 'member' attributes), which caused incorrect reporting of some group memberships. Also, the connector manually recursed groups using one LDAP search per level, which could introduce an unnecessary performance penalty for directories with many groups and deep group nesting. The LDAP Directory Connector now uses an AD/AD LDS-specific "chain filter" (Microsoft's LDAP_MATCHING_RULE_IN_CHAIN extensible match, OID 1.2.840.113556.1.4.1941), which recurses nested group relationships in a single LDAP search. Correct nested group search results have been confirmed via independent means in the LDAP Directory Connector, the Apache DS GUI client and the ADSI Edit client. The nested group search also returns a user's memberships in the "Default Groups" available under the AD LDS "Roles" entry, including the "Administrators", "Readers" and "Users" groups.

2017-12-05 - Version 2.2.26-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug (ENT-151) Fix NTLM proxy configuration loading
   LDAP Directory Connector version 2.2.25-beta included configuration loading refactoring that introduced a problem when loading NTLM proxy authentication configuration settings. The configuration loading issue has been fixed and tested.

2017-11-30 - Version 2.2.25-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-2477) AD LDS Nested Groups Support
   The LDAP Directory Connector now includes support for nested group memberships in the Active Directory Lightweight Directory Services (AD LDS) environment.
   To use this feature, the following two configuration options must be set in the ldc.conf file:
      ldc.ldap.user.memberof.search.enabled=true
      ldc.ldap.ad.user.search.groups.nested.enabled=true
   When using these settings, the LDAP Directory Connector will search LDAP user entries for 'memberof' attributes. Any referenced 'group' objects will be recursively searched for other nested 'group' references. Each of the referenced group DNs is added to the user's OneLogin group memberships.
   NOTE: nested group membership searches currently work ONLY in AD LDS, and possibly in regular AD environments (though AD has not been tested). Support for nested group schemas in other LDAP server environments will require customization for the group schemas and recursive search semantics needed for those specific environments.

2017-10-23 - Version 2.2.24-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-410) HTTP Proxy Authentication Support
   The LDAP Directory Connector now includes provisional support for NTLM proxy authentication. The following new LDAP Directory Connector configuration properties are available:
      ldc.proxy.auth.ntlm.username    - The proxy NTLM authentication username.
      ldc.proxy.auth.ntlm.password    - The proxy NTLM authentication password.
      ldc.proxy.auth.ntlm.domain      - The proxy NTLM authentication domain.
      ldc.proxy.auth.ntlm.workstation - The proxy NTLM authentication workstation name.
   These configuration properties are used when:
      ldc.proxy.auth.type=ntlm

2017-09-29 - Version 2.2.23
---------------------------------------------------------------------------------------
This is a general availability production release for all customers. This is the first production release since version 2.2.17 and contains all fixes and enhancements detailed for the intervening -beta releases.

1.
Enhancement (DIRECTORY-420) Microsoft Windows Start/Stop Scripts
   The LDAP Directory Connector now includes batch scripts for Microsoft Windows environments supporting start and graceful stop operations.
   NOTE: A future release will include the ability to install/uninstall the LDAP Directory Connector as a Windows service so that it can be started/stopped via the Windows Service Manager.
   The new start/stop scripts are available in the distribution at:
      bin\start-ldc.bat
      bin\stop-ldc.bat
   Both scripts can be customized to configure: 1) the heap memory used by the Java Virtual Machine, 2) running in the foreground or background, 3) enabling DEBUG-level logging. See the well-commented scripts for more details.

2. Enhancement (DIRECTORY-392) RFC 3062 - Modify Password Extended Operation Support
   Enables the use of the LDAP Password Modify Extended Operation defined in RFC 3062 to modify user passwords. This RFC defines multiple password-related features, but in the context of the LDAP Directory Connector it is useful because the server can update other LDAP user-related attributes when the user's userPassword attribute is modified. One of the common features available in OpenLDAP servers is update of a user's Windows or Unix desktop login credentials at the same time the userPassword attribute is modified. See the conf/ldc-default.properties file for more details. If you'd like to enable this feature, copy/paste the configuration property into conf/ldc.conf (your site-specific configuration file) and set the corresponding configuration value to true.
   NOTE: when this property is enabled and you have an OpenLDAP server, you should also take care to set the password hashing algorithm to CLEARTEXT to delegate hashing of the password to the LDAP server, based on its olcPasswordHash parameter. The Password Modify operation carries the new password in clear text within the LDAP session, so only use it over a TLS-protected connection.

2017-08-15 - Version 2.2.22-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1.
Enhancement (DIRECTORY-1688) Hierarchical Configuration Files
   The LDAP Directory Connector now supports a hierarchy of configuration files, which simplifies environment updates. "Factory default" configuration settings are set in the new configuration file:
      conf/ldc-default.conf
   Customer site-specific configuration settings should be made in configuration file:
      conf/ldc.conf
   When the LDAP Directory Connector is started, configuration settings are loaded as follows:
      1. conf/ldc-default.conf is loaded
      2. conf/ldc.conf is loaded; any properties present here override those from step 1.
   The conf/ldc.conf file shipped with the connector still contains the properties most likely to need customization at each site. You can see all other configurable properties in file: conf/ldc-default.conf. Should you need to customize a default property value that you see in conf/ldc-default.conf, copy/paste the property into conf/ldc.conf and make your edits there. In the future, when you wish to upgrade the LDAP Directory Connector to a new version, you will most likely be able to use your existing ldc.conf file along with the new "factory default" ldc-default.conf distributed with the new connector.

2. Enhancement (DIRECTORY-1815) Support LDAP server admin bindDN/password in config file
   For customers who do not wish to set the LDAP server admin bindDN and password in the LDAP Directory Connector cloud-based configuration, you may now configure these values in your local conf/ldc.conf configuration file. The following configuration properties are now available:
      ldc.ldap.admin.bind.dn
      ldc.ldap.admin.bind.password
   If present in your on-premises configuration file, they override any values delivered via your cloud-based LDAP Directory Connector configuration. Because ldc.conf then holds the directory admin credential in clear text, restrict its file permissions to the account that runs the connector.

3.
Enhancement (DIRECTORY-2077) Configurable LDAP Group Search Object Classes
   When LDAP users are assigned to static and dynamic LDAP groups and the LDAP Directory Connector is configured to search for a user's group memberships (ldc.ldap.user.scan.groups.search.enabled=true), the following new configuration property enhances search performance:
      ldc.ldap.scan.groups.search.gc=groupofuniquenames,groupofnames,groupofurls,posixgroup
   The value is a list of LDAP group object classes used to search (filter) results for a specific user. If your environment does not use some of these group object classes, omit them from the list.
   IMPORTANT: Removing unused group object classes could significantly improve group membership search performance in your environment! For example, if only the 'groupofuniquenames' group object class is used in your environment, then set:
      ldc.ldap.scan.groups.search.gc=groupofuniquenames
   NOTE: If your environment does not use LDAP groups at all, has no need to synchronize them to OneLogin, or uses the 'memberof' attributes in LDAP user entries, then disable LDAP user/group membership scans with:
      ldc.ldap.user.scan.groups.search.enabled=false
   This could significantly increase sync performance.

2017-08-01 - Version 2.2.21-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-1816) Efficient 'memberof' Searches via LDAP User Entries
   The LDAP Directory Connector now provides the ability to read a user's 'memberof' group memberships in the same LDAP search used to retrieve other user attributes. This feature dramatically improves performance for LDAP directories that use this group mechanism. To control this feature, a new configuration option is available:
      ldc.ldap.user.memberof.search.enabled=true
   and you must also set (or the memberof search will be disabled):
      ldc.ldap.user.scan.groups.search.enabled=false

2.
Fix (DIRECTORY-1860) posixGroup Searches not Matching memberUid Attribute
   Synchronization of user groups failed for users assigned to posixGroups. The LDAP Directory Connector was attempting to match the posixGroup memberUid attribute against the user DN rather than the user uid. It now searches using the uid attribute value.

2017-07-18 - Version 2.2.20-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-1880) Add Support for LDAP Search Results Paging
   This feature adds support for "paging" through LDAP search results, which is required in some LDAP directory servers that limit search result sizes. The new feature is disabled by default, but can be enabled with configuration property:
      ldc.ldap.search.paging.enabled=true
   The "page size" can also be customized up to a value of 1000, which is the default size limit in some LDAP server environments:
      ldc.ldap.search.paging.size=1000
   NOTE: It may be necessary to reduce the page size in LDAP server environments configured with a size limit less than 1000.

2. Enhancement (DIRECTORY-1813) Mask the Installation Token in log files
   This enhancement secures logging of the installation token in log files by "masking" the value. The first and last four characters of the token are displayed and the middle characters are replaced with the asterisk '*' character. Because knowledge of the installation token could enable someone to download the associated LDAP connector configuration, masking it protects the token from anyone who sees exported log files.

3. Bug (DIRECTORY-1814) LDAP admin bind fails when password contains '&'
   When the LDAP admin password contained an ampersand character, the admin bind failed. The problem was due to the LDAP Directory API Service "HTML escaping" special characters (like & to &amp;).
   Other characters that are part of XML/HTML markup (like <, >, etc.) would also have been "HTML escaped", causing a similar problem.
   NOTE: This OneLogin platform fix will be available with the 17-28 release scheduled for Tuesday 7/19/2017.

2017-07-06 - Version 2.2.19-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug (DIRECTORY-1855) Illegal host name resolution in proxy environment
   The LDAP Directory Connector was attempting to resolve the configured OneLogin API hostname in a secure environment that does not allow direct DNS resolution of external hosts. The resulting exception caused startup of the LDAP Directory Connector to fail. The ConfigurationClient was creating Apache HttpClient instances without proxy server configuration, and those client instances were attempting to resolve the hostname for a direct connection. These HttpClient instances now use the proxy server when configured to do so.

2017-06-28 - Version 2.2.18-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-410) - HTTP Proxy and Proxy Authentication Support
   The LDAP Directory Connector now supports connecting to OneLogin servers via an outbound HTTP proxy server. The connections may either be unauthenticated or authenticated via the HTTP Basic authentication method. Because the OneLogin API and connector Event endpoints are secure ("https") using TLS, the LDAP Directory Connector HTTP client libraries use CONNECT to create an HTTP tunnel through the configured proxy server; the proxy relays the encrypted bytes and does not terminate TLS. Note that with HTTP Basic proxy authentication the proxy credentials themselves are sent base64-encoded (not encrypted) in the CONNECT request to the proxy. See ldc.conf property names starting with "ldc.proxy" for more details.

2.
Bug (DIRECTORY-1838) - Incorrect ERROR reporting on Provisioning a new User
   The LDAP Directory Connector incorrectly reported an error on provisioning from OneLogin to the LDAP directory under the following conditions:
   - All directory field mappings were outbound (owned by OneLogin)
   - The LDAP Directory Connector was configured to delete LDAP users
   - A new user was created in the OneLogin directory
   - The LDAP Directory Connector was notified of the new user via an event
   - The LDAP Directory Connector queried the new user from OneLogin
   - The LDAP Directory Connector added the new user to the LDAP directory
   - The LDAP Directory Connector updated the corresponding OneLogin user's external_id
   Because the LDAP Directory Connector did not check the success code of the last step, it believed that step had failed and issued an ERROR message. The success code is now checked for this condition and the ERROR is no longer reported.

3. Enhancement (DIRECTORY-1770) - LDAP Connection Pool reports 'Who Am I?' Exception
   This error was reported by the LDAP Directory Connector in an LDAP server environment that does not support the 'Who Am I?' extended operation. This operation was in effect because it was a default in the underlying LDAP client libraries. Use of this extended operation was removed (for portability's sake), as it was not necessary for proper LDAP connection pool management.

4. Bug (DIRECTORY-1707) - Updated OneLogin Users limited to 100
   When more than 100 OneLogin users were updated (e.g. via OneLogin user mappings), the LDAP Directory Connector was requesting only the first "page" (100) of the updated users rather than iterating through all "pages" in the updated users set. Consequently, the LDAP Directory Connector was not synchronizing state for all updated users. The connector now iterates through all pages of updated users, synchronizes its internal state and provisions (if configured) those changes to the associated LDAP directory.

5.
Enhancement (DIRECTORY-1605) - Update logback-core library based on Security Bulletin
   An internal logging library used by the LDAP Directory Connector was updated to the latest patched version because of the following security bulletin:
      http://www.cvedetails.com/cve/CVE-2017-5929/
   The connector now uses version 1.2.3 of this library; the security bulletin was reported for versions before 1.2.0.

6. Bug (DIRECTORY-266) - New Installation Token is Identical to First Installation Token
   In the Admin GUI, when an LDAP directory already had at least one LDAP Directory Connector configured, adding another connector displayed the same Installation Token as the first connector. Use of the duplicate installation token for more than one LDAP directory connector caused problems with proper connector identification, authorization and state management. The OneLogin Admin GUI now displays the correct/unique Installation Token for each registered LDAP Directory Connector.

2017-05-08 - Version 2.2.17
---------------------------------------------------------------------------------------
This is a general availability (GA) release for all customers, based on positive results from customer beta testing on version 2.2.16-beta. The enhancements and fixes in version 2.2.17 are those listed for 2.2.16-beta (below).

2017-04-22 - Version 2.2.16-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement (DIRECTORY-1527) - Support for LDAP {SHA} and {SSHA} encoded passwords
   The LDAP Directory Connector now supports a configuration property that enables site-specific hashing of user passwords on password reset and password change requests. The 'CLEARTEXT' value should be used in LDAP server environments that automatically hash clear text passwords.
   This occurs (for example) when the OpenLDAP server 'ppolicy' (password policy) overlay is installed and the configuration setting ppolicy_hash_cleartext is used. You must also take care to choose a password hashing algorithm that is supported by your LDAP server, because the LDAP server (not the LDAP connector) must verify a presented clear text password against the stored hash when authenticating users via LDAP simple bind. Configuration property:
      ldc.ldap.user.password.hash.algorithm
   may be configured with:
      CLEARTEXT - send the clear text user password to the LDAP server. The password will either be stored in clear text or automatically hashed according to LDAP server password policy settings (consult your LDAP server documentation).
      SHA       - use the 'unsalted' SHA-1 message digest algorithm. The clear text password will be hashed by the LDAP connector using SHA-1, then base64 encoded and prepended with the tag {SHA}.
      SSHA      - use the 'salted' SHA-1 message digest algorithm. 8 bytes of random salt are appended to the clear text password, the result is hashed by the LDAP connector using SHA-1, the salt is appended to the digest (so the server can recompute it), and the whole value is base64 encoded and prepended with the tag {SSHA}.
   If this property is not set, CLEARTEXT is the default value/behavior. Additional password hash algorithms may be added (based on customer demand), but environments that automatically hash clear text passwords should simply use the CLEARTEXT setting and let the LDAP server handle password hashing on reset/change password. Note that unsalted SHA-1 ({SHA}) gives no protection against precomputed-table attacks, so prefer SSHA or server-side hashing where available. See the ldc.conf file for additional details.

2. Bug (DIRECTORY-1528) - Only one User 'memberof' Group synced to OneLogin
   When using the OpenLDAP 'memberof' overlay and assigning a user to multiple 'memberof' groups, only one group membership was returned and synced to OneLogin. The code processing 'memberof' search results was fixed to properly handle all results returned.
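The {SHA} and {SSHA} encodings described for ldc.ldap.user.password.hash.algorithm, as an added example that is not OneLogin's code: it produces the three documented forms with Python's standard library and adds a verifier so a stored value can be checked the way a directory server checks a simple bind. The function names are the example's own; the 8-byte salt length follows the release notes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 8        # the release notes specify 8 bytes of random salt for SSHA
SHA1_LEN = 20       # SHA-1 digest length in bytes


def encode_sha(password: str) -> str:
    """{SHA}: unsalted SHA-1 of the UTF-8 password, base64 encoded."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: SHA-1 over password||salt, stored as base64(digest||salt).
    The salt travels inside the stored value so the server can recompute the hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def decode_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value carries no salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify(stored: str, password: str) -> bool:
    """Check a clear text password against a stored {SHA} or {SSHA} value.
    hmac.compare_digest keeps the comparison constant-time."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        digest, salt = decode_ssha(stored)
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(pw).digest())
    raise ValueError("unsupported password scheme in stored value")


def encode(password: str, algorithm: str = "CLEARTEXT") -> str:
    """Mirror the three documented settings. CLEARTEXT hands the password to the
    server unchanged so its own policy (e.g. ppolicy_hash_cleartext) hashes it."""
    algorithm = algorithm.upper()
    if algorithm == "CLEARTEXT":
        return password
    if algorithm == "SHA":
        return encode_sha(password)
    if algorithm == "SSHA":
        return encode_ssha(password)
    raise ValueError("unknown ldc.ldap.user.password.hash.algorithm: " + algorithm)


if __name__ == "__main__":
    for alg in ("CLEARTEXT", "SHA", "SSHA"):
        print(alg, "->", encode("correct horse battery staple", alg))
```

Two SSHA encodings of the same password differ because each draws a fresh salt, which is the whole point: the salt defeats precomputed tables, and storing it beside the digest is what lets the server verify a later simple bind. A {SHA} value cannot be salted after the fact, so it should only be chosen where the server cannot store {SSHA}.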
2017-04-05 - Version 2.2.15
---------------------------------------------------------------------------------------
This is a production-ready release for General Availability (GA).

1. Bug (DIRECTORY-1472) - User sync stalls on IllegalArgumentException
   This bug occurred when the LDAP Directory Connector 2.2.14 (and earlier) downloaded information about OneLogin users and a user's distinguished_name field was null or empty where the connector expected it always to be populated. The distinguished_name is required for proper association between a OneLogin user and an LDAP user. On receiving the empty distinguished_name, the LDAP Directory Connector threw an IllegalArgumentException (a Java RuntimeException), which was not caught/handled within the synchronization control loop. The affected thread terminated and consequently synchronization stalled. The LDAP Directory Connector now throws a "checked" exception for this condition, catches and reports the exception together with the corresponding OneLogin user, and continues with synchronization operations. The user with the unpopulated distinguished_name will be synchronized to OneLogin in the next LDAP directory scan/sync.

2. Enhancement (DIRECTORY-1485) - Enhanced INFO-level Logging
   The LDAP Directory Connector now logs additional INFO-level messages, which were previously only displayed as DEBUG-level messages.
   This information includes:
   + Authentication: attempting, success and failed messages (tagged with 'auth:')
   + Password Reset: attempting, success and failed messages (tagged with 'pwd-reset:')
   + Password Change: attempting, success and failed messages (tagged with 'pwd-change:')
   + User Sync: attempting, success and failed messages, tagged with:
     - sync:add              - for users added to the OneLogin directory
     - sync:update           - for users updated in the OneLogin directory
     - sync:delete           - for users deleted from the OneLogin directory
     - sync:deleteUnselected - for users deleted from the OneLogin directory because the Organizational Unit (OU) in which they reside was unselected
   + User Provisioning: attempting, success and failed messages, tagged with:
     - prov:add    - for users added to the LDAP directory
     - prov:update - for users updated in the LDAP directory
     - prov:delete - for users deleted from the LDAP directory
   Corresponding ERROR messages are also logged with additional details on errors. The newly logged messages also include timing information for each operation in milliseconds.

3. Enhancement (DIRECTORY-362) - Enhanced Authentication error status values
   On failed authentication, the LDAP Directory Connector now returns one of the following error codes:
      0 => undefined
      1 => invalid_request
      2 => invalid_credentials
      3 => unable_to_resolve_user_name
      4 => account_disabled
      5 => account_locked_out
      6 => password_expired
   Other conditions, which could not be detected, are no longer valid error response codes. This aids server-side authentication response handling, reporting and debugging.

2017-02-16 - Version 2.2.14
---------------------------------------------------------------------------------------
This is a production-ready release for General Availability (GA).

1.
Enhancement: the LDAP Directory Connector is now distributed in a directory tree with the following structure/contents:
      LDC_HOME/
         README.txt
         ReleaseNotes.txt
         bin/
            start-ldc.sh
            stop-ldc.sh
         conf/
            ldc.conf
            logback.xml
            logback-debug.xml
         libs/
            onelogin-ldc.jar

2. Enhancement: start-ldc.sh and stop-ldc.sh shell scripts are now available. These scripts are flexible, checking various environment requirements, assembling Java Virtual Machine options and other command line options, then starting the JVM as a foreground or background process.

3. Enhancement: Nearly all on-premises LDAP Directory Connector configuration settings are now located in configuration file: conf/ldc.conf. This configuration file and the online documentation contain extensive information on available configuration options. The single required command line option is: -f

4. Enhancement: Automatically Adjusted LDAP User Sift CPU Utilization
   The thread pool used to 'sift' LDAP users retrieved from the LDAP Directory Server is automatically sized to the minimum of: a) the number of available CPU cores, b) 4. This provides adequate performance (even in large LDAP directories of 1 million+ users) while limiting CPU utilization on host systems with more available cores.

5. Enhancement: Added Location for OneLogin Directories hosted in Germany (DE)
   Configuration option ldc.api.location now supports 3 options: US, EU, DE
      US - United States (default)
      EU - European Union
      DE - Germany (Deutschland)

6. Enhancement: Added Support for Graceful Stop
   The LDAP Directory Connector now uses an AdminService with an embedded HTTP web server to provide a 'graceful stop' via an authenticated HTTP request. For details, see script: LDC_HOME/bin/stop-ldc.sh

7. Enhancement: Removed Support for 'Search and Compare' Authentication
   This feature implemented a non-standard way of authenticating LDAP users and made use of configurable digest algorithms that had the potential to effectively 'reset' LDAP user passwords.
   The original intention of this feature was to provide support for more secure userPassword values via strong digest algorithms. Unfortunately, the LDAP Directory Server itself must support the strong digest algorithms in order to support standard LDAP 'simple bind' authentication, change password functionality, etc.

8. Enhancement: verbose logging flag added to ldc.conf and documented
   The flag used to enable verbose DEBUG-level logging (ldc.debug.verbose=false) was added to the default configuration file and documented in the user-level installation/configuration documentation.

9. Bug: static groups are not removed from OneLogin
   When a user was removed from static groups in an LDAP directory, that state was not synced to OneLogin. Static group membership changes in LDAP are now synchronized to OneLogin.

10. Bug: static group updates not provisioned from OneLogin to LDAP
   When LDAP connector provisioning was enabled and user assignment to groups was changed in a OneLogin directory, the updates were not provisioned to the LDAP directory. The problem was caused by an inconsistent reference to the 'member_of' field name between the LDAP connector and server-based services.

11. Bug: Selected OU tree value incompatibility between LDAP Connector versions 1 & 2
   When using the LDAP Connector v2 on a OneLogin directory previously configured and populated using LDAP Connector v1, the selected Organizational Unit (OU) tree was not correctly matched. This caused deletion of users in the OneLogin directory, as it appeared the users were 'unselected'. The LDAP Connector v2 back-end services and the LDAP connector now compare the selected OU tree in a case-insensitive manner, ensuring compatibility when upgrading from an LDAP Connector v1 environment.

12. Bug: Admin DN Password removed/hidden from DEBUG-level Logging
   When DEBUG-level logging was enabled, the LDAP connector was logging the LDAP server password to the trace log. The password is now logged as asterisk characters.

13.
Bug: stop-ldc.sh must use the Admin Service port configured in ldc.conf
   stop-ldc.sh was using a hard-coded port number for connecting to the LDAP connector Admin Service. The script now uses the port number configured in file: LDC_HOME/conf/ldc.conf

2016-12-13 - Version 2.2.11
---------------------------------------------------------------------------------------
This is a limited production-ready release for selected customers.

1. Bug Fix: Change Password Failed with ChangePasswordException: invalid Java enum
   On an attempted 'change password', when an exception was thrown, the connector attempted to set the 'reason' code to the value of the 'status' code enum value. This resulted in an illegal enum value and a corresponding ChangePasswordException.

2016-11-27 - Version 2.2.10
---------------------------------------------------------------------------------------
This is a limited production-ready release for selected customers.

1. Bug Fix: Cancel User Sync/Provisioning Tasks Requiring Complete LDAP User Search
   When an LDAP search exception occurred during the LDAP directory sift, the current sync/provisioning pass did not cancel user synchronization and provisioning operations that require a complete list of LDAP users. This resulted in (or could have resulted in) the following problems:
   a) Deletion of the OneLogin users who were NOT returned from the incomplete LDAP search.
   b) If provisioning was enabled: attempted addition of LDAP users from the existing OneLogin users.
   The connector now detects incomplete LDAP searches (user and group) and discontinues sifting LDAP users. Any existing users already queued for sync/provisioning are processed.

2. Enhancement: Reduced CPU Utilization
   Performance analysis showed that threads processing the LDAP search of all selected LDAP users were using more CPU resources than desired. The associated thread pool was reduced from 10 to 5, and benchmarks show reduced CPU utilization with only marginally reduced user sift throughput.

3.
Enhancement: Disable LDAP Groups Search (Configurable)
   For deployments that DO NOT assign LDAP users to LDAP groups, disabling the LDAP groups search can significantly improve performance. This is because a separate LDAP groups search must be performed for each LDAP user. By default, the LDAP groups assigned to a user are searched. The following command line option can be used to disable group searches:
      -Dldap.user.scan.groups.search.enabled=false
   NOTE: this value must be placed BEFORE the -jar command line option. The following information is currently logged for this option:
      INFO - LDAP User groups search enabled
   or
      INFO - LDAP User groups search disabled

4. Enhancement: Added Synchronization Retry/Circuit Breaker
   The workers that process LDAP user search results retry twice on LDAP errors, then exit. This reduces excessive attempts to complete the LDAP sift work, including attempted (and failed) creation of new connections to an LDAP directory that may be offline. The connector will continue to attempt reconnection to the LDAP directory on each periodic synchronization pass, but only limited exceptions are logged for those attempts.

5. Enhancement: Improved Operational and Progress Logging
   Key log messages related to core LDAP connector operations and progress were moved from the DEBUG level to the INFO level. The additional INFO-level messages provide much more detail on current LDAP connector state, operations and progress toward processing queued work.

6. Enhancement: Java Runtime version 1.8 (or greater) Required
   The connector now requires Java version 1.8 (or greater) and will fail to load (with a ClassFormatError, specifically java.lang.UnsupportedClassVersionError) on attempts to run in a Java 1.7 (or earlier) environment.
   NOTE: a version check and explicit ERROR message will be added to the LDAP connector 'start' script when the script is added to the connector distribution.
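The two failure modes above, as an added example that is not OneLogin's code: the 2.2.10 fix (an LDAP search that dies part-way through must not turn the users it never returned into deletions) and the 2.3.3-beta ENT-187 fix (a user-state page that does not come back with HTTP 200 is retried up to three times, and if the download still fails the cached state is dropped and the pass is cancelled). The data structures, function names and sample entries are all the example's own construction; DNs are compared case-insensitively as the 2.2.14 OU fix requires.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Attrs = Dict[str, str]


class LdapSearchError(Exception):
    """Stands in for an LDAP search failure (timeout, size limit, lost connection)."""


def sift_ldap_users(pages: Iterable[List[dict]]) -> Tuple[Dict[str, Attrs], bool]:
    """Consume paged LDAP results into {dn_lowercase: attrs}.
    Returns (users, complete); a page that raises ends the sift with complete=False
    instead of propagating, so the caller can still process what was queued."""
    users: Dict[str, Attrs] = {}
    try:
        for page in pages:
            for entry in page:
                users[entry["dn"].lower()] = entry["attrs"]   # DNs match case-insensitively
    except LdapSearchError:
        return users, False
    return users, True


def download_user_state(fetch_page: Callable[[int], Tuple[int, List[dict]]],
                        page_count: int, retries: int = 3) -> Optional[Dict[str, Attrs]]:
    """Download every page of OneLogin user state, retrying a page up to `retries`
    times unless HTTP 200 comes back. Returns None when a page never succeeds: the
    caller must then discard any cached state and cancel the sync pass."""
    state: Dict[str, Attrs] = {}
    for page_no in range(page_count):
        for _attempt in range(retries):
            status, body = fetch_page(page_no)
            if status == 200:
                for user in body:
                    state[user["distinguished_name"].lower()] = user["attrs"]
                break
        else:
            return None
    return state


@dataclass
class SyncPlan:
    add: List[str] = field(default_factory=list)
    update: List[str] = field(default_factory=list)
    delete: List[str] = field(default_factory=list)
    deletes_withheld: bool = False


def plan_sync(ldap_users: Dict[str, Attrs], ldap_complete: bool,
              onelogin_users: Optional[Dict[str, Attrs]]) -> Optional[SyncPlan]:
    """Adds and updates only need the users actually seen; deletes need proof that a
    user is absent from LDAP, which an incomplete search cannot give."""
    if onelogin_users is None:
        return None                       # state download failed: cancel the whole pass
    plan = SyncPlan(deletes_withheld=not ldap_complete)
    for dn, attrs in ldap_users.items():
        if dn not in onelogin_users:
            plan.add.append(dn)
        elif onelogin_users[dn] != attrs:
            plan.update.append(dn)
    if ldap_complete:
        plan.delete = [dn for dn in onelogin_users if dn not in ldap_users]
    return plan


# ---- constructed sample data (not from any real directory) ----
PAGE_1 = [{"dn": "uid=alice,ou=People,dc=example,dc=com", "attrs": {"mail": "alice@example.com"}},
          {"dn": "uid=bob,ou=People,dc=example,dc=com",   "attrs": {"mail": "bob@example.com"}}]
PAGE_2 = [{"dn": "uid=carol,ou=People,dc=example,dc=com", "attrs": {"mail": "carol@example.com"}}]
ONELOGIN = {"uid=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com"},
            "uid=carol,ou=people,dc=example,dc=com": {"mail": "old@example.com"},
            "uid=dave,ou=people,dc=example,dc=com":  {"mail": "dave@example.com"}}


def ldap_pages(fail_before_page: Optional[int] = None):
    """Generator standing in for a paged LDAP search; raises before the given page."""
    for i, page in enumerate((PAGE_1, PAGE_2)):
        if fail_before_page is not None and i == fail_before_page:
            raise LdapSearchError("size limit exceeded")
        yield page


def run_pass(fail_before_page: Optional[int] = None) -> Optional[SyncPlan]:
    users, complete = sift_ldap_users(ldap_pages(fail_before_page))
    return plan_sync(users, complete, ONELOGIN)


if __name__ == "__main__":
    print("complete search: ", run_pass())
    print("truncated search:", run_pass(fail_before_page=1))
```

With the full result set the plan adds bob, updates carol and deletes dave; when the second page fails, bob is still added but carol (never seen) is not touched and dave is not deleted, and the plan says so explicitly so the operator can see that deletions were withheld rather than silently skipped.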
2016-10-19 - Version 2.2.9
---------------------------------------------------------------------------------------
This is a limited production-ready release for selected customers.

1. Bug Fix: Encode non-ASCII characters in JSON String representations
   User data containing non-ASCII characters (like umlauts) failed to import to a OneLogin directory from an LDAP directory due to lexical errors reported by the OneLogin LDAP connector service. User String data in JSON representations is now encoded in UTF-8 Unicode escape format for safe network transport to/from the LDAP connector service.

2. Enhancement: LDAP Connection Pool used for scan supports config property overrides
   The LDAP connection pool used for sync/scan operations now supports overriding configuration properties via system property settings on the command line. For example, the command line property:
      -Dsync.ldap.pool.responseTimeout=30000
   may be used to set the LDAP connection pool response timeout to 30 seconds (30,000 milliseconds).
   NOTE: this value has a valid range of 5000 to 60000.
   NOTE: -D command line properties must be added BEFORE the -jar flag.

3. Enhancement: Custom LDAP User Scan Inclusion Filter
   A custom LDAP search filter is now supported for including (or excluding) LDAP User entries for directory synchronization. The filter is appended to the default LDAP search filter using a 'logical AND' condition; whether the filter matches or does not match a given user entry causes that entry to be included in or excluded from the LDAP scan results. For example, the command line property:
      -Dldap.user.scan.inclusion.filter='(!(mail=*@example.com))'
   causes the default LDAP user search filter to append (using logical AND) a new LDAP filter that excludes users with a mail attribute ending with '@example.com'.
   NOTE: this value should be enclosed in single quotes in Linux/Unix/Mac OS X environments so the characters in the LDAP search filter are not interpreted by the shell.
   NOTE: -D command line properties must be added BEFORE the -jar flag.

2016-09-17 - Version 2.2.8
---------------------------------------------------------------------------------------
This is a limited production-ready release for selected customers.

1. Bug Fix: Preserve LDAP attribute name case when sending to OneLogin
   Though LDAP attribute names are case-insensitive, the OneLogin LDAP v2 API back end performs multiple case-sensitive field name matches to apply User mappings. To ensure proper field name matching, the LDAP connector now sends LDAP attribute names in the case in which they are provided by the LDAP directory server. For example: telephoneNumber, rather than telephonenumber.

2016-09-01 - Version 2.2.7
---------------------------------------------------------------------------------------
This is a limited production-ready release for selected customers.

1. Enhancements: Primary Connector Demote and Standby Connector Promote
   The LDAP Connector now supports a degree of fault tolerance via a manual Promote/Demote mechanism. With multiple LDAP Connectors configured for a given LDAP directory, one connector is designated the 'Primary' connector and the others are designated 'Standby' connectors. An administrator may (via the OneLogin portal GUI) select the 'Activate' button for a 'Standby' connector. The current 'Primary' connector receives a 'demote' command and transitions to the 'Standby' state. The selected 'Standby' connector receives a 'promote' command and transitions to the 'Primary' state.
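Three points from the 2.2.9 and 2.2.8 entries above are worth seeing together in code: how an inclusion filter is ANDed onto the default user filter (2.2.9, item 3), why attribute names must be looked up case-insensitively but passed on in the case the directory supplied (2.2.8, item 1), and what "Unicode escape format" JSON looks like on the wire (2.2.9, item 1). The following is an added example, not the connector's code: DEFAULT_USER_FILTER, the sample entries and all function names are assumptions, and the filter matcher is a minimal one (equality, presence, '*' wildcards, &, |, !) that does not handle RFC 4515 escaping.

```python
"""Composing the user scan filter, evaluating it, and preserving attribute-name case.

Added example covering release 2.2.9 (items 1 and 3) and release 2.2.8 (item 1);
not the connector's own code. DEFAULT_USER_FILTER and SAMPLE_ENTRIES are assumed.
"""
import fnmatch
import json
from typing import Dict, List, Optional, Tuple

DEFAULT_USER_FILTER = "(objectClass=inetOrgPerson)"  # assumed default, not the connector's

Entry = Dict[str, List[str]]


def compose_filter(default: str, inclusion: Optional[str]) -> str:
    """Append the custom inclusion filter to the default filter with logical AND."""
    if not inclusion:
        return default
    return f"(&{default}{inclusion})"


def _expect_close(s: str, i: int) -> int:
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parse of a parenthesised filter starting at s[i].
    Toy parser: values containing ')' would need RFC 4515 escaping."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), _expect_close(s, i)
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(s: str) -> tuple:
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _lookup(entry: Entry, attr: str) -> List[str]:
    """LDAP attribute names are case-insensitive, so compare folded copies, but
    never rewrite the key the directory supplied (the 2.2.8 fix relies on it)."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = _lookup(entry, attr)
    if pattern == "*":                       # presence filter
        return bool(values)
    # Case-insensitive value match with '*' wildcards (caseIgnore-style).
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def scan(entries: List[Entry], inclusion: Optional[str]) -> List[Entry]:
    """Return the entries selected by the effective (default AND inclusion) filter."""
    tree = parse_filter(compose_filter(DEFAULT_USER_FILTER, inclusion))
    return [e for e in entries if matches(tree, e)]


def to_wire_json(entry: Entry) -> str:
    """Transport form: keys keep their original case ('telephoneNumber') and
    non-ASCII text becomes \\uXXXX escapes, so the payload is pure ASCII."""
    return json.dumps(entry, ensure_ascii=True)


SAMPLE_ENTRIES: List[Entry] = [  # constructed sample directory entries
    {"objectClass": ["inetOrgPerson"], "uid": ["jmueller"],
     "mail": ["j.mueller@corp.example"], "telephoneNumber": ["+49 30 1234"],
     "displayName": ["Jörg Müller"]},
    {"objectClass": ["inetOrgPerson"], "uid": ["svc-backup"],
     "mail": ["svc-backup@example.com"]},
    {"objectClass": ["groupOfNames"], "cn": ["admins"]},
]

if __name__ == "__main__":
    print(compose_filter(DEFAULT_USER_FILTER, "(!(mail=*@example.com))"))
    for e in scan(SAMPLE_ENTRIES, "(!(mail=*@example.com))"):
        print(to_wire_json(e))
```

Note that matching on `attr.lower()` is what makes `(MAIL=...)` and `(mail=...)` equivalent, while the serialized entry still carries `telephoneNumber` exactly as the directory returned it; lower-casing the key at that point is the bug 2.2.8 fixed.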
   In Primary state, an LDAP Connector:
   a) Performs configured directory synchronization
   b) Handles delegated authentication requests
   c) Handles delegated password reset requests
   d) Handles delegated change password requests
   In Standby state, an LDAP Connector:
   a) Handles delegated authentication requests
   Authentication requests are load balanced across the LDAP connector pool and will fail over to another LDAP connector in the pool if an authentication response is not returned within 250 ms.

2. Partial Bug Fix: Notification of LDAP Connector on Add/Update OneLogin User
   Prior to release 2.2.7, the LDAP Connector was not consistently notified when a user was:
   a) Added to OneLogin and assigned to the LDAP directory
   b) Updated in OneLogin
   This condition occurred:
   a) When the configuration included a User mapping.
   b) Intermittently, based on timing.
   The LDAP Connector now receives at least one valid notification of the updated user(s), but also erroneously receives a second notification which has no users associated with it. Because the LDAP Connector receives the notification it needs to keep its internal state, it can operate correctly. The extra 'update_users' command introduces an inefficiency (which will be fixed), but is otherwise harmless.

3. Known Issue: Set User Account Status Incomplete
   Support for setting user account status is incomplete because the mechanism needed to support this feature for LDAP must be added to the OneLogin server platform. Unlike the Active Directory environment, which synchronizes the user account state via a single synchronized field value, LDAP has no single account status field to synchronize. In addition, the location where this state is persisted must be changed to decouple handling for LDAP and Active Directory users. Significant design enhancements are required to resolve this issue, and multiple possible approaches are under evaluation.
   We don't have an anticipated date for resolution of this issue yet, as all solutions proposed so far could have undesirable consequences for some existing customers using other connectors (including the Active Directory Connector).

4. Known Issue: Standby LDAP Connector does not Receive Reloaded Configuration
   Presently, only the configured 'Primary' LDAP Connector receives the updated configuration settings when they are changed in the OneLogin admin GUI. This poses a problem for 'Standby' LDAP Connector instances if the LDAP Server configuration settings change. The current workaround is to reload the current LDAP Connector Configuration whenever a connector receives the 'promote' or 'demote' command. This issue will be resolved in an upcoming release.

2016-08-20 - Version 2.2.6-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancements: Full Bi-Directional User Synchronization Support (with Exceptions)
   The LDAP Connector now supports user account synchronization:
   A) From the LDAP Directory to the OneLogin directory
   B) From the OneLogin Directory to the LDAP directory
   This includes user account adds, updates, and deletes, depending on the current field mapping configuration, the provisioning enabled/disabled setting, and the LDAP Connector -delete command line flag setting.
   The exception to synchronization support is: when the LDAP Connector is running and a User is added or updated in the OneLogin directory via the Admin Portal GUI or public 'users' API, the OneLogin platform is not currently sending notification of the updates to the LDAP Connector. In the case when mappings are applied to users on update/create, the notifications are not generated/sent at all.
   In the case when mappings are not applied, the user update is detected by the OneLogin platform and the LDAP Connector is notified, but the referenced user updates are not available when the LDAP Connector requests them. The net result is that provisioning from OneLogin to LDAP does not work reliably in the incremental case: when the LDAP connector is running and users are created or updated in the OneLogin directory via the GUI or public 'users' API. Provisioning from OneLogin to LDAP does work fully when the LDAP Connector is first started (and detects the necessary updates) and when 'Synchronize Users' is selected in the GUI. These issues are expected to be resolved by OneLogin platform changes in the 8/23/2016 Enhancement Release.

2. Known Issue: Set User Account Status Incomplete
   Support for setting user account status is incomplete because the mechanism needed to support this feature for LDAP must be added to the OneLogin server platform. Unlike the Active Directory environment, which synchronizes the user account state via a single synchronized field value, LDAP has no single account status field to synchronize. In addition, the location where this state is persisted must be changed to decouple handling for LDAP and Active Directory users. This issue is expected to be resolved by OneLogin platform changes in the 8/23/2016 Enhancement Release.

3. Upcoming support: Active/Standby Connector Support with Failover
   Implementation of this feature is starting and will be delivered with the 'Priority 4' release.

2016-08-08 - Version 2.2.5-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug Fix: LDAP uuid attribute not assigned to username field in authentication service
   The uuid attribute was not assigned to an internal LDAP Connector field needed for successful authentication.
   The result was failed authentication and an exception reported in the LDAP Connector log file: 'Invalid getUser request: null field user'. The internal LDAP Connector variable is now populated and test users successfully authenticate using LDAP bind.

2016-08-04 - Version 2.2.4-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug Fix: LDAP uid attribute not synched to OneLogin when uid is username field
   When creating a new OneLogin user from a new LDAP user, the connector was populating the user's 'external_id' field with the configured LDAP 'uuidattribute' value (the uid), but was not also adding the 'uid' attribute name/value to the user. This problem manifested as a OneLogin user without a populated username field, and consequently the user could not authenticate.

2016-08-04 - Version 2.2.3-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Enhancement: Provisioning from OneLogin to LDAP
   The LDAP Connector now supports limited LDAP 'Provisioning', which is synchronization of user account data from a OneLogin directory to an LDAP directory. This feature is available when:
   1) Provisioning is enabled via the connector configuration setting: Advanced/Exporting Users/Provisioning Enabled, and
   2) At least one 'outbound' field (owned by the OneLogin directory) is configured.
   When enabled, users created or updated in the OneLogin Directory via the GUI or public API and properly mapped to the LDAP directory are synchronized to the LDAP directory.

2. Enhancement: Lock/Unlock User Account
   The LDAP Connector now supports synchronization of the User account status (locked/unlocked) from OneLogin to the LDAP Directory associated with the connector. This feature uses the LDAP 'password policy' functionality, which must be installed/configured in the LDAP server environment.
   For OpenLDAP servers, this corresponds to the 'ppolicy' overlay and associated schema entries.

2016-07-30 - Version 2.2.2-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug Fix: UnboundIdLdapAuthClient now uses bindAndRevertAuthentication instead of the normal bind() when attempting user authentication via LDAP bind. This ensures that the LDAPConnection object used in the underlying connection pool is rebound as the admin user before it is returned to the pool. The previous behaviour appeared to cause errors and instability in a customer's LDAP server, reportedly crashing the server.

2. Bug Fix: The client was using the incorrect version format for API calls, using a colon delimiter (e.g. 2:2:1) rather than the correct period character (e.g. 2.2.1).

3. Work-around: The LDAP Connector was reporting a NumberFormatException on createUser because the API back end does not return the newly created user's OneLogin ID under some conditions. Known conditions include trying to create a user without an email address when the email address field is configured as the connector's authentication field. The connector now traps the condition, logs it as a warning, tells the administrator to populate the User's authentication field, and converts the returned response to HTTP status 424 (Failed Dependency).

4. Enhancement: Added more INFO and DEBUG logging for authentication handling to show not only SUCCESS and FAILURE, but also the FAILURE reason and messages. This enables easier validation of LDAP Connector operation for authentication cases.

2016-07-29 - Version 2.2.1-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

1. Bug Fix: JSON parsing issue when adding a User with a OneLogin id. The JSON parser now checks the value for null before attempting to parse it to an Integer.

2. Bug Fix: Change Password fails when the password hashing algorithm is changed to 'ClearText'. The LDAP Connector was incorrectly testing a request condition against an enum value from the wrong class.

3. Bug Fix: NullPointerException from LDAP ConnectionPool on invalid LDAP login configuration. The exception was thrown when recursively logging the exception cause and has now been fixed.

4. Build Fix: the ldapConnector.jar file did not contain the correct release number. The release number is displayed with the jar file name in exception stack traces. The version number in the build environment was updated.

2016-07-28 - Version 2.2.0-beta
---------------------------------------------------------------------------------------
This is a limited beta release for selected customers.

Version 2.2.0-beta is a complete refactoring of the LDAP v2 Connector to improve stability, performance and functionality. This release provides the following partial functionality:

1. Configuration and Control
   Supported:
   - Triggering Configuration Reloading via edits in OneLogin Admin Portal
   - Triggering 'Synchronize Users' via command in OneLogin Admin Portal
   Not Supported:
   - Promote/Demote control

2. User Synchronization
   Supported:
   - Adding Users from LDAP to OneLogin
   - Updating Users from LDAP to OneLogin
   Not Supported:
   - Deleting Users in OneLogin (based on deleted Users in LDAP)
   - Provisioning Users from OneLogin to LDAP
   - Deleting Users in LDAP (based on deleted Users in OneLogin)

3. Authentication and Account Control
   Supported:
   - Delegated user authentication (from OneLogin to LDAP)
   - Delegated user password reset
   - Delegated user 'change password'
   - Configuration of password digest algorithm
   Not Supported:
   - Delegated change user status (API support needed)

4. Monitoring/Reporting
   Not Supported:
   - Status Report Request
   - Remote Set Log Level
   - Health Check Requests
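The fix in release 2.2.2-beta, item 1 (bindAndRevertAuthentication instead of a plain bind() on a pooled connection) is about identity hygiene: a pooled connection that authenticated an end user and was returned to the pool still carries that user's authorization, so the next caller's searches or modifies run as the wrong identity. The following added example models that invariant in a small in-memory pool. It is not the connector's code and not the UnboundID SDK; LDAPConnection, ConnectionPool, ADMIN_DN and the directory contents are all constructed for illustration.

```python
"""Re-binding a pooled LDAP connection to the service identity after a user bind.

Added example for release 2.2.2-beta, item 1; a model, not the connector's code
or the UnboundID SDK. bind_without_revert() shows the pre-fix state leak,
bind_and_revert() the fixed behaviour.
"""
from collections import deque
from typing import Deque, Dict, List, Optional

# Constructed directory: DN -> password. ADMIN_DN is the identity the pool is
# created with and the one every non-authentication operation must run as.
ADMIN_DN = "cn=ldc-service,dc=example,dc=org"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY: Dict[str, str] = {
    ADMIN_DN: "service-secret",
    ALICE_DN: "alice-pw",
}


class LDAPConnection:
    def __init__(self) -> None:
        self.bound_as: Optional[str] = None   # current authorization identity
        self.binds = 0                        # bind operations sent to the server

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: success makes `dn` the authorization identity; a failed
        bind leaves the connection anonymous, as an LDAP server would."""
        self.binds += 1
        if DIRECTORY.get(dn) == password:
            self.bound_as = dn
            return True
        self.bound_as = None
        return False


class ConnectionPool:
    def __init__(self, size: int) -> None:
        self._idle: Deque[LDAPConnection] = deque()
        for _ in range(size):
            conn = LDAPConnection()
            conn.bind(ADMIN_DN, DIRECTORY[ADMIN_DN])
            self._idle.append(conn)

    def checkout(self) -> LDAPConnection:
        return self._idle.popleft()

    def release(self, conn: LDAPConnection) -> None:
        self._idle.append(conn)

    def bind_without_revert(self, dn: str, password: str) -> bool:
        """Pre-fix behaviour: whoever authenticated last owns the connection
        the next caller checks out."""
        conn = self.checkout()
        try:
            return conn.bind(dn, password)
        finally:
            self.release(conn)

    def bind_and_revert(self, dn: str, password: str) -> bool:
        """Fixed behaviour: authenticate `dn`, then re-bind as the admin before
        the connection goes back to the pool, whatever the outcome."""
        conn = self.checkout()
        try:
            return conn.bind(dn, password)
        finally:
            conn.bind(ADMIN_DN, DIRECTORY[ADMIN_DN])
            self.release(conn)

    def idle_identities(self) -> List[Optional[str]]:
        """Who the idle connections are currently bound as."""
        return [c.bound_as for c in self._idle]


if __name__ == "__main__":
    leaky = ConnectionPool(1)
    leaky.bind_without_revert(ALICE_DN, "alice-pw")
    print("without revert:", leaky.idle_identities())   # alice's identity leaked
    fixed = ConnectionPool(1)
    fixed.bind_and_revert(ALICE_DN, "alice-pw")
    print("with revert:   ", fixed.idle_identities())   # back to the service DN
```

The revert bind runs in the `finally` block on purpose: a failed user bind leaves the connection anonymous, which is just as wrong for the next pooled operation as leaving it bound as the user.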