What's New in OpenDJ

Compared to the OpenDJ release, OpenDJ provides the following new features.

OpenDJ now provides native RESTful access over HTTP to directory data (OPENDJ-808). See the procedure, To Set Up REST Access to OpenDJ Directory Server, to activate this feature.

OpenDJ REST LDAP gateway lets clients access directory data in remote LDAP servers over HTTP (OPENDJ-757, OPENDJ-1033). See the procedure, To Install OpenDJ REST LDAP Gateway, to get started.

OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262).
With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.

For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.

Both the OpenDJ entry and the remote entry have the same DN.

The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.

The OpenDJ entry and the remote entry share an attribute that has exactly the same value.

If user entries do not match originally, you can no doubt add an attribute to users' OpenDJ entries when configuring them to use pass through authentication.

To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details.

OpenDJ now provides Debian and RPM packages (OPENDJ-408).

The OpenDJ upgrade process and upgrade command
have changed to facilitate native packaging on more platforms and to make upgrade easier to handle over time (OPENDJ-455).

Also, you can now force OpenDJ upgrade to complete if errors occur in non-interactive mode (OPENDJ-522).

See Upgrading to OpenDJ for instructions.

OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308).

OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409).

OpenDJ now supports the PBKDF2 password storage scheme (OPENDJ-510).

OpenDJ now lets you use more TLS cipher suites in SSFs, including those provided by Bouncy Castle and IBM (OPENDJ-826).

OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.

The OpenDJ dictionary password validator can now check whether a
password value contains dictionary words as substrings (OPENDJ-295).

The character set password validator now supports optional character sets (OPENDJ-168). Also, the character set password validator now understands classes like "All non-Latin characters" (OPENDJ-620).

OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441).

OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418).

OpenDJ now lets you escape characters in make-ldif templates (OPENDJ-800).

Country String syntax now validates ISO 3166 codes (OPENDJ-562).

OpenDJ now sets isMemberOf on groups as well as user entries (OPENDJ-513).

Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508).

OpenDJ now better supports more and larger static groups (OPENDJ-197).

OpenDJ now supports checking that entries of new group members exist (OPENDJ-221). OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted.

OpenDJ now includes attribute syntax validation for X.509
certificate values (OPENDJ-482).

OpenDJ now runs more reliably as a Windows Service (OPENDJ-617).

OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406).

The OpenDJ rebuild-index command now provides an option, , to forcefully clear the state of an unused index for a newly created attribute (OPENDJ-473).

Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469).

Persistent connections can now be identified when querying cn=monitor for the LDAP client connection handler (OPENDJ-677).

OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).

OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).

OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).

OpenDJ now logs only fatal errors, severe errors, warnings, and
notices at startup time (OPENDJ-438).

The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446).

OpenDJ now lets you set up the server in command-line mode without creating a default backend (OPENDJ-435).

OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393).

OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371, OPENDJ-662).

With the new version, explicitly use the Java setting to improve performance, even if the setting is enabled by default in recent versions of the Java runtime environment. To apply JVM settings for your server, edit config/java.properties, and apply the changes with the dsjavaproperties command.

OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).

OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372).

More OpenDJ tools now prompt for a bind password when none is
provided (OPENDJ-358).

OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352).

OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).

OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).

Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250).

OpenDJ now calls Account Status Notification Handlers when an account is enabled or disabled by the manage-account command (OPENDJ-248).

Change log content and configuration have been improved in this release (OPENDJ-194).

Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).

Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).

OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).
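
The pass through authentication matching rules described above, as an added example that is not OpenDJ code: a simplified Python model of how a local entry resolves to a remote bind DN under each of the three correspondences, and why a missing or ambiguous match should fail closed before any bind is replayed. The policy labels (same-dn, dn-attribute, shared-attribute), the function names and the sample directories are assumptions constructed for illustration.

```python
import hmac

class PTAError(Exception):
    """The local entry does not map to exactly one remote entry."""

def resolve_remote_dn(local_dn, local_entry, remote_dir, policy, attr=None):
    """Return the DN to bind as remotely. Policy labels are made up for this example."""
    if policy == "same-dn":              # both entries have the same DN
        return local_dn
    values = local_entry.get(attr, [])
    if policy == "dn-attribute":         # a local attribute holds the remote DN
        candidates = list(values)
    elif policy == "shared-attribute":   # both entries share exactly the same value
        candidates = [dn for dn, entry in remote_dir.items()
                      if set(values) & set(entry.get(attr, []))]
    else:
        raise ValueError(f"unknown policy: {policy}")
    if len(candidates) != 1:
        # Zero matches or an ambiguous match: fail closed instead of guessing.
        raise PTAError(f"{len(candidates)} remote candidates for {local_dn}")
    return candidates[0]

def remote_simple_bind(remote_dir, dn, password):
    """Stand-in for the remote server's simple bind, using constructed data."""
    entry = remote_dir.get(dn)
    stored = entry["userPassword"][0] if entry else ""
    return bool(entry) and hmac.compare_digest(stored.encode(), password.encode())

def pta_authenticate(local_dn, local_dir, remote_dir, password, policy, attr=None):
    """Replay the user's simple bind against the remote service."""
    # A DN with an empty password is an RFC 4513 unauthenticated bind: never replay it.
    if not password:
        return False
    try:
        remote_dn = resolve_remote_dn(local_dn, local_dir[local_dn], remote_dir, policy, attr)
    except (KeyError, PTAError):
        return False
    return remote_simple_bind(remote_dir, remote_dn, password)

AD = ",cn=Users,dc=ad,dc=example,dc=com"  # constructed sample data below
LOCAL = {
    "uid=bjensen,ou=People,dc=example,dc=com": {"mail": ["bjensen@example.com"]},
    "uid=team,ou=People,dc=example,dc=com": {"mail": ["team@example.com"]},
}
REMOTE = {
    "cn=Barbara Jensen" + AD: {"mail": ["bjensen@example.com"], "userPassword": ["hifalutin"]},
    "cn=Team A" + AD: {"mail": ["team@example.com"], "userPassword": ["secret12"]},
    "cn=Team B" + AD: {"mail": ["team@example.com"], "userPassword": ["secret12"]},
}
```

In the sample data the team entry shares its mail value with two remote entries, so the shared-attribute mapping refuses it even when the password would have matched one of them.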