
Releases: Wildboar-Software/directory

v2.4.2

12 Mar 01:21

Changes

SECURITY UPDATE

  • Fix non-use of prescriptiveACI to regulate subentries in several access
    control schemes.

Upgrading

Meerkat DSA previously did not use prescriptiveACI from superior access
control areas to govern access to subentries.

v2.4.1

12 Mar 01:20

Changes

  • Fix Denial-of-Service caused by failing assertion

Upgrading

You do not have to do anything for this upgrade to work. Just update the
version of Meerkat DSA you're using.

v2.4.0

12 Mar 01:18

Changes

  • Service Administration
    • This means that directory administrators can define search rules that constrain the types of searches users can perform

You do not have to do anything for this upgrade to work. Just update the version of Meerkat DSA you're using. The Demo DIT has a service administrative area in C=US,ST=FL,L=MAR,L=Ocala that you can experiment with.

v2.3.0

23 Feb 02:24

New Features

  • Relaxations and Tightenings
    • This means that users can specify a desired minimum and maximum number of
      entries to be returned from the search, and, if the first pass of the search
      does not return a number of results within this range, a new pass of the
      search will proceed, but using a user-specified replacement of the otherwise
      applicable matching rules that makes the search filter stricter or more
      relaxed.
  • Zonal matching
    • This is a type of relaxation that replaces locale-related attributes in the
      search filter with their equivalent "zone identifiers," such as postal
      codes, and can intelligently expand the scope of the search by including
      neighboring zones.
    • See the documentation on zonal matching.
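The pass/re-pass loop described above, as an added example that is not Meerkat DSA's own code. It models a search that first runs with the otherwise applicable matching rule and, when the result count falls outside the requested [minimum, maximum] range, re-runs with each user-specified replacement rule in turn (broader rules when there are too few results, stricter rules when there are too many). The flat entry maps, the predicate form of matching rules, the sample data and the behaviour when every replacement rule is exhausted are assumptions of this example, not taken from the release notes; zonal matching is not modelled.

```typescript
// Added example (not Meerkat DSA's own code): a simplified model of the
// relaxation/tightening loop described in the v2.3.0 notes. Assumptions not on
// the page: entries are flat attribute maps, a matching rule is a predicate, and
// the relaxation policy is given as ordered lists of replacement rules.

type Entry = Record<string, string>;
type MatchingRule = (asserted: string, stored: string) => boolean;

interface FilterItem { attribute: string; value: string; }

interface RelaxationPolicy {
  minimum: number;              // fewer results than this triggers relaxation
  maximum: number;              // more results than this triggers tightening
  baseRule: MatchingRule;       // the otherwise applicable matching rule
  relaxations: MatchingRule[];  // broader replacement rules, tried in order
  tightenings: MatchingRule[];  // stricter replacement rules, tried in order
}

interface SearchOutcome {
  results: Entry[];
  passes: number;                          // how many search passes were run
  stage: "base" | "relaxed" | "tightened";
  inRange: boolean;                        // final count within [minimum, maximum]?
}

// Sample matching rules, constructed for this example.
const caseIgnoreMatch: MatchingRule = (a, s) => a.toLowerCase() === s.toLowerCase();
const caseIgnoreSubstringsMatch: MatchingRule = (a, s) => s.toLowerCase().includes(a.toLowerCase());
const caseExactMatch: MatchingRule = (a, s) => a === s;

// One pass of the search: every filter item must match under the given rule.
function runPass(entries: Entry[], filter: FilterItem[], rule: MatchingRule): Entry[] {
  return entries.filter((e: Entry) =>
    filter.every((f: FilterItem) => f.attribute in e && rule(f.value, e[f.attribute])));
}

function withinRange(count: number, policy: RelaxationPolicy): boolean {
  return count >= policy.minimum && count <= policy.maximum;
}

function searchWithRelaxation(entries: Entry[], filter: FilterItem[], policy: RelaxationPolicy): SearchOutcome {
  let results = runPass(entries, filter, policy.baseRule);
  let passes = 1;
  if (withinRange(results.length, policy)) {
    return { results, passes, stage: "base", inRange: true };
  }
  // Too few results: relax. Too many: tighten. Each replacement rule gets one further pass.
  const relaxing = results.length < policy.minimum;
  const ladder = relaxing ? policy.relaxations : policy.tightenings;
  const stage = relaxing ? "relaxed" : "tightened";
  for (const rule of ladder) {
    results = runPass(entries, filter, rule);
    passes += 1;
    if (withinRange(results.length, policy)) {
      return { results, passes, stage, inRange: true };
    }
  }
  // Every replacement rule was exhausted without landing in range. Returning the
  // final pass is this example's choice; the page does not say what the DSA does here.
  return { results, passes, stage, inRange: false };
}

// Constructed sample data.
const sampleEntries: Entry[] = [
  { cn: "John Smith" },
  { cn: "smith" },
  { cn: "Jane Smithers" },
  { cn: "Smith" },
  { cn: "Alice Jones" },
];
const smithFilter: FilterItem[] = [{ attribute: "cn", value: "Smith" }];
```

With `minimum: 3`, the base pass matches only the two exact (case-insensitive) "Smith" entries, so the substring rule is tried and yields four; with `minimum: 1, maximum: 1` the same base pass has too many results and the exact-case rule narrows it to one. The useful property for an operator is that every extra pass is bounded by the length of the user's replacement list, so a relaxation request cannot turn into an unbounded sequence of searches.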

Upgrading

You do not need to do anything for this to work other than apply migrations.

v2.2.0

10 Feb 15:02

Changes

  • Support all hierarchy selections in the search operation.
  • Use the extendedFilter component of search operation arguments.
  • Support the Use Alias On Update critical extension.

Upgrading to this version

  • If you previously set any hierarchical group-related attributes on any
    entries, hierarchical selections might not work as expected. You can fix this
    by removing the attributes and re-adding them.

v2.1.0

01 Feb 13:19

Changes

  • Implement the Search Continuation Reference Procedure defined in
    ITU Recommendation X.518 (2019),
    Section 20.4.3.
    • This means that, in some circumstances, instead of returning continuation
      references to the client, Meerkat DSA will chain searches to other DSAs to
      continue the search.
  • Improved distinguished name comparison for checking which remote DSAs are
    trusted for Identity-Based Requester Authentication, described in
    ITU Recommendation X.518 (2019),
    Section 22.1.1.
  • Properly support the unmerged option in paginated list and search
    operations.

How to Upgrade

If you are already on version 2.0.0 or higher, just upgrade; there are no breaking changes. Otherwise, see the release notes for version 2.0.0.

v2.0.0

22 Jan 15:11

Changes

  • Password Administration via Password Administrative Areas
  • Password Assertion via the compare operation
    • Before, asserting a password using the compare operation would never work,
      because of a security feature of Meerkat DSA. User passwords were not even
      accessible via normal means in the code of Meerkat DSA (to prevent
      disclosing them, even if they are encrypted).
    • Now, the compare operation can evaluate user passwords, and it has all of
      the same side-effects as attempting a password during a bind operation (e.g.
      incrementing pwdFails if the password is wrong).
  • Remote password checking via the compare operation during binding
    • This means that, no matter what DSA you attempt to bind to, it can submit a
      compare operation to the DSA that actually contains the password for a
      given user.
    • This is configurable via the
      MEERKAT_REMOTE_PWD_TIME_LIMIT
      environment variable. It defaults to 0, meaning that this feature is
      disabled by default. This is for security reasons.
  • Nearly doubled performance for most workloads
  • TLS Debugging Options
    • The ability to log (pre-)master secrets, either to the log or to a separate
      file via the MEERKAT_LOG_TLS_SECRETS environment variable.
    • The ability to print OpenSSL trace information via the
      MEERKAT_SSLKEYLOG_FILE
      environment variable.

Upgrading to this Version

The reason this version is a major version update is that I had to introduce a
breaking change into the database schema. The schema for this version is totally
incompatible with earlier versions. There is no way to "upgrade" to this
version. You must completely restart.

Fortunately, this update is a massive improvement and fix of many issues over
the previous version, so it is plausible that this will mean fewer breaking
changes going forward.

v1.3.0

03 Dec 20:07

Version 1.3.0

Changes

  • Support ISO Transport Over TCP (ITOT), as defined in IETF RFC 1006.
    • This is supported both when Meerkat DSA acts as a server and as a client (in DSP, DOP, or DISP, for instance).
    • It is recommended that you leave this disabled unless you need it for some reason.
  • Introduce missing LDAP syntaxes:
    • utmCoordinates
    • uiiForm
    • epcForm
    • countryString3c
    • countryString3n
    • dnsString
    • intEmailString
    • jidString
  • Reject chaining to any TCP port that has the same port as the DBMS.
    • This is a security feature to prevent malicious users from tricking your DSA
      into making requests to your DBMS. (In all likelihood, your DBMS will
      probably just interpret these as corrupt packets, but there is a chance
      that it might not!)
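A model of the port check just described, added here as an example and not taken from Meerkat DSA's code: before chaining to a remote access point, the DSA's own DBMS port is derived from its database connection string and any target whose TCP port equals it is refused. The URL form of the DBMS configuration, the per-scheme default ports and the choice to fail closed when the port cannot be determined are assumptions of this example.

```typescript
// Added example (not Meerkat DSA's own code): refuse to chain to any TCP port
// that equals the DBMS port, as in the v1.3.0 note above. The DBMS is assumed
// to be configured as a URL such as mysql://user:pw@db.internal:3306/meerkat;
// that form and the scheme defaults below are assumptions, not from the page.

const DEFAULT_DBMS_PORTS: Record<string, number> = {
  mysql: 3306,
  mariadb: 3306,
  postgresql: 5432,
  postgres: 5432,
};

// Extracts the port from a DBMS URL, falling back to the scheme's default port.
// Returns undefined when the URL is not understood (IPv6 literals are not handled).
function dbmsPortFromUrl(dbmsUrl: string): number | undefined {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(?:[^@\/]*@)?[^\/:]+(?::(\d{1,5}))?(?:[\/?#]|$)/i.exec(dbmsUrl);
  if (m === null) {
    return undefined;
  }
  const scheme = (m[1] ?? "").toLowerCase();
  const explicitPort = m[2];
  if (explicitPort !== undefined) {
    return Number(explicitPort);
  }
  return DEFAULT_DBMS_PORTS[scheme];
}

interface AccessPoint { host: string; port: number; }
interface ChainingDecision { target: AccessPoint; allowed: boolean; reason: string; }

// Decide whether chaining to one target may proceed. Only the port is compared,
// matching the note above. Failing closed when the DBMS port is unknown is this
// example's choice.
function checkChainingTarget(target: AccessPoint, dbmsUrl: string): ChainingDecision {
  const dbmsPort = dbmsPortFromUrl(dbmsUrl);
  if (dbmsPort === undefined) {
    return { target, allowed: false, reason: "DBMS port could not be determined; refusing to chain" };
  }
  if (target.port === dbmsPort) {
    return { target, allowed: false, reason: `target port ${target.port} equals the DBMS port` };
  }
  return { target, allowed: true, reason: "port does not collide with the DBMS" };
}

// Splits candidate access points into those that may be chained to and those
// rejected with a reason, which is what an operator would want in a warning log.
function partitionChainingTargets(
  targets: AccessPoint[],
  dbmsUrl: string,
): { allowed: AccessPoint[]; rejected: ChainingDecision[] } {
  const decisions = targets.map((t: AccessPoint) => checkChainingTarget(t, dbmsUrl));
  return {
    allowed: decisions.filter((d: ChainingDecision) => d.allowed).map((d: ChainingDecision) => d.target),
    rejected: decisions.filter((d: ChainingDecision) => !d.allowed),
  };
}
```

Because only the port is compared, a DSA listening on the DBMS's port number on some other host is also refused; that is the conservative reading of the note, and it keeps the rule independent of name resolution.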

Announcement

Wildboar Software is now maintaining the
ISO Development Environment!
This massive project contains an X.500 directory that was implemented in the
early 90s called "Quipu." Check it out
here! It was recently updated in a
BountySource challenge
to run on modern Linux systems, such as Ubuntu. Thank you
@abcpro1 for your work on this!

Part of the rationale for prioritizing ITOT support was for integration testing
with Quipu DSA. The @wildboar/rose-transport and @wildboar/x500-client-ts
libraries have been tested with Quipu DSA, but Meerkat DSA has not been
integration-tested with Quipu DSA yet. However, this is in the works!

More documentation about Quipu DSA, the X.500 libraries, terminal client, and
other tools found within ISODE will be added soon!

Next Developments

No promises, but the current plan is to work on X.500 clients and SDKs next so
that X.500 directories can be easily used. These include:

  • A Rust SDK / Library
    • This will open up possibilities for PAM modules, Linux kernel modules, and more!
  • A Golang SDK / Library (which is already partially complete)
  • A PassportJS Strategy

Depending on how long this takes, work may also begin on an X.500 GUI client!

v1.2.5

07 Sep 00:14

Version 1.2.5

  • Fix use of ManageDSAIT control in LDAP not returning most search results.
    • This was caused by a deviation in behavior between LDAP and DAP. Code was
      added so that LDAP behaves as would be expected from LDAP, while leaving
      the DAP code unchanged.

No administrative action is needed to upgrade to this version. Just download it
and use it.

v1.2.4

05 Sep 19:41

Version 1.2.4

  • Log much more information on LDAP searches
    • Almost the entire search request is logged.
    • The number of search results returned is logged.
    • This was implemented specifically to make it easier to diagnose issues with
      integration with tools that use LDAP authentication. Often, LDAP searches
      are used to enumerate users, so it is important to be able to debug these.
  • Log bound distinguished names if the MEERKAT_LOG_BOUND_DN environment
    variable is set to 1.

No administrative action is needed to upgrade to this version. Just download it
and use it.