Critical fixes

This release of PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

    The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

    Note:

    Since this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

    • Fixed in: 8.2.0.7
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-44591

Resolved issues

The following issues have been resolved with this release of the Directory Server.

Ticket ID Description

DS-42961

To help with replication backlog analysis the replication summary monitor will now include a replica-partial-backlog attribute that will show how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute will also show the change numbers used for the calculation.

DS-43959, DS-44924

Added new global configuration properties that can be used to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request, which can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that may be provided for an attribute.

DS-44591

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Note:

Since this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

DS-44892

Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (i.e., a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.

DS-45032

Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.

DS-45115

Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.

DS-45124

Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments. In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.

DS-45154

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server may have missed one or more update(s). This generally occurred only if the initialized server was restarted right after initialization completed.

DS-45190

Added support for the use of JDKs obtained through BellSoft.

DS-45449

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file may be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

DS-45654

Resolved an issue where SCIM POST requests that violated a unique attribute constraint got an internal error instead of the expected SCIM error response.