What's New in OpenDJ
OpenDJ ${docTargetVersion} is a maintenance release
that resolves a number of issues,
including security issues in OpenDJ directory server.
It is strongly recommended that you update
to this release to make your deployment more secure,
and to take advantage of important functional fixes.
ForgeRock customers can contact support for help and further information.
Before you install OpenDJ or update your existing OpenDJ installation,
read these release notes. Then update or install OpenDJ.
Security Advisory
A security vulnerability has been discovered in OpenDJ.
This issue is present in all versions of OpenDJ
including 2.6.x, 2.5.0-Xpress1, 2.4.x, and possibly previous versions.
A security advisory has been issued to provide guidance on
how to ensure your deployments can be secured.
Workarounds or patches are available for the issue,
with fixes included in OpenDJ 2.6.3.
The severity of the issue in the advisory is High.
Deployers should take immediate steps as outlined in the advisory
and apply the relevant update at the earliest opportunity.
The recommendation is to deploy the relevant patch
or to upgrade to OpenDJ 2.6.3.
Customers without existing patches can obtain the relevant patch from
BackStage.
Customers with deployed patches should contact the support organization
to obtain a combo patch.
The fix is also present in the community "trunk" nightly builds.
The following security fix has been included in this release:
Issue #201504-01:
Proxied Authorization may allow unexpected escalation
of privileges and access.
When a user has been granted the privilege to proxy requests
and use the Proxied Authorization control,
it is not possible to control who that user can impersonate.
It is thus possible to impersonate "cn=Directory Manager"
and bypass all access controls.
Severity: High
For more information, see
OpenDJ Security Advisory #201504.
Product Enhancements
Compared to the OpenDJ ${stableServerVersion} release,
OpenDJ ${docTargetVersion} provides these important enhancements.
OpenDJ ${docTargetVersion} includes no new enhancements
beyond those included in OpenDJ 2.6.2.
The following improvement is new in OpenDJ 2.6.2.
OpenDJ server can now bind to a local address
when making outgoing connections
(OPENDJ-1565).
This improvement introduces a new configuration attribute,
source-address,
that you can set for Replication Domains, Replication Servers,
and LDAP Pass Through Authentication Policies.
If the source-address property is set to an IP address,
OpenDJ binds to the address before connecting to the remote server.
The address must be one assigned to an existing network interface.
The following improvements are new in OpenDJ 2.6.1.
OpenDJ directory server ships with updated Commons REST,
OpenDJ LDAP SDK, and Berkeley DB Java Edition components
(OPENDJ-1323).
OpenDJ directory server now makes it possible
to specify password validators in subentry based password policies
(OPENDJ-1295).
To configure password validators for a subentry password policy,
add the auxiliary object class pwdValidatorPolicy
and set the multi-valued attribute,
ds-cfg-password-validator,
to the DNs of the password validator configuration entries.
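A subentry password policy of the kind described above, shown as an added example that is not taken from the OpenDJ documentation. The base DN dc=example,dc=com, the ou=people subtree, the policy name, and the two validator DNs are assumptions; the validator entries must already exist under cn=Password Validators,cn=config.

```ldif
# Added example: subentry password policy that references server-side
# password validators (names and DNs below are assumptions).
dn: cn=Validated Subentry Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
# Auxiliary class that allows ds-cfg-password-validator on the subentry
objectClass: pwdValidatorPolicy
cn: Validated Subentry Policy
pwdAttribute: userPassword
# One value per validator; each value is the DN of a validator
# configuration entry in the server configuration.
ds-cfg-password-validator: cn=Length-Based Password Validator,cn=Password Validators,cn=config
ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
# Scope of the policy: entries under ou=people below the subentry's parent
subtreeSpecification: { base "ou=people" }
```

Because the attribute holds DNs rather than validator settings, changes to a validator's configuration entry apply to every subentry policy that references it.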
OpenDJ directory server now orders attributes
according to search request attribute list order
(OPENDJ-1082).
OpenDJ directory server logs information to help you more effectively
determine why a directory server replica switches its connection
to a different replication server
(OPENDJ-1053).
The REST LDAP Gateway now supports LDAPS connections and StartTLS
(OPENDJ-1033).
For information on configuring the gateway to use LDAPS or StartTLS,
see the comments in the configuration file,
opendj-rest2ldap-servlet.json.
Find the settings to change in the configuration for
"ldapConnectionFactories".
OpenDJ Documentation
You can read the following additional product documentation
for OpenDJ 2.6 online at ForgeRock
BackStage.
OpenDJ ${stableServerVersion} Installation Guide
OpenDJ ${stableServerVersion} Administration Guide
OpenDJ ${stableServerVersion} Configuration Reference
OpenDJ ${stableServerVersion} Developer's Guide
OpenDJ ${stableServerVersion} LDAP SDK API Specification
OpenDJ ${stableServerVersion} Server Plugin API Specification