Enhancements

These are new features for this release of PingDirectory Server:

  • PingDirectory Server can now be configured to run in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. For PingDirectory Server to be FedRAMP compliant, it must be configured to support the FIPS 140-2 standard. This compliance will allow PingDirectory Server to be deployed for customers requiring FedRAMP compliance. Servers running in FIPS 140-2-compliant mode will not be compatible with servers running in the default non-FIPS-compatible mode. For more information, see Introduction to FIPS 140-2 compliance.
    Note: You cannot have FIPS-compliant and non-FIPS-compliant servers in the same topology, and you can’t replicate between them. However, you can use the Synchronization Server.

    Note: FIPS-compliant servers must store certificates in BCFKS key stores. The JKS and PKCS12 key store types used by non-FIPS servers cannot be used in FIPS-compliant mode.

    Note: Anything that relies on the non-FIPS-compliant Bouncy Castle Library (Argon2, bcrypt, scrypt) won’t be available in FIPS-compliant mode. To provide better support for the FIPS 140-2 standard, the Bouncy Castle library is now being shipped with the PingDirectory products. This does not impact upgrades for customers who already have a copy of the library.

  • PingDirectory Server administrators use passphrases to secure access to external servers, trust stores, the encryption settings database and encrypted data in the changelog. However, these passphrases were typically stored in plain text. This release provides support for a passphrase provider API so that administrators can obtain these passphrases from secure alternative locations. Currently supported alternatives include a HashiCorp Vault, an obscured value password provider, a file-based provider, an environment variable, or other third-party passphrase provider written using the Server SDK.
  • In the previous release, the ability to use single sign-on from the PingOne admin portal was implemented. Rounding out this functionality, the administrative console can now accept bearer tokens from other OpenID Connect (OIDC) applications or identity providers such as PingFederate.
  • The Administrative console is used to view and modify the configuration of an existing instance. Several features have been added to improve administering PingDirectory Server instances that are running in containers:
    - Server profiles can now be easily created and downloaded to the local machine.
    - Admins can also create and download the output from the collect-support-data tool used for troubleshooting issues. Additionally, the console can now display the associated command line options (such as dsconfig) needed to create the current object being viewed.
  • Many CIAM customer use cases require a one-to-many relationship that can be retrieved as JSON either through REST API or SCIM API. The new Join Virtual Attribute Provider generates a JSON formatted value that represents content from related entries.
  • The capability to filter JSON field values in constructed values has been added. Including a JSON object filter in parentheses after a JSON field name will indicate that for each attribute value, the named field value will only be extracted if the attribute value matches the provided filter. This allows, for example, when used in a Constructed Attribute Mapping's value-pattern property, for a given field value to only be mapped for values that match a given filter. For information about the syntax and use of this capability, see the config reference guide for Constructed Attribute Mappings.
  • Customers can now use the PingDirectory Server Splunk Application for monitoring the PingDirectory Server topology. This application is available here: https://splunkbase.splunk.com/app/5523/

Upgrade considerations

Upgrade considerations are no longer part of the release notes. That information is now in Upgrade overview and considerations.

Critical Fixes

This release of the PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Avoided a lockdown caused by changes appearing to be missing during replication enable, which was triggered by a missing timestamp indicating the enable time. The problem resulted in change numbers and error messages with dates around the year 1970.
    • DS-44037
    • Fixed in 8.3.0.0
    • Introduced in 8.2.0.0
  • Deprecated support for incremental backups. Incremental backups are still available but may be removed in a future release. There have been a number of issues around the use of incremental backups in the past, and there are better alternatives that make incremental backup unnecessary. LDIF exports are both more portable and more compressible than full backups and can therefore be taken more frequently than full backups while consuming less disk space. In addition, the extract-data-recovery-log-changes tool can be used in conjunction with either LDIF exports or full backups to extract and replay changes recorded in the data recovery log since the time the LDIF export or backup was created.
    • DS-44431
    • Fixed in 8.3.0.0
    • Introduced in 7.0.1.4
  • Fixed an issue where new replicas incorrectly went into lockdown mode after initialization.

    This issue would happen when trying to initialize a newly-added replica to a topology that had been created some time ago. This amount of time had to exceed the replication purge delay, which is 24 hours by default. Before this fix was introduced, you could get past this by running "leave-lockdown-mode" on the new replica, then re-running "dsreplication initialize" on it.

    • Fixed in: 8.2.0.0
    • Introduced in: 8.1.0.0
    • Support identifiers: DS-42790 SF#00695648
  • Fixed an issue in which adding or modifying a server group would result in a 404.
    • DS-41436
    • Fixed in 8.3.0.0
    • Introduced in 7.0.1.4
  • Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.

    • Fixed in: 8.1.0.0
    • Introduced in: 5.2.0.0
    • Support identifiers: DS-41301
  • Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely.

    • Fixed in: 8.1.0.0
    • Introduced in: 7.3.0.0
    • Support identifiers: DS-40955
  • Fixed a memory leak when performing SCIM queries on the PingDirectory Server.

    • Fixed in: 8.1.0.0
    • Introduced in: 7.2.0.0
    • Support identifiers: DS-41206 SF#00681395
  • Fixed an issue where mirrored subtree polling could produce config archive files that were identical or ignored the configured insignificant attributes list.

    • Fixed in: 8.1.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-41762 SF#00675207 SF#00683777
  • Fixed an issue that could cause the server to report an "Unable to decode a blacklist key" error while trying to open a local DB backend after an unclean shutdown.

    • Fixed in: 8.0.0.0
    • Introduced in: 7.2.0.0
    • Support identifiers: DS-40788
  • The following enhancements were made to the topology manager to make it easier to diagnose connection errors:

    - Added monitoring information for all the failed outbound connections (including how long each connection has been failing and the last error message seen when the failure occurred) from a server to one of its configured peers, and the number of failed outbound connections.

    - Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38334 SF#00655578
  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 SF#00655578
  • Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.

    * When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.

    * When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38897 DS-38908
  • The following enhancements were made to the topology manager to make it easier to diagnose the connection errors:

    - Added monitoring information for all the failed outbound connections (including how long each connection has been failing and the last error message seen when the failure occurred) from a server to one of its configured peers, and the number of failed outbound connections.

    - Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.

    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38334 SF#00655578
  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved.

    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.

    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 SF#00655578
  • Addressed an issue where an InvalidKeyException could occasionally be reported by import-ldif. The error message for this problem resembles, "An unexpected error occurred during merge processing for index 'dc_example_dc_com_sn.equality': InvalidKeyException: The provided passphrase is invalid."

    • Fixed in: 7.2.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-37313
  • Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.

    * When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.

    * When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    • Fixed in: 7.0.1.3
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38897 DS-38908
  • Addressed an issue in "dsreplication enable/initialize" that prevented servers from some previous versions (5.2.0.5 and earlier and 6.0.0.*) from initializing newer servers. Servers from these prior versions can now be used to enable replication with current versions of the server.

    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.5
    • Support identifiers: DS-35528 SF#624368
  • Fixed a very rare race condition with the Frequently Accessed Entry Cache which could lead to an index being marked as degraded and requiring a rebuild.

    The problem is unlikely to happen outside of testing environments since it requires modifying a single entry over 1000 times per second across multiple servers concurrently.

    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.6
    • Support identifiers: DS-35616 SF#00625189
  • Addressed an issue where an index key could incorrectly be reported as exceeding the index-entry-limit after one billion entries had been imported or added to the directory server. The directory server does not need to contain one billion entries at the same time to be affected by this issue since the entry ID will always increase for each added entry even if entries are deleted. Environments that have experienced this issue should export and reimport their data after applying this patch.

    • Fixed in: 7.0.0.0
    • Introduced in: 2.0.0.0
    • Support identifiers: DS-35790 SF#00625942
  • Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation.

    • Fixed in: 6.2.0.0
    • Introduced in: 5.2.0.3
    • Support identifiers: DS-17074
  • Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain.

    • Fixed in: 6.2.0.0
    • Introduced in: 2.1.4.0
    • Support identifiers: DS-17237 SF#3746
  • Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured.

    • Fixed in: 6.2.0.0
    • Introduced in: 5.0.0.0
    • Support identifiers: DS-12216
  • Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where

    1) Server B had not received changes directly from a client for a long time (beyond the purge delay),

    2) Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,

    3) Server A is shut down, and

    4) While Server A is shut down, Server B processes one or more changes directly from the client.

    • Fixed in: 6.2.0.0
    • Introduced in: 3.5.0.0
    • Support identifiers: DS-18035 SF#00614612
  • Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated).

    • Fixed in: 6.2.0.0
    • Introduced in: 6.0.1.0
    • Support identifiers: DS-18070
  • Fixed an issue where opening the backend database might fail with an IllegalStateException that references "exploded-index-background-deletes" when there are several backend exploded indexes.

    • Fixed in: 6.0.0.0
    • Introduced in: 4.6.0.0
    • Support identifiers: DS-15094
  • The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.

    • Fixed in: 5.1.0.0
    • Introduced in: 2.1.0.0
    • Support identifiers: DS-12579 SF#2655
  • Added a fail safe to the pending changes queue for the Changelog Backend that can detect and ignore recovered changes that do not need to be committed in order to prevent holding up other changes in the queue.

    • Fixed in: 5.0.0.0
    • Introduced in: 4.5.1.0
    • Support identifiers: DS-11720 SF#2453
  • Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

    SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

    It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.

    • Fixed in: 5.0.0.0
    • Introduced in: 2.1.0.0
    • Support identifiers: DS-11782
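The note above recommends using SECURITY-NEGOTIATION access log messages to find clients still negotiating SSLv3 before relying on the new default. The following is an added example (not PingDirectory's own code or log output) that does that over constructed sample log lines; the exact record layout, the cipher names and the CONNECT "from" element are assumptions, while the SECURITY-NEGOTIATION message type and its "protocol" element come from the note.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in the general shape of PingDirectory access
# log records (bracketed timestamp, message type, conn=N, then key="value" fields).
# The exact layout and the cipher names are assumptions for this example; only the
# SECURITY-NEGOTIATION message type and its "protocol" element come from the note.
SAMPLE_LOG = """\
[14/Oct/2014:09:12:01 -0500] CONNECT conn=12 from="10.0.0.5:51234" to="10.0.0.1:636" protocol="LDAPS"
[14/Oct/2014:09:12:01 -0500] SECURITY-NEGOTIATION conn=12 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[14/Oct/2014:09:12:03 -0500] CONNECT conn=13 from="10.0.0.9:40022" to="10.0.0.1:636" protocol="LDAPS"
[14/Oct/2014:09:12:03 -0500] SECURITY-NEGOTIATION conn=13 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
[14/Oct/2014:09:12:07 -0500] CONNECT conn=14 from="10.0.0.9:40031" to="10.0.0.1:389" protocol="LDAP"
[14/Oct/2014:09:12:07 -0500] EXTENDED conn=14 op=0 msgID=1 requestOID="1.3.6.1.4.1.1466.20037"
[14/Oct/2014:09:12:07 -0500] SECURITY-NEGOTIATION conn=14 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[14/Oct/2014:09:12:09 -0500] CONNECT conn=15 from="10.0.0.22:55001" to="10.0.0.1:636" protocol="LDAPS"
[14/Oct/2014:09:12:09 -0500] SECURITY-NEGOTIATION conn=15 protocol="TLSv1" cipher="TLS_RSA_WITH_AES_128_CBC_SHA"
"""

# "[timestamp] MESSAGE-TYPE rest-of-record"
_RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z][A-Z-]*)\s*(?P<rest>.*)$")
# key="quoted value" or key=bare-value
_FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one access log line into its timestamp, message type and fields."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(m.group("rest")):
        fields[key] = bare if bare else quoted
    return {"ts": m.group("ts"), "type": m.group("type"), "fields": fields}


def protocol_summary(lines):
    """Count negotiated security protocols across all SECURITY-NEGOTIATION records."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "SECURITY-NEGOTIATION":
            counts[rec["fields"].get("protocol", "unknown")] += 1
    return dict(counts)


def find_sslv3_clients(lines):
    """Return {client_host: [conn ids]} for every connection that negotiated SSLv3.

    SECURITY-NEGOTIATION records carry only the connection id, so they are joined
    to the earlier CONNECT record for the same conn to recover the client address.
    This covers both LDAPS connections and plaintext connections upgraded via StartTLS.
    """
    client_by_conn = {}
    flagged = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or "conn" not in rec["fields"]:
            continue
        conn = rec["fields"]["conn"]
        if rec["type"] == "CONNECT":
            # from="host:port" -> keep the host part only
            client_by_conn[conn] = rec["fields"].get("from", "unknown").rsplit(":", 1)[0]
        elif rec["type"] == "SECURITY-NEGOTIATION" and rec["fields"].get("protocol") == "SSLv3":
            flagged[client_by_conn.get(conn, "unknown")].append(int(conn))
    return dict(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("negotiated protocols:", protocol_summary(lines))
    for host, conns in sorted(find_sslv3_clients(lines).items()):
        print("SSLv3 client %s on connections %s: update before relying on the SSLv3 default" % (host, conns))
```

Running the script against a real access log (one record per line) lists the client hosts to update before, or shortly after, upgrading; an empty result means no SSLv3 negotiation was observed in that log.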
  • Fixed a problem that could interfere with access to an exploded attribute index after performing an online index rebuild for that attribute.

    • Fixed in: 4.6.0.0
    • Introduced in: 4.5.1.0
    • Support identifiers: DS-10470
  • Fix a bug in the low-level protocol buffer that could result in "uncaught exception" errors.

    • Fixed in: 4.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-9268 SF#2002
  • Improve server stability by disabling explicit garbage collections that were being caused by JMX connections.

    • Fixed in: 4.0.0.0
    • Introduced in: 3.5.0.0
    • Support identifiers: DS-7633
  • Fix a bug in the LDAP Changelog where the changelog index manager could capture new changes for an attribute in one index after already hitting the end of another index. This created the possibility for changes to be missed when processing get-changelog-batch-requests at the same time that live traffic is happening.

    • Fixed in: 3.6.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-7422
  • Fix a bug that allows users with expired passwords to change attributes in their own entry other than the password.

    • Fixed in: 3.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-6054
  • Address an issue where a directory server might resend duplicate changes when processing a GetChangelogBatch request in an environment that is under heavy load.

    • Fixed in: 3.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-5656
  • Update the PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl.

    • Fixed in: 3.5.0.0
    • Introduced in: 2.0.0.0
    • Support identifiers: DS-854
  • Fix a bug where PingDirectory Servers could potentially miss some update messages in large topologies after a restart.

    • Fixed in: 3.2.0.0
    • Introduced in: 3.1.0.0
    • Support identifiers: DS-3592

Known issues and limitations

  • The option to download collect-support-data or to generate a server profile using the admin console will not work when logged in with single sign-on.

Resolved issues

The following issues have been resolved with this release of the PingDirectory Server.

Ticket ID Description
DS-8

The Administrative Console now shows a dsconfig command to create the current object from scratch on the edit page.

DS-14833

Updated the logic that the server uses to escape distinguished names. Previously, it would always escape all non-ASCII characters. It will no longer escape printable non-ASCII characters (including letters, numbers, spaces, dashes, punctuation, and symbols). It will continue to escape ASCII control characters, non-printable non-ASCII characters, and non-ASCII characters in non-UTF-8 values.
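As an added illustration of the DS-14833 rule (not PingDirectory's own implementation), the following escapes a single DN attribute value in RFC 4514 string form under both the previous policy (every non-ASCII byte hex-escaped) and the new one. Which non-ASCII characters count as "printable" is assumed here to follow Python's str.isprintable().

```python
# Added example, not PingDirectory's own code: the DN value escaping rule from
# DS-14833 applied over the RFC 4514 string form of an attribute value.
# Assumption: "printable non-ASCII" is decided with Python's str.isprintable().

# Characters RFC 4514 requires escaping anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def _escape_ascii(ch: str, first: bool, last: bool) -> str:
    """Apply the RFC 4514 rules to one ASCII character of a value."""
    code = ord(ch)
    if code < 0x20 or code == 0x7F:      # ASCII control character: hex-escape
        return "\\%02X" % code
    if ch in _SPECIAL:
        return "\\" + ch
    if first and ch in " #":             # leading space or '#' must be escaped
        return "\\" + ch
    if last and ch == " ":               # trailing space must be escaped
        return "\\" + ch
    return ch


def _escape_all_non_ascii(raw: bytes) -> str:
    """Escape every non-ASCII byte as \\XX; ASCII bytes follow the normal rules."""
    out = []
    n = len(raw)
    for i, b in enumerate(raw):
        if b >= 0x80:
            out.append("\\%02X" % b)
        else:
            out.append(_escape_ascii(chr(b), i == 0, i == n - 1))
    return "".join(out)


def escape_dn_value_legacy(raw: bytes) -> str:
    """Previous behaviour described in the note: all non-ASCII characters escaped."""
    return _escape_all_non_ascii(raw)


def escape_dn_value(raw: bytes) -> str:
    """New behaviour: printable non-ASCII characters in valid UTF-8 values are
    kept as-is; ASCII control characters, non-printable non-ASCII characters and
    all non-ASCII bytes of non-UTF-8 values are still hex-escaped."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return _escape_all_non_ascii(raw)  # non-UTF-8 value
    out = []
    n = len(text)
    for i, ch in enumerate(text):
        if ord(ch) < 0x80:
            out.append(_escape_ascii(ch, i == 0, i == n - 1))
        elif ch.isprintable():
            out.append(ch)                   # printable non-ASCII stays readable
        else:
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
    return "".join(out)


def build_dn(attr: str, value: bytes, parent: str) -> str:
    """Assemble a one-RDN DN from an escaped value and a parent DN string."""
    return "%s=%s,%s" % (attr, escape_dn_value(value), parent)


if __name__ == "__main__":
    samples = [
        "Jürgen Müller".encode("utf-8"),   # printable non-ASCII: unchanged now
        b"Smith, John",                    # comma must still be escaped
        b" #leading and trailing ",        # leading space/'#', trailing space
        "e\u200bx".encode("utf-8"),        # zero-width space: non-printable
        b"caf\xe9",                        # Latin-1 byte, not valid UTF-8
    ]
    for raw in samples:
        print("%-28r legacy=%-30s new=%s" % (raw, escape_dn_value_legacy(raw), escape_dn_value(raw)))
```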

DS-15746

Added a passphrase provider mechanism, which can be used to obtain clear-text passphrases, API keys, or other types of secrets that are needed by server components like those that interact with external servers or certificate key stores. Available passphrase provider implementations include:

* A provider that stores an obscured representation of the passphrase directly in the server configuration.

* A provider that reads the passphrase from a file on the server filesystem. The file may optionally be encrypted with a key from the server's encryption settings database.

* A provider that can obtain the passphrase from an environment variable set in the server's process.

* A provider that can obtain the passphrase from a HashiCorp Vault instance.

Components of the server that have been updated to support using passphrase providers include:

* LDAP, JDBC, SCIM, and SMTP external servers.

* File-based key and trust manager providers.

* The PKCS #11 key manager provider.

* The changelog password encryption plugin.

* The Twilio alert handler and OTP delivery mechanism.

* The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler.

The Server SDK has been updated to provide support for creating custom passphrase provider implementations and to allow extensions to retrieve secrets from passphrase providers configured in the server.

DS-38427,DS-43896

Updated the dbtest tool to provide access to additional detail about data in local DB backends. This includes:

* Updated the dump-database-container subcommand so that when it is dumping the contents of the id2entry database, it provides additional information about the entry's encoding, including whether it is compressed, whether it is encrypted, and whether it has any uncached attributes.

* Updated the dump-database-container subcommand so that when it is dumping the contents of the id2entry database, you can optionally restrict the output to include only entries that match a specified filter.

* Updated the dump-database-container subcommand to provide more useful information when dumping the contents of the state database, including the index name and a human-readable representation of the trust state.

* Updated the dump-database-container subcommand to provide more useful information when dumping the contents of the recent changes database, including the target entry DN and entryUUID values, the change type, the change time, the replication CSN, information about the original client request, and an LDIF representation of the change.

* Added a new dump-attribute-tokens subcommand that can display information about the attribute description tokens that have been defined for the backend.

* Added a new dump-object-class-tokens subcommand that can display information about the object class set tokens that have been defined for the backend.

* Added a new dump-dn-tokens subcommand that can display information about the DN compaction tokens that have been defined for the backend.

* Added a new dump-metadata subcommand that can display information from the backend's metadata database.

DS-39157,DS-39158,DS-43848

The Server SDK ServerContext class has been updated to provide a new set of methods for writing messages to the server's trace log publishers using various log severity levels. These methods replace an existing API that only supported recording debug messages, which should not be enabled in production environments.

Administrators can configure the server's trace log publishers to enable or disable message types on a per-severity basis using a trace log publisher's extension-message-type property.

DS-41815

Fixed an issue with the copy/paste functionality in the Administrative Console.

DS-41857

Fixed an issue that prevented the server from including search result entry attributes whose types are subordinates of the requested attribute types.

DS-41911

To reduce the time it takes for "setup" to run, the results of the Java option testing that "setup" performs will now be cached in a directory. By default the directory is "logs/option-cache" relative to the server root, but an alternative directory can be specified via the setup option "--optionCacheDirectory". If a directory is specified, it must be created prior to running setup.

DS-41951, DS-41326

The Administrative Console can now download either a collect-support-data file or a server profile from the managed server. This can be done through the Status page. These operations require that a 'csd-files/' and a 'profile-files/' directory be present in the server root by default, but this can be customized through the ldap.csd-destination-folder and ldap.profile-destination-folder settings, which can be found in the Console's application.yml configuration file.

Downloading collect-support-data files is disabled by default when using the PingDataConsole Docker image. It is also strongly recommended to avoid downloading collect-support-data files from servers that are running in a container.

DS-41998

Added a remove-object-class-from-schema tool that can be used to safely remove an object class definition from the server schema. It will first ensure that the object class is not in use, and it will also clean up any metadata references to that object class that may exist if the class has been used in the past.

The remove object class processing can also be requested programmatically through an administrative task.

DS-42401,DS-43754

Updated the manage-profile replace-profile subcommand to detect changes to files referenced in setup-arguments.txt when those files are outside of the server profile.

DS-42937

The Administrative Console now allows users to specify the LDAP server they wish to bind to using the query parameters 'ldap-hostname' and 'ldaps-port' when the console is configured for SSO. This allows a single console instance to administer multiple PingData servers. Note that an LDAPS scheme is always assumed because an encrypted connection is always required for SSO.

DS-43024

Updated the purge expired data plugin to support deleting entries with multiple concurrent threads. Deletes will still be performed in a single thread by default, and this is the recommended configuration for most deployments, but the value of the num-delete-threads configuration property may be increased if expired entries accumulate faster than a single thread can delete them.

DS-43189

Fixed a performance issue in PingDirectory Server when the index entry limit is exceeded on an exploded index with an index entry limit of several million entries.

DS-43224

Made a generic OpenID Connect ID token validator available. This change allows single sign-on to the Administrative Console with OIDC providers other than just PingOne.

DS-43435

Fixed a bug that prevented offline changes to mirrored configuration with manage-profile replace-profile.

DS-43441

Fixed a "Reverse DNS resolution" warning during setup. This warning was a result of performing a reverse DNS lookup on link-local addresses, which is now avoided. This is mostly relevant to IPv6.

DS-43576

Added the ability to retry operation failures from replication if the failures are likely due to dependent writes being played out of order. This issue only affected environments that were sending writes to different servers, and also were not able to use the appropriate level of replication assurance. To enable this setting, update the on-replay-failure-wait-for-dependent-ops-timeout configuration property on a replication domain.

DS-43596

Added a new oid-lookup command-line tool that can be used to retrieve information about a given object identifier or to retrieve the object identifier for an item with a given name.

DS-43632

Fixed an issue where the "format" field is omitted from the list of operational attribute schemas in the Directory REST API.

DS-43666

Fixed an issue in which a server in lockdown mode could incorrectly allow an operation to be processed if a connection authenticated as a user with the lockdown-mode privilege issued a request with an alternate authorization identity that did not have the lockdown-mode privilege. The server now requires that both the authentication and authorization identities have the lockdown-mode privilege.

DS-43685

Added three new virtual attribute types that can generate JSON-formatted values with content from entries that are related to the entry that contains them, much like using the LDAP join request control. The new types of virtual attributes include:

* The DN join virtual attribute expects a specified attribute in an entry to contain the DNs of the entries to be joined. For example, if the manager attribute is used to hold the DN of an employee's manager, then the DN join virtual attribute can be used to provide a JSON-formatted representation of the manager's entry in the employee's entry.

* The reverse DN join virtual attribute expects a specified attribute in the entries to be joined to contain the DN of the entry in which the virtual attribute is to appear. For example, if the manager attribute is used to hold the DN of an employee's manager, then the reverse DN join virtual attribute can be used to provide JSON-formatted representations of the entries of a manager's direct reports in the manager's entry.

* The equality join virtual attribute expects related entries to have values in common for the same or different attributes. For example, if the data includes account entries that contain an accountNumber attribute, and if it also includes user entries with an accountNumber attribute that matches the account number of their associated account, then the equality join virtual attribute can be used to include a JSON-formatted representation of the account entry in the entries for the users associated with that account, or to include JSON-formatted representations of the entries for the associated users in an account entry.

DS-43700

Updated the ldap-result-code tool to provide support for additional output formats, including JSON, CSV, and tab-delimited text.

DS-43713

Added a new "must change password" account status notification type that can be used to take a configured action whenever a user successfully authenticates but will be required to choose a new password before being allowed to request any other operations.

DS-43719

Added the capability to filter JSON field values in constructed values. Including a JSON object filter in parentheses after a JSON field name will indicate that for each attribute value, the named field value will only be extracted if the attribute value matches the provided filter. This allows, for example, when used in a Constructed Attribute Mapping's value-pattern property, for a given field value to only be mapped for values that match a given filter. For information about the syntax and use of this capability, see the config reference guide for Constructed Attribute Mappings.

DS-43737

Updated the SCIM 2 servlet so that it provides an option to map the presented bearer token to a local user in the server. If the token can be mapped to a local user, then that account will be used as the authorization identity for the requested operation rather than the default authorization identity of "cn=SCIM2 Servlet,cn=Root DNs,cn=config". If this option is enabled and the mapping is successful, then all associated log messages, changelog records, and creatorsName and modifiersName attribute updates will use the DN of the mapped user rather than that of the SCIM2 Servlet user. Requested operations will be processed using the access rights granted to that user, as well as rights granted to any OAuth scopes included in the access token. The server's global access control rules have been updated so that an appropriate minimum set of rights should be granted for access tokens that include the "scim2" scope.

If the presented access token cannot be mapped to a local user, then you can indicate whether the request should be rejected or whether it should be processed as before using the default "cn=SCIM2 Servlet,cn=Root DNs,cn=config" authorization identity.

DS-43745

Fixed an issue in the server causing PingDirectory 8.2.0.0 to be incompatible with version 4.2.0 of the Delegated Admin app, which prevented upgrading to Delegated Admin version 4.4.0 without some downtime.

DS-43770

Fixed an issue that could prevent pre-operation add plugins created with the Server SDK from accessing some changes to the content of the add operation. For example, a Server SDK pre-operation add plugin could not access an attribute created by a composed attribute plugin that had been invoked before the Server SDK plugin.

DS-43787,DS-43788,DS-43795

Added the ability to implement custom SCIM Sub-Resource Type Handlers using the Server SDK. A SCIM Sub-Resource Type Handler defines a child type of a SCIM resource type that you can use to offer extended features not defined by the SCIM 2.0 standard.

DS-43809

Fixed an issue in which the server could report that certain types of searches were not indexed even though they were covered by an applicable composite index. Any searches that were actually processed correctly made use of the composite index, but the issue could have caused the server to reject some valid configuration changes that are only permitted if proper indexing is in place.

DS-43817

Fixed an issue where PingDirectory Server sometimes reports erroneous warnings about duplicate jar files.

DS-43836

Updated the PingDirectory Server's support for the get user resource limits control to make it possible to exclude information about the user's group membership from the response control. This can improve the performance of bind operations that use this control, especially in servers with a large number of dynamic groups.

Also, updated the Directory Proxy Server's use of the get user resource limits control when passing through bind requests to the PingDirectory Server. If it can verify that the PingDirectory Server supports this new feature, the PingDirectoryProxy Server will request that the server exclude group membership information from the get user resource limits response control.

DS-43838

Updated the server's support for the uniqueness request control so that if a conflict prevention details entry is requested, the server may be able to use a minimal version of the proposed target entry instead of a full copy. This can help improve performance when using this option.

DS-43884

Fixed issues with the import-ldif tool when invoked with the --addMissingRDNAttributes argument. It could fail to add missing RDN attribute values to an entry if the attribute type is required by any of that entry's object classes. It could also result in entries with multiple values for single-valued attribute types.

DS-43890

Fixed an issue with dsjavaproperties --initialize that prevented changing the JVM tuning parameter using the --jvmTuningParameter command line argument.

DS-43898

Addressed an issue where the backend would store an incorrect count for a database key that had exceeded the index entry limit. This would only happen for composite indexes when the server started up after not being shut down cleanly. Normal search processing was unaffected, but the matching entry count request control processing would return incorrect results.

DS-43916

Added cipher stream provider and passphrase provider implementations with support for the Amazon AWS Secrets Manager service. The Amazon Secrets Manager cipher stream provider can be used to protect the contents of the encryption settings with a key derived from a secret retrieved from the Secrets Manager service. The Amazon Secrets Manager passphrase provider can be used to obtain clear-text secrets needed for processing within the server from the Secrets Manager service.

DS-43926

Significantly improved the performance of delete and modify operations that require removing IDs from very large composite index ID sets.

DS-43935

Updated manage-profile replace-profile to run a shorter process when applying dsconfig changes that require administrative actions.

DS-43941

You can now specify that the Administrative Console use a custom truststore when evaluating OIDC provider certificates by using the oidc-trust-store-file and oidc-trust-store-type settings. Also, you can set the console to skip hostname and/or certificate verification through the oidc-strict-hostname-verification and oidc-trust-all configuration settings.

DS-43950

Fixed an issue where PingDirectoryProxy Server failed to install on JDKs that lack support for AES-256 encryption.

DS-43992

Increased the parallelism within import-ldif when flushing intermediate index files to disk to improve import throughput.

Reduced the number of intermediate index files that are written out during the first phase of import-ldif. This avoids running out of file descriptors when initializing the indexes especially in environments with lots of indexes or lots of entries.

DS-43999

Updated the server to allow the operation purpose control to be used for operations that are part of an LDAP transaction.

DS-44010

Updated the server to allow obtaining client secrets from a passphrase provider as an alternative to storing an obscured representation of the secret directly in the configuration. Updated components include:

* The OpenID Connect client secret needed for single sign-on to the admin console

* The OAuth client secret needed to connect to the PingOne service

* The client secret needed in conjunction with the PingFederate access token validator

DS-44025

Addressed an issue where the server was incorrectly displaying an "Unknown vendor" warning when using JDKs obtained on Red Hat and Ubuntu systems.

DS-44037

Avoided entering lockdown mode because of missing changes during replication enable, which was caused by a missing timestamp indicating the enable time. The problem resulted in change numbers and error messages with dates around the year 1970.

DS-44039

Updated the messages in the interactive modes of "dsreplication enable" and "dsreplication initialize" to help clarify the prompts. This includes a summary printed for interactive "dsreplication initialize" (and initialize-all) to highlight the servers and baseDNs that will be updated.

DS-44054,DS-44091,DS-44100,DS-44104,DS-44135,DS-44239

Added a FIPS 140-2-compliant mode to the server. This mode may be enabled by running setup with the --fips argument, or by including the --fips argument in the setup-arguments.txt file when using manage-profile setup.

Servers running in FIPS 140-2-compliant mode are not compatible with those running in non-compliant mode. FIPS 140-2-compliant mode cannot be enabled after setup (including when upgrading an existing instance, whether using update or manage-profile replace-profile). It can only be enabled when the instance is initially configured. Further, servers running in FIPS 140-2-compliant mode cannot replicate with or participate in the same topology as servers not running in FIPS-compliant mode. If you wish to migrate an existing deployment to use FIPS 140-2-compliant mode, you must create a new topology of servers running in FIPS-compliant mode and migrate the data into it.

In addition, servers running in FIPS 140-2-compliant mode will not be allowed to use the Argon2, bcrypt, or scrypt password storage schemes, as they rely on non-FIPS-approved algorithms. The PBKDF2 password storage scheme is approved and may be used in FIPS-compliant mode, but it requires passwords to have a minimum length of 14 bytes.

Setup has also been updated to make it possible to initialize the certificate key and trust stores with certificate data read from PEM files. These options are available in both FIPS 140-2-compliant and non-FIPS-compliant modes, and can help make it easier to set up the server with existing certificates that are not available in a key or trust store that setup supports.

DS-44057

Improved the behavior that the server exhibits for attempts to configure it with an invalid set of TLS cipher suites.

Previously, if a connection handler was configured with an explicit set of TLS cipher suites, and if none of those cipher suites was supported by the underlying JVM, the server would log a message for each unsupported suite and would fall back to using a default set of suites. This could lead to cases in which the server ran with a different set of cipher suites than expected, and the warning log messages might be overlooked.

The server will now reject an attempted configuration change that would leave it without any valid cipher suites. For the sake of preserving backward compatibility, and helping to avoid issues around upgrading the server or JVM version, it will still allow attempts to configure the set of cipher suites using one or more invalid suite names as long as the server would still be able to offer at least one valid suite, and it will still log a warning message about each invalid cipher suite referenced in the configuration.

DS-44061

Fixed a NullPointerException that could occur when using manage-profile replace-profile with a server profile that configured a StatsD monitoring endpoint.

DS-44106

Updated the StatsD Monitoring Endpoint to support sending custom tags with each metric message. Custom tags will be appended at the end of each StatsD message as comma-separated key-value pairs.

DS-44187

Included the Bouncy Castle library with the server, which is needed to support certain cryptographic functionality, like the Argon2, bcrypt, and scrypt password storage schemes. It was previously not included with the server over concerns around compliance with U.S. export control regulations on strong encryption, but those concerns have been alleviated. You no longer need to obtain the library yourself if you wish to use any of the functionality that requires it, and the Argon2, bcrypt, and scrypt password storage schemes are now enabled by default in the out-of-the-box configuration.

DS-44192

Updated the default set of TLS protocols and cipher suites that the server will support. As TLSv1 and TLSv1.1 are no longer considered secure (see RFC 8996 for additional information), the server will only support TLSv1.2 and TLSv1.3 (if supported by the JVM) by default. The server will also no longer enable support for TLS cipher suites that use the SHA-1 digest algorithm (which is also no longer considered secure and is not needed for TLSv1.2 or TLSv1.3) or that use the RSA key exchange algorithm (which does not support forward secrecy).

If you need to enable support for legacy TLS protocols or cipher suites, you may do so through the server configuration. This can be enabled on a per-connection-handler basis using the ssl-protocol and ssl-cipher-suite configuration properties. Alternatively, you may use the ssl-protocol and ssl-cipher-suite properties in the crypto manager configuration to set default values that will be used by connection handlers that do not explicitly specify values for those properties.
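The following is an added example, not PingDirectory code, that models the two cipher-suite behaviors described under DS-44057 and DS-44192: building the default suite list by excluding SHA-1 and static-RSA-key-exchange suites, and validating an explicitly configured list against what the JVM supports (warn per invalid name, reject only when nothing valid remains). The suite names are standard JSSE names; the "supported" lists are constructed stand-ins for what a real JVM would report, and the name-based classification of suites is this example's own assumption.

```python
"""Cipher suite policy checks modelled on DS-44192 (defaults) and DS-44057
(validation). Added example, not PingDirectory code."""

# Constructed stand-in for the suites a JVM reports as supported.
JVM_SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # SHA-1 MAC
    "TLS_RSA_WITH_AES_256_GCM_SHA384",         # static RSA key exchange
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # both problems
]

# Constructed stand-in for the protocols a JVM reports as supported.
JVM_SUPPORTED_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def uses_sha1(suite: str) -> bool:
    """JSSE names end in the hash; a bare '_SHA' suffix means SHA-1
    (assumption: classification by name only)."""
    return suite.endswith("_SHA")


def uses_rsa_key_exchange(suite: str) -> bool:
    """Static RSA key exchange is spelled TLS_RSA_WITH_... (or SSL_RSA_WITH_...).
    ECDHE_RSA suites use RSA only for authentication and keep forward secrecy."""
    return suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_"))


def default_protocols(supported):
    """Only TLSv1.2 and TLSv1.3 (where the JVM offers them) are enabled by default."""
    return [p for p in supported if p in MODERN_PROTOCOLS]


def default_cipher_suites(supported):
    """Drop SHA-1 suites and suites without forward secrecy from the defaults."""
    return [s for s in supported
            if not uses_sha1(s) and not uses_rsa_key_exchange(s)]


def validate_configured_suites(configured, supported):
    """Return (usable, warnings) for an explicit ssl-cipher-suite list.

    Unknown names produce a warning each but are tolerated, so that an
    upgrade of the server or JVM does not break an existing configuration;
    a list that leaves no usable suite is rejected outright.
    """
    supported_set = set(supported)
    usable = [s for s in configured if s in supported_set]
    warnings = [f"cipher suite '{s}' is not supported by the JVM and will be ignored"
                for s in configured if s not in supported_set]
    if not usable:
        raise ValueError("configuration would leave no valid TLS cipher suites; rejected")
    return usable, warnings


if __name__ == "__main__":
    print("default protocols:", default_protocols(JVM_SUPPORTED_PROTOCOLS))
    print("default suites:", default_cipher_suites(JVM_SUPPORTED_SUITES))
    usable, warnings = validate_configured_suites(
        ["TLS_AES_128_GCM_SHA256", "TLS_NOT_A_REAL_SUITE"], JVM_SUPPORTED_SUITES)
    print("usable:", usable)
    for w in warnings:
        print("WARNING:", w)
```

Feeding the server's actual ssl-cipher-suite value and the JVM's reported suite list through validate_configured_suites before applying a change is a cheap way to catch a typo in a suite name during change review rather than discovering it in the error log.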

DS-44204

Fixed an issue in which the PingDirectoryProxy Server could incorrectly allow requests to be processed with an alternate authorization identity (for example, using the proxied authorization control, or if the requests pass through a Directory Proxy Server) whose account is in a "must change password" state. The server will now only permit the operation if it attempts to set a new password for the target user.
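The following is an added example, not PingDirectory code, that models the two authorization-identity checks described under DS-43666 and DS-44204: in lockdown mode both the authenticated and the authorized identity must hold the lockdown-mode privilege (the pre-fix check, which looked only at the authenticated identity, is shown beside it), and a request whose authorization identity is in a "must change password" state is permitted only if it sets a new password for that same user. The Account and Request types, the attribute names and the DN normalization are this example's own assumptions.

```python
"""Authorization identity checks modelled on DS-43666 (lockdown mode) and
DS-44204 (must-change-password state). Added example, not PingDirectory code."""
from dataclasses import dataclass

LOCKDOWN_PRIVILEGE = "lockdown-mode"


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class Account:
    """Constructed model of a user entry's security-relevant state."""
    dn: str
    privileges: frozenset = frozenset()
    must_change_password: bool = False


@dataclass(frozen=True)
class Request:
    """Constructed model of an LDAP request."""
    op_type: str                       # "add", "modify", "search", ...
    target_dn: str
    modified_attrs: frozenset = frozenset()


def lockdown_allows_before_fix(authn: Account, authz: Account) -> bool:
    """Pre-fix behaviour: only the authenticated identity was consulted, so a
    proxied authorization identity without the privilege slipped through."""
    return LOCKDOWN_PRIVILEGE in authn.privileges


def lockdown_allows(authn: Account, authz: Account) -> bool:
    """Fixed behaviour: both identities must hold the lockdown-mode privilege."""
    return (LOCKDOWN_PRIVILEGE in authn.privileges
            and LOCKDOWN_PRIVILEGE in authz.privileges)


def is_password_change_for(req: Request, user: Account) -> bool:
    """True if the request is a modify of the user's own entry that sets a
    password (assumption: the password attribute is userPassword)."""
    return (req.op_type == "modify"
            and normalize_dn(req.target_dn) == normalize_dn(user.dn)
            and "userpassword" in {a.lower() for a in req.modified_attrs})


def must_change_password_allows(req: Request, authz: Account) -> bool:
    """A must-change-password authorization identity may only change its password."""
    if not authz.must_change_password:
        return True
    return is_password_change_for(req, authz)


def authorize(req: Request, authn: Account, authz: Account = None,
              lockdown: bool = False) -> bool:
    """Combined decision; authz defaults to authn when no alternate identity
    (for example via the proxied authorization control) is supplied."""
    authz = authz if authz is not None else authn
    if lockdown and not lockdown_allows(authn, authz):
        return False
    return must_change_password_allows(req, authz)
```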

DS-44247

Added a rewrite-search-filters configuration property to the isMemberOf virtual attribute. This allows isMemberOf searches targeting dynamic groups to be processed more efficiently because the filter of the dynamic group can be substituted into the original search filter. This yields an extensive speedup of paged searches across a large dynamic group. The default setting, 'within-group-scope', will only rewrite the search filter if the scope of the search is fully contained within the scope of the group. This avoids slowing down isMemberOf searches with dynamic groups whose filter matches many users but whose base DN does not cover the search.
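The following is an added example, not PingDirectory code, showing the rewrite that the default 'within-group-scope' setting performs: a dynamic group's memberURL is parsed into base DN, scope and filter, the search is checked to be fully inside the group's scope, and only then is each (isMemberOf=<group DN>) component of the search filter replaced by the group's filter. The memberURL parsing, the DN normalization and the sample group and search are this example's own constructed assumptions; it handles only the standard base/one/sub scopes.

```python
"""isMemberOf search-filter rewrite for dynamic groups, modelled on the
'within-group-scope' behaviour described above. Added example, not
PingDirectory code."""
import re
from urllib.parse import unquote

IS_MEMBER_OF = re.compile(r"\(isMemberOf=([^)]+)\)", re.IGNORECASE)


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def parse_member_url(url: str):
    """Minimal RFC 4516 parse of a memberURL: ldap:///<base>?<attrs>?<scope>?<filter>.
    Returns (normalized base DN, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled in this example")
    fields = url[len("ldap:///"):].split("?")
    fields += [""] * (4 - len(fields))
    base = normalize_dn(unquote(fields[0]))
    scope = fields[2].lower() or "base"
    filt = unquote(fields[3]) or "(objectClass=*)"
    return base, scope, filt


def dn_within_scope(dn: str, base: str, scope: str) -> bool:
    """Is the entry at dn among the entries that (base, scope) can return?"""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent_dn(dn) == base
    return dn == base or dn.endswith("," + base)          # "sub"


def search_within_group_scope(search_base, search_scope, group_base, group_scope):
    """Every entry the search could return must lie inside the group's scope."""
    sb, gb = normalize_dn(search_base), normalize_dn(group_base)
    if group_scope == "sub":
        return dn_within_scope(sb, gb, "sub")
    if group_scope == "one":
        return ((search_scope == "one" and sb == gb)
                or (search_scope == "base" and parent_dn(sb) == gb))
    return search_scope == "base" and sb == gb            # group scope "base"


def rewrite_search_filter(search_base, search_scope, search_filter,
                          group_dn, member_url):
    """Substitute the group's filter for (isMemberOf=<group_dn>) components,
    but only when the search is fully contained in the group's scope."""
    group_base, group_scope, group_filter = parse_member_url(member_url)
    if not search_within_group_scope(search_base, search_scope,
                                     group_base, group_scope):
        return search_filter

    def substitute(match):
        if normalize_dn(match.group(1)) == normalize_dn(group_dn):
            return group_filter
        return match.group(0)                   # a different group: leave it

    return IS_MEMBER_OF.sub(substitute, search_filter)


# Constructed sample group and search used by the usage below.
GROUP_DN = "cn=Engineering,ou=groups,dc=example,dc=com"
MEMBER_URL = "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)"
SEARCH_FILTER = "(&(isMemberOf=cn=Engineering,ou=groups,dc=example,dc=com)(sn=Smith))"

if __name__ == "__main__":
    print(rewrite_search_filter("ou=people,dc=example,dc=com", "sub",
                                SEARCH_FILTER, GROUP_DN, MEMBER_URL))
    print(rewrite_search_filter("dc=example,dc=com", "sub",
                                SEARCH_FILTER, GROUP_DN, MEMBER_URL))
```

The second call in the usage leaves the filter untouched: the search base dc=example,dc=com is wider than the group's base ou=people,dc=example,dc=com, so substituting (departmentNumber=42) would match entries outside the group and return wrong results. That containment check is what keeps the rewrite safe rather than merely fast.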

DS-44259

Fixed an issue that could prevent password policy state changes made through the ds-pwp-modifiable-state-json operational attribute from being properly replicated.

DS-44292

Updated the server's support for the ds-pwp-modifiable-state-json operational attribute to make it possible to modify this attribute in conjunction with other attributes in the same modification, and also to include modify operations targeting this attribute in LDAP transactions or atomic multi-update operations.

DS-44293

Fixed an issue that could prevent operations included in a multi-update extended operation from being logged. Also, improved the log message for the multi-update extended result to provide more useful information about the operation that failed.

DS-44297

Added global ACIs that allow clients to use the LDAP assertion and permissive modify request controls by default.

DS-44316

Reduced the JVM memory requirements for many command line tools. This avoids memory pressure when multiple tools, such as a scheduled collect-support-data task, are run concurrently with the server process. For most tools, the initial heap size has been reduced to 128 MB, and for certain tools the maximum heap size has been capped at 512 MB. On systems with larger amounts of memory, these tools previously were allotted unnecessarily large heaps. The maximum heap size has not been reduced for any tool that especially benefits from having more memory.

DS-44390

Fixed an issue where logs from setting up a new server could be lost when running the manage-profile replace-profile subcommand.

DS-44410

When deployed to a web application server such as Apache Tomcat, the Administrative Console will now write log messages to the application server's console output by default.

DS-44420

Updated the PKCS #11 key manager provider to make it possible to dynamically load the PKCS #11 provider with a specific configuration, rather than requiring the administrator to update configuration files that are part of the JVM installation. The manage-certificates tool has also been updated to support interacting with PKCS #11 key stores, and many LDAP command-line tools also provide improved support for using PKCS #11 key stores for access to client certificates.

DS-44436

Addressed an issue in which attempting to add a member that already existed in a non-default server group would cause an error. Adds of duplicate members are now ignored and no errors are thrown.

DS-44531

Updated the manage-profile replace-profile command to avoid printing warnings for offline config changes from the new server profile.