Compared to the OpenDJ release, OpenDJ provides the following new features. OpenDJ now lets you use more TLS cipher suites in SSFs, including those provided by Bouncy Castle and IBM (OPENDJ-826). OpenDJ now provides native RESTful access over HTTP to directory data (OPENDJ-808). See the procedure, To Set Up REST Access to OpenDJ Directory Server, to activate this feature. OpenDJ REST LDAP gateway lets clients access directory data in remote LDAP servers over HTTP (OPENDJ-757). See the procedure, To Install OpenDJ REST LDAP Gateway, to get started. OpenDJ now lets you escape characters in make-ldif templates (OPENDJ-800). Persistent connections can now be identified when querying cn=monitor for the LDAP client connection handler. (OPENDJ-677). OpenDJ now runs more reliably as a Windows Service (OPENDJ-617). Country String syntax now validates ISO 3166 codes (OPENDJ-562). OpenDJ now sets isMemberOf on groups as well as user entries (OPENDJ-513). OpenDJ now supports the PBKDF2 password storage scheme (OPENDJ-510). Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508). OpenDJ now includes attribute syntax validation for X.509 certificate values (OPENDJ-482). The OpenDJ rebuild-index command now provides an option, --clearDegradedState, to forcefully clear the state of an unused index for a newly created attribute (OPENDJ-473). Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469). The OpenDJ upgrade process and upgrade command have changed to facilitate native packaging on more platforms and to make upgrade easier to handle over time (OPENDJ-455). Also, you can now force OpenDJ upgrade to complete if errors occur in non-interactive mode (OPENDJ-522). See Upgrading to OpenDJ for instructions. The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446). OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441). OpenDJ now logs only fatal errors, severe errors, warnings, and notices at startup time (OPENDJ-438). OpenDJ now lets you setup the server in command-line mode without creating a default backend (OPENDJ-435). OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418). OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409). OpenDJ now provides Debian and RPM packages (OPENDJ-408). OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406). OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393). OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383). OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383). OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372). OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371, OPENDJ-662). More OpenDJ tools now prompt for a bind password when none is provided (OPENDJ-358). OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352). OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308). The OpenDJ dictionary password validator can now check whether a password value contains dictionary words as substrings (OPENDJ-295). OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283). OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269). OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ. For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways. Both the OpenDJ entry and the remote entry have the same DN. The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service. The OpenDJ entry and the remote entry share an attribute that has exactly the same value. If user entries do not match originally, you can no doubt add an attribute to users' OpenDJ entries when configuring them to use pass through authentication. To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details. OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258). Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250). OpenDJ now calls Account Status Notification Handlers when an account in enabled or disabled by the manage-account (OPENDJ-248). OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246). OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command. OpenDJ now supports checking that entries of new group members exist (OPENDJ-221). OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted. OpenDJ now better supports more, and larger static groups (OPENDJ-197). Change log content and configuration has been improved in this release (OPENDJ-194). Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186). The character set password validator now supports optional character sets (OPENDJ-168). Also, The character set password validator now understands classes like "All non-Latin characters" (OPENDJ-620) Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76). OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60). OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).