OpenLDAP Version 2.5 Release Announcement
April 29, 2021
The OpenLDAP Project is pleased to announce the general availability of OpenLDAP Software
version 2.5, a suite of the Lightweight Directory Access Protocol (v3) servers, clients,
utilities, documentation, and development tools.
This release contains significant new function that has been contributed by Symas, its
customers, and by other organizations and individuals that use OpenLDAP. The bulk of this
function has already been heavily tested in the field using OpenLDAP 2.4, so the Project
expects the 2.5 release to be extremely stable in its early releases. As with all new
software, though, the Project recommends that users carefully test the software to ensure
it meets their needs.
The following new components and capabilities are highlighted for this release:
* LDAP Load Balancer Daemon
A load balancer daemon, designed from the ground up to handle LDAP loads, has been
developed. It is protocol-aware and can balance LDAP loads on a per-operation basis rather
than on a per-connection basis. Gone are the days of long-lived connections collecting on
a small number of LDAP servers and having to manually restart servers to rebalance loads.
* Large Multi-valued Attribute Support
When configured to use LMDB, OpenLDAP can handle multi-valued attributes with large
numbers of values without any appreciable performance degradation. Searches, adds,
deletes, and modifications of individual values happen faster than quicksilver through a
* LDAP Transaction Support
When configured to use LMDB, multiple LDAP operations can be committed together in a
single client-controlled transaction. If any of the operations fail, all of the other
operations that are part of that transaction are rolled back.
* New Replication Protocols
OpenLDAP can now replicate entries from legacy LDAP directory servers including Microsoft
Active Directory and Sun DSEE/Oracle DSEE. This makes retiring those systems simpler and
* Multi-Factor Authentication
OpenLDAP now supports TOTP, HOTP and other modern multi-factor authentication methods.
Many existing LDAP applications can use multi-factor authentication without modification.
New Database Backends
* Asynchronous Meta-directory
OpenLDAP's standard meta-directory backend ties together search results from multiple
remote LDAP servers, translates attribute names, and rewrites distinguished names but is
limited to working with a relatively small number of remote servers. A new version of the
meta-directory backend, async-meta, is able to efficiently handle connections to thousands
of remote LDAP servers without suffering performance degradation.
* Wiredtiger (Experimental)
OpenLDAP can now use the Wiredtiger database to store its data. The Wiredtiger database
software is available separately and its SDK must be available when OpenLDAP is compiled.
New OpenLDAP Server Capabilities
* Additional LDAP Replication Protocols
The replication consumer software has been enhanced to support multiple replication
protocols. In addition to supporting the native Syncrepl/Delta Syncrepl protocols, it can
also replicate entries from Microsoft Active Directory and DSEE/ODSEE.
* Support for New LDAP Controls and Extended Operations To improve compatibility with
applications designed for use with legacy LDAP servers, OpenLDAP 2.5 now supports many
additional LDAP controls. See below for a complete list of new controls.
* Dynamic Configuration Delete
OpenLDAP 2.5 now allows dynamic configuration objects to be deleted. That makes it
possible to delete overlays, databases, and other configuration-related items without
restarting the LDAP server daemon.
* Significant performance enhancements throughout the client and server code base
New Overlays and Modules
* autoca: An overlay to perform X.509 certificate authority functions via LDAP. Create
a new CA, create or fetch a certificate/key pair with an LDAP search operation, and
perform other CA functions with just an LDAP search operation.
* homedir: perform complete home directory life cycle management, from creation, to
archival, to deletion, completely automatically. Designed specifically for environments
that use LDAP authentication and networked home directories, this overlay monitors a
replication feed and performs actions based on changes to user and group entries.
* otp: Have the LDAP directory server handle all the processing for time- and
counter-based one-time passwords. Compatible with Google and other standards-based
* totp: A simpler password hashing module for time-based one-time passwords.
* argon2: a new password hashing module using the Argon2 hash mechanism
* adremap: remap attributes for PAM/NSS MS AD support
* authzid: implements RFC 3829 support
* datamorph: store enumerated values and fixed size integers
* ppm: adds additional password checking critera to the slapo-ppolicy overlay
* pw-radius: pass bind operations to the specified radius server(s)
* rbac: accelerates the responses to ANSI INCITS 359 RBAC policy queries originating
from Apache Fortress
* remoteauth: Forward bind operations to one or more remote LDAP servers. Can
optionally store the successfully-submitted password in the local database.
* usn: adds MS AD usnCreated and usnChanged operational attributes to entries
* variant: allows attributes/values to be shared between several entries
* vc: implements the verify credentials extended operation
Updates to Existing Backends
* back-monitor is always statically built into slapd
Updates to Existing Overlays
The following updates have been made to existing overlays:
* pcache: New control allows access to the cache DB, exop can remove data from the
cache DB. Monitoring information for pcache is now available if back-monitor is enabled.
* ppolicy: updated to comply with password policy draft 10
(draft-behera-ldap-password-policy-10) and to optionally return Netscape Password Expiring
and Password Expired controls
* dynlist: can now generate the (is)memberOf attribute dynamically and perform reverse
lookups to find all groups a user belongs to.
* unique: the unique overlay can now do db-wide locking to avoid potential race
* libldif provides an LDIF parsing API
Updates to Existing Libraries
* libldap_r has been merged with libldap
* libldap has TLS channel binding support
* libldap has TLS public key pinning support
* libldap has TLS SNI support
* libldap has GSSAPI channel binding support
New and Updated Clients and Tools
* slapmodify: a tool for offline updates to cn=config
New Supported LDAP Controls
The following controls are now supported in OpenLDAP 2.5:
Control Name OID Comments
AUTHZID_REQUEST 2.16.840.1.113730.4.16 Authorization Identity Request Control (RFC
AUTHZID_RESPONSE 2.16.840.1.113730.4.15 Authorization Identity Response Control (RFC
LAZY_COMMIT 1.2.840.113518.104.22.1689 MS AD Lazy Commit Control
ACCOUNT_USABILITY 22.214.171.124.126.96.36.199.188.8.131.52 Netscape account usability control
PASSWORD_EXPIRED 2.16.840.1.1137184.108.40.206 Netscape Password expiring warning
PASSWORD_EXPIRING 2.16.840.1.1137220.127.116.11 Netscape Password expired warning
TXN_SPEC 18.104.22.168.1.21.2 LDAP transaction specification control
New Supported Extended Operations
The following extended operations are now supported in OpenLDAP 2.5:
Exop Name OID Comments
TXN_START 22.214.171.124.1.21.1 Start LDAP transaction
TXN_END 126.96.36.199.1.21.3 End LDAP Transaction
TXN_ABORTED_NOTICE 188.8.131.52.1.21.4 Abort LDAP Transaction (notification)
VERIFY_CREDENTIALS 184.108.40.206.4.1.4203.666.6.5 Verify user credentials
OpenLDAP Software is developed by the OpenLDAP Project. The Project consists of a team of
volunteers who use the Internet to coordinate their activities. The Project is an
organized activity of the OpenLDAP Foundation.
OpenLDAP Software is derived from University of Michigan LDAP, release 3.3.
This software is available under the OpenLDAP Public License, a non-restrictive,
"free", open-source license. Download information is available at:
Binary distributions are available from a number of sources, including Symas and the Linux
Toolbox (LTB) Project
OpenLDAP Software is user supported:
In addition, commercial support is available from the vendors listed here:
The OpenLDAP Administrator's Guide, which includes quick-start instructions, is
In addition, there are also a number of discussion lists related to OpenLDAP Software. A
list of mailing lists is available
To report bugs, please use project's Issue Tracking System:
The OpenLDAP home page containing lots of interesting information and online documentation
is available at this URL:
This release has been ported to many UNIX (and UNIX-like) platforms including Darwin,
FreeBSD, Linux, NetBSD, OpenBSD and most commercial UNIX systems. The release has also
been ported (in part or in whole) to other platforms including Apple MacOS X, IBM zOS, and
Microsoft Windows NT/2000/etc.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2021 The OpenLDAP Foundation, Redwood City, California, USA. All Rights
Reserved. Permission to copy and distribute verbatim copies of this document is granted.