Bug 2068740

Summary: [RFE] Rebase on UnboundID LDAP SDK for Java 6.0.4
Product: [oVirt] ovirt-distribution Reporter: Sandro Bonazzola <sbonazzo>
Component: unboundid-ldapsdk Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED CURRENTRELEASE QA Contact: Pavol Brilla <pbrilla>
Severity: low
Priority: medium
Version: 4.5.0 CC: bugs, emesika, mperina
Target Milestone: ovirt-4.5.2 Keywords: FutureFeature, Rebase
Target Release: 4.5.2 Flags: mperina: ovirt-4.5+
pm-rhel: planning_ack?
pm-rhel: devel_ack?
gdeolive: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: unboundid-ldapsdk-6.0.4-1 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
UnboundID LDAP SDK has been rebased on upstream version 6.0.4. Please review https://github.com/pingidentity/ldapsdk/releases for changes since version 4.0.14.
Last Closed: 2022-08-30 08:47:42 UTC Type: Bug
oVirt Team: Integration
Bug Blocks: 2068741, 2092478    

Description Sandro Bonazzola 2022-03-26 11:52:54 UTC
Description of problem:
In CentOS Virt SIG we are shipping 4.0.14.
Upstream released 6.0.4, but the interesting part of the rebase comes from the 6.0.0 release notes: https://github.com/pingidentity/ldapsdk/releases/tag/6.0.0

> One of the biggest changes that we’ve made in this release is that we’ve deprecated support for the TLSv1 and TLSv1.1 protocol versions in accordance with RFC 8996. By default, the LDAP SDK will prefer using TLSv1.3, but it can fall back to using TLSv1.2 if the newer protocol is not supported by the client JVM or by the directory server. The older TLSv1 and TLSv1.1 protocol versions can still be enabled if necessary (either programmatically or by setting system properties), but given that they are no longer considered secure, and given that TLSv1.2 became an official standard over twelve years ago, the far better option would be to use a directory server release from sometime in the last decade.

There's also a licensing change that happened in the 5.0 release: https://github.com/pingidentity/ldapsdk/releases/tag/5.0.0

> UnboundID LDAP SDK for Java 5.0.0, now available under the Apache License

I don't see a reason to rush the change in, but it looks like a good idea to rebase on the latest release.

Comment 1 Sandro Bonazzola 2022-05-02 15:00:57 UTC
Builds available here:
- https://cbs.centos.org/koji/buildinfo?buildID=39177
- https://cbs.centos.org/koji/buildinfo?buildID=39178

Not pushed to testing repos yet; waiting for corresponding changes in ovirt-engine-extension-aaa-ldap, tracked in bug #2068741.

Comment 2 Pavol Brilla 2022-08-10 13:24:24 UTC
# yum deplist *unboundid-ldapsdk-6.0.4*; yum list unboundid-ldapsdk-6.0.4
Last metadata expiration check: 0:10:34 ago on Wed 10 Aug 2022 04:13:13 PM IDT.
package: unboundid-ldapsdk-6.0.4-1.el8ev.noarch
  dependency: java-headless
   provider: java-1.8.0-openjdk-headless-1:1.8.0.342.b07-2.el8_6.x86_64
  dependency: javapackages-filesystem
   provider: javapackages-filesystem-5.3.0-1.module+el8+2447+6f56d9a6.noarch
Last metadata expiration check: 0:10:35 ago on Wed 10 Aug 2022 04:13:13 PM IDT.
Installed Packages
unboundid-ldapsdk.noarch                                                                    6.0.4-1.el8ev

Comment 3 Sandro Bonazzola 2022-08-30 08:47:42 UTC
This bugzilla is included in oVirt 4.5.2 release, published on August 10th 2022.
Since the problem described in this bug report should be resolved in oVirt 4.5.2 release, it has been closed with a resolution of CURRENT RELEASE.
If the solution does not work for you, please open a new bug report.