Release Notes
Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDirectoryProxy server, and the PingDataSync server.
Subscribe to get automatic updates: PingDirectory Release Notes RSS feed
Notes for 10.3.x versions
PingDirectory suite of products 10.3.0.0 (July 2025)
Removed support for Java 11
Info DS-49541 PingDirectory, PingDirectoryProxy, PingDataSync
Support for Java 11 has been removed. You must be running Java 17 or a later supported version, as detailed in the System requirements. Learn more about upgrading a PingDirectory server running Java 11 in Considerations when upgrading to version 10.3.
Support for Internet Explorer 11 has been deprecated
Info PingDirectory, PingDirectoryProxy, PingDataSync
Support for Internet Explorer 11 has been deprecated and will be removed in a future release.
Support for the sync-pipe-view tool has been deprecated
Info PingDataSync
Support for the sync-pipe-view tool has been deprecated, and the tool will be removed in a future release.
Added user entry forwarding for easier request authorization
New DS-49681 PingDirectory, PingDirectoryProxy
We added a mechanism to forward the authenticated user’s entry to backend servers in an entry-balanced proxy configuration. This change makes it easier to authorize requests in backend sets that don’t contain the user’s entry.
You can use this mechanism instead of the authz-dn property in the entry-balancing request processor configuration or the ds-authz-map-to-dn operational attribute in user entries, which are both used to map requests as the authenticated user to a different surrogate user in the other backend sets.
Learn more in Forwarding authorization identities in requests.
Added REST API request controls for soft and hard deletes
New DS-49530 PingDirectory
We added support for the following HTTP request controls in the Directory REST API:
- Soft delete
-
Used to soft-delete entries
- Hard delete
-
Overrides automatic soft-delete policies and performs a full hard delete
- Soft-deleted entry access
-
Used to read or search soft-deleted entries
- Undelete
-
Restores soft-deleted entries to their normal state
Learn more in the Directory REST API documentation.
Added support for the HAProxy PROXY protocol
New DS-43335 PingDirectory, PingDirectoryProxy
We added support for LDAP and LDAPS clients accessing the server through a software load balancer using the PROXY protocol, which allows the server to see the actual address and port of the end client system rather than just the address of the load balancer.
The server supports LDAP clients using TCP over IPv4 or IPv6 with header versions 1 and 2. It also accepts valid PROXY protocol headers with other protocols and address families, but it only updates the client address and port for TCP-based clients.
Learn more in Using the HAProxy PROXY protocol.
Added support for a Thales HSM plugin
New DS-48531 PingDirectory
We added support for a Thales HSM plugin, which is available as a separate download. To get the plugin, contact your Ping Identity account representative.
More efficient server handling of failed authentication attempts
Improved DS-49418 PingDirectory
We changed the default server behavior for failed authentication attempts to unavailable user accounts. If a user’s account becomes unavailable (for example, because the account is locked, disabled, or the password has expired), the server won’t update the user’s recent login history for failed authentication attempts.
This change can prevent excessive write operations to a user entry in cases where the user can’t possibly authenticate, including when accounts could be subject to password guessing or denial-of-service attacks.
Encoded password caching improved for frequently used passwords
Improved DS-49516 PingDirectory
We improved the eviction logic for encoded password caches to help ensure that frequently used passwords remain cached. When a cache becomes full and needs to add a record, the server evicts the least-recently-used record to make room. Previously, the server evicted the oldest record from the cache.
Smarter dsreplication initialize failure behavior
Improved DS-48158 PingDirectory
We improved the dsreplication initialize failure behavior for source backends supplied in a JSON topology file.
A backend must be enabled before it can be initialized. If dsreplication initialize doesn’t successfully initialize the target backend from one source, the command re-enables the target backend before attempting to initialize it from the next source in the JSON file.
Exclude virtual attributes to streamline reversible delete audit logging
Improved DS-49377 PingDirectory
We added a configuration property for the file-based audit log publisher that can exclude virtual attributes from delete audit log records that use the reversible form of logging.
Excluding virtual attributes reduces the size of these log messages and can eliminate the potential performance impact of computing their values. Virtual attributes are still included by default in delete audit log messages generated by the regular file-based audit logger, but they are now suppressed by default in the data recovery log.
Made it easier to update FIPS compliance levels
Improved DS-49550 PingDirectory, PingDirectoryProxy, PingDataSync
We updated manage-profile replace-profile to allow changing the value of the --fips-provider argument in setup-arguments.txt from BCFIPS to BCFIPS2. This makes it possible to update an existing instance running in FIPS 140-2 compliance mode to use FIPS 140-3 compliance mode.
Added FIPS-compliance information to monitor entries
Improved DS-49731 PingDirectory, PingDirectoryProxy, PingDataSync
We updated the Version and SSL Context monitor entries to always include the fips-compliant-mode,
fips-140-2-compliant-mode, and fips-140-3-compliant-mode attributes, even when the server is running in non-FIPS-compliant mode. We also exposed those attributes in the Version monitor entry in the admin console’s Status section.
Added on-demand LDAP connection pool creation
Improved DS-49944 PingDirectory, PingDirectoryProxy, PingDataSync
We added an option to allow LDAP external servers to create connection pools without any initial connections so that all connections for use in the pool are created on demand. This can help make it faster to initialize components that use one or more LDAP external servers, but initial attempts to communicate with those servers could take longer as a result of needing to establish new connections.
Clearer attribute parsing for the Processing Time Histogram plugin
Improved DS-49558 PingDirectory, PingDirectoryProxy
We added the include-parseable-attribute-names option to the Processing Time Histogram plugin to output
entries in a format that’s easier to parse. These reformatted entries are duplicates and still exist in their original
format. Changing this option requires a server restart to take effect.
Improved server setup when using a profile
Improved DS-50069 PingDirectory
We added the --skipImportLdif argument to manage-profile setup. You can supply this argument
to set up a server without importing any LDIF files contained in the profile directory structure.
Fixed a server installation issue with Java 17 and Red Hat
Fixed DS-49716 PingDirectory, PingDirectoryProxy, PingDataSync
We fixed an issue that could prevent installing or running servers using Java 17 or later on Red Hat Enterprise Linux (RHEL) systems when the operating system itself is configured to run in FIPS-compliant mode.
This operating system setting is unrelated to whether the PingDirectory server has been set up to run in FIPS-compliant mode.
Fixed replication behavior for listen-on-all-addresses
Fixed DS-49547 PingDirectory
We fixed the replication server configuration property listen-on-all-addresses so that when the property is set to false, replication servers only listen to the replication port on the interface that corresponds to the hostname of the server instance for that replication server.
Fixed an issue with replication assurance for some password updates
Fixed DS-49851 PingDirectory
We fixed an issue where replication assurance wasn’t applied to the internal operation performed by the password modify extended operation.
Fixed an issue with dsreplication enable
Fixed DS-35915 PingDirectory
We fixed a bug where dsreplication enable ignored the --noPropertiesFile option and incorrectly applied options from the tools.property file.
Fixed the failure behavior for dsreplication initialize
Fixed DS-49890 PingDirectory
We fixed an issue where a PingDirectory server would continue sending binary data
to the destination server after a failed attempt to initialize using dsreplication initialize.
This behavior interfered with further initialization attempts from any other server.
Fixed a replace-certificate trust store issue
Fixed DS-44645 PingDirectory, PingDirectoryProxy, PingDataSync
We fixed an issue that prevented the replace-certificate tool from using the JVM-default trust store when replacing the listener certificate in interactive mode.
Fixed a replace-certificate argument issue
Fixed DS-49769 PingDirectory, PingDirectoryProxy, PingDataSync
We fixed an issue where replace-certificate replace-listener-certificate didn’t obey the
--trust-store-update-type argument.
Fixed an issue with some password resets
Fixed DS-50108 PingDirectory, PingDirectoryProxy
We fixed an issue where password resets done with the bypass-pw-policy privilege would circumvent the
force-change-on-reset property of password policies.
Fixed an issue with the Modifiable Password Policy State plugin
Fixed DS-49878 PingDirectory
We fixed an issue where the Modifiable Password Policy State plugin didn’t obey the value of the filter property.
Fixed an issue with the Entry Counter plugin
Fixed DS-49872 PingDirectory
We fixed an issue where the Entry Counter plugin couldn’t evaluate criteria filters against virtual attributes with
require-explicit-request-by-name set to true.
Restored the ability to modify an enabled Entry Counter plugin
Fixed DS-49816 PingDirectory
We fixed an issue with the Entry Counter plugin where an enabled plugin couldn’t be modified.
Fixed an issue with the Monitor History plugin preserving files
Fixed DS-46253 PingDirectory, PingDirectoryProxy, PingDataSync
We fixed an issue where the Monitor History plugin wouldn’t preserve files for longer than 14 days when
retain-files-sparsely-by-age was set to true.
Fixed a SCIM issue with modifying ds-pwp-modifiable-state-json
Fixed DS-49781 PingDirectory
We fixed an issue where SCIM requests that attempted to modify the ds-pwp-modifiable-state-json attribute would fail.
Fixed SCIM response errors
Fixed DS-48511 PingDirectory, PingDirectoryProxy
We fixed an issue with inconsistencies in id-attribute values returned in SCIM operation responses.
We also fixed an issue with SCIM GET operations where a filter used to search for an entry would result in a 404 error.
Fixed a SCIM 2.0 PUT issue with attribute values
Fixed DS-49619 PingDirectory
We fixed an issue where SCIM 2.0 PUT operations involving multivalued complex attributes would incorrectly remove some of the values.
Fixed a REST API issue with failed PUT requests
Fixed DS-49912 PingDirectory
We fixed an issue in the REST API where PUT requests would return a 500 response when attempting to replace the value of a virtual attribute.
Fixed an issue with allowed REST API syntax violations
Fixed DS-46314 PingDirectory
We fixed an issue where REST API calls failed due to attribute syntax violations, even though the server had been configured to allow syntax violations for those attributes.
Added a missing debug type to LDAP SDK logging
Fixed DS-43814 PingDirectory, PingDirectoryProxy
We added the missing connection-pool debug type to the server’s support for LDAP SDK debug logging.
Suppressed inaccurate server startup warnings
Fixed DS-49991 PingDirectory
We suppressed inaccurate server startup warning messages about some Apache commons-logging classes being scanned
from multiple locations. The scan detected older versions of those classes packaged inside a Spring JCL .jar file
needed by the admin console, but the older versions aren’t loaded at runtime.
Fixed an internal error logged at server restart
Fixed DS-49551 PingDirectory
We fixed a null pointer exception error logged when restarting a PingDirectory server configured with Delegated Admin.
Fixed a Delegated Admin memory leak
Fixed DS-49409 PingDirectory
We fixed an issue where Delegated Admin could leak memory due to unfinalized memory consumers.
Fixed a topology issue related to removing defunct servers
Fixed DS-49700 PingDataSync
We fixed an issue where the remove-defunct-server tool could leave a PingDataSync topology in a state where new servers couldn’t be added.
Fixed an issue with password sync from Active Directory
Fixed DS-50043 PingDataSync
We fixed an issue where password synchronization from multiple Active Directory subdomains through multiple sync pipes could fail abruptly.
Excluded some password attributes from sync sources
Fixed DS-49212 PingDataSync
We changed the resync tool to exclude unicodePwd automatically from
AD sync sources and password from PingOne sync sources.
By design, the resync tool updates the existing values for included
attributes at the destination to match what’s found at the source.
If resync can’t retrieve an attribute value at the source, it removes
any existing values at the destination. Because resync can’t retrieve
these password attributes from their sources, we’ve excluded them from
the attributes for resync consideration to avoid disrupting the values
at the destination.
You can still include these attributes manually in a resync operation by
providing the --includeSourceAttr argument.
Fixed an issue with logging changes to some attributes
Fixed DS-49917 PingDataSync
We fixed an issue where PingDataSync would log an operation as not applied if the only changes applied were to password policy state attributes.
Fixed an issue with third-party change detectors
Fixed DS-49035 PingDataSync
We fixed an issue where third-party change detectors didn’t properly persist the state of processing at the sync source.
This could’ve caused change detector malfunctions with the set-startpoint task,
with saving the change detector’s state upon server shutdown, or with communicating that state to failover instances.
Notes for previous 10.x versions
PingDirectory suite of products 10.2.0.1 (March 2025)
PingDirectory suite of products 10.2.0.0 (December 2024)
Basic authentication notice for the REST API
Security PingDirectory, PingDirectoryProxy
Basic authentication has been deprecated.
Although basic authentication is currently enabled by default for the PingDirectory REST API, it could be disabled by default in a future release. Learn more about enabling or disabling basic authentication in Directory REST API configuration.
Fixed a potential basic authentication vulnerability for the REST API
Security DS-49261 PingDirectory, PingDirectoryProxy
Fixed a potential user enumeration vulnerability when using the Directory Rest API with basic authentication.
SSO sessions to the admin console now expire with the access token
Security DS-49005, DS-49006, DS-49009 PingDirectory
When you enable single sign-on (SSO) for the PingDirectory admin console, the session expiration now depends on the lifetime of the OIDC access token. This change prevents the following:
-
Access to server information with an expired token
-
Server crashing caused by an increasing number of open connections created when attempting to bind to the server with an expired token
-
Unresponsive
Connection Errorpages when switching between servers in a topology
Support for Java 11 has been deprecated
Info PingDirectory, PingDirectoryProxy, PingDataSync
Support for Java 11 has been deprecated and will be removed in a future release.
Support for SCIM 1.1 has been deprecated
Info PingDirectory, PingDirectoryProxy
Support for SCIM 1.1 has been deprecated and will be removed in a future release.
Some Java properties set automatically for Java 21 support
Info DS-49414 PingDirectory, PingDirectoryProxy, PingDataSync
To help enable runtime support of Java 21, the import-ldif and rebuild-index tools now automatically set the java.security.manager property to allow in the following places that affect those tools:
-
The following properties in
config/java.properties:-
start-server.java-args -
import-ldif.offline.java-args -
rebuild-index.offline.java-args
-
-
Programatically, when
setupinvokesimport-ldifThis property change allows these tools to use the backend database
DbCacheSizeutility by preventing that utility from exiting.
Custom SDK extensions using Javax will need to be migrated and recompiled in 10.3
Info PingDirectory, PingDirectoryProxy, PingDataSync
Several components will be upgraded in version 10.3 of the PingDirectory suite of products. If any of your custom Server SDK extensions have classes that import javax.* packages, you will need to migrate them to the equivalent jakarta.* packages and then recompile the extensions.
SCIM 2 SDK version compatibility for custom extensions
Info PingDirectory, PingDirectoryProxy
For custom SCIM 2.0 extensions that use the UnboundID SCIM 2 SDK with objects under the Javax namespace (for example, javax.ws.rs.client.WebTarget or javax.ws.rs.core.MediaType), you must use version 2.4.0 of the SDK.
Starting with version 3.0.0, the SDK uses objects under the Jakarta namespace (such as jakarta.ws.rs.client.WebTarget), which aren’t compatible with PingDirectory 10.2.0.0 or earlier.
| If your SCIM 2.0 extension doesn’t use objects with Javax namespaces, you can use later versions of the UnboundID SCIM 2 SDK. |
Added runtime support for Java 21
New DS-48833, DS-49193 PingDirectory, PingDirectoryProxy, PingDataSync
Added JRE support for Oracle JDK 21 and OpenJDK 21.
Added support for Generational ZGC garbage collection
New DS-49408 PingDirectory, PingDirectoryProxy, PingDataSync
Added support for Generational ZGC garbage collection on servers running Java 21. Learn more in JVM garbage collection using ZGC.
Added support for FIPS 140-3
New DS-49249, DS-49285 PingDirectory, PingDirectoryProxy, PingDataSync
Added support for setting up the server in FIPS 140-3-compliant mode using 2.x versions of the Bouncy Castle FIPS-compliant library.
To set up the server in FIPS 140-3-compliant mode, use the --fips-provider BCFIPS2 argument. You can still set up the server in FIPS 140-2-compliant mode using the --fips-provider BCFIPS1 argument.
Learn more in Setting up the server in FIPS-compliant mode.
Use OAuth scopes for ACIs on REST API endpoints
New DS-48851 PingDirectory, PingDirectoryProxy
To help isolate access to admin credentials in authentication workflows, we added the ability to use OAuth scopes to enforce ACIs for users authenticating to most Directory REST API endpoints.
When users send authentication requests with an OAuth 2.0 bearer token, they can be granted OAuth scopes by a token validator, such as PingFederate. Scope-configured PingDirectory ACIs can then be applied to those scopes, providing the permissions for the user and the request.
Learn more in Using OAuth scopes for ACI rules with the REST API.
Keep count of specific entries with a new plugin
New DS-422, DS-47690 PingDirectory
Added an entry counter plugin that can determine the number of entries in the server matching configured sets of base DN and filter criteria. The plugin returns the resulting entry counts in monitor entries and can optionally include information about the amount of space used to store those entries in the backend database.
You can also define warning and error threshold values for each criteria. If the number of matching entries reaches those thresholds, the server raises a warning or error alarm.
Learn more in Working with the entry counter plugin.
Monitor the risk of performance degradation
New DS-49116 PingDirectory
Added the db-on-disk-to-db-cache-size-ratio monitor attribute to database environment monitor entries. Also added a gauge to monitor the attribute and raise an alert if the on-disk database size becomes eight times larger than the size of the in-memory cache, which could cause an increased risk of performance degradation.
Learn more about this monitor attribute in Server gauges.
Added key and trust manager caching
New DS-49135 PingDirectory, PingDirectoryProxy, PingDataSync
Added the ability to cache key managers and trust managers to prevent loading keystore and truststore files from disk when establishing connections to process requests. Use the enable-key-manager-caching and enable-trust-manager-caching configuration properties to enable or disable caching.
Learn more about key and trust manager caching in Configuring key and trust manager providers.
Added caching for expensive password storage schemes
New DS-49100 PingDirectory, PingDirectoryProxy, PingDataSync
Added a secure, in-memory cache for improving the performance of repeated authentication attempts for users with passwords encoded using expensive storage schemes, including PBKDF2, Argon2, bccrypt, and scrypt.
When a user whose password is encoded with one of these schemes tries to authenticate, the server checks the cache to see if it contains their encoded password. If not, the server verifies the password using the expensive processing required by the storage scheme and then adds it to the cache, along with a salted SHA-256-encoded representation of that password. On later authentication attempts, if the cache includes the expensive encoded password, the server can use the salted SHA-256-encoded variant to verify the password much more quickly.
The cache only holds encoded representations of passwords using the expensive storage scheme and the faster salted SHA-256 digest. It doesn’t include the plaintext representations of passwords or information that could associate an encoded password with the corresponding user account. The contents of the cache aren’t written to disk or persisted in any other way.
You can adjust the cache size by using the encoded-password-cache-size property in the password storage scheme configuration. Setting this property to 0 disables caching for that scheme.
Learn more in Encoded password caching.
Better authentication performance for dynamic groups
Improved DS-49030 PingDirectory, PingDirectoryProxy
Dramatically reduced the time needed to authenticate in environments with a very large number of dynamic groups.
No server lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
-
The
replication-purge-obsolete-replicasglobal configuration property is set tofalse. -
Not all servers in the topology support configurable missing changes.
-
The remote server indicates lockdown for replicas that are actually obsolete.
No server lockdown for missing changes after a restart
Improved DS-48972 PingDirectory
Changed the default missing changes policy from favor-integrity to favor-availability to prevent lockdowns for missing changes from persisting between server restarts.
Made it easier to repair topologies with missing changes
Improved DS-49063 PingDirectory
Updated the check-replication-domains tool to distinguish between deleted and obsolete replicas, making it easier to manage missed changes when repairing a topology.
A replica listed as DELETED has been deleted from the topology but isn’t yet obsolete. A replica listed as OBSOLETE has been deleted from the topology and only contains changes older than the replication purge delay.
Mitigated a potential slowdown to server backups
Improved DS-49227 PingDirectory
Updated the server to attempt to pause backend cleaning activity while backups are in progress. If a cleaner thread removes any database files during a backup, it can cause the server to include additional files in the backup, which increases both the size of the backup and the time required to generate it. This effect can intensify when performing a rate-limited backup.
Improved password sync functionality
Improved DS-48794 PingDataSync
Added the ability to sync password changes and modifiable password policy state changes at the same time to PingDirectory sync destinations.
Allowed proxied requests for HTTP external servers
Improved DS-48729 PingDirectory, PingDirectoryProxy, PingDataSync
Updated the HTTP external server configuration to allow requests to be forwarded through an HTTP proxy server.
Made it easier to change garbage collection types
Improved DS-48966 PingDirectory, PingDirectoryProxy, PingDataSync
Added the --gcType argument for the dsjavaproperties tool to make it easier to change the server garbage collection type. Depending on the platform and Java version, some garbage collection types might not be recommended or supported.
Learn more in Changing the JVM garbage collector type.
Better compatibility with security scanners
Improved DS-48850 PingDirectory
To improve compatibility with third-party security scanners, HTTP response headers specified in the HTTP Connection Handler response-header property are now included in all error responses, for example 404 NOT FOUND.
Reduced redundant logging
Improved DS-49124 PingDirectory
Lowered the default global configuration property duplicate-error-log-limit from 2000 to 200 to reduce redundant logging.
Removed the restart prompt when changing a certificate alias
Fixed DS-45174 PingDirectory, PingDirectoryProxy, PingDataSync
Removed the prompt to restart the LDAP connection handler component after changing the ssl-cert-nickname configuration property because a restart isn’t required.
Fixed an issue with parsing the JAVA_HOME path
Fixed DS-DS-49349 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where the dsjavaproperties tool didn’t correctly parse the JAVA_HOME path and threw the following error:
The old java.properties JAVA_HOME was changed because the Java installation in it is not valid. This is usually because the previous JAVA_HOME pointed to an incompatible version of Java. The previous JAVA_HOME value will remain in the generated java.properties.old file.
Changed the collect-support-data monitor file behavior
Fixed DS-47384 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the collect-support-data tool to use the latest monitor-history file if it can’t find ldap/monitor.ldif when examining monitor data.
Fixed an issue with VLV index errors
Fixed DS-49296 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where untrusted VLV indexes would throw errors for irrelevant searches.
Fixed an issue with Prometheus HTTP servlet error messages
Fixed DS-49161 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where the Prometheus HTTP servlet would publish an excessive number of error messages to the error log when it lost connection to its remote counterpart.
Fixed an issue with config-diff
Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where running the config-diff tool would result in an Unknown property error when comparing configuration objects of different types.
Removed suppression messages for disabled alerts
Fixed DS-49119 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where alerts types that were disabled would still output suppression messages.
Fixed server startup with third-party key manager providers
Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.
Fixed an issue with the Dictionary Password Validator
Fixed DS-47914 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue with the default value for dictionary-file in the Dictionary Password Validator configuration.
Supplied missing replication error information
Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.
Fixed failing server upgrades using server profiles
Fixed DS-49374 PingDirectory
Fixed an issue where server upgrades using manage-profile replace-profile failed because the default topology admin user account was reverting to the default password policy.
Fixed an issue with updating isMemberOf values
Fixed DS-49371 PingDirectory
Fixed an issue where the server didn’t properly update isMemberOf values as a result of a modify DN operation that renamed or moved a subtree containing one or more groups. The isMemberOf values for those groups would continue to reflect their former DNs until a server restart.
Fixed an issue with ds-backend-entry-count
Fixed DS-49394 PingDirectory
The ds-backend-entry-count monitor attribute for the replicationChanges backend now correctly handles sequence number rollover so that it is accurate when more than 2,147,483,647 changes have been made.
Fixed an issue with rebuilding substring indexes
Fixed DS-49384 PingDirectory
Fixed an issue where rebuilding a substring index could either result in an error or the index not properly indexing all keys.
Removed an irrelevant validator error
Fixed DS-42343 PingDirectory
Removed an irrelevant validator error. This error was previously raised on shutdown if a server was concurrently receiving mirror subtree data from the master server.
Fixed an HTTP Connection Handler error message
Fixed DS-49364 PingDirectory
Fixed an error message caused by an improperly configured HTTP Connection Handler object so that it properly lists out the affected object names.
Fixed a userRoot issue for server upgrades
Fixed DS-49281 PingDirectory
Fixed an issue that caused some server upgrades to fail. During an upgrade, the update tool added userRoot entries for inverted static group support to the server configuration after the userRoot backend had been removed.
Fixed an issue with JSON-object extensible matching filters
Fixed DS-45519 PingDirectory
Fixed an issue where JSON-object extensible matching filters of type less-than were being evaluated as type less-than-or-equals.
Fixed an issue with lost replication changes and gateways
Fixed DS-45976 PingDirectory
Fixed an issue where replication changes could be lost when sent to a location whose gateway was starting or stopping.
Fixed an issue with composite index metadata
Fixed DS-48969 PingDirectory
Fixed an issue that could cause an inconsistency in the metadata for a composite index record, which could have the following effects:
-
Validator error messages show up in the server’s error log.
-
The server returns errors in response to some requests.
-
Under rare circumstances, the server can’t bring the affected backend online.
In addition, the server now has added resiliency against these kinds of issues, allowing it to better identify the correct result set and more effectively notify administrators if it does happen.
Fixed an issue with authorization IDs and the REST API
Fixed DS-49195 PingDirectoryProxy
Fixed an issue where the Directory REST API didn’t use alternate authorization identities in entry-balanced proxy environments.
Changed proxy transformation requirements for mapped attributes
Fixed DS-48958 PingDirectoryProxy
Updated the attribute mapping proxy transformation to require that both the source and target attribute types are defined in the local schema.
This change ensures that the server uses the correct logic when interacting with values of those attributes (for example, to identify whether the attribute type is declared as single-valued or multivalued so that it can properly format the values in REST API responses). The server now prevents adding a new instance of this proxy transformation if either of the attribute types isn’t defined in the schema. It also logs a warning message on startup if any existing instance of the transformation references an undefined attribute type.
Fixed an issue with character encoding for PingOne sync destinations
Fixed DS-49362 PingDataSync
Fixed an issue where an empty space character didn’t get properly encoded when URLs were sent to PingOne sync destinations.
Fixed an issue with filtering virtual attributes
Fixed DS-49290 PingDataSync
Fixed an issue with defining which entries to sync with the include-filter property in a sync class. If the filter targeted virtual attributes with a ! (not) operator, the sync operation would fail to exclude matching entries.
Fixed an issue with error messages for sync operations
Fixed DS-49224 PingDataSync
Fixed an issue where error messages related to creating sync operations were being logged to all sync pipe log publishers rather than just the associated log publisher.
Fixed an issue with Kafka and OutOfMemory errors
Fixed DS-48762 PingDataSync
Fixed an issue where failover instances configured with KafkaSyncDestinations could leak KafkaProducer objects and eventually encounter OutOfMemory errors.
Fixed a potential NPE when loading a sync source
Fixed DS-49248 PingDataSync
Fixed a potential NullPointerException that could occur when attempting to load changes from a sync source.
Expired certificates in keystores after running replace-certificate
Issue DS-49269 PingDirectory, PingDirectoryProxy, PingDataSync
When replacing a PingDirectoryProxy or PingDataSync certificate with the replace-certificate tool, the old certificate gets stored in the existing keystore with an alias of .old. Instances of PingDirectory in the configuration don’t identify this alias as an indicator of a deprecated certificate and can select the .old certificate for use in TLS communication, potentially causing a communication failure.
To avoid this issue, you can do one of the following:
-
Set a
Nullkey manager provider for all external PingDirectory servers in the configuration. -
Use the
manage-certificates delete-certificatecommand to remove unused aliases from the PingDirectoryProxy or PingDataSync keystores.
Learn more about the solutions for this issue in Communication failure due to aliased expired certificate (requires authentication).
Installing in FIPS-compliant mode with Oracle JDK 17 or later
Issue DS-48832 PingDirectory
If you attempt to install PingDirectory in FIPS-compliant mode while running Oracle JDK 17 or later, the installation might fail with an error similar to the following:
Initializing ..... An error occurred while attempting to initialize the crypto manager: due to an exception in the Java security provider: NoSuchAlgorithmException: 1.2.840.113549.1.1.4 Signature not available
To avoid this issue, use OpenJDK versions 17 or 21.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 10.1.0.3 (May 2025)
Added key and trust manager caching
New DS-49135 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve added the ability to cache key managers and trust managers to prevent loading keystore and truststore files from disk when establishing connections to process requests. Use the enable-key-manager-caching and enable-trust-manager-caching configuration properties to enable or disable caching.
Learn more about key and trust manager caching in Configuring key and trust manager providers.
Fixed a server installation issue with Java 17 and Red Hat
Fixed DS-49716 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve fixed an issue that could prevent installing or running servers using Java 17 or later on Red Hat Enterprise Linux (RHEL) systems when the operating system itself is configured to run in FIPS-compliant mode.
This operating system setting is unrelated to whether the PingDirectory server has been set up to run in FIPS-compliant mode.
Fixed an issue with FIPS compliance and Oracle JDK 17+
Fixed DS-48832 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve fixed an issue where the server wouldn’t install or operate correctly in FIPS-compliant mode with Oracle JDK 17 or later.
Fixed a userRoot issue for server upgrades
Fixed DS-49281 PingDirectory
We’ve fixed an issue that caused some server upgrades to fail. During an upgrade, the update tool added userRoot entries for inverted static group support to the server configuration after the userRoot backend had been removed.
Fixed a server startup issue
Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.
Removed the restart prompt when changing a certificate alias
Fixed DS-45174 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve removed the prompt to restart the LDAP connection handler component after changing the ssl-cert-nickname configuration property because a restart isn’t required.
Fixed an internal error logged at server restart
Fixed DS-49551 PingDirectory
We’ve fixed a null pointer exception error logged when restarting a PingDirectory server configured with Delegated Admin.
Fixed SCIM response errors
Fixed DS-48511 PingDirectory, PingDirectoryProxy
We’ve fixed an issue with inconsistencies in id-attribute values returned in SCIM operation responses. We’ve also fixed an issue with SCIM GET operations, where a filter used to search for an entry would result in a 404 error.
Fixed a SCIM 2.0 PUT issue with attribute values
Fixed DS-49619 PingDirectory
We’ve fixed an issue where SCIM 2.0 PUT operations involving multivalued complex attributes would incorrectly remove some of the values.
Fixed a SCIM issue with modifying ds-pwp-modifiable-state-json
Fixed DS-49781 PingDirectory
We’ve fixed an issue where SCIM requests that attempted to modify the ds-pwp-modifiable-state-json attribute would fail.
Changed proxy transformation requirements for mapped attributes
Fixed DS-48958 PingDirectoryProxy
We’ve updated the attribute mapping proxy transformation to require that both the source and target attribute types are defined in the local schema.
This change ensures that the server uses the correct logic when interacting with values of those attributes (for example, to identify whether the attribute type is declared as single-valued or multivalued so that it can properly format the values in REST API responses). The server now prevents adding a new instance of this proxy transformation if either of the attribute types isn’t defined in the schema. It also logs a warning message on startup if any existing instance of the transformation references an undefined attribute type.
Removed suppression messages for disabled alerts
Fixed DS-49119 PingDirectory, PingDirectoryProxy, PingDataSync
We’ve fixed an issue where alert types that were disabled would still output suppression messages.
PingDirectory suite of products 10.1.0.2 (September 2024)
Changed replication to prevent lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
-
The
replication-purge-obsolete-replicasglobal configuration property is set to false. -
Not all servers in the topology support configurable missing changes.
-
The remote server indicates lockdown for replicas that are actually obsolete.
Made it easier to upgrade replicated servers to version 10.1.0.2 or later
Improved DS-48798, DS-49090 PingDirectory
When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.1.0.2 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.
This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.
After upgrade, the update tool also displays a message with more information:
In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas' global configuration property changed from 'false' to 'true'. However, it should generally only be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0 servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly set to false for this server if it was not explicitly set. Once you have completed the upgrade across all servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this property to 'true' on all servers.
PingDirectory suite of products 10.1.0.0 (June 2024)
Fixed a PingDirectoryProxy authentication issue
Security DS-48028 PingDirectoryProxy
Fixed an issue that could have allowed clients attempting to authenticate through the PingDirectoryProxy server to obtain more information in the bind response than would have been allowed if the request had been sent directly to a PingDirectory server.
Added presence component support for composite index filter patterns
New DS-18120 PingDirectory
Added the ability to use presence components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing presence attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern. Learn more about Composite index filter patterns.
Added static equality support for composite index filter patterns
New DS-18120 PingDirectory
Added the ability to use equality components with static values in composite index filter patterns, which can be useful in cases where you want to index specific attribute values that are present in a large number of entries. The index filter pattern can either be a simple static equality component, an AND filter with multiple static equality components, or an AND filter with static equality components combined with other supported filter pattern components.
Added approximate matching support for composite index filter patterns
New DS-48631 PingDirectory
Added the ability to use approximate matching components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing approximate matching attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern.
Added support for localized matching in searches
New DS-48630 PingDirectory
Added support for several collation matching rules, which allow clients to use extensible match filters to better search for entries with non-English values. Learn more about Localization of searches with collation matching.
Added a repair tool for broken trust in replicated topologies
New DS-48752 PingDirectory
Added a tool to repair broken listener certificate trust in replicated topologies. To reduce troubleshooting and speed up the repair of broken subtree mirroring in a replicated topology where listener certificates have fallen out of trust, you can use the repair-topology-listener-certificates tool. Learn more about Repairing broken listener certificate trust in replication.
|
This tool isn’t an alternative to using the |
Added the ability to compare LDAP schemas between servers
New DS-47930 PingDirectory, PingDirectoryProxy
Added the compare-ldap-schemas tool to identify differences between the schemas of two LDAP servers.
Added a configurable limit for subtree modification
New DS-47316 PingDirectory
Added the subtree-modify-dn-size-limit configuration property for local DB backends. By default, the server now rejects modify DN operations in which the target entry has more than 100 subordinate entries, which can help protect against inadvertent and potentially expensive subtree moves or renames.
With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.
Added client connection info in request-type access logging
New DS-48614 PingDirectory
Added the include-connection-details-in-request-messages property to allow you to add details about client connections in request-type access log messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.
Added the ability to exclude error log messages
New DS-48581 PingDirectory, PingDirectoryProxy, PingDataSync
Added the ability to exclude specific error log messages to help simplify server administration. You can configure several criteria to determine which messages to exclude. Learn more about Excluding specific log messages.
Added boolean attribute support for Prometheus metrics
New DS-47286 PingDirectory
Added support for boolean attributes in Prometheus monitor metrics. These metrics can be used for monitor attributes that have values such as true, false, enabled, disabled, yes, no, on, off, 1, or 0. The server sends a gauge metric to Prometheus with a value of 1 or 0 to represent these values. Learn more about Customizing published metrics.
Added obfuscation for sensitive Kafka values
New DS-48216 PingDataSync
Added the sensitive-kafka-producer-property configuration object to enable you to obscure sensitive producer property values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.
Added support for PKCS11 key wrapping transformations
New DS-48514 PingDirectory
For environments that require specific key wrapping transformations, we added the ability to use dsconfig to update the key-wrapping-transformation property for PingDirectory PKCS11 cipher stream providers.
Added a password verification extended operation
New DS-48662 PingDirectory, PingDirectoryProxy
Added support for an extended operation to verify passwords, which can be used to determine whether a specified password is correct for a given user without performing any other password policy processing. Support for this operation is disabled by default. Learn more about The verify password extended operation.
Added support for synchronizing account lock statuses from PingOne
Improved DS-47933 PingDataSync
Increased the consistency of enterprise-wide user statuses by adding support for synchronizing account lock status events from a PingOne source. Learn more about Synchronizing PingOne account status with PingDirectory.
Enabled candidate set caching to improve indexed search performance
Improved DS-48530 PingDirectory
Added a configuration property that enables you to cache the candidate set for indexed search requests that include the simple paged results request control. By default, the server recomputes the candidate set for each page of results retrieved from the server. With caching enabled, the server can reuse the same candidate set across all pages without needing to recompute it each time.
Learn more about optimizing paged searches using caching.
Reduced the performance impact of exploded index cleanup processing
Improved DS-48672 PingDirectory
Reduced the performance impact of the background cleanup processing that occurs when an exploded index key exceeds the index entry limit.
Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.
Increased the speed of search results
Improved DS-48075 PingDirectory
Updated the server to allow it to start returning matching entries more quickly and with reduced memory consumption when processing a search request that can be perfectly satisfied by a single composite index key.
Increased the server startup speed
Improved DS-48869 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the default behavior of the interactive setup to not prime the database by preloading its contents.
Increased throughput in backend DB environments
Improved DS-48827 PingDirectory
Increased write throughput and significantly reduced response time outliers in backend DB environments.
Improved performance for servers with large configuration archives
Improved DS-48875 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the configuration archive to retain a maximum of 100 previous configurations by default to alleviate the performance impact of large archives.
Improved server guidance around attribute and composite indexes
Improved DS-48670, DS-5357 PingDirectory
Updated the server to raise an alert or log a warning message when attribute index entry limits are set too high and to recommend the use of composite indexes instead. High index entry limits can lead to performance issues for attribute indexes, and composite indexes offer much better performance and scalability for index keys that match a large number of entries.
Reduced memory pressure for dynamic group caching
Improved DS-44929 PingDirectory
Reduced the amount of memory needed to cache information about dynamic groups.
Enabled data imports to ignore duplicate attribute values
Improved DS-48603 PingDirectory
Updated the import-ldif tool to add an --ignoreDuplicateAttributeValues argument. By default, the tool rejects any entries that contain duplicate values within the same attribute, but this new argument causes it to behave as if each value had only been provided once.
Enhanced the configurability of ACI rights for adding entries
Improved DS-48516 PingDirectory
Added the evaluate-target-attribute-rights-for-add-operations configuration property to the access control handler to correct a behavior where the bind user required an allow add ACI for only one attribute of an entry to add the entry.
With this property enabled, the bind user must have an allow add ACI for all attributes of an entry to add the entry. To avoid changing existing functionality, evaluate-target-attribute-rights-for-add-operations is disabled by default. Learn more about Changing the allow add ACI behavior for entries.
Increased replication speed
Improved DS-48826 PingDirectory
Increased throughput for replicated operations.
Made schema replication more efficient
Improved DS-48343 PingDirectory
Made schema replication more efficient by not sending, and by not applying, update messages that don’t need to be applied. This is done by calculating the generation ID correctly, setting replication operational attributes in the schema backend, and by noting the changes most recently applied in the replicationChanges backend.
Improved obsolete replica logic
Improved DS-48800 PingDirectory
Improve obsolete replica logic so that replication more accurately determines if a replica is obsolete.
Increased the efficiency of replication backlog health checks
Improved DS-48552 PingDirectoryProxy
Made the server health check for the replication backlog more efficient.
Reduced the size of replication monitor messages
Improved DS-48058 PingDirectory
To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.
Reduced the retrieval time for the percentage of undeletable files
Improved DS-45172 PingDirectory
Used caching to speed up the Database Environment monitor entry retrieval of the percentage of undeletable database files.
Expanded the controls for export-reversible-passwords
Improved DS-48022 PingDirectory
Updated the export-reversible-passwords tool to allow you to specify base DNs for entries to include in or exclude from the export.
Made it easier to upgrade the Password Sync Agent
Improved DS-17945, DS-48793 PingDataSync
Made it easier to install and upgrade the Password Sync Agent by clarifying and expanding the documentation.
Enhanced debug support for CLI tools
Improved DS-48239 PingDirectory, PingDirectoryProxy, PingDataSync
Added debug logging support to a number of command-line tools. Use the --help-debug argument to see the relevant arguments.
Added a timeout for long-running exec alert commands
Improved DS-48724 PingDirectory
Added a timeout feature that automatically terminates the execution of a long-running command or script initiated by the exec alert handler. The command-timeout attribute controls the time limit and has a default value of 1 hour. To disable this timeout, you can change the command-timeout value to 0 s. Learn more about Changing the timeout for an exec alert handler.
Enabled expensive operations access logging by default
Improved DS-48856 PingDirectory, PingDirectoryProxy, PingDataSync
Made a configuration change to have the expensive operations access logger enabled by default. Any operations that take at least one second to complete will be logged to the logs/expensive-ops file.
Added cipher re-initialization logic for performance improvement
Improved DS-48893 PingDirectory
Added the always-reinitialize-cached-cipher-instances configuration property to specify whether ciphers retrieved from an internal cache should always be re-initialized using Cipher.init() before re-use, or whether re-initialization can be skipped if the cipher hasn’t been used to encrypt or decrypt data since a previous call to Cipher.init() or Cipher.doFinal().
This new property defaults to true, unless the server is running in FIPS 140-2-compliant mode. Skipping unnecessary re-initialization of cached ciphers results in greatly improved performance for implementations such as BCFIPS AES/CBC/PKCs5Padding.
Fixed an issue with inconsistency in paged search results
Fixed DS-46808 PingDirectory, PingDirectoryProxy
Fixed an issue where PingDirectoryProxy could have returned an inconsistent number of entries for paged search requests. Now, to ensure consistency in the returned entries, PingDirectoryProxy sends each paged search request to one server.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
Fixed an issue with syncing modified PingOne attributes
Fixed DS-48669 PingDataSync
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.
Fixed an issue with VLV indexes and extensible match filters
Fixed DS-48026 PingDirectory
Fixed an issue that could have prevented the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.
Fixed an issue with inconsistent entryUUID values across servers
Fixed DS-48678, DS-48720 PingDirectory
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.
Fixed an issue with attribute value duplication
Fixed DS-48585 PingDirectory
Fixed an issue where replace operations that targeted attributes with subordinate types would cause the subordinate attribute values to be duplicated.
Fixed a replication issue with an Invalid host error
Fixed DS-48311 PingDirectory
Fixed an issue where disabling replication with a missing hostname sometimes caused dsreplication status to fail with an Invalid host error.
Fixed a configuration change issue when replacing profiles
Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync
Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.
Fixed an issue with an encryption alarm
Fixed DS-46533 PingDirectory
Fixed an issue where the Strong Encryption Not Available Gauge had a value of INDETERMINATE and showed an alarm, even when the JVM supported strong encryption. Also changed the name of this gauge to Strong Encryption Available to avoid confusion in the event of an alarm being raised.
Fixed an issue with the PSA updating the wrong entries
Fixed DS-48358 PingDataSync
Fixed an issue where the PSA could update incorrect entries upon a password change if there were users with the same sAMAccountName in a forest.
Fixed an issue with entry modification in replication
Fixed DS-48491 PingDirectory
Fixed an issue that could prevent a modify request from adding real attribute values to a replicated entry that already had one or more virtual values for that attribute.
Fixed an issue with indexing entries while debugging
Fixed DS-48723 PingDirectory
Fixed an issue where an untrusted composite index would prevent entries matching that index from being added or modified if a debug log publisher was enabled for the composite index.
Fixed an error message in the Delegated Admin report
Fixed DS-48774 PingDirectory, PingDirectoryProxy
Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.
Fixed a null pointer exception in replication
Fixed DS-48796 PingDirectory
Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.
Fixed an issue with installing PingDirectory in FIPS mode
Fixed DS-48834 PingDirectory
Resolved an issue where installing the PingDirectory server in FIPS-compliant mode would sometimes fail with an error stating that a configuration file entry had the same DN as another entry already read from that file.
Fixed a rare startup error related to replication and sleep values
Fixed DS-48897 PingDirectory
Fixed a rare issue where the server could have experienced an IllegalArgumentException on startup due to a negative sleep value when one or more replication servers wasn’t online.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 10.0.0.6 (June 2025)
Fixed a server installation issue with Java 17 and Red Hat
Fixed DS-49716 PingDirectory, PingDirectoryProxy, PingDataSync
We fixed an issue that could prevent installing or running servers using Java 17 or later on Red Hat Enterprise Linux (RHEL) systems when the operating system itself is configured to run in FIPS-compliant mode.
This operating system setting is unrelated to whether the PingDirectory server is set up to run in FIPS-compliant mode.
Fixed a userRoot issue for server upgrades
Fixed DS-49281 PingDirectory
We fixed an issue that caused some server upgrades to fail. During an upgrade, the update tool added userRoot entries for inverted static group support to the server configuration after the userRoot backend had been removed.
Fixed the failure behavior for dsreplication initialize
Fixed DS-49890 PingDirectory
We fixed an issue where a PingDirectory server would continue sending binary data
to the destination server after a failed attempt to initialize using dsreplication initialize.
This behavior interfered with further initialization attempts from any other server.
Removed the restart prompt when changing a certificate alias
Fixed DS-45174 PingDirectory, PingDirectoryProxy, PingDataSync
We removed the prompt to restart the LDAP connection handler component after changing the ssl-cert-nickname configuration property because a restart isn’t required.
Fixed a SCIM 2.0 PUT issue with attribute values
Fixed DS-49619 PingDirectory
We fixed an issue where SCIM 2.0 PUT operations involving multivalued complex attributes would incorrectly remove some of the values.
Fixed a SCIM issue with modifying ds-pwp-modifiable-state-json
Fixed DS-49781 PingDirectory
We fixed an issue where SCIM requests that attempted to modify the ds-pwp-modifiable-state-json attribute would fail.
Changed proxy transformation requirements for mapped attributes
Fixed DS-48958 PingDirectoryProxy
We updated the attribute mapping proxy transformation to require that both the source and target attribute types are defined in the local schema.
This change ensures that the server uses the correct logic when interacting with values of those attributes (for example, to identify whether the attribute type is declared as single-valued or multivalued so that it can properly format the values in REST API responses). The server now prevents adding a new instance of this proxy transformation if either of the attribute types isn’t defined in the schema. It also logs a warning message on startup if any existing instance of the transformation references an undefined attribute type.
Excluded some password attributes from sync sources
Fixed DS-49212 PingDataSync
We changed the resync tool to exclude unicodePwd automatically from
AD sync sources and password from PingOne sync sources.
By design, the resync tool updates the existing values for included
attributes at the destination to match what’s found at the source.
If resync can’t retrieve an attribute value at the source, it removes
any existing values at the destination. Because resync can’t retrieve
these password attributes from their sources, we’ve excluded them from
the attributes for resync consideration, to avoid disrupting the values
at the destination.
You can still include these attributes manually in a resync operation by
providing the --includeSourceAttr argument.
PingDirectory suite of products 10.0.0.4 (October 2024)
Changed replication to prevent lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
-
The
replication-purge-obsolete-replicasglobal configuration property is set to false. -
Not all servers in the topology support configurable missing changes.
-
The remote server indicates lockdown for replicas that are actually obsolete.
Made it easier to upgrade replicated servers to version 10.0.0.4 or later
Improved DS-48798, DS-49090 PingDirectory
When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.0.0.4 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.
This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.
After upgrade, the update tool also displays a message with more information:
In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas' global configuration property changed from 'false' to 'true'. However, it should generally only be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0 servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly set to false for this server if it was not explicitly set. Once you have completed the upgrade across all servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this property to 'true' on all servers.
Reduced the retrieval time for the percentage of undeletable files
Improved DS-45172 PingDirectory
Used caching to speed up the retrieval of the percentage of undeletable database files for the Database Environment monitor entry.
Fixed a config-diff error
Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.
Fixed a server startup issue
Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.
PingDirectory suite of products 10.0.0.3 (July 2024)
Increased replication speed
Improved DS-48826 PingDirectory
Increased throughput for replicated operations.
Reduced the size of replication monitor messages
Improved DS-48058 PingDirectory
To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.
Supplied missing replication error information
Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.
Fixed a configuration change issue when replacing profiles
Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync
Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.
Fixed an issue with syncing modified PingOne attributes
Fixed DS-48669 PingDataSync
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.
Fixed an issue with inconsistent index metadata
Fixed DS-48969 PingDirectory
Fixed an issue that could cause an inconsistency in the metadata for a composite index record. This inconsistency could cause:
-
Validator error messages in the server’s error log
-
Error responses to some server requests
-
Failure to bring the affected backend online (rare)
In addition, the server now has added resiliency against these kinds of issues, with a better ability to identify the correct result set and notify administrators of the issue.
Fixed a null pointer exception in replication
Fixed DS-48796 PingDirectory
Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.
Fixed an issue with inconsistent entryUUID values across servers
Fixed DS-48678, DS-48720 PingDirectory
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.
Fixed an issue with VLV indexes and extensible match filters
Fixed DS-48026 PingDirectory
Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.
PingDirectory suite of products 10.0.0.2 (March 2024)
Added logging history for the setup tool
Improved DS-47831 PingDirectory
A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
PingDirectory suite of products 10.0.0.1 (January 2024)
Fixed a memory issue introduced in 10.0 that could have caused the server to crash
Fixed DS-48599 PingDirectory
We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.
With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.
PingDirectory suite of products 10.0.0.0 (December 2023)
What’s new in the PingDirectory 10.0 suite of products?
New
- PingDirectory
-
-
Historically, LDAP servers favor data integrity over resiliency. However, given the growth in customer topologies, there is a strong requirement for maintaining production server uptimes to meet customer expectations. In this environment, servers can be removed from the topology frequently, and if the server is down longer than the configured replication purge delay, problems could arise once the server is brought back online. In this release, a new feature allows you to configure the level of availability when encountering this issue during topology management.
-
Static groups, which are the simplest and most commonly used type of group, explicitly list the DNs of group members. Server performance when adding or removing members from a static group depends partially on the group size itself, but we have identified a number of further inefficiencies in how the server handles static group membership changes. This release includes changes to improve performance when updating static groups.
This release also introduces a new group type: inverted static groups. As with traditional static groups, inverted static group membership is explicitly defined rather than automatically determined. However, instead of storing the entire list of members in the group entry, each user entry lists the set of inverted static groups in which that user is a member. Inverted static groups with a large number of members can be more efficient to maintain than traditional static groups, because the change needed to add or remove a user only requires updating the user entry, which isn’t affected by the number of members in the group. The server also provides an optional plugin that allows an inverted static group to be updated as if it were a traditional static group, intercepting attempts to alter the membership attribute in the group entry itself and making the corresponding changes in user entries instead.
-
PingDirectory allows clients to interact with the server using a REST API over HTTP as an alternative to LDAP. Recent updates to the Directory REST API, including the addition of support for controls and select extended operations, have improved feature parity between the REST-based and LDAP-based interfaces, creating a more robust experience for developers using the REST API.
While it is possible to authorize individual requests using either HTTP basic authentication (using the DN and password of the target user) or with an OAuth 2 access token obtained through another service, the Directory REST API didn’t provide a fine-grained way of verifying user credentials. This release introduces a new
authenticateendpoint, which provides a way for Directory REST API clients to verify user credentials. This enables you to better differentiate authentication failures from authorization failures, and to obtain an access token to use in authorizing subsequent requests as a specific user. Users can be identified with either a DN or a username, and the credentials may include a static password on its own or in conjunction with a delivered one-time password, a time-based one-time password, or a one-time password generated by a YubiKey device. -
PingDirectory has always offered support for defining deprecated password storage schemes. If a user successfully authenticates and provides the server their clear-text password, and if their password is currently encoded with an undesirable scheme, the server can automatically re-encode their password using a more desirable scheme. This release expands on this functionality by making it possible to re-encode passwords if the configuration of the underlying scheme has changed in a way that affects the scheme’s stored representation.
For example, if a user’s password is encoded using the PBKDF2 scheme, the server can now automatically re-encode the password if their stored password uses a digest algorithm, iteration count, salt length, or derived key length that doesn’t match the current configuration of that scheme. PingDirectory has also long supported the Pwned Passwords service, rejecting attempts to set passwords that are known to have been compromised. In the past, interaction with the Pwned Passwords service used a hard-coded timeout of 30 seconds in case the service became unreachable or unresponsive. You can now customize that timeout.
-
PingDirectory uses the Berkeley DB Java Edition to store its data, and this database library offers support for caching some or all of the data in memory for faster access. PingDirectory also allows administrators to configure separate backends to hold different portions of the DIT. Previously, the server maintained a separate database cache for each backend, requiring the administrator to adjust the percentage of the JVM’s memory that each backend is allowed to consume. This release now enables you to share a common database cache across all backends. Although this capability is disabled by default, it can simplify the server configuration by only requiring administrators to specify the total percentage of JVM memory to use for caching, without needing to configure caching separately for each backend.
-
Amazon’s Simple Storage Service (S3) is a popular cloud-based data storage service that can be used as a convenient off-site backup mechanism. In the past, some PingDirectory server administrators have chosen to copy certain types of files manually (for example, LDIF exports or rotated log files) to an S3 bucket as an additional layer of safety in their disaster recovery strategy. This release introduces direct support for using the S3 service as a way of backing up LDIF exports and log files.
This release offers support for post-LDIF-export task processors. This enables you to perform additional processing automatically after successfully completing an LDIF export, including exports created as part of a recurring task. We have included an implementation that can copy the resulting export file to a specified S3 bucket for safekeeping, and it can automatically remove older export files from that bucket based on the number or age of files in that bucket. It is also possible to use the Server SDK to develop custom post-LDIF-export task processor implementations to perform other kinds of processing after an export completes.
This release offers a new log file rotation listener that can automatically copy log files to a specified S3 bucket as soon as they have been rotated out of place. This support is available for most types of log files that the server can generate, and it also supports automatic retention based on the number or age of the files in the bucket. The server now includes a new
amazon-s3-clientcommand-line tool that can be used to interact with the S3 service manually. This tool can be used to manage buckets and files contained in the S3 service manually, including uploading files to or downloading files from a specified bucket. -
This release includes changes to improve performance dramatically when creating a backup, restoring a backup, or performing online replica initialization.
-
Fixed a security issue
Security DS-47632 PingDirectory, Delegated Admin
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and doesn’t require updating. Additional details are provided in SECADV039 (requires sign-on).
Added an amazon-s3-client command-line tool
New DS-47965 PingDirectory
Added a new amazon-s3-client command-line tool that can be used to interact with the Amazon AWS Simple Storage Service (S3) service. This tool enables you to list, create, and delete buckets, as well as list, upload, download, and delete files in a specified bucket. This may be useful in deployments where the server is configured to automatically copy rotated log files or exported LDIF files to the S3 service.
Added a request control to Directory REST API
New DS-47899 PingDirectory
Added support for access log field request control in Directory REST API requests.
Added a new /authenticate endpoint to the Directory REST API
New DS-47596 PingDirectory, PingDirectoryProxy
Added an /authenticate endpoint to the Directory REST API that enables users to generate an access token by providing combinations of valid credentials, depending on the authentication type specified in the HTTP request body. The supported authentication types are:
-
password -
passwordPlusTOTP -
passwordPlusDeliveredOTP -
passwordPlusYubiKeyOTP
Learn more about the /authenticate endpoint in Directory REST API configuration.
Added five new Directory REST API endpoints to support the /authenticate endpoint
New DS-47641, DS-47642, DS-47644, DS-47645, DS-47646, DS-47643, DS-47648 PingDirectory
Added five new Directory REST API endpoints to support the new /authenticate endpoint. These endpoints enable users to interact with supporting services that facilitate the creation, delivery, and revocation of one-time passwords (OTP) and time-based one-time passwords (TOTP), which are required to perform authentication operations with the API. These endpoints include:
-
/directory/v1/{dn}/generateTOTPSharedSecret -
/directory/v1/{dn}/revokeTOTPSharedSecret -
/directory/v1/deliverOneTimePassword -
/directory/v1/{dn}/registerYubiKeyOTPDevice -
/directory/v1/{dn}/derigesterYubiKeyOTPDevice
Learn more about these endpoints in Directory REST API configuration.
Added support for the 2b password storage variant
New DS-48119 PingDirectory
Updated the bcrypt password storage scheme to include support for the 2b variant in addition to the existing 2y, 2a, and 2x variants.
Added support for post-LDIF-export task processors
New DS-47420 PingDirectory
Added support for post-LDIF-export task processors to use in performing custom processing whenever an LDIF export task (including those invoked as part of a recurring task) successfully completes the export.
These processors include an Upload to S3 processor, which can be used to upload the resulting LDIF file to a specified Amazon S3 bucket. You can also use the Server SDK to create custom post-LDIF-export task processors. Learn more in Performing post-LDIF-export task processing.
Added support for inverted static groups
New DS-46026 PingDirectory
Added support for inverted static groups, which operate like traditional static groups in that membership is explicitly specified rather than dynamically determined, but where membership information is stored in user entries rather than in the group entry. For groups with a large number of members, inverted static groups may exhibit substantially better performance than traditional static groups.
Although it’s not enabled by default, the server also provides a new plugin that allows clients to interact with inverted static groups like they interact with traditional static groups. The plugin intercepts attempts to add or remove member DNs in the group entry itself and causes the corresponding changes to be applied in the member entries. It also provides limited support for interacting with group members in the group entry for search and compare operations as if the member DNs existed in the group entries. Learn more in Using inverted static groups.
Added a split-ldif tool
New DS-48018 PingDirectory, PingDirectoryProxy
Added a split-ldif tool that can be used to split an LDIF file into multiple segments, with each having a subset of the entries below a specified base DN, and entries at or above that base DN will be included in all sets. This is primarily intended for splitting a large data set for use in entry balancing, and it offers several algorithms for dividing the entries between segments.
Added a new HTTP Connection configuration property
New DS-48055 PingDirectory
Added a new HTTP Connection configuration property to enable SNI hostname checks, which are now disabled by default.
Added a new configuration property for replication servers
New DS-47888 PingDirectory
Added the include-all-remote-servers-state-in-monitor-message configuration property to control whether replication monitor messages include information about remote servers. By default, the property is set to true so that information about remote servers is sent. Setting the property to false may be helpful in large topologies because the size of monitor messages scales with the number of servers.
Added a new log file rotation listener
New DS-47627
Added a new log file rotation listener that can be used to upload newly rotated log files to a specified Amazon S3 bucket. The listener can remove previously updated log files based on the specified number or age of files to retain.
Added the ability to share a single database cache
New DS-47756 PingDirectory
Added the ability to share a single database cache across all local DB backends. This is an alternative to the default behavior in which each local DB backend maintains its own independent database cache, and it can simplify cache sizing in deployments with multiple local DB backends. This behavior is controlled by two new global configuration properties:
-
use-shared-database-cache-across-all-local-db-backends: Indicates whether to use a shared database cache. If this property is set totrue, then all local DB backends will use a shared database cache, and you must set the property to specify the size of that shared cache. If the property is set tofalse(the default value), then each local DB backend will maintain its own independent database cache with a size specified by thedb-cache-percent propertyconfiguration property for that backend. -
shared-local-db-backend-database-cache-percent: Specifies the percentage of the total JVM heap size that will be used for the shared database cache. This property will only be used if theuse-shared-database-cache-across-all-local-db-backendsproperty is set totrue, in which case the server will ignore thedb-cache-percent propertyin the backend configuration.
If a shared database cache is enabled, the server will expose a Shared Local DB Backend Database Cache monitor entry with information about that shared cache, including how much of the cache is consumed by each of the backends.
Added the re-encode-passwords-on-scheme-config-change property to password policy configuration
New DS-35739 PingDirectory
Added the re-encode-passwords-on-scheme-config-change property to the password policy configuration to indicate if the server should automatically re-encode passwords that are encoded with settings that don’t match the scheme’s current configuration. If a user authenticates with a mechanism that provides their password unencoded, and if the password stored in their entry is encoded with settings that don’t match the current configuration for the associated password storage scheme, then the server now automatically re-encodes their password with the default password storage scheme(s) using the current settings. The following password storage schemes support this functionality: AES256, ARGON2, ARGON2D, ARGON2I, ARGON2ID, BCRYPT, PBKDF2, SCRYPT, SSHA, SSHA256, SSHA384, and SSHA512.
You can also implement this capability for custom password storage schemes developed with the Server SDK.
The ds-pwp-state-json virtual attribute provider has also been updated with a new has-password-encoded-with-non-current-settings field whose value indicates if the user’s password is encoded with settings that don’t match the current configuration, and a new non-current-password-storage-scheme-settings-explanations field that can provide additional details on how the password encoding differs from the current configuration.
Added new arguments to the encrypt-file tool
New DS-47612 PingDirectory
Added a --re-encrypt argument to the encrypt-file tool to read the contents of an existing encrypted file and re-encrypt it with a different encryption settings definition or user-supplied passphrase. If the file is currently encrypted with a user-supplied passphrase, then the --prompt-for-current-passphrase or --current-passphrase-file argument should be used to supply the current encryption passphrase. If the file is currently encrypted with an encryption settings definition, then that definition will automatically be obtained from the encryption settings database.
Added a --find-encrypted-files argument to the encrypt-file tool to identify encrypted files in a specified location on the filesystem. By default, the tool will search for files that are encrypted with any encryption settings definition or a user-supplied passphrase, but it can be used in conjunction with the --encryption-settings-id argument to only identify files that are encrypted with the specified definition.
These new arguments can be useful when migrating away from a former encryption settings definition, particularly if the former definition will eventually be removed from the encryption settings database. If a definition is removed from the encryption settings database, any files encrypted with that definition will no longer be accessible.
Added the replication-missing-changes-policy configuration property
New DS-45452, DS-47383 PingDirectory
Added a replication-missing-changes-policy configuration property for both replication servers and replication domains to control how replication handles missing changes. This property can be used to avoid missing changes lockdown in cases where such lockdown isn’t beneficial to the server.
When the missing changes policy is modified, connections are restarted so that the missing changes state can be reevaluated. Lockdown mode isn’t cleared, but may be cleared by running the leave-lockdown-mode tool.
Added support for an access log field request control
New DS-47557 PingDirectory, PingDirectoryProxy
Added support for an access log field request control to specify field names and values that should be included in the access log message for the associated operation.
Added support for a generate access token request control
New DS-47570 PingDirectory, PingDirectoryProxy
Added support for a generate access token request control that can be included in a bind request to indicate that the server should generate and return an access token in the bind response. That access token may be used in conjunction with the OAUTHBEARER SASL mechanism to authorize subsequent connections by that client. This can be useful in cases where the initial authentication should be performed in a manner that involves single-use credentials like a time-based one time password, a delivered one-time password, or a one-time password generated by a YubiKey device, but the client wishes to establish multiple connections in which the initial credentials can’t be replayed.
Removed support for Java 8
Info DS-47558 PingDirectory
We’ve removed support for Java 8 in the PingDirectory server. Learn more in System requirements. Learn more about upgrading from a PingDirectory instance installed with Java 8 in PingDirectory, PingDirectoryProxy, and PingDataSync.
Removed support for two dsreplication subcommands
Info DS-47916 PingDirectory
Removed support for the deprecated remove-defunct-server and cleanup-local-server dsreplication subcommands. To remove a defunct server from the topology, use the remove-defunct-server command-line tool. To clean up topology references on a server, run remove-defunct-server --performLocalCleanup.
Removed the PingDataMetrics Server
Info DS-46012 PingDataMetrics
PingDataMetrics was previously deprecated and has been removed from this release. Learn more about support for versions of PingDirectory containing PingDataMetrics in Ping Identity’s End-of-Life Policy (sign on required).
To monitor and provide statistics for your PingDirectory suite of products, see Monitoring PingDirectory metrics with Splunk and Monitoring server metrics with Prometheus.
Improved communication with external HTTP services
Improved DS-47454 PingDirectory
Updated the server to allow configuration of connect and response timeouts when communicating with external HTTP services, such as CyberArk Conjur and HashiCorp Vault instances, the Pwned Passwords service, and YubiKey OTP validation servers.
Updated zip compression process
Improved DS-45148 PingDirectory
To improve server performance and prevent invalid block type errors, java.util.zip will now be used instead of com.jcraft.jzlib for zip compression.
Improved how the replication generation ID is calculated
Improved DS-47695 PingDirectory
The replication generation ID, a value used by replication to determine if replicas are compatible and can be replicated, will now be calculated in a way that is independent of the disk order in which the entries are stored. This is helpful when entries are imported into new servers instead of being initialized.
Improved password security when using the Directory REST API
Improved DS-48092 PingDirectory
To increase password security when using the Directory REST API, we improved the sanitization of password-related data in API responses.
Improved server upgrade times
Improved DS-47799 PingDirectory
Improved server upgrade times by streamlining the post-upgrade stability checks.
Improved memory handling for export-ldif and backup tools
Improved DS-44417 PingDirectory
To help avoid excessive memory pressure on a server running multiple processes, we reduced the JVM memory requirements for the export-ldif and backup command-line tools.
Updated the backup tool to include a compression warning
Improved DS-48121 PingDirectory
To help you manage your backup and restore times, the backup tool now displays a warning when you run it with the --compress flag on an encrypted backend.
Updated dsreplication tool to avoid overwrites
Improved DS-47820 PingDirectory
dsreplication commands that produce an error are now archived to avoid being overwritten. In addition, the dsreplication command now logs subcommands in separate files.
Improved performance for backup, restore, and online replica initialization
Improved DS-45157 PingDirectory
Significantly improved the performance times of backup, restore, and online replica initialization processes.
Improved performance of static group updates
Improved DS-47402, DS-47410, DS-47412, DS-47413 PingDirectory
Improved performance when making updates to static groups.
Updated the handling of extraneous data when syncing with Active Directory
Improved DS-46635 PingDataSync
For Active Directory Sync sources, when setting the startpoint to end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this update, setting the startpoint should be faster, particularly for slow networks.
Fixed an issue when initializing subhandlers on startup
Fixed DS-48046 PingDirectory
Fixed an issue where an AggregatePTAhandler’s subhandlers sometimes didn’t properly initialize on startup and threw a NullPointerException.
Fixed a logging issue when using proxied authorization
Fixed DS-48157 PingDirectory
Fixed an issue where the server didn’t properly log the alternative authorization DN for multi-update extended operations that used proxied authorization.
Fixed a duplication issue when running dsjavaproperties --initialize
Fixed DS-45206
Fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to common.java-args in the java.properties file.
Fixed an issue with error logging
Fixed DS-48084 PingDirectory
Fixed an issue where a cn=config does not exist error message would appear in the error logs after navigating to the status page of the admin console.
Fixed an issue with running manage-profile generate-profile on an upgraded instance
Fixed DS-47381
Fixed an issue where running manage-profile generate-profile on an instance that had been upgraded from an earlier version would result in a profile that contained commands that were part of the upgrade, and couldn’t be used to set up new installations.
Fixed an issue with password validation
Fixed DS-47875 PingDirectory
Fixed an issue where the Dictionary password validator would sometimes incorrectly handle dictionary words contained as password substrings.
Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments
Fixed DS-48205 PingDirectory
Fixed an issue where the Changelog Password Encryption plugin wouldn’t work properly in a replicated environment if a password was changed with a Password Modify extended operation.
Fixed issues with rootDSE search
Fixed DS-47821 PingDirectory
Fixed an issue where an ldapsearch for rootDSE didn’t exclude the baseDNs that were specified in a client connection policy.
Fixed an incorrect help text suggestion when running dsreplication initialize
Fixed DS-47878 PingDirectory
Fixed an issue where help text incorrectly suggested using the --force flag if unable to connect to the server properly when running dsreplication initialize.
Fixed issues with password history
Fixed DS-47798, DS-47898, DS-47924 PingDirectory
Fixed an issue that could prevent the server from properly updating a user’s password history for a password change if the request included the password update behavior request control, indicating that password history violations should be ignored. This control is designed to prevent the server from rejecting an attempt to change a user’s password if the new password is already in the history, but it incorrectly caused the server to skip all password history processing for the update.
Fixed an issue that could cause the server to add two copies of the current password into the password history when setting a new password with the password modify extended operation. This didn’t affect password changes with a regular LDAP modify operation.
Fixed an issue where the server could incorrectly allow a user to set an empty password in cases where none of the configured password validators would have rejected an empty password.
Fixed the server’s handling of compact values for the ds-cfg-allow-pre-encoded-passwords attribute
Fixed DS-43034, DS-47832 PingDirectory
Fixed a regression that was introduced in the 9.3.0.0 release to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. This issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.
This fix enables the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. When the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address this issue.
Fixed an issue with replace modifications for attributes
Fixed DS-47975 PingDirectory
Fixed an issue that could prevent replace modifications for attribute types with subordinate types from being properly applied.
Fixed the server’s handling of SCIM patch operations including empty arrays
Fixed DS-47790 PingDirectory
Fixed an issue where the Configuration API treated SCIM patch operations with empty arrays as invalid. Now, the API resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.
Fixed the server’s handling of search operations
Fixed DS-47585 PingDirectory
Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. The server wouldn’t check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys, the allowed time limit could be exceeded in that portion of the processing.
Fixed an issue with encryption settings initialization
Fixed DS-47784 PingDirectory
Fixed an issue where encryption settings weren’t initialized before initializing password policy components when running remove-defunct-server against servers configured with an AES256 password storage scheme.
Fixed an issue with expensive operation logging
Fixed DS-47614 PingDirectory
Fixed an issue that caused the server to incorrectly include client certificate messages in the expensive operations log.
Fixed an issue with LDAP Connection Handler objects
Fixed DS-46312
Fixed an issue where the absence of the request-handler-per-connection configuration property for LDAP Connection Handler objects resulted in a single request handler being unable to acknowledge incoming client requests for long-running TLS negotiations.
Fixed the check-replication-domains tool requirements
Fixed DS-47655
Fixed the check-replication-domains tool so that the --serverRoot argument is no longer required, and it defaults to the server’s root directory.
Fixed a missing changes error when performing replication
Fixed DS-47289 PingDirectory
Fixed a possible NullPointerException replication error that occurred when missing changes were found for a replica, but that replica didn’t exist on all servers.
Fixed an issue with account lockout
Fixed DS-47035 PingDirectory
Fixed an issue that could prevent an unsuccessful bind attempt from being properly counted toward account lockout for a user. If the user’s account had been temporarily locked as a result of too many failed authentication attempts, and if the first bind attempt after that temporary lockout period had elapsed was also unsuccessful, then the act of clearing the elapsed temporary lockout prevented the new failure from being properly recorded.
Fixed the server’s handling of alerts or alarms without configuration
Fixed DS-47455
Fixed a NullPointerException error where an alert or alarm was raised and one or more of the alert handlers wasn’t configured. This most commonly happened when the server was being stopped.
Fixed the formatting of Generic JDC sync pipe destination attributes
Fixed DS-47918 PingDataSync
We fixed an issue where, when using the create-sync-pipe-config command, the correlated attributes for Generic JDBC sync pipe destinations were a single string value. The attributes are now correctly split by commas.
Fixed an issue with syncing to Active Directory
Fixed DS-48151 PingDataSync
Fixed an issue where syncing to an Active Directory sync destination could result in the destination rejecting operations if a DN map wasn’t configured on the sync class, and if the operations included modifications to the unicodePwd attribute.
Fixed an issue with synchronizing the enabled attribute in a PingOne destination
Fixed DS-47905 PingDataSync
Fixed an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.
To create an attribute mapping that modifies the enablement status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This ensures that the enabled attribute always has a well-defined value, even if the source attribute isn’t present on an entry in the source server.
dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'
Fixed an issue with the manage-topology add-server command
Fixed DS-45527 PingDataSync
Fixed an issue where a NullPointerException would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.
Fixed issue with reported availability of backends
Fixed DS-48040 PingDirectoryProxy
Fixed an issue where PingDirectoryProxy didn’t accurately report the availability of backends added through automatic backend discovery.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.