What's New in OpenDJ

OpenDJ 2.5.0 brings you the latest features such as:

- Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)
- Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted
- Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats
- Optimistic concurrency control through ETag attributes
- Synchronization of Samba and OpenDJ passwords

Compared to the OpenDJ release, OpenDJ fixes a number of issues.

OpenDJ provides the following new features.

TODO: Bring this list up to date post OpenDJ 2.5.0-Xpress1.

- OpenDJ now provides RESTful access to directory data (OPENDJ-687, OPENDJ-688).
- OpenDJ now sets isMemberOf on groups as well as user entries (OPENDJ-513).
- Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508).
- OpenDJ now includes attribute syntax validation for X.509 certificate values (OPENDJ-482).
- The OpenDJ rebuild-index command now provides an option, , to forcefully clear the state of an unused index for a newly created attribute (OPENDJ-473).
- Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469).
- The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446).
- OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441).
- OpenDJ now logs only fatal errors, severe errors, warnings, and notices at startup time (OPENDJ-438).
- OpenDJ now lets you set up the server in command-line mode without creating a default backend (OPENDJ-435).
- OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418).
- OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409).
- OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406).
- OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393).
- OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).
- OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372).
- OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371).
- More OpenDJ tools now prompt for a bind password when none is provided (OPENDJ-358).
- OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352).
- OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308).
- The OpenDJ dictionary password validator can now check whether a password value contains dictionary words as substrings (OPENDJ-295).
- OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).
- OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).
- OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass-through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service.
  If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.

  For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.

  - Both the OpenDJ entry and the remote entry have the same DN.
  - The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.
  - The OpenDJ entry and the remote entry share an attribute that has exactly the same value.

  If user entries do not match originally, you can add an attribute to users' OpenDJ entries when configuring them to use pass-through authentication.

  To configure PTA, you set up an LDAP pass-through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details.
- OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).
- Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250).
- OpenDJ now calls Account Status Notification Handlers when an account is enabled or disabled by the manage-account command (OPENDJ-248).
- OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).
- OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.
- OpenDJ now supports checking that entries of new group members exist (OPENDJ-221).
- OpenDJ now better supports more, and larger, static groups (OPENDJ-197).
- Change log content and configuration have been improved in this release (OPENDJ-194).
- Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).
- The character set password validator now supports optional character sets (OPENDJ-168).
- Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).
- OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).
- OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).
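
The three ways of matching entries listed for pass-through authentication (OPENDJ-262) can be modeled as below, including the case where a shared attribute value is not unique on the remote side. This is an added example, not OpenDJ code: the mode names, the remoteDN attribute and the directory contents are constructed for illustration, and DNs are compared as plain strings.

```python
# Added illustration, not OpenDJ code. Mode names, the "remoteDN" attribute
# and all directory data below are constructed for this example.

# Constructed remote directory: DN -> (attributes, password)
REMOTE = {
    "uid=kvaughan,ou=People,dc=example,dc=com": ({}, "bribery"),
    "cn=Babs Jensen,cn=Users,dc=ad,dc=example,dc=com":
        ({"mail": "bjensen@example.com"}, "hifalutin"),
    "cn=Sam Carter,cn=Users,dc=ad,dc=example,dc=com":
        ({"mail": "helpdesk@example.com"}, "sprain"),
    "cn=Help Desk,cn=Users,dc=ad,dc=example,dc=com":
        ({"mail": "helpdesk@example.com"}, "ticket"),
}

def remote_bind(dn, password):
    """Stand-in for the simple bind replayed against the remote service."""
    entry = REMOTE.get(dn)
    return entry is not None and entry[1] == password

def resolve_remote_dn(local_dn, local_attrs, mode, attr=None):
    """Map a local entry to its remote DN, or None if there is no safe match."""
    if mode == "same-dn":            # both entries have the same DN
        return local_dn
    if mode == "dn-attribute":       # local attribute holds the remote DN
        return local_attrs.get(attr)
    if mode == "shared-attribute":   # both entries share an identical value
        value = local_attrs.get(attr)
        if value is None:
            return None
        hits = [dn for dn, (attrs, _) in REMOTE.items()
                if attrs.get(attr) == value]
        # Refuse ambiguous matches: a non-unique value must not select
        # whichever entry happens to come first.
        return hits[0] if len(hits) == 1 else None
    raise ValueError("unknown mode: " + mode)

def pta_bind(local_dn, local_attrs, password, mode, attr=None):
    """Return True only if the replayed bind succeeds on the matched entry."""
    if not password:
        # An LDAP simple bind with an empty password is an unauthenticated
        # bind (RFC 4513) and proves nothing about the user.
        return False
    remote_dn = resolve_remote_dn(local_dn, local_attrs, mode, attr)
    return remote_dn is not None and remote_bind(remote_dn, password)
```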