Release Notes for LDAP C SDK 5.x
Michael Hein mhein@sun.com
LDAP C SDK 4.x historical release notes
LDAP C SDK 5.0 (3/28/2001)
LDAP C SDK 5.01 (06/13/2001)
LDAP C SDK 5.02 (07/03/2001)
LDAP C SDK 5.03 (08/02/2001)
LDAP C SDK 5.04 (08/15/2001)
LDAP C SDK 5.05 (10/04/2001)
LDAP C SDK 5.06 (11/07/2001)
LDAP C SDK 5.07 (02/02/2002)
LDAP C SDK 5.08 (02/10/2002)
LDAP C SDK 5.0 (3/28/2001) (www.iplanet.com release)
Bugs/enhancements fixed in this release:
- Migrated to NSS 3.2 and NSPR 4.1
- Build system rewritten to accommodate move to mozilla
- 530135 - simple filters are truncated
- 520548 - only print info if -vv is used
- 529868 - support "version 2" proxied auth control
- Various bugs reported through Mozilla.org fixed in this release
LDAP C SDK 5.01 (06/13/2001)
Bugs/enhancements fixed in this release:
- 540490 - ber_scanf leaks memory on encoding errors
- don't link libldap with NSPR libraries
- 543857 - broken command line utilities because of ber_scanf() changes
- 394822 - command line tools should support password policy
- 539148 - Unix ldapmodify cannot parse NT replica dump
- 526153 - -Z option is not checked in case of SSL client auth
- Added files in coreconf as needed for Linux 7.1 build
- (added to tip of ldapcsdk_branch_50 branch)
- Took out libdbm module as we are no longer dependent on it (NSS includes
  it) as we don't build static ldap library versions anymore
- 546204 - HP-UX command line utilities not working
- added SunOS5.8_i86pc.mk, SunOS5.9.mk, SunOS5.9_i86pc.mk, and updated SunOS5.mk
  for Solaris x86 support
- misc changes for i86 support
LDAP C SDK 5.02 (07/03/2001)
Bugs/enhancements fixed in this release:
- header file reorg. The ldap.h header file has now been split up into
  4 separate files (ldap-standard.h, ldap-extension.h, ldap-deprecated.h,
  and ldap-to-be-deprecated.h) and a new file, ldap-platform.h, has been added
  to the distribution. As per the LDAP C API draft, the user is only required
  to include ldap.h; the files listed above are included automatically.
- ltest builds once again (Solaris only).
- Use IPv6 (if available) when NSPR I/O is used via libprldap.
- Change the cmd line utilities to always use NSPR I/O via libprldap.
- Add support for IPv6 addresses (in square brackets) to the ldap_init()
  call and libldap's LDAP URL parser.
- Export ldap-platform.h and ldappr.h (shipped as public headers).
- Add top-level COMPS_FROM_OBJDIR=1 gmake option for use in the non-coreconf
  case.
- Remove outdated build instructions.
- Add support for building examples within a source tree.
- nsprio now takes an optional hostport argument.
- add check for ld_mutex != NULL in LDAP_MUTEX_LOCK/UNLOCK macros. This fixes
  a crash that can occur when using libprldap.
- 73830 - Calling ldap_init() with a NULL hostname results in core.
  The crash occurred because the host pointer ("localhost") was being freed
  twice. Now we ensure that the host is set to NULL by ldap_x_hostlist_next()
  in the special case when NULL was passed into ldap_x_hostlist_first(),
  which is more consistent for the caller and eliminates the double free problem.
- nsprio build fixes
- build static libldap50.a library and include in distribution (Note: this
  is the ldap library only. We do not ship the SSL-enabled library as
  a static library. When you use this library you will have to link
  with the static liblber library as well.)
- Cannot use the __declspec (thread) semantics for thread local storage if
  one wants to use LoadLibrary to dynamically load a DLL at runtime. This
  issue was found on NT only and caused PerLdap to fail.
LDAP C SDK 5.03 (08/02/2001)
Bugs/enhancements fixed in this release:
- 345002 - Implement persistent search (345002)
- 550410 - "-s" scope implementation
- 550409 - fix for false success report in verbose mode
- Include liblber functions in Linux libldap build
- BER speedup changes (via writev)
- Update components to NSS 3.3, NSPR 4.12, and SVRCORE 3.3
- 553151 - Abnormal behavior of get_get_next_buffer() under extreme conditions
- package up additional header files for internal product builds
LDAP C SDK 5.04 (08/15/2001)
Bugs/enhancements fixed in this release:
- 555890 - ldapsearch is broken on NT/Linux/OSF
- added the new packaging script for www.iplanet.com
LDAP C SDK 5.05 (10/04/2001)
Bugs/enhancements fixed in this release:
- new option to command line utilities to allow for -w - to prompt for the
  simple bind password from the command line
- new option to command line utilities to allow for -j to read the simple
  bind password from a specified file name
- misc. ber changes to io.c
- take out -lC in tools/clients/Makefile.client since we are now picking
  up clean forte6 components
- 558135 - smart referrals with three contiguous slashes don't work
- allow for the setting of controls via command line interface
- bump to forte6.2 component for Solaris 5.8 (This change only applies to
  the NSS component)
- 559670 - use of select() causes problems with > 1024 connections in iDS
  chaining code
- support sun4m architecture
LDAP C SDK 5.06 (11/07/2001) (www.iplanet.com release)
Bugs/enhancements fixed in this release:
- 560859 - use of select() appears to limit connections to 1024. This
  is manifested in using select in the non-blocking connect code (os-ip.c).
  Have increased platform specific FD_SETSIZE constant to get around this
  limitation. This was done to reduce the risk of creating poll bugs.
- 561412 - no timeout in ssl_write in liblber. Changed the usage of
  PR_Write to PR_Send, as PR_Send allows a timeout to be specified.
  This value should probably be settable from outside libprldap. This
  is the real fix that needs to be put in place.
- 561268 - Option '-w -' for command line utilities does not work on Win
  NT & Win 2000
- a bunch of misc changes were committed to make the build system "company"
  agnostic, which allows the builder of the LDAP C SDK to specify company
  version, company name etc.
LDAP C SDK 5.07 (02/02/2002) (www.iplanet.com release)
Bugs/enhancements fixed in this release:
- fix regression on command line tools with -J option
- add new prldap functionality to set timeout on PR_Send(), PR_Write() etc.
  calls.
- A base64 encoded value that commences (after decoding) with a '<' is
  incorrectly interpreted as LDIF URL syntax attr:<
- 114041 - previously allocated mutexes leaked when using LDAP_OPT_THREAD_FNS.
- 73830 - Calling ldap_init() with a NULL hostname results in core. The crash
  occurred because the host pointer ("localhost") was being freed twice.
  Now we ensure that the host is set to NULL by ldap_x_hostlist_next() in
  the special case when NULL was passed into ldap_x_hostlist_first(), which
  is more consistent for the caller and eliminates the double free problem.
- 112076 - crash due to double free of ssip->lssei_keypasswd. This
  code was inadvertently not migrated to NSS 3.x as this was a known change
  in behavior from 2.x
- updated changes for idar writev (io.c, lber-int.h)
- 120406 - can't use more than 127 threads with SSL or NSPR. Previously,
  we allocated one NSPR thread-private data index for each active LDAP *.
  Now we only allocate one for the entire prldap library (this library now
  has its own thread-private DATA layer).
- include nspr header files in distribution (in include-nspr) as a convenience
  for developers
- move component version info to a separate file
- enable COMPONENT_PULL_METHOD=FTP for UNIX builds
- 106057 - the nsldapi_os_connect_with_to() function should use poll()
- upgrade to NSS 3.2.2
LDAP C SDK 5.08 (02/10/2002) (www.iplanet.com release)
Bugs/enhancements fixed in this release:
- 4615315 - C SDK needs mechanism for verifying SSL peer's hostname
LDAP C SDK 4.x release notes
NEW FEATURES AND ENHANCEMENTS
This section of enhancements details the changes that were made to both
versions 4.0 and 4.1 of the LDAP SDK for C.
The following set of modifications were made to the LDAP SDK for C,
version 4.1:
- The LDAP SDK for C library names were changed to indicate the new version
  of the SDK. For example, the new Solaris version of the SDK library is
  libldapssl41.so.
  For information on how to build and link applications that use this SDK,
  see the make files for the SDK examples.
- Various changes were made to the LDAP SDK for C to align it with LDAPv3,
  described in RFC 2251. You can find this RFC at the following URL:
  http://www.ietf.org/rfc/rfc2251.txt?number=2251
- Non-blocking connect functionality has been added. For more information,
  please see LDAP_X_OPT_CONNECT_TIMEOUT.
- A new extended I/O function callback scheme was added to the SDK. The ldap_x_ext_io_fns
  struct has been added to hold extended I/O function pointers. The ldap.h
  file outlines the new callbacks.
- Netscape Portable Runtime library (NSPR) support was added. The library
  libldappr was added to provide a simple way for an application that is using NSPR
  to tie libldap into its environment. The ldappr.h file
  outlines the new interface. The library libldappr is statically
  linked in the version of the SDK that is available from both Mozilla and
  iPlanet's web sites.
  The new example nsprio.c shows how to use the new interfaces.
  Note that before you can compile the example, you will need to rework the
  makefile to include NSPR v3.5.1. You can check out the NSPR 3.5.1 source
  from www.mozilla.org with the following CVS command:
      cvs co -r NSPRPUB_RELEASE_3_5_1 mozilla/nsprpub
  Make sure to set your CVSROOT environment variable as described
  on http://www.mozilla.org/cvs.html
  before running the cvs checkout command. For information on NSPR and its
  API, see http://www.mozilla.org/docs/refList/refNSPR/.
The ldap_search*() line of functions was modified as follows:
- The ldap_search*() line of functions now return LDAP_PARAM_ERROR
  if a sizelimit smaller than -1 is passed to the function call.
- The ldap_search*() line of functions now set *result
  to NULL in all error situations.
The ldapmodify utility was modified as follows:
- The -A option was added, which causes the tool to display non-ASCII
  values in conjunction with the -v option.
- The -B and -q options were added, which provide support
  for the bulk import feature available in the iPlanet Directory Server,
  version 5.0.
- Support for the version directive was added.
- Support for changetype with moddn was added.
- Improved the LDIF output to provide better support for file URLs.
The ldapsearch utility was modified as follows:
- The -e option was added, which minimizes base-64 encoding of values.
  By default, ldapsearch will always produce ASCII values and
  any non-ASCII values (such as UTF-8 characters) as base-64 encoded characters.
  The new -e option causes ldapsearch to return as much
  real data as is possible. With -e, only values or DNs that contain
  an '\r', an '\n', or that start with ':', ' ', or '<'
  are base-64 encoded. Note that the -e option may cause ldapsearch
  to produce LDIF that does not conform to RFC 2849, found at (ftp://ftp.isi.edu/in-notes/rfc2849.txt).
- The -U option was added, which operates in conjunction with the
  -t option (which causes ldapsearch to produce file URLs).
- To conform with RFC 2849, ldapsearch now outputs a "version:
  1" line at the start of all LDIF. A new -1 (minus 1) option
  has been added to ldapsearch to suppress this line.
- The ldapsearch utility has been modified to support a zero length
  filter, represented as either "" or NULL. The zero-length filter
  "" is now an alias for "(objectclass=*)".
The following new examples have been added to the SDK:
- csearch -- search with ldap_memcache
- ssnoauth -- search over SSL
- ssearch -- search over SSL with cert based authentication
- nsprio -- example usage of the extended IO callbacks
- psearch -- uses persistent search
- srvsort -- shows server-side sorting
- ppolicy -- shows use of password policies
- crtfilt -- demonstrates the use of ldap_create_filter()
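The base-64 rule that the ldapsearch -e option applies (described above in the version 4.1 changes), worked through as an added example that is not ldapsearch or SDK source: a stand-alone C sketch that builds one LDIF attribute line in default or -e mode. Values containing a line break or starting with '<' must stay encoded because, written raw, they would be read as a new LDIF line or as the attr:< URL syntax mentioned in the 5.07 notes. The names needs_base64 and ldif_line are hypothetical, and treating default mode as the -e rule plus "any byte above 0x7F" is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* -e rule from the text: base-64 only when the value contains CR or LF or
 * starts with ':', ' ' or '<'. Assumption: default mode applies the same
 * rule and additionally encodes any byte outside 7-bit ASCII. */
int needs_base64(const unsigned char *v, size_t len, int minimal)
{
    size_t i;
    if (len > 0 && (v[0] == ':' || v[0] == ' ' || v[0] == '<')) return 1;
    for (i = 0; i < len; i++) {
        if (v[i] == '\r' || v[i] == '\n') return 1;
        if (!minimal && v[i] > 0x7f) return 1;
    }
    return 0;
}

/* Standard base-64 with '=' padding; out needs 4*((len+2)/3)+1 bytes. */
static void b64(const unsigned char *in, size_t len, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    for (i = 0; i < len; i += 3) {
        unsigned long w = (unsigned long)in[i] << 16;
        if (i + 1 < len) w |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < len) w |= in[i + 2];
        out[o++] = tbl[(w >> 18) & 63];
        out[o++] = tbl[(w >> 12) & 63];
        out[o++] = (i + 1 < len) ? tbl[(w >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? tbl[w & 63] : '=';
    }
    out[o] = '\0';
}

/* Build "attr: value" or "attr:: <base64>". Returns 0, or -1 if out is too small. */
int ldif_line(const char *attr, const void *val, size_t len, int minimal,
              char *out, size_t outsz)
{
    size_t alen = strlen(attr);
    int enc = needs_base64(val, len, minimal);
    size_t body = enc ? 4 * ((len + 2) / 3) : len;

    if (alen + 3 + body + 1 > outsz) return -1;
    memcpy(out, attr, alen);
    memcpy(out + alen, enc ? ":: " : ": ", enc ? 3 : 2);
    if (enc) {
        b64(val, len, out + alen + 3);
    } else {
        memcpy(out + alen + 2, val, len);
        out[alen + 2 + len] = '\0';
    }
    return 0;
}

int main(void)
{
    char line[128];
    const char name[] = "Zo\xc3\xab";   /* constructed sample: "Zo" + U+00EB in UTF-8 */
    if (ldif_line("cn", name, 4, 0, line, sizeof line) == 0) puts(line);  /* default */
    if (ldif_line("cn", name, 4, 1, line, sizeof line) == 0) puts(line);  /* -e */
    if (ldif_line("description", "a\nb", 3, 1, line, sizeof line) == 0) puts(line);
    return 0;
}
```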
The following set of modifications were made to the LDAP SDK for C,
version 4.0:
- The ldap.h header file was modified as follows:
- Support was added for discovery of API version information at run-time
  with the LDAP_OPT_API_INFO option and LDAPAPIInfo structure.
- Support was added for the discovery of API extensions at run-time with
  the LDAP_OPT_API_FEATURE_INFO and LDAPAPIFeatureInfo
  structures.
- The following macros were added to support the discovery of API version
  information at compile-time: LDAP_VENDOR_VERSION, LDAP_VENDOR_NAME,
  and LDAP_API_VERSION.
- A set of LDAP_API_FEATURE_* macros was added to support the discovery
  of API extensions at compile-time.
- The LDAP_OPT_PRIVATE_EXTENSION_BASE macro was added.
- The ldap_unbind_ext() function was added.
- The ldap_mods_u name was added to the mod_vals union.
- A number of function parameters were modified to be declared with const.
- The ldap_get_option() function was modified as follows:
- Support for the LDAP_OPT_HOST_NAME option was added.
- The function now returns a duplicate copy of data when LDAP_OPT_SERVER_CONTROLS,
  LDAP_OPT_CLIENT_CONTROLS,
  or LDAP_OPT_ERROR_STRING are retrieved.
- The LDAP_OPT_MATCHED_DN option was added.
- Support for LDAP_OPT_ERROR_NUMBER and LDAP_OPT_ERROR_STRING
  was added.
- The lber.h header file was modified as follows:
- Support was added for receiving unsolicited LDAPv3 notification messages.
- The header files disptmpl.h and srchpref.h are now shipped
  with the SDK.
- When using SSL client authentication with the command-line utilities, you
  are no longer required to provide the Cert DB password with the -W
  option on the command line. If you do not specify the -W option,
  the command-line utility will prompt you for your Cert DB password.
  Alternatively, you can provide a path to a PIN file that contains your
  Cert DB password. The format of a PIN file is the same as the PIN file
  that you would use for a 4.1 Netscape Directory Server. That is, if your
  Cert DB password is secret12, then you would enter the following
  line into your PIN file:
      Internal (Software) Token:secret12
  You would then point to this file using the -I option on the command
  line utility. For example:
      -I /h/bjensen/.netscape/my_pin_file
  The use of either the PIN file or interactive prompting for your password
  means that your Cert DB password is not exposed through process examination
  (that is, by using the ps command on Unix).
LDAP_X_OPT_CONNECT_TIMEOUT
The LDAP SDK for C, v4.1 provides a new option that allows you to control
the TCP/IP timeout. Normally connection attempts will block for a period
of time when the connection is for a host that is not reachable. LDAP_X_OPT_CONNECT_TIMEOUT
allows you to control the amount of time for which a connection attempt
will block in the event that the host is not reachable. You can tell the
SDK to return immediately, return after an amount of time that you specify,
or to block indefinitely.
The timeout value is set on a per-session handle basis and you can control
the default timeout that is used by all session handles. Use ldap_set_option()
to set the timeout value. Use ldap_get_option() to return the
timeout value that is set for the current session handle.
Timeout Values
To support this option, the following special values are now available:
LDAP_X_IO_TIMEOUT_NO_WAIT -- The connection attempt returns
immediately even if the server is reachable.
LDAP_X_IO_TIMEOUT_NO_TIMEOUT -- The connection attempt will
block until the host responds, or for the duration of the platform's connection
timeout. Depending on the platform, the default connection timeout can
be anywhere from 20 seconds to 3 minutes or longer. This value is the default.
In addition, you can specify a timeout value in milliseconds.
Setting the Timeout Value
The following code fragment sets the timeout value for the session handle
to 10 seconds.
    #include <stdio.h>
    #include "ldap.h"
    #define HOST "mydirectory.siroe.com"
    #define PORT 389
    ...
    LDAP *ld;
    LDAPMessage *result;
    int rc, version;
    /* timeout is specified in milliseconds. 10000 = 10 seconds. */
    int timeout = 10000;
    ...
    if ( ( ld = ldap_init( HOST, PORT ) ) == NULL ) {
        perror( "ldap_init" );
        return( -1 );
    }
    if ( ldap_set_option( ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout ) != LDAP_SUCCESS ) {
        rc = ldap_get_lderrno( ld, NULL, NULL);
        fprintf( stderr, "ldap_set_option: %s\n", ldap_err2string( rc ) );
        ldap_unbind( ld );
        return (rc);
    }
    ...
You can also control the default timeout for all LDAP session handles by
passing NULL as the LDAP * argument to ldap_set_option().
For example:
    /* LDAP_X_IO_TIMEOUT_NO_WAIT is one of the special values listed above */
    int timeout = LDAP_X_IO_TIMEOUT_NO_WAIT;
    ldap_set_option( NULL, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout );
    /* the default timeout is now set for all new ldap connections that
       are created after this call to ldap_set_option. */
Retrieving the Timeout Value
The following code fragment retrieves the timeout value for the current
session handle.
    #include <stdio.h>
    #include "ldap.h"
    #define HOST "mydirectory.siroe.com"
    #define PORT 389
    ...
    LDAP *ld;
    LDAPMessage *result;
    int rc, version, timeout;
    ...
    if ( ( ld = ldap_init( HOST, PORT ) ) == NULL ) {
        perror( "ldap_init" );
        return( -1 );
    }
    if ( ldap_get_option( ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout ) != LDAP_SUCCESS ) {
        rc = ldap_get_lderrno( ld, NULL, NULL);
        /* report the call that actually failed */
        fprintf( stderr, "ldap_get_option: %s\n", ldap_err2string( rc ) );
        ldap_unbind( ld );
        return (rc);
    }
    switch( timeout ) {
    case LDAP_X_IO_TIMEOUT_NO_WAIT:
        printf("The connection is set to not block\n");
        break;
    case LDAP_X_IO_TIMEOUT_NO_TIMEOUT:
        printf("The connection is set to block indefinitely\n");
        break;
    default:
        /* the stored value is in milliseconds */
        printf("The connection timeout is set to %d seconds\n", (timeout/1000) );
        break;
    }
    ...
LDAP library/API Version Mismatch Error Messages
This feature was added to version 4.0 of the LDAP SDK for C.
Various macros and structures have been added to the SDK to allow for
compile-time and run-time discovery of the API version. Their intended
use is to allow you to ensure that you are compiling and running with the
correct version of the LDAP SDK for C. These features are in line with
the latest LDAP SDK for C API Internet Draft.
As a result of these changes, the command line tools bundled with the
LDAP SDK for C now check to ensure that they are running with the correct
version of the library. If your library path variable (LD_LIBRARY_PATH
on most Unix systems and the PATH variable on Windows NT) is set so that
an old version of the LDAP SDK for C library is in use, then the command
line tools can return one of the following error messages:
    ldapsearch: unable to retrieve LDAP library version information;
    this program requires an LDAP library that implements revision
    2003 or greater of the LDAP API.

    ldapsearch: this program requires an LDAP library that implements revision
    2003 or greater of the LDAP API; running with revision 2002.

    ldapsearch: this program requires Netscape Communications Corp.'s LDAP
    library version 3.20 or greater; running with version 3.00.

By default, the tools will exit if they see a mismatch in versions. To
override the version mismatch, you can use the -0 option (zero, not
'o') with the tools, but results may vary.
ldap_url_parse() with Space-Separated Lists of Hosts
This feature was added to version 4.0 of the LDAP SDK for C.
You can now pass ldap_url_parse() a string that uses the following
format:
    ldap://host1:port1 host2:port2 host3:port3 ... hostn:portn/<basedn>
Using this format, ldap_url_parse() will return results that
are acceptable to ldap_init(). For example:
    LDAP *ld = NULL;
    LDAPURLDesc *ludpp;
    int res;
    char *url = "ldap://phonebook.example.com:2389 directory.example.com:389/o=example.com";
    res = ldap_url_parse(url, &ludpp);
    if (res == 0) {
        /* lud_host carries the whole space-separated host list */
        ld = ldap_init(ludpp->lud_host, ludpp->lud_port);
        ldap_free_urldesc(ludpp);
    }
This input causes ldap_init() to try to connect to each host and
port in the URL string until it finds a host with which it can connect.
Note that ludpp->lud_port is set to the port identified on the
last host in the URL string. If ludpp->lud_port is used as shown here,
then the last port identified on the URL string becomes the default port
for any hosts for which a port is not explicitly set. Using the example
above, suppose the URL string contained the following:
    ldap://phonebook.example.com phonebook2.example.com phonebook3.example.com:2389/o=example.com
Here, ldap_init() would use port 2389 for all the hosts that it
tries. If the last host in the string does not identify a port, then ludpp->lud_port
is set to zero (0). Setting the port to 0 tells ldap_init() to
use the default port, which is 389 for ldap:// URLs and 636 for
ldaps:// URLs.
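The port-defaulting rule described above, worked through as an added example that is not code from the SDK: a stand-alone C sketch that lists the host and port pairs that would be tried for a space-separated host list, following the rule in the text. It goes slightly beyond the text by also accepting the bracketed IPv6 form mentioned in the 5.02 notes and by rejecting malformed ports; the names resolve_hostlist, split_entry and struct endpoint are hypothetical, and no LDAP library is needed to build it.

```c
#include <stdio.h>
#include <string.h>

struct endpoint { char host[128]; int port; };    /* port 0 = none given */

/* Split one "host", "host:port" or "[ipv6]:port" entry of length n (n >= 1). */
static int split_entry(const char *s, size_t n, struct endpoint *ep)
{
    const char *end = s + n, *h = s, *hend = end, *p = NULL, *c;
    long v = 0;
    if (*s == '[') {                               /* bracketed IPv6 literal */
        if ((hend = memchr(s, ']', n)) == NULL) return -1;
        h = s + 1;
        if (hend + 1 < end && hend[1] != ':') return -1;
        if (hend + 1 < end) p = hend + 2;
    } else if ((c = memchr(s, ':', n)) != NULL) {
        hend = c;
        p = c + 1;
    }
    if (hend == h || (size_t)(hend - h) >= sizeof ep->host) return -1;
    memcpy(ep->host, h, (size_t)(hend - h));
    ep->host[hend - h] = '\0';
    ep->port = 0;
    if (p == NULL) return 0;                       /* no explicit port */
    for (; p < end; p++)                           /* digits only, 1..65535 */
        if (*p < '0' || *p > '9' || (v = v * 10 + (*p - '0')) > 65535) return -1;
    if (v == 0) return -1;
    ep->port = (int)v;
    return 0;
}

/* Fill out[] with the host/port pairs that would be tried, in order.
 * Returns the number of hosts, or -1 on a malformed URL. */
int resolve_hostlist(const char *url, struct endpoint *out, int max)
{
    int secure, n = 0, defport, i;
    const char *p, *stop, *e;
    if (strncmp(url, "ldaps://", 8) == 0)     { secure = 1; p = url + 8; }
    else if (strncmp(url, "ldap://", 7) == 0) { secure = 0; p = url + 7; }
    else return -1;
    if ((stop = strchr(p, '/')) == NULL) stop = p + strlen(p);
    while (p < stop) {
        if (*p == ' ') { p++; continue; }
        if ((e = memchr(p, ' ', (size_t)(stop - p))) == NULL) e = stop;
        if (n == max || split_entry(p, (size_t)(e - p), &out[n]) != 0) return -1;
        n++;
        p = e;
    }
    defport = n ? out[n - 1].port : 0;   /* port on the last host becomes the default */
    if (defport == 0) defport = secure ? 636 : 389;
    for (i = 0; i < n; i++)
        if (out[i].port == 0) out[i].port = defport;
    return n;
}

int main(void)
{
    struct endpoint ep[8];
    /* Second URL from the text: only the last host names a port. */
    int i, n = resolve_hostlist("ldap://phonebook.example.com phonebook2.example.com "
                                "phonebook3.example.com:2389/o=example.com", ep, 8);
    for (i = 0; i < n; i++) printf("%s port %d\n", ep[i].host, ep[i].port);
    return n < 0;
}
```

A check like this is useful when reviewing client configuration, since a port on the last host changes where every host without its own port is contacted.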
KNOWN PROBLEMS
The following is a known bug in this release of the LDAP SDK for C:
- The IO Connect Timeout feature does not work on Windows NT with SSL. That
  is, the Windows NT connection always blocks for the Windows NT TCP/IP timeout
  value (approximately 50 seconds) in the event that the host is not reachable.
  This is because the PR_Connect() function in the Windows NT version of
  NSPR does not time out, and so a timeout value cannot be set for it. This
  problem will be resolved in a future release when a fixed version of NSPR
  becomes available. (42900)
MORE INFORMATION
iPlanet provides binary releases of this SDK. However, note that this SDK
is also available in source code form as part of the Mozilla.org open source
project. Refer to the following site for more information on how you can
get the source code and contribute to the further development of this SDK:
http://www.mozilla.org/directory
Product Documentation
The LDAP SDK for C Programmer's Guide, version 4.1 is available
in HTML and PDF formats. You can access this manual at the following site:
http://docs.iplanet.com/docs/manuals/directory.html#SDK.
Installation instructions and release notes for all iPlanet and Netscape
servers are posted at http://docs.iplanet.com/docs/manuals/index.html.
Reporting Problems with the LDAP SDK for C
Please submit problem reports to the netscape.public.mozilla.directory
newsgroup and/or mailing list. For information on locating this and other
Mozilla newsgroups and mailing lists, please see http://www.mozilla.org/community.html