Release Notes

Improved DS-48826 PingDirectory

Increased throughput for replicated operations.

Improved DS-48058 PingDirectory

To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.

Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.

Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync

Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.

Fixed DS-48669 PingDataSync

Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Fixed DS-48969 PingDirectory

Fixed an issue that could cause an inconsistency in the metadata for a composite index record. This inconsistency could cause:

In addition, the server now has added resiliency against these kinds of issues, with a better ability to identify the correct result set and notify administrators of the issue.

Fixed DS-48796 PingDirectory

Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.

Fixed DS-48678, DS-48720 PingDirectory

Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed DS-48026 PingDirectory

Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

Improved DS-47831 PingDirectory

A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed DS-48585 PingDirectory

Fixed an issue where replace operations that target attributes with subordinate types would cause the subordinate attribute values to be duplicated.

Fixed DS-48599 PingDirectory

We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.

With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.

New

Security DS-47632 PingDirectory, DelegatedAdmin

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039 (requires sign-on).

New DS-47965 PingDirectory

Added a new amazon-s3-client command-line tool that can be used to interact with the Amazon AWS Simple Storage Service (S3) service. This tool enables you to list, create, and delete buckets, as well as list, upload, download, and delete files in a specified bucket. This may be useful in deployments where the server is configured to automatically copy rotated log files or exported LDIF files to the S3 service.

New DS-47899 PingDirectory

Added support for access log field request control in Directory REST API requests.

New DS-47596 PingDirectory, PingDirectoryProxy

Added an /authenticate endpoint to the Directory REST API that enables users to generate an access token by providing combinations of valid credentials, depending on the authentication type specified in the HTTP request body. The supported authentication types are:

For more information on the /authenticate endpoint, see Managing the Directory REST API.

New DS-47641, DS-47642, DS-47644, DS-47645, DS-47646, DS-47643, DS-47648 PingDirectory

Added five new Directory REST API endpoints to support the new /authenticate endpoint. These endpoints enable users to interact with supporting services that facilitate the creation, delivery, and revocation of one-time passwords (OTP) and time-based one-time passwords (TOTP), which are required to perform authentication operations with the API. These endpoints include:

For more information on these endpoints, see Managing the Directory REST API.

New DS-48119 PingDirectory

Updated the bcrypt password storage scheme to include support for the 2b variant in addition to the existing 2y, 2a, and 2x variants.

New DS-47420 PingDirectory

Added support for post-LDIF-export task processors to use in performing custom processing whenever an LDIF export task (including those invoked as part of a recurring task) successfully completes the export.

These processors include an Upload to S3 processor, which can be used to upload the resulting LDIF file to a specified Amazon S3 bucket. You can also use the Server SDK to create custom post-LDIF-export task processors. For more information, see Performing post-LDIF-export task processing.

New DS-46026 PingDirectory

Added support for inverted static groups, which operate like traditional static groups in that membership is explicitly specified rather than dynamically determined, but where membership information is stored in user entries rather than in the group entry. For groups with a large number of members, inverted static groups may exhibit substantially better performance than traditional static groups.

Although it is not enabled by default, the server also provides a new plugin that makes it possible for clients to interact with inverted static groups in much the same way as they interact with traditional static groups. The plugin will intercept attempts to add or remove member DNs in the group entry itself and will instead cause the corresponding changes to be applied in the member entries. It also provides limited support for interacting with group members in the group entry for search and compare operations as if the member DNs actually existed in the group entries. For more information, see Using inverted static groups.

New DS-48018 PingDirectory, PingDirectoryProxy

Added a split-ldif tool that can be used to split an LDIF file into multiple segments, with each having a subset of the entries below a specified base DN, and entries at or above that base DN will be included in all sets. This is primarily intended for splitting a large data set for use in entry balancing, and it offers several algorithms for dividing the entries between segments.

New DS-48055 PingDirectory

Added a new HTTP Connection configuration property to enable SNI hostname checks, which are now disabled by default.

New DS-47888 PingDirectory

Added the include-all-remote-servers-state-in-monitor-message configuration property to control whether replication monitor messages include information about remote servers. By default, the property is set to true so that information about remote servers is sent. Setting the property to false may be helpful in large topologies because the size of monitor messages scales with the number of servers.

New DS-47627

Added a new log file rotation listener that can be used to upload newly rotated log files to a specified Amazon S3 bucket. The listener can remove previously updated log files based on the specified number or age of files to retain.

New DS-47756 PingDirectory

Added the ability to share a single database cache across all local DB backends. This is an alternative to the default behavior in which each local DB backend maintains its own independent database cache, and it can simplify cache sizing in deployments with multiple local DB backends. This behavior is controlled by two new global configuration properties:

If a shared database cache is enabled, the server will expose a Shared Local DB Backend Database Cache monitor entry with information about that shared cache, including how much of the cache is consumed by each of the backends.

New DS-35739 PingDirectory

Added the re-encode-passwords-on-scheme-config-change property to the password policy configuration to indicate if the server should automatically re-encode passwords that are encoded with settings that don’t match the scheme’s current configuration. If a user authenticates with a mechanism that provides their password unencoded, and if the password stored in their entry is encoded with settings that don’t match the current configuration for the associated password storage scheme, then the server now automatically re-encodes their password with the default password storage scheme(s) using the current settings. The following password storage schemes support this functionality: AES256, ARGON2, ARGON2D, ARGON2I, ARGON2ID, BCRYPT, PBKDF2, SCRYPT, SSHA, SSHA256, SSHA384, and SSHA512.

You can also implement this capability for custom password storage schemes developed with the Server SDK.

The ds-pwp-state-json virtual attribute provider has also been updated with a new has-password-encoded-with-non-current-settings field whose value indicates if the user’s password is encoded with settings that don’t match the current configuration, and a new non-current-password-storage-scheme-settings-explanations field that can provide additional details on how the password encoding differs from the current configuration.

New DS-47612 PingDirectory

Added a --re-encrypt argument to the encrypt-file tool to read the contents of an existing encrypted file and re-encrypt it with a different encryption settings definition or user-supplied passphrase. If the file is currently encrypted with a user-supplied passphrase, then the --prompt-for-current-passphrase or --current-passphrase-file argument should be used to supply the current encryption passphrase. If the file is currently encrypted with an encryption settings definition, then that definition will automatically be obtained from the encryption settings database.

Added a --find-encrypted-files argument to the encrypt-file tool to identify encrypted files in a specified location on the filesystem. By default, the tool will search for files that are encrypted with any encryption settings definition or a user-supplied passphrase, but it can be used in conjunction with the --encryption-settings-id argument to only identify files that are encrypted with the specified definition.

These new arguments can be useful when migrating away from a former encryption settings definition, particularly if the former definition will eventually be removed from the encryption settings database. If a definition is removed from the encryption settings database, any files encrypted with that definition will no longer be accessible.

New DS-45452, DS-47383 PingDirectory

Added a replication-missing-changes-policy configuration property for both replication servers and replication domains to control how replication handles missing changes. This property can be used to avoid missing changes lockdown in cases where such lockdown is not beneficial to the server.

When the missing changes policy is modified, connections are restarted so that the missing changes state can be reevaluated. Lockdown mode is not cleared, but may be cleared by running the leave-lockdown-mode tool.

New DS-47557 PingDirectory, PingDirectoryProxy

Added support for an access log field request control to specify field names and values that should be included in the access log message for the associated operation.

New DS-47570 PingDirectory, PingDirectoryProxy

Added support for a generate access token request control that can be included in a bind request to indicate that the server should generate and return an access token in the bind response. That access token may be used in conjunction with the OAUTHBEARER SASL mechanism to authorize subsequent connections by that client. This can be useful in cases where the initial authentication should be performed in a manner that involves single-use credentials like a time-based one time password, a delivered one-time password, or a one-time password generated by a YubiKey device, but the client wishes to establish multiple connections in which the initial credentials cannot be replayed.

Info DS-48071 PingDirectory

Upgraded Jetty version to 10.0.17.

Info DS-47558 PingDirectory

Removed support for Java 8 in the PingDirectory server. For more information, see System requirements. For information on upgrading from a PingDirectory instance installed with Java 8, see PingDirectory, PingDirectoryProxy, and PingDataSync.

Info DS-47916 PingDirectory

Removed support for the deprecated remove-defunct-server and cleanup-local-server dsreplication subcommands. To remove a defunct server from the topology, use the remove-defunct-server command-line tool. To clean up topology references on a server, run remove-defunct-server --performLocalCleanup.

Info DS-46012 PingDataMetrics

PingDataMetrics was previously deprecated and has been removed from this release. For more information about support for versions of PingDirectory containing PingDataMetrics, see Ping Identity’s End-of-Life Policy (sign on required).

To monitor and provide statistics for your PingDirectory suite of products, see Monitoring PingDirectory metrics with Splunk and Monitoring server metrics with Prometheus.

Improved DS-47454 PingDirectory

Updated the server to allow configuration of connect and response timeouts when communicating with external HTTP services, such as CyberArk Conjur and HashiCorp Vault instances, the Pwned Passwords service, and YubiKey OTP validation servers.

Improved DS-45148 PingDirectory

To improve server performance and prevent invalid block type errors, java.util.zip will now be used instead of com.jcraft.jzlib for zip compression.

Improved DS-47695 PingDirectory

The replication generation ID, a value used by replication to determine if replicas are compatible and can be replicated, will now be calculated in a way that is independent of the disk order in which the entries are stored. This is helpful when entries are imported into new servers instead of being initialized.

Improved DS-48092 PingDirectory

To increase password security when using the Directory REST API, we improved the sanitization of password-related data in API responses.

Improved DS-47799 PingDirectory

Improved server upgrade times by streamlining the post-upgrade stability checks.

Improved DS-44417 PingDirectory

To help avoid excessive memory pressure on a server running multiple processes, we reduced the JVM memory requirements for the export-ldif and backup command-line tools.

Improved DS-48121 PingDirectory

To help you manage your backup and restore times, the backup tool now displays a warning when you run it with the --compress flag on an encrypted backend.

Improved DS-47820 PingDirectory

dsreplication commands that produce an error are now archived to avoid being overwritten. In addition, the dsreplication command now logs subcommands in separate files.

Improved DS-45157 PingDirectory

Significantly improved the performance times of backup, restore, and online replica initialization processes.

Improved DS-47402, DS-47410, DS-47412, DS-47413 PingDirectory

Improved performance when making updates to static groups.

Improved DS-46635 PingDataSync

For Active Directory Sync sources, when setting the startpoint to end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this update, setting the startpoint should be faster, particularly for slow networks.

Fixed DS-48046 PingDirectory

Fixed an issue where an AggregatePTAhandler’s subhandlers sometimes did not properly initialize on startup and threw a NullPointerException.

Fixed DS-48157 PingDirectory

Fixed an issue where the server did not properly log the alternative authorization DN for multi-update extended operations that used proxied authorization.

Fixed DS-45206

Fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to common.java-args in the java.properties file.

Fixed DS-48084 PingDirectory

Fixed an issue where a cn=config does not exist error message would appear in the error logs after navigating to the status page of the administrative console.

Fixed DS-47381

Fixed an issue where running manage-profile generate-profile on an instance that had been upgraded from an earlier version would result in a profile that contained commands that were part of the upgrade, and could not be used to set up new installations.

Fixed DS-47875 PingDirectory

Fixed an issue where the Dictionary password validator would sometimes incorrectly handle dictionary words contained as password substrings.

Fixed DS-48205 PingDirectory

Fixed an issue where the Changelog Password Encryption plugin would not work properly in a replicated environment if a password was changed with a Password Modify extended operation.

Fixed DS-47821 PingDirectory

Fixed an issue where an ldapsearch for rootDSE did not exclude the baseDNs that were specified in a client connection policy.

Fixed DS-47878 PingDirectory

Fixed an issue where help text incorrectly suggested using the --force flag if unable to connect to the server properly when running dsreplication initialize.

Fixed DS-47798, DS-47898, DS=47924 PingDirectory

Fixed an issue that could prevent the server from properly updating a user’s password history for a password change if the request included the password update behavior request control, indicating that password history violations should be ignored. This control is designed to prevent the server from rejecting an attempt to change a user’s password if the new password is already in the history, but it incorrectly caused the server to skip all password history processing for the update.

Fixed an issue that could cause the server to add two copies of the current password into the password history when setting a new password with the password modify extended operation. This did not affect password changes with a regular LDAP modify operation.

Fixed an issue where the server could incorrectly allow a user to set an empty password in cases where none of the configured password validators would have rejected an empty password.

Fixed DS-43034, DS-47832 PingDirectory

Fixed a regression that was introduced in the 9.3.0.0 release to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. This issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.

This fix enables the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. When the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address this issue.

Fixed DS-47975 PingDirectory

Fixed an issue that could prevent replace modifications for attribute types with subordinate types from being properly applied.

Fixed DS-47790 PingDirectory

Fixed an issue where the Configuration API treated SCIM patch operations with empty arrays as invalid. Now, the API resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.

Fixed DS-47585 PingDirectory

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. The server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys, the allowed time limit could be exceeded in that portion of the processing.

Fixed DS-47784 PingDirectory

Fixed an issue where encryption settings were not initialized before initializing password policy components when running remove-defunct-server against servers configured with an AES256 password storage scheme.

Fixed DS-47614 PingDirectory

Fixed an issue that caused the server to incorrectly include client certificate messages in the expensive operations log.

Fixed DS-46312

Fixed an issue where the absence of the request-handler-per-connection configuration property for LDAP Connection Handler objects resulted in a single request handler being unable to acknowledge incoming client requests for long-running TLS negotiations.

Fixed DS-47655

Fixed the check-replication-domains tool so that the --serverRoot argument is no longer required, and it defaults to the server’s root directory.

Fixed DS-47289 PingDirectory

Fixed a possible NullPointerException replication error that occurred when missing changes were found for a replica, but that replica did not exist on all servers.

Fixed DS-47035 PingDirectory

Fixed an issue that could prevent an unsuccessful bind attempt from being properly counted toward account lockout for a user. If the user’s account had been temporarily locked as a result of too many failed authentication attempts, and if the first bind attempt after that temporary lockout period had elapsed was also unsuccessful, then the act of clearing the elapsed temporary lockout prevented the new failure from being properly recorded.

Fixed DS-47455

Fixed a NullPointerException error where an alert or alarm was raised and one or more of the alert handlers was not configured. This most commonly happened when the server was being stopped.

Fixed DS-47918 PingDataSync

We fixed an issue where, when using the create-sync-pipe-config command, the correlated attributes for Generic JDBC sync pipe destinations were a single string value. The attributes are now correctly split by commas.

Fixed DS-48151 PingDataSync

Fixed an issue where syncing to an Active Directory sync destination could result in the destination rejecting operations if a DN map was not configured on the sync class, and if the operations included modifications to the unicodePwd attribute.

Fixed DS-47905 PingDataSync

Fixed an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.

To create an attribute mapping that will modify the enablement status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that the enabled attribute will always have a well-defined value, even if the source attribute is not present on an entry in the source server.

Fixed DS-45527 PingDataSync

Fixed an issue where a NullPointerException would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Fixed DS-48040 PingDirectoryProxy

Fixed an issue where Proxy would not accurately report the availability of backends added through automatic backend discovery.

Fixed DS-48349 Delegated Admin

Fixed an issue where the Save button did not respond when editing a user. This issue affected users configured with an auxiliary LDAP object class that required the userPassword attribute.